Next generation tactical attacks

Hacking has evolved from direct exploitation to

multi-stage tactical attacks. Client side exploitation,
application level attacks, complex social engineering
are the threats of the day. Does the conventional
threat definition work anymore? Are the
conventional security solutions geared to face the
emerging attacks?

How has hacking changed? relationships, tricking authentication systems

With the technological advancements in
existing security measures like firewall, IPS,
anti-virus etc., attacker’s approach is also
changing significantly. As direct exploitation
of the network devices, operating systems, and
applications is getting tougher, attackers are
increasingly turning to exploiting employees
and users, finding multi-stage attack paths,
attacking client software and attacking rich
internet applications. Organizations often
miss out vulnerabilities resulting out of this
“tactical approach” and live in a false sense of
security. Anyone who thinks that security
products alone can offer true security is settling
for the illusion of security.
Hacking has moved beyond
exploitation
Hacking has ceased to be only about exploits.
This is because the vulnerabilities are
transient. A newly discovered vulnerability will
be patched in the next cycle rendering the
exploit totally useless. In a typical penetration
test only one or two real exploits may be
successfully used. The rest of the time is spent
obtaining passwords, abusing trust
and hijacking services to gain access to more
systems. This is also true for attackers looking
beyond exploits to gain access and control of
confidential information.
Attackers are now opportunists: attacking the
opportunity of applications, people and
process for successful break-ins. H D Moore &
Valsmith’s paper- "Random Pwning Fun Bag”
first gave a good glimpse of the various tactical
approaches of the current day attacker. Below
we describe some of those next generation
tactical attacks and iViZ’s own experience that
are successfully used to find out unknown and
newer vulnerabilities:
“Attackers are now opportunists:
attacking the opportunity of
weak applications, people and
process for successful break-ins”
Attacking Data in Motion
Contrary to attacking the vulnerable software
directly, attackers are interested in exploiting
the opportunity of intercepting data in
motion. Attackers are interested in gaining
access to the data, not in gaining
09
 administrative privileges. So even though you
might have a very secure system, a
sophisticated attacker can steal your data
without attacking your secure system!
File Transfers
Traditional attacks involved exploiting the
FTP server software. However, in tactical
approach, attackers focus on the data transfer:
the opportunity of actual transfer in process.
File transfers attacked in this process could be
FTP or NFS which lead to significant
confidential data disclosure. This is also a
premium attack vector as most organizations,
small or large, use file transfers in some form or
the other.
Mail services
Unencrypted email can be read easily while it is
making its way to your friend's inbox! A typical
mail system is composed of one or more relay
systems, some form of antivirus / spam filter,
the real mail server itself and finally the user’s
email client. Traditionally attackers focused
only on the intermediate systems; however, in
tactical approach they target the mail clients as
well. For example, in older versions of some
mail clients, if two email messages containing
the same attachment name are received, the
newer message can overwrite the previous
message’s attachment. This can be used to
replace a trusted attachment with a backdoor
within the user’s mailbox.
“Gaining access to the data in
transit may be easier and more
attractive for a hacker rather
than gaining root privilege”
Attacking DNS services
With moderate security level, most DNS
servers are configured to reject zone transfers
from unauthorized hosts. However, in tactical
approach, attackers use brute force on possible
10
domains and host names to determine
whether those entries exist. Many DNS servers
are mis-configured to allow reverse DNS
lookups of private addresses, exposing the
names and addresses of important servers on
the internal network. A successful attack can
lead to false DNS records injection into the
cache and a potential hijack of internal and
external domains. Dan Kamisky’s famous and
shocking DNS attack is an example of this
attack.
Att acking Trust Based
Relationships
Trust is one of the easily exploitable things to
attack and leverage in a tactical approach.
iViZ, while conducting many penetration tests
has found that exploiting trust based
relationships can offer attackers easy access to
even the most secure systems! An example of
tactically exploiting trust based relationship is
the use of custom software meant for system
administration running in all the computers
inside a network with administrative
privileges. This means that this application is
trusted by every computer in the network. By
reverse engineering the software for the
hardcoded username and password, attackers
can compromise every host inside the network.
Any resource trusted by more than one user or
computer is a potential leverage point for the
attacker.
“Exploiting trust based
relationships can offer attackers
easy access to even the most
secure systems!”
Attack chaining through Multi-
stage attack paths
Conventional wisdom suggests that it is
important to focus on critical assets only. But
there are severe vulnerabilities in less critical
assets that can be used by attackers as a
launching pad for breaking into the network.
As a recent example of a famous security
breach, a hacker broke into the entire network
by using vulnerability in an administrator's
desktop. Possibilities and combinations of
such similar attacks are huge and are
important to mitigate. Unfortunately, multi-
stage attacks are complex and it is beyond the
capacity of human minds to find out all
possible attack paths. Situation gets more
complex when an attacker breaks into several
such less critical hosts and chains attack
payload through them before reaching the
final secure critical server.
Dangerous low threat vulnerabilities
and harmless high threat
vulnerabilities
There are many low threat vulnerabilities in
hosts that appear harmless because of their low
severity rating. However, these often lead to
severe vulnerabilities in a system. Attackers are
increasingly exploiting this opportunity.
Security managers focus mostly on eliminating
high threat vulnerabilities leaving the low
threat ones open – falsely assuming that they
pose little or no threat at all!
“What may appear as a benign
or low-priority vulnerability on
a host may be used as a
launching point for an attacker
to penetrate other devices on
the network”
Client Side Exploitation
Attackers are exploiting client side software
like browsers, word processors, document
readers to gain access to victim's system. Since
users are trusted within a network, attackers
can now easily bypass perimeter security
devices. Browsers and email clients are the
most popular targets since they are prevalent in
any desktop/laptop. There have been a lot of
vulnerability disclosures in IE, Firefox, Opera,
Safari, MS word, Adobe, MS outlook etc.
“A hacker can send you a link or
a file. Opening them could
easily trigger a trojan download
on your system in spite of your
firewall.”
ARP poisoning with software
updates
ARP poisoning combined with Man-in-the
Middle attacks have long been a known
technique for attackers to intercept and steal
confidential information. Tactical approach
uses this technique and goes one step beyond
by combining it with automatic fake software
updates. Attackers can fool users by forcing
their traffic to pass through a rouge gateway
setup by ARP poisoning and push malicious
software updates from a fake update server. As
an example, when a fake or trojan infected
update of “Microsoft word 2007” pops up on
the user’s screen, an unsuspecting user may
install the update believing that it is actually
from Microsoft. Every user’s workstation can
potentially be compromised this way.
Social Engineering
Social engineering hackers exploit the users’
credulity, laziness, good manners, or even their
enthusiasm. Therefore it is challenging to
defend against socially engineered attacks
because the targets may not even realize that
they have been duped, or may prefer not to
admit it to others.
Advanced social engineering techniques have
surfaced in recent times combined with client
side att acks, phishing, and system
exploitation. This form of attack is not only
effective but also has devastating impact.
11
 Tactical social engineering is
deadly when combined with
client side attacks even for fairly
security conscious individuals.
Attacking SSH
Software supporting encrypted protocols like
SSH can be used to gather information about
other possible targets on the network. Every
time users connect to a system using SSH, a file
is created in “/.ssh/” called known hosts. This
file lets an attacker see other hosts that trust the
user.
In newer versions, the Master mode can be
used with good leverage to hijack SSH
connections. Master mode lets the user set up a
tunnel which allows multiple sessions over the
s a m e S S H c o n n e c t i o n w i t h o u t re -
authentication. This essentially implies that
when one SSH connection is setup to a host
using master mode, an attacker can spawn
other sessions over this same connection
without having to know the password or have
access to a key!
Advanced Web 2.0 attacks
AJAX, RIA and Web services are three
important technological vectors in the Web
2.0 application space. These technologies are
promising and bring new equations to the
table, empowering overall effectiveness and
efficiency of Web applications. Mail
applications, social networking, document
sharing, business utilities are increasingly
using Web 2.0 technologies to add newer
features and increase application
responsiveness. However, these technologies
12
also bring with them a new class of
sophisticated threats which are not easily
detectable by normal application vulnerability
scanners. Some of the latest attacks that
hackers are increasingly exploiting are:
• AJAX Cross-site scripting XML
poisoning
• Malicious AJAX code execution
• RSS / Atom injection
• Client side validation attack in AJAX
routines
• Web services routing attack
• Parameter manipulation with SOAP
• XPATH injection in SOAP message
To stay ahead in this game of tactical security,
conventional ways must be discarded. A
laundry list of vulnerabilities generated by
automated tools is good but not good enough.
Instead, organizations should evolve to
building and testing security systems from the
perspective of tactical attack vectors along with
human vulnerabilities. In the game of security
its all about who runs faster. Is it you or the
hacker? There is no end to this race. Just
staying one step ahead is the name of the game.
Organizations should evolve to
building and testing security
systems from the perspective of
tactical attack vectors along with
human vulnerabilities.