Welcome to the Security 1:1 - Part 3
In part 3 of the series we will discuss various types of network attacks. On this occasion I will also introduce some types of attacks directed more at the end user than at the network or host computers; we will speak here about Phishing attempts and Social Engineering techniques. Of special importance are newly emerging threats and attack types, as well as the evolving ones. More than ever before we see attacks involving all available media, such as social portals, VoIP or Bluetooth. The article will be complemented with Symantec references, both to Security Response resources and to Connect blogs.
The Security 1:1 series consists so far of the following articles:
What is a network attack?
A network attack is usually defined as an intrusion on your network infrastructure that first analyses your environment and collects information in order to exploit the existing open ports or vulnerabilities; this may also include unauthorized access to your resources. Where the purpose of the attack is only to learn and obtain some information from your system, and the system resources are not altered or disabled in any way, we are dealing with a passive attack. An active attack occurs where the perpetrator accesses and either alters, disables or destroys your resources or data. An attack can be performed either from outside the organization by an unauthorized entity (Outside Attack) or from within the company by an "insider" that already has certain access to the network (Inside Attack). Very often the network attack itself is combined with the introduction of malware components to the targeted systems (malware has been discussed in Part 2 of this article series).
Some of the attacks described in this article target the end users (like Phishing or Social Engineering); those are usually not directly referenced as network attacks, but I decided to include them here for completeness and because those kinds of attacks are very widespread. Depending on the procedures used during the attack or the type of vulnerabilities exploited, network attacks can be classified in the following way (the provided list isn't by any means complete; it introduces and describes only the best-known and most widespread attack types that you should be aware of):
What types of attack are there?
- Social Engineering - refers to the psychological manipulation of people (here employees of the company) into performing actions that potentially lead to a leak of the company's proprietary or confidential information, or can otherwise cause damage to company resources, personnel or the company's image. Social engineers use various strategies to trick users into disclosing confidential information, data or both. One very common technique used by social engineers is to pretend to be someone else: an IT professional, a member of the management team, a co-worker, an insurance investigator or even a member of a governmental authority. The mere fact that the addressing party appears to be one of the above is meant to convince the victim that the person has the right to know any confidential or otherwise secured information. The purpose of social engineering remains the same as the purpose of hacking: unauthorized access to confidential information, data theft, industrial espionage or environment/service disruption.
- Phishing attack - this type of attack uses social engineering techniques to steal confidential information; the most common purpose of such an attack is to obtain the victim's banking account details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to look like real on-line banking websites. Emails received by users will in most cases look authentic, as if sent from sources known to the user (very often with the appropriate company logo and localised information); those emails will contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information on-line. The request will be accompanied by a threat that the account may be disabled or suspended if the mentioned details are not verified by the user.
Video: Symantec Guide to Scary Internet Stuff - Phishing
Symantec Security Response provides a portal where a suspected Phishing site can be reported. If you ever encounter a Phishing attack and have details from the spoofed email with a link to a specific suspicious website, I highly recommend reporting it via the provided portal: https://submit.symantec.com/antifraud/phish.cgi
- Social Phishing - in recent years Phishing techniques have evolved to include social media like Facebook or Twitter; this type of Phishing is often called Social Phishing. The purpose remains the same: to obtain confidential information and gain access to personal files. The means of the attack are a bit different though, and include special links or posts placed on the social media sites that attract the user with their content and convince him to click on them. The link then redirects to a malicious website or similar harmful content. The websites can mirror the legitimate Facebook pages so that an unsuspecting user does not notice the difference. The website will require the user to log in with his real information; at this point the attacker collects the credentials, gaining access to the compromised account and all data on it. Another scenario involves fake apps: users are encouraged to download and install apps that contain malware used to steal confidential information.
Facebook Phishing attacks are often much more elaborate. Consider the following scenario: a link posted by an attacker can include pictures or a phrase that will attract the user to click on it. The user clicks and is redirected to a mirror website that asks him to like the post before even viewing it. The user, not suspecting any harm in this, clicks on the "like" button but does not realise that the "like" button has been spoofed and is in reality the "accept" button granting the fake app access to the user's personal information. At this point the data is collected and the account becomes compromised. For recommendations on how to protect your Facebook account and not fall prey to Facebook Phishing, have a look at the Security Response blog referenced below.
Phishers Use Malware in Fake Facebook App
- Spear Phishing Attack - this is a type of Phishing attack targeted at specific individuals, groups of individuals or companies. Spear Phishing attacks are performed mostly with the primary purpose of industrial espionage and theft of sensitive information, while ordinary Phishing attacks are directed against the wide public with the intent of financial fraud. It has been estimated that in the last couple of years targeted Spear Phishing attacks have become more widespread than ever before.
Video: Protect Against Spear Phishing and Advanced Targeted Attacks with Symantec
The recommendations for protecting your company against Phishing and Spear Phishing include:
- Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double check that it really came from them)
- Keep your operating system updated
- Use a reputable anti-virus program
- Enable two factor authentication whenever available
- Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark
- Look for HTTPS in the address bar when you enter any sensitive personal information on a website to make sure your data will be encrypted
One Phish, Two Phish, Classic Phish, SPEAR Phish?!
- Watering Hole Attack - is a more complex type of Phishing attack. Instead of the usual way of sending spoofed emails to end users in order to trick them into revealing confidential information, attackers use a multi-staged approach to gain access to the targeted information. In the first step the attacker profiles the potential victim, collecting information about his or her internet habits, history of visited websites etc. In the next step the attacker uses that knowledge to inspect specific legitimate public websites for vulnerabilities. If any vulnerabilities or loopholes are found, the attacker compromises the website with his own malicious code. The compromised website then waits for the targeted victim to come back and infects them with exploits (often for zero-day vulnerabilities) or malware. This is by analogy to a lion waiting at the watering hole for its prey.
Internet Explorer Zero-Day Used in Watering Hole Attack: Q&A
- Whaling - a type of Phishing attack specifically targeted at senior executives or other high-profile targets within a company.
- Vishing (Voice Phishing or VoIP Phishing) - the use of social engineering techniques over the telephone system to obtain confidential information from users. This Phishing attack is often combined with caller ID spoofing, which masks the real source phone number and instead displays a number familiar to the Phishing victim or a number known to belong to a real banking institution. Common Vishing practice includes pre-recorded automated instructions requesting users to provide bank account or credit card information for verification over the phone.
- Port scanning - an attack type where the attacker sends several requests to a range of ports on a targeted host in order to find out which ports are active and open, which allows them to exploit known service vulnerabilities related to specific ports. Port scanning can be used by malicious attackers to compromise security, as well as by IT professionals to verify network security.
Symantec Endpoint Protection allows a port scan attack to be detected and blocked; the condition for detection is fulfilled when SEP detects more than 4 local ports being accessed by the same remote IP within 200 seconds.
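The detection rule quoted above can be reproduced over your own firewall or connection logs. The following is an added example (not SEP's code and not part of the original article) that applies the same heuristic, more than 4 distinct local ports touched by one remote IP within a sliding 200 second window, to a constructed log format of `<epoch_seconds> <remote_ip> <local_port>`; the addresses and timestamps are made up for the demonstration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 200   # the detection window quoted for SEP
PORT_THRESHOLD = 4     # "more than 4" distinct local ports triggers the alert

# Constructed sample log, one event per line: "<epoch_seconds> <remote_ip> <local_port>".
# 203.0.113.7 touches five ports in 40 s (a scan); 198.51.100.9 touches six
# ports, but spread over 700 s, so never more than 4 within any 200 s window.
SAMPLE_LOG = """\
1000 203.0.113.7 22
1010 203.0.113.7 23
1020 203.0.113.7 80
1030 203.0.113.7 443
1040 203.0.113.7 3389
1000 198.51.100.9 443
1300 198.51.100.9 443
1400 198.51.100.9 80
1500 198.51.100.9 22
1600 198.51.100.9 25
1700 198.51.100.9 8080
"""


def parse_line(line):
    ts, ip, port = line.split()
    return int(ts), ip, int(port)


def detect_port_scans(log_text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {remote_ip: timestamp at which it was first flagged as a scanner}."""
    # Sort by time so the sliding window works even if the log is not ordered.
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # per remote IP: (timestamp, local_port) inside the window
    flagged = {}
    for ts, ip, port in events:
        q = recent[ip]
        q.append((ts, port))
        while ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, ts in detect_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {ip} detected at t={ts}")
```

The threshold and window are parameters, so the same function can be tuned to a stricter policy than the SEP default for hosts that should never see multi-port probing.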
- Spoofing - a technique used to masquerade a person, program or address as another by falsifying data, with the purpose of gaining unauthorized access. We can name a few of the common spoofing types:
- IP Address spoofing - the process of creating IP packets with a forged source IP address to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf Attack).
- ARP spoofing (ARP Poisoning) - the process of sending fake ARP messages into the network. The purpose of this spoofing is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host. This kind of spoofing is often used in man-in-the-middle attacks.
- DNS spoofing (DNS Cache Poisoning) - an attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses in response to client queries.
- Email spoofing - the process of faking the email's sender "From" field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during Phishing attacks.
- Search engine poisoning - here attackers take advantage of high-profile news items or popular events that may be of specific interest to a certain group of people in order to spread malware and viruses. This is performed by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the attackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions to download.
- Network sniffing (Packet sniffing) - the process of capturing the data packets travelling in the network. Network sniffing can be used both by IT professionals to analyse and monitor the traffic, for example in order to find unexpected suspicious traffic, and by perpetrators to collect data sent in clear text that is easily readable with network sniffers (protocol analysers). The best countermeasure against sniffing is the use of encrypted communication between the hosts.
- Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack) - an attack designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds the server is no longer able to answer even legitimate requests; this can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or a web page, inability to access data, websites or other resources. A Distributed Denial of Service Attack (DDoS) occurs where multiple compromised or infected systems (a botnet) flood a particular host with traffic simultaneously.
Video: Symantec Guide to Scary Internet Stuff - Denial of Service Attacks
DoS (denial-of-service) attack
A few of the most common DoS attack types:
♦ ICMP flood attack (Ping Flood) - the attacker sends ICMP ping requests to the victim host without waiting for the answers, in order to overload it with ICMP traffic to the point where the host cannot answer them any more, either because of network bandwidth congestion with ICMP packets (both requests and replies) or because of the high CPU utilisation caused by processing the ICMP requests. The easiest way to protect against the various types of ICMP flood attacks is either to disable propagation of ICMP traffic sent to the broadcast address on the router or to disable ICMP traffic at the firewall level.
♦ Ping of Death (PoD) - the attack involves sending a malformed or otherwise corrupted malicious ping to the host machine; this can be, for example, a PING larger than usual, which can cause a buffer overflow on the system that leads to a system crash.
♦ Smurf Attack - works in the same way as the Ping Flood attack, with one major difference: the source IP address of the attacker's host is spoofed with the IP address of another legitimate, non-malicious computer. Such an attack will cause disruption both on the attacked host (receiving a large number of ICMP requests) and on the spoofed victim host (receiving a large number of ICMP replies).
ICMP Smurf Denial of Service
♦ SYN flood attack - the attack exploits the way the TCP 3-way handshake works while a TCP connection is being established. In the normal process the host computer sends a TCP SYN packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK packet confirming that the connection can be made. As soon as this is received by the first local host, it replies again with a TCP ACK packet to the remote host. At this point the TCP socket connection is established. During a SYN Flood attack the attacker host, or more commonly several attacker hosts, send SYN packets to the victim host requesting a connection; the victim host responds with SYN-ACK packets but the attacker hosts never respond back with ACK packets. As a result the victim host keeps reserving space for all those connections, still awaiting responses from the remote attacker hosts, which never arrive. This leaves the server with dead half-open connections and in the end prevents legitimate hosts from connecting to the server at all.
♦ Buffer Overflow Attack - in this type of attack the victim host is provided with traffic/data that is out of range of the processing specifications of the victim host, its protocols or applications, overflowing the buffer and overwriting the adjacent memory. One example is the mentioned Ping of Death attack, where a malformed ICMP packet with a size exceeding the normal value can cause a buffer overflow.
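To make the SYN flood item above concrete from the defender's side, here is an added example (not from the original article) that models a TCP listener's half-open connection table in memory: with a fixed backlog, SYNs that are never acknowledged fill the table and a legitimate client's SYN is dropped; with SYN cookies (the stateless mitigation described in RFC 4987, simplified here to an HMAC over the client address and port) nothing is stored per SYN and the legitimate client still connects. The backlog size, secret and addresses are constructed values, and no packets are sent.

```python
import hashlib
import hmac
import random

BACKLOG = 8                   # half-open connections the listener can hold (constructed)
SECRET = b"constructed-server-secret"


class Listener:
    """Server side of the TCP handshake, with or without SYN cookies."""

    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}   # (client_ip, client_port) -> server ISN awaiting ACK
        self.established = set()

    def _cookie(self, client):
        # Stateless ISN derived from the client address/port and a server secret.
        # Real SYN cookies also fold in a coarse timestamp and the MSS.
        msg = f"{client[0]}:{client[1]}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client):
        """Handle a SYN; return the ISN we put in SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(client)          # nothing is stored per SYN
        if len(self.half_open) >= BACKLOG:
            return None                          # backlog exhausted: SYN dropped
        isn = random.getrandbits(32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, ack_number):
        """Handle the final ACK; accept only if it acknowledges our ISN + 1."""
        if self.syn_cookies:
            ok = ack_number == (self._cookie(client) + 1) % 2**32
        else:
            isn = self.half_open.pop(client, None)
            ok = isn is not None and ack_number == (isn + 1) % 2**32
        if ok:
            self.established.add(client)
        return ok


def flood_then_connect(syn_cookies, flood_size=50):
    """Spoofed SYNs that never complete the handshake, then one real client."""
    srv = Listener(syn_cookies)
    for i in range(flood_size):
        # Constructed spoofed sources; no ACK ever follows these SYNs.
        srv.on_syn((f"198.51.100.{i % 250 + 1}", 40000 + i))
    legit = ("192.0.2.10", 51515)
    isn = srv.on_syn(legit)
    if isn is None:
        return False                             # SYN dropped: client cannot connect
    return srv.on_ack(legit, (isn + 1) % 2**32)
```

`flood_then_connect(False)` returns False (backlog exhausted) while `flood_then_connect(True)` returns True, which is exactly the property SYN cookies are meant to preserve under a flood.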
- Botnet - a collection of compromised computers that can be controlled by remote perpetrators to perform various types of attacks on other computers or networks. A known example of botnet usage is the distributed denial of service attack, where multiple systems submit as many requests as possible to the victim machine in order to overload it with incoming packets. Botnets can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal and confidential information which is afterwards forwarded to the botmaster.
Video: Symantec Guide to Scary Internet Stuff - Botnets
Beginning in October 2013 Symantec disabled 500,000 botnet-infected computers belonging to the almost 1.9 million strong ZeroAccess botnet. According to Symantec, ZeroAccess is the largest actively controlled botnet in existence today, amounting to approximately 1.9 million infected computers on any given day. It is the largest known botnet that utilizes a peer-to-peer (P2P) mechanism for communication. ZeroAccess is a Trojan horse that uses advanced means to hide itself by creating hidden file systems to store its core components, downloads additional malware, and opens a back door on the compromised computer. The primary motivation behind the ZeroAccess botnet is financial fraud through pay-per-click (PPC) advertising and bitcoin mining.
- Man-in-the-middle Attack - this attack is a form of active monitoring or eavesdropping on the victims' connections and the communication between victim hosts. This form of attack also includes interaction between both victim parties of the communication and the attacker; this is achieved by the attacker intercepting all or part of the communication, changing its content and sending it back as legitimate replies. Both communicating parties are unaware of the attacker's presence and believe the replies they get are legitimate. For this attack to succeed the perpetrator must successfully impersonate at least one of the endpoints; this can be the case if there are no protocols in place that would provide mutual authentication or encryption during the communication process.
- Session Hijacking Attack - an attack targeted at exploiting a valid computer session in order to gain unauthorized access to information on a computer system. This attack type is often referred to as cookie hijacking, as during its progress the attacker uses a stolen session cookie to authenticate to the remote server and gain access by impersonating the legitimate user.
- Cross-site scripting Attack (XSS Attack) - the attacker exploits XSS vulnerabilities found in web server applications in order to inject a client-side script into the web page, which can either redirect the user to a malicious website of the attacker or allow the attacker to steal the user's session cookie.
- SQL Injection Attack - the attacker uses existing vulnerabilities in applications to inject code or a string for execution that exceeds the allowed and expected input to the SQL database.
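The SQL injection item above is best understood by seeing the same lookup written both ways. The following added example (not from the original article) runs a login query against an in-memory SQLite table with constructed rows: `login_vulnerable` pastes the input into the SQL text, so a quote character in the input changes the query's structure, while `login_safe` passes the input as bound parameters and the database treats it purely as data.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # Input is interpolated into the SQL text: quotes in the input are parsed
    # as SQL, so the WHERE clause the developer wrote is no longer what runs.
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    # Placeholders bind the input as values; the query structure is fixed
    # before any user data is seen, so the same input matches nothing.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run a legitimate login and an injected one through both functions."""
    conn = make_db()
    injected = "' OR '1'='1"   # textbook tautology: turns the AND into an always-true OR
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "inject_vuln": login_vulnerable(conn, "alice", injected),
        "inject_safe": login_safe(conn, "alice", injected),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The vulnerable version returns every user for the injected password, the parameterised version returns none; parameterised queries (or an ORM that generates them) are the standard mitigation.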
- Bluetooth related attacks
♦ Bluesnarfing - this kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.
♦ Bluejacking - this kind of attack allows the malicious user to send unsolicited (often spam) messages over Bluetooth to Bluetooth-enabled devices.
♦ Bluebugging - a hacking attack on a Bluetooth-enabled device. Bluebugging enables the attacker to initiate phone calls on the victim's phone, as well as to read through the address book and messages and eavesdrop on phone conversations.
Symantec warns users over Bluetooth security