Can Infosec get ahead of the Blackhats?

It is described at times as an arms race. Information Security always seems to be behind the bad guys. Can this ever change?

We all know the routine by now. New exploit, new signatures, new patches, new updates, new exploits. Rinse, lather, and repeat. We hear of the next big thing to be adaptive. Heuristic scanning, signature scanning, IDS, IPS, all to mitigate the threats. We are always fighting the good fight from behind. Unfortunately, this will always be the case. Yes, we get faster, not as far behind, and better. Yes, we have people on our side actively looking for the latest exploits. It is a neck and neck race in this day and age, but the fact remains, the bad guys will always find something we haven’t. We do our best to mitigate. We know that people are the weakest link. We try to educate, but even the best education, following the best practices will not stop exploitable scenarios, be they human or code. Why? Because we are human and are flawed.

Now don’t think that I am all doom and gloom. We have made great strides forward, and will continue to do so. Truth be told though, their are only a few ways to even have a chance of truly stopping the situation, and they are either super extreme or extremely improbable.

First idea I have is to have, as was a tag line from the movie Sneakers, “No More Secrets.” If everyone from corporations, to governments were wide open about everything, then what is there left to steal? Just money which brings me to the second thought. Go back to the bartering system. This gets rid of the money issue, and actually makes sense. Trading goods and services for other goods and services. Now you don’t need credit cards, Money, bank accounts, etc… The other big one that gets brought up in my mind is of course getting rid of technology all together.

None of these ideas are practical of course, so we are back to the original thought here. Can we ever get ahead. More thank likely not, but we keep getting closer to being even. So keep training, keep educating others, and keep your wits about you. We are in for a bumpy ride.

Meanwhile, away from Las Vegas

Yep, Hacker or Security Summer Camp time is here. For those of us not out in Las Vegas at Blackhat, B-Sides, and Defcon, The world continues on. As it goes, the U.S. Army has a lot to learn about the world of hacking.

The Register put out a story on how the US Cyber Army got its rear whooped by reservists. This article should be scary, and for good reason. If the full time Cyber Army didn’t even know how they had been attacked, how do we expect them to defend our country, let alone attack aggressors? The simple answer is they won’t be able to, but why? Well it is actually a matter of a few things.

The military is a great institution. As such they have a great regiment, and are highly organized. Follow orders, follow procedures, be a good soldier. The higher up you are the more planning you are able to do, but still the open thinking is still limited unless under true fire. This goes against the idea of being a hacker, someone who can go out and keep directly up to date with the infosec world. the world of Zero Days, backdoors, malware and the like is ever evolving and at a breakneck pace. The amount of “Eureka” moments compared to normal military strategy “Eureka” moments is astronomical. Yes the ideas put for in The Art of War by Sun Tzu still apply but the pace of shifts, adjustments and new “weapons” one talks about is daily.

Now while both the full timer Cyber Army members and the reservists both might have an interest or passion for the world of hacking and security, the reservists have a huge advantage. According to the article a good majority of the work in the infosec field full time. Imagine how more up to date, be it from looking at darknet forums, to researching zero days, penetration testing all different sorts of systems, they are. Add on that they have gone through the training and regiment that the full time Army has. This is where the full time military failed. think about it, we all have heard of former hackers recruited by the government, and for good reason. It is straight out of Art of War, “Know thyself and know thy enemy and never in 1000 battles will you lose.” The full time Cyber Army needs that adaptation. they need to be more loose on regulations, need to be able to constantly think outside the box and be able to expand their skills and knowledge outside of a regimented system. Until that time, I hope those reservists are ready to defend the country cause the full timers are a liability.


We’ve been Hacked! A Client’s issue

I deal with a lot of small businesses and getting them to understand security risks of old software and why hackers would want to hack them is difficult at best. Recently one client of mine learned the hard way.

Money they say is the root of all evil, and for SMBs a root of security problems. They do not want to spend money to upgrade PCs and servers until the last possible minute before they crash out. You tell them that they are insecure because of the old systems, and they come back with, “We are small and have nothing that a hacker would want.” This is due to the way hacks are presented in the media. All you hear about are the hacks of government systems, or large companies that have credit card data. SMBs don’t have huge secrets (most of the time), and just don’t get it.

This attitude recently bit one of my clients in the rear big time. They noticed that things were running slow on their SBS2003 server. they also noticed a bunch of new user accounts set up on the server. We would delete the accounts and they would say, ok, we will watch for this to happen again. I ran malware detection programs such as Malwarebytes on their machines and server to find nothing more than a couple of tracking cookies and a few common adware toolbars. I’d remove these and we would then wait. The waiting is the hardest part. Finally it became so annoying they asked what we could really do, as they were not spending money on a new system. So, at their behest, I went on site where I could focus on the task at hand without being disturbed by other clients, and watch the system from the console. That is where the fun really began.

I started off using process explorer to just take a general look at the system health. I noticed the CPU was being heavily used, but I have seen that on SBS servers before, usually because of e-mail coming in and being scanned, or SQL databases being used. Still,. I kept Process explorer open and opened the Terminal Server manager, where I noticed a clue to what was happening.

In the matter of minutes I watched a listener connect and disconnect, an obvious brute force attack on remote access for the server. this prompted me to open up Wireshark and take a look at incoming connections. This is what I saw:

primecoin wireshark

A quick check online of this IP Address showed it to be in Germany. Now why would someone from Germany try to brute force this small company? Well the next clue was hiding in plain site.

The problem with working in the IT field is overconfidence. It is what makes us overlook the obvious. In this case I was not noticing something in Process Explorer.

Process Explorer hack primecoin

Yes the suspended processes in the screen shot were the culprits. Don’t they look like normal Windows Processes though? They key was their actual path. Svchost.exe normall resides in C:\Windows\System32, but in the case of the processes I suspended they were located in c:\Windows\System. Odd I thought so I went to the C:\Windows\System directory and noticed a bunch of files I had not seen before, including a subdirectory. I double checked on a different client’s SBS2003 server (Yes I have a few that still run it), and sure enough, the subdirectories and extra files I had found were not supposed to be there. The System directory is not supposed to have any subdirectories at all. Add on that one of the directories was called Primecoin. Well a quick Google search revealed that Primecoin is a Bitcoin competitor, and obviously that the mining of Primecoins was the reason people were interested in this server.

The WMIAPSRV.exe seen above actually had the handles below:

Digging into the folder I found the config file which had a bunch on nodes listed in it:

This was all fine and good, but removing these files and directories, while cleaning up the system and bringing the processor load down, does not remove the way that they were getting in. Yes we had removed all the obvious fake accounts, but what else were they using? Turns out that when they had gotten the Admin Password cracked, they had enabled a couple of built in accounts, given them admin rights plus created a couple of accounts that sounded like they should be there. The biggest culprit was a built in support account which should have been disabled by default. I proceeded to remove or disable the accounts and reset permissions as needed, along with changing the admin password, and forcing the whole company to change their individual passwords, plus add on factors to the passwords to make them stronger.

There was one last thing to take care of, and that was the brute force attack on the server. I went in and reconfigured the Firewall and the Terminal Services to allow a rather low connection count/retries on the port that we had terminal services open on.

Since going through all these steps, there have not been any signs of the server being hacked. No odd accounts have shown up, no odd directories have shown up, and most importantly the server is running smooth and the CPU has not been spiking. Does this mean they are completely clean? Of course not, but the prognosis is leaning that way. We all know once compromised, a machine is easier to compromise again. Vigilance is the key here, at least until they decide to get a new server.


Disclaimer: The client I talk about in this article knows I was going to write about this and have left their name out of the article at their request.