Cyber Threats ABMTS – Cincinnati, OH Malcolm Sykes, CISSP & Terry Lewis

Date post: 12-Jan-2016

Transcript
Page 1: Cyber Threats ABMTS – Cincinnati, OH Malcolm Sykes, CISSP & Terry Lewis.

Cyber Threats

ABMTS – Cincinnati, OH

Malcolm Sykes, CISSP & Terry Lewis

Page 2

The IRS as Target

700+ PODs (posts of duty)

More PII than any other government agency

Largest IT environment of any U.S. civilian agency

Processes $2.5T of revenues

Complex & diverse IT infrastructure

Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)

Page 3

The Threats & Vectors

Malware (Trojans, viruses, worms, spyware, etc.): web browsing, e-mail, removable media

Data disclosure & integrity: authorized users, lost & stolen equipment, network penetration

Denial of service: botnets

Insider attacks

Page 4

Emerging Threats

Mobile malware (Blackberry, iPhone, iPad)

Intrusion + Worm + Virus = Blended Threat

Memory-based rootkits & other malware

Cloud computing

Infrastructure & contractor outsourcing

Cross-platform malware, including virtualized environments

Blended threats (multiple vectors)

Page 5

Computer Hackers

Who are they?

No longer just techno-geeks.

Page 6

The Attackers

Financially or politically motivated: criminal gangs, hacker gangs, political or religious groups

Well resourced

Employ individuals or groups of hackers to steal PII, credit card & banking information

Create & sell botnets & hacker tools

Sometimes engage in activity to wage cyber war on each other or to boost their reputation

Hacking for military and commercial secrets & to inflict damage

Funded by criminal enterprises, nations, political or religious entities

Page 7

Political or Religious Groups

Highly motivated, professionally trained & equipped adversaries

Espionage and sabotage aimed at US Government, Military & Commercial sites

Strategic & tactical attacks

Threat to the military & economic security of the United States

Page 8

Botnet Attack

Distributed Denial of Service (DDoS) attack launched on the weekend of July 4, 2009

Targeted 27 American and South Korean government agencies and commercial Web sites

US Government targets included the White House, Secret Service, Federal Trade Commission, Transportation Dept. & the Treasury Dept. (but not IRS)

US Commercial targets included the New York Stock Exchange, Nasdaq, Yahoo & The Washington Post

South Korean targets included the presidential Blue House, Defense Ministry, National Assembly, Shinhan Bank, the Chosun Ilbo newspaper & top Internet portal Naver.com

Estimated over 50,000 IP addresses were participating in this attack

Rated as unsophisticated

Full recovery in less than one week

Source: as reported in the New York Times, July 8, 2009

Page 9

Vulnerabilities & Mitigations

Vulnerability: Default machine configurations are inherently insecure
Mitigation: IRM requirements & policy checkers; standard workstation COE image based on the FDCC

Vulnerability: Patching & updating is often delayed in large organizations due to testing & implementation restrictions
Mitigation: Assigned staffs, timeframes & tracking of updates

Vulnerability: Absent, disabled or outdated anti-virus programs, firewalls, etc.
Mitigation: Compliance reviews

Vulnerability: Risky web-surfing & e-mail behavior
Mitigation: Security awareness presentations & materials; AV software, firewalls, site blocking software, network monitoring & IDSs

Vulnerability: Social engineering
Mitigation: Security awareness presentations & materials

Page 10

Targeting End-users

This is a byproduct of the move towards financially motivated malicious activity

Malicious activity has moved away from targeting computers & towards targeting end users themselves

Specifically, attackers are targeting confidential end-user information that can be used in fraudulent activity for financial gain as well as in attacking systems

Attackers no longer need to penetrate security perimeters

Page 11

“Electronically Transmitted Diseases”

More employees are using mobile media: CDs, DVDs, thumb drives, MP3 players (iPods), external hard drives

Mobile media is used by criminals as another vector to spread their malware. In addition to mobile media containing software, music, etc. purchased from flea markets, found in parking lots, etc., some commercially produced software has contained code that makes systems vulnerable to rootkits & other malware

Mobile media connected to a non-IRS system will be exposed to any malware left behind from previously installed ETDs

Internal Revenue Manual (IRM) 10.8.1.5.2.5 prohibits the use of personally owned equipment, including software & media, on IRS systems & vice versa

Page 12

Cybersecurity Misconceptions

No one knows who I am on the Internet

The Internet is a virtual world, so nothing bad can happen to me

Security software (anti-virus, firewall, etc.) will protect me

The IRS will protect me

Law enforcement will protect me

Who believes all this?

Page 13

Credit Card Sales

Page 14

“5568”

Billing: Pxxx xxx
xxx xxx Road
Suite 400
xxx, CA xxx
US
Phone: xxxxxx7605
e-mail: [email protected]
Payment Method: Credit Card
Name On Card: Pxxx x. xxx
Credit Card #: 5568xxxxxxxxxxxx
Credit Type: MasterCard
Expires: 05/2009
CVV2: 421
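The record above is what a stolen-card listing looks like once it is for sale. The block below is an added example, not material from the presentation: it shows the basic filter a DLP rule, log scanner or incident responder uses to pick real card numbers (PANs) out of text such as a suspect file, an outbound e-mail or a proxy log, namely a digit-run regex followed by the Luhn checksum, so that every 16-digit order number is not flagged. The sample record, host names and numbers are constructed; only the 5568 prefix comes from the slide, padded here to a Luhn-valid test value, and the issuer ranges in brand() are an assumption for illustration.

```python
"""
Luhn-validated scan for card numbers (PANs) in free text.
Added example; sample data is constructed, not from the presentation.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# glued to other digits on either side (so a 20-digit serial is skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # digit sum of the doubled value
        total += d
    return total % 10 == 0


def brand(digits: str) -> str:
    """Coarse issuer guess from leading digits (ranges assumed for this example)."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4":
        return "Visa"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "MasterCard"
    if two in (34, 37):
        return "American Express"
    return "Unknown"


def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits, star the rest, so a finding can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (masked PAN, brand) for every Luhn-valid candidate in text, in order."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), brand(digits)))
    return hits


# Constructed sample: a carder-style record plus two decoys.  The 16-digit
# "order ref" fails Luhn and must not be reported; 4111... is the well-known
# Visa test number and must be.
SAMPLE = """Name On Card: Pxxx x. xxx
Credit Card #: 5568 0000 0000 0003
Credit Type: MasterCard
Expires: 05/2009
CVV2: 421
Order ref: 1234567890123456
Backup card: 4111-1111-1111-1111
"""

if __name__ == "__main__":
    for masked, issuer in find_pans(SAMPLE):
        print(masked, issuer)
```

Luhn removes most random digit runs but not all (one in ten random numbers passes), so a production rule also looks at context such as nearby expiry dates or CVV fields, exactly the fields present in the listing above, before raising an alert.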

Page 15

Capturing Card Number & PIN

Organization database attacks

Social engineering via e-mail, web site, telephone or postal mail

Dumpster diving & trash collection

Man-in-the-middle web site attacks

Bank ATM modifications: equipment disguised to look like a normal ATM; a wireless “skimmer” & video camera transmit the scanned card information & PIN; criminals copy cards & use PINs to withdraw cash

Page 16

Wireless Scanner Equipment being installed on top of existing bank card slot.

Page 17

Wireless Video Camera: the PIN-reading camera being installed on the ATM is housed in an innocent-looking leaflet enclosure.

Page 18

From Patch to First Attack

Worm     Patch      Patch released   First attack     Window
Nimda    MS00-078   Oct. 17, 2000    Sept. 18, 2001   336 days
Slammer  MS02-039   Jul. 24, 2002    Jan. 25, 2003    185 days
Blaster  MS03-026   Jul. 16, 2003    Aug. 11, 2003    26 days
Sasser   MS04-011   Apr. 13, 2004    Apr. 30, 2004    17 days
JView    MS05-037   Jul. 12, 2005    June 2005        0-day (exploited before the patch existed)

Page 19

Zero-Day Exploits

High-risk, undocumented vulnerabilities with no approved patch

CSIRC released 10 Critical Advisories & 1 Bulletin for zero-day exploits since Jan 1, 2009

Multiple zero-day exploits targeted IRS Business Units via e-mail

Sometimes discovered by hackers & kept secret prior to use

Some patches not released in a timely manner (RPC memory overflow: over 4 years)

Page 20

Zero-Day Exploit Against IRS

In February 2009, an e-mail was sent to 2 IRS e-mail accounts

Attachments utilized a Microsoft Excel zero-day exploit

Malware designed to export data to a remote IP address

Used custom encryption (non-SSL) over TCP port 443

Target IRS e-mail addresses included: a former employee (account/e-mail disabled) and a distribution list (e-mail forwarded to 10 employees)

Analysis confirmed outbound connection attempts were blocked & no data was exported

[Slide graphic: a stack of spoofed envelopes from “I. M. Hacker” addressed to “IRS Employee, Some Building, Anywhere, USA 66666”, one marked X]

Page 21

Zero-Day Exploit Overview

Diagram of the e-mail path: sent via gmail.com, through the Treasury E-mail Gateway and the IRS E-mail Gateway, to an IRS employee address (invalid account) and an IRS distribution list (10 employees)

E-mail attachment: Microsoft Excel spreadsheet carrying the zero-day exploit

Spear phishing e-mail was sent on a Friday targeting two (2) IRS e-mail addresses, one of which was a distribution address. NOTE: the following Monday was a federal holiday.

Call-back IP address (marked X in the diagram): analysis identified that the malware calls back to an IP address residing in the US over TCP port 443 using custom encryption for beaconing and/or data exfiltration activity

IRS Environment
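The call-back traffic on slides 20 and 21 rode TCP port 443 with custom encryption rather than SSL/TLS. A port-based firewall rule waves that through; what catches it is a check that the bytes on a 443 connection actually open a TLS handshake. The block below is an added example, not code from the presentation or the IRS: it inspects the first client payload of each flow and flags 443 connections that are neither a TLS ClientHello nor a legacy SSLv2-style hello. The Flow records, addresses and payload bytes are constructed; the ClientHello bytes are a hand-built TLS 1.0 record header plus handshake header.

```python
"""
Flag TCP/443 connections whose first client bytes are not a TLS ClientHello.
Added example; the flows below are constructed, not from the presentation.
"""
from dataclasses import dataclass

TLS_RECORD_HANDSHAKE = 0x16        # record-layer content type "handshake"
TLS_HANDSHAKE_CLIENT_HELLO = 0x01  # first handshake message a client sends
SSLV2_LENGTH_HIGH_BIT = 0x80       # SSLv2-compatible hello: 2-byte length, high bit set


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes the client sent after the TCP handshake


def looks_like_client_hello(payload: bytes) -> bool:
    """True if payload opens a TLS handshake record whose first message is ClientHello.

    Record header: type(1) version(2) length(2); then the handshake header
    msg_type(1) length(3).  Version 3.0 to 3.4 covers SSLv3 through TLS 1.3
    (a TLS 1.3 client still puts 0x0301 in the record header).
    """
    if len(payload) < 6 or payload[0] != TLS_RECORD_HANDSHAKE:
        return False
    major, minor = payload[1], payload[2]
    if major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len < 4 or record_len > 16384:   # ClientHello is plaintext, max 2^14
        return False
    return payload[5] == TLS_HANDSHAKE_CLIENT_HELLO


def looks_like_sslv2_hello(payload: bytes) -> bool:
    """Legacy SSLv2-compatible ClientHello (still sent by some 2009-era clients)."""
    return len(payload) >= 3 and bool(payload[0] & SSLV2_LENGTH_HIGH_BIT) and payload[2] == 0x01


def find_non_tls_on_443(flows):
    """Flows to port 443 that start with neither a TLS nor an SSLv2 handshake."""
    return [
        f for f in flows
        if f.dport == 443
        and not looks_like_client_hello(f.first_payload)
        and not looks_like_sslv2_hello(f.first_payload)
    ]


# Constructed samples.  CLIENT_HELLO: record 16 03 01 00 2f, handshake 01 00 00 2b,
# then 43 bytes of body (contents irrelevant to the header check).
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]) + bytes(43)

SAMPLE_FLOWS = [
    Flow("10.10.5.21", "93.184.216.34", 443, CLIENT_HELLO),                          # real HTTPS
    Flow("10.10.5.22", "198.51.100.7", 443, b"\x9c\x41\x7e\x03\x5a\xd1\x08\x22"),   # custom crypto on 443
    Flow("10.10.5.23", "198.51.100.8", 443, b"GET /beacon HTTP/1.1\r\n"),           # cleartext HTTP on 443
    Flow("10.10.5.24", "203.0.113.5", 80, b"GET / HTTP/1.1\r\n"),                   # not 443, ignored
]


def suspicious_sources(flows=SAMPLE_FLOWS):
    """Client addresses that used port 443 for something other than SSL/TLS."""
    return [f.src for f in find_non_tls_on_443(flows)]


if __name__ == "__main__":
    for f in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:443 first bytes {f.first_payload[:8].hex()} are not TLS")
```

In TLS the client always speaks first, so the first client payload is enough to decide. The check only catches malware that skips TLS; a sample wrapping its traffic in real TLS to a self-signed certificate needs certificate and destination checks instead, and proxy-aware environments like the one on the slide get the same result by forcing 443 through a proxy that refuses non-CONNECT traffic.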

Page 22

Real or Fake?

Page 23

CNN Phishing

Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict

It appeared to originate from CNN & contained a link to a website posing as CNN, which contained what looked like a video file

All links on the website actually resolved to the valid CNN website

Visitors who attempted to view the video were prompted to update to a new version of the Adobe Flash Player

The update was actually malicious code

Page 24

CNN Phishing

Diagram elements: IRS User, IRS System, IRS.gov Exchange Server, Israel/Hamas spam mail, fake CNN site hxxp://xxx.cnn.2009.xxxxxxxxxxxxxxxxx.com, second-stage site hxxp://xxxxx.com/servicepack1.exe, Russian IP

Sequence shown in the diagram:

User receives spam

User views video and attempts to update Adobe Flash Player

Malicious code (Adobe_Player10.exe) downloaded and installed

User is redirected to a second-stage website

Malicious code (servicepack1.exe) is downloaded and installed

Data exfiltration to Russia

Page 25

IRS Response to CNN Phishing

IRS initiated Content Filtering to block the e-mail

Only 11 of 38 AV products could detect stage one

Only 2 of 38 AV vendors’ signatures could detect stage two

Analysis revealed 36 IRS systems visited the fraudulent CNN website (Stage One)

Additional analysis identified 1 IRS system issuing HTTP GET requests to the Russian IP address every 20 minutes (Stage Two)

Further analysis confirmed that no data was exported

Page 26

“Just Surfing the Web”

In November 2009, an employee performs a search via Yahoo! for “1979-2007 vehicle wiring diagrams”.

Page 27

“Just Surfing the Web”

First (non-sponsored) URL listed by the search engine was malicious

Embedded HTML executed a PHP file, downloading the malware file 45096.exe

Malware executes & begins beaconing home to kinoarts.com over TCP port 80

Analysis revealed 2 additional call-back sites not being blocked by IRS

Further analysis confirmed outbound connection attempts were blocked & no data was exported

Page 28

Beacons

A beacon is an intentionally conspicuous device designed to attract attention to a specific location

In the cyber world, a beacon is a system that repeatedly attempts to make a hidden connection with one or more systems outside of its network

Ordinary user traffic is fairly random, so traffic generating a significant regular pattern is indicative of a beacon
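The slide's rule of thumb, that user traffic is irregular while a beacon repeats on a fixed interval, is directly testable against a proxy log. The block below is an added example, not from the presentation: it groups requests by (client, destination), measures the gaps between requests, and flags pairs whose gaps are both numerous and nearly constant, which is the pattern behind the "HTTP GET every 20 minutes" finding on slide 25 and the call-home activity on slide 29. The log format, hosts and timestamps are constructed; a real proxy log needs only the regex changed.

```python
"""
Periodicity check for beacons in proxy-log timestamps.
Added example; the log lines below are constructed, not from the presentation.
"""
import re
import statistics
from collections import defaultdict

# Constructed line format: epoch_seconds client_ip method url
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<method>\S+) https?://(?P<dst>[^/\s]+)")

BASE = 1233331200  # arbitrary epoch start (30 Jan 2009)


def _lines(src, host, offsets, path="/"):
    """Build sample log lines for one client hitting one host at the given second offsets."""
    return [f"{BASE + o:.3f} {src} GET http://{host}{path}" for o in offsets]


# One infected host calling back every ~20 min with a few seconds of jitter,
# two hosts doing bursty human browsing, and one host with too few requests to judge.
SAMPLE_LOG = (
    _lines("10.10.5.23", "198.51.100.8", [0, 1200, 2399, 3602, 4800, 6001, 7201, 8403], "/x.php")
    + _lines("10.10.5.40", "news.example.com", [0, 3, 8, 250, 255, 1100, 1105, 4000, 4002])
    + _lines("10.10.5.41", "www.example.org", [5, 6, 7, 9, 600, 601, 7200])
    + _lines("10.10.5.42", "cdn.example.net", [0, 1200, 2400])
)


def group_by_pair(lines):
    """Request timestamps per (client, destination host); lines the regex rejects are skipped."""
    pairs = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            pairs[(m["src"], m["dst"])].append(float(m["ts"]))
    return pairs


def interval_stats(times):
    """Mean gap between consecutive requests and its coefficient of variation (stdev/mean)."""
    if len(times) < 2:
        return 0.0, float("inf")
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(lines, min_requests=6, max_cv=0.1):
    """Pairs with at least min_requests hits whose gaps vary by no more than max_cv."""
    hits = []
    for (src, dst), times in group_by_pair(lines).items():
        if len(times) < min_requests:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "n": len(times),
                         "period_s": round(mean), "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['src']} -> {h['dst']}: {h['n']} requests, period ~{h['period_s']}s, cv={h['cv']}")
```

On a real log, run this over a window of a day or more so that short beacon periods accumulate enough samples, raise max_cv to around 0.2 or 0.3 to tolerate deliberate jitter, and allowlist the legitimately periodic sources that will also score well (AV and OS update checks, monitoring agents, NTP over HTTP proxies). Beacons that sleep a random multiple of a base interval defeat a plain variance test and need the gap distribution itself examined.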

Page 29

Beaconing Activity

Beaconing from an infected IRS system attempting to “call home” to a website in China for further instructions. The website was a known malicious website that was blocked.

Page 30

SCADA (Supervisory Control & Data Acquisition)

Provides data display, alarming, trending, reporting, & control for devices & equipment in remote locations (via LAN, modem, wireless technologies, or Internet)

Think US Critical Infrastructure

Page 31

Cyber Attacks on SCADA

Unintentional consequences caused by internal personnel or mechanisms (testing software on operational systems or unauthorized system configuration changes)

Unintentional consequences or collateral damage from malware

Intentional attacks such as gaining control or DoS attack

Aurora: simulated cyber attack on a SCADA system in March 2007

Both unintentional and intentional attacks on SCADA systems have been documented

Page 32

Questions or Comments
