The Great Train Robbery of 1963 in Buckinghamshire, UK was orchestrated by a gang of 15 robbers that devised and executed a well laid out plan over the course of several months. Fast forward 56 years and we’re still seeing gangs of modern-day robbers orchestrating elaborate plans. Only in 2019, these plans leverage the power of technology and computing to carry out remote reconnaissance and data theft, all without the criminal having to leave the home.
While it’s been difficult to pin down the exact cost of intellectual property, IP, theft over the years, recent estimates have placed the loss in excess of $225 billion and as high as $600 billion per year. The loss of a company’s intellectual property, oftentimes the backbone of an organisation, can be a business’ death knell, or failing that, a severe hurdle.
After getting into a system, insiders and nation state attackers alike have a plethora of ways to pull off a heist and exfiltrate sensitive IP, be it source code, schematics, or technical design files.
Supply chain woes
One of the more commonly exploited vectors used by attackers today is poorly secured third-party supply chain vendors. Adversaries often take aim at organisations that have unfettered access to a multitude of customers to get a foothold inside their primary target.
What better way than to steal the keys from one kingdom in order to access a universe of kingdoms? To make matters worse, in most scenarios, visibility into these environments as a customer is essentially zero, meaning that at any point an attacker could gain unauthorised access without your knowledge. From there, they just blend right in.
A case I worked on recently involved an IT administration company and the attacker moving laterally through a third-party firewall. After they were in, the attackers leveraged the Windows Sysinternals utility PsExec to authenticate across the environment using an account with Domain Administrator privileges stolen from the supply chain vendor.
After identifying the data they were after, the attackers leveraged a file compression utility WinRAR to compress and password protect the IP; from there they funnelled the information back through the third-party firewall to exfiltrate. This allowed the attackers to avoid installing any malware or use any exfiltration protocols on the target network.
The behaviour was detectable after baselining the environment for lateral movement over the course of the last 60-90 days to identify anomalies. In doing so, this behaviour stood out immediately. Gaining a view of your environment’s normal day-to-day activity is crucial when it comes to sniffing out data theft techniques like this.
Beware the inside accomplice
Another attack vector I’ve observed does involve some physical presence, but a majority of the attack is conducted remotely. These attacks, which can take place at data centres and small site locations, involve employees of IT telecommunication companies assisting adversaries in gaining access to their targets.
Consider the following real-world scenario: Scheduled routine maintenance on the company’s IT equipment takes place, but when the technician arrives on the scene, some additional configuration is performed on one of the routers that opens a backdoor for the attacker to stroll right in. The technique no different than having an inside accomplice working at a bank provide the means for carrying out a robbery.
In this case, once in, the adversaries were able to install a well-known Remote Access Trojan, 9002 RAT, with an extensive list of exfiltration capabilities tying back to the attackers’ command and control infrastructure. Stored on each of the endpoints at this particular site was an application that synced trade secret data to a local database. The backdoor was able to locate this data and tunnel it out over an encrypted protocol.
Detecting this type of behaviour can be nearly impossible but having a degree of visibility into endpoint activity could have helped. Logging remote authentication attempts, alerting on unsigned binary executions, and keeping a watchful eye on telecommunication techs surely could have helped this organisation mitigate this scenario.
Insiders are always a concern given the level of access they have and their knowledge of where sensitive data is stored, but catching those criminals can be complicated when the insider feigns ignorance.
Consider this other scenario: An insider feeds intelligence to attackers and “accidentally” clicks on phishing links. I’ve seen employees of companies assist nation state adversaries by simply opening the door for them, then easily defend their actions by claiming ignorance. If your organisation receives 300 phishing emails and ten people click on the link, what happens to those ten people? Sure, you can enforce some additional security awareness training, but do you ever ask the question: “Was it intentional?”
While not everyone that clicks on a phishing attachment should be investigated, it is good to be aware. I worked on a case once where an employee infected his computer, allowed the adversary to use his machine as a backdoor, then played the victim. In this incident, the data the adversary was targeting had been stored in a compressed zip file on a network share. With logs, we were able to determine that six months prior, the data had been compressed and stored by that same employee.
Because of a lack of visibility on the organisation’s servers, the data was successfully exfiltrated after the adversaries dropped a file with China Chopper code, a webshell capable of exfiltrating information back to a remote command and control server. Organisations running externally facing webservers should always be on the lookout for suspicious files with odd timestamps on them. Some webshell variants are so small in size that searching by last modified, for files that are around 73 bytes in size, could be a good indicator that something may be afoot.
To stop IP theft, one of the big lessons to be learned here is that organisations need to make an effort to attain visibility across all of the devices in their network, especially servers. In about 75 percent of the cases I’ve worked on, exfiltration attempts occur from a server because their required uptime makes them more accessible targets for data theft. Conversely, computers that are shutdown at the end of every day aren’t reliable targets.
A majority of the gang members in that Great Train Robbery of 1963 ended up with convictions and in prison after attempting to hide out at a farm. The robberies conducted in today’s world often never end up with a conviction, so it’s imperative we protect our assets as best we can and respond immediately to prevent any exfiltration of sensitive information.
By Tim Bandos, VP Cybersecurity, Digital Guardian.