James Brown (VP Technology Solutions Group, Alert Logic), Stephen Coty (Chief Security Evangelist, Alert Logic), and Paul Fletcher (Security Evangelist, Alert Logic)'s live hack demonstration at the NYC Alert Logic Cloud Security Summit on June 14, 2016.
Today’s Attacks are Becoming More Complex
THE CYBER KILL CHAIN¹
• IDENTIFY & RECON
• INITIAL ATTACK
• COMMAND & CONTROL
• DISCOVER & SPREAD
• EXTRACT & EXFILTRATE
THE IMPACT
• Financial loss
• Harm brand and reputation
• Scrutiny from regulators
• Attacks are multi-stage using multiple threat vectors
• Takes organizations months to identify they have been compromised
• 205 days on average before detection of compromise¹
• Over two-thirds of organizations find out from a 3rd party they have been compromised²
1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
2 – M-Trends 2015: A View from the Front Lines
Three Classes of Threat Actor
• Hacktivist
• Advanced Persistent Threat (APT)
• Cyber Criminal
Stopping Imminent Data Exfiltration
Customer Type: Retail
Threat Type: Advanced SQL Injection
• COMPROMISE ACTIVITY – Discovered through inspection of 987 log messages indicative of a SQL injection attack
• INCIDENT ESCALATION (8 min) – Partner and customer notified with threat source information & remediation tactics
• FURTHER ANALYSIS (2 hours) – Alert Logic Analyst confirms user IDs & password hashes leaked as part of initial attack
• EXFILTRATION ATTEMPT PREVENTED (6 hours) – Partner works with customer to mitigate compromised accounts
Preventing Ransomware Spread
Customer Type: Retail
Threat Type: Ransomware
• SUSPICIOUS ACTIVITY – Cryptowall detected on key gateway server in over 1,400 events (6,000 Packets)
• INCIDENT ESCALATION (14 min) – Critical risk of lateral movement through shared drives identified
• LATERAL MALWARE MOVEMENT PREVENTED (6 hours) – Analyst performs forensic review of additional 8,000 log messages and 1,400 events that identifies additional attack vectors through related events
Introductions:
James Brown – Title Too Long For Slide – Narrator
Richard Cassidy – Product & Technical Marketing – Role of SOC Analyst
Richard Kynaston – Some Hacker Dude – Role of Hacker
Site – the vanilla build of the underlying web server and possibly an application such as wordpress, but unmodified
Theme – the first class of “add-on”; 3rd party developed, usually added without full code review, may be hooking data from sensitive files or directories and/or may update/extend core wordpress files
Plug-ins – While themes can already be a problem on their own, plugins are usually the bigger danger: they may hook admin functionality and are again usually added without full code review. Depending on how fully featured/extensive the plugin is, this might double the available attack vectors
Your Apps – Have they been developed with a security mindset? Do they include files/code from 3rd party libraries? How is the code reviewed?
User Input – A real danger zone, especially if the input is used to form variables in code functions (may open doors such as SQL injection, XSS); a comment field, a mailing list subscription field, a guestbook, a search function and so on
Document Storage – upload functionality: is there sanitisation of allowed filetypes? Can the user access the raw file after upload? (may open the door to webshells, backdoors, defacement pages; could be vulnerable in tandem with user input)
Example recent vulnerable themes:
Wordpress WPLMS learning management system theme
Beauty Theme (arbitrary file upload)
Truemag theme – unauthenticated reflected XSS
Example recent vulnerable plugins:
Revslider (our demo example) - multiple issues such as unrestricted file upload, file disclosure/download https://vuldb.com/?id.76139
Custom Content Type Manager (project handed to new author “wooranker”, created a backdoor - https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html)
WooCommerce – popular wordpress e-commerce plugin (Feb 2016 XSS - https://0x62626262.wordpress.com/2016/02/24/import-woocommerce-xss-vulnerability/)
Kill Chain
Discuss what it is and how it relates to the anatomy of an attack
Discuss how we will show each stage of this being enacted as we run through the live hack
RevSlider Exploit
Discuss that we’re going to demonstrate an exploit in a popular Plugin as an example of what we’ve been discussing earlier in the presentation.
Show the Plugin in Action and what it is/does on the WP Site - https://vuldb.com/?id.76139
Recon (Finding & Verifying Your Target)
• Google Dorks - https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=inurl%3Arevslider%20inurl%3Atemp%20inurl%3Aupdate_extract (RevSlider Result) or inurl:revslider%2520inurl:temp%2520inurl:update_extract for exact Dork
• WPScan to verify vulnerability exists (can be used as an example of how our SOC can detect RECON activity against vulnerable site? OR
• Link it back to CLOUD INSIGHT and why vulnerability management is key in preventing the organization from being exploitable in the first place against unpatched Plugins? OR
• Discuss both
Initial Attack & CnC Activity
• CURL command line used to upload Web Shell via vulnerable Plugin: the function abused is embedded into “RevSlider” to make life simpler in updating the Plugin
• CnC Activity to Malicious IP (in most instances, either through known MALWARE Domain/IP SRC or TOR Exit Nodes)
• SOC View – NVISION ScreenShot on how this activity can be monitored, logged and identified by a trained SOC analyst and then escalated to the customer within a strict SLA to prevent attack reaching final stage of Kill Chain
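The SOC view above is a screenshot; as an added example (not Alert Logic’s tooling or the demo’s own code), the detection logic below shows what an analyst’s rule over web server access logs would have to catch for this attack: a scripted (curl) POST to the plugin’s AJAX handler, PHP being served from the plugin’s temp/update_extract directory (the same path the recon dork searches for), and a query string reaching for wp-config.php. The log lines, IP addresses and the query parameter names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jun/2016:10:01:02 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jun/2016:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=revslider_update HTTP/1.1" 200 88 "-" "curl/7.47.0"',
    '203.0.113.7 - - [14/Jun/2016:10:01:15 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/x.php HTTP/1.1" 200 2048 "-" "curl/7.47.0"',
    '203.0.113.7 - - [14/Jun/2016:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_file&img=../wp-config.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Jun/2016:10:03:05 +0000] "GET /wp-content/uploads/2016/06/logo.png HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

def classify(entry):
    """Return the detection tags that apply to one parsed request."""
    tags = []
    route, _, query = unquote(entry["path"]).lower().partition("?")   # decode %2F-style encoding first
    browser = entry["ua"].startswith("Mozilla")
    if "/revslider/temp/update_extract/" in route:
        tags.append("revslider_temp_access")          # the path the recon dork searches for
    if entry["method"] == "POST" and route.endswith("/admin-ajax.php") and "revslider" in query and not browser:
        tags.append("revslider_ajax_non_browser")     # scripted call to the plugin's AJAX handler
    if route.endswith(".php") and ("/wp-content/uploads/" in route or "/temp/update_extract/" in route):
        tags.append("php_exec_in_writable_dir")       # PHP served from a directory that should hold data only
    if "../" in query or "wp-config.php" in query:
        tags.append("traversal_or_config_read")       # file-disclosure attempt aimed at the DB credentials
    return tags

def detect(lines):
    """Tag every request; name sources that chain a scripted plugin call with PHP execution."""
    alerts, per_ip = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # unparseable line: skip rather than crash
        entry = m.groupdict()
        for tag in classify(entry):
            alerts.append((entry["ip"], tag, entry["path"]))
            per_ip[entry["ip"]].add(tag)
    chains = [ip for ip, tags in per_ip.items()
              if {"revslider_ajax_non_browser", "php_exec_in_writable_dir"} <= tags]
    return alerts, chains
```

Run `detect(SAMPLE_LOG)`: the first return value lists every tagged request, the second names the source that both called the handler from a script and then executed PHP out of the extract directory, which is the sequence worth escalating.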
Discover & Spread (Lateral Movement)
• Hacker's WSO provides Control Panel Access
• Demonstrate that the WP Admin console is not logged in but that the Hacker now has admin-level access through exploiting the vulnerable plugin
• Hacker can laterally move within server directories
• SQL Config File for Keys (Pre-Exfiltration Phase): PII, Financial Data, IP, etc…
• Admin Directories Traversal: Gather Data to infect other systems
• Anecdote on 205 Days in target network ahead of moving to final exfiltration stage on Kill Chain
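Because the web shell gives admin-level access without ever touching the WP Admin login, this stage leaves nothing in WordPress’s own audit trail; the defender has to look at the filesystem. As an added example (not Alert Logic’s tooling or the demo’s own code), the scanner below walks a web root for PHP files in directories WordPress only needs as writable storage and for source-level shell indicators; the directory list, indicator names and the sample tree are my assumptions, and the flagged sample files are harmless stand-ins rather than working shells.

```python
import os
import re

# Directories WordPress needs writable; nothing under them should ever be executable PHP.
WRITABLE_DIRS = ("/wp-content/uploads/", "/temp/update_extract/")

SUSPICIOUS = {   # source-level indicators typical of drop-in shells
    "eval_or_exec": re.compile(r"\b(eval|assert|system|passthru|shell_exec|proc_open)\s*\("),
    "request_input": re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b"),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(|\\x[0-9a-fA-F]{2}"),
}

def inspect_file(relpath, text):
    """Return the indicator names that apply to one file (path relative to the web root)."""
    hits = []
    p = "/" + relpath.replace("\\", "/").lower()
    if p.endswith(".php") and any(d in p for d in WRITABLE_DIRS):
        hits.append("php_in_writable_dir")
    if "<?" in text:                       # inspect PHP-bearing content whatever the extension
        hits += [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if p.rsplit(".", 1)[-1] in ("png", "jpg", "jpeg", "gif", "txt"):
            hits.append("php_tag_in_non_php_file")   # polyglot / disguised upload
    return hits

def scan_tree(files):
    """files: {relpath: content}. Returns {relpath: indicators} for every file with a hit."""
    return {p: h for p, t in files.items() if (h := inspect_file(p, t))}

def scan_webroot(root, max_bytes=200_000):
    """Walk a real web root and apply the same checks; unreadable files are skipped."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            full = os.path.join(d, n)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read(max_bytes)
            except OSError:
                continue
    return scan_tree(files)

# Constructed sample tree (not from the demo); the flagged files are harmless stand-ins, not shells.
SAMPLE_TREE = {
    "wp-content/uploads/2016/06/logo.png": "\x89PNG\r\n",
    "wp-content/plugins/revslider/revslider.php": "<?php /* plugin entry point */ add_action('init', 'rev_init');",
    "wp-content/plugins/revslider/temp/update_extract/revslider/x.php":
        "<?php $unused = $_REQUEST['x']; eval(base64_decode('ZWNobyAxOw==')); /* constructed */",
    "wp-content/uploads/2016/06/avatar.jpg": "\xff\xd8\xff <?php echo $_GET['c']; ?>",
}
```

`scan_webroot("/var/www/html")` applies the same checks to a live site; a regular run diffed against the previous result is a cheap file-integrity signal for the plugin directories this attack writes into.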