Cyber Side-Effects - Cloud Databases and Modern Malware

Database as a Service (DBaaS) offers a self-service model for provisioning databases, without the cost of setting up servers and burdening IT teams. However, DBaaS also offers cyber criminals easier access to your data, from both inside and outside the service. Apart from offering criminals a cheap and safe playground, DBaaS itself introduces new security issues. When an organization's internal data is stored in the cloud, an attacker no longer needs to gain access to the organization's network before compromising high-value data. This presentation will:
- Show how attackers are exploiting cloud database services in their operations
- Discuss key implications to internal databases
- Identify the hidden risks of DBaaS
- Re-assess the severity of database vulnerabilities in a hosted environment

Published in: Technology

Cyber Side-Effects - Cloud Databases and Modern Malware

  1. Cyber Side-Effects: Cloud Databases and Modern Malware. Amichai Shulman, CTO, Imperva. © 2014 Imperva, Inc. All rights reserved.
  2. Agenda
     - Introduction
     - The story of a malware and a database
     - DAMP – Database as a malware platform
     - Reflections on malware and DB access
     - Reflections on DBaaS and DB vulnerabilities
     - Summary and conclusion
     - Q&A
  3. Amichai Shulman, CTO, Imperva
     - Speaker at industry events
       - RSA, Appsec, Info Security UK, Black Hat
     - Lecturer on information security
       - Technion - Israel Institute of Technology
     - Former security consultant to banks & financial services firms
     - Leads the Application Defense Center (ADC)
       - Discovered over 20 commercial application vulnerabilities
     - Credited by Oracle, MS-SQL, IBM and others
     - One of InfoWorld's "Top 25 CTOs"
  4. HII Reports
     - The Hacker Intelligence Initiative (HII) focuses on understanding how attackers operate in practice
       - A different approach from vulnerability research
     - Data set composition
       - ~350 real-world applications
       - Anonymous proxies
     - More than 30 months of data
     - Powerful analysis system
       - Combines analytic tools with drill-down capabilities
  5. The Story of a Malware and a Database
  6. Malware Sample
     - Obtained sample in June 2013
       - Phishing email
     - Made in Brazil
     - Uses a popular hosting service for Drop and C&C
       - C&C stores functional code and bot management information
       - Drop server stores stolen information
     - Uses the local SQLOLEDB provider for database communication
  7-8. Malware Sample – Infection Flow
     - Starts with a phishing email
       - Notice of debt from a known bank in Brazil
       - "E-mail verified by windows live anti-spam"
       - Link to an alleged PDF file (detailing the debt)
  9. Malware Sample – Infection Flow
     - Link leads to a screen saver file
     - Practically an executable
  10. Follow the Rabbit
  11-12. Follow the Rabbit
     - MIM "attack" between payload and hosted database
       - Capture negotiation packet
       - Switch from encrypted to plain text
       - Connect with plaintext credentials to hosted DB
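The "switch from encrypted to plain text" on slides 11-12 happens in the TDS PRELOGIN exchange that SQLOLEDB and SQL Server perform before login. The following is an added example, not code from the slides or from Imperva: it parses the PRELOGIN packet per the MS-TDS layout and classifies what the server's ENCRYPTION reply actually negotiated, so a defender watching database traffic can alert when a session was downgraded. The packet builder, the function names and the sample packets are mine and constructed for the example.

```python
# Added example, not from the Imperva slides: parse the TDS PRELOGIN packet
# exchanged before login (layout per MS-TDS) and classify the ENCRYPTION
# outcome so a monitor can alert on sessions downgraded to plain text.
import struct

TDS_PRELOGIN = 0x12            # packet-type byte of a PRELOGIN message
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0, 1, 2, 3

def build_prelogin(encryption: int) -> bytes:
    """Constructed sample PRELOGIN packet carrying VERSION and ENCRYPTION."""
    version = struct.pack(">IH", 0x0B000000, 0)          # 6 bytes of version data
    # option table: two 5-byte tokens + 1 terminator = 11 bytes, so option
    # data starts at payload offset 11 (offsets are relative to the payload)
    tokens = struct.pack(">BHH", OPT_VERSION, 11, len(version))
    tokens += struct.pack(">BHH", OPT_ENCRYPTION, 11 + len(version), 1)
    tokens += bytes([OPT_TERMINATOR])
    payload = tokens + version + bytes([encryption])
    # 8-byte TDS header: type, status (EOM), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

def prelogin_encryption(packet: bytes):
    """Return the ENCRYPTION value (0..3) of a PRELOGIN packet, else None."""
    hdr_ok = len(packet) >= 8 and packet[0] == TDS_PRELOGIN
    if not hdr_ok or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return None
    payload, pos = packet[8:], 0
    while pos + 5 <= len(payload) and payload[pos] != OPT_TERMINATOR:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION and size == 1 and offset < len(payload):
            return payload[offset]
        pos += 5
    return None

def classify_session(client_pkt: bytes, server_pkt: bytes) -> str:
    """Classify a client/server PRELOGIN pair by the server's reply, which
    decides the session under MS-TDS: NOT_SUP = no TLS at all (LOGIN7 with
    credentials in the clear), OFF = only LOGIN7 encrypted, ON/REQ = full TLS."""
    client, server = prelogin_encryption(client_pkt), prelogin_encryption(server_pkt)
    if client is None or server is None:
        return "malformed"
    if server == ENCRYPT_NOT_SUP:
        return "plaintext"
    if server == ENCRYPT_OFF:
        return "login-only"
    return "full"
```

A "plaintext" or "malformed" result for a connection to a hosted database is the condition worth alerting on; "login-only" still exposes every query and result set after login.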
  13. Follow the Rabbit
     - After the connection to the DB is established
       - Malware stub invokes stored procedure "retorna_dados" (retrieve data)
       - Retrieves 3 binary payloads from table "carrega" (payload)
       - Stub selects one (according to column number)
     - Saves it in %AppData%
     - Names it govision.dll
  14-15. Follow the Rabbit
     - VirusTotal results for original binary: 30/46
       - Categorized as "banker"
     - Other 2 binaries less "notorious", achieving 4/47 and 10/47
  16-17. Follow the Rabbit
     - 2nd stored procedure called "add_avs"
       - Registers new bot agent in the C&C database
       - Identifier (C volume), version, Windows OS, browsers (Explorer and FireFox), date and some more ambiguous info "ins###"
  18. Jumping Into the Rabbit Hole
  19. Jumping Into the Rabbit Hole
     - Connecting to the DB and collaborating with the service provider revealed:
       - 5 C&C databases and 2 Drop servers
       - C&C grouped by different binaries in "carrega"
         - CC1.db1, CC1.db2, CC1.db3
         - CC2.db1, CC2.db2
       - Drop servers
         - Drop1 – compromised mail accounts
           - Correlated machines from CC1&2 with data in Drop1
         - Drop2 – stolen banking activity information
           - From the same bank as in the initial phishing email
  20. Jumping Into the Rabbit Hole
  21. C&C Servers
     - Similarities
       - Same table structure
       - Same set of stored procedures
       - Some agents found in multiple tables
         - Due to multiple infections / test machines
       - Binaries (divided into 2 groups)
     - Differences
       - Mostly disjoint sets of agents
       - Names
       - Differences in format of stored data
         - Hyphen instead of parenthesis
         - Version number
  22. C&C Servers – Same machine in all tables
  23. C&C Servers
     - Overall ~350 machines infected between Feb-June 2013
  24. C&C Servers
     - 95% of infections occurred between June 3 – June 10
       - Earlier infections perhaps QA tests
       - Attacker ran small simultaneous campaigns – wasn't detected by anti-spam mechanism
  25-26. C&C Servers
     - OS distribution
       - 54% use old XP OS
       - 65.5% enterprise editions
  27-28. Drop Servers
     - DROP 1
       - Compromised email accounts
       - SMTP & POP3 servers
       - Contact lists
         - Extracted from Outlook or Outlook Express
     - Some "hand picked" accounts were found to be blocked due to spam
     - From April 10 - June 10, 2013
     - ~600 infected machines & 767 compromised accounts
     - Thousands of stolen contacts
  29. Drop Servers
     - Drop1 had (only) 7 agents correlated to C&C servers
       - Strengthens the hypothesis that these servers are from the same family
       - Size of the unknown operation much bigger than what we had access to
       - Many more C&C servers than Drop servers
         - Infection achieved by multiple small campaigns rather than a single large one
         - Botnet army more resilient to server "takedowns"
  30. Drop Servers
     - Drop 1 email accounts give visibility into geographical distribution
     - Top: Brazil, USA, Argentina, Spain
  31. Drop Servers
  32. Drop Servers
     - Drop2 contains stolen banking activity
     - Same banking application that was targeted by the phishing campaign
     - Each record contains
       - Serial number
       - Machine ID
       - Unstructured data
       - Timestamp
     - No machines were correlated with entries in other databases
     - Over 400 entries from 12 different machines
  33-34. Drop Servers
     - Attackers targeted corporate accounts
       - Offer greater financial rewards
       - Bank is dedicated to corporate accounts
       - The bank itself was not breached
     - Timeline between May 17 - June 15, 2013
  35. Drop Servers
     - Drop2 entries come from 5 different malware versions:
       - 118, 126, 127, 128, 129
       - Only one machine "evolved" from 128 to 129
  36. Drop Servers
     - Version entries by date
  37-39. Drop Servers
     - Entries in the same timeframe contain the same "CONTROLE" (session) value
     - Entries are a form of stripped HTML pages sent to the drop server by the malware
     - All accounts are business accounts of small organizations in Brazil
  40. DBaaS as a Malware Service
  41. Database as a Service
     - For legitimate users
       - Easy to set up
       - No maintenance needed
     - For criminals
       - C&C and Drop servers
       - Jeopardize "neighbors"
  42. Database as a Malware Service
     - Cheap and safe playground for hackers
       - Easy to set up
       - Anonymous
       - Affordable
     - Hiding in plain sight
       - Hacker activity is masked by normal activity
       - Difficult to pick out the specific DB used by the hacker
     - Resilient
       - Certainly impossible to take down the entire DB machine
       - Impossible to "hijack" C&C DNS
       - IP blacklisting is not possible
  43. Reflections on Malware & DB Access
  44. DB Access by Malware
     - Embedded code (TrendMICRO report)
     - Packaging DB drivers into modern malware modules
     - Malware accesses C&C databases
     - Stuxnet manipulating an internal database
  45. DB Access by Malware
     - Stuxnet
     - Narilam
       - Updates MSSQL accessible by OLEDB & tampers with stored data
     - Kulouz
  46. Reflections on DB Vulnerabilities
  47. DB Vulnerabilities
     - DB vulnerabilities pose a small risk to enterprises
     - None of the breaches of the past decade involving internal DBs were attributed to vulnerabilities
     - Internal breaches are usually carried out by non-technical perpetrators
     - BUT
     - Hosted databases are exposed to the web
     - "Sitting duck" for criminal hackers
  48. Protocol Layer Vulnerabilities
     - DB protocols are a mess
       - Proprietary, ill documented (to say the least)
       - Designed for internal network use
     - In DBaaS they become web protocols used over public networks
     - CVE-2013-1899, open source PostgreSQL DB
       - Sample exploit: psql --host 10.1.1.1 --dbname="-rpg_hab.conf" --user="aaaaaaa"
       - DoS of the entire server
       - Catastrophic results in a shared environment
  49. Knock Knock Jokes
     - CVSS 2.0 is the standard for computing the risk score of a vulnerability
     - The authentication requirement accounts for 1 point out of 10
     - In a shared DB hosting environment everyone can authenticate to the DB
     - CVE-2012-5611 MySQL vulnerability
       - Sample exploit: GRANT select ON MYSQssssssssssssssssssssssssssssssssssssssssssssssssssss sssssssssssssssssLqqqqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* TO 'user11'@'%'
       - DoS of the entire server
  50. Who Stole My Cheese?
  51. Summary & Conclusion
  52. Summary
     - Attackers continue to show creativity
       - Using cloud DB offerings as an alternative to traditional C&C / Drop servers
       - Harder detection and takedown
     - Commercial malware is gradually becoming more "database aware"
       - Attackers have the tools to pry into your database
       - Next step: autonomous malware targeting internal databases
     - Shared DB hosting platforms imply higher risk
       - Exposure to protocol layer vulnerabilities
       - Actual vulnerability score is at least 1 point higher
  53. Recommendations
     - It's all about the data, stupid!
     - While "network" and "endpoint" hygiene is important, attackers are ultimately looking for your data
       - In large, modern enterprise networks, infection is inevitable
     - Enterprises must invest in security layers closer to their data assets
     - DB service providers (and their customers) must re-assess risks and invest in virtual patching
  54. Webinar Materials: join the Imperva LinkedIn group, Imperva Data Security Direct, for post-webinar discussions, the webinar recording link and answers to attendee questions.
  55. www.imperva.com
