Foursys - specialists in network threat protection

How to defend a network against common hacking techniques (Part 1)


As the technical director at Foursys I have seen our consultants respond on many occasions to security incidents occurring within organisations' computer networks.

Clearly at Foursys we have a bigger insight into network security than our respective customers, which is why I wanted to use this article to help highlight how intruders or hackers can gain access to a computer network using some rather easy techniques. The ultimate objective is to give you the knowledge to defend against such attacks.

Below I have highlighted one of the easiest methods that could be used to trigger an attack from outside your local network. In subsequent articles I will discuss other ways in which attacks can occur from both outside and inside the network.

Email a web link in.

I know what you’re thinking; surely this won’t work if you have email and/or web gateway system(s) in place, right?

Let me be clear here. It is absolutely WRONG to presume this is the case. Please read on.

Let’s say an attacker sends an email into the organisation being targeted. The hacker finds the website of the organisation they want to attack and makes a note of the domain name, which will be used to formulate the email addresses to send the mails to.

The email needs to be set up to appear humorous, e.g. it could say something like “Look at this elephant from India”. Humorous emails are far more likely to be read than those relating to financial or other matters, since users have become a little wiser to these now.

An attacker would be best placed to use some kind of anonymous email account, maybe through a web-based email solution such as Hotmail or Gmail.

The link within the email would go to a crafted PDF file, hosted on a new website. The PDF file itself is designed to exploit versions of Adobe PDF reader that are not fully up to date. As a techie, I know that it’s a difficult task to patch Adobe PDF reader across an entire computer estate.

The PDF file itself delivers a payload that allows an intruder to gain remote control over the machine using web-based protocols. As it is user-initiated (by the end user opening the file), most local firewalls won’t prevent the attack.

To distribute the payload to as many recipients as possible, the attacker emails the link to the website hosting the crafted PDF to group recipients, something like:

  • [group e-mail addresses, hidden by the site’s spam protection]

Most organisations have email addresses similar to this, which are groups of recipients.

So what about email filtering?

The email filtering solution won’t find anything to check. The contents will be plain, except for one URL link that goes to a new website.

So what about URL Filtering?

If someone sets up a brand new website, 90% of web filtering solutions won’t have categorised the content, and hence URL filtering (and email products that inspect URLs) won’t normally provide accurate blocking against uncategorised sites.

So what about web based anti-virus checking?

In the majority of cases this is avoided by ensuring that the PDF file is password protected. Simply write the password into the email that’s being sent with the link.

So what about desktop anti-virus checking?

It’s very easy to bypass the outer perimeters of defence using the above techniques. However, it might surprise you that desktop anti-virus is more difficult to get around than you may think.

Speed of attack. Many traditional AV products were slow to respond to some of the crafted PDF files being utilised for these types of attacks (some took many months). So any type of attack would look to utilise a newly published/discovered vulnerability to ensure the chances of successful network penetration are high.

The other alternative is to utilise a vulnerability that’s exploited in memory (buffer overflow), since many anti-virus products don’t scan RAM; they only scan files read from or written to a drive. Whilst many more up-to-date examples are available, the most widely known example was MS08-067, which was successfully utilised by the Conficker virus to infect machines regardless of the anti-virus products running on computers within the network (in the majority of cases). The payloads that can be delivered are all very similar, and so it’s the exploit that’s the key to success in many cases.

We recently demonstrated both the Microsoft and PDF style of attack at our Threat Landscape events held over the Autumn and it gained a lot of interest.

So how do you stop this style of attack occurring in the first place?

  • Patch management
  • Carefully constructed web policies around encrypted (unscannable) documents
  • Two-way network client firewall
  • Security awareness training
  • End user education
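The password-protected PDF trick described above works because the gateway cannot open the file, and the policy bullet on encrypted documents is about deciding what to do with such files rather than letting them through unscanned. As an added example (not code from the article or from Foursys), the following Python pre-filter detects the /Encrypt entry in a PDF's trailer or cross-reference stream so a gateway can hold the document for review; the PDF fragments are constructed samples and the verdict strings are assumed names.

```python
import re

# Constructed PDF fragments (not real samples, not fully valid files): the
# trailer / cross-reference dictionaries are all this check needs to see.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"trailer\n<< /Root 1 0 R /Size 3 /Info << /Title (memo) >> >>\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"4 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 >> endobj\n"
                 b"trailer\n<< /Root 1 0 R /Size 5 /Encrypt 4 0 R /ID [<aa> <bb>] >>\n%%EOF\n")
XREF_STREAM_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                   b"5 0 obj << /Type /XRef /Size 6 /W [1 2 1] /Root 1 0 R /Encrypt 4 0 R >>\n"
                   b"stream\n\x00\x00\x00\x00\nendstream\nendobj\n%%EOF\n")

def _dict_body(data: bytes, start: int) -> bytes:
    """Body of the dictionary whose '<<' begins at `start`, honouring nested
    << >> pairs. Strings containing '<<' or '>>' are not tokenised: this is a
    gateway pre-filter, not a full PDF parser."""
    depth, i = 0, start
    while i < len(data) - 1:
        if data[i:i + 2] == b"<<":
            depth, i = depth + 1, i + 2
        elif data[i:i + 2] == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start + 2:i - 2]
        else:
            i += 1
    return b""

def is_encrypted_pdf(data: bytes) -> bool:
    """True if any trailer or cross-reference-stream dictionary carries an
    /Encrypt entry. Incremental updates append further trailers, so every
    one is inspected, not only the last."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("not a PDF")
    encrypt_key = re.compile(rb"/Encrypt(?![A-Za-z])")
    for m in re.finditer(rb"trailer\s*(?=<<)", data):
        if encrypt_key.search(_dict_body(data, m.end())):
            return True
    for m in re.finditer(rb"<<", data):  # PDF 1.5+ cross-reference streams
        body = _dict_body(data, m.start())
        if re.search(rb"/Type\s*/XRef(?![A-Za-z])", body) and encrypt_key.search(body):
            return True
    return False

def gateway_verdict(data: bytes) -> str:
    """Assumed policy: a document the gateway cannot open is held for review
    instead of being passed through unscanned."""
    return "hold-for-review" if is_encrypted_pdf(data) else "scan-and-deliver"
```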

Foursys offers Security Awareness Training courses that allow you to recreate this type of attack within the confines of a test network, giving you a significantly better understanding of how such attacks occur by replicating them in a secure environment.

Follow us on Twitter @FoursysLtd
