3 posts categorized "Tom Goren Bar"
May 30, 2013
File Server Risks, A Look Into Verizon's Data breach Investigation Report 2013

As you may have seen by now, Verizon’s Data Breach Investigation Report (DBIR) 2013 is out. First and foremost, we wish to congratulate Verizon’s RISK team on yet another excellent and informative report. Although this report was released a few weeks ago, there are several points I felt deserved further attention, including the sudden increase in file server compromises and how automated tools are making it increasingly easy for anyone to become a hacker.

This year Verizon’s database grew substantially, from 855 confirmed data breaches to more than 47,000 reported security incidents and 621 confirmed data breaches. While most of the statistics presented in the report are based on the 621 confirmed data breaches, statistics for all 47,000+ incidents are also provided. This year the RISK team decided to analyze the dataset of breaches by attack motive: state-affiliated espionage, financially motivated crime, or activism. Looking at data breaches through this prism sheds light on several points worth mentioning.


As stated in the report - “Who wants my proprietary info?” is probably a better question than “Am I a target of espionage?” Every organization has some form of proprietary or internal information it wants to keep private. This information, which is almost always tied to an organization’s competitive advantage, is inevitably of interest to someone, somewhere. As the DBIR report clearly demonstrates, everyone is a potential target for data theft regardless of the type and size of the organization, or the specific motivation of the attacker.



A data breach starts with an initial compromise that grants the attacker access to the network, and leads to credential theft and data exfiltration. In about 70% of the data breaches the actual theft (of credentials and data) requires few resources and little expertise – it is feasible with automated tools and scripts, basic methods that need no customization. Placing security measures around the data center will easily raise the bar on the resources and the minimum level of expertise the attacker needs, thus reducing the impact of the initial compromise.


While automated tools have made it possible for just about anyone to become an attacker, a lack of data center security and monitoring has resulted in a huge blind spot where malicious activity is concerned. The DBIR 2013 still supports the common truth that organizations do not detect breaches on their own, but rather are informed of them by an external third party. Furthermore, in many cases this detection is accidental, stumbled upon while investigating something else, and the alert is merely a courtesy.



Lack of visibility into attacks and malicious activity allows attackers to operate undetected for months.

While the window of time available to detect the initial compromise is very small (seconds to minutes) and such compromises leave little-to-no evidence, the window of time available to detect malicious data access and exfiltration is much larger (hours to months). This is due to the time it takes for an attacker to explore the network, locate relevant systems, exploit those systems, and then collect and exfiltrate the data.



There’s a clear correlation between threat actor motives and the variety of data compromised. Unsurprisingly, financially motivated criminals go after payment and personal information – information that can be easily monetized. State-affiliated espionage, however, tends to target trade secrets, internal organizational data, and system information, while hacktivists focus on personal information and internal organizational data. Despite the difference in end game, or motive, all three attackers must first acquire credentials in order to successfully breach the data they desire.


Another notable finding in the DBIR was a marked increase in incidents of file server compromise (22%, versus just 1% in 2012). A plausible explanation for this sudden and significant increase is the recent, extensive exposure of cyber espionage campaigns (19% of incidents), which are usually after the intellectual property of the target. Intellectual property is usually stored as unstructured data in files rather than as structured data in databases. The cyber campaigns exposed in 2012-13 (e.g. Flame, Rocra/Red October and China’s Unit 61398 and APT1) went undetected for several years, which means that file servers have probably been compromised for years. Although these compromises occurred years ago, evidence of them was discovered only recently, resulting in inaccurately low reports of file server compromise in previous years.

Directory servers are also a target for espionage motivated attacks since APT attacks use them to create new users, grant permissions, and prolong the access to the network.


January 30, 2013
Red October: The Hunt For the Data

The recent discovery of the Red October malware has focused a lot on its effects, but inadequate attention has been given to its purpose.  The real goal of this campaign—which successfully evaded anti-virus and network intrusion detection systems for at least five years.

The malware contained many of the traditional functions associated with malware, such as key logging.  But focusing on these traditional capabilities misses a key point:  hijacking local data, such as files and credentials, was the means—but not the end.

Red October contained two interesting aspects:

  1. Attackers recycled stolen data from victims of the same sector to make their spear phishing emails less suspicious by incorporating some context that would be familiar to the victim. 
  2. Ability to identify and access the important data centers.

The victims of this cyber-espionage operation belonged to the most protected and threat aware sectors – government, energy, aerospace and military.  The potential bounty that can be extracted from such victims is varied both in content and in type: documents and presentations of meeting summaries and strategic plans, database financial records, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more.

Rocra, the name of the malware used in the Red October campaign, is APT by the book.  It has specific modules for each of the elements needed for an APT attack: reconnaissance gathering, spreading, persistence maintenance, data extraction and data exfiltration.

Specifically, it has capabilities to access both unstructured data (files) as well as structured data (database records), or as the Kaspersky Labs Report noted, it would “Collect information about installed software, most notably Oracle DB…”

What do these modules do?  Let’s break down some of them:

  • The purpose of the “Recon” modules is to help the attacker find the right data.
  • The purpose of the “Exfiltration” modules is to deliver the data to the attacker.

Overall, Rocra’s modules are capable of reaching FTP servers, remote network shares and local disk drives, and of copying files from these resources. Unlike the “Recon” data collection modules, which are invoked by the attacker “on demand”, the “Exfiltration” modules are designed to run repeatedly and bring back only new valuable data.

The infiltration of the victims’ networks and endpoints was conducted using Excel and Word documents that exploited application vulnerabilities, attached to carefully crafted email messages. The attached files recycled stolen data (and therefore context) from other victims of the same sector, making what would otherwise be a suspicious email look legitimate. It is reasonable to assume that the identity of an earlier victim was also used to send the email, lending it that victim’s positive reputation and appearance.

These targeted social engineering messages (“Spear Phishing”) bypassed “perimeter” security measures.

New software exploits will always be around to help circumvent “perimeter” security measures. DLP solutions were also probably defeated in this attack, since Rocra implements a proprietary data transmission protocol with the C&C that changes both file content and file size. However, data access patterns are difficult to change. Automation, among other attributes of data access, provides the attacker with speed and volume and cannot be given up.

Was it possible to detect and prevent the data theft?  Yes—had the victims monitored their data more closely rather than just monitoring the network perimeter and endpoints.
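The post’s argument that automation leaves a mark in data access patterns (speed, volume, regularity) even when the transfer protocol and file sizes are disguised can be turned into a file-server monitoring check. This is an added example, not code from the blog, Imperva or Kaspersky; the audit-line format, the user names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed lines "<ISO time> <user> <share> <path> <op>" (not real Rocra data):
# 'svc_sync' reads 30 files from 10 folders every 2 s; 'jdoe' works at human pace.
SAMPLE_LOG = [
    f"2013-01-15T02:00:{s:02d} svc_sync FINANCE$ d{s // 6}/file{s}.docx READ"
    for s in range(0, 60, 2)
] + [
    "2013-01-15T09:12:01 jdoe FINANCE$ budgets/q1.xlsx READ",
    "2013-01-15T09:14:37 jdoe FINANCE$ budgets/q1.xlsx WRITE",
    "2013-01-15T09:31:05 jdoe HR$ policies/leave.docx READ",
]

def parse(line):
    ts, user, share, path, op = line.split()
    return datetime.fromisoformat(ts), user, share + "/" + path.rsplit("/", 1)[0], op

def score_users(lines, window_s=300, min_reads=20, min_dirs=5, max_cv=0.5):
    """Return {user: reasons} for users whose READs show at least two automation
    traits: burst volume, breadth across folders, and a timer-like cadence."""
    reads = defaultdict(list)
    for line in lines:
        ts, user, folder, op = parse(line)
        if op == "READ":
            reads[user].append((ts, folder))
    flagged = {}
    for user, events in reads.items():
        times = sorted(t for t, _ in events)
        reasons = []
        # Volume: most reads falling inside any window_s-second window.
        peak = max(sum(1 for u in times if 0 <= (u - t).total_seconds() < window_s)
                   for t in times)
        if peak >= min_reads:
            reasons.append(f"{peak} reads within {window_s}s")
        # Breadth: a collector sweeps many folders; a person works in a few.
        folders = {f for _, f in events}
        if len(folders) >= min_dirs:
            reasons.append(f"{len(folders)} folders touched")
        # Cadence: low spread of inter-read gaps points to a scheduler, not a hand.
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 5 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            reasons.append("machine-regular read interval")
        if len(reasons) >= 2:
            flagged[user] = reasons
    return flagged
```

Calling `score_users(SAMPLE_LOG)` flags only `svc_sync`, with all three traits; the thresholds are starting points and should be tuned against a baseline of legitimate backup and indexing jobs, which show the same cadence and breadth.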


December 18, 2012
Data Wiping: A New Trend in Cyber Sabotage?

Yesterday, the Iranian CERT made an announcement about a new piece of malware that was designed to corrupt data. This malware joins the list of data corruption malware discovered in April, November and December 2012 – Wiper, Narilam and now GrooveMonitor respectively.  They wrote:

The latest investigation done by the Maher center in cyberspace identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and does not have any similarity to the other sophisticated targeted attacks.

GrooveMonitor does not pose a real threat to companies, since it attacks local files only and not the datacenter (databases or file shares) nor the datacenter backup. However, the Narilam malware discovered last month is database sabotage malware. Its purpose is to corrupt the databases of three financial applications from TarrahSystem used for banking, loans, retail and industrial applications.  But this is not a technical beauty pageant. When all of your data gets wiped and your antivirus proves to be worthless, do you take comfort in the fact that the malware was simplistic?

Indeed, this new malware raises the question – are these just isolated incidents, or are we witnessing a trend of malware designed to corrupt data rather than steal it? While all three malware attacks originated in Iran, a country of great interest to several espionage agencies around the world, only Wiper is believed to be state-sponsored. The authors of the other two were probably inspired by Wiper to some extent. As Microsoft’s director of trustworthy computing Tim Rains stated nicely this week: “Unintended consequence of operating a sophisticated cyber espionage activity is that criminal groups are essentially given free research on how to infect systems and little-known vulnerabilities are brought to the forefront.”

This is just as true for methods of operation. It is easier to hurt a competitor’s business by sabotaging its production systems through data corruption than by operating a complicated, long-term espionage campaign to steal data. Roel from the Kaspersky security blog sums it up: “If it wasn't clear already - the era of cyber-sabotage has arrived. Be prepared.”



