This week a shocking campaign of cyber attacks has been made public by Cylance, a US cybersecurity firm. The report has been released earlier than planned due to the level of risk these attacks pose, in the hope that it might prevent further breaches.
This news has been particularly alarming as it points to the Iranian government as potentially being responsible. Many of the attacks have originated from Iranian IP addresses and the targets of the attacks would align with Iranian national interests. The campaign must also be well-funded as attacks are numerous and tailored to the individual targets. Cylance freely admit that they have probably uncovered only a small fraction of attacks and many more may still be unknown to the victims.
This is where the Cylance report becomes interesting. Considering the sophistication of the attacks, the project is deemed to be well funded, possibly by the Iranian Government. However, this time, the target has not been rival government networks.
Cylance said ten companies targeted in Operation Cleaver were U.S.-based, with the rest being scattered across the globe and including Canada, France, Israel, the UK, Pakistan and South Korea. The number of attacks on South Korea based industries such as airlines, airports, technology and heavy manufacturing is one of the key indicators that this attack stems from the Iranian government, at least indirectly. Iran is an ally of North Korea.
The attacks on airports and airlines are particularly worrying; these have been targeted in South Korea, the US, the UAE, Pakistan, Qatar and Saudi Arabia. Bearing in mind that these are also just the targets discovered so far, this could be the tip of a larger iceberg. It’s unknown precisely what the intentions of this group are but their choice of targets is certainly enough to ring alarm bells.
How the attacks were carried out
In their 86-page report, Cylance touch on the methods used, with the initial compromise techniques including SQL injection, web attacks and creative deception-based attacks. They have also exploited existing bugs to achieve privilege escalation on Windows and used worm-like propagation mechanisms to spread. The sophistication of their attacks is further demonstrated by the use of customised tools and advanced techniques to perform ARP cache poisoning, encryption, credential dumping, ASP.NET shells, process enumeration, network interface sniffing and keystroke logging.
The level of access this team managed to gain is also worrying; in the case of some airports they even managed to gain control of the gates and their security systems, potentially allowing them to tamper with gate credentials. In the case of individuals, they managed to access PayPal and Go Daddy credentials in order to make fraudulent purchases. They will also have accessed a wealth of sensitive data, the implications of which are not yet known.
What you should do
In light of these attacks, it’s advisable for any large organisation or company to strengthen their cyber security, but particularly those in the aeronautical industry, in education or in power companies, as these have been popular targets. At this point, it is difficult to say if smaller companies have also been targeted by these attacks. The hackers seem to be after data, making most companies a potential target.
The first line of defense would be to make sure all web applications are without the types of vulnerabilities in their source code which would allow a hacker to exploit it and gain access. It would be advisable to employ a penetration tester or similar if no-one in your company has this type of expertise. Then a web application vulnerability scanner such as Acunetix can be used to identify any vulnerabilities and their location within the applications’ architecture. Once these are fixed, the application should be scanned regularly to identify any new vulnerabilities, especially following any changes made. New vulnerabilities and therefore hack methods are regularly being discovered.
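As an added illustration of the kind of source-code flaw the paragraph refers to (this is example code, not from the Cylance report or from Acunetix), here is a login lookup written in the injectable style beside its parameterised fix, run against a constructed in-memory SQLite table:

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for a web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so the input can alter the query itself."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_parameterised(conn, username, password):
    """Binds user input as parameters; the driver treats it as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def compare_logins():
    """Runs the same inputs through both versions and returns the row each one finds."""
    conn = make_db()
    # Constructed input that closes the quoted username and comments out the password check.
    crafted_user = "alice'--"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_safe": login_parameterised(conn, "alice", "correct-horse"),
        # The vulnerable version returns alice's row without a valid password; the
        # parameterised version looks for a user literally named "alice'--" and finds none.
        "crafted_vulnerable": login_vulnerable(conn, crafted_user, "wrong"),
        "crafted_safe": login_parameterised(conn, crafted_user, "wrong"),
    }

if __name__ == "__main__":
    for name, row in compare_logins().items():
        print(name, row)
```

A scanner finds such a flaw by observing that crafted input changes the application's response; the fix that removes it is the parameterised form, regardless of what the scanner reports.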
Once the application itself has been cleared of vulnerabilities, the next level to address is the perimeter servers. This can also be performed by the Acunetix tool and this network scan function is currently available for free with the online version of the software.
Finally, ensure that the company’s employees are educated enough to identify potential cyber-security threats. One of the techniques used to gain access to the company’s infrastructure was to lure the company’s employees into applying for a fake job. They were asked to upload their CV using an application, infecting them in the process. In addition, it is always wise to run antivirus scans frequently so as to detect any potential malware as early as possible, before it can propagate to the rest of the network.