Wednesday, December 12, 2012

Forensic report on SCDOR breach

Mandiant helped the South Carolina Department of Revenue with an incident response. The executive summary can be found here.

While this is not the first government network to be breached, nor the last one, this is worth reading. I hope the longer, more detailed report will be posted, as I have some open questions regarding the phishing attack, the types of traffic seen and the general sophistication of the overall attack.

The SCDoR was informed by an unnamed agency of the potential breach, at which point Mandiant was engaged.


A few interesting and salient points:
August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
The initial intrusion came through a phishing e-mail. From my personal observation, some campaigns currently being executed show a level of sophistication that is quite impressive: I helped with a case recently in which the initial e-mail presented many characteristics of the company's internal communications.

August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials.
The remote access control was defeated by the lack of one-time password (second-factor) authentication: because the Citrix portal accepted a plain domain username and password, the credentials harvested by the phishing malware were enough to walk in through the front door.

September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
Dumping the password hashes of every Windows account (which is what such utilities actually retrieve) normally requires administrative privileges, typically Domain Admin rights on the domain controller. Unfortunately, the executive summary does not say whether the attacker inherited those rights from the compromised user's account or escalated privileges separately, for instance through an exploit.


The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
The attacker pivoted onto a database or backup server holding information valuable enough to be dumped and shipped out, and that server could in turn reach another internal server with a path to the Internet, so nothing in the network design stopped the exfiltration.


Overall, it took a bit more than two months to detect the attack and start the incident response process. No fewer than 514 server interactions can be counted from the report. Some good practices were apparently not followed:


  • Remote access should not rely on the internal authentication alone: if you are using Active Directory, front your remote access/VPN/Citrix with a second factor, such as RSA Authentication Manager (SecurID) tokens or another one-time password scheme;
  • Database and backup servers need to be strictly isolated, reachable only from a few selected networks, on a few selected ports/applications;
  • In Windows domains, every static password on an account with elevated privileges _has to be_ strictly longer than 14 characters: even recent Windows releases can still store the weak LM hash if the policy allows it [see below].
To the SCDoR's credit, part of the information was encrypted and is most likely to be useless to the attacker.

Microsoft Windows can still store each password in two hashed forms:
  • The weak LM (LAN Manager) hash, which uppercases the password, truncates or pads it to 14 characters and splits it into two 7-byte halves, each used as a DES key; a password longer than 14 characters cannot be LM-hashed at all, so Windows stores the LM hash of the empty string instead;
  • The relatively stronger NT hash (often loosely called the NTLM hash), an MD4 digest of the UTF-16LE password, which accepts passwords of any length.
LM hash storage is off by default since Windows Vista and Windows Server 2008 and can be disabled on older versions with the "Network security: Do not store LAN Manager hash value on next password change" policy (NoLMHash), but note that it only takes effect when each password is next changed, so existing LM hashes linger until then.

It is important to realize that neither of these uses a salt: the same password always produces the same hash on every account and every domain, which makes precomputed rainbow tables very effective against them.

Cracking an LM hash, even for a 14-character password, is a matter of a few hours at most, because case is lost and each 7-character half is attacked independently. If your administrative users have passwords of 14 characters or shorter and LM hashes are being stored, your whole network can be compromised in less than a few days. The NT hash is unsalted too and fast to compute, so even without LM hashes a short administrative password does not survive an offline attack for long.
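As an added illustration (not code from the post or from the Mandiant report), the following Python computes the NT hash the way Windows does, shows the LM preprocessing that creates the 14-character limit, and then runs a precomputed, unsalted lookup over a constructed pwdump-style hash dump of the kind a password-dumping utility produces. MD4 is implemented inline so the script runs without OpenSSL's legacy provider; the DES step of the LM hash is deliberately omitted, only the uppercase/pad/split preprocessing and the "longer than 14 characters means no LM hash" rule are shown. The usernames, RIDs, wordlist and the single non-empty LM value in the sample dump are constructed placeholders, not real data.

```python
"""Added example: Windows password hashes (LM vs NT) and why an unsalted,
dumped hash table cracks offline.  Not code from the post or the report.
Sample dump lines are constructed, in pwdump's user:rid:lmhash:nthash::: layout."""
import struct

MASK = 0xFFFFFFFF
# The LM value Windows stores when no LM hash exists (password longer than
# 14 characters, or LM storage disabled): the LM hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (little-endian words, 48 steps, no salt anywhere)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_idx = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                  # round 1: F, message words in order
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK, s), b, c
        for i in range(16):                  # round 2: G, column order 0,4,8,12,1,...
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, s), b, c
        for i in range(16):                  # round 3: H, fixed permutation
            k, s = r3_idx[i], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, s), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE password, any length accepted."""
    return _md4(password.encode("utf-16le")).hex()


def lm_key_halves(password: str):
    """The two 7-byte DES keys the LM hash is built from, or None when Windows
    would store EMPTY_LM instead because the password exceeds 14 characters.
    Each half is cracked on its own, so the effective keyspace is 7 characters,
    uppercase only.  (The DES encryption step itself is not shown here.)"""
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def triage_dump(dump_lines, wordlist):
    """Check dumped hashes against a precomputed NT table.  Because nothing is
    salted, the table is built once and reused for every account and every
    domain, which is exactly what rainbow tables exploit at scale."""
    table = {nt_hash(w): w for w in wordlist}
    findings = {}
    for line in dump_lines:
        user, _rid, lm, nt, *_ = line.split(":")
        findings[user] = {
            "lm_present": lm.lower() != EMPTY_LM,   # a stored LM hash: halves crackable
            "nt_cracked": table.get(nt.lower()),    # None if the password is not in the table
        }
    return findings


# Constructed sample dump (pwdump layout).  jdoe's LM value is a placeholder,
# not a real LM hash: any value other than EMPTY_LM means Windows stored one.
WORDLIST = ["password", "Summer2012", "Welcome1"]
SAMPLE_DUMP = [
    "jdoe:1104:0123456789abcdef0123456789abcdef:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1105:" + EMPTY_LM + ":" + nt_hash("Summer2012") + ":::",
    "dbadmin:1106:" + EMPTY_LM + ":" + nt_hash("Summer2012") + ":::",      # same password, same hash
    "ciso:1107:" + EMPTY_LM + ":" + nt_hash("correct horse battery") + ":::",
]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("LM halves of 'Summer2012':", lm_key_halves("Summer2012"))
    for user, finding in triage_dump(SAMPLE_DUMP, WORDLIST).items():
        print(user, finding)
```

Run it and the two accounts sharing Summer2012 carry the identical NT hash and fall to a single table hit, which is the no-salt property in action; jdoe is flagged because a real LM hash is present, so even a strong-looking 14-character password would be attacked as two 7-character halves; ciso's 21-character passphrase leaves only the empty LM sentinel and is not in the wordlist, so it survives this pass.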