Thursday, July 25, 2013

The script kiddie is dead

SQL attacks are pervasive; the result is leakage of credentials. Millions of username/email + password pairs have been stripped out of compromised SQL servers and posted into public spaces. Thus, attackers are routed to corporate surface areas when employees use their work email when registering on 3rd party application sites. The insidious part is that corporations are exposed to attack even when their enterprise infrastructure is secure. The problem swells when employees re-use their passwords across multiple sites. Even when the corporation has adopted two-factor authentication and strong password policies – an attacker may still gain access to employee personal data. That personal information can lead to secondary attack vectors against the corporation – such as direct access to the employee’s home network, mobile computing devices, and cloud data. With such vast amounts of contextual data available, it would only be a matter of time until a focused attacker can leverage something to further access into the enterprise. Previously the stuff of spy novels, attacks such as software bugging an Android phone are now very real.

While some security consumers still think of SQL attacks as Plebeian, they should remember that in Verizon’s 2013 Data Breach Investigations Report™ (DBIR), 76% of network intrusions exploited weak or stolen credentials. Please remember that these stolen credentials are being posted by the millions into publicly shared cyberspaces, largely downstream of an SQL injection. Furthermore, it would be ludicrous to think that a foreign intelligence service doesn't have a desk devoted only to exploiting these leaked credentials – it’s free access. And beyond that, consider they may also have a budget to maintain cyber-criminal persona for directing contractors at targets or purchasing stolen information.

Credentials stolen over approx 12 month period by a single non-state actor (courtesy Veraxes)
A few years ago, some security marketing programs tried very hard to draw a bright line between cybercrime and APT – but a handful of us took the opposite stance (See Kelly’s article) and illustrated the crossover between cybercrime and APT. Other news stories followed (Krebs, et al).

Regardless of these first hand experiences of security practitioners, security buyers still bifurcate cyber threats into “APT” and “everything else”. In this case, “everything else” means Botnets, Drive-by downloads, Zeus infections, Defacements, and “Script kiddie” attacks on websites. I have heard decision makers in the security organization tell me these are just a low-threat hygiene problem. Perhaps in the past this was true, but threats evolve. [soapbox]Personally I think this is just fallout poisoning from over-aggressive marketing used to educate people about the difference between real intrusions and anti-virus solutions.[/soapbox] Regardless, the idea that malware and script-kiddies are not dangerous is dead wrong.

Before discounting SQL injection, WordPress backdoors, and Drive-by’s as the work of script kiddies or“just cybercrime”, consider that every one of these is a vector for targeted attacks. Of the thousands of credentials for Fortune-500 companies posted to the Internet in the last few months, how many have been subsequently used by hackers to access email or corporate portals?

We are witnessing accelerated exploitation economics.  Knowledge about compromises, no matter how small, will now quickly disseminate across a vast network of blackhat consumers - many of which have the means to leverage small cracks into massive breaches. I have seen a mass WordPress defacer install credential stealers that were then used for lateral movement to other servers.  I have seen an SEO scammer sell server access to an interested 3rd party.  We have to see beyond malware and look at the threat - a threat has his hands on the keyboard. So, when a drive-by download installs Citadel (a Zeus variant) on the network, the corporation is being targeted for IP theft. When a script kiddie puts a webshell on the website, the user credentials are being targeted for follow-on attack and lateral movement. When employee PII is compromised, ask who is downloading thousands of employee emails? How will this data expose your company to greater risks?

Every attack matters. The script kiddie is dead.