(.. Tactics, Techniques, and Procedures) and I flew out of JFK on the morning of January 22nd, 2012. We were gainfully employed by ████████ and responding to a breach that a client had suffered. Mike and I spent a week pouring over forensic artifacts and soon identified the perp as a Russian-speaking hacker called “M4g”. Mike Arpaia M4g would later be revealed by the FBI as , indicted four times (including the ), and . Alexsey Belan Yahoo hack sanctioned by the Obama administration Belan targeted tech firms on the west coast. Many of the large breaches publicized during and are attributed to him, and news of others didn’t make it into the public domain. 2012 2013 This post details the victim estates and provides insight into the of a prolific adversary. Please use this material to consider your environment and ensure these weak links do not exist within it. modus operandi TL;DR Belan’s observed offensive traits were as follows: He identified peripheral web servers via Google and Linkedin searches Used known WordPress flaws and custom bugs to compromise PHP sites Linux authentication mechanisms were altered to capture credentials Nmap was used to identify exposed network services internally Corporate Wikis revealed administrative workflows and VPN details Ticketing, bug tracking, and version control systems provided secrets (e.g. cryptographic keys, seeds, hashes, credentials, and source code) Cookies from weak non-production instances (e.g. staging) were valid in production as cryptographic materials were the same — bypassing 2FA Client certificates (exposed by email, ticketing, or lifted from filesystems) were combined with known credentials to access corporate VPNs Engineering credentials were used to commit backdoors to version control which were self-approved and later deployed into production Email addresses and password hashes were amassed with each compromise. Cracked credentials were used to target further victims via exposed mail services (e.g. Outlook on the Web or G Suite), and the exploratory process was repeated to gain privileged network access via VPN or similar means. Defensive controls checklist: Segregate risky Internet-exposed servers (e.g. third-party PHP sites) Do not leave secrets in your Wiki, ticketing, or bug tracking systems, or send sensitive material over email (e.g. credentials, certificates, or keys) Don’t re-use cryptographic seeds, keys, or credentials across production and non-production environments (e.g. development or staging) Compromised servers made odd DNS requests (e.g. resolving ). Use a monitoring tool such as to flag anomalies m4g.ru DNS Analytics for Splunk Software certificates are an insufficient second factor. Use a 2FA solution such as and consider hardware tokens to protect private keys via and other standards, as supported by the real Duo FIPS 201–1 YubiKey 4 Proper segmentation, enforcement of a sensible policy around the safe transmission of secrets, and close monitoring of production systems nullify this threat. Technical Details The marketing department of Belan’s first known victim ran a vulnerable WordPress server from a branch office. The server sat on the corporate WAN and could access internal systems: it wasn’t segregated or placed in a DMZ. Belan found the server through a Google search and exploited it via . Next, he downloaded tools via from and elevated privileges via . CVE-2011–4106 wget m4g.ru CVE-2010–3856 The following steps were undertaken over a five day period: He replaced the PHP authentication mechanism ( ) to capture credentials of corporate users interacting with the WordPress site l10n.php Ran Nmap and discovered the internal Wiki Captured a handful of valid credentials via WordPress Authenticated with the Wiki using captured user credentials Came to understand the administrative procedures via the Wiki Failed to authenticate with the administrative portal (2FA was required) Identified a staging instance of the administrative portal that didn’t require 2FA. Authenticated, and subsequently identified directory traversal and arbitrary file upload flaws through manual testing Found that cookies generated in staging were valid in production, and modified a staging cookie to access the production instance of the administrative portal (bypassing 2FA) Gained privileged access to the administrative portal server via the known web application flaws, and a obtained a MySQL credential that provided access to customer data within the production environment Ran against the production database, creating mysqldump 1.txt Compressed and attempted to SCP to a shell server using directory structures containing and domains 1.tgz masterhost.ru mnogo.mobi m4g.ru The SCP process failed, and so was split into chunks and exfiltrated by placing them onto an NFS share used to serve static content in the production web environment 1.tgz Use of Linkedin to Target Peripheral Systems Belan’s second known victim was notified by the FBI of a breach. We identified an engineering account that had accessed the corporate VPN from Russian IP space, and subsequently discovered a compromised web server running on the engineer’s iMac in the kitchen of his home in Santa Clara. The web server was a Linux VM running within the iMac via Parallels. Belan had found the server via the engineer’s own public Linkedin profile, e.g. Personal websites listed in a user’s Linkedin profile The Linux VM hosted a handful of PHP sites. Belan worked to remotely compromise the Linux VM, host system, and finally his target, as follows: Tested each PHP site by hand to identify potential weaknesses Successfully identified and exploited a custom arbitrary file upload flaw Elevated privileges to via (as before) root CVE-2010–3856 Altered Linux and PHP authentication mechanisms to capture credentials Obtained and cracked local user password hashes from /etc/shadow Authenticated with the Linux VM via SSH using a valid credential Launched a brute-force SSH password grinding attack from the guest Linux VM against the host operating system (running MacOS X) Used tools to clear and log entries within the Linux VM utmp wtmp Successfully authenticated with the host operating system via SSH using a permutation of a known user credential Obtained corporate VPN configuration details from the host operating system, including the gateway details, client certificate, and private key Combined the VPN settings with known credentials to authenticate with, and access the corporate VPN as the engineer himself Application, database, and infrastructure logs within the victim environment were rolling (overwriting entries after 10–14 days). As such, our ability to investigate this compromise was limited. The facts however are as follows: Belan maintained corporate VPN access for four months The customer database was obtained from the production environment Lack of 2FA + The Cloud = By mid-2013, Belan had amassed 200 million credentials (including email addresses, passwords, but also answers to security questions). Organizations embracing cloud services but not 2FA were soft targets. A third victim was breached through the following steps: Use of a valid credential (user/pass) to authenticate with Google Mail Access to an Internet-based JIRA instance granted via OpenID Issues in JIRA revealed a legacy Internet-based Subversion (SVN) server Already known and valid credentials were used to access the SVN server Local privileges were elevated and engineering password hashes were obtained from and other files within version control /etc/shadow Internet-exposed Git production instance accessed via cracked credentials JSP shell committed into Git, self-approved, and queued for deployment An unwitting engineer later deployed the code into production Belan read the production database environment variables from an application server via the JSP shell he had implanted Ran against the production database, creating mysqldump 1.txt Compressed, split, and exfiltrated via the application server 1.tgz Fallout and Closing Remarks 1.2 billion usernames, password hashes, and security questions have been compromised from a handful of known victims (including Yahoo, Evernote, Scribd, and Zappos, according to the ), and likely millions of further records from unknown victims. New York Times Consider the number of organizations that provide services to their users and employees over the public Internet, including: Web portals for sales and marketing purposes Mail access via Microsoft Outlook on the Web and Google Mail Collaboration via Slack, HipChat, SharePoint, and Confluence DevOps and support via GitHub, JIRA, and CI/CD utilities Next, consider how many enforce 2FA across their attack surface. Large enterprises often expose domain-joined systems to the Internet that can be leveraged to provide privileged network access (via Microsoft IIS, SharePoint, and other services supporting NTLM authentication). entire The number of weak networks is high enough for Belan and the FSB to pose a serious threat to organizations around the globe with their Rolodex of secrets. The personal mail and messaging accounts of politicians, lawyers, activists, and journalists can also be easily targeted. Finally, consider the number of corporate VPNs using 2FA (requiring only a username, password, and software-based certificate). First-hand experience leads me to believe this number is high. VPN certificates and keys are often found within and lifted from email, ticketing, and chat services. 💥 unsafe
