Get prepared for the next cyber

Malta Independent - NEWS

It is a normal day at the airport. Suddenly, the automated check-in machines display a system failure. Travel apps stop working and the agents at the check-in counters cannot operate their computers. Travellers can neither check in their luggage nor pass through security. Huge queues of people start gathering, while all the airport monitors show that all flights have been cancelled. Baggage cannot be claimed and more than half of the flights cannot take off.

A radical group has hacked the airport's critical systems using digital and hybrid attacks. They have claimed responsibility for this attack and are using their channels to instigate more people to adopt their radical ideology.

This was the scenario that over 900 European cybersecurity specialists from 30 countries had to face on 6 and 7 June, during Cyber Europe 2018. MITA was part of the Maltese team that participated in the international cybersecurity simulation exercise organised by ENISA. In all, 50 local cyber security and media professionals from 11 organisations participated in this event in Malta. The exercise was coordinated by the Critical Infrastructure Protection Directorate and Malta's National Computer Security Incident Response Team (CSIRTMalta).

The Maltese team was organised in multiple cells established at various locations. The national coordinating cell, which included a media crisis cell, was located at the Ministry for Home Affairs and National Security, while an operational crisis cell gathered at MITA's Data Centre. Another cell was established at the Malta International Airport, from where both Air Malta and the airport teams coordinated their work.

To prepare for this event, MITA set up a laboratory consisting of five machines: two physical Windows test machines, two physical Linux test machines and one Linux virtual machine. These machines were equipped with several forensic and malware analysis tools and were connected to a segregated network.

Many technical lessons learnt

One of the incidents handled successfully by the team involved an executable file that could easily have been sent to potential victims via email or downloaded from a rogue website. This executable was malware acting as a dropper, keylogger and exfiltrator. The malware captures keystrokes, and the one in question could capture up to 10,000 keystrokes on the infected machine. Through those keystrokes, the attacker could have captured sensitive information such as passwords and credit card numbers. Moreover, the malware exfiltrated files located on the victims' desktop using POST requests to a range of URLs. An updated version of the malware was later released, making use of persistence mechanisms and advanced anti-forensic techniques deployed to stay undetected. This malware was more complicated to analyse, since we had to rely on only a few specific tools.
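The exfiltration behaviour described above (large POST bodies from one client to a range of URLs) is the kind of pattern a defender can look for in web proxy logs. The following is an added example, not part of the article or MITA's tooling; the log format, the client addresses and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (assumed format, not from the exercise):
# "<client> <method> <url> <request-body-bytes>"
SAMPLE_LOG = """\
10.0.5.21 POST http://203.0.113.10/upload/a.php 48211
10.0.5.21 POST http://203.0.113.11/upload/b.php 51024
10.0.5.21 POST http://203.0.113.12/upload/c.php 9933
10.0.5.21 POST http://203.0.113.13/upload/d.php 70312
10.0.5.21 GET http://intranet.example/news 0
10.0.5.40 POST http://intranet.example/login 312
10.0.5.40 POST http://intranet.example/login 298
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into (client, method, url, body_bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        client, method, url, size = m.groups()
        events.append((client, method, url, int(size)))
    return events


def find_exfil_candidates(events, min_hosts=3, min_bytes=4096):
    """Flag clients that send large POST bodies to several distinct hosts.

    Ordinary form submissions are small and go to a few known hosts; a keylogger
    or file exfiltrator pushing desktop files to a range of URLs looks different.
    Returns {client: (sorted list of hosts, total bytes posted)}.
    """
    posts = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for client, method, url, size in events:
        if method != "POST" or size < min_bytes:
            continue
        posts[client]["hosts"].add(urlsplit(url).hostname)
        posts[client]["bytes"] += size
    return {
        c: (sorted(v["hosts"]), v["bytes"])
        for c, v in posts.items()
        if len(v["hosts"]) >= min_hosts
    }
```

The thresholds should be tuned per environment; the point is that the destination spread and body sizes, not a single URL, are the signal.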

As part of the simulation, a cyber-attack was also launched against airport IP cameras. A packet capture of the network traffic generated by the IP cameras was presented to the team for further analysis. By delving into it, the team could detect that an infected IP camera within the closed network had tried to infect other IP cameras through a command injection vulnerability in their web interface. Exploiting this vulnerability installed the same version of the malware on each target device. The malware infected all the airport IP cameras and bricked them, turning them "blind" to any physical attack.

Another incident concerned an internal WordPress site, where the team was presented with an image of the virtual machine hosting the site. It was determined that this attack used a WordPress SQL injection vulnerability to retrieve the usernames and password hashes of all users. The attacker could easily identify which accounts were configured as Administrator using tools such as WPScan, and managed to crack the passwords since they were hashed with a weak algorithm. The attacker then logged into the Administration Section with the Administrator account and opened a backdoor on the site. The backdoor that the team tested and worked on was a PHP reverse shell inserted into one of the files of the WordPress theme. Additionally, we identified that the attacker had recreated the client-side exploit dynamically from stored images.

Some other incidents that were handled included ransomware in airport automation systems and ticketing kiosks, DLL injection on electricity control systems, malicious drone navigation apps, office hacking with smart devices and Memcached DDoS attacks.

It was a great experience from which we have improved as a team, not only from a technical perspective but also in the cooperation between the public and private sectors, where we were able to share knowledge and les-
