Tuesday, April 21, 2015

The Unknowing Insider Threat

Most of the Phishing emails seen attempt to infect the user's workstation. For example, it might plant something that attempts to record and steal banking and user credentials. Or it might encrypt the user's files and ask for a ransom to retrieve those files. Or it might plant malware that makes the workstation part of a larger botnet. All of which is generally Remote to Local or Local to Remote (your workstation talking with the Internet).

But how about Local to Local attacks? Sending a phishing email to an employee, and if they click and open it, it launches an attack on an internal device or server?

I saw two recent blogs that mentioned that concept and thought it was worth mentioning.

First, the great Didier Stevens posted a video blog showing how simple it is to DoS a server using MS15-034 with a macro in a Microsoft Excel document. If you don't recall MS15-034, here's a quick refresher. Imagine this scenario playing out ...
1.) Login to your work computer in the morning
2.) Open your email client
3.) See an email in your inbox titled 'Health Plan Rates'
4.) Open the excel attachment in the email
5.) Get prompted to enable macros
6.) Click enable macros
7.) Unbeknown to you, the Excel macro cycles through all internal IP addresses in your company sending the MS15-034 DoS request
8.) Your IT department getting ticked off at you after they determine that several internal Windows Servers (Sharepoint, Time Tracking, etc.) crashed because of you.

Second, Mike Czumak at SecuritySift.com wrote about a deeper analysis of MS15-034. In his article, he mentioned at the bottom another interesting Shellshock attack. It lead me to consider another similar scenario except worse ... ...
1.) Login to your work computer in the morning
2.) Open your email client
3.) See an email in your inbox titled 'Star Wars Movie Trailer' from your friend
4.) Open the link in the email
5.) Start watching the Movie Trailer
6.) Unbeknown to you, the javascript on the Start Wars Trailer html page is cycling through all internal IP addresses in your company sending Shellshock attempts
7.) Your IT department gets ticked off after they determine that several of their Linux Production servers were compromised and backdoored all because you watched the Star Wars movie trailer.

Why are these attacks interesting? Well, one important thing to note is that major vulnerabilities like MS15-034 and Shellshock were almost immediately patched in your DMZ (or externally exposed devices) if your company is any good at what it does. But it's legit to think that your server teams may have taken a bit more time with your Internal servers (ones that are not exposed to the internet, such as your ERP, Intranet applications, etc.). Thus these attacks may work well after all the hype has died down on the big vulnerabilities. And if there are some internal servers that you just never got around to patching or that you were willing to accept the risk on, guess what, this type of attack might bring back nightmares now!

That human factor is a killer, huh? Phishing attacks are going to be bread and butter for attackers for a long time to come it would seem.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment