Attackers aren't just in it for the fun anymore. While we still see our share of political defacements and attacks pulled off just to prove a point, most of the cases that forensics firms like mine are working involve the theft of data. Attackers are stealing Personally Identifiable Information and selling it to crooks who use it to defraud Medicare/Medicaid and other social programs. The same data can be used to commit classic "Identity Theft" and open accounts under other people's names.
Even easier is the theft of Cardholder Data: there is a sophisticated black market built around the sale of credit card numbers. I talk about it in my conference presentation "Hunting Carders for Fun and Profit" (coming to a con near you in 2013), and it really blows people away how readily available the hardware, plastics and card numbers are. It's really easy for an attacker to gather card numbers and sell them in bulk to a middleman who specializes in parting out these "dumps" for a set price.
All of this data capture and sale really is the "End Game". It's how they get there that I want to talk about.
The top way I see data being exfiltrated is SQL injection. I talked about this in my last post and put up a quick example. I usually see an attacker hammer away at a site for a couple of days with different tools, but once they find that vulnerable page, it's over in a matter of minutes or hours. This is a very direct kind of attack: they poke around until they find a way to directly access your DB and just suck all the records right out. It's very effective but not terribly sophisticated (usually; see Hunting Carders for a very sophisticated attack).
The second most common thing I see is web shell upload. There are hundreds of different vulnerabilities that allow the upload of a file to a website. If the account the web instance runs as has elevated privileges, it's all over but the crying. I regularly see these web shells deployed to a system and the attacker quickly using them to become intimately familiar with a website.
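To make the "directly access your DB and suck all the records out" step concrete, here is an added example (my own illustration, not code from the original post or from any site the author examined) using Python's built-in sqlite3 module. The table, rows and the email lookup are constructed for this example; the vulnerable function pastes the request parameter into the query text, the fixed one binds it as a parameter.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "customers" table standing in for
# an e-commerce database. Nothing here comes from a real site.
SAMPLE_ROWS = [
    ("alice@example.test", "1111"),
    ("bob@example.test", "2222"),
    ("carol@example.test", "3333"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The classic mistake: the request parameter is pasted into the SQL text,
    # so a quote character in the input can rewrite the WHERE clause.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # Fixed form: the driver binds the value separately from the statement,
    # so whatever the input contains, it is only ever compared as a string.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"  # constructed input of the kind a scanner sends
    print("vulnerable:", lookup_vulnerable(db, tautology))        # all three rows
    print("parameterized:", lookup_parameterized(db, tautology))  # []
```

The days of "hammering away" the author describes show up on the defender's side as the same query parameter arriving over and over with quote characters and SQL keywords in it; the parameterized form is what makes that noise harmless once the attacker does find the page.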
If you haven't seen a modern PHP web shell in action, I recommend poking around the internet to find some examples. They've come a long way since the first generation "webmin" clients.
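Most of the upload bugs the author mentions come down to the server trusting the client's file name and then storing the file somewhere the PHP handler will execute it. As an added example (mine, not the post's), here is an upload check in Python that applies the usual three controls: an allow-list of types tied to their magic bytes, a refusal of PHP markers inside image data, and a random server-side name written to a directory that is assumed to sit outside the web root. The marker list and the `upload_dir` convention are assumptions for the example.

```python
import os
import secrets

# Allow-list of the upload types a catalogue or avatar feature actually needs,
# each tied to the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# PHP open tags have no business inside an image (assumed marker list).
SCRIPT_MARKERS = (b"<?php", b"<?=")


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (True, ext) for an acceptable image, or (False, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script"
    return True, ext


def safe_name(ext: str) -> str:
    # Never reuse the client-supplied name: a random name removes double-extension
    # and path-traversal games in one step.
    return secrets.token_hex(16) + "." + ext


def store_upload(upload_dir: str, filename: str, content: bytes) -> str:
    """Validate and write the file under a random name; return that name."""
    ok, info = validate_upload(filename, content)
    if not ok:
        raise ValueError(info)
    name = safe_name(info)
    # upload_dir is assumed to live outside the document root, so nothing
    # stored here is reachable as a URL, let alone run by the PHP handler.
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o640)  # data, not a program: no execute bit
    return name


if __name__ == "__main__":
    # Constructed inputs: a real PNG header versus a renamed script.
    print(validate_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("avatar.png", b"<?php echo 1; ?>"))
```

The third control is the one that matters most for the author's point about privileges: even when a check is bypassed, a file that the web server's account can only read, in a directory it cannot execute from, is not a shell.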
[Image: Screenshot from a modern web shell.]
Nothing is safe: almost all e-commerce sites have config files that spell out IPs, DB types, usernames and passwords in clear text. Once you know where to look, it takes seconds to take over a site.
Another thing I find is a false sense of security on the part of site owners. I've heard "What does it matter if they got the database? It's all encrypted" a number of times in the last year. This is a partially correct line of thought; real encryption would negate a huge number of breaches. The problem is that the average site does not feature encryption, it features encoding. During the database write they sneak in an MD5 hashing routine or Base64 encoding. This is trivial to reverse and does no good at all. It's so bad now that I can recognize Base64 like it's the English language.
Worse yet, I see programmers get almost all the way to real encryption, with certs and two-piece keys, but then hard-code the keys and the encryption/decryption methods right into the site. They even name the file things like "encryption_funcs.php". Again, it becomes trivial for an attacker with a web shell in place to dump and decode.
[Image: Embedded decrypt function, complete with key. Owned!]
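The two paragraphs above (encoding mistaken for encryption, and keys hard-coded next to the decrypt routine) are the sort of thing an assessor checks by looking at what the card column actually contains. As an added example (my own, not the post's), here is a Python classifier that labels stored values the way the author describes recognizing them by eye, plus a lookup token whose key is loaded from the environment rather than from a file in the site tree. One caveat on the author's wording: MD5 is a hash rather than an encoding, so it is not decoded, but an unsalted MD5 of a card number is cheap to match against hashes of candidate numbers, which is why it is flagged here. The column values, the `CARD_TOKEN_KEY` variable name and the HMAC token scheme are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to decide whether a digit string is a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(s: str) -> bool:
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_ok(s)


def classify_stored_value(value: str) -> str:
    """Label one stored 'card' column value by how much protection it really has.

    'plaintext-pan'  - the number sits in the column as-is
    'base64-pan'     - encoding only: decodes straight back to the number
    'md5-length-hex' - 32 hex chars, the shape of an unsalted MD5; cheap to
                       match against hashes of candidate card numbers
    'opaque'         - nothing above matched (real ciphertext or a keyed token)
    """
    if looks_like_pan(value):
        return "plaintext-pan"
    if MD5_HEX.match(value):
        return "md5-length-hex"
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
        if looks_like_pan(decoded):
            return "base64-pan"
    except (binascii.Error, UnicodeDecodeError):
        pass
    return "opaque"


def load_key(env=None) -> bytes:
    """Fetch the key from the process environment (or a secrets manager),
    never from a file that ships with the site's source tree."""
    if env is None:
        env = os.environ
    hex_key = env.get("CARD_TOKEN_KEY")  # hypothetical variable name
    if not hex_key or len(hex_key) < 64:
        raise RuntimeError("CARD_TOKEN_KEY missing or shorter than 32 bytes")
    return bytes.fromhex(hex_key)


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way reference for lookups (HMAC-SHA256). Without the key a
    dumped table of these tells the attacker nothing; an unsalted MD5 does."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed column values: the same test card number, four ways.
    sample_column = [
        "4111111111111111",
        base64.b64encode(b"4111111111111111").decode(),
        hashlib.md5(b"4111111111111111").hexdigest(),
        pan_token("4111111111111111", bytes(32)),  # zero key, demo only
    ]
    for v in sample_column:
        print(classify_stored_value(v), v)
```

A token like this only replaces the number for matching and de-duplication; storing the PAN itself for later charges still needs real encryption, and the point of `load_key` is that the key does not live where a web shell can read it.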
More on that soon in "The End Game: Part 2. Persistence"