There has recently been a lively discussion of the latest alleged NASA leak, which reportedly included over 250GB of employee information, flight logs, videos and radar feeds. The hack was described in meticulous detail in a lengthy pastebin post (the post keeps getting moved), covering how a hacker group gained access to NASA, which tools they used, what they did once inside, and how they exfiltrated the data. Is the alleged leak real? Some would say that to answer that question you simply need to read the original post. Having done so, we believe the data provided contains enough evidence to conclude that the alleged leak did occur.

Debating whether the hackers tried to crash a drone or really exfiltrated 250GB of data perhaps misses the point. It is not often that we get such a detailed behind-the-scenes account of an attack, and what that account teaches about how the breach unfolded is, in our view, far more interesting.

APT? Well, That Slowly Escalated Quickly!

APT(?!): a term reserved for governments and highly skilled criminals, right? If you think so, you may be a bit behind the times. Thanks to the wonders of the Internet, even hacktivists have learned to work in synergy, combining skills and trading Bitcoins to escalate attacks. In this case, a textbook attack escalated from a Banker Trojan infection into a slow and methodical APT-style operation spanning more than two years.

The initial foothold into NASA was bought with Bitcoins (supposedly obtained from ransomware) over two years ago. The asset was originally compromised as part of a broad Banker Trojan campaign that targeted individuals all over the world, infecting them with the Gozi malware. Once the campaign operators realized that a NASA computer was among the infected machines, they terminated more than 10,000 of their other bots, to make sure their malware samples were not feeding signatures to security vendors and to reduce their chances of being caught early.

We discussed this kind of rapid escalation in Phishing Trip to Brazil III (yes, Banker Trojans were the main focus there), where "personal compromise starts to become a corporate breach". The Banker Trojan authors, not being in the business of infiltrating organizations, looked to sell their NASA foothold to whichever party paid the most in Bitcoins. They cleverly advertised their merchandise, claiming that, although they did not have a root account, "we fingerprinted many outdated systems in the network", so finding exploits would not be a problem. Needless to say, they found a buyer, and the result is the data leak that is now raising red flags.

Sniffing, Mapping and Cracking

Most of the operation (apart from the initial compromise) was carried out with generic tools available to everyone. Once inside the network, the group scanned for active nodes to compromise. On each compromised workstation or server they searched for locally stored credentials and left behind a sniffer to capture passwords crossing the wire. Besides yielding access to new nodes, this method helps to avoid traps such as honeypots: a passively sniffed credential is a real one used by a real user, so reusing it produces none of the noisy scanning or guessing that tends to trip such traps. Such measures were probably not in place here, but the group was wary of them nonetheless: "It was too easy that most of us thought these might be honeypots (lol). Luckily for us, our tcpdump sniffed some ftp login credentials to the other box that was reused for SSH also."
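To show how little a sniffer needs to do to turn a cleartext FTP session into a reusable credential, here is an added example (not code from the original post or from the group): it walks a captured sequence of TCP payloads, pairs each USER/PASS command with the server's reply, and then reports which successful username/password pairs opened more than one host. The packet list, hosts and credentials are constructed for this illustration; the same parsing, run by a defender over a span port, is a quick check for cleartext logins still flowing across a segment and for passwords reused between hosts.

```python
"""Harvest cleartext FTP logins from captured TCP payloads and flag reuse.

Example code, not from the original post. The packets below are constructed
to mimic what `tcpdump -A` would show for three FTP sessions and one SSH
connection between made-up internal hosts.
"""
import re
from collections import defaultdict

FTP_PORT = 21
CMD_RE = re.compile(rb"^(USER|PASS)\s+(.*?)\r?\n", re.IGNORECASE)
REPLY_RE = re.compile(rb"^(\d{3})[ -]")

# Constructed capture: (src, src_port, dst, dst_port, payload)
PACKETS = [
    ("10.1.2.10", 21, "10.1.2.50", 55001, b"220 storage01 FTP server ready\r\n"),
    ("10.1.2.50", 55001, "10.1.2.10", 21, b"USER backup\r\n"),
    ("10.1.2.10", 21, "10.1.2.50", 55001, b"331 Password required for backup\r\n"),
    ("10.1.2.50", 55001, "10.1.2.10", 21, b"PASS Winter2015!\r\n"),
    ("10.1.2.10", 21, "10.1.2.50", 55001, b"230 Login successful.\r\n"),
    ("10.1.2.51", 55002, "10.1.2.11", 21, b"USER admin\r\n"),
    ("10.1.2.51", 55002, "10.1.2.11", 21, b"PASS wrongpass\r\n"),
    ("10.1.2.11", 21, "10.1.2.51", 55002, b"530 Login incorrect.\r\n"),
    ("10.1.2.51", 55003, "10.1.2.12", 21, b"USER backup\r\n"),
    ("10.1.2.51", 55003, "10.1.2.12", 21, b"PASS Winter2015!\r\n"),
    ("10.1.2.12", 21, "10.1.2.51", 55003, b"230 Login successful.\r\n"),
    ("10.1.2.51", 55004, "10.1.2.12", 22, b"SSH-2.0-OpenSSH_6.6\r\n"),  # ignored
]


def harvest_ftp_logins(packets):
    """Return one record per completed FTP login attempt.

    Commands sent to port 21 are tracked per (client, server) session; the
    first server reply after a PASS closes the attempt, and reply code 230
    marks it successful. Non-FTP traffic (e.g. SSH on 22) is skipped.
    """
    pending = {}  # (client, server) -> partial {"user", "password"}
    logins = []
    for src, sport, dst, dport, payload in packets:
        if dport == FTP_PORT:  # client -> server command
            m = CMD_RE.match(payload)
            if not m:
                continue
            sess = pending.setdefault((src, dst), {})
            arg = m.group(2).decode(errors="replace")
            if m.group(1).upper() == b"USER":
                sess["user"] = arg
            else:
                sess["password"] = arg
        elif sport == FTP_PORT:  # server -> client reply
            key = (dst, src)
            m = REPLY_RE.match(payload)
            sess = pending.get(key)
            if not m or not sess or "password" not in sess:
                continue  # banner or reply to USER; no attempt finished yet
            logins.append({
                "client": key[0], "server": key[1],
                "user": sess.get("user"), "password": sess["password"],
                "success": m.group(1) == b"230",
            })
            pending.pop(key)
    return logins


def credential_reuse(logins):
    """Map each successful (user, password) pair to the servers it opened and
    keep only pairs seen on more than one host: the pivot the group describes,
    one sniffed login reused elsewhere."""
    seen = defaultdict(set)
    for rec in logins:
        if rec["success"]:
            seen[(rec["user"], rec["password"])].add(rec["server"])
    return {cred: sorted(hosts) for cred, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = harvest_ftp_logins(PACKETS)
    for rec in found:
        print(rec)
    print("reused:", credential_reuse(found))
```

The failed `admin` attempt is kept in the output on purpose: a defender reviewing the same capture wants the failures too, since a burst of them against a device nobody should be logging into by FTP is its own signal.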

I Got You Now, Data! But How Do I Get You Out?

We have noted several times in the past that attackers ultimately go after enterprise data repositories. This incident is no different, as the post states: "After scanning the network (yet again) from our newest vantage point, we could see several networked storage devices (NAS) with pretty crazy obvious names DRONE_BACKUPS, DRONE_BACKUPS2, DRONE_BACKUPS3."

The group knew their tradecraft and how to stay under the radar: "Since these storage devices weren't even supposed to have SSH installed, massive amounts of port 22 traffic would be suspicious, to say the least." To make sure the exfiltration from the NAS went unnoticed, they made local copies of the data on each device and retrieved them over port 80, where the transfers looked like ordinary index files being served by a web server. Two internal hops later, the data was uploaded to their own servers.
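The group's reasoning only holds if the defender treats port 80 as universally benign. The added example below (not from the original post, and not any vendor's product logic) applies two checks to hourly flow summaries: a server accepting connections on a port its asset role should not expose, and a server sending far more data than its role's baseline. The inventory, baselines and flow records are constructed; with them, a NAS answering HTTP is as loud as a NAS answering SSH, and the workstation used as an internal hop shows up because workstations should not be serving anything at all.

```python
"""Flag internal transfers that do not fit an asset's role.

Example code, not from the original post. Asset inventory, baselines and
flow summaries are constructed for this illustration.
"""
from collections import defaultdict

MiB = 2 ** 20

# Ports each asset role is expected to serve (constructed inventory).
ROLE_PORTS = {
    "nas": {445, 2049},      # SMB / NFS only: no SSH, and no HTTP either
    "web": {80, 443},
    "workstation": set(),    # should never accept inbound connections
}
ASSETS = {
    "10.2.0.10": "nas",      # a DRONE_BACKUPS-style device
    "10.2.0.11": "nas",
    "10.2.0.20": "web",
    "10.2.1.50": "workstation",
    "10.2.1.51": "workstation",
}
# Bytes per hour an asset of each role normally sends to clients (constructed).
BASELINE_OUT_BYTES = {"nas": 200 * MiB, "web": 50 * MiB, "workstation": 20 * MiB}

# Constructed hourly flow summaries:
# (client, server, server_port, bytes_client_to_server, bytes_server_to_client)
FLOWS = [
    ("10.2.1.50", "10.2.0.10", 445, 1 * MiB, 15 * MiB),      # normal SMB read
    ("10.2.1.50", "10.2.0.20", 443, 1 * MiB, 3 * MiB),       # normal HTTPS
    ("10.2.1.51", "10.2.0.10", 80, 1 * MiB, 1200 * MiB),     # HTTP pull from a NAS
    ("10.2.1.51", "10.2.0.11", 80, 1 * MiB, 1500 * MiB),     # HTTP pull from a NAS
    ("10.2.1.51", "10.2.0.11", 22, 64 * 1024, 0),            # SSH probe, refused
    ("10.2.1.52", "10.2.1.51", 80, 1 * MiB, 2100 * MiB),     # workstation as a hop
]


def unexpected_services(flows, assets=ASSETS, role_ports=ROLE_PORTS):
    """Rule 1: a known asset accepting a connection on a port outside its role.
    Returns sorted unique (server, port, client) tuples."""
    alerts = set()
    for client, server, port, _, _ in flows:
        role = assets.get(server)
        if role is not None and port not in role_ports[role]:
            alerts.add((server, port, client))
    return sorted(alerts)


def outbound_volume_anomalies(flows, assets=ASSETS, baseline=BASELINE_OUT_BYTES,
                              factor=5):
    """Rule 2: a known asset that sent clients more than `factor` times its
    role's hourly baseline, regardless of port. Returns sorted
    (server, role, total_bytes) tuples."""
    sent = defaultdict(int)
    for _, server, _, _, server_to_client in flows:
        sent[server] += server_to_client
    alerts = []
    for server, total in sent.items():
        role = assets.get(server)
        if role is not None and total > factor * baseline[role]:
            alerts.append((server, role, total))
    return sorted(alerts)


def detect(flows):
    """Run both rules and return their findings keyed by rule name."""
    return {
        "unexpected_service": unexpected_services(flows),
        "volume": outbound_volume_anomalies(flows),
    }


if __name__ == "__main__":
    for rule, hits in detect(FLOWS).items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

The second rule deliberately ignores the port: staging a local copy on the NAS and reading it back as "index files" changes what the traffic looks like, not how much of it there is, and a backup device suddenly serving a gigabyte an hour to a single workstation is the signal regardless of the protocol dressing.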

Prevention vs. Detection

So what is the key takeaway? The first step towards protection is having detection mechanisms in place that discover a breach as early as possible. The cyber security industry as a whole has focused too much on preventing attacks. With an ever-growing attack surface, insider threats included, and increasingly sophisticated attackers, putting up defenses without first having detection in place is like searching for a needle in a haystack blindfolded. The group themselves say as much. Either way, enterprises need to rethink their cyber defense strategy and put detection first.