"International" Hacking: When the cooperation is the only cure. Dario Forte, CFE, CISM Security Advisor EECTF - European Electronic Crime Task Force


"International" Hacking: When the cooperation is the only cure.

Dario Forte, CFE, CISM

Security Advisor, EECTF - European Electronic Crime Task Force

Abstract

BACKGROUND: In August 2002, fourteen Italian hackers — almost all information security professionals — were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, the U.S. Army, the U.S. Navy and various universities around the world. This session will illustrate the general techniques used by contemporary attackers, with particular reference to the “insider threat.” In addition, the speech will demonstrate how international cooperation is fundamental in hacking investigations.

European Hacking Scenario

Classified by territory, the European hacking scenario is:

• Eastern Europe: malicious mobile code (MMC), credit card fraud, cyber-extortion

• Central/Northern Europe: defacements (script kiddies), Distributed Denial of Service (DDoS) and distributed information theft

• Western Europe: crypto attacks

European Hacking Scenario (2)

Platforms used by the attackers: Linux, BSD

Best targets’ platforms: Windows, *Nix (xBSD, Sun Solaris, Linux)

September 2001/August 2002: Operation Rootkit

International hacking case: more than 1,000 compromised machines worldwide

• 20% are military/government in the U.S.

• 20% are military/government in Europe

• Others are universities/companies worldwide

Operation details under a Non-Disclosure Agreement (NDA)

The New Malicious Hacker’s Frontier: Attacking Strategic Targets

International hacking case — main features

• Most case histories have demonstrated that the “grey hat” phenomenon is growing

• Grey hats use their own tools (no script kiddies)

• They are inclined to acquire many critical/strategic files from government/military and very important financial/enterprise networks

Contemporary Hacking Lifestyle

Distributed information gathering, using already compromised machines as stepping stones and/or:

• Directly from the hacker’s machines

• Using “flat rate dial-up connections” owned by foreign ISPs with toll-free numbers

• Using a flat-rate account stolen from “normal” users via Trojan horses

• Caller ID hidden

Mentors and Reservoir Dogs’ “Features”

Preferred targets: mainly Linux/Irix machines

Break-in is done within 24 hours of a vulnerability discovery/disclosure

Once inside, they typically:

• Steal files (mainly documents and source code)

• Use the computer as a stepping stone for further operations (more hacking and DoSNET construction)

• Use the computer for IRC traffic

General Scenario: How Crackers Exchange Information

Reservoir Dogs’ techniques are consolidated in the cracker arena

The “most trusted” components of the hacker group used to set up a VPN between their machines — alternatively Secure Shell (SSH), encrypted IRC or IPv6 tunnels

All the workload (such as scanning, exploit finding and testing, and attack) is shared by the components

A “skilled” hacker makes only a few defacements

Malicious Hacker’s “Modus Operandi” (cont.)

Typical Scenario: Hacking Tools Used

Information gathering: large use of nmap (with extended expressions), hping (for firewalled machines), passive fingerprinting

Attack phase:

• Publicly available exploits (possibly customized)

• Self-made rootkits, both “cross” and locally compiled (depending on the target)

• Large use of log wipers and obfuscators

Information Gathering (Typical Scenario)

[Diagram: Master (with an XML engine) → Agents → Target]

The link between master and agent is encrypted

The scanning activity (workload) is shared between the agents

Operation Rootkit: the Backtracing

• More than 300 GB of logs were examined for intrusion analysis purposes

• Five police/government agencies involved

• Dozens of forensic exams were conducted

• So a “practitioner coordinator” was needed

Operation Rootkit: Results

• A year-long investigation

• 14 people charged (four minors)

• More than 40 computers seized

• Almost one TB of data seized

• Thousands of various CD-ROMs/DVDs seized

• Many credit card files recovered

The “Insider Threat”

A portion of the group was working as infosecurity managers in big consulting firms/ISPs (even in the Italian branches of U.S. companies)

The remaining people were freelance security consultants

White hat @ day, black hat @ night (most customers’ machines used as stepping stones)

Initial Attack Analysis

• IDS logs revealed the hack originated from a German ISP’s web server.

• Began coordination directly with German authorities.

• IDS logs showed transfer of the rootkit from a hacked University of Pennsylvania computer.

• Began coordination directly with University officials.

[Diagram nodes: German Web Server, Hacked Army Computer, Hacked University]

Next Hop: Investigating University Computers

• University officials gave system logs and an image of the compromised computer.

• Matched the compromise of the US university to the compromised Army computer.

• Computer was used as a “tool box”

• Identified numerous other compromised systems, including US Government systems

• Search at the physical level revealed a connection from dial-up

• HD analysis found the intruder’s rootkit.

[Diagram nodes: German Web Server, Compromised Army Computer, Additional Compromised Systems, Italian ISP, University Computer]

The German Investigation

• German source computer belonged to a large corporation – it had also been hacked.

• The German corporation identified the compromise of their server.

• Hired a forensic firm in Germany to do the forensic analysis.

• The forensic analysis matched the fingerprint of the Redstone Arsenal and University of Pennsylvania. Source was in Italy. Hacker’s nick was Pentoz.

[Diagram nodes: German Web Server, Hacked US Army Computer, Hacked University, Additional Compromised Systems, Italian ISP]

Thanks to the cooperation between GdF, NASA OIG, USSS Milan, Army CID and Navy NCIS, it was possible to conduct one of the largest backtracing operations in the world. In this period the EECTF started its activity.

Without international cooperation, it wouldn’t have been possible to achieve a good “event correlation rate”
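The “event correlation” the slide refers to, shown as an added example that is not part of the talk: a small Python correlation of intrusion events contributed by several organisations into a stepping-stone graph, plus grouping of incidents by a shared rootkit hash (the “fingerprint” match the German analysis produced). Every host name, address, timestamp and hash is constructed, and the `EVENTS`/`INVENTORY` layout is an assumption about how partners would normalise what they share.

```python
# Added illustration (not from the talk): correlating events contributed by several
# organisations into a stepping-stone graph and tying incidents together by a shared
# rootkit artifact. Every host, IP address, timestamp and hash below is constructed.
from collections import defaultdict

RK = "3f9a" * 16  # constructed sha256 of the recovered rootkit tarball
# (site, ISO timestamp, src_ip, dst_host, event, sha256 of dropped artifact or None)
EVENTS = [
    ("US Army",     "2001-09-03T02:11Z", "203.0.113.10", "army-ws",   "login",    None),
    ("US Army",     "2001-09-03T02:14Z", "192.0.2.25",   "army-ws",   "download", RK),
    ("University",  "2001-08-28T23:40Z", "203.0.113.10", "upenn-box", "login",    None),
    ("University",  "2001-08-29T00:02Z", "203.0.113.10", "upenn-box", "download", RK),
    ("German corp", "2001-08-20T21:05Z", "198.51.100.7", "de-web",    "login",    None),
    ("German corp", "2001-08-20T21:30Z", "198.51.100.7", "de-web",    "download", RK),
]
# Addresses a cooperating party has already confirmed as its own compromised host;
# any source IP not listed here is an external origin that needs a new partner.
INVENTORY = {"203.0.113.10": "de-web", "192.0.2.25": "upenn-box"}

def trace_upstream(events, inventory, target):
    """Breadth-first walk from `target` towards the attacker: each source IP is a hop;
    a partner-owned IP is a stepping stone and is expanded, a foreign IP is a dead end."""
    graph, queue, seen = {}, [target], {target}
    while queue:
        host = queue.pop(0)
        graph[host] = set()
        for _, _, src_ip, dst, _, _ in events:
            if dst != host:
                continue
            upstream = inventory.get(src_ip, src_ip)  # partner host name, else raw IP
            graph[host].add(upstream)
            if src_ip in inventory and upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return graph

def external_origins(graph, inventory):
    """Nodes no task-force member owns: the leads that need the next partner (in the
    talk, the ISP behind the Italian dial-up) before the trace can continue."""
    owned = set(inventory.values())
    return sorted(n for ups in graph.values() for n in ups if n not in owned)

def link_by_artifact(events):
    """Group hosts by the artifact dropped on them: the same rootkit recovered at
    several sites ties those incidents to one toolkit, the 'fingerprint match'."""
    groups = defaultdict(set)
    for site, _, _, dst, _, digest in events:
        if digest:
            groups[digest].add(f"{site}/{dst}")
    return {d: sorted(hosts) for d, hosts in groups.items() if len(hosts) > 1}
```

Starting from the Army host, the graph reproduces the hop order of the slides (Army computer back to the German web server and the University box, then a dial-up address nobody in the group owns), which is exactly where the next cooperating party has to be brought in.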

The Importance of International Cooperation

European Electronic Crime Task Force

Who are we?

EECTF Mission

Very simple …

Free flow of investigative related information without the usual bureaucratic entanglements

Goals for this year

• Build up the organization to 100 members

• Develop training and certification specific to the task force

• Expand the free flow of information to reach not just Europe but Asia as well

Communication between members

What do we use?

- Cybercop

- Secure & encrypted communication

- Non-Disclosure Agreement

Our members

• EECTF is not affiliated with EU government initiatives

• It is a technical/incident response group

• Our members are from law enforcement, military, academia, finance and the trusted private sector

Some case studies

• Reservoir Dogs Case

• Cyprus Credit Card Case

• Cyberfraud case involving Europe and US

Most of them are still under NDA

The Cyprus Case

Through our network of contacts, the EECTF was advised that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus.

We were able to arrange the travel of both the evidence and the police officers involved in the case to our forensic lab in Italy.

In Italy we were able to quickly conduct an initial forensic exam which recovered enough evidence to keep the defendants in jail until such time as the complete forensic exam could be completed in the U.S.

Lessons Learned

Operation Rootkit:

• Companies should increase control over their IT security personnel

• Customers should “think twice” before leaving their IT systems in the hands of potentially untrustworthy consultants

All operations:

• International cooperation is essential in cybercrime enforcement

• Know your enemy

• Share information with your peers

• Test your knowledge and skill

• Avoid bureaucracy whenever you can, but respect and interact with the laws.

Thanks