Hello all and welcome to our latest case study. This week I will be dissecting an incident response case on a high profile retail firm and discussing why poor email and user account management is causing us a terrible security headache.
Recently we performed an incident response for a national chain retail client who had a couple of email and user accounts accessed by a malicious party. The malicious party proceeded to send out over 1200 emails to the contacts of the compromised accounts, including some of their important clients.
Advice – “It’s very easy to over estimate the security of our email accounts, and incorrectly use them as a storage medium for sensitive documents and intellectual property. In a previous incident via a test phishing campaign we accessed via a compromised email account – we phished them – we found masses of intellectual property in the form of technical drawings. We also found ftp passwords where confidential files were being shared with clients. Email is not the correct medium for storing sensitive and confidential documents (usually as attachments). These should be secured and encrypted outside of email. – More on this later. – back to the investigation.
Our initial question were:-
1. How did the attackers get access?
2. Do they still have access?
3. Have other accounts been compromised and if so to what end?
4. What was the purpose of the emails sent out, e.g. malware, discrediting etc.
5. Would the hackers have access to personally identifiable information (if so the Information Commissionaires Office would need informing within 72hrs of the discovery)
We didn’t wait for the answers before we took immediate threat mitigation action. All account passwords were reset with strong passwords. Yes it’s a pain but without further information, it was a necessity.
To get answers to the above questions we requested copies of the following: –
1. Login/AD logs
2. RDP logs
3. VPN logs
4. Email logs
5. Externally facing web server logs
6. Syslogs for any affected machines
7. Access to the affected accounts and their email history for the last 3 months
However, the issue became apparent through teleconference discussions with key members of the organisation. It transpired that shared accounts were being used for over 100 users. Some of the users, dependant on site, had a different username, but they all shared the same password, and even the usernames were shared amongst users at the same site. The password being used was a weak six character password, and it hadn’t been changed during the last 13 years. What was more confusing was the level of access the accounts had, they were not locked down to job function and could even be used to login remotely via the virtual private network. In the interests of anonymity, I don’t wish to disclose the reasoning behind using these shared accounts, however, I can understand how a culture developed around it. That said, Armed with this information we immediately checked the shared account and password and discovered it existed in ten online password dumps.
Advice – We tested the shared email address using the online service “haveibeenpwned.com” this is something I would advise everyone to do with both their work and personal email addresses/account names. The site works by collecting all the password dumps from compromised online services along with their corresponding email addresses/account names.
Then when the user types in either their username/email or password it detects whether it is in the list. Clearly if your account is in the list and you haven’t changed your password since that breach you will need to change it immediately. It has a very useful alert feature too which will email you when your account is found as part of breach allowing you to take immediate action.
We were confident then how the attackers got access, particularly considering many users that had access to the shared accounts and passwords were no longer at the company and not all had left on good terms! Even after we have changed the password, the malicious party could still have access via new accounts or backdoor malware they added. Thankfully nothing in the logs indicated new account creation and the corporation wide anti-malware scan we advised found nothing. The hackers attempted to compromise the victims contacts by send a malicious pdf, which when opened directed the user to a nefarious website. Via the logs we could see at what point the victim account (patient zero) was logged into via a remote nefarious party. The IP address that was used to log into the accounts was a known bad IP address.
Advice – There are many online sites you can use to check if an IP address is malicious
e.g.
ipremoval.sms.symantec.com/lookup
These can be very useful to ascertain if a suspicious IP address is malicious.
The site the victims were directed to had been taken down by the time of our investigation, over we examined a cached version to discover it was a username and password harvesting scam, hosted on a hijacked domain and likely infected with malware.
Advice – If you wish to view a site that has subsequently been removed try using one of the cached view services online such as cachedview.com or go further back using the “wayback machine” i.e. web.archive.org
Although the logs did not evidence any further nefarious activity we have embarked on an infrastructure penetration test and scans to ensure that alternate routes back into the organisation have not been opened.
On this occasion we did advice the ICO were informed due to personally identifiable information being exposed.
Key take out messages
Well, as is often the case, we are back on account and password managment. If you think you have to have shared accounts think again. Even temporary employees should have a unique account and password, and the access level for the account should be restricted to only that which is necessary to perform their duties. As soon as they leave employment the account should be disabled. Assuming their replacement has the same level access it can then be renamed (if necessary) and enabled with a new strong unique password.
In short:-
– Don’t share accounts
– Don’t share passwords
– Create modern acceptable internet use policies, processes and procedures.
– Educate you users in good email and password protocol.
– Encourage users to use password managers
– Consider 2 factor authentication
– Change passwords every 30 days*
– Ensure passwords are long – think passphrase rather than passwords
That’s all for now, see you next week …….