6. Incident 1: WordPress XML-RPC Attack
Athletic Apparel Shop: Brick & Mortar & e-commerce
Application stack: Custom code written in XML
WordPress content management system
Detection method: Intrusion Detection System (IDS)
16. Impact of Web App Attacks
• Web apps are becoming more prevalent in organizations
• Web app attacks are “gateway” attacks
- Yahoo breach started with a WordPress hack
- Shadow IT
• Web apps use more open source than traditional applications
• Catching these threats in the early stages
- Prevents our customers from dealing with large-scale breaches
Greeting. The analysts who work in our Security Operations Center, 24x7, are constantly on the lookout for cyber threats. The SOC analysts are the heartbeat of Alert Logic and I’m here to share some of their stories. First, I’m going to provide some context and then share the stories about how our analysts were able to protect systems and keep business moving.
From system/network attacks to platform/library attacks to Web App attacks it’s easy to see there are multiple layers of security and a defense in depth strategy is essential.
Explain kill chain
We’re going to show you a WordPress XML-RPC attack. This type of web presence is common and my research revealed that an…
Athletic Apparel Shop, based in the UK, stores in 14 countries, including one in Massachusetts. They are active in ecommerce and are highly dependent on IT integration for logistics.
XML – Extensible Markup Language, a markup language for structured data whose syntax resembles HTML.
RPC – Remote Procedure Call, a way of invoking a function on a remote system. XML-RPC encodes the call as XML sent over HTTP; in WordPress it is served by xmlrpc.php, and several of its methods (wp.getUsersBlogs, for one) take a username and password, which is what makes the endpoint a password-guessing target.
Video – This video is an example of a WordPress XML-RPC attack.
Narrative – The attacker checks whether XML-RPC is enabled (it has been on by default since WordPress 3.5). The attacker then opens Metasploit, searches for and selects the module to run, runs it against the target website and brute forces the admin account password. THIS IS THE ACTION THAT IS DETECTED AND DRAWS THE ATTENTION OF OUR SOC ANALYST. And as you can see, we now have admin rights on the website.
Length – 2:23
One of the SOC analysts said that WordPress attacks are always interesting, because there are so many different types, so it keeps you on your toes.
This is a view of the details of the attack. We found a match in the payload and contacted our customer with a mitigation plan.
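What the SOC is matching on in a case like this is the shape of the XML-RPC traffic itself. The following is an added example written for these notes, not Alert Logic's detection content: it parses XML-RPC POST bodies to xmlrpc.php, counts every credential-bearing call (including the many inner calls that system.multicall can pack into one HTTP request, which is how a single request can carry dozens of guesses), and raises one alert per source that exceeds a threshold inside a time window. The request records, the login oracle method names and the threshold are assumptions made for the example; the traffic is constructed, not captured.

```python
"""Detect a WordPress XML-RPC credential brute force from HTTP request records.

Added example; not Alert Logic's detection content. Assumes requests are
already parsed into (timestamp, source IP, path, body) and that the login
oracle is wp.getUsersBlogs, called directly or inside system.multicall.
The request records at the bottom are constructed, not captured traffic.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# XML-RPC methods that take a username/password pair and so answer
# "is this password right?" without ever touching wp-login.php.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}


@dataclass
class Request:
    ts: float   # seconds since the first record
    src: str
    path: str
    body: bytes


def count_login_attempts(body):
    """Return (method, attempts, usernames) for one XML-RPC POST body.

    system.multicall wraps many inner calls in one HTTP request, so every
    inner authenticating call is counted. Production code should parse
    attacker-controlled XML with defusedxml rather than plain ElementTree.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, 0, set()
    if root.tag != "methodCall":
        return None, 0, set()
    method = (root.findtext("methodName") or "").strip()
    users = set()
    if method in AUTH_METHODS:
        strings = root.findall("./params/param/value/string")
        if strings:
            users.add(strings[0].text or "")   # first param is the username
        return method, 1, users
    if method == "system.multicall":
        attempts = 0
        for call in root.findall("./params/param/value/array/data/value/struct"):
            inner, params = None, []
            for member in call.findall("member"):
                if member.findtext("name") == "methodName":
                    inner = member.findtext("value/string")
                elif member.findtext("name") == "params":
                    params = member.findall("value/array/data/value/string")
            if inner in AUTH_METHODS:
                attempts += 1
                if params:
                    users.add(params[0].text or "")
        return method, attempts, users
    return method, 0, users


def detect_bruteforce(requests, threshold=20, window=60.0):
    """Alert on any source sending >= threshold guesses to xmlrpc.php within
    `window` seconds. Returns one alert dict per offending source."""
    per_src = defaultdict(list)   # src -> [(ts, attempts, usernames)]
    for r in sorted(requests, key=lambda r: r.ts):
        if not r.path.endswith("/xmlrpc.php"):
            continue
        _, n, users = count_login_attempts(r.body)
        if n:
            per_src[r.src].append((r.ts, n, users))
    alerts = []
    for src, events in per_src.items():
        start, total = 0, 0
        for i, (ts, n, _) in enumerate(events):
            total += n
            while events[start][0] < ts - window:   # slide the window forward
                total -= events[start][1]
                start += 1
            if total >= threshold:
                seen = set().union(*(u for _, _, u in events[start:i + 1]))
                alerts.append({"src": src, "attempts": total, "usernames": sorted(seen),
                               "first_ts": events[start][0], "last_ts": ts})
                break   # one alert per source is enough for the analyst queue
    return alerts


# --- constructed sample traffic (not real customer data) -------------------
def login_call(user, pw):
    return (f"<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
            f"<params><param><value><string>{user}</string></value></param>"
            f"<param><value><string>{pw}</string></value></param></params></methodCall>").encode()


def multicall(user, pws):
    inner = "".join(
        "<value><struct><member><name>methodName</name>"
        "<value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{user}</string></value><value><string>{pw}</string></value>"
        "</data></array></value></member></struct></value>" for pw in pws)
    return (f"<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{inner}</data></array></value></param>"
            f"</params></methodCall>").encode()


SAMPLE_REQUESTS = [
    Request(0.0, "203.0.113.5", "/xmlrpc.php", login_call("admin", "password")),
    Request(1.0, "203.0.113.5", "/xmlrpc.php", login_call("admin", "admin123")),
    Request(2.0, "203.0.113.5", "/xmlrpc.php", login_call("admin", "letmein")),
    Request(3.0, "203.0.113.5", "/xmlrpc.php", multicall("admin", [f"guess{i}" for i in range(25)])),
    Request(4.0, "198.51.100.9", "/xmlrpc.php",   # benign pingback, no credentials
            b"<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName><params/></methodCall>"),
    Request(5.0, "198.51.100.9", "/wp-login.php", b"log=admin&pwd=x"),
]


def run_sample():
    return detect_bruteforce(SAMPLE_REQUESTS)
```

Run as `python3 xmlrpc_bruteforce.py` after adding a print of `run_sample()`; the three direct guesses plus the 25 packed into the multicall give one alert for 203.0.113.5 with 28 attempts, while the pingback from the other source never counts. The multicall path is the part worth keeping in any real rule: a threshold on HTTP requests alone badly undercounts an attacker who sends hundreds of guesses per request.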
Be Prepared to walk through the rule: http://cheatsheet.logicalwebhost.com/snort-howto/
msg - The text written into the alert when the rule fires. In this case, Snort reports "SCAN SYN FIN".
flow - Lets the rule check the state of the TCP session. It can take a number of values, including established (a TCP session exists), not_established (no session), stateless (either), etc. In our example the rule uses flow:stateless, so it fires on traffic with or without an established TCP session.
flags - This couplet checks the TCP flags. As you know, the TCP flags are SYN, FIN, PSH, URG, RST and ACK, plus the two formerly reserved bits (1 and 2) now used by ECN. This rule is looking for traffic that has both the SYN and FIN flags set (SF). The ",12" after them is not a further condition: it is a mask telling Snort to ignore the two reserved bits when comparing, so the rule matches SYN+FIN whether or not those bits are set. No legitimate TCP packet carries SYN and FIN together, which is what makes it a reliable scanner fingerprint.
reference - This section points to an external security database for more information on the attack. In our example, we can find more on this attack in the arachnids database, entry 198.
classtype - All the rules are classified into categories to help the admin understand what type of attack has been attempted. In our example, we can see that it is classified as "attempted-recon".
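To make the walkthrough above concrete, here is an added example (not from the cheat sheet linked above, and not Alert Logic's content) that parses a Snort rule into its header and option list and decodes the flags option the way Snort does. The rule text is the "SCAN SYN FIN" community rule reconstructed from exactly the options the notes describe; its sid and rev values are assumptions. The splitter respects quotes, because a msg string may legitimately contain a semicolon.

```python
"""Parse a Snort rule into header and options and decode the flags: option.

Added example; not from the Snort cheat sheet or from Alert Logic. SCAN_SYN_FIN
is reconstructed from the options described in the notes (sid/rev assumed).
"""
import re

TCP_FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG",
                  "1": "reserved-1 (CWR)", "2": "reserved-2 (ECE)", "0": "none"}

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

SCAN_SYN_FIN = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                '(msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; '
                'reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;)')


def split_options(body):
    """Split the option body on ';' while respecting double quotes and backslashes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep an escaped character as-is
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Return header fields plus an options dict. Values are lists because
    options such as reference may appear more than once; flag-style options
    without a value (nocase) map to [None]."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, sep, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options.setdefault(key, []).append(val if sep else None)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def decode_flags(value):
    """Decode a flags: value of the form [modifier]FLAGS[,MASK].

    No modifier: the flag byte must equal exactly the listed flags.
    '+': listed flags plus any others; '*': any of the listed; '!': none of them.
    MASK lists bits ignored in the comparison, so 'SF,12' matches SYN+FIN
    whether or not the two reserved bits are set."""
    flags, _, mask = value.replace(" ", "").partition(",")
    mode = "exact"
    if flags and flags[0] in "+*!":
        mode = {"+": "plus-others", "*": "any-of", "!": "not"}[flags[0]]
        flags = flags[1:]
    return {"mode": mode,
            "flags": [TCP_FLAG_NAMES[c] for c in flags],
            "ignored": [TCP_FLAG_NAMES[c] for c in mask]}
```

Calling `decode_flags(parse_rule(SCAN_SYN_FIN)["options"]["flags"][0])` yields mode "exact", flags SYN and FIN, and the two reserved bits in the ignored list; that is the reading to keep in mind when the mask is mistaken for an extra match condition.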
Incident #2 is a SQL injection attack, and while there are many vulnerable websites, I thought the most interesting one was a large private commercial bank operating 64 branches, with online banking including smartphone banking apps.
Video – This video is an example of a WordPress SQL injection attack.
Narrative – Once we have the IP address of the target host, we run WPScan to learn more about the system. Looking through the results of the scan, it’s easy to identify a vulnerability. As you can see, there is a lot of good information gathered from the scan. Now we search for an exploit that matches the “like counter” button vulnerability the scan reported. Here are some of the details about this exploit. “Inputs not filtered” = Please Hack Me! So now we copy the syntax of the exploit command and open another terminal window to launch the SQL injection attack. THIS IS THE ACTION THAT IS DETECTED AND DRAWS THE ATTENTION OF OUR SOC ANALYST. The injection worked and you see the tool now asking for specific parameters. Now that we’ve been able to inject into the web application, the next part of the attack is to brute force the password hash the injection retrieved. The password is now cracked, so we copy it from the terminal window and use it to log into the WordPress Dashboard.
Length: 2:28
“Finding SQL Injection attacks is as close as it comes to finding a needle in a haystack.” Robert is right: for this attack there were 154 events detected that make up this ONE incident. It reminds me of the old Madlibs magazine with two almost identical pictures where you had to find the 10 hidden objects. Anybody remember those?
Well, have at it. Find the needle? Just kidding, maybe this will help?
Looking for a database in the schema.
The events move through the database structure: from a column in a table, from the table to its database, and from the database to the schema. Each of those steps is a query of its own and therefore an event of its own, which is why one incident is made up of so many.
In this case, the target is an email database.
Here is a better view for our SOC analyst in our UI.
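The “inputs not filtered” bug from the narrative and the schema-to-data walk that produced all those events fit in one small example. What follows is added for these notes and is not the plugin, the exploit tool or the SOC's data: an in-memory SQLite database with constructed WordPress-style tables, a like-counter handler that concatenates the request parameter into SQL beside its bound-parameter fix, and a function that replays the enumeration as a sequence of UNION injections. SQLite's sqlite_master catalogue plays the role that information_schema plays in MySQL; table contents and the hash string are made up.

```python
"""A 'like counter' handler with the unfiltered-input bug beside its fixed
form, and the schema -> table -> column -> data walk an injection takes.

Added example, not the plugin, the exploit or the SOC's data. The in-memory
SQLite database and its WordPress-style rows are constructed; MySQL would use
information_schema where SQLite uses sqlite_master.
"""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, likes INTEGER);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_pass TEXT, user_email TEXT);
        INSERT INTO wp_posts VALUES (1, 'Spring collection', 3), (2, 'Store opening', 0);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashOnly.notARealHash',
                                     'admin@example.com');
    """)
    return conn


def like_title_vulnerable(conn, post_id):
    """The bug the scan flagged: the request parameter is concatenated into SQL."""
    sql = "SELECT post_title FROM wp_posts WHERE ID = " + post_id   # inputs not filtered
    return [row[0] for row in conn.execute(sql)]


def like_title_fixed(conn, post_id):
    """Same query with the parameter type-checked and bound, never concatenated."""
    pid = int(post_id)   # 'UNION SELECT ...' is rejected here with ValueError
    rows = conn.execute("SELECT post_title FROM wp_posts WHERE ID = ?", (pid,))
    return [row[0] for row in rows]


def walk_schema(conn):
    """Replay the enumeration the SOC saw as a long run of events: each step is
    one request whose post_id carries a UNION against the schema catalogue.
    ID = 0 matches no post, so only the injected rows come back."""
    steps = {}
    # 1. which tables exist (information_schema.tables in MySQL)
    steps["tables"] = like_title_vulnerable(
        conn, "0 UNION SELECT name FROM sqlite_master WHERE type='table'")
    # 2. which columns the users table has (information_schema.columns in MySQL)
    steps["columns"] = like_title_vulnerable(
        conn, "0 UNION SELECT sql FROM sqlite_master WHERE name='wp_users'")
    # 3. the rows themselves: login and password hash, ready for offline cracking
    steps["creds"] = like_title_vulnerable(
        conn, "0 UNION SELECT user_login || ':' || user_pass FROM wp_users")
    return steps


def fixed_blocks_injection(conn):
    """True if the hardened handler refuses the same injected parameter."""
    try:
        like_title_fixed(conn, "0 UNION SELECT user_pass FROM wp_users")
    except ValueError:
        return True
    return False
```

Each call in `walk_schema` is one HTTP request in the real attack, and a tool automates dozens of them per step, which is where a 154-event incident comes from. The fix is not a filter on the word UNION: the parameter is converted to the integer it is supposed to be and bound with `?`, so the database never sees attacker text as SQL.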
The reason web application attacks are so relevant right now is because: First bullet point.
Second bullet point: the Yahoo breach started with a WordPress hack, which the attacker used to infiltrate deeper into the infrastructure. Some organizations aren’t even aware that they are running WordPress; it’s so easy to set up that some employees go rogue and do their own thing. Third bullet point.
The attacks we just saw were caught in the early stages, so, thankfully, those customers didn’t have to deal with a potentially larger breach.
Bottom line is, hackers gonna hack, and these attacks are easy to execute. Detecting the threat requires good detection content and the ability to handle the large volume of attacks. Organizations need security professionals who understand these threats and monitor for them 24x7. Hackers don’t take vacation. Hackers gonna hack!