12 days of Hackmas

schadenfreude

• n.Pleasure derived from the misfortunes of others.
• n.Malicious enjoyment derived from observing someone else’s misfortune.
• n.delight in another person’s misfortune

Welcome to the 12 days of Hackmas where we go through 12 of the most surprising, amazing and disturbing Cyber hacks that have ever been pulled off.

Why? Well it’s not all schadenfreude – there’s some great key learnings that you can take away from this list of misfortune and stupidity. Best you don’t find yourself on this list.

Overarching themes

There are some key themes that run across all of these breaches/hacks/attacks (whatever you choose to call them – cyber incidents?) and they are:

• Human error and/or failings
• Lack of software updates
• Backup failure

And that’s it. The second two really fit into human error and/or failings, because humans failed to properly implement or check that these things were being done.

Yep, it’s all our own fault!

Anyhow, let’s dig a little deeper into each of these cyber incidents and see how they unfolded.

(Note: Yeah, yeah, I get that the 12 days of Christmas run from 25 December to 5 January, but how many people will be reading Cybersecurity articles then?!)

First day of Hackmas: The NHS ransomware attack that shook the world

The NHS cyber attack – the biggest randomware offensive in history and the event that brought Cybersecurity to the forefront of everyone’s minds.

This attack impacted a lot of National Health Scheme hospitals in England in May of 2017. And although the NHS was the most talked about victim, the attack actually affected many other countries.

Could this attack have been prevented?

Based on reports, the NHS were notified that they needed to upgrade certain key systems to close a security hole in Windows XP.

“£1.9bn had been set aside for UK cyber-protection – when cyber-attacks were identified as one of three main threats to the UK’s defences.

We’re spending around £50m on the NHS cyber systems to improve their security. We have encouraged NHS trusts across the country to reduce their exposure to the weakest system, the Windows XP.” – English Defence Secretary Michael Fallon

Microsoft stopped supporting Windows XP in 2014, meaning they were no longer rolling out security patches for an Operating System that was a then 15 year old system.

The Guardian reported that 90% of NHS trusts were using Windows XP at the time of the attack. Get your head around that! 90% of the NHS hospital system, that included life saving equipment, was running on obsolete computer systems that were not supported and obviously vulnerable to attack.

Globally, more than 300,000 computers were infected with the “WannaCry” ransomware and in Britain it was the NHS that was the worst hit.

Staff at these health service organisations were forced to revert to pen and paper, and use their own private computers and mobile phones – as the attack affected their telephone systems as well.

Patients were turned away from hospitals and doctor’s surgeries in parts of England as the organisations were left to deal with the ransomware which encrypted data on their computers and demanded payments of $300 to $600 to restore data.

How could this have been prevented?

1. Don’t use obsolete equipment (Microsoft subsequently rolled out a patch for the old Operating System)
2. Backup your data and get a Disaster Recovery Plan (ransomware is ineffective if you can simply restore your files from a recent backup)

Second day of Hackmas: Casino gets hacked via a fish tank

Probably my favourite hack of all time is the Casino that lost its high roller database after its fishtank got hacked.

In the end the attack was just like any other – find a vulnerability in the network and exploit it but the exposed piece of infrastructure was not the usual.

You see, the fish tank in question had a thermostat and sensors that was connected to the internet, presumably so that it could be controlled and maintained from someone’s smartphone app.

And this is the problem with Internet of Things (IoT) devices: they aren’t built with security in mind. They’re often cheaply produced products that have “cool features” that can only be updated via an app.

These apps come shipped with default usernames and passwords (usually the username is admin and the password is… admin) that people don’t change. There’s no incentive to change the password because once you’ve connected to the fish tank (or whatever it is you’ve just purchased) you’re more concerned with playing with the settings than you are about having to remember yet another password.

What did the attackers walk away with? 10GB of data on the Casino’s high roller database.

How could this have been prevented?

1. Did the fish tank need to be connected to the internet???
2. Setup a guest network that is isolated from your corporate network
3. Change the default password
4. Install any available software updates

Third day of Hackmas: Operation Cupcake

Hacks are typically pulled off by two types of people or groups:

• Professional attackers who are motivated by monetary gain
• Adolescents looking for a rush

Operation Cupcake falls into the latter when in 2011 the British Intelligence service MI6 went on the hunt to hack a radical Muslim preacher.

The preacher operated an online magazine that pushed radicalised beliefs and even more worryingly, instructions on how to manufacture pipe bombs in your own kitchen.

The document that MI6 were looking to target was titled “Make a bomb in the kitchen of your mom” and what they did next was both important and amusing.

MI6 allowed the recipe book to remain on the site for distribution, but instead of the book containing bomb making instructions it was changed to recipes to make cupcakes.

Could this have been prevented?

Probably, but I’m glad it wasn’t.

Fourth day of Hackmas: Stuxnet – the virus that didn’t do anything (to computers)

I like this virus because of the incredible story that’s behind it. The fact that it didn’t harm computers is also a good one.

And it contained a little bit of humour just to mess with the end targets.

This one plays out like a spy movie.

In 2010 a worm (type of computer virus) was discovered that didn’t appear to much more than propagate across the internet.

Initial investigations of the worm found that it had genuine digital certificates (that guarantee whether a file is trustworthy or not) from recognised companies and it appeared to be well developed and had a direct objective. Meaning that the worm was able to determine its target, but if it didn’t find its target it just moved on.

Once the worm infected a machine it went about checking the computer for necessary parameters. If it finds the right parameters then it moves onto its next phase.

The difference with Stuxnet is that it was designed not to harm digital systems; it was designed to harm physical equipment. In this case, a specific type of centrifuge found only in Nuclear facilities.

Yep – Stuxnet was designed to cause specific models of centrifuges to stop working. And only a limited number of these models were in use around the world – mostly in Iran.

In the end it took out a quarter of Iran’s centrifuges.

Could this have been prevented?

Doubtful.

Fifth day of Hackmas: the 102nd caller will win a Porsche

We’re heading back a long way now to 1995, when a young main in Los Angeles was very keen to win a a Porsche 944!

The radio station LA KIIS FM was running a competition where the 102nd caller into the show would win this Porsche.

The young man assured his success by taking control of the radio station’s phone network and blocked incoming calls to the radio station!

The FBI were onto him though and he ended up spending 5 years in prison for the breach. The details of how he pulled off the breach are not fully known, however it’s fair to say that in 1995 there were some gaping holes in many systems security.

Could this have been prevented?

Surely – who knows the exact way the hack was pulled off, but it would’ve been some form of lax security.

Sixth day of Hackmas: The day the internet nearly fell over

It’s a little known fact that the internet is basically held together by 13 servers. These servers are known as the “Domain Name System Root Servers”. The DNS root servers essentially provide the roadmap for almost all internet communications.

Now these servers are more accurately “clusters” of servers and there’s some technical reasons/constraints as to why 13 was the number chosen. Read about that here if you’re super interested. Here’s a snippet of that information…

In IPv4 in widespread use today, the DNS data that fits inside a single packet is as small as 512 bytes after subtracting the other protocol supporting the information contained in packets. Each IPv4 address requires 32 bytes. Accordingly, the designers of DNS chose 13 as the number of root servers for IPv4, taking 416 bytes of a packet and leaving up to 96 bytes for other supporting data and the flexibility to add a few more DNS root servers in the future if needed.

#verynerdy

Anyhow back to the hack. In 2002 an hour-long attack was aimed at these 13 root servers. The length of the attack might not seem like long, however it was the scale of the attack that was most breathtaking.

A Distributed Denial of Service (DDOS) attack was used on this occasion, which aims to overwhelm networks with an onslaught of data to the point that the target system can no longer cope.

An hour of this type of attack was built into the tolerance levels of the sophisticated and highly resilient design of the server clusters, however it was noted at the time that the whole system was not far off reaching its limits. If these limits had been reached, delays and failed connections would have started to be seen – and finally a total internet black out would have fallen over.

As it turns out, only four or five of the thirteen servers were able to withstand the attack. The attack was against all 13 root servers which is a rare and coordinated attack.

How the complex system of servers works:

The root servers, about 10 of which are located in the United States, serve as a sort of master directory for the Internet.

The Domain Name System (DNS), which converts complex Internet protocol addressing codes into the words and names that form e-mail and Web addresses, relies on the servers to tell computers around the world how to reach key Internet domains.

At the top of the root server hierarchy is the “A” root server, which every 12 hours generates a critical file that tells the other 12 servers what Internet domains exist and where they can be found.

Could this have been prevented?

It was! Even in the early stages of the internet, these systems (largely located only in the USA) were extremely well thought out. Huge amounts of redundancy and planning were put into this – and this type of attack was anticipated.

Seventh day of Hackmas: Winter came to HBO

HBO is a premium television network in the US and in 2017 suffered a massive data breach that reportedly exposed 1.5 terabytes (i.e. lots) of data. The breach was discovered after the hacker group named “little.finger66” used a sophisticated cyberattack to gain access to the HBO network.

“Hi to all mankind,” the hackers said in emails to media outlets, including the Los Angeles Times. “The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones!!!!!! You are lucky to be the first pioneers to witness and download the leak.  Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling.”

What exactly was taken?

Beyond the already released (at that time) episodes of the hugely popular Game of Thrones, it was unclear if the claim of 1.5 terabytes of data was accurate. The concern beyond the unreleased episodes, however, was the major concern that the hackers now had access to company financial documents, employee emails and personal information about its employees and customers.

The Sony hack in 2014, whilst smaller in data size, contained a number of very controversial pieces of information – including the pay gap between Jennifer Lawrence and her male co-stars in the movie American Hustle.

What’s the suspected cause?

One of the following is true, however it’s never been publicly confirmed by HBO.

1. HBO was running old and outdated systems that were easily compromised. Netflix lost 10 episodes from Orange is the New Black due to the same vulnerability.
2. A company executive was targeted in a spearphising campaign. It’s not unbelievable to understand that if an exec were to request administrative credentials from fearful systems administrator, those credentials would be handed over without question.

Could this have been prevented?

Both of those scenarios can be prevented.

1. Update old systems and make sure your current systems are patched for the latest security updates
2. Educate your staff! Build a company culture where a subordinate feels comfortable to ask a superior to confirm that they really need those logon credentials

Eighth day of Hackmas: The Aussie unicorn is breached

Canva is one of Australia’s biggest software companies and is a heralded “tech unicorn” due to its $1B+ valuation. It is an online service that can be used to design and create content, logos, or other marketing collateral.

The breach saw the data of 139 million users such as usernames, names, email addresses, country and user-supplied data about their location being compromised.

The passwords were stored in a “hash” (think of it like encryption, kind of) and for some accounts that linked their Google accounts to Canva to login, those oAuth tokens were compromised.

Partial credit card information was also compromised, however Canva confirmed that they couldn’t be used for payments.

The size of the breach (which Canva’s security team detected mid-way through and stopped the full download) was roughly 139 million user details and password hashes for 61 million users.

The good news is that Canva did take considerable efforts to circumvent such an attack, and whilst the unencrypted data that was exposed is of value, the passwords and oAuth tokens were encrypted and importantly – stored in an another location.

Canva also advised all users to change their passwords (despite assuring everyone that their password was safe). It is another friendly remind as to why you should have a different password for each of your online accounts.

Could this have been prevented?

This one is all about the response which was widely critised but fundamentally was pretty sound. Canva offered clients a year of 1Password (a Password Management tool). Canva provided a blog update to their user base explaining what the breach meant and how users could better protect themselves in the future.

Ninth day of Hackmas: the US phone system is hacked by a blind boy whistling that leads to Apple being founded

Remember the old phone dial tone? Phone systems in the early days (1950’s) were based on automatic switches triggered by tones. There were several tones and frequencies used to determine when a call was over.

In 1957, a young blind boy was lonely and isolated until his mother introduced him to the telephone. He became obsessed with the phone system as it for once allowed him to interact with others with prejudice. He could talk and sing and he would later go on to setup a phone messaging system that played recordings of his stories.

Whilst he didn’t know it at the time, he had a genius IQ of 172 and was pitch perfect. He spent hours playing with the phones and eventually worked out that if he whistled into the phone at a particular pitch, the phone system would register that as a finished call and stop charging. He was then free to make as many free long distance calls as he liked.

Once he went to college he became one of the most popular kids on campus, as he started to charge $1 to unlock phones for long distance phone calls. Eventually he was caught after his super powers made the news and the authorities were alerted.

Little did he know that there was a generation of “phone phreaks” (as they called themselves) who were producing hardware versions of his whistle known as “blue boxes”. In 1971 Esquire Magazine ran an article on the young man “Secrets of the Little Blue Box” that made Joe Engressia (or Joybubbles as he later changed his name to) an icon.

This article inspired a young Steve Wozniak to call his friend, Steve Jobs, and begin reading him passages. Jobs and Wozniak became obsessed with blue boxes and within five years they had founded Apple.

Engressia’s superpowers came to a close in 1991 when the analogue phone network was replaced with the digital one that’s still largely in place today. To continue connecting, Joybubbles (as he was known as by then) placed adverts in newspapers and magazines around the world so he could talk to anyone who called. Here’s a video of Joybubbles talking to people from Australia.

Could this have been prevented?

Don’t be heartless. It’s Christmas.

Tenth day of Hackmas: The great pokies hack that the courts believed was “a lucky streak”

In a similar story to the Ninth Day of Hackmas, two gamblers (John Kane and Andre Nestor) found a bug in a poker machine in Las Vegas.

Exploiting the bug enabled them to win half a million dollars. Kane had heard about a firmware bug with the poker machines that let him play a prior winning hand again – but this time at over ten times the original value!

The casino had the pair arrested over their claim of suspicious play. They were ultimately sued for hacking and their lawyer argued

“All these guys did is simply push a sequence of buttons that they were legally entitled to push.”

They won the case.

The pair were originally charged with “computer and wire fraud” in January of 2011 with federal prosecutors alleging that the bug in the firmware had to be activated. The activation process was a complex system of pressing buttons which they argued, was a form of hacking.

But the men’s defence argued that both the men pressed buttons on the face of the machine that they were legally allowed to press and nothing more. Therefore they were playing by the rules presented to them and it could therefore be put down to a “lucky streak” (source).

Could this have been prevented?

Always, always update your software and firmware when vendors suggest you do.

Bugs are in all types of systems. Check out this 2019 urgent patch release from HP. For whatever reason, these Solid State Drives (SSD hard drives) will stop operating after 32,768 hours of operation (3 years, 270 days, and 8 hours). Why? Some bad code was found on the drive firmware that meant that after this period of time the drives would permanently fail.

How many systems admins will see this warning and update the firmware? I guess we’ll find out in 2021 when these drives start failing…

Eleventh day of Hackmas: The great Blood Breach

In 2016 one of the most personal data breaches in Australian history occurred: the personal data of 550,000 blood donors was leaked. It included all kinds of information including identifying information such as names, genders, addresses and dates of birth.

This breach could have been severely damaging if not for a few people who acted ethically. Independent security expert, Troy Hunt, was contacted on Twitter by anonymous user claiming to have personal details of Troy and his wife.

Troy said that he, nor the Red Cross, was never threatened – which is a welcome relief in this day and age of digital crime. Troy contacted AusCert (a cyber emergency response team) who then notified the Red Cross of the breach.

Mr Hunt said the breached data contained answers to a number of true-false donor eligibility questions, including one that asked donors whether they had engaged in “at-risk sexual behaviour” in the previous 12 months.

“Both the questions and answers mapped to the individuals were part of the dataset. That would be one of the most sensitive things in the breach, especially if you answered in the affirmative,” Troy Hunt said.

To the Red Cross’ credit, they were very forthcoming with details on the data breach and continue to provide information about how they handle private information.

Could this have been prevented?

The breach occurred because a third party contractor took a copy of the database and left it on an unsecured public web server that anyone could find. Sound familiar? Yep, that’s exactly how Uber’s customer database was breached in 2016.

However in the case of Uber, they were widely criticised due to their response. The Red Cross on the other hand handled the breach as well as could have been anticipated.

Twelfth day of Hackmas: The day 40 million credit card details were stolen via a company’s Air Conditioning unit

Up until 2013, Fazio Mechanical Services was a relatively unknown refrigeration and HVAC system provider. Little did anyone know that by hacking Fazio attackers would gain access to Target’s Point of Sale system.

And all it took was 11 steps.

Step 1 – Steal Credentials

In order to target Target, the attackers needed a doorway. Fazio supplied Air Conditioning units to Target and these units were connected into the main Target network.

Stealing the credentials was relatively simple: Malware (in this case Citadel) was installed into the Fazio network via an email phishing campaign.

Yep. Just send an email and people will click on it.

Step 2 – Connect in using the stolen credentials

The credentials stolen from Fazio granted the attackers access into Target-hosted web services which were dedicated to their vendors.

“[Fazio] does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target. Our data connection with Target was exclusively for electronic billing, contract submission and project management.”

Fazio Mechanical Services President and Owner Ross Fazio

The web application used by Fazio was very limited and despite the fact that attackers now had access to an internal web application hosted on the Target network, they would have been unable to execute any commands. Without the ability to execute commands the attackers really couldn’t do much (except perhaps muck around with the temperature).

Step 3: Exploit a web application vulnerability

As per usual, the web application in use had a vulnerability and the attackers only needed to find it. The attackers worked out that the Windows system in use had no usable vulnerabilities, but the PHP component did.

“This file suggests that the attackers were able to upload a PHP file by leveraging a vulnerability within the web application,” An Aorato report concludes. “The reason is that it is likely the web application has an upload functionality meant to upload legitimate documents (say, invoices). But as often happens in web applications, no security checks were performed in order to ensure that executable files are not uploaded.”

The malicious code was probably some kind of “web shell” which is a web-based backdoor. This backdoor would have allowed the attackers to upload files and execute commands as they pleased.

Many of the exploits used by the attackers were hidden in plain sight, most likely because they knew that this particular attack would be a once off. Therefore the attackers wouldn’t have wanted to invest too much time and infrastructure hiding their tracks.

Step 4 – Find the right targets

Now that the attackers were in they had to perform some reconnaissance. They could run commands within the network but they needed to know more about the internal network structure of Target’s network: i.e. they needed to find where Target stored customer information including credit card information.

They used a simple query on Target’s Active Directory to narrow down their search to the core database servers.

Step 5 – Obtain administrative access

Here the attackers needed to move quickly. They used a hacking technique called “pass-the-hash” that allowed the attackers to impersonate an Administrator – which would last only as long until the actual Administrator changed their password.

Step 6 – Create a new administrator account

In order to evade detection, the attackers then needed to setup their own administrator account which would allow them remote access.

The stolen credentials from Step 5 would have allowed them to create a new administrative account – which they did. They called this user “best1_user” which is the same username used by BMC’s Bladelogic Server Automation product.

This is obviously abnormal behaviour within a network and if Target admins had been notified they could have shutdown the hack at this point.

Step 7 – Hit the target computers

With their new administrative credentials, the attackers could now proceed to go after their targets. They first needed to bypass firewalls and other network-based security solutions that limit direct access to targets. They also should block the running of processes remotely on machines.

The attackers ended up using hacking tools to jump via various servers that were not tuned to look for suspicious behaviour until they landed on their target machines.

Ultimately the tools the attackers used needed the administrator account to run, so if the Target admins had been looking they could have shut the attack down.

Step 8: Steal the data… but there was a hiccup

The attackers at this point would have searched through the key databases looking for Personal Identifiable Information (PII). However because Target was PCI compliant, the database servers didn’t store any credit card information.

The attackers were able to steal the PII of 70 million Target customers, but not the credit card information that they came for.

Step 9: Plan B – attack the POS machines

The attackers had probably assumed that they would have all of the credit card information by Step 8, so hitting the POS machines was probably not the initial target of the attackers. The POS machine attack would have been a contingency.

Using the intelligence they had gathered during the previous steps, the attackers installed their malware onto the POS machines. The malware (named Kaptoxa) scanned the memory of infected machines and saved the credit card details.

Reports suggest that this was the only step that required custom-made malware rather than common, legal, IT tools.

At this point no level of Antivirus would have helped.

Step 10: Get the data out of the POS machines

The malware sent data to an internal file share using a windows command and their administrative account. It would periodically send data out using this method.

Step 11: Get the data out of the network

Again using the Target administration account, the attackers could then send the data out of the Target network undetected.

Could this have been prevented?

There’s a number of ways and points in this whole hack that could have prevented this breach.

1. Educate staff not to click on stuff (step 1)
2. Patch systems (step 3)
3. Looking for abnormal behaviour (step 4 would have increased server usage to abnormal levels)
4. Looking for abnormal behaviour (step 6 should have triggered an alarm for sensitive user creation and abnormal user behaviour)
5. Looking for abnormal behaviour (step 7 should have triggered an alarm for remote code execution)
6. Looking for abnormal behaviour (step 10 should have triggered an alarm for sensitive user creation and abnormal user behaviour)

Conclusion of the 12 days of Hackmas

I hope that you found some of these stories both entertaining and informative.

If you need help navigating your way to better Cyber Resilience, post a comment below or check out our Cybersecurity Blog here.