Infiltrated dot Net

APT - The Butler In China Did It
Written by Jesus Oquendo

Some companies do the darndest things to minimize, or outright not report, incidents of being compromised. It most certainly is beneficial to them to do so, as stakeholders and customers would cringe at the thought of having their information disclosed and assets wiped out. In some instances this would lead to something similar to a bank run. Translation: big losses.


While many companies are mandated by certain regulatory guidelines to disclose a compromise [1], there are no statistics that I am aware of that illustrate whether companies are, or are not, reporting compromises. It is pretty much a guessing game.

We could browse the financial records at the end of the year and check for losses, but fuzzy math dictates that creative accounting can do away with any trace of a compromise. At the same time, it can lead to a “gotcha” [2], where a company didn’t publicly disclose a compromise and was likely hoping no one checked its filings.

Recently, a couple of servers I maintain were undergoing an attack from a company. The company in question was Philips, and the attack was coming from an IP block they were using in China. The attack was targeting different managed VoIP servers for different clients of mine, and it was consistent with other instances of toll fraud. In these attacks, a rogue attacker tries to enumerate users, and then tries to brute force a password in an effort to place calls. Those calls often run into the tens of thousands of dollars in a short time frame.

Aside from the attack coming from Philips Electronics, what made me shake my head was that I am positive that whoever was behind the attack was not an employee at Philips. My investigative - slash - forensic analysis intuition led me to believe that someone had compromised a machine at Philips, and was using that compromised machine to attack the PBX I managed. Nothing more, and nothing less.

This intuition stemmed from the fact that the attacker had the same MO time and time again. The tools used in their attacks matched other attacks I had seen, the accounts they were attacking were the same, and the timing and fingerprinting information associated with the attacks were the same.
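To make the "same MO, different source IP" reasoning from the two paragraphs above concrete, here is an added example (not the author's tooling, and not the author's logs). It parses constructed Asterisk 1.8-style chan_sip registration-failure lines, builds a per-source profile (which extensions were probed, which ones exist because the PBX answered "Wrong password" instead of "No matching peer found", and the cadence between attempts), and then compares profiles so that two incidents from different addresses can be matched on target list and timing rather than on where the IP geolocates. The timestamps, extensions and addresses (RFC 5737 documentation ranges) are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log (not real traffic). Three sources hit the same PBX
# (203.0.113.5). The first two share a target list and a 2-second cadence;
# the third sprays random extensions at a different rate.
SAMPLE_LOG = """\
[2011-06-03 03:12:44] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2011-06-03 03:12:46] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2011-06-03 03:12:48] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-06-03 03:12:50] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-06-03 03:12:52] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-06-17 22:40:10] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.88:5060' - No matching peer found
[2011-06-17 22:40:12] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.88:5060' - No matching peer found
[2011-06-17 22:40:14] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.88:5060' - Wrong password
[2011-06-17 22:40:16] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.88:5060' - Wrong password
[2011-06-17 22:40:18] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.5>' failed for '198.51.100.88:5060' - Wrong password
[2011-06-20 11:05:01] NOTICE[1234] chan_sip.c: Registration from '"5551" <sip:5551@203.0.113.5>' failed for '192.0.2.77:5060' - No matching peer found
[2011-06-20 11:05:01] NOTICE[1234] chan_sip.c: Registration from '"7730" <sip:7730@203.0.113.5>' failed for '192.0.2.77:5060' - No matching peer found
[2011-06-20 11:05:02] NOTICE[1234] chan_sip.c: Registration from '"2209" <sip:2209@203.0.113.5>' failed for '192.0.2.77:5060' - No matching peer found
[2011-06-20 11:05:02] NOTICE[1234] chan_sip.c: Registration from '"8841" <sip:8841@203.0.113.5>' failed for '192.0.2.77:5060' - No matching peer found
[2011-06-20 11:05:03] NOTICE[1234] chan_sip.c: Registration from '"3306" <sip:3306@203.0.113.5>' failed for '192.0.2.77:5060' - No matching peer found
"""

# Asterisk 1.8 chan_sip wording: "No matching peer found" = the extension does
# not exist (enumeration); "Wrong password" = it exists and is being guessed.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>]+)@")


def profile(log_text):
    """Return {source_ip: profile} where a profile records the probed
    extensions, the ones confirmed to exist, attempt count and mean gap (s)."""
    raw = defaultdict(lambda: {"probed": set(), "existing": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ext_m = EXT_RE.search(m["from"])
        ext = ext_m.group(1) if ext_m else "?"
        p = raw[m["src"]]
        p["probed"].add(ext)
        if m["reason"] == "Wrong password":
            p["existing"].add(ext)
        p["times"].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    out = {}
    for src, p in raw.items():
        t = sorted(p["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        out[src] = {
            "probed": frozenset(p["probed"]),
            "existing": frozenset(p["existing"]),
            "attempts": len(t),
            "mean_gap": mean(gaps) if gaps else None,
        }
    return out


def same_mo(a, b, gap_tolerance=0.5, min_overlap=0.8):
    """Judge whether two profiles look like the same tool/operator: a high
    Jaccard overlap of target extensions plus a comparable cadence. The source
    IP is deliberately not an input; it tells you where, not who."""
    overlap = len(a["probed"] & b["probed"]) / len(a["probed"] | b["probed"])
    if a["mean_gap"] is None or b["mean_gap"] is None:
        return overlap >= min_overlap
    return overlap >= min_overlap and abs(a["mean_gap"] - b["mean_gap"]) <= gap_tolerance


def acl_rule(src):
    """The kind of ACL one fires off to stop the bleeding while attribution
    is still open. Hypothetical example rule, not the author's."""
    return f"iptables -I INPUT -s {src} -p udp --dport 5060 -j DROP"


if __name__ == "__main__":
    profiles = profile(SAMPLE_LOG)
    srcs = list(profiles)
    for src in srcs:
        print(src, profiles[src], acl_rule(src))
    for i, x in enumerate(srcs):
        for y in srcs[i + 1:]:
            print(f"{x} vs {y}: same MO = {same_mo(profiles[x], profiles[y])}")
```

Run against the sample, the two June incidents match each other (same target list, same 2-second cadence) while the third does not, which is the shape of evidence the author is describing: the operator behind 198.51.100.23 and 198.51.100.88 is plausibly the same even though nothing about either address says so. The "existing" set is also what a defender should act on first, because those are the accounts an attacker has confirmed and will keep guessing.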

While doing the forensics and incident response analysis, I wondered, “how many individuals in the security arena would see this same attack and simply attribute it to Philips, or even better, China?” After all, the IP space where the attack originated was in China, therefore it obviously was an Advanced Persistent Threat attacking my servers. This level of thinking is what now leads the charge when it comes to (so-called) security pros labeling everything under the sun an APT.

Vincent Liu described it best when he stated something to the tune of: “Forensics experts are happy at finding lost keys. Case closed, no need to look further, we got what we wanted.” Who do I blame for this glaring problem in incident response, forensics and the security arena? Mainly the analysts.

In the analysts’ goal to reach the top of the security food chain: "Hey, look at my interesting article I wrote on my blog" (this includes me), they overlook far too much. This in turn trickles out to the media, who understand things even less than the analysts. And by the end of this type of document, I would not be surprised if someone links to it with a headline similar to: "Philips launching large scale espionage."

Sadly, when the attack was occurring, I tried contacting someone at Philips. I tried the networking lists [3], and I also tried connecting to someone directly via LinkedIn. I have omitted that person’s name:

xxxxx,

You are connected to someone named Caļus O. (Sr.Dir. Corporate Mergers & Acquisitions at Philips). I'd like to get a message to him but I am not directly connected to him.

I have about a dozen managed machines which have been attacked by a machine within Philips' network and I am having a difficult time in locating someone on Philips' security team.

Would you be kind enough to forward this message to Caļus as he may be able to connect me directly with someone in the know @ Philips.

I scoured the Internet trying to get hold of someone at Philips to let them know what was occurring. In the end, I just fired off ACLs to stop the attack, but ultimately no one at Philips ever returned my e-mail, and after about three months the attacks from their network stopped.

At no point in time have I heard news of Philips being compromised, which leads me to believe one of the following: they purposefully did not report it; the administrators or engineers kept it under wraps and Philips’ management team was unaware; or perhaps there was someone at Philips attacking other machines while working at that location. I am inclined to believe that the administrators cleaned up the machine. If so, we need not look far to see the company’s failures concerning policy, separation of duties, management’s guidance and so forth.

With that said, I can tell you that I often see many compromises coming from quite a few companies. Those companies are likely infected to some degree, and I don't think that the hired professionals in those corporations have an inkling of an idea about incident response, forensics and/or attribution. Yet some of the "pros" who do have a slightly higher inkling would be the first to fire off on their blogs: "APT - the butler in China did it." They fire off quick snippets of what they see without truly analyzing the entirety of the situation. Why is this?

Many engineers, programmers and academics are quick to fire off an assessment knowing full well that the information they are presenting is slanted. Once this cat is out of the bag, the media then re-shapes this information into a package of good old fashioned “Sky is Falling” propaganda. That in turn gets absorbed by politicians making decisions that have little rhyme or reason. This is the failure of “cybersecurity” and the whole theme of APT: how exactly did you come to this conclusion?

APT: an over-abused term coined by someone in a position to capitalize on the unknown. Everyone should be aware of attackers as a whole, whether they come from China, Russia, Japan, or even here in the United States, where I am currently typing this. Why are security “pros” so fixated on trying to finger a country based on an IP address? I just don’t get it and never will.

Sources:

[1] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
[2] http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
[3] http://seclists.org/nanog/2011/Jun/6