On February 28th, 2017 the US Department of Justice indicted a notorious hacker, Alexsey Belan, and his FSB (Russia’s internal security service) handlers for a massive hacking spree that compromised Yahoo and used that access to attack many additional targets. In response to the indictment, Chris McNab wrote an essential guide to the tactics, techniques and procedures (TTPs) used by Alexsey Belan that he and his colleagues observed in their incident response work.
As with our previous work on the GRU, FIN7, and North Korean indictments, we’ve used the Mitre ATT&CK™ framework to play back the findings from the indictment. In future blogs in this series, we’ll continue to use ATT&CK to map some of the biggest cyber indictments to come out in the last few years. We’ll also end with a review of the most common TTPs used by these attackers and top mitigation tips for defending against them. One key difference is that this blog details more attacker activity in production service environments rather than attacks against user endpoints in corporate environments.
The indictment names Yahoo as the chief target for Alexsey and his FSB handlers (we use “Alexsey” and “attackers” interchangeably throughout this blog post). As one of the world’s most popular email services, Yahoo held the email accounts for several FSB targets, namely, “email accounts of Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of U.S., Russian, and other foreign webmail and internet-related service providers whose networks the conspirators sought to further exploit”. As well as this, “the conspirators sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm; a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline”. Yahoo was targeted due to the data that they held, rather than being the end goal for the attackers. Organizations should consider how their data or access could be used by attackers against other targets.
Note: the numbered “Stages” below reflect the ATT&CK framework ordering
Stage 0 – PRE-ATT&CK
Technical Information Gathering
- Acquire OSINT data sets and information
Technical Weakness Identification
- Analyze application security posture; Analyze data collected; Identify vulnerabilities in third-party software libraries; Research relevant vulnerabilities/CVEs
Alexsey used Google searches to identify web servers associated with target companies. Once he discovered some web servers, he would profile them to look for weaknesses. Additionally, he used LinkedIn to research employees working for target companies and discovered personal websites run by those employees that he then exploited to gain initial access.
People Information Gathering
- Analyze social and business relationships, interests, and affiliations
While not directly related to the breach of Yahoo, the attackers used their access to Yahoo to develop their targeting options. The indictment states: “The conspirators frequently sought unauthorized access to the email accounts of close associates of their intended victims, including spouses and children, to gain additional information about and belonging to their intended victims”.
DS Mitigation advice: Awareness of an organization’s security posture at the perimeter and beyond is critical for understanding where attackers might begin targeting an organization. Employees need to be informed that their personal assets such as email accounts or Internet-connected devices may well be targets for attackers looking to then pivot up into corporate or other environments.
Stage 1 – Initial Access
ATT&CK TTP: Exploit Public-Facing Application (T1190)
Chris McNab observed that Alexsey used a known bug in WordPress, specifically CVE-2011-4106, for which there was a publicly available exploit to gain access to a server in the marketing department of a company he targeted. Most likely this server was not considered to be a high value asset but was a crucial foothold for the attack. In the case of the employee’s personal website, Alexsey exploited a custom file upload flaw (likely Local File Inclusion or Remote File Inclusion) to gain access to the environment.
DS Mitigation advice: Publicly available exploits represent a very high risk to an organization running vulnerable software that is Internet-facing. This is because the capability is now available to any interested attackers. It is recommended that patches for publicly available exploits should be prioritized. In the cases where patching is not feasible, additional compensating controls such as access control lists or firewalling should be applied to mitigate the risk. Employee’s personal systems should not contain any corporate credentials.
ATT&CK TTP: Spearphishing attachment (T1193), Spearphishing Link (T1192)
The indictment states that: “Spear phishing messages typically were designed to resemble emails from trustworthy senders, and to encourage the recipient to open attached files or click on hyperlinks in the messages”. This is a common technique for attackers. By assuming the identity of a trusted source, they can take advantage of pre-existing trust relationships. This adds legitimacy to their malicious emails and significantly increases their chances of successfully phishing their victim. Alongside spearphishing with attachments, the attackers also sent “Other spear phishing emails[that] lured the recipient into providing valid login credentials to his or her account(s), thereby allowing the defendants to bypass normal authentication procedures”.
DS Mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. Employees need to be made aware that even emails from trusted sources should be treated as untrusted and caution is needed when opening attachments. Additional controls can be used to transform risky attachments to safer file formats. Black lists for web traffic can be used to detect and block known malicious URLs if they happen to be opened.
Stage 3 – Persistence
ATT&CK TTP: Web Shell (T1100)
An innovative TTP used by the attackers was to compromise Internet-facing source control systems using recovered credentials and to use that access to commit a JSP (Java Server Page) web shell, which gives the attackers control of the web server, to the production code base. Due to how the code deployment process was constructed, the attackers were able to self-approve the code commit and therefore the web shell was deployed into production. Chris McNab details this process in the “Lack of 2FA + The Cloud =” section of the Medium article.
DS mitigation advice: An effective code review process is essential for security as well as general code quality. Requiring a “four-eyes” process where multiple code reviewers are mandated can mitigate the risk associated with developers wittingly or unwittingly self-approving code changes. Code reviewers need to look for security issues as well as concerns relating to performance, stability, correctness, etc.
Stage 4 – Privilege Escalation
ATT&CK TTP: Exploitation for Privilege Escalation (T1068)
Once Alexsey gained unprivileged access to a Linux environment, he would use a publicly available exploit (CVE-2010-3856) for the Linux kernel to gain privileged access, that is, root user access. This process is described in the “Use of LinkedIn to Target Peripheral Systems” section of the Medium article.
DS Mitigation Advice: As with gaining initial access, publicly available exploits are one of the highest risks for organizations. With privilege escalation exploits in the kernel (affecting any operating system), the affected machine must be rebooted after patching for the patch to be applied. The use of a patch management solution can help to keep an environment patched to an appropriate level.
Stage 5 – Defense Evasion
ATT&CK TTPs: Clear Command History (T1146)
The indictment states: “BELAN downloaded to Yahoo’s network from the BELAN Computer a program known as a “log cleaner.” This program sought to remove traces of the intrusion from Yahoo’s records (logs) of network activity, to make the conspirators more difficult to track”.
DS Mitigation advice: Attempts to modify system logs, such as the Event ID 1102 on Windows, should be logged wherever possible. Centralized logging where logs, such as syslog, are automatically forwarded to central location can mitigate an attacker attempting to alter the logs on a local system.
Stage 6 – Credential Access
ATT&CK TTPs: Exploitation for Credential Access (T1212), Hooking (T1179), Credentials in Files (T1081), Private Keys (T1145)
Once Alexsey had elevated his privileges to be root on a Linux system, he would grab the password hashes from the /etc/shadow file, which is where Linux stores the hashes for its user accounts. Alexsey would also backdoor the authentication system, most likely to log cleartext credentials for when users logged into the system.
Alexsey also used non-technical means to uncover credentials for a particular environment. Specifically, he accessed internal resources like wikis, ticketing, bug tracking, and version control systems in order to steal credentials for VPNs and cryptographic material that was used for further exploitation. The Medium article section “Technical Details” describes this attack.
An effective technique used by the attackers to gain access to inboxes of targets was to use cookie “minting”, specifically, “the conspirators engaged in the manual creation of account authentication “cookies” known as “minting,” to gain unauthorized access to victim webmail accounts”. Effectively the attackers were creating fraudulent session cookies and using them to gain access to the target inboxes. As session cookies are typically created after the authentication process had succeeded, this approach had the benefit of bypassing any two factor authentication (2FA) used by the targets. This cookie minting approach was a significant component of the attackers’ post-exploitation activities and one of the main ways that they made use of their access to the Yahoo environment.
The attackers also discovered that the same cookies created in the staging environment were also valid in the production environment. This reflects a standard attacker approach of looking for the less well-protected systems that which are easier to compromise instead of starting with the most hardened and protected systems.
DS Mitigation advice: Storing directly reusable credentials in wikis and other information systems is not advised. Usage of a password manager for secure password storage and sharing is recommended. Logging user logins to accounts on customer-facing services is essential for detecting anomalous behavior. Corporate VPNs should use strong 2FA solutions such as TOTP or U2F for the second factor rather than relying on information which can be stolen from inside of the corporate environment. Cryptographic material needs to be separated between production and staging environments.
Stage 7 – Discovery
ATT&CK TTP: Network Service Scanning (T1046), Remote System Discovery (T1018)
Once Alexsey gained access to an environment he used the well-known and powerful nmap tool to enumerate the machines on the internal network. This is standard technique to discover internal resources and this was part of the approach that Alexsey used to find the corporate wiki and other systems. The Medium article describes this process in the “Technical Details” section.
DS Mitigation advice: Network segmentation can be used to limit which systems an attacker can interrogate after a successful compromise. This can be achieved with host and network firewalls and/or VLANs (Virtual Local Area Networks). While internal IDS (Intrusion Detection System) systems can detect nmap and other scans, there are standard evasion techniques used by attackers – for example, slowing the scan down to the extent that it becomes difficult to differentiate from legitimate traffic.
Stage 9 – Collection
ATT&CK TTP: Data from Local System, Data from Network Shared Drive, Data Staged, Data from Information Repositories
According to the indictment, the attackers stole a copy of the Yahoo User Database (UDB): “The UDB was, and contained, proprietary and confidential Yahoo technology and information, including, among other data, subscriber information, such as: account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account”. This UDB was then used to:
- target users on other web platforms by stealing passwords and analyzing the security questions
- steal financial information by searching for CVV codes
- steal gift card information
DS mitigation advice: Monitoring account activity, including admin accounts, is important for uncovering anomalous and/or malicious behavior.
Alexsey and his FSB handlers represent a class of motivated and capable attackers. They were comfortable using existing attack tools but were also capable of discovering their own flaws where required. They were also skilled enough to identify that cookies minted in the staging environment worked in production and how this could be taken advantage of. The attackers showed tactical flexibility and intent, which was a dangerous combination.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.