
A Story of Cyber Attack and Incident Response

HAPPY FRIDAY AFTERNOON TURNED INTO RUSH HOUR

It was a Friday afternoon in June 2015. Office workers were chatting about sports news and that night's happy hour. A sudden phone call changed the mood altogether. A Client was under cyber attack: its website had been defaced by an (in)famous hacking team. The Client's big boss was very worried and needed to know the impact of the attack, the root cause and the prevention measures RIGHT NOW.

The paperwork was done in minutes. The whole consulting team was pulled off going home (or to the pub, for that matter). The team packed tools and laptops into a carrying case in seconds and jumped into a taxi heading for the Client's site downtown. The team finally arrived at the Client's office at 10 pm on Friday.

WHAT HAPPENED

The response team had a kick-off meeting with the Client's representatives. There had been no prior warning from the hacking team, nor any blackmail message. The Client had learned of the defacement from its own customers on Friday morning, when they tried to log in for online securities trading.

The IT staff member handed the response team some server logs. He suspected the attack had been carried out through an FTP account take-over, because he had seen repeated login attempts in the logs.

The team set up a makeshift incident response centre and collected server logs, memory dumps, Apache logs, and so on. It was 11 pm.

TIMELINE OF INCIDENT - 3 WAVES OF CYBER ATTACKS

For the next 72 hours, including Saturday and Sunday, the whole incident response team worked around the clock. The team's findings for the boss were as follows.

There had been three waves of attack against the Client.

(1) First Attack Attempt – FTP Account Takeover Failed

Timing: two windows, early morning of 2015-06-21 and late evening of 2015-06-25:
2015-06-21 03:34:25 to 03:39:02 and 2015-06-25 23:24:03 to 23:25:50 (note that the second window falls after the defacement described under (3) below).

Attacking IP: xxx.yyy.zz.xx (Jiangsu, China). This may not be the attacker's true origin: an FTP logon attempt needs a completed TCP connection, so the address cannot simply be spoofed, but it may well be a proxy or a compromised host.

Process: A dictionary attack on the FTP account, run by an automated tool judging from the high frequency of logon attempts. The server logs show that the FTP attack was NOT successful.

(2) Second Attack Attempt – Website Backdoor Installation Succeeded

Timing: 2015-06-25 08:14:15 to 08:14:33 (morning)

Attacking IP: xx.yyy.zzzz.xx (L'viv, Ukraine). As with (1), this address may be a proxy or compromised host rather than the attacker's true origin.

Process:
Discovery: Based on the Apache log provided by the Client, the attacker first ran a reconnaissance scan to find out whether the site carried the vulnerable WordPress plugin "revslider". robots.txt was fetched, then /wp-admin/admin-ajax.php, the endpoint through which plugin AJAX actions are reached, was called with a GET and a POST. Parameters carried in a POST body are not written to the access log, so the action invoked cannot be read from these lines:

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:15 +0800] "GET /robots.txt HTTP/1.1" 200 35

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:17 +0800] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 1

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:20 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1

Exploit: The discovery phase was successful and the attacker found revslider on the site. The POST to admin-ajax.php above is consistent with an attempt to upload a file through revslider's update mechanism; the next request checks the temp directory where such an upload would land and gets a 404. The attacker then tried the upload action of a different plugin, WP All Import (the pmxi-admin-settings page and the wpallimport upload directory below belong to that plugin, not to revslider), again naming the file info.php. What the log shows is therefore an attempted PHP file upload, not a theme upload:

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:23 +0800] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/info.php HTTP/1.1" 404 19715

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:26 +0800] "POST /wp-admin/admin-ajax.php?page=pmxi-admin-settings&action=upload&name=info.php HTTP/1.1" 200 1

Take-over: Had the upload succeeded, the attacker would have had a backdoor reachable directly at /wp-content/uploads/wpallimport/uploads/7e5c480be9430902b770248114057520/info.php, giving full control of the site while bypassing WordPress's own access controls. Note that the request for that path below returned 404, as did the earlier revslider probe, so the access log by itself does not show either upload landing. The two POSTs that follow (to / and to wp-login.php) are consistent with a login attempt; WordPress normally answers a successful login with a 302 redirect, whereas a 200 with a full page body is the login form rendered again.

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:28 +0800] "GET /wp-content/uploads/wpallimport/uploads/7e5c480be9430902b770248114057520/info.php HTTP/1.1" 404 19715

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:31 +0800] "POST / HTTP/1.1" 302 -

xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:33 +0800] "POST /wp-login.php HTTP/1.1" 200 3679

(3) Third Attack Attempt – Website Home Page Defacement Succeeded

Timing: 2015-06-25 18:41:33 to 18:42:22 (evening)

Attacking IP: aa.bbb.cc.ddd (Istanbul, Turkey). This one may be the attacker's true origin.

Process:
bariss.php, a PHP web shell whose body was base64-encoded and decoded at run time, was requested and posted to several times within a minute. The alternating GETs and POSTs with varying response sizes are consistent with the attacker operating the shell interactively. The defaced index.php appears to have been written through the shell at 18:42; the final GET / returning a 904-byte body is most likely the attacker checking the result.

Apache Log Extract:
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:33 +0800] "GET /wp-content/themes/leons/bariss.php HTTP/1.1" 200 1343
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:34 +0800] "GET /wp-content/themes/leons/1.jpg HTTP/1.1" 404 19715
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:37 +0800] "GET /favicon.ico HTTP/1.1" 200 -
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:39 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 1136
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:42 +0800] "GET /wp-content/themes/leons/bariss.php HTTP/1.1" 200 52977
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:52 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 35413
aa.bbb.cc.ddd - - [25/Jun/2015:18:42:02 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 7134
aa.bbb.cc.ddd - - [25/Jun/2015:18:42:14 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 35549
aa.bbb.cc.ddd - - [25/Jun/2015:18:42:22 +0800] "GET / HTTP/1.1" 200 904

bariss.php has the following functions:
a) Email Home Function
b) Show / Edit / Download Database Function
c) File Copy / Upload / Download / Rename / Deletion / Permission Setting Function
d) Directory Creation Function
e) Remote Shell Function
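Running the two log extracts above through a small triage script shows how this sequence can be picked out of a full access log. The code below is an added example written for this page, not a tool used by the response team. Its indicator lists (the revslider temp path, the admin-ajax upload action, PHP being fetched from the uploads and themes directories, and POSTs to wp-login.php) are assumptions drawn from the requests shown above, and the sample log lines are the page's own anonymised extracts.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache common/combined log prefix, as in the extracts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators taken from this incident. They are assumptions about what a
# WordPress site should look like, not signatures from any vendor feed.
PROBE_PATHS = ("/wp-content/plugins/revslider/temp/update_extract/",)
UPLOAD_ACTIONS = {"upload"}          # e.g. pmxi-admin-settings&action=upload
WRITABLE_DIRS = ("/wp-content/uploads/", "/wp-content/themes/")

# The page's own anonymised extracts (attack waves 2 and 3).
SAMPLE_LOG = """\
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:15 +0800] "GET /robots.txt HTTP/1.1" 200 35
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:17 +0800] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 1
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:20 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:23 +0800] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/info.php HTTP/1.1" 404 19715
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:26 +0800] "POST /wp-admin/admin-ajax.php?page=pmxi-admin-settings&action=upload&name=info.php HTTP/1.1" 200 1
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:28 +0800] "GET /wp-content/uploads/wpallimport/uploads/7e5c480be9430902b770248114057520/info.php HTTP/1.1" 404 19715
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:31 +0800] "POST / HTTP/1.1" 302 -
xx.yyy.zzzz.xx - - [25/Jun/2015:08:14:33 +0800] "POST /wp-login.php HTTP/1.1" 200 3679
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:33 +0800] "GET /wp-content/themes/leons/bariss.php HTTP/1.1" 200 1343
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:34 +0800] "GET /wp-content/themes/leons/1.jpg HTTP/1.1" 404 19715
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:37 +0800] "GET /favicon.ico HTTP/1.1" 200 -
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:39 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 1136
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:42 +0800] "GET /wp-content/themes/leons/bariss.php HTTP/1.1" 200 52977
aa.bbb.cc.ddd - - [25/Jun/2015:18:41:52 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 35413
aa.bbb.cc.ddd - - [25/Jun/2015:18:42:02 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 7134
aa.bbb.cc.ddd - - [25/Jun/2015:18:42:14 +0800] "POST /wp-content/themes/leons/bariss.php HTTP/1.1" 200 35549
aa.bbb.cc.ddd - - [25/Jun/2015:18:42:22 +0800] "GET / HTTP/1.1" 200 904
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)      # query string only; POST bodies are not logged
    return rec


def classify(rec):
    """Return the reasons a request is suspicious (empty list if none)."""
    tags = []
    path, query = rec["path"], rec["query"]
    if path.startswith(PROBE_PATHS):
        # Attacker checking whether an earlier upload landed: 200 means it did.
        tags.append("plugin-probe:" + ("found" if rec["status"] == 200 else "missing"))
    if path.endswith("/admin-ajax.php") and rec["method"] == "POST":
        action = query.get("action", [""])[0]
        name = query.get("name", [""])[0]
        if action in UPLOAD_ACTIONS or name.lower().endswith(".php"):
            tags.append("ajax-upload:" + (name or "?"))
    if path.startswith(WRITABLE_DIRS) and path.lower().endswith(".php"):
        # A 200 here means PHP executing from a directory that should only hold data or assets.
        tags.append("php-in-writable-dir:%s:%d" % (rec["method"], rec["status"]))
    if path == "/wp-login.php" and rec["method"] == "POST":
        # WordPress answers a successful login with a 302; a 200 is the form rendered again.
        tags.append("login:" + ("redirect" if rec["status"] == 302 else "form-returned"))
    return tags


def triage(lines):
    """Group suspicious requests by source address, preserving log order."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], rec["status"], tags))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, "first seen", hits[0][0], "last seen", hits[-1][0])
        for ts, method, path, status, tags in hits:
            print("   ", ts, method, path, status, ",".join(tags))
```

On the extracts above this flags four requests from the Ukrainian address (the failed revslider probe, the WP All Import upload, the failed check for the uploaded info.php, and the wp-login.php POST) and every one of the six bariss.php requests from the Turkish address, while leaving robots.txt, favicon.ico and the image request alone.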

LESSONS LEARNT

Quick Wins
1) Reset the administrator passwords of the servers and the firewall, and also the WordPress and FTP credentials: the FTP account had been under a dictionary attack and wp-login.php received a POST during the second wave.

2) Rebuild the website from a backup taken before the first exploit attempt (2015-06-25 08:14) and verify that it contains neither the defaced page nor any backdoor before bringing it online. The age of a backup is not proof of cleanliness: check every PHP file under wp-content, and treat any PHP in the uploads directory as hostile.

3) Restrict website administration (wp-login.php and /wp-admin/) to the Client's internal IP range. One caveat: /wp-admin/admin-ajax.php has to stay reachable from the internet because front-end features use it, and that is the very endpoint the upload attempts in (2) went through, so this control complements plugin patching rather than replacing it.

4) Keep WordPress plugins patched to the latest version available from the vendor, and remove plugins that are not needed. revslider in particular was often bundled inside commercial themes, where the WordPress updater does not see it, so a bundled copy has to be checked and updated by hand.

5) Configure Apache to hide version information (ServerTokens Prod and ServerSignature Off). This does not stop an attack, but it denies the attacker easy fingerprinting of the server.

6) Turn on the UTM module of the firewall with tightened policies.

7) Use the firewall, or a web application firewall in front of the site, to block file uploads from external addresses, in particular any request that would write a .php file; legitimate content uploads should come only from authenticated staff on the internal range.

8) Configure the FTP service to lock out or rate-limit repeated failed logons. Better still, replace FTP, which sends credentials in clear text, with SFTP restricted to known source addresses.
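Lesson 2 requires the rebuilt site to be free of backdoors, and the description of bariss.php above (a base64-wrapped shell with file, database and remote-shell functions) shows what to look for. The scanner below is an added example written for this page, not the response team's tooling. It walks a restored webroot and flags PHP sitting in the uploads directory, PHP that calls command-execution or decoding functions (especially when request data reaches them), and long base64 blobs that decode to such PHP. The sample webroot it builds, including the contents of shell.php and info.php, is constructed for the demonstration and is not the incident's actual bariss.php or info.php; the indicator lists are assumptions about a default WordPress layout.

```python
import base64
import os
import re
import tempfile

# Functions a PHP web shell needs to run commands or to hide its own source.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|proc_open|popen|"
    r"base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|FILES)\b")
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Directories that must never contain executable PHP on a WordPress site (assumption).
NO_PHP_DIRS = ("wp-content/uploads",)


def decode_blob(blob):
    """Best-effort base64 decode; returns '' when the blob is not valid base64."""
    blob = blob.rstrip("=")
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")
    except ValueError:
        return ""


def inspect_php(rel_path, text):
    """Return the reasons a PHP file looks like a backdoor (empty list if clean)."""
    reasons = []
    rel = "/" + rel_path.replace(os.sep, "/")
    if any("/%s/" % d in rel for d in NO_PHP_DIRS):
        reasons.append("php file inside upload directory")
    calls = sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(text)})
    if calls:
        reasons.append("dangerous calls: " + ",".join(calls))
        if REQUEST_INPUT.search(text):
            reasons.append("request data reaches dangerous calls")
    for blob in LONG_BASE64.findall(text):
        reasons.append("long base64 blob")
        decoded = decode_blob(blob)          # look inside the wrapper, as bariss.php was wrapped
        if DANGEROUS_CALLS.search(decoded) or REQUEST_INPUT.search(decoded):
            reasons.append("base64 blob decodes to PHP that runs commands or reads request data")
    return reasons


def scan_tree(root):
    """Walk a webroot (or restored backup) and map relative path -> reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "r", errors="replace") as fh:
                reasons = inspect_php(rel, fh.read())
            if reasons:
                findings[rel.replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree():
    """Constructed sample webroot: one clean theme file, one base64-wrapped shell in
    the theme directory, one PHP file dropped into uploads. Hypothetical contents."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def put(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)

    put("wp-content/themes/leons/functions.php",
        "<?php\nadd_action('wp_enqueue_scripts', function () {\n"
        "    wp_enqueue_style('leons', get_stylesheet_uri());\n});\n")
    inner = ("<?php\n"
             "if (isset($_POST['cmd'])) { echo '<pre>' . shell_exec($_POST['cmd']) . '</pre>'; }\n"
             "if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }\n")
    put("wp-content/themes/leons/shell.php",
        "<?php eval(base64_decode('%s')); ?>\n" % base64.b64encode(inner.encode()).decode())
    put("wp-content/uploads/wpallimport/uploads/abc/info.php", "<?php phpinfo(); ?>\n")
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against a real restore, point scan_tree at the extracted backup rather than the live site, and review every hit by hand: legitimate plugins do call base64_decode, so the combination of indicators (and any PHP at all under uploads) matters more than a single match.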