Pawn storm – Oldest tricks in the book and we’re still falling for them

Unless you are well-versed in the world of IT-security you might not know what Pawn Storm refers to, or you might think it is a chess tactic. Pawn Storm is an espionage operation started by an unknown group of individuals around 2007. The operation mainly targets government and military related organizations from the United States and their allies, directly or indirectly. There are some reports that the group has been aiming its attacks on people opposing the Kremlin as well as Ukrainian activists and military. This leads to speculations that the group is operating from Russia with a possible connection to the Russian government. Main targets are directly attacked through a number of common attacks or indirectly by attacking anyone who is related to the main target. A good example is a group of bloggers who were targeted in attacks just a few days after they had interviewed President Barack Obama. This is a common way to get to a target by broadening your area of attack and finding a weak link in the chain of individuals or organizations that are somehow related. One target was a company that sells nuclear fuel to power stations. So one can quickly see how this operation can become dangerous rather fast. The targets have mainly been military, government and media in the United States.

It was recently discovered that the group might have been preparing for a large-scale spear phishing campaign against financial institutions during June last year. According to the latest reports, it’s unclear if the campaign has started yet. But, when and if it does it will most likely be based on different spear phishing attacks against banks around the world.

The group has so far mainly been seen to use three different types of tactics in their attacks.

  • Spear phishing emails with different attachments made specifically for the current target. An example is if the target was a Bank then the attachment might be an Excel with a transaction history. The content of the file would look legit to not raise too much suspicion. Different exploits would be used with these files that would deliver different payloads. The group seems to mainly use a backdoor called Sednit or Sofacy.
  • Large networks of phishing sites that would try to get the user to enter credentials to different accounts. One of these examples includes fake OWA login pages that are sent to employees of targeted organizations. If they are tricked to enter their credentials then these credentials will be stolen and can be used later to gain further access into systems.
  • Exploits embedded in legitimate websites. These attacks are known as drive-by attacks that usually exploit browser,  java- or flash plugin vulnerabilities to drop payloads on a visitor’s machine.

According to the security researchers that discovered these attacks and wrote the different reports that I have read through, the organizations, groups, companies etc. that they have found to be targets in this operation have all been notified about this. But that doesn’t mean that everyone who is an actual target has been. There also might be other operations being planned +(,) where new targets are being explored.

So, how would organizations protect against these attacks? These attacks are the same old attacks as we’ve always seen, just in a very large scale and very well thought through. They are carried out using social engineering techniques and the quite correct assumption that no one updates any software. Also, of course, as this operation most certainly makes use of zero day vulnerabilities it might be difficult to protect against it. Patches may not exist or may not get out in time after the first attacks have been discovered.

In the case of malware and malicious links being sent via email in spear phishing attempts I would say that:

  • Acting with caution when reading emails.
  • Being suspicious by default.
  • Security training and some new company policies could be put in place.

Even if anti-virus and different filters are used as protection, the risk is still high. Only one email has to get through to trick some poor employee into giving the Pawn Storm individuals access to the internal network (an anti-virus won’t catch a malware with a new signature and carefully written methods of operation). Teaching employees about what kind of emails to trust and what not to trust is a good start. If they are not expecting an Excel sheet about transaction histories between two gentlemen in a German town then they should probably not open it. If an organization needs to receive attachments via email in the form of Excel sheets or PDF-files it can be tricky to protect against attacks depending from what kind of sources you would expect to get mail from (like the example with the two Gentlemen in a German town if you are in fact working for a small very local company in New Zealand). One thing you could do in a situation like this is to keep everything updated, from Operating System to software that are in use (Like Adobe and Microsoft Office).

The same principles applies to getting emails with strange links that at first seem legitimate. The countermeasures mentioned above apply here as well. Another countermeasure here could be to teach employees to look closely at the link they are about to click. Usually hovering over it will reveal if the link goes somewhere else than what it says. If they can’t recognize the URL then it shouldn’t be clicked. An alternative that works on Android is to “press-and-hold” on the link to reveal where it points to (This might of course be problematic in the way that some people might then press and activate the link by mistake then instead).

 

pawnstorm_legmail

 

 

 

 

 

 

If they still click the link and from there want to verify the page they could again have a look at the address they were taken to, for instance looking closely at the spelling of the address (Making sure it’s example.com instead of examplex.com). Alternatively they can be taught to take a look at the little icon next to the URL in the browser that indicates if the connection is secure and trusted. This of course requires the organization that owns the website to always use SSL on all important web resources so that one can always assume that the icon should be there.

 

pawnstorm_legsite

 

 

 

 

 

 

 

In the case of Firefox which was the browser used in the example above, more information can be found via the link below. Don’t forget to check where you end up ;).

https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure?as=u&utm_source=inproduct

The drive-by downloads which is the third main method used by the group can be hard to protect against if the organization requires applications running Java or Flash in the browser, as these two are most commonly used to drop the payloads due the large amount of vulnerabilities found in these two solutions. Javascript can also be used to carry out different attacks. Amongst these, browser exploits can sometimes be utilized. However, Javascript is usually harder to turn off than Java and Flash in the browser due to so many websites today that depend on it to function properly. I however, recommend to remove Java and Flash in the browser if not used, and if possible plugins such as NoScript can be used to only allow a small amount of websites to execute Javascript in the browser. If none of these can be removed then the best alternative would be to keep browser, plugins, Java and flash updated at all times.

To summarize, the problems at their core are the same as usual. Software will most likely always contain vulnerabilities and thus users need to become more careful and be reminded to not trust what ends up in their inbox, even if it looks very legitimate and tempting to open. If in doubt, ask your helpdesk or head of security. Not everyone has a head of security, in which case you could contact an IT-security consultant about the matter. Now, people can’t really be expected to call someone every time they get a strange email with suspicious content. That’s why the different levels of countermeasures need to be taken to prevent this type of directed attack.

Another problem to be taken into consideration is the rest of the organization’s infrastructure. There could be servers being exposed to the Internet, which contain vulnerabilities that could be used to gain access to the internal network. In this case the attacking group would simply need to place more focus on a single target and expand their methods of attacking to discover new ways to get inside of the network. Therefore, it’s always important to review security in the organization often.

There are many things that need to be taken into consideration when building up a defense against these attacks. The recommendations in this article can be thought of as a pretty good starting point – or extensions to the security implementation that already exist within an organization.

 

References

http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/

http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-decoys-deliver-sednit

I'm a Security consultant at TrueSec. I mostly deal with penetration testing and code reviews, but I also like to allocate time for different kinds of security research. Twitter - https://twitter.com/alcorsecurity

Tagged with: , ,
Posted in General, Hacking

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories
%d bloggers like this: