Monday 8 December 2014

The Hack

I've been off work, obviously with my feet, however, I've also been off because I've moved house, which took just over a week.  There are a couple of bits and bobs left at the old house and the sale is progressing, whether it all gets done for Christmas and the wife and I can actually celebrate is anyone's guess.

Those events are however not what I want to talk about today, no, today's topic is one of the systems under my control being the subject of a hack, a successful hack too.

I've been in this game a long time, I've administered Unix, VAX VMS, Sun Solaris, Windows and Linux servers, I've seen access attempts, heard social engineers (cold callers) and even found evidence of folks trying to pick locks to server and switching equipment cabinets.

Until this hack however I'd never lost control of a machine, never had any damage done, and never expected such a strange attack.

The target machine for these problems was a Windows 7 32 Bit virtual machine, being used as a development box with an externally open port to a fixed IP on the local LAN, which the IT Admin had wired up to the company external IP Address and a third party company routed a tunnel through our firewall.

Through this single IP/Port combination the Windows machine was compromised...

Oddly, and quite annoyingly, the IT Admin immediately pointed his finger at one of the pieces of software I was running "Apache"... Could you imagine the uproar in the world at large if Apache web server had a vulnerability which allowed the kind of hack I'll detail later?... Let me just say, I ribbed him back about it, but his inert and instant finger pointing away from what I believe is the true problem child annoyed me.

The other software being run on the machine was Visual Studio 2013, whether that is vulnerable, I don't know, perhaps however one would expect some evidence that online/connected services being used by Visual Studio were accessed, some log or trace, and there aren't any, the only traces left were in the Windows logs (event viewer).  Reinforcing my annoyance at the finger being pointed away from Windows.

The user software being operated did not contain any code to do the actions carried out on the machine, indeed only Windows contains the ability to do what was done, so this was the final nail in the coffin for me: Windows was to blame.

What was the hack?  You know what, I have no idea, having gone through the evidence and checked I have no idea what allowed the activity, however here's my general pattern pulled from the event viewer.

Thursday 13:30  Machine left in Idle.
Friday 03:01  External Access Logon Requested
Friday 03:03  Logon negotiated with null GUID

(This logon was never listed as successful, only that it was negotiated, I therefore suspect an IP Spoofing attack of some kind).

Friday 03:04  Logon elevated to grant all tokens

Whoever this was, they spent about three hours poking about inside the machine, then logged off.

Saturday 03:01  Logon negotiated with null GUID
Saturday 03:01  Logon elevated to grant all tokens
Saturday 03:03  All user accounts set locked
Saturday 03:13  Volume Shadow Copy started
Saturday 03:23  Volume Shadow Copy crashed
Saturday 03:24  Unknown Application reported 100% CPU
Saturday 03:38  New user account created with name "hahaha"

Several more shadow volume copies occur, then this person logs off.

Sunday 04:13  hahaha logs on
Sunday 04:15  All user accounts set to disabled, except hahaha
Sunday 06:38  hahaha logs off
Sunday 06:39  Machine shutdown by hahaha
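The timeline above is, in effect, a sequence of Windows Security-log events. As an added example (not code from the post), here is a small Python detector that flags the patterns in it over a constructed log export: off-hours logons and privilege assignment, a freshly created account logging on, and many accounts disabled or locked in a single day. The event ID mapping and the working-hours window are my assumptions, not anything the post states.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not from the post), "timestamp,event_id,account",
# mirroring the timeline above. Event IDs assumed: 4624 logon, 4672 special
# privileges assigned, 4720 account created, 4725 account disabled,
# 4740 account locked out. "-" marks an account the log did not name.
SAMPLE_LOG = """\
2014-12-05 03:01,4624,-
2014-12-05 03:04,4672,-
2014-12-06 03:01,4624,-
2014-12-06 03:01,4672,-
2014-12-06 03:03,4740,dev
2014-12-06 03:38,4720,hahaha
2014-12-07 04:13,4624,hahaha
2014-12-07 04:15,4725,dev
2014-12-07 04:15,4725,Administrator
"""

LOGON, PRIV, CREATED, DISABLED, LOCKED = 4624, 4672, 4720, 4725, 4740
WORK_HOURS = range(8, 19)  # assumption: 08:00-18:59 is normal for a dev box


def parse(text):
    """Turn the CSV export into (datetime, event_id, account) tuples."""
    rows = []
    for line in text.splitlines():
        ts, eid, acct = line.strip().split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), int(eid), acct))
    return rows


def find_alerts(events, max_disabled_per_day=1):
    """Return (timestamp, reason) pairs for the patterns seen in the post."""
    alerts, new_accounts, disabled = [], set(), defaultdict(list)
    for ts, eid, acct in events:
        if eid in (LOGON, PRIV) and ts.hour not in WORK_HOURS:
            alerts.append((ts, f"off-hours event {eid}"))
        if eid == CREATED:  # a new account appearing at all is worth a look
            new_accounts.add(acct)
            alerts.append((ts, f"account created: {acct}"))
        if eid == LOGON and acct in new_accounts:
            alerts.append((ts, f"logon by newly created account: {acct}"))
        if eid in (DISABLED, LOCKED):
            disabled[ts.date()].append(acct)
    for day, accts in sorted(disabled.items()):  # many in one day = lockout sweep
        if len(accts) > max_disabled_per_day:
            alerts.append((datetime.combine(day, datetime.min.time()),
                           f"mass disable/lockout of {len(accts)} accounts"))
    return alerts
```

Run against a real export, the first off-hours 4624/4672 pair on the Friday night would have fired a full day before the "hahaha" account appeared.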

That's what they did, not a lot I admit, however, we have the times this happened, we have the Event Viewer log as proof, and we pay a company to look after the company firewall... So they have access logs right?... Right?... RIGHT?...

Nope, apparently it is too much hassle to check the logs, and according to one source "we get port scanned 100 times a day, what's the point of chasing down one hack?"... erm because they got in... they didn't just scan they got in, and for the life of me I can't figure out how.

Windows was patched, firewall was on, only a non-standard port was open and it was only listening with a custom application with a specific and narrow role to carry out...

Everything else on the machine was not available to that port, or on the second network adapter in the machine!
