Last week I wrote about the importance of assessing your platform risk to truly understand your attack surface. For one reason or another, attack surface is one of the most misunderstood concepts in security, and often the fundamental mistake people make when they draw up their security plans. But that’s a topic for another post. Today is all about Alexsey.
Most of the damage caused by Alexsey is concentrated between 2012 and 2013, but thanks to the FBI and a fascinating blog post by Chris McNab, not only can we put a name to the face and connect him to massive breaches at Yahoo, Evernote and Zappos, but we also have some key details behind his techniques. The attack progression described by McNab in his analysis of Alexsey’s TTPs (Tactics, Techniques and Procedures) is very consistent with what we see every day at Alert Logic – the targets of opportunity are often periphery web applications, attacks are very simple (in same cases trivial) and resulting damage, if not detected early, can be massive. According to The NYT, during his brief run Alexsey Belan compromised 1.2 Billion accounts in highly publicized breaches, and likely millions of others. I can’t recommend reading the entire post enough, but to summarize a few interesting details:
- Alexsey found his victims simply by running Google and LinkedIn searches. Why? No one pays attention to periphery applications. One was owned by a marketing department, another by a member of an engineering team.
- Initial entry vectors were well-known WordPress vulnerabilities and custom PHP flaws. The specific WordPress flaw in the TimThumb plugin was extremely widespread, and exploited on mass scale. Securi estimates over a million WordPress installations have been compromised by this vulnerability alone, which only seems like a staggering number if you don’t realize just how much of the internet is essentially made up of WordPress installations (28% of all web sites).
- Not only were some of the vulnerabilities well known, they were discovered some number of months and years prior to the attacks. In first two cases privilege escalation was achieved by exploiting CVE-2010–3856, which means basic patching would have eliminated the exposure. Could Alexsey develop his own zero-day privilege escalation code? It’s anyone’s guess, but he doesn’t seem like the type.
- Some of the lateral movement techniques are notable for their simplicity and elegance. In one of the breaches Alexsey simply replaced the PHP authentication mechanism to capture credentials of anyone interacting with the site. Assuming some of these users had access to critical systems, the rest was easy.
- In one case the target only realized they were compromised when contacted by the FBI. By then Alexsey had undetected access for 4 months. Embarrassing.
The common thread running through these breaches is a misunderstanding of the true attack surface. For a long time security practitioners have been matching appropriate security controls based on the criticality of the asset and importance of the data - its canonical law…it’s what you are taught to do. Protect your most critical assets with everything you’ve got. While no one has ever questioned the wisdom of this approach, over time it has effectively become an anti-pattern. The modern attack surface is much wider than it was in the past. Many factors contribute to this, but ultimately this happened because we have been gradually replacing most applications with web code (much of it derived from open source), including basic tools used by the marketing team, which unwittingly becomes the entry point for someone like Alexsey Belan.
Alexsey’s story is far from unique. In our webinar on understanding your attack surface, we go through a few other examples where periphery web apps were the first domino to get knocked down. Also included is a basic framework for how you should evaluate your application stack for risk and deploy the right defensive measures to get the broadest coverage you can.
Why the web apps you're worried about least could be your most critical exposure
Misha Govshteyn, Founder & SVP ProductView Webinar