Peeled onions and a Minus Touch: Verizon data breach digest lifts the lid on theft tactics

The 2018 report gives us a glimpse of the tactics attackers are using today, from cryptojacking to ATM fraud, and the mistakes that let them succeed.

Data breaches, successful cyberattacks, and hacking events are often shrouded in silence.

Beyond the bare-bones facts, companies that have become victims of such crimes, as well as the external cybersecurity experts who perform forensics and damage control afterwards, are often reluctant to admit more than they have to.

Legal ramifications, prized reputations that may take a beating, and protective non-disclosure agreements often mean that very little is shared publicly about how a security incident was able to take place, the timelines involved, or any of the gritty, contextual details.

If we are going to learn how to better defend corporate networks from cyberattacks now and in the future, communication and the ability to learn from each other's mistakes are key.

While anonymized, Verizon's new 2018 Data Breach Digest (DBD) contributes towards this goal and also gives us a look at how cyberforensics teams tackle data breaches.

This year's edition includes several stories that illustrate trends in malware usage and modern attack vectors, as well as the mistakes that can cost companies dearly once a security incident has taken place.

The peeled onion

In a case known as the peeled onion, Verizon security researchers -- the VTRAC Investigative Response team -- tracked a set of cybersecurity incidents connected through the use of cryptocurrency-related malware.

The malware hijacked the CPU and GPU cycles of infected systems to covertly mine cryptocurrency, such as Ethereum or Monero, in what is known as cryptojacking.

According to Verizon, the majority of cases involved the illicit mining of Monero and Zcash.

In one customer's case, alerts originating from the corporate firewalls suggested suspicious network behavior. The firewalls were blocking traffic attempting to reach the Tor onion network, and captured traffic traced the connection attempts back to a Windows "powershell.exe" process.

Upon further inspection, it was found that the cryptojacking malware had compromised the enterprise systems through CVE-2017-0143, a remote code execution vulnerability in Windows SMBv1 (fixed by Microsoft's MS17-010 update) for which an exploit was leaked by the Shadow Brokers.

The problem was patched, but not before the forensics team uncovered hundreds of Windows systems that were neither up to date nor secure.
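A worked version of that triage, added here as an example and not taken from the Verizon digest: it correlates perimeter denies on a Tor-blocking firewall rule with host-side network-connection events, so the analyst can see which process opened each blocked socket and rank hosts accordingly. The log formats, hosts, addresses and the list of scripting interpreters treated as high-risk are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Verizon report). Firewall lines are
# perimeter denies; endpoint lines are host-side network-connection events that
# record which process opened the socket.
FIREWALL_LOG = """\
2018-05-02T10:15:03Z action=deny src=10.20.1.15 dst=198.51.100.7 dport=9001 rule=block-tor
2018-05-02T10:15:09Z action=deny src=10.20.1.15 dst=203.0.113.40 dport=443 rule=block-tor
2018-05-02T10:16:00Z action=allow src=10.20.1.22 dst=93.184.216.34 dport=443 rule=web-out
2018-05-02T10:17:45Z action=deny src=10.20.1.31 dst=198.51.100.7 dport=9001 rule=block-tor
"""

ENDPOINT_LOG = """\
2018-05-02T10:15:02Z host=10.20.1.15 pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe event=netconn dst=198.51.100.7 dport=9001
2018-05-02T10:15:08Z host=10.20.1.15 pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe event=netconn dst=203.0.113.40 dport=443
2018-05-02T10:17:44Z host=10.20.1.31 pid=2208 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe event=netconn dst=198.51.100.7 dport=9001
"""

# Interpreters an attacker typically drives once an exploit lands. A Tor
# connection from one of these is far more suspicious than one from a browser.
# This list is an assumption for the example, not from the report.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}

# key=value pairs whose values may contain spaces (Windows paths); a value ends
# where the next " key=" begins or the line ends.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate_tor_blocks(fw_text, ep_text, window=timedelta(seconds=5)):
    """For every Tor-blocking firewall deny, find the endpoint connection event on
    the same host to the same dst:port within `window`, and return
    {host: [process image name, ...]} so each block is tied to a process."""
    endpoint = parse(ep_text)
    hits = defaultdict(list)
    for fw in parse(fw_text):
        if fw.get("action") != "deny" or fw.get("rule") != "block-tor":
            continue
        for ep in endpoint:
            if (ep.get("host") == fw["src"] and ep.get("event") == "netconn"
                    and ep.get("dst") == fw["dst"] and ep.get("dport") == fw["dport"]
                    and abs(ep["ts"] - fw["ts"]) <= window):
                hits[fw["src"]].append(ep["image"].rsplit("\\", 1)[-1].lower())
    return dict(hits)


def suspicious_hosts(hits):
    """Hosts whose Tor attempts came from a scripting host rather than a browser."""
    return sorted(h for h, images in hits.items()
                  if any(i in SCRIPT_HOSTS for i in images))


if __name__ == "__main__":
    hits = correlate_tor_blocks(FIREWALL_LOG, ENDPOINT_LOG)
    for host, images in hits.items():
        print(host, "->", images)
    print("triage first:", suspicious_hosts(hits))
```

The correlation window is the point: a firewall deny on its own says only that a host tried to reach Tor, while the endpoint event says which binary did it. Here the browser-driven attempt from 10.20.1.31 is still blocked but drops down the queue, and the PowerShell-driven attempts from 10.20.1.15 go to the top, which is where a compromise like the one in the digest would show up.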

The Minus Touch

Forensic data is often at the heart of any investigation into a cybersecurity incident. In one recent case, however, the team had nothing more to work with than a blank hard drive and a co-location data center that was less than ideal to deal with.

The investigation turned into a costly affair: the customer's data was hosted at a co-location data center, but the facility's rules and regulations barred Verizon from accessing the systems directly, so the forensics team was forced to wait for local crews to connect hard drives to the in-scope servers.

"Though generally simple, some co-location data centers are well-equipped to handle these requests while others struggle to coordinate with the folks on the ground," Verizon says. "For this situation, the customer was sharing a physical system with other customers which could prevent the ability to image the drive at all due to commingled customer data."

Days passed, and when the hard drives were finally handed over, there was no data to be found.

The local crew had not followed the correct procedures and, in doing so, had failed to copy any data at all. This added days to the timeline, and in the case of a cyberattack such delays can mean further compromise, new attacks, and unpatched systems left exposed for far longer than necessary.
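The check that would have caught the blank drive before it was shipped, written here as an added example rather than a procedure from the report: hash the image as it streams and measure how much of it is zero-filled, failing the acquisition if the image is empty, overwhelmingly blank, or does not match the hash recorded at imaging time. The two sample images are constructed in a temporary directory, and the 95 percent zero threshold is an assumed cut-off.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # stream and inspect in 1 MiB chunks so large images fit in memory


def verify_image(path, expected_sha256=None, max_zero_fraction=0.95):
    """Sanity-check an acquired disk image before it leaves the site.

    Returns the image size, its SHA-256, the fraction of chunks that are
    entirely 0x00, an 'ok' verdict and the list of reasons it failed. The zero
    threshold is an assumed cut-off for this example, not a standard."""
    sha = hashlib.sha256()
    size = blocks = zero_blocks = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            sha.update(chunk)
            size += len(chunk)
            blocks += 1
            if not chunk.strip(b"\x00"):  # true only when every byte is 0x00
                zero_blocks += 1
    digest = sha.hexdigest()
    zero_fraction = zero_blocks / blocks if blocks else 1.0
    problems = []
    if size == 0:
        problems.append("image is empty")
    if zero_fraction >= max_zero_fraction:
        problems.append(f"{zero_fraction:.0%} of the image is zero-filled; "
                        "the copy probably never ran")
    if expected_sha256 and digest != expected_sha256.lower():
        problems.append("SHA-256 does not match the hash recorded at acquisition")
    return {"size": size, "sha256": digest, "zero_fraction": zero_fraction,
            "ok": not problems, "problems": problems}


def make_sample_images(directory):
    """Constructed inputs: an all-zero image (what the team received) and one
    holding a megabyte of data followed by a megabyte of unallocated space."""
    blank = os.path.join(directory, "blank.img")
    with open(blank, "wb") as f:
        f.write(b"\x00" * (4 * BLOCK))
    real = os.path.join(directory, "real.img")
    with open(real, "wb") as f:
        f.write(bytes(range(256)) * (BLOCK // 256))  # 1 MiB of patterned data
        f.write(b"\x00" * BLOCK)                      # 1 MiB of empty space
    return blank, real


def run_demo():
    """Verify both constructed images, plus the data image against a wrong hash."""
    with tempfile.TemporaryDirectory() as d:
        blank, real = make_sample_images(d)
        return {
            "blank": verify_image(blank),
            "real": verify_image(real),
            "wrong_hash": verify_image(real, expected_sha256="0" * 64),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "OK" if result["ok"] else "FAIL", result["problems"])
```

Running the check on the receiving side is cheap compared with the days lost in the digest's case; the hash also gives the investigator a chain-of-custody value to record before the drive is handed over.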

The Monster cache

In a case handed to Verizon that involved unauthorized, fraudulent ATM transactions and severe financial loss, the evidence pointed to a possible insider.


The team arrived on site and, in what might have been taken as a bad omen, was allowed in without a single security check. To make matters worse, most of the staff who may have been involved in the scheme had been fired, and the new employees hired to replace them were not yet familiar with the corporate systems.

Verizon's analysis of the security information and event management (SIEM) logs identified a malicious system connected to the network that had gained access to critical servers and databases. The system was not recognized as a corporate asset, and there was no evidence of an external implant.

Because of configuration errors and a lack of rudimentary security controls, any device that was plugged in could gain full network access.
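One way to pull that signal out of the SIEM data the team had, added here as an example and not Verizon's own method: compare DHCP leases against an asset inventory to find devices that should not be there, then list every flow from those devices to critical servers. The inventory, the critical-asset map and the SIEM export are all constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed asset inventory (not from the report): every device that is
# allowed on the network, keyed by MAC address.
INVENTORY_CSV = """\
mac,hostname,owner
00:1a:2b:3c:4d:01,atm-sw-01,ATM Ops
00:1a:2b:3c:4d:02,core-db-01,Infrastructure
00:1a:2b:3c:4d:03,ws-teller-07,Branch
"""

# Assumed map of critical servers to names, so flows to them can be called out.
CRITICAL_ASSETS = {"10.0.5.10": "core-db-01", "10.0.5.11": "atm-switch-host"}

# Constructed SIEM export: DHCP leases (who joined) and flow records (who talked
# to whom). A real export holds far more, but these two event types are enough.
SIEM_EVENTS = """\
2018-03-12T02:11:05Z type=dhcp_lease mac=00:1a:2b:3c:4d:03 ip=10.0.20.45 hostname=ws-teller-07
2018-03-12T02:14:51Z type=dhcp_lease mac=b8:27:eb:9f:31:c2 ip=10.0.20.99 hostname=raspberrypi
2018-03-12T02:15:20Z type=flow src=10.0.20.99 dst=10.0.5.10 dport=1433 bytes=48211
2018-03-12T02:16:02Z type=flow src=10.0.20.99 dst=10.0.5.11 dport=445 bytes=912
2018-03-12T02:20:10Z type=flow src=10.0.20.45 dst=10.0.5.10 dport=1433 bytes=2210
"""


def load_inventory(text):
    """MAC -> inventory row for every device that is allowed on the network."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def parse_events(text):
    """Split 'timestamp k=v k=v' SIEM lines into dicts (values here hold no spaces)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, _, rest = line.partition(" ")
            ev = dict(kv.split("=", 1) for kv in rest.split())
            ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def find_rogue_devices(inventory, events, critical=CRITICAL_ASSETS):
    """Devices that obtained a lease without being in the inventory, plus every
    flow from them to a critical asset. Two passes, so a flow logged before its
    lease is still attributed. Without NAC this is the earliest signal available."""
    rogue = {}
    for ev in events:
        if ev["type"] == "dhcp_lease" and ev["mac"].lower() not in inventory:
            rogue[ev["ip"]] = {"mac": ev["mac"], "hostname": ev.get("hostname", "?"),
                               "first_seen": ev["ts"], "critical_contacts": []}
    for ev in events:
        if ev["type"] == "flow" and ev["src"] in rogue and ev["dst"] in critical:
            rogue[ev["src"]]["critical_contacts"].append(
                (ev["dst"], critical[ev["dst"]], int(ev["dport"]), int(ev["bytes"])))
    return rogue


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for ip, info in find_rogue_devices(inventory, parse_events(SIEM_EVENTS)).items():
        print(f"unknown device {info['hostname']} ({info['mac']}) at {ip}, "
              f"first seen {info['first_seen']:%Y-%m-%d %H:%M}")
        for dst, name, port, nbytes in info["critical_contacts"]:
            print(f"  -> {name} {dst}:{port} ({nbytes} bytes)")
```

The inventory comparison is a stand-in for the control that was missing: with 802.1X or another form of network access control in place, the unknown device would never have received an address, and the lease-versus-inventory mismatch is the alert a SIEM should have raised, had anyone been reviewing its output.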


"In-place network monitoring was not correctly configured, and while there was a SIEM in place no one was reviewing and investigating alerts," Verizon added. "These fundamental design flaws in the entire network weren't only an open door for attack but also made it trivial for a threat actor to fly under the proverbial radar."

Physical access to the main data center and the introduction of the unauthorized system on-premises allowed the ATM scheme to occur.

However, because the company had failed to maintain even basic security policies and standards, it was not possible to identify the insider or the true depth of the deception.

"Only by sharing cybercrime information can companies and governments effectively combat cyber threats. It is our intention this knowledge sharing continues -- now and in the future," the company says. "We hope that companies will continue to proactively share information on breaches as time progresses. Barriers are already lowering, as businesses discover there is more to be learned from sharing than from sitting in silence."

In April, Verizon released the latest edition of the firm's Data Breach Investigation Report.

The report, which was based on 53,308 security incidents, 2,216 data breaches, and 67 contributors worldwide, found that ransomware had become the most prevalent form of malware seen in cyberattacks.


Ransomware -- such as Locky, Oni, and Mamba -- was present in 39 percent of the malware-related cases logged.
