Social Media Part I: Threats

Transcription

1 Social Media Part I: Threats ThreatScape Enterprise November 04, :40:32 PM CST, Intel , Version: [1]

2 Executive Summary This report details some of the basic threats that propagate via social media or that use information contained on social media sites that may impact an enterprise environment. These threats include direct and indirect data loss, exploitation, brand abuse and the targeting of company resources. Enterprises should be aware of the potential risks to their environment. Key Points Direct and indirect data loss, exploitation, brand abuse and the targeting of company resources via social media are all possible risk factors for enterprises, regardless of company use policies. Enterprises should be aware of their interests in third-party social media sites and of the threats that may impact those environments. We expect social media to continue to function as an attack enabling vector for the foreseeable future. Threat Detail Threats via Social Media The use of social media poses various threats to enterprise environments, including unintentional data loss; the compromise of social media sites; exploitation that occurs through third-party sites; or applications, brand abuse and company account takeover. Unintentional Data Loss Social media provides opportunities for the unintended disclosure of corporate information through active disclosure (i.e., content that employees may post about a company in forums they believe to be safe) or passively (i.e., through the analysis of connections between individuals or other information that is not directly provided by the user). There are three primary ways in which unintentional data loss can directly harm an enterprise: the direct exposure of company 2014 All rights reserved. isight Partners, Inc. 2

3 information by employees, the indirect exposure of information than can be mapped to aid enterprise targeting and the unintentional loss of information that can be used to bypass knowledge-based forms of two-factor authentication (2FA). Targeted Use of Information Employees can unintentionally release information about company policies and practices without realizing they are doing so and may not accurately use privacy settings to limit to whom their information is visible. The names of individuals who associate or work with one another, their role in the company, the names of key decision makers or upcoming negotiations can all be used to generate targeting data for attackers as they work through the reconnaissance phase of an attack or create a targeted spear-phishing . Indirect Social Network Mapping Employees may also passively expose corporate information through their links to others via social networks. Social network mapping can be used to map corporate environments relatively thoroughly, particularly through websites such as LinkedIn, where corporate contacts are more likely to be highlighted, and through other social networks that always enable user contacts to be visible (i.e., Google Plus, which gives users limited control over who includes them in their circles). Malicious actors can leverage a number of online tools to rapidly develop sophisticated maps of social networks as part of a reconnaissance phase when attacking a corporate entity. Tools like Maltego, which enables rapid social networking analysis, often have limited free-use versions (i.e., Maltego Community Edition or Maltego Casefile), which can be combined with open-source projects (i.e., malformity) or custom scripts to quickly map networks. isight Partners has previously discussed this tool and its use by Arabic-speaking actors for this purpose specifically (for more information, see isight Partners. "'Maltego CaseFile' Tool Could Increase Use of Social Network Mapping Among Malicious Actors," Intel Dec. 16, 2011; and "Arabic-Language Underground Actors Posting Tutorials for Maltego Social Network-Mapping Software," Intel March 23, 2012). Simply by virtue of being digitally connected, users can give attackers a great deal of information about who works for a company and in what positions-information that can give attackers with targets and fodder for creating targeted spear-phishing messages. Knowledge-Based Authentication Unintentional data loss can also enable attackers to defeat two-factor knowledge-based authentication (KBA) to gain account access. Questions meant to authenticate users in addition to an initial password often include questions that may be found through social media (e.g., mother's 2014 All rights reserved. isight Partners, Inc. 3

4 maiden name, the first street a user lived on, their pet's name, etc.), and users may not realize that their activity on social media sites may inadvertently publicize this information. Underground marketplaces exist for information on users that can answer these questions. For example, ssndob.ms (formerly ssndob.ru) is a large underground marketplace dealing in KBA answers that are sold to be paired with other credentials for identity theft purposes. The markets for this kind of information can be extremely lucrative, and innovative actors that can rapidly scrape information from public-facing profiles can quickly monetize that information (for more information on SSNDOB, see isight Partners. "Operators of PII Resale Site 'SSNDOB' Allegedly Compromised Companies with Large Databases of PII; Accessed Source Code for Adobe Products," Intel Oct. 8, 2013). Similarly, information that links personal and corporate accounts can become a target. For example, in 2009, Twitter released a public notification that a significant amount of company information had been accessed by an attacker who compromised an employee's personal account and used the information contained in that account to gain access to the employee's corporate Google Docs account, which in turn contained information on the company's finances. Poor security of personal accounts can allow attackers to gain information that may answer secondary KBA mechanisms or that may be linked to joint resources. As a result, companies should encourage employees to always use proper passwords, even on personal accounts, and should avoid using KBA as a secondary authentication measure when better alternatives are available. The Impact of Unintentional Data Exposure Overall, unintentional data loss can lead to a loss of competitive advantage and brand degradation and enable more advanced attacks against an enterprise environment (such as spear phishing) to succeed. This in turn can lead to financial loss, data loss or exposure, corporate espionage, the loss of intellectual property or valuable negotiating information, unintended access, privilege escalation or other undesirable results. Data Exfiltration and Corporate Compromise Data compromise can impact enterprises in a variety of ways depending on what type of account or user has been compromised. The following section discusses the impact of various kinds of compromises depending upon the surface (i.e., employee, corporate or otherwise) that experiences an attack. Other resources, such as corporate computers, can also be compromised or otherwise abused through social media platforms. All of these risks fall under the category of "compromise" and are discussed below All rights reserved. isight Partners, Inc. 4

5 Exfiltration of Employee Data Data compromise is always a risk with third-party entities whose security measures are not necessarily clear to the companies or individuals using them. Unfortunately, the "brand name" factor associated with many major social networking sites often substitutes for a clearly communicated and effective security strategy. Many social networking sites are not contractually obligated to protect data entrusted to them and the majority actually protect themselves from liability through end user licensing agreements. Enterprises should be aware of what rights are held by social networking sites to which they entrust any of their information and should always assume that any information released via or contained in a third-party social networking site is available to the public. isight Partners has seen extensive targeting of social media sites, with a number of successful compromises that could impact enterprises and/or their employees. For example, In February 2013, a white hat security researcher named Nir Goldshlager publicly released proof-of-concept (PoC) code detailing a vulnerability that he responsibly disclosed to Facebook earlier that year. We observed this same code being reposted amongst malicious actors. The code demonstrated a vulnerability in OAuth, an open protocol used by Facebook for secure authorization, that targets the "app_id" and "next" query strings to give an application user full access to user accounts (for more information, see isight Partners. "Security Researcher Publishes Proof-of-Concept Code that Grants Full Control of Facebook Accounts," Intel Feb. 28, 2013). The same researcher also reported on similar flaws in the Facebook Graph API that would allow an application developer to exploit token exchanges to query restricted user data, including geolocation and hashed password, which we also saw in circulation (for more information, see isight Partners. "'Mauritania Attacker' Releases Potentially Exploitable Vulnerability in Facebook's Graph API," Intel May 31, 2013; and "Actors Observed Discussing Facebook Application Spoofing Technique; Attack Method Valid but Limited," Intel June 5, 2013). Enterprises should be aware that any information contained in a social media profile is vulnerable to compromise, and that the security of the information contained in that account is entirely within the jurisdiction of the site to which it has been provided. Information gleaned from compromising social networking sites can allow for the same kinds of use as information garnered through scraping publicly available data, including furthering spear phishing and the defeat of KBA challenge questions. In addition, data compromise may reveal more secure or restricted information that employees only intended to share with their close contacts, including sensitive personally identifiable information (PII). As a result, data gleaned from account compromise is even more likely to be damaging to a corporate environment All rights reserved. isight Partners, Inc. 5

6 Corporate Accounts and Third-Party Resources Company resources can also be targeted and used to redirect users to malicious content or to defame an enterprise's image. Many web application attacks, such as cross-site scripting (XSS), SQL injection (SQLi) and conventional password bruteforcing, can lead to attackers gaining control over company accounts with a third-party service. We frequently see this phenomenon associated with Twitter, where hacktivist attackers will target a well-known figure's Twitter account to post defacements or pivot into other accounts. For example, the Syrian Electronic Army (SEA) has proven very adept at targeting a significant number of media organizations, leveraging information gleaned from social media to craft targeted spear-phishing s. In April 2013, the SEA compromised the Associated Press (AP) and The Guardian's twitter accounts, using the AP's twitter account to post a false report that the President had been injured in a bombing at the White House, a statement that resulted in an immediate 130 billion dollar drop in the Dow Jones Industrial Average (for more information, see isight Partners. "Syrian Electronic Army Continues Highly Effective Phishing Campaign Targeting Media Organizations; Compromises AP and Guardian Twitter Accounts," Intel May 1, 2013). Events like these can severely harm a targeted institution's brand image and may result in significant financial harm. Such access may also result in data loss (hacktivist actors will often delete accounts that serve as password reset sources for the accounts they target, which may result in significant data loss), privilege escalation (as hackers use one account to compromise others) and data exfiltration by actors that remove sensitive corporate or personal information from accounts they compromise. Traditional XSS and SQLi can also impact social media sites in unexpected ways. For example, we have seen actors releasing video PoCs demonstrating XSS vulnerabilities in Facebook's interaction with applications, which tends to be frequently targeted (for more information, see isight Partners. "XSS Vulnerability in Facebook's API May Enable Application Session Hijacking," Intel Oct. 9, 2013). Attacks like this can enable attackers to make an otherwise reliable application execute arbitrary code, allowing for redirection, man-in-the-middle (MiTM) attacks, defacement or data exfiltration. Other enterprise resources, such as applications created for promotional reasons that interact with or are integrated into social media sites can also be targeted for takeover or abuse. Cyber criminals can use compromised accounts or other means to drive traffic to or from a given page, skewing promotional applications that involve prizes for referrals or entries. Any such contests or promotions should be designed to handle just this potentiality All rights reserved. isight Partners, Inc. 6

7 Direct Exploitation of Corporate Machines Actors frequently abuse social media, primarily Facebook and Twitter, to distribute malicious links and redirect users to exploit kits delivering malicious payloads. Twitter is frequently targeted because of the ubiquitous use of URL-shortening services that naturally obfuscate destination URLs, a feature that makes targets less wary of potential malicious content when it is packaged in a limited-character microblog or short Facebook post. For example, in May, 2013, isight Partners reported on the use of an actor-controlled Twitter account used to target USAID workers. The account, which featured pictures of a female soccer player re-purposed to spoof a USAID aficionado, consistently posted pro-usaid messages with a shortened URL leading to a Dropbox download entitled "this is my pic.scr" that installed Poison Ivy, a remote access Trojan (RAT) and a suggestive screensaver. A second connection referrer was identified associated with the same campaign linking to a Facebook profile that was also effectively delivering Trojans while mimicking a girl interested in USAID. Fake Facebook posts used for malware dissemination (eromang.zataz.com) This campaign was linked to other U.S. Government targeting, including the U.S. Department of Labor (DoL) compromise that occurred around the same time (for more information, see isight 2014 All rights reserved. isight Partners, Inc. 7

8 Partners. "USAID Poison Ivy Campaign Through Social Media Linked to Department of Labor Compromise," Malware Report # May 22, 2013). Cyber criminals also frequently leverage social networks to expand their target pool. Actors will generally use compromised accounts to spread links that direct to an exploit kit or other malicious payload, allowing for the perpetration of click fraud, pay-per-install (PPI) activity or credential theft and then use the same compromised accounts to send further phishing messages, seeking to compromise new user accounts. Compromised accounts can also be used to access organizational data (for more information, see isight Partners. "Facebook-Themed Lures; Risk Posed to Organizational Data," Intel March 14, 2013; and "Dorifel Malware Spreading via Facebook Messenger; Threat Posed to Organizational Data," Intel April 9, 2013). We have also seen significant use of Facebook-themed lures in conventional spam messaging. For example, the UPS/DHL group was responsible for a significant number of spam messages that propagated via Facebook using parcel-themed lures in 2010 and 2011 (for more information, see isight Partners. "Facebook- and USPS-Themed Spam Campaigns Likely Executed by the Same Pay-Per-Install Service," Intel Nov. 17, 2011; and "Recent Spam Exploiting the Facebook Brand May Be Tied to a Group Known as the UPS/DHL Group," Intel Sept. 22, 2010). We continue to see similar activity now targeting the mobile marketplace that may be using similar methods (for more information, see isight Partners. "Spam Campaign Spreading Asprox and Mobile Malware Simultaneously; Represents Expansion of Known TTP into Mobile Marketplace," Intel Oct. 28, 2013). Brand Abuse Brand abuse is another threat posed by social media that is unique from the other threats discussed. Organizations should be attentive to how their brand name is used on social media sites, as actors may attempt to defame sites for financial or activist reasons. For example, in 2011 we observed actors using Google Plus to inflict reputational damage on financial institutions, notably Bank of America (for more information, see isight Partners. "Google Plus Account Attempts to Cause Reputational Damage Against Bank of America," Intel Nov. 16, 2011). We have also observed a number of financially motivated schemes that have impersonated namebrand sites or accounts to distribute malware. For example, in August, 2013, we reported on the use of the SourceForge brand to deliver various malware payloads (for more information, see isight Partners. "SourceForgery: SourceForge Brand Used to Distribute Malware Cocktails,"Intel Aug. 26, 2013). "Typosquatting," the practice of purchasing domains that look very similar to popular sites to catch inattentive typists, has also been used by malicious actors seeking to 2014 All rights reserved. isight Partners, Inc. 8

9 spoof legitimate pages or install malicious payloads (for more information, see isight Partners. "Updates on Typosquatting Campaign Identified in July; Changes to URLs, Infrastructure and Propagation Mechanisms," Intel Oct. 25, 2013). Brand abuse is much more difficult to track than an organization's legitimate accounts since the possibility of impersonating a given site is limited primarily to attackers' creativity. Organizations should be proactive about brand-image monitoring and aware that attackers seeking to defame an organization can leverage social media. Outlook and Implications We assess that social media will continue to offer companies benefits and increased security risks. Enterprises should inventory possible threats to their business in their industry and determine which threats are most likely to impact their operations. Various mitigation options are available to prevent or decrease the impact of each of the threats discussed in this report (for more information and mitigation strategies, see isight Partners. "Social Media Part II: Mitigation," Intel Nov. 4, 2013). Information Cut-Off Date: Nov. 4, 2013 Threat Intelligence Tags Intended Audience: Executive/Policymaker Language: English This message contains content and links to content which are the property of isight Partners, Inc. and are protected by all applicable laws. This cyber threat intelligence and this message are solely intended for the use of the individual and organization to which it is addressed and is subject to the subscription Terms and Conditions to which your institution is a party. Onward distribution in part or in whole of any isight proprietary materials or intellectual property is restricted per the terms of agreement. By accessing and using this and related content and links, you agree to be bound by the subscription terms of service All rights reserved. isight Partners, Inc. 9