goobster · 2841 days ago · parent post: 9.3M Patient Records Hacked

I used to work at F5, so I got to be in some really scary meetings where people talked about a variety of attack types.

Ransomware and other attacks like it are still just basically the digital form of smash-n-grabs. It's like the late-night attack on the jewelry store, where someone bashes in the window, takes a fistful of shiny, and disappears into the night to sell that shiny to someone else.

What's scary are the tactical attacks.

CyberFighters were the first that I am aware of. They knew that banks had insurance against attacks. So they would DDoS the bank's site and charge a rate slightly less than the insurance would pay out. Sustained attacks over hours and days would eventually get the banks to cough up cash.

Blunt, but effective.

Then another group started launching DDoS attacks against banks, but it turns out these were just a front for the real crime, which was happening behind the scenes. A bank's web site gets DDoS'ed, and everyone is scrambling to redirect traffic to Akamai, profile the attack packets and teach their ADCs to dump packets matching those attributes, etc.

And the phone rings constantly.

On one of these calls, "Eugene", with a weird accent, is on the phone from the branch office in New York, which is getting whacked, and he can't get access to his DNS. So he asks for the IP address of the back end system they are re-routing traffic to, as a quick fix to get around the DNS.

Shit. Eugene tries to log in, but his login isn't working because the Active Directory server needs to talk to the DNS, but the DNS is saturated by the ongoing DDoS. "Do you have a login that works without Active Directory, so I can get in?"

The hassled sysadmin has nine different Terminal sessions open on six different machines, and Akamai is on the other line, and the phone keeps slipping off his shoulder... so he gives Eugene the credentials to log in, bypassing the DNS and tunneling around the ADC directly into the control server or firewall in the DMZ.

... and five months later, a junior sysadmin is running some cleanup on some hard disks which were misconfigured in this old server over here, and she notices a couple gigs of text files in a weird numbered directory. Looks like log files, but she goes ahead and TOPs the first hundred lines of the first file and sees... names... social security numbers... addresses... doctors' names... prescriptions...

She greps the directory for text strings in the format xxx-xx-xxxx, and gets hundreds of thousands of hits.

The junior sysadmin locks down the permissions on the disk. She copies the log files over to her personal directory. Checks the accesses... huge numbers of IP addresses that start with 5.8.x.x ...

Eventually someone figures out what happened, and the DDoS attack was a distraction for the social-engineering hack from "Eugene", who then got behind the back doors, and made himself comfortable inside their data center, siphoning off data constantly for months.

These attacks aren't new. They are ongoing today.

It's just nobody talks about them because of what it would do to their stock prices. So everyone keeps these breaches under wraps.

And this is going on all the time.
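The triage the junior sysadmin does by hand in the story (peek at the files, grep for xxx-xx-xxxx, look at who was pulling the data) as an added example script; this is not code from the comment or from any product it mentions. The record layout, the access-log format and every sample line are constructed for the example, and the `5.8.` prefix is just the value the story gives.

```python
"""
Added example (not part of the original comment): a small triage script of
the kind the junior sysadmin in the story runs by hand with top/grep.
It scans text for strings shaped like US Social Security numbers
(xxx-xx-xxxx), tallies the source addresses in an access log so an
unexpected block of IP space (the story's 5.8.x.x) stands out, and masks
the sensitive tokens before anything gets copied elsewhere.
All sample data below is constructed; the log format is an assumption.
"""
import re
from collections import Counter
from typing import Dict, List

# Shape of a US SSN as written in the story: three-two-four digits.
SSN_SHAPE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample of what the "log files" in the story might look like:
# one record per line, pipe-separated fields.
SAMPLE_RECORDS = """\
Jane Doe|123-45-6789|12 Example St|Dr. Smith|atorvastatin
John Roe|987-65-4321|34 Sample Ave|Dr. Jones|metformin
order-id 2024-11-0001 shipped
"""

# Constructed sample access log: "<source ip> <timestamp> <method> <path>".
SAMPLE_ACCESS_LOG = """\
5.8.10.20 2016-03-01T02:14:07Z GET /dump/00017.txt
5.8.10.21 2016-03-01T02:14:09Z GET /dump/00018.txt
10.1.4.7 2016-03-01T08:00:00Z GET /status
5.8.10.20 2016-03-02T02:14:07Z GET /dump/00019.txt
192.168.3.9 2016-03-02T09:12:33Z GET /status
"""


def find_ssn_like(text: str) -> List[str]:
    """Return every xxx-xx-xxxx token in the text (the pattern the story greps for)."""
    return SSN_SHAPE.findall(text)


def count_ssn_like_lines(text: str) -> int:
    """Number of lines containing at least one SSN-shaped token."""
    return sum(1 for line in text.splitlines() if SSN_SHAPE.search(line))


def summarize_source_ips(log_text: str) -> Dict[str, int]:
    """Tally requests per source IP; assumes the IP is the first whitespace field."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if parts:
            counts[parts[0]] += 1
    return dict(counts)


def share_by_prefix(ip_counts: Dict[str, int], prefix: str) -> float:
    """Fraction of all requests from addresses starting with prefix (e.g. '5.8.')."""
    total = sum(ip_counts.values())
    if total == 0:
        return 0.0
    matched = sum(n for ip, n in ip_counts.items() if ip.startswith(prefix))
    return matched / total


def redact(text: str) -> str:
    """Mask SSN-shaped tokens so findings can be shared without spreading the data."""
    return SSN_SHAPE.sub("XXX-XX-XXXX", text)


if __name__ == "__main__":
    print("SSN-shaped tokens:", find_ssn_like(SAMPLE_RECORDS))
    print("lines with PII:", count_ssn_like_lines(SAMPLE_RECORDS))
    ips = summarize_source_ips(SAMPLE_ACCESS_LOG)
    print("requests per IP:", ips)
    print("share from 5.8.x.x: %.0f%%" % (100 * share_by_prefix(ips, "5.8.")))
    print(redact(SAMPLE_RECORDS))
```

The prefix share is the number worth alerting on: a data-export path whose requests come overwhelmingly from one unexpected block of address space is the signal the story describes. The `redact` step exists because the first instinct in the story, copying the raw files to a personal directory, makes a second copy of the same records; masked excerpts are enough for the escalation.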