The cyber kill chain is a seven-phase model of a chained cyber-attack, from early reconnaissance to the final goal, typically data exfiltration. One of the tools an adversary may deploy along the way is a rootkit: malicious software designed to enable access to a computer, or to an area of its software, that is not otherwise allowed (for example, to an unauthorized user), and that usually masks its own existence or the existence of other software. In this paper, the seven stages of the cyber kill chain are evaluated from the perspective of a real-world example (below), taken from the Pro-Tech cyber security website.
Case Study:
On July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on the website of a well-known aerospace firm. The website was compromised to launch an apparent watering-hole attack against the company’s customers. It was hosting an Adobe Flash exploit targeting one of the newly disclosed vulnerabilities from the Hacking Team data breach, CVE-2015-5122. This attack yet again showcases the opportunistic tendencies of adversary groups and bad actors. The malware deployed by this exploit has been seen in a number of targeted attacks and provides attackers with a foothold on the victim’s machine and/or network. The exploit file, movie.swf, was ZWS compressed, a tactic that has been observed to evade anti-virus programs. Once uncompressed, a binary was found to be embedded in the Flash file. Upon further analysis, this file was found to contain behavior consistent with a Trojan commonly called IsSpace. Based on its codebase and behavioral patterns, it appears that IsSpace could possibly be an evolution of the NFlog backdoor, which has previously been attributed to the adversary groups DragonOK and Moafee. Both groups are thought to be operating out of Southeast Asia, and Moafee in particular has been associated with attacks on the US defense industrial base.
Evaluation:
In this case, the malware that gave the attackers a foothold on the victim's machine is the binary embedded in the Flash exploit file. Its behavior is consistent with the Trojan commonly called IsSpace, so it is probably IsSpace or a derivative of it. Strictly speaking, the case study describes a backdoor Trojan rather than a rootkit: it reports no hiding of files or processes on the victim machine, and whether the backdoor obtained root or administrative privilege is not stated. The evasion that helped the malware get onto the machine unnoticed was the ZWS compression of the exploit file, a tactic used to slip past anti-virus programs.
Step 1: RECONNAISSANCE
The case study does not state how the adversary carried out reconnaissance. Because the chosen method is a watering-hole attack, however, the reconnaissance must have concluded that the aerospace firm's website is a place its customers visit frequently, so that compromising the site would reach those customers. Typical reconnaissance techniques, such as scanning the website's servers for open TCP/UDP ports, harvesting e-mail addresses, or collecting conference and customer information, may have been used to find a way onto the site; the case study does not say which. The vulnerability that was actually exploited, CVE-2015-5122 in Adobe Flash, was not discovered by the attackers themselves: it became public through the Hacking Team data breach, and the adversary picked it up opportunistically, as the case study notes.
Step 2: WEAPONIZATION
Weaponization is the process of organizing the information collected during reconnaissance and coupling an exploit with a deliverable payload; it can be thought of as assembling the weapon together with the directions for the steps that follow. In our case the weapon was prepared for delivery through the aerospace firm's website: the attackers took the Flash exploit for CVE-2015-5122, which had been disclosed in the Hacking Team breach, embedded the IsSpace binary inside the Flash file (movie.swf), and ZWS-compressed the file so that anti-virus programs would not flag it. Since reconnaissance had established that customers would load Flash content from the site, the exploit was weaponized for exactly that interaction.
Step 3: DELIVERY
In the seven-step cyber kill chain, delivery refers to the actual launching of the weapon at the target. It can rely on a human, for example an insider who provides unauthorized access or installs the weapon directly from a USB device, or it can be purely technical, such as an e-mail attachment, a malicious or compromised website, or a network-level attack. In our case the attack on the aerospace company's customers was planted on the aerospace firm's own website, so customers were infected when they visited the compromised site and their browsers loaded the malicious Flash file. The watering-hole technique is clearly the delivery method.
Step 4: EXPLOITATION
Following delivery of the weapon, exploitation triggers the attacker's malicious code on the victim's system. This stage abuses vulnerabilities in an application, in the operating system, or in the user's behavior. In our case study the vulnerability is CVE-2015-5122 in Adobe Flash Player: when a customer's browser loaded movie.swf from the compromised website, the exploit ran inside Flash Player and executed the attacker's code. The exploit file was ZWS (LZMA) compressed, a tactic that has been observed to evade anti-virus programs, so the exploit was not only prepared against the Flash vulnerability but also packaged to avoid detection before it could run.
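The ZWS compression and the binary embedded in the Flash file are straightforward to check for during triage. The following Python script is an added example written for this page, not code from the case study or from Unit 42: it parses the SWF header, inflates a CWS (zlib) or ZWS (LZMA) file, and carves any PE executable from the decompressed body. The sample it builds is constructed here (a minimal fake PE image inside a ZWS container), not the real movie.swf, and the layout it assumes for ZWS (a 4-byte compressed length, 5 LZMA property bytes, then a raw LZMA1 stream) follows the SWF file format specification.

```python
"""Triage a Flash (SWF) file: detect FWS/CWS/ZWS compression, inflate it,
and carve any PE executable embedded in the decompressed body.
Added example for this page; the sample input is constructed, not real malware."""
import lzma
import struct
import zlib

SWF_HEADER_LEN = 8  # signature(3) + version(1) + uncompressed file length(4)


def parse_swf_header(data: bytes) -> dict:
    """Return signature, version and declared uncompressed length of an SWF."""
    if len(data) < SWF_HEADER_LEN or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    (uncompressed_len,) = struct.unpack_from("<I", data, 4)
    return {"signature": data[:3].decode("ascii"), "version": data[3],
            "uncompressed_len": uncompressed_len}


def decompress_swf(data: bytes) -> bytes:
    """Return the SWF rewritten in uncompressed (FWS) form.

    CWS: body is a zlib stream.  ZWS (assumed layout per the SWF spec):
    bytes 8..11 compressed length, byte 12 LZMA properties (lc/lp/pb),
    bytes 13..16 dictionary size, byte 17 onward the raw LZMA1 stream.
    """
    hdr = parse_swf_header(data)
    body_len = hdr["uncompressed_len"] - SWF_HEADER_LEN
    if hdr["signature"] == "FWS":
        body = data[SWF_HEADER_LEN:]
    elif hdr["signature"] == "CWS":
        body = zlib.decompress(data[SWF_HEADER_LEN:])
    else:  # ZWS
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        props = data[12]
        lc, rem = props % 9, props // 9
        lp, pb = rem % 5, rem // 5
        (dict_size,) = struct.unpack_from("<I", data, 13)
        filters = [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                    "lc": lc, "lp": lp, "pb": pb}]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=filters)
        # max_length stops at the declared size whether or not an end marker follows
        body = dec.decompress(data[17:], max_length=body_len)
    if len(body) != body_len:
        raise ValueError(f"body is {len(body)} bytes, header declares {body_len}")
    return b"FWS" + data[3:SWF_HEADER_LEN] + body


def find_embedded_pe(blob: bytes) -> list:
    """Carve offsets of PE images: an 'MZ' header whose e_lfanew points at 'PE\\0\\0'.
    Carving works regardless of which SWF tag (e.g. DefineBinaryData) holds the bytes."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_sample_zws() -> bytes:
    """Constructed test input (not the real movie.swf): a ZWS-compressed SWF
    whose body carries a minimal fake PE image between filler bytes."""
    pe = bytearray(0x80)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)  # e_lfanew -> PE signature offset
    pe[0x40:0x44] = b"PE\0\0"
    body = b"\x00" * 16 + b"A" * 200 + bytes(pe) + b"B" * 200  # filler stands in for SWF tags
    dict_size, lc, lp, pb = 1 << 20, 3, 0, 2
    filters = [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                "lc": lc, "lp": lp, "pb": pb}]
    packed = lzma.compress(body, format=lzma.FORMAT_RAW, filters=filters)
    header = b"ZWS" + bytes([13]) + struct.pack("<I", SWF_HEADER_LEN + len(body))
    props = bytes([(pb * 5 + lp) * 9 + lc]) + struct.pack("<I", dict_size)
    return header + struct.pack("<I", len(packed)) + props + packed


if __name__ == "__main__":
    sample = build_sample_zws()
    print(parse_swf_header(sample))
    inflated = decompress_swf(sample)
    print("embedded PE at offsets:", find_embedded_pe(inflated))
```

To use it on a suspicious .swf, replace build_sample_zws() with the file's bytes read from disk. A hit from find_embedded_pe is not proof of malice by itself, since Flash files can legitimately carry arbitrary data, but an executable image inside a movie that a browser fetched from a vendor's website is exactly the kind of signal that would have surfaced movie.swf earlier.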
Step 5: INSTALLATION
At this fifth stage, installation, the adversary establishes a persistent presence on the victim's system, typically by installing a Trojan or backdoor that provides remote access. The user does not knowingly install the malware; the exploit drops it. Disruption or destruction need not occur at this stage; its purpose may only be to establish a foothold for command and control. In our case study, the Flash file carried an embedded binary, and once the exploit ran, that binary (the IsSpace Trojan) was installed on the victim's machine, giving the attackers a foothold on the machine and/or the network.
Step 6: COMMAND AND CONTROL
In this stage of the cyber kill chain, the malware installed in the previous stage enables the adversary's command and control instructions to be carried out. Compromised hosts connect to an attacker-controlled server over the Internet, forming the Command & Control (aka C2) channel. Once the C2 channel is established, intruders effectively have “hands on the keyboard” access inside the target environment. In our case, the installed binary behaves like the Trojan commonly called IsSpace, a backdoor, which is what would give the attackers such a channel into the infected customer machines; the case study does not describe the C2 infrastructure itself.
Step 7: ACTIONS ON OBJECTIVES
In this stage, having successfully gone through the previous six stages, the adversary carries out its actual objectives. The longer the adversary holds this level of access, the greater the impact: a longer stay enables further objectives such as sniffing network traffic, accessing specific files and information, or corrupting crucial files. In our case study, IsSpace is possibly an evolution of the NFlog backdoor, which has been attributed to the DragonOK and Moafee groups; Moafee in particular has been associated with attacks on the US defense industrial base. The case study does not state what the attackers did on the victims' machines, but given the target population (an aerospace firm's customers) and these group associations, the likely objective is espionage: extracting information from organizations in the US defense industrial base.
CITATION:
* Pro-Tech: https://www.usprotech.com/7-essential-steps-cybersecurity-kill-chain-process/
* Rootkit (Wikipedia): https://en.wikipedia.org/wiki/Rootkit
* Linuxhint: https://linuxhint.com/cyber_kill_chain_steps/
Birhane: Researched and compiled from sources above.