The attacker uses these keys to log in to those other servers, then repeats the process from each
newly compromised host, moving laterally through the enterprise without triggering alerts.

Given how many keys are typically present (on average 10-200 per server in most enterprises), such
an attack can be expected to spread to nearly every data center in the enterprise.

In some companies, more than 100,000 keys grant access from low-security test and development
environments into production servers alone. Key-based access between data centers is almost
always present.

Usually, there are also many SSH keys granting access from individual user accounts to
privileged service accounts, bypassing the privileged-access monitoring that was supposed to
control such logins.

Cybercriminals use sophisticated means to avoid detection. They can monitor a compromised server
for days or weeks to learn which SSH keys are actually used against which servers, and then
piggyback on those legitimate connection patterns so their own logins do not stand out.
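The lateral movement described above is, in practice, a walk over a trust graph: every private key sitting in a user's ~/.ssh on one host, whose public half appears in an authorized_keys file on another host, is an edge an attacker can follow. The script below is an added example, not code from the article. It fingerprints keys the way `ssh-keygen -lf` does (SHA256 of the decoded blob), builds that graph from a constructed inventory, traces everything reachable from a single foothold, and flags the two edge types the article singles out: keys crossing from test/development into production and keys landing on privileged accounts. Hostnames, account names, the `dev`/`prod`/`dr` environment labels and the base64 blobs are all constructed placeholders.

```python
"""Map SSH key trust across hosts and trace where one compromised account can spread.

Added example, not from the article. The inventory is constructed: the base64
blobs (a2V5QQ== etc.) are placeholders, not real keys, but they are fingerprinted
exactly as `ssh-keygen -lf` would fingerprint a real public key.
"""
import base64
import hashlib
import re
from collections import deque

# Finds the key type and blob inside a public-key or authorized_keys line,
# skipping leading options such as from="..." or command="...". Simplified:
# not every key type OpenSSH accepts is listed here.
KEY_RE = re.compile(
    r"(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/]+={0,2})"
)


def is_privileged(account):
    """Assumption for this example: root and svc-* are privileged service accounts."""
    return account == "root" or account.startswith("svc-")


def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of a public-key line, or None if no key is found."""
    m = KEY_RE.search(line)
    if not m:
        return None
    digest = hashlib.sha256(base64.b64decode(m.group(1))).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed inventory: per host, its environment and, per account, the public
# halves of private keys found in ~/.ssh ("identities") plus the account's
# authorized_keys lines. Hostnames, accounts and blobs are placeholders.
INVENTORY = {
    "dev-build01": {"env": "dev", "accounts": {
        "jsmith": {"identities": ["ssh-ed25519 a2V5QQ== jsmith@dev-build01"],
                   "authorized_keys": []},
    }},
    "prod-app01": {"env": "prod", "accounts": {
        "deploy": {"identities": ["ssh-ed25519 a2V5Qg== deploy@prod-app01"],
                   "authorized_keys": ['from="10.0.0.0/8" ssh-ed25519 a2V5QQ== jsmith@dev-build01']},
        "root": {"identities": [],
                 "authorized_keys": ["ssh-ed25519 a2V5Qg== deploy@prod-app01"]},
    }},
    "prod-db01": {"env": "prod", "accounts": {
        "root": {"identities": [],
                 "authorized_keys": ["ssh-ed25519 a2V5Qg== deploy@prod-app01",
                                     "ssh-ed25519 a2V5Qw== backup@dr-backup01"]},
    }},
    "dr-backup01": {"env": "dr", "accounts": {
        "backup": {"identities": ["ssh-ed25519 a2V5Qw== backup@dr-backup01"],
                   "authorized_keys": []},
    }},
}


def build_trust_graph(inventory):
    """Edge (host, acct) -> (host2, acct2) when acct on host holds a private key
    whose public half is in acct2's authorized_keys on host2."""
    holders = {}  # fingerprint -> set of (host, account) holding that private key
    for host, info in inventory.items():
        for acct, data in info["accounts"].items():
            for line in data["identities"]:
                fp = fingerprint(line)
                if fp:
                    holders.setdefault(fp, set()).add((host, acct))
    graph = {}
    for host, info in inventory.items():
        for acct, data in info["accounts"].items():
            for line in data["authorized_keys"]:
                for src in holders.get(fingerprint(line), ()):
                    graph.setdefault(src, set()).add((host, acct))
    return graph


def reachable(graph, start):
    """Every (host, account) an attacker holding `start` can reach by chaining keys."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def risky_edges(inventory, graph):
    """Edges that cross environments or step from an unprivileged into a privileged account."""
    findings = []
    for src, dsts in graph.items():
        for dst in dsts:
            src_env, dst_env = inventory[src[0]]["env"], inventory[dst[0]]["env"]
            reasons = []
            if src_env != dst_env:
                reasons.append(f"crosses {src_env}->{dst_env}")
            if is_privileged(dst[1]) and not is_privileged(src[1]):
                reasons.append("unprivileged account into privileged account")
            if reasons:
                findings.append((src, dst, "; ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    g = build_trust_graph(INVENTORY)
    foothold = ("dev-build01", "jsmith")
    for node in sorted(reachable(g, foothold)):
        print(f"{foothold[1]}@{foothold[0]} can reach {node[1]}@{node[0]}")
    for src, dst, why in risky_edges(INVENTORY, g):
        print(f"{src[1]}@{src[0]} -> {dst[1]}@{dst[0]}: {why}")
```

With the constructed inventory, a single developer account on dev-build01 reaches the deploy account and root on prod-app01 and root on prod-db01 in two hops, which is the chain the article describes. Against a real estate the inventory would come from collecting ~/.ssh/*.pub and authorized_keys files from every host; the graph logic does not change, and the same edges that the script flags are the ones an attacker who watches real traffic for a few weeks would learn to piggyback on.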


Bringing the Fortune 500 to Its Knees


At this point, the intruder can corrupt the systems or destroy them outright: modify database
records in subtle ways, corrupt backups, or render every penetrated server, storage device and
router inoperable.

For example, the attacker can reprogram the firmware on routers and switches, implant malware
in disk drive firmware, network adapter firmware or BIOS firmware, and wipe any data on the
affected servers and storage systems, including any penetrated backup and disaster recovery
systems.

This would be a crippling blow for a Fortune 500 company. Its IT teams would need weeks or months
to rebuild and reinstall its systems, and it would likely lose a good number of recent transactions.

How many hours, days or weeks can a typical Fortune 500 be down before the reputation
damage is irreparable?

The damage to shareholders could easily exceed $30 billion, given the extent of the damage
and the inability to operate or even communicate.


These days, there are multiple possible reasons for launching such an attack. A nation-state in a
cyberwar might conduct such activity against as many enterprises as possible, even attacking
multiple enterprises simultaneously.

Perhaps a terrorist organization wants to cause chaos. Perhaps a hacktivist wants to teach
investors not to put money in “unethical” enterprises. Perhaps a criminal organization wants to
extract ransom.




85 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
