It’s been a tough couple of weeks. We’ve been spending way more time than I would prefer helping new/existing clients recover from security incidents. Integral to this effort is the process of each client learning from the incident and updating their security incident response plans accordingly.
One thing that you generally don’t yet find in most such plans is crossing over to the “dark” side of the internet – but moving forward I think it’s likely you may. Let me explain what I mean and why…
One of our clients referred another company to us that unfortunately had been hacked. Several weeks prior, their client-facing website/application had been “hijacked” and was redirecting visitors from certain geographic regions to an overseas site. The client focused on recovery rather than investigation, so they never tried to determine what the purpose of the redirects was. The best guess would be a drive-by malware site, although the geographic targeting is an unusual twist that would have been interesting to understand. To ensure that any traces of the compromise were eradicated, the client rebuilt the site at a different hosting provider on a fresh Content Management System (CMS) install with updated modules/templates. Note that a rebuild removes backdoored files, but it does not, by itself, invalidate any credentials the attacker may already have harvested; those need to be rotated as well.
The client called us because the site had been hacked again. This time the site had been defaced. By the time they called us they had taken the site offline. They wanted to get the site back up as soon as possible, but before doing so they wanted to know how the site had been hacked, so that it wouldn’t simply recur. Because the site was at a shared hosting provider, the logs available to us were limited in both quality and quantity. That being said, we had two good data points: an overseas IP address repeatedly requesting the admin page of the application, and the fact that the defacement had been signed with a hacker’s handle.
It was relatively straightforward to determine that the IP address belonged to a cloud server provider, the kind of disposable infrastructure often used by the hacking community. However, conventional searches turned up nothing on the handle that signed the defacement. Time for a trip to the dark side.
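The first data point above (an outside IP address hitting the admin page) is the kind of thing you can pull out of even a thin hosting-provider log. The script below is an added example, not code from the original post or from the client’s investigation. It assumes an Apache/Nginx “combined” format access log, a set of typical CMS admin/login paths (the post does not say which CMS was involved), and a trusted address range the site owner administers from; the log lines are constructed for illustration.

```python
"""Triage a web server access log for requests against the CMS admin interface.

Added example, not from the original post. Assumptions: combined log format,
the admin paths below are typical CMS back-ends (Joomla, WordPress, Drupal), and
the trusted network is where the site owner legitimately administers from.
The sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/Nginx "combined" log format.
COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed admin/login entry points for common CMS platforms.
ADMIN_PATHS = ("/administrator/", "/wp-login.php", "/wp-admin/", "/user/login")

# Assumed: address range the site owner itself administers from (documentation range).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample log: one legitimate admin login, one outside IP making a
# burst of POSTs to the admin login, and one scanner probing for WordPress.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:09:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:09:16:40 +0000] "GET /administrator/ HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:09:16:41 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:09:16:43 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:09:16:45 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:09:17:02 +0000] "POST /administrator/index.php HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:01:11 +0000] "GET /administrator/ HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2014:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.2"
"""


def parse(log_text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if m:
            yield m.groupdict()


def admin_probes(log_text):
    """Map each untrusted source IP to its requests against admin paths.

    Returns {ip: [(time, method, path, status), ...]} in log order.
    """
    hits = defaultdict(list)
    for r in parse(log_text):
        if not r["path"].startswith(ADMIN_PATHS):
            continue
        addr = ip_address(r["ip"])
        if any(addr in net for net in TRUSTED_NETS):
            continue  # the owner's own administration traffic
        hits[r["ip"]].append((r["time"], r["method"], r["path"], r["status"]))
    return dict(hits)


def summarize(hits):
    """Per IP: request count, POSTs (login attempts), and first/last seen times."""
    summary = {}
    for ip, reqs in hits.items():
        summary[ip] = {
            "requests": len(reqs),
            "posts": sum(1 for _, method, _, _ in reqs if method == "POST"),
            "first_seen": reqs[0][0],
            "last_seen": reqs[-1][0],
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize(admin_probes(SAMPLE_LOG)).items():
        print(f"{ip}: {info['requests']} admin requests, {info['posts']} POSTs, "
              f"{info['first_seen']} .. {info['last_seen']}")
```

A burst of POSTs to the admin login from a single outside address, followed by a 200 rather than another redirect, is the pattern worth pulling the full request history for. The next step in the post, identifying who owns the address, is a WHOIS/ASN lookup against the network block and is left out of the script because it needs network access.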
Most people are familiar with TOR (The Onion Router). It’s a mechanism that you can use to surf the web in an “anonymous fashion.” The TOR client (installed on your computer) routes your traffic through a chain of volunteer-run relays, encrypting it in layers so that no single relay knows both where the traffic came from and where it is going. This makes TOR very difficult to trace Internet activity through. Of course, it is also widely used for nefarious purposes.
One thing many people don’t know about TOR is that it can also be used to reach “hidden services,” sites that are only accessible from inside the TOR network and that are sometimes referred to collectively as the “darknet.” These are reached via .onion addresses, which are not part of the public DNS and cannot be resolved by an ordinary browser. It’s the hidden part of the internet where virtually anything can be bought or sold (e.g., drugs, guns, credit cards, botnets, and assassins). It’s not for the faint of heart, and despite the “anonymity” that TOR provides, you still find yourself looking over your shoulder when you’re on it. In short order, on hacker message boards reachable only through TOR, we found posts that gave us the date/time of the compromise and the mechanism that had been used. (I’m intentionally keeping the details sparse in deference to our client.)
Part of our client’s continuous improvement process is adding TOR/darknet knowledge to their Computer Security Incident Response Team (CSIRT). Hopefully, they won’t have to exercise the plan anytime soon, but if they do have a security incident to respond to, their Incident Response Plan now includes a trip to the dark side.