Attack indicators for NG-911 networks
What is in this article?
Computer systems are attacked for two general reasons: they are specifically targeted by attackers, or they are a target of opportunity. The first type of attack has nothing to do with the system itself, but rather what the attacker is specifically after, e.g., details that are useful in the planning of a heist. The second type of attack primarily focuses on system vulnerabilities, with little regard for the organization.
For example, an attacker may comb the Internet for companies that use Zen Cart 18.104.22.168, a popular online shopping cart, and exploit those using SQL injections, a type of attack that identifies vulnerabilities in an application’s software and then inserts malicious code into the program. Retailers are particularly prone to such attacks. The attackers don’t care that the site is a non-for-profit helping hungry children, for instance, only that it is vulnerable and that sensitive data such as credit card information can be stolen from it.
On that note, the press conference was informative in more ways than the mayor anticipated. The topics covered were encouraging not only to the community at large that would benefit from the expanded emergency services, but also to the cybercriminals that now had an open door into the once-closed 911 networks. During the press conference, the mayor personally thanked, by name, the different private companies whose tireless efforts made the initiative a reality. Unwittingly, she disclosed enough information for the cybercriminals to start their research.
The Computing Technology Industry Association (CompTIA) describes the four stages of a cyber attack as reconnaissance, scanning, researching vulnerability, and performing the attack. Each of the stages can cycle back to another stage as the attack penetrates an organization. In this scenario, the attackers were very deliberate, targeting the NG-911 internetworks and the vulnerabilities their implementation could create. CompTIA describes reconnaissance as the information-gathering stage for attackers to gather any data that can prove useful. They comb through websites, news groups, and domain registrations—pretty much anything that will show them where the doors are, and provide clues as to what might be on the other side.
The mayor unknowingly—and erroneously—provided information during the press conference that gave the attackers several opportunities, by mentioning that NG-911 services could be accessed via e-mail. Of course, e-mail delivery currently isn’t an option because there is no location capability and they can be delayed by hours, minutes or days—or not delivered at all—which would significantly hinder emergency response.
Nevertheless, the mayor’s proclamation resulted in a flood of e-mails from the public, which wanted to test the system. Unfortunately, it also resulted in an advanced persistent threat (APT)—specifically, spear-phishing attacks aimed at the Sheriff’s Office.
Spear-phishing attacks, which are specially crafted e-mails sent to specific individuals from a target organization, account for 91% of targeted attacks, according to TrendLabs, the research-and-development arm of cybersecurity solutions vendor Trend Micro. These e-mails are designed to look like legitimate e-mails, but contain links and/or attachments that are infected with malware. The good news was that those attacks were blocked because the Sheriff’s Office had the appropriate cybersecurity measures in place.
The mayor also had mentioned during the press conference that surrounding agencies would have direct access to each other’s networks—she even provided approximations as to when they would be online and participating with NG-911 services. The bad news is that these smaller agencies generally lack the IT resources of the Sheriff’s Office.
All of the surrounding agencies received e-mails with a PDF attachment entitled “Compliance Requirements for Next-Generation 911 Services,” which appeared to originate from the Sheriff’s Office. The document served as a decoy while the malware was installed; once in place, the malware awaited instructions from a malicious command-and-control server controlled by the attackers. (See Figure 1 for a description of a spear-phishing attack.)
Figure 1–Spear-phishing infection chain
Source: Trend Micro
These attacks were particularly troublesome because the attackers were able to install a rootkit, which helped to hide the remote access Trojans (RATs) from detection. Adding a second layer of obfuscation, the attackers used a family of RATs referred to as “FAKEM” for their ability to disguise themselves as other protocols.
Further, because the attackers knew which vendors were involved in the NG-911 rollout—they simply looked up the government contracts, which routinely are posted online—they were able to research the vendors’ software to identify vulnerabilities or design flaws that could be exploited.
For example, PSAPs across the U.S. have used Geographic Information System (GIS) services in order to improve emergency response for decades. NG-911 further enhances theses services by layering multiple datasets from external sources, such as traffic analysis, to further reduce emergency response times. The attackers were able to use the standard features of GIS to their advantage. For testing purposes, the vendor had identified a default agency, and had configured the system so that any test calls assigned to this agency would close automatically. This agency was assigned all of the calls generated from the Diamond Exchange during testing.
Another standard feature of any 911 system is to route inbound calls to the operator covering a specific geographic area. The attackers were able to use the system application programming interface (API), which was documented on the vendor’s website, to simulate the coverage area of the aforementioned default agency.
As a test, the attackers created a GIS boundary around an abandoned field and assigned its jurisdiction to the default agency. They then simulated a burglar alarm from the field’s address, which automatically was routed to the default agency and closed in the database. The attackers’ final preparations included the creation of a small “zombie army.” This army can be any number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam and viruses) to other computers connected to the Internet. The compromised systems of those agencies participating in the NG-911 deployment are an example of a zombie army.