Wednesday, October 2, 2013

bgp route injection == sick recon??

Short n sweet for this post, but I've got one brewing that I think will be pretty good, so stay tuned. This is just some random food for thought...

So yeah, BGP route injection is old news, but that hasn't stopped the same issues from coming back later.

I got thinking about this because I was talking to a buddy who runs networks at a company that got popped by everyone's favorite actor(s), Annoying Pwnage Terminators.

If you've ever been on the receiving end of their work, you might've been amazed at the sophistication of the recon. Spearphish emails are perfect mimics of the way legit ones look, and after they're in they don't seem to spend nearly as much time searching around for things as your average pen tester does.

The speculation I've heard is that this is due to the fusion of cyber milspec teams, college students, and state intel agencies.  That intel part must account for the uber-recon, right?

Well, my buddy mentioned that sometime before the known start point of the breach, there was a route injection event that lasted a short time and originated from Asia. He claimed that there was no traffic received back during that time, so basically packets from his org just routed out to some black hole in Asia.

That bit got me thinking... If you targeted BGP route injection like that, just what exactly would you end up getting from your victim??

The data would be somewhat limited if you weren't sending back ACKs for their push packets, but you could still grab some significant info:

- internal DNS
- internal IP
- email contents
- usernames
- cookies / session IDs
- hashes / passwords
- etc??

So armed with my theory, I hit up another buddy who works in that space for a living and laid it out for him. I can't lie, he sounded underwhelmed and didn't seem sold on the idea. But it still seems interesting, so I figured I'd share.

Dan says there are crazy forensics on BGP injection history, but I think the attack my buddy experienced came in over some local Asian link (connected via MPLS or whatnot to the rest of the network), so I'm not sure that type of injection would be captured by the public logs.
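A check that doesn't depend on anyone's BGP archive is your own flow logs: the one-way window described above shows up as a destination prefix that normally answers going silent while your hosts keep sending to it. Added example, not from the original post; it runs over constructed NetFlow-style records (assumed layout: start time, source, destination, bytes out, bytes in) using documentation-range addresses.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flow records (not from the post), shaped like a
# NetFlow/IPFIX or Zeek conn.log summary:
# (start_ts, src_ip, dst_ip, bytes_out, bytes_in)
FLOWS = [
    # normal two-way traffic to a remote prefix
    (1380700800, "10.1.2.10", "203.0.113.5", 4200, 9800),
    (1380700815, "10.1.2.11", "203.0.113.9", 1500, 3100),
    (1380700830, "10.1.2.12", "203.0.113.5", 800, 1200),
    # next minute: same prefix, nothing comes back (route blackholed)
    (1380700870, "10.1.2.10", "203.0.113.5", 600, 0),
    (1380700872, "10.1.2.11", "203.0.113.9", 300, 0),
    (1380700880, "10.1.2.12", "203.0.113.7", 900, 0),
    (1380700890, "10.1.2.13", "203.0.113.5", 120, 0),
    # same minute, an unrelated prefix still answers: must not be flagged
    (1380700875, "10.1.2.10", "198.51.100.20", 500, 700),
    # minute after: route gone again, traffic recovers
    (1380700925, "10.1.2.10", "203.0.113.5", 700, 1500),
]

def dst_prefix(ip, plen=24):
    """Aggregate destinations to a /24 so one silent host doesn't trigger."""
    return str(ip_network(f"{ip}/{plen}", strict=False))

def find_blackhole_windows(flows, bucket_secs=60, min_flows=3):
    """Return (bucket_start, prefix, flow_count, bytes_out) for each time
    bucket in which at least min_flows flows went to a prefix that answers
    in other buckets, but not one byte came back in this bucket."""
    stats = defaultdict(lambda: [0, 0, 0])  # (bucket, prefix) -> [flows, out, in]
    answered = set()                        # prefixes seen replying at any time
    for ts, _src, dst, out_b, in_b in flows:
        key = (ts - ts % bucket_secs, dst_prefix(dst))
        stats[key][0] += 1
        stats[key][1] += out_b
        stats[key][2] += in_b
        if in_b > 0:
            answered.add(key[1])
    hits = []
    for (bucket, prefix), (n, out_b, in_b) in sorted(stats.items()):
        if prefix in answered and n >= min_flows and out_b > 0 and in_b == 0:
            hits.append((bucket, prefix, n, out_b))
    return hits

if __name__ == "__main__":
    for bucket, prefix, n, out_b in find_blackhole_windows(FLOWS):
        print(f"{bucket}: {n} flows / {out_b} bytes to {prefix}, zero bytes back")
```

Correlate any flagged bucket with your router's BGP update log for that minute; a more-specific prefix or a changed next hop appearing right then is the confirmation the post is asking for.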

Anyway, if you do business in that region, and if you've been popped by those crews, and if you can confirm that you saw route injection prior to the attack, feel free to drop me a note and I'll give anonymized updates here.

Until next time, have fun n keep hackin :)
