SANS ISC: Internet Storm Center Diary


Technical Report about the RUAG attack

Published: 2016-05-23
Last Updated: 2016-05-23 17:50:28 UTC
by Rick Wanner (Version: 1)
3 comment(s)

RUAG is a Swiss-based company in the aerospace, defense, and space industries. In January 2016 it detected an external compromise of its network. Further investigation revealed that the network had been compromised since at least September 2014.

The most interesting thing, in my mind, is that this attack was not particularly advanced or stealthy, but it demonstrated an almost textbook attack profile. From the report summary:

"The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection. After they got into the network, they moved laterally by infecting other devices and by gaining higher privileges."

They went after high-profile targets:

"One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships."

Command and control (C&C) and exfiltration were over HTTP on port 80, a port almost every organization will have open outbound.

"The malware sent HTTP requests to transfer the data to the outside, where several layers of Command-and-Control (C&C) servers were located. These C&C servers provided new tasks to the infected devices."

This report is good reading for system and network defenders because it describes the various components of the attack. It is worth reading and then asking whether you have the instrumentation and controls in your network to prevent, or at least detect, a similar compromise.

The recommendations are not ground-breaking. They are things we have all heard before and should be doing in our own networks, but that inevitably get pushback when we recommend or try to implement them, because of the perceived impact on users. Here is a high-level summary of the recommendations:

System level

  • blacklisting and whitelisting 
  • minimizing privilege
  • restricting common hacker tool usage
  • up to date patching and updates

Active Directory

  • closely monitor your crown jewels
  • two factor authentication
  • have AD externally audited regularly

Network Level

  • all Internet traffic through one choke point
  • proxy and log all Internet access
  • internal network segregation
  • internal network instrumentation (netflow data logging)
  • DNS logging

  • long term log archives (2 years or more) of crucial systems such as 
  • centralized logging
  • continuous log analysis against known IOCs
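The C&C pattern quoted above (an infected host making repeated HTTP requests out through port 80 to a staging server, which hands back new tasks) is exactly what the "proxy and log all Internet access" and "continuous log analysis against known IOCs" recommendations are meant to catch. As an added example, not code from this diary or from the RUAG report, here is a small Python detector that runs over proxy access logs: it flags any request to a host on an IOC list, and it flags internal hosts that contact the same external host at a near-constant interval, which is what a timer-driven beacon looks like and what human browsing does not. The log format, the client addresses, the host names and the IOC list are all constructed for the example.

```python
"""
Added example, not code from the ISC diary or the RUAG report: a small
detector that runs over proxy access logs and looks for the C&C pattern
described in the diary (repeated HTTP requests from one internal host to
one external host at a regular interval) and for destinations on an IOC
list. Log lines, host names and addresses are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# One line per request: timestamp client method url status bytes_out
# (constructed format, loosely modelled on a squid-style access log)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Constructed IOC list; in practice this is fed from the report's indicators.
IOC_HOSTS = {"bad-cnc.example.net"}

# Constructed sample log: 10.1.2.15 beacons every ~5 minutes, 10.1.2.22
# browses irregularly, 10.1.2.30 makes one large POST to a listed IOC host.
SAMPLE_LOG = """\
2016-05-23T08:00:00Z 10.1.2.15 GET http://updates.example-cdn.net/check 200 312
2016-05-23T08:01:10Z 10.1.2.22 GET http://www.example.com/ 200 5120
2016-05-23T08:01:15Z 10.1.2.22 GET http://www.example.com/news 200 8801
2016-05-23T08:05:01Z 10.1.2.15 GET http://updates.example-cdn.net/check 200 305
2016-05-23T08:10:00Z 10.1.2.15 GET http://updates.example-cdn.net/check 200 318
2016-05-23T08:14:59Z 10.1.2.15 GET http://updates.example-cdn.net/check 200 309
2016-05-23T08:20:02Z 10.1.2.15 GET http://updates.example-cdn.net/check 200 311
2016-05-23T08:25:00Z 10.1.2.15 GET http://updates.example-cdn.net/check 200 307
2016-05-23T08:33:40Z 10.1.2.22 GET http://www.example.com/about 200 2210
2016-05-23T08:41:17Z 10.1.2.30 POST http://bad-cnc.example.net:80/upload 200 1048576
2016-05-23T09:12:05Z 10.1.2.22 GET http://www.example.com/ 200 5120
2016-05-23T09:12:07Z 10.1.2.22 GET http://www.example.com/contact 200 1901
"""


def host_of(url):
    """Return the host part of a URL, without scheme, port or path."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split(":", 1)[0]


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip bad lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m["client"],
            "method": m["method"],
            "host": host_of(m["url"]),
            "bytes_out": int(m["bytes_out"]),
        })
    return records


def ioc_hits(records, iocs):
    """Requests whose destination host is on the IOC list."""
    return [r for r in records if r["host"] in iocs]


def find_beacons(records, min_requests=5, max_jitter=0.2):
    """Flag (client, host) pairs whose request intervals are nearly constant.

    Jitter is the coefficient of variation of the gaps between requests:
    human browsing is bursty (high jitter), a beacon on a timer is not.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"client": client, "host": host,
                            "requests": len(stamps),
                            "interval_s": round(avg, 1),
                            "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(recs, IOC_HOSTS):
        print("IOC hit:", hit["client"], "->", hit["host"],
              hit["method"], hit["bytes_out"], "bytes out")
    for b in find_beacons(recs):
        print("beacon:", b)
```

Run stand-alone it reports one IOC hit (the 1 MB POST from 10.1.2.30) and one beacon (10.1.2.15 to updates.example-cdn.net, six requests at a 300 second interval). The jitter threshold and minimum request count are starting points, not tuned values: an implant that randomizes its sleep interval raises the jitter, so the same logic is worth running over long windows (which is what the two-year retention recommendation buys you) and over DNS logs as well as proxy logs, since a host that resolves the same name on a timer is just as telling as one that fetches the same URL on a timer.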

The summary report is available here. The detailed report is available here.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)
