
Fox-IT hit by cyber attack - breakingcups
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/
======
RandomTrees
The core of the problem, a lot of paragraphs down:

> we have strong evidence that supports our hypothesis that the adversary
> gained access to our [DNS provider's] credentials through the compromise of
> a third party provider

> A factor which possibly helped the attacker was that the password had not
> been changed since 2013

> We chose our DNS provider 18 years ago when 2FA was neither a consideration
> nor a possibility

~~~
c12
Slightly off-topic, but 2FA was both possible and a consideration 18 years
ago, just not for the majority of people.

~~~
chinathrow
Correct. Banks in Europe had various 2FA methods in place, even in the early
days of online banking around the year 2000.

~~~
kybernetikos
I was using a simple form of 2FA with my retail bank in Switzerland back in
the early 2000s.

------
the-dude
Fox-IT is THE leading security firm in The Netherlands.

~~~
thinkMOAR
Because Dutch news outlets always contact them for quotes, because they only
know one security company. I'm pretty sure they are not the best.

I tend to find it disappointing to see a security company use Google Analytics
on their site and leak their visitor information to a big data third party.

~~~
YouKnowBetter
Would you care to comment on who you'd consider better?

~~~
d215
[https://radicallyopensecurity.com/](https://radicallyopensecurity.com/) are
pretty great. Don't know if they're actually _better_ than fox-it. The latter
I only know by reputation.

------
technion

    CTMp network sensors

The first six Google hits for this phrase relate to Fox-IT being hit. Can
anyone share some details on these sensors, given they are described as being
critical to the response?

~~~
stephengillie
Some of the results I find for CTMP are Continuous Time Markov Processes. Here
is a slide deck with poor kerning[0]. From an interesting slide:

_Numerical solution of implicitly encoded CTMCs_

_If R is stored as a sparse matrix of columns, a Jacobi or Gauss-Seidel
iteration has the cost of a vector-matrix multiplication,_ O(n(R))

_If R is stored using implicit techniques (Kronecker algebra or decision
diagrams), memory is greatly reduced but runtime can increase._

_E.g., using Shuffle to compute the effect of v,_ π^(old) · (operator)(1≤k≤L)
R(k,v_k), _is slower than Sparse multiplication if the_ R(k,v) _matrices are
very sparse._

This research paper describes tracking cattle with a wireless sensor
network[1].

---

Or this could be Cisco Technology Migration Program[2]. They could have some
sort of network probe to identify "upgrade-ready" products, which could be
leveraged for other purposes.

---

[0] [http://www.cs.ucr.edu/~cshelton/talks/ctmp-tut.pdf](http://www.cs.ucr.edu/~cshelton/talks/ctmp-tut.pdf)

[1]
[https://www.researchgate.net/publication/271419298_Cattle_mo...](https://www.researchgate.net/publication/271419298_Cattle_monitoring_system_using_wireless_sensor_network_in_order_to_prevent_cattle_rustling)

[2]
[https://www.cisco.com/web/partners/pr11/incentive/emea/tmp.h...](https://www.cisco.com/web/partners/pr11/incentive/emea/tmp.html)

~~~
t0pr0
Dude... CTMP means Cyber Threat Management System and it's a product developed
by Fox-IT as a monitoring solution.

------
mehrdadn
I thought this was about the company that makes the PDF reader. If there's a
way to disambiguate the title that would be nice.

~~~
feikname
I disagree with the notion that they're ambiguous at all. Foxit and Fox-IT
have quite a noticeable difference in their names, IMO. (although they do have
the same letters, so I get your point)

~~~
cwilkes
Would a screen reader pronounce it as “fox dash it” or “fox it” for both? In
my mind I read “fox it” without the dash and thought it was the PDF company.

Which was really weird trying to wrap my head around how they could discover
an issue like this so quickly.

------
LeonM
This is the exact reason I moved all my DNS to a new provider, as the old one
does not allow 2FA. It sucks that you have to rely on an external supplier for
such a critical part of your infrastructure. In my experience, most DNS
suppliers mostly care about marketing, not so much about security.

------
rdl
Weird. While they're on Cloudflare Registrar now, it appears they used to be
on Network Solutions.

NetSol is pretty bad in a lot of ways, but you can make it less bad with some
configuration competence. I would have assumed an IT security company would
have done that.

------
SaturateDK
I really liked the write-up of this incident, but not the

> It’s become a widely accepted mantra that experiencing a cyber breach is a
> question of ‘when’ and not ‘if’.

part, however.

~~~
wepple
I’m curious; what’s wrong with that? Do you disagree, have an example of a
large org who has never been compromised?

~~~
Double_Pulsar
Most large organizations have been compromised by the NSA already, and with
the leaking of tools by the shadowbrokers...

We could say that we will keep seeing more and more hacks.

------
bawana
So who was the DNS hosting provider? One of these?

[https://www.keycdn.com/blog/best-free-dns-hosting-providers/](https://www.keycdn.com/blog/best-free-dns-hosting-providers/)

DNS is REALLY a weak link. Another one is the Border Gateway Protocol. I
recently read about all Google, FB, Apple, etc. traffic being redirected
through a single Russian address for a few minutes.

So how does a third party get access to the creds to allow messing with your
DNS hosting account? Social engineering? Or are there holes we need to know
about?

------
heredoc
[https://crt.sh/?q=%fox-it.com](https://crt.sh/?q=%fox-it.com) shows that
certificates issued on September 19th are not revoked yet.

------
g0ran
> It’s become a widely accepted mantra that experiencing a cyber breach is a
> question of ‘when’ and not ‘if’.

An excuse right off the bat, and quite a poor one, especially since it is a
security company.

~~~
Quarrelsome
Be fair. The burden on the defender is harsh as fuck. You're only as strong as
your weakest link, and attacks/probing are very cheap.

------
amelius
> Ensure that all system access passwords are reviewed regularly and changed,
> even those which are used rarely.

Surprised they don't use one-time passwords, or 2FA exclusively.

~~~
icebraining
2FA still uses passwords (usually), so it still makes sense to review and
change them.

------
tkoski-hs
How could one have detected this kind of attack even faster?

Periodically calling the endpoint and validating that the certificate used is
the right one?

~~~
heredoc
You can monitor Certificate Transparency for new certificates for your domain;
see [https://sslmate.com/certspotter/](https://sslmate.com/certspotter/) or do
it on your own.

~~~
technion
Note that certificate transparency monitoring isn't instant. I've seen certs
take a day or more to show up.

Which is still highly valuable, in the scheme of things. But wouldn't improve
on the timescales they've described.

(I run ctadvisor.lolware.net)
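The two detective controls discussed in this subthread (the question about
checking the endpoint and the answer about watching Certificate Transparency),
worked through as an added example. This is not code from the thread or from
Fox-IT: it is a small monitor that (1) compares observed NS and A answers for a
zone against an allowlist, which is the kind of check that would have flagged
the name-server redirection in the timeline, and (2) scans CT entries in the
shape of crt.sh's JSON output (field names `issuer_name`, `serial_number`,
`not_before`, `entry_timestamp` are assumed from that output) for certificates
nobody on the team requested, reporting how long after issuance each one became
visible in the log, which is exactly the lag technion describes. The zone,
name servers, addresses, issuers and serials are constructed placeholders.

```python
import json
from datetime import datetime

# Allowlists for a placeholder zone (constructed values, not Fox-IT's data).
EXPECTED_NS = {"ns1.example-corp.net", "ns2.example-corp.net"}
EXPECTED_A = {"clientportal.example-corp.com": {"203.0.113.10"}}


def dns_drift(observed_ns, observed_a):
    """Compare observed NS and A answers with the allowlist.

    observed_ns: iterable of name server hostnames returned for the zone.
    observed_a:  dict hostname -> iterable of IPv4 strings returned for it.
    Returns a list of human-readable findings; an empty list means no drift.
    """
    findings = []
    unexpected_ns = set(observed_ns) - EXPECTED_NS
    if unexpected_ns:
        findings.append(f"NS delegation changed: {sorted(unexpected_ns)}")
    for name, addrs in observed_a.items():
        bad = set(addrs) - EXPECTED_A.get(name, set())
        if bad:
            findings.append(f"A record for {name} outside allowlist: {sorted(bad)}")
    return findings


# Certificates the team requested itself: issuer DN plus serial (constructed).
KNOWN_ISSUERS = {"C=US, O=Example CA, CN=Example CA R3"}
KNOWN_SERIALS = {"04a1b2c3d4"}


def _ts(value):
    # crt.sh timestamps look like "2017-09-19T02:21:00[.fraction]" (assumed format);
    # the first 19 characters are the second-resolution part we need.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")


def ct_findings(entries):
    """Return (serial, issuer, lag_hours) for every entry we did not request.

    lag_hours = entry_timestamp - not_before: how long after issuance the
    certificate became visible in the log, i.e. the best-case detection delay.
    """
    unexpected = []
    for e in entries:
        if e["issuer_name"] in KNOWN_ISSUERS and e["serial_number"] in KNOWN_SERIALS:
            continue
        lag = (_ts(e["entry_timestamp"]) - _ts(e["not_before"])).total_seconds() / 3600
        unexpected.append((e["serial_number"], e["issuer_name"], round(lag, 1)))
    return unexpected


# Constructed sample in the shape of crt.sh JSON output (field names assumed).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "name_value": "clientportal.example-corp.com", "serial_number": "04a1b2c3d4",
     "not_before": "2017-06-01T00:00:00", "entry_timestamp": "2017-06-01T00:05:12"},
    {"id": 2, "issuer_name": "C=XX, O=Other CA, CN=Other CA DV",
     "name_value": "clientportal.example-corp.com", "serial_number": "ff00ff00ff",
     "not_before": "2017-09-18T18:00:00", "entry_timestamp": "2017-09-20T06:00:00"},
])


def sample_entries():
    """Parse the constructed sample as a crt.sh response would be parsed."""
    return json.loads(SAMPLE_CT_JSON)


if __name__ == "__main__":
    # Constructed "observed" answers: one rogue name server and a foreign address.
    observed_ns = ["ns1.example-corp.net", "ns-rogue.example.org"]
    observed_a = {"clientportal.example-corp.com": ["198.51.100.77"]}
    for finding in dns_drift(observed_ns, observed_a):
        print("DNS:", finding)
    for serial, issuer, lag in ct_findings(sample_entries()):
        print(f"CT: unrequested cert serial={serial} issuer={issuer!r} "
              f"logged {lag}h after not_before")
```

Run on a schedule, the DNS check is the faster of the two because it queries
authoritative answers directly, while the CT check depends on when the issuing
CA (or someone else) submits the certificate to a log; the rogue sample entry
only surfaces 36 hours after its `not_before`, so it should back up rather than
replace the direct check.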

~~~
detaro
Do you have statistics about how fast different CAs are/how it is distributed?
Are some CAs always "lagging", or do many of them have occasional late
outliers, ...?

~~~
tialaramex
You can see some statistics for Comodo's crt.sh monitor here:

[https://crt.sh/monitored-logs](https://crt.sh/monitored-logs)

Note that this doesn't tell you whether a CA logs all, most or none of the
certificates they issue. In my experience it would be unusual for a CA to
deliberately _wait_ before logging certificates, either they're logged more or
less immediately or they don't intend to log them at all. To issue
certificates with an SCT baked inside them (which is convenient for customers)
you have to log a "pre-certificate" with the exact same details first anyway
to get the SCT.

BUT if there's a problem the Mozilla trust store policy (and perhaps others,
but only Mozilla's happens in public where we can see it) says the CA must
show the trust store all the affected certificates. By far the easiest way to
do that in 2017 is shove them all into a CT log and then spew a list of links
to crt.sh or another monitor, rather than uploading some Word document full of
X.509 PEM files or whatever. So even CAs that we know don't normally log
everything will put all the problematic stuff into logs during disclosure, or
else someone reading m.d.s.policy will do it for them.

Some CAs have a deliberate customer policy of letting you choose NOT to log,
sometimes with a warning saying if you don't log this stuff then Google might
distrust it. Symantec was really into redaction, which is logging but with the
"sensitive" bits of the certificate removed. But Google never really bought
that idea, and Symantec are exiting the CA business.

------
philamonster
> Sept 19 2017, 02:21 The actual MitM against our ClientPortal starts. At this
> point, the fraudulent SSL certificate for ClientPortal was in place and the IP
> DNS record for clientportal.fox-it.com was changed to point to a VPS provider
> abroad.

> Sept 19 2017, 07:25 We determined that our name servers for the fox-it.com
> domain had been redirected and that this change was not authorized. We changed
> the DNS settings back to our own name servers and changed the password to the
> account at our domain registrar. This change will have taken time to have full
> effect, due to caching and the distributed nature of the domain name system.

A 5-hour, 4-minute response time. I would be okay with that _if_ I could get
over what was overlooked.

