“Puss in Boots” APT campaign
Credit to Author: Nikolay Pankov| Date: Wed, 16 Oct 2019 09:53:22 +0000
Have you ever thought about what your answer would be if your precocious child asked, “What’s a politically motivated APT attack?” In fact, it’s straightforward. Just dust off your copy of Charles Perrault’s Puss in Boots and read it together with an eye on the cybersecurity aspects. After all, if we ignore the artistic liberties, such as a talking cat and ogres, the tale represents a marvelous example of a complex multivector APT attack against a (fictional) government. Let’s unpick this cybercrime together.
The tale opens with a miller posthumously leaving everything to his sons. The youngest son’s share of the inheritance includes the contact details of a person who goes by the pseudonym Puss in Boots and is obviously a hacker-for-hire — as you may remember, in Shrek 2, this silver-tongued cat wears not only his trademark boots, but also a black hat. After a brief exchange with the client, the cybercriminal hatches a dastardly plan aimed at seizing power in the country.
Establishing the supply chain
- The cat catches a rabbit and presents it to the king as a gift from his master — the miller’s son, posing as the fictional Marquis de Carabas.
- The cat catches two partridges and delivers them to the king as a gift from the marquis.
- The cat continues presenting wild game to the king for several months, all supposedly from the marquis.
If at the start of the operation, the Marquis de Carabas was a nobody, then by the end of the preparatory phase he is known at court as a trusted supplier of wild game. The royal security service committed at least two glaring errors. First, security should have become wary when an unknown entity started sending game to the castle. After all, everyone knows there’s no such thing as a free lunch. Second, when making an agreement with a new supplier, the first thing to do is to check its reputation.
Social engineering to open the door
- Next, the cat takes his “master” to the river, where he persuades him to remove his clothes and enter the water. As the king’s carriage drives past, the cat calls for help, saying that the marquis’ clothes were stolen while he was swimming.
The cat is applying two levers at once here, claiming that the wet young man is not a stranger but a trusted supplier of wild game, and that, having given his help selflessly, the cat now needs assistance. The fake marquis cannot identify (or authenticate) himself without his stolen clothes. The king falls for this simple trick, mistaking a fake identity for the genuine article. It’s a classic example of social engineering.
Watering hole attack via the ogre’s website
- The cat arrives at the ogre’s castle, where he is received as an honored guest, and asks his host to demonstrate his magical abilities. Flattered, the ogre turns itself into a lion. Pretending to be afraid, the cat says that anyone can turn into a large beast — how about shapeshifting into a small one? The gullible ogre turns into a mouse, and the cat’s claws end its life quickly.
To complete the deception, the marquis needs a website — what kind of supplier doesn’t have one? Creating a site from scratch would be foolhardy: It would have no history, and its date of creation would look suspicious. Therefore, he decides to hijack an existing site. Here, Perrault vaguely sketches a vulnerability involving loose access permissions. The cat logs in as an external pentester and persuades the local administrator to play around with the access control system. The administrator first raises his own privileges to root (lion), and then lowers them to guest (mouse). As soon as that happens, the cat deletes the account with “mouse” permissions, effectively becoming the sole administrator of the website.
- The king visits the castle and is so pleased with the reception that he decides the marquis is a good partner for the princess, and thus proposes inviting him to court and making him an heir to the throne.
This is what happens when social engineering works as intended. The victim visits the now-malicious website and concludes a deal there, giving the hacker access to valuable assets (in this case, the throne). Not directly, of course — here it’s through giving his daughter away in marriage to the bogus marquis.
Supply-chain attack
Perrault’s text does not mention this part, but if you were paying attention, you probably noticed that by the end of the tale, the Marquis de Carabas
- is the king’s trusted supplier — he has been providing wild game for the monarch’s table for several months, and
- is the husband of the king’s only daughter.
All that separates him from unlimited power is the old man on the throne. Basically, to become absolute ruler, all he has to do is inject some lethal virus into the code of the next partridge, then sit back and wait.