Forensics and Incident Response for a Global Software Provider for Transportation and Delivery Services

CUSTOMER

One of the largest players in the gig economy, providing an online platform for placing orders for transportation services.

In a nutshell

Our client had become the victim of an e-mail-borne ransomware attack after hackers obtained access to and control over a number of the company's sensitive databases and threatened to compromise external services and corrupt the data.

We were asked to join a remote international incident response team composed of cybersecurity experts with different backgrounds and skill sets from all over the world. The challenge was multifaceted: our client requested incident forensics on multiple servers to assess the whole situation, together with simultaneous security hardening of the organization to prevent compromise of the company's assets. We had to perform our activities with malicious actors persistently present and threats still active in the client's corporate environment. Despite the highly dynamic nature of the challenge, intensive and successful 24/7 collaborative work by the whole international team enabled us to effectively curb excessive risk and gain time for further defensive actions.

PROCESS

Over a total of three weeks, three teams working in sequential 8-hour shifts, each headed by a Certified Incident Forensics Investigator, followed a cohesive plan with delegated tasks and provided real-time status updates for managing the incident. For a successful resolution we performed several types of work:

  1. Deep forensics of both client infrastructure and critical assets looking for signs of Advanced Persistent Threats and malicious activities;
  2. Real-time infrastructure monitoring and processing of a wide number of logs from security systems;
  3. Isolation of systems in order to preserve and collect evidence, and migration of all the client's critical systems into the cloud to minimize the impact on the business;
  4. Penetration testing of the core application in active mode to identify factual and potential entry points.

During our investigation, we found both the threat actor's footprints and multiple security misconfigurations that could have led to a compromise. After performing a full-scope compromise assessment of the client's infrastructure, we prepared a detailed report and provided recommendations to improve the client's cyber resilience.


RESULTS

Through a coordinated team response, we improved visibility into the cyber incident and enabled our client to manage the response with greater control, higher efficacy, and reduced time between threat detection and elimination. During the investigation, we discovered multiple critical misconfigurations that could have been used as entry points by malicious actors. We hardened the systems, allowing operations to return to normal, and informed our client which systems had been compromised. All findings were documented with suggested actions to mitigate the gaps according to cyber security best practices.

WiFi Penetration Testing for an International Commercial Bank

CUSTOMER

The Customer is an international bank with $500 million in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.

In a nutshell

Our team was tasked to conduct a wireless network penetration test for an international financial institution that needed validation on its network design and implementation.

We simulated a cyber-attack from a black-box perspective, i.e. with zero knowledge of the customer's IT systems. We managed to connect to their internal network via the corporate WiFi, which in turn granted us unrestricted access to the customer's office domain and to internal systems vulnerable to further exploits.

This case illustrates how keeping an eye on the little things can save your business.

PROCESS – EVIL TWIN ATTACK

The customer had carefully designed the network to provide separate access for employees and guests. The guest network proved to be physically separate from the company WAN. However, the employee wireless clients were configured with certain flaws, which made our attempts to exploit the network fully successful.

To initiate the WiFi penetration test, we set up a wireless Evil Twin proof of concept at the customer's premises: a fake wireless hotspot with web-based authorization (a captive portal) whose identifier resembled that of the legitimate access point. To speed up the reconnaissance process, we then forced the legitimate access point offline with a jamming attack, which made the devices already connected to the target network reconnect. The clients connected to the fake access point automatically, since it looked like the legitimate one. Upon reconnecting, the clients provided us with the 4-way handshake used to authenticate devices to the network. We captured these handshakes in order to crack the network password via a brute-force or dictionary attack. This final step of cracking the password let us into the network.

WiFi hacking scenario: the scenario boils down to setting up a bogus access point with a fake captive portal, DoS-attacking the legitimate access point, and using the fake one to steal login credentials from a WPA-Enterprise network.

RESULTS

By executing the evil twin attack, we swiftly managed to break into the network via the corporate WiFi. As the wireless networks used RADIUS authentication with AD credentials, a successful handshake capture was enough to gain initial access to the network and an account in the office domain. Since the Customer did not employ any wireless scanning tools, the Evil Twin AP would have remained undetected for a long period of time.

Having demonstrated the weaknesses and the corresponding confidentiality risks of the system, we advised changing the encryption settings so that clients reject networks without the proper SSID and authentication settings (which defeats an attempt to impersonate a legitimate AP), and helped to implement security restoration measures.
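Two defender-side checks that follow from the two findings above (no wireless scanning, and clients that accept an impostor AP), written as an added example rather than the testers' or the bank's tooling. The wpa_supplicant keys (ca_cert, domain_suffix_match, key_mgmt, eap) are real option names; the SSID, BSSID inventory, scan records and file paths are constructed.

```python
"""Audit a WPA-Enterprise client configuration and spot an Evil Twin in scan data.

Added example, not the case study's own code. The wpa_supplicant option names are
real; the configs, SSIDs, BSSIDs and scan results below are constructed.
"""
import re

# --- 1. Client configuration audit -------------------------------------------
# A supplicant that does not pin the RADIUS server (no CA certificate, no server
# name match) completes EAP against any access point that merely broadcasts the
# same SSID, which is exactly what the evil twin relied on.

WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)
_NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    return [{k: v for k, _q, v in _KV.findall(body)} for body in _BLOCK.findall(conf)]


def audit_wpa_conf(conf):
    """Return (ssid, problem) pairs for EAP networks that would trust any RADIUS server."""
    findings = []
    for net in parse_networks(conf):
        if net.get("key_mgmt") != "WPA-EAP":
            continue  # PSK and open networks are outside this check
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: the server certificate is not validated"))
        if not any(k in net for k in _NAME_MATCH_KEYS):
            findings.append((ssid, "no server name match: any certificate from the CA is accepted"))
    return findings


# --- 2. Rogue access point detection -----------------------------------------
# Any beacon carrying a corporate SSID from a BSSID that is not in the inventory
# is a rogue candidate; a different security type on the same SSID makes it worse.

KNOWN_BSSIDS = {"CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}  # constructed inventory

SCAN = [  # constructed scan records: (bssid, ssid, channel, security)
    ("00:11:22:aa:bb:01", "CorpWiFi", 6, "WPA2-EAP"),
    ("00:11:22:aa:bb:02", "CorpWiFi", 11, "WPA2-EAP"),
    ("de:ad:be:ef:00:01", "CorpWiFi", 6, "OPEN"),
    ("00:11:22:aa:bb:10", "CorpGuest", 1, "OPEN"),
]


def find_rogue_aps(scan, known=KNOWN_BSSIDS):
    """Return scan records that advertise a corporate SSID from an unknown BSSID."""
    return [
        {"bssid": bssid, "ssid": ssid, "channel": channel, "security": security}
        for bssid, ssid, channel, security in scan
        if ssid in known and bssid not in known[ssid]
    ]


if __name__ == "__main__":
    for ssid, problem in audit_wpa_conf(WEAK_CONF):
        print(f"[config] {ssid}: {problem}")
    for ap in find_rogue_aps(SCAN):
        print(f"[scan] rogue candidate {ap['bssid']} on ch {ap['channel']} ({ap['security']})")
```

The first check is the one that actually closes the hole: with the CA pinned and the server name matched, a fake AP cannot complete PEAP and the client never sends its MSCHAPv2 response. The second is the monitoring the customer lacked; it only needs a periodic scan and a BSSID inventory to raise an alert the same day.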

TECHNOLOGIES AND TOOLS

Methodology: SniffAir

Tools: Kali Linux distribution (Aircrack, Wireshark filters, Wifijammer, internal-twin, Wifiphisher), Hashcat, captive portals, MAC spoofing, Airgeddon, DNS spoofing and BeEF using WiFi-Pumpkin, rogue-wifi and EvilAP Defender.

Social Engineering Penetration Testing for an International Commercial Bank

CUSTOMER

The Customer is an international bank with $900 million in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.

In a nutshell

We were asked to conduct a social engineering penetration test and try to access the internal network of a bank by manipulating its staff. In this way the Client wanted to check the effectiveness of existing security solutions combined with awareness campaigns among employees regarding cyber hygiene.

Despite the client's cybersecurity maturity, after a week of reconnaissance we managed to bypass the security services and get inside the system using one of the classic tricks: mass mailings with malicious attachments. This case illustrates that, with proper data gathering and system exploration, attackers are quite often able to identify ways around technical controls (in this case, the sandbox) and exploit the human element, which in turn allows them to penetrate the network, escalate privileges and access files beyond the restricted domain.

PROCESS

Reconnaissance. It took us one week to study the Client's systems. We gathered information about the software, operating systems, browsers, antivirus products, email clients etc. used by employees. We also concentrated on the format of email messages and other elements of the corporate identity, as well as news and events in the company: everything that could make the letter, the phishing site and the targeted attack more credible.

Sandbox bypass vulnerability. We established that the customer was using a sandboxing system that analyzes attachments to detect malware. Such a system executes untrusted code inside a restricted environment, analyzes what actions it performs and determines whether the file is safe. This method is designed to prevent phishing attacks through attachments of any type.

We applied special techniques to identify how to bypass this filter. By analyzing how the system launches and examines the file's process tree, we were able to design malware that tricks the sandbox. We prepared a new payload that passed the antivirus, file-signature and behavioral-analysis controls and activated its code only a few days later, without revealing itself as malware.

Hacking scenario. Despite the variety of creative approaches aimed at misleading employees, from the technical point of view it all boils down to just two actions: phishing to steal account data, and launching an executable file to infect a device. In our case, opening and launching the attachment to a letter was the trigger that made the script work.
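The two actions above both start with an attachment reaching a mailbox, and the previous paragraphs show that a sandbox verdict alone can be out-waited. An added example of the complementary control, a static attachment policy applied before and regardless of detonation, is below; it is not the bank's or the testers' tooling, the lure message, sender addresses and file names are constructed, and the magic-byte table covers only a handful of types.

```python
"""Inbound attachment triage independent of any sandbox verdict.

Added example, not the case study's code. The message, addresses and file names
are constructed; the extension lists and magic bytes are deliberately short.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".js", ".jse", ".vbs", ".hta",
                      ".bat", ".cmd", ".ps1", ".lnk", ".iso", ".img"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
MAGIC = [  # (leading bytes, description)
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0", "OLE compound document"),
    (b"PK\x03\x04", "ZIP container (OOXML or archive)"),
    (b"%PDF", "PDF"),
]


def content_kind(data):
    """Classify a payload by its leading bytes, ignoring the claimed name."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


def triage_message(msg):
    """Return (filename, verdict, reasons) for every attachment in the message.

    The policy does not depend on a sandbox: a payload that sleeps for days
    before acting (as on the page) still carries a blocked or macro-enabled type.
    """
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
            if name.count(".") > 1:
                reasons.append("double extension hides the real type")
        if ext in MACRO_EXTENSIONS:
            reasons.append("macro-enabled Office document")
        if content_kind(data) == "PE executable" and ext not in BLOCKED_EXTENSIONS:
            reasons.append("executable bytes under a non-executable name")
        verdicts.append((name, "quarantine" if reasons else "allow", reasons))
    return verdicts


def triage_raw(raw):
    """Same check on a wire-format (RFC 5322) message as received from the MTA."""
    return triage_message(message_from_bytes(raw, policy=policy.default))


def build_sample_message():
    """Constructed lure: a macro document, an EXE disguised as a PDF, and a real PDF."""
    msg = EmailMessage()
    msg["From"] = "hr@corp-example.invalid"
    msg["To"] = "jdoe@corp-example.invalid"
    msg["Subject"] = "Updated holiday schedule"
    msg.set_content("Please review the attached schedule and confirm by Friday.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 28, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="schedule.docm")
    msg.add_attachment(b"MZ" + b"\x90" * 30, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    return msg


if __name__ == "__main__":
    for name, verdict, reasons in triage_raw(build_sample_message().as_bytes()):
        print(f"{verdict:10s} {name:18s} {'; '.join(reasons)}")
```

In practice the type check runs at the gateway and the sandbox runs after it; a quarantine from either wins. Keeping the static rule in place is what stops the "activate a few days later" trick, because the decision never depended on observed behaviour in the first place.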

RESULTS

Thanks to the sandbox bypass vulnerability, our malicious email passed the security checks and the dropper activated itself on one of the employees' devices. We then established a connection and, through file shares, found an opportunity to harvest certain accounts, discover incorrectly configured access to the backups, and work our way through the network to take over the domain. After the test was completed, we provided a list of feasible measures to restore the required level of security and helped the bank to close the security gaps in the shortest possible time.

TECHNOLOGIES AND TOOLS

Methodology: a custom payload built from only those parts of the malicious code that connect to our server and share the required information.

Web and Mobile Banking Application Penetration Testing for an International Commercial Bank

CUSTOMER

The Customer is an international commercial bank with $500 million in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.

In a nutshell

Our team was tasked with evaluating the current level of security of the web application and mobile banking application of a commercial bank in Europe. Although the scope was limited to a black-box perspective, implying an outside attacker who knows only the client's name, we managed to exploit application flaws, reach critical data, gain full access to the bank's clients' accounts and, as the ultimate goal, withdraw money.

This case demonstrates how a combination of two simple yet critical vulnerabilities can lead to a full security compromise. At the same time, such vulnerabilities are often overlooked and hence become a common attack vector for malicious actors.

PROCESS

To carry out high-quality comprehensive testing, we used both manual and automated testing tools and techniques.

OTP compromise. During testing we discovered that account access through online banking was protected by two-factor authentication with an OTP code. We found a critical vulnerability in the OTP handling that enabled us to defeat it with a brute-force attack (the OTP could be guessed much like a password on a login page). Furthermore, OTP verification was also used for financial and other asset transactions. Provided that a malicious attacker knew a user's credentials, it would have been possible to access any account at the bank and conduct unsolicited money transfers, thus completely compromising the security system.

The same OTP vulnerability was confirmed in the mobile application, although a different server processed its requests and the APIs of the web and mobile applications were supposed to function separately. Hence the mobile app contained the same flaw in its session-management logic, and the security risk extended accordingly.

Authentication compromise. Another critical vulnerability was found in the authorization of access to users' data. Being logged into the online banking system and changing the user ID token, an attacker could see the private data of other bank clients, including their transactions and balances. It was therefore possible to select accounts with attractive balances and then, using an automatically generated script, brute-force credentials, enter the victims' accounts, brute-force the OTP and withdraw money.

Hacking scenario: getting full access. The vulnerability in the authentication process allowed access to any user account in the system. The attacker could easily check account balances, select preferred accounts, brute-force the necessary details and initiate unsolicited transactions by exploiting the OTP vulnerability.
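The chain above rests on two server-side defects: an OTP check that tolerates unlimited guesses, and an account lookup that trusts a client-supplied identifier. The following added example (not the bank's code; the account table, user names, attempt and expiry limits and the fixed test codes are all constructed) shows each defect beside a hardened version, plus a transfer that gates on both.

```python
"""OTP verification and object-level authorization: vulnerable vs hardened.

Added example, not the bank's application code. Accounts, users, limits and the
fixed codes used for testing are constructed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # lock the challenge after this many wrong guesses
OTP_TTL_SECONDS = 300   # challenge expires after five minutes


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False  # True once accepted, expired or locked out


def make_challenge(code=None, now=None):
    """Issue a challenge; a fixed code may be supplied for tests only."""
    if code is None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    return OtpChallenge(code=code, issued_at=time.time() if now is None else now)


def verify_otp_vulnerable(ch, submitted, now=None):
    """The flaw on the page: unlimited guesses, no expiry, never consumed."""
    return ch.code == submitted


def verify_otp_hardened(ch, submitted, now=None):
    """Single use, time limited, attempt limited, constant-time comparison."""
    now = time.time() if now is None else now
    if ch.consumed:
        return False
    if now - ch.issued_at > OTP_TTL_SECONDS:
        ch.consumed = True
        return False
    ch.attempts += 1
    ok = hmac.compare_digest(ch.code.encode(), submitted.encode())
    if ok or ch.attempts >= MAX_ATTEMPTS:
        ch.consumed = True  # one use on success, lockout on exhaustion
    return ok


def exhaust_otp(verify, ch, now=None):
    """Submit codes in order until one is accepted or the challenge locks.

    Returns (accepted code or None, number of submissions). With 6 digits the
    vulnerable verifier always yields within a million requests; the hardened
    one stops answering after MAX_ATTEMPTS.
    """
    for n in range(10 ** OTP_DIGITS):
        code = f"{n:0{OTP_DIGITS}d}"
        if verify(ch, code, now):
            return code, n + 1
        if ch.consumed:
            return None, n + 1
    return None, 10 ** OTP_DIGITS


ACCOUNTS = {  # constructed
    "A-1001": {"owner": "alice", "balance": 1_500},
    "A-2002": {"owner": "bob", "balance": 90_000},
}


def get_account_vulnerable(session_user, account_id):
    """Trusts the client-supplied identifier: any logged-in user reads any account."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user, account_id):
    """Object-level check: the record must belong to the authenticated session."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise PermissionError("account not found")  # same answer for missing and foreign
    return acct


def read_balance(session_user, account_id, lookup=get_account_hardened):
    """Balance as the caller would see it, or None when access is refused."""
    try:
        return lookup(session_user, account_id)["balance"]
    except (PermissionError, KeyError):
        return None


def transfer_hardened(session_user, from_id, to_id, amount, ch, otp):
    """Money movement requires ownership of the source and a fresh, limited OTP."""
    src = get_account_hardened(session_user, from_id)
    if not verify_otp_hardened(ch, otp):
        raise PermissionError("OTP rejected")
    if amount <= 0 or amount > src["balance"]:
        raise ValueError("invalid amount")
    dst = ACCOUNTS[to_id]
    src["balance"] -= amount
    dst["balance"] += amount
    return src["balance"]
```

Two design points matter beyond the code: the hardened lookup never reveals whether an identifier exists, so enumeration of account IDs gives nothing, and the OTP challenge is an object with its own state rather than a bare string, so the attempt counter and expiry travel with it to every endpoint (web and mobile alike) that consumes it.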

RESULTS

We performed a number of tests to analyze the security of the bank’s web and mobile applications. The testing revealed several types of vulnerabilities classified according to the risk levels defined in the OWASP methodology. The combination of two critical vulnerabilities allowed our team to conduct any transactions from bank clients’ accounts without proper authentication.

To help the bank patch the identified security gaps, we delivered a comprehensive report covering all the vulnerabilities found and provided mitigation recommendations, which were implemented in the remediation phase.

TECHNOLOGIES AND TOOLS

Methodology: OWASP Top 10

Tools: BurpSuite, Acunetix, Google Chrome Developer Tools, Python, WPScan, Nessus, Nmap, SQLMap, Nikto, DIRB, Metasploit, custom scripts.

Blackbox Penetration Testing for an International Bank

CUSTOMER

The Customer is an international bank with $2.5 billion in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.

In a nutshell

Our penetration testing team was assigned to simulate a real hacker attack on the Bank's branch in Central Europe as part of a client data security check and compliance requirements. The penetration test was performed from a black-box perspective (i.e. zero initial information apart from the target organization's name).

By constructing an attack, we were able to gain access to the core processing systems and the SWIFT system. Moreover, the team found a way to transfer money from one bank account to another on behalf of other customers. Thus the goal of the test was reached successfully.

PROCESS

Preparation. To ensure accurate results, our team used both manual and automated testing tools and techniques. At the beginning of the penetration test, we discovered a vulnerability in the bank's external network. We designed a dropper (a kind of Trojan) to install our malware on a target system. Through a phishing attack, this dropper was downloaded to a computer in the Client's network. The dropper contained malware that copied itself to several places for persistence and migrated from one process to another. Being initially downloaded as a text file, it was transformed into malicious code by macros in such a way as to avoid detection by antivirus scanners. Thus neither the security systems nor the firewall and antivirus solutions detected the malicious activity conducted inside the network.

HTTPS connection compromise. Further, we identified that the HTTPS connection went through the Amazon CDN. We therefore registered a domain on Amazon, which served to create an alias, collect the bank's requests and redirect them to our own server. The bank's IT team could only see that connections from their internal network went to Amazon, which could just as well mean an exchange of updates of any kind. This inconspicuous connection therefore allowed the 'attacker' to remain undetected.

Hacking scenario: getting full access. After penetrating the internal network, we collected users' private data and key credentials, escalated privileges to the domain administrator role, hijacked the domain and gained full control over the system. At this point our task was accomplished. Real-world hackers, however, would be able to go further, into the core processing systems, and conduct unsolicited transactions.
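The command channel in this case hid behind a CDN name that reputation-based filtering treats as benign, so the detection opportunity lies in behaviour rather than destination. As an added example (not the bank's or the testers' tooling; the proxy log format, internal addresses, domain names and thresholds are all constructed), the script below flags host-to-domain pairs whose request intervals are suspiciously regular and reports how many internal hosts share that destination.

```python
"""Beaconing detection over web-proxy logs.

Added example, not the case study's tooling. Log format, internal hosts, domain
names and thresholds are constructed and illustrative.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: "<utc-timestamp> <src-ip> <method> <url> <status>".
# 10.1.1.23 calls a CDN-hosted name every ~300 s; 10.1.1.40 browses normally.
LOG_LINES = """
2024-03-01T09:00:00Z 10.1.1.23 GET https://d1a2b3c4.cdn-edge.invalid/api/ping 200
2024-03-01T09:00:10Z 10.1.1.40 GET https://news.example.invalid/ 200
2024-03-01T09:00:14Z 10.1.1.40 GET https://news.example.invalid/world 200
2024-03-01T09:03:50Z 10.1.1.40 GET https://news.example.invalid/sport 200
2024-03-01T09:05:01Z 10.1.1.23 GET https://d1a2b3c4.cdn-edge.invalid/api/ping 200
2024-03-01T09:09:59Z 10.1.1.23 GET https://d1a2b3c4.cdn-edge.invalid/api/ping 200
2024-03-01T09:12:00Z 10.1.1.40 GET https://updates.vendor.invalid/catalog.cab 200
2024-03-01T09:15:00Z 10.1.1.23 GET https://d1a2b3c4.cdn-edge.invalid/api/ping 200
2024-03-01T09:17:02Z 10.1.1.40 GET https://news.example.invalid/tech 200
2024-03-01T09:17:03Z 10.1.1.40 GET https://news.example.invalid/tech/1 200
2024-03-01T09:20:02Z 10.1.1.23 GET https://d1a2b3c4.cdn-edge.invalid/api/ping 200
2024-03-01T09:24:58Z 10.1.1.23 GET https://d1a2b3c4.cdn-edge.invalid/api/ping 200
2024-03-01T09:41:00Z 10.1.1.40 GET https://news.example.invalid/ 200
"""


def parse_log(text):
    """Yield (timestamp, src, host) per well-formed line; others are skipped."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, _method, url, _status = parts
        host = urlparse(url).hostname
        if host is None:
            continue
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host


def find_beacons(text, min_events=5, max_cv=0.15, min_interval=30.0):
    """Flag (src, host) pairs whose inter-request gaps are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps: human
    browsing is bursty (cv around 1 or more), a timer-driven implant is not.
    """
    times = defaultdict(list)
    for ts, src, host in parse_log(text):
        times[(src, host)].append(ts)
    sources_per_host = defaultdict(set)
    for src, host in times:
        sources_per_host[host].add(src)
    findings = []
    for (src, host), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if mean >= min_interval and cv <= max_cv:
            findings.append({"src": src, "host": host, "events": len(stamps),
                             "mean_interval": mean, "cv": cv,
                             "src_prevalence": len(sources_per_host[host])})
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(LOG_LINES):
        print(f"{f['src']} -> {f['host']}: {f['events']} requests every "
              f"~{f['mean_interval']:.0f}s (cv={f['cv']:.3f}, "
              f"seen from {f['src_prevalence']} host(s))")
```

Legitimate update clients also poll on timers, which is why the prevalence count is reported next to the regularity score: a vendor catalog fetched by hundreds of hosts and a CDN alias contacted by exactly one host look alike on the interval axis and very different on the prevalence axis. Add jitter tolerance (raise max_cv) with care; the page's channel succeeded precisely because nobody looked at this axis at all.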

RESULTS

The adversary simulation allowed us to demonstrate a complete compromise path using a single vulnerability in the external network combined with one successful phishing attack. In the remediation phase we worked closely with the client's IT security team to immediately mitigate all the vulnerabilities found and apply best security practices. By means of this penetration test, the bank managed to avoid compromise of users' accounts and mitigate business risks such as financial and data loss and reputational damage. In the end our client developed better security practices and was able to meet the highest level of compliance and regulatory standards.

TECHNOLOGIES AND TOOLS

Methodology: OWASP Top 10

Tools: Cobalt Strike, Pupy, PowerSploit, Metasploit, Nessus, Nmap, Tor, Burp Suite, w3af, WPScan, Wfuzz, ZAProxy, OpenVAS, Skipfish, SQLMap, manual testing.
