Blackbox Penetration Testing for an International Bank

CUSTOMER

The Customer is an international bank with $2.5 billion in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.

In a nutshell

Our penetration testing team was assigned to simulate a real hacker attack on the Bank’s branch in Central Europe as part of a client data security check and compliance requirements. The penetration test was performed from a blackbox perspective (i.e. zero initial information apart from the target organization’s name).

By constructing an attack chain, we were able to gain access to the core processing systems and the SWIFT system. Moreover, the team found a way to transfer money from one bank account to another on behalf of other customers. The goal of the test was thus reached.

PROCESS

Preparation. To ensure accurate results, our team used both manual and automated testing tools and techniques. At the beginning of the penetration test, we discovered a vulnerability in the bank’s external network. We designed a dropper (a kind of Trojan) to install our malware on a target system. Through a phishing attack, this dropper was downloaded to a computer in the Client’s network. The dropper contained malware that copied itself to several locations for persistence and migrated from one process to another. Initially downloaded as a text file, it was transformed into malicious code by macros so as to avoid detection by antivirus scanners. As a result, neither the security monitoring systems nor the firewall and antivirus solutions detected the malicious activity conducted inside the network.
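As an added illustration (not part of the original case study and not the testing team’s tooling), the following Python check shows the kind of content-based attachment inspection that would have flagged the dropper stage described above: it looks for an embedded VBA project inside an OOXML container regardless of the file’s extension, so a macro-bearing document delivered under a .txt name is still caught. The sample attachments are constructed in memory for the example; the attachment names and the `triage` helper are assumptions.

```python
"""Added example (not from the original case study): flag Office OOXML
attachments that carry a VBA macro project, independent of file extension.
This is the check a mail gateway would apply against a macro-based dropper."""
import io
import zipfile

# OOXML parts whose presence means the document carries a VBA project
# (Word, Excel and PowerPoint respectively).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the bytes are an OOXML (zip) container holding a
    vbaProject.bin part. Only the zip directory is inspected; the VBA
    streams themselves are not parsed. Non-zip input (plain text, legacy
    OLE2 .doc/.xls) returns False and needs a separate OLE2 check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory.
    Constructed sample for the example, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Stand-in for the compound-file VBA project (OLE2 magic + filler).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage(attachments):
    """Return the names of attachments to quarantine. The decision is made on
    content, so the extension a sender chooses does not matter."""
    return [name for name, data in attachments if has_vba_macros(data)]


if __name__ == "__main__":
    # Hypothetical attachment set: a clean report, a macro document disguised
    # as a text file (as in the case study), and genuine plain text.
    sample = [
        ("report.docx", build_ooxml(with_macro=False)),
        ("statement.txt", build_ooxml(with_macro=True)),
        ("notes.txt", b"just text\n"),
    ]
    print("quarantine:", triage(sample))
```

The check deliberately ignores the extension and the declared MIME type; the legacy OLE2 formats are a known gap here and would need a parser such as oletools’ olevba in addition.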

HTTPS connection compromise. Next, we identified that the bank’s HTTPS connections went through Amazon’s CDN. We therefore registered a domain with Amazon and used it as an alias to collect the bank’s requests and redirect them to our own server. From the bank IT team’s point of view, the connections from their internal network went to Amazon, which could equally be ordinary update traffic. This implicitly trusted connection made it possible for the ‘attacker’ to remain undetected.

Hacking scenario: getting full access. After penetrating the internal network, we collected users’ private data and key credentials, escalated privileges to the domain administrator role, hijacked the domain and gained full control over the environment. At this point our task was accomplished. Real-world attackers, however, would be able to go further into the core processing systems and conduct unauthorized transactions.

RESULTS

The adversary simulation allowed us to demonstrate a complete compromise path using a single vulnerability in the external network combined with one successful phishing attack. During the remediation phase we worked closely with the client’s IT security team to immediately mitigate all the vulnerabilities found and apply security best practices. By means of this penetration test, the bank avoided compromise of user accounts and mitigated business risks such as financial loss, data loss and reputational damage. As a result, our client developed better security practices and was able to meet the highest level of compliance and regulatory standards.

TECHNOLOGIES AND TOOLS

Methodology: OWASP Top 10

Tools: Cobalt Strike, Pupy, PowerSploit, Metasploit, Nessus, Nmap, Tor, Burp Suite, w3af, WPScan, Wfuzz, ZAProxy, OpenVAS, Skipfish, SQLMap, manual testing.
