CUSTOMER
The Customer is an international bank with $900 million in total assets. The bank offers a full spectrum of banking services to private and corporate customers.
In a nutshell
We were asked to conduct a Social Engineering Penetration Test and try to access the internal network of a bank by manipulating its staff. In this way, the Client wanted to check the effectiveness of its existing security solutions combined with employee awareness campaigns on cyber hygiene.
Despite the Client’s cybersecurity maturity, after a week of reconnaissance we managed to bypass the security controls and get inside the system using one of the classic tricks: email campaigns with malicious attachments. This case illustrates that, with proper data gathering and system exploration, attackers are quite often able to identify ways to bypass technical controls (in this case, the sandbox) and to exploit the human element, which in turn allows them to penetrate the network, escalate privileges and access files beyond the restricted domain.
PROCESS
Reconnaissance. It took us one week to study the Client’s systems. We gathered information about the software, operating systems, browsers, antivirus products and email clients used by employees. We also concentrated on the format of the corporate email messages and other elements of the corporate identity, as well as news and events in the company: everything that could make the letter, the phishing site and the targeted attack more trustworthy.
Sandbox bypass vulnerability. We established that the Customer uses a sandboxing system that analyzes attachments to detect malware. The system executes untrusted code inside a restricted environment, observes the actions it performs in the system and decides whether the file is safe. This method prevents phishing attacks that rely on attachments of any type.
We studied this filter closely to identify how to bypass it. By analyzing how the system launches the file and examines its process tree, we were able to design malware that tricks the sandbox. We prepared a new payload that passed the antivirus check, the file signature check and the behavioral analysis check, and activated its code only a few days later, without revealing itself as malware during analysis.
Hacking Scenario. Despite the variety of creative approaches aimed at misleading employees, from the technical point of view it all boils down to just two actions: phishing to steal account credentials and launching an executable file to infect a device. In our case, opening and launching the attachment to the letter was the trigger that made the script run successfully.
RESULTS
By identifying the sandbox bypass vulnerability, we got our malicious email past the security stage, and the dropper activated itself on one of the employees’ devices. We then established a connection and, through file shares, found an opportunity to collect certain accounts, discovered incorrectly configured access to the backup, and worked our way through the network to take over the domain. After the test was completed, we provided a list of feasible measures to restore the required level of security and helped the bank patch the security gaps in the shortest possible time.
TECHNOLOGIES AND TOOLS
Our methodological approach relied on the components of the malicious code that connect back to the server and transmit the required information.