
Breaching a Bank: Mission Impossible Style

BSides Dublin · Talk · 34:19 · Published 2025-10

Good afternoon everyone. I hope you are all enjoying BSides so far. So before getting started, I just have a quick question for you. Who came here just by looking at the talk?

>> Huh?

So I'll repeat the question: who came here just by looking at the talk title? Lovely, we have a show of hands. So the title itself is just to get your attention and make you more curious, which is the theme of today's talk. No matter how many millions or billions you might invest in your security controls, if you don't have adequate awareness as an organization, you will fail. So today I'll walk you through how we actually compromised a bank just because someone was curious enough to click on a link and enter his credentials. We'll be starting off with a bit of introduction and the red team infrastructure that we set up, and we'll be moving on to how we gained access to the internal networks, what privilege escalation techniques we tried out, and how we compromised the entire domain. Finally we have a few key takeaways for the blue teams to integrate with their own SOC or security controls, and if time permits we have a few minutes for questions and answers, and I'll be happy to answer any questions that you might have.

So starting off: we are Zenzero, a major managed service provider in the UK. We have a few offices in South Africa and a lot of offices in the UK. We are also a certified BOP cyber scheme sponsor and an accredited penetration testing provider. Up next, who am I: I'm a senior consultant at Zenzero with around four years of offensive security experience, and I love adversary simulation and red teaming. In my spare time I love to play around with EDRs, trying to bypass them and see if any of the techniques get detected. I have a few credentials in the offensive security space; it's not a huge list, but I've listed them out there. As we all know, red teaming is a team sport. We need experts from all aspects of the cyber food chain for an assessment to go well, because you don't know what you want to do in the next stage; it's all about the element of surprise in red teaming. So whenever I needed help I looked to Zaman, who is our head of red team and head of cyber. Z comes in with around 25 years of experience, and that guy's pretty old; he's been around since pentest was a thing, so he brought an enormous amount of wealth to the assessment, an added advantage. I led the assessment myself, but whenever I needed help Z and Abs came in. Abs, on the other hand, is one of the best social engineers I've ever worked with. This guy would literally sell you your own car for a higher margin. So that's how good he is.

So starting off with the red team infrastructure: for a red team assessment to go well we need the right tooling, and we need to ensure that we can rely on that tooling. So for that purpose we had a couple of C2s with one redirector each, hosted in AWS and GCP, with legitimate domains and certs installed on them. We also had one GoPhish server which had some modifications made to it just to avoid signatures and not get flagged by any email detection security controls that are out there. Also, just before we started the assessment, we knew from our preliminary reconnaissance what type of websites the bank employees were interacting with on a daily basis. So we registered 15-plus look-alike domains; I've used a few of the semantics that we came up with, and that's how the domains look. We did this very early on just to make sure that our domains passed through all sorts of proxy verification and interpretations that are out there.

So up next, let's brief about the mission. Obviously the target bank was Acme Bank. I just came up with a fictional name; as you all know, Acme is the legit term for something fictitious that's out there in cyber. The bank is actually being assessed every six months, and they understood themselves to have really good security awareness programs: phishing videos, phishing emails, all sorts of awareness programs that they had bought, and they are going through it on a daily basis, or let's say on a half-yearly basis or on a monthly basis. This bank had a global presence, with around $20 billion of assets all over the globe and 4,000-plus employees. Coming to the assessment's duration, it was around 80 days spread across a six-month period of time, but we were able to achieve our goal much earlier than that. The objective we initially had was to breach the external network, gain access to their internal systems and make our presence felt inside the bank's network. So that was our initial goal, but we also had an improvised goal coming along the way once we achieved one of the objectives; I'll talk about that in the upcoming slides.

So first things first: as with all traditional red teams, we started the assessment with reconnaissance and open source intelligence, and we mapped out the entire attack surface. We enumerated valid usernames, emails, VPN endpoints, breached credentials and more and more. This specific recon part is where we spent a great deal of time. We looked at the news and the ongoing events of their organization. We were combing through procurement sites to see if they had any arrangements with third parties, or if there were any mergers or acquisitions happening, so that we could facilitate a supply chain attack or gain access through a merged or acquired company, and we had all of this information in place. We essentially created a dossier of all of the data that we collected so far, and we put it up in a spreadsheet; it was very organized, with separate tabs. Because from our past experience we know that if you're going to conduct a social engineering assessment, or if you're going to phish someone during a red team, you need that data in hand and you should be ready to talk to the person; you should be able to convey the data that you have so that the assessment is more believable. If you are phoning up the help desk and saying "I need access to this", you need to have your data in place, and you could build up the rapport or the relationship with the help desk so that your phishing scenario is believable.

So we tried to look at all of the legacy systems, routers and everything that's hosted out there. But at a later point we came to know that none of the externally hosted assets had any vulnerabilities or misconfigurations that we could take hold of or leverage to gain initial access. Their external network was pretty fortified, so we couldn't gain access through that. There was one router, if I remember correctly, somewhere in Europe which looked interesting, but later on it didn't lead anywhere. We deviated from the traditional route and wanted to go through the social engineering element of it. We did a number of campaigns, which we iterated each and every time. We didn't get any luck at the start. We sent it to a number of users, and then again to another number of users, but we weren't gaining any traction at all. So what we tried to do is we started to profile users based on their LinkedIn, and we targeted specific users, because obviously, you know, if you're going to send a phishing email to a head of cyber or a C-level, that's not going to yield anything for you. So we targeted someone who had less cyber awareness. Guess what had happened at this point? So we thought to ourselves, and there were a couple of brainstorming sessions happening inside our team, and we thought okay, let's split from here. We also didn't know if the emails were ending up in the mailbox or in spam, because obviously you're doing it from an external perspective.

So we thought, let's not add any links. Let's go with a combination of email phishing and a vishing scenario. Usually most red teams shy away from the vishing scenario of phoning up any of the employees of the target organization, but we at Zenzero take everything as a challenge and we do it, because we obviously have Abs. So we came up with this specific scenario where we created a document, which wasn't really a document, just an HTML template, and we put it in an email and sent it across to multiple users in the bank, but we also had a specific number in the footer of the email. We procured this number through Skype, matching it with the previous recon that we did: we matched as many numbers as possible, the same area code and also the last two digits of the bank's original help desk. We sent it to a number of employees within the bank, and we sent it again to another number of employees within the bank, but nothing happened, and we waited a while for someone to phone up the actual number that we sent them.

So one user called John calls back to our number, and I think it was 3:00 a.m. on a Thursday morning. This chap was at the railway station, and he was so desperate and actually curious about what's in the document; he needed access to this document, so he called us back. One of the members of our team picked up the call and was like, "This is the bank's help desk. How can I help you?" So John explains the situation to us, and the team member says, "I've had this issue quite a few times in the past few days, so we'll help you out. Don't worry." And we actually asked John to enter a malicious URL. We gave it to him verbally; we didn't send it through email, we didn't send it through text message, we didn't do anything, we just spelled it out loud on the call, and John enters it into his corporate laptop and gets blocked. At this point I thought John would get suspicious, but he didn't. So we thought that link was being flagged by some domain or DNS spiders out there. We asked John to wait for a minute, we hung up the call, we created another URL, another domain, another phishing site, and called John again. John picked up the phone and he was like, "Are you ready?" Like, yeah, here's another URL, please go through it. And again he goes through it. Nothing happens; the same page is in place. So we thought okay, something's wrong with their corporate network, or maybe they have really good security protections or web filters out there. John pauses for a bit, thinks to himself, and informs us on the call, "I have an urgent call and I have to take it right now, I can't speak to you guys now," so he hangs up on us. The pressure starts to kick in and everybody is second-guessing the choice to call him back, and, Abs being Abs, he called John again once more without hesitation, just a couple of minutes after John hung up. Guess what: there was no response at all. We all thought this was it, and I was literally wanting John to answer the call, but nothing happened. After a few minutes I'm sitting there: did we, should we have called him? And guess what? John calls us back, and he's munching food in his mouth. It was around 2:00 a.m. at that time; probably he was making himself a sandwich. So this time we asked John not to enter the URL on his corporate laptop but on his mobile device. I don't know for what reason it allowed us in, but there were no security implications or security controls present on the mobile device. We asked John to enter his credentials, and this time he was able to browse to the URL that we sent him. So once he goes through it, we asked him to enter his credentials and his authenticator code, everything goes well, and one of the members of our team captures the credentials in the back end, logs in and adds our Zenzero authenticator app to his M365 account. Also, from the previous recon that we did, there were a few mentions of RSA and RSA terms being used within the organization, and there were a few logos on a few of the websites that are out there. So as a final step we asked John, "If you could give your RSA token code for security verification, that would be great." Again John, munching on his food, gives out the RSA token. So we got it finally.

So far we have access to M365. Once we got into M365, this time we were confident and we thought okay, something's happening now; we have gained some success in a couple of months. So once we got access, we had access to departmental slides, technical documents, what type of software they were using, what type of hardware was being used around the bank, and there were a lot of Excel files containing credentials there. There were also VPN user guides, which we were hunting for, because that's the only way you could gain access to the internal network. I don't know for what reason they have provided access to a non-technical person, but we were able to log in to Azure and we gathered usernames, system details, whether the devices were compliant or not with M365, and what servers were being synced; we had all of that data. We also profiled John as much as possible, and we knew that at some point we would need to impersonate this guy, because just by looking at M365 we came to know that there is no other possible way than to impersonate John and gain access. So we IDed him for a month. We were looking at his employee number. We knew more than John would know about himself: we knew his ID number, his seat number in the office, what office he works from; we even knew his dog's name. Another fun fact during the assessment: John called us for a legitimate query. He didn't know there was still a red team assessment going on or that he'd been hacked. He phoned us back and asked a legitimate question we didn't know the answer to, so we proxied it to the bank's original help desk, asked them what the solution was, they gave it to us, and we sent it out to John. So that was crazy. Anyway, moving on. So you might ask, if you had everything, you said you had the RSA token code and you have M365 credentials, why didn't you log in? Because John was an absolute workaholic. This chap works at a bank in a non-IT field or a non-IT department and sends text messages or Teams messages even at 3:00 a.m. in the morning. Who does that if he works in a bank? If I worked in a bank, I would happily go to sleep after 5 p.m. So again, coming back to the topic, we needed the RSA token code. We had the PIN code, but we didn't have the token code, which is the authenticator of the RSA itself. We went all the way back to his first joining email, but it was one-time only, so we couldn't actually use it. So, bringing the pieces back together: to gain access to the VPN we had the SSO, that's the M365 credentials, and we needed the RSA code. To do that we actually probed the bank's original help desk and asked them what the process was to do a new installation, and they said if you want a new installation of the RSA token, the previous installation that you have might be invalidated. So we thought to ourselves, oh, that's a bummer.

And if we do this, if we call the help desk and John gets notified, the assessment ends. So, coming back to John's personal travel details, we knew that John was going on vacation a week later, from Europe to another place, and he had booked his flight tickets, and for some crazy reason he decided to leave them out in his M365 or SharePoint folders. We got hold of them, and we knew that at this certain time at this certain place he's going to board his flight. One negative point that we had was that it was just a three-hour window. So as soon as he boards the flight, we need to make sure that we have everything in place: email the IT help desk, call them, set the RSA token and gain access to the VPN. So, a three-hour window; in our office room a few of the members were there, I was working remotely, and we told them to put up a flight radar, and the flight plan of the plane that he was going to take was all on screen. Everybody was screen sharing and we were literally waiting for him to board the flight. Once we saw that the flight took off from the airport, we called the bank help desk. We requested an RSA reset; that was successful, and we received a QR code from the help desk to John's email. We registered our own RSA token authenticator, and we also deleted that email from the bank's actual help desk. Also, we made sure we cleared our tracks: from our fake bank help desk, we sent out an email saying that your new RSA token code has been extended, and this is the new token that you should be using. We deleted the original email, and John is above 30,000 feet in the sky; he doesn't know he's been hacked. Now we have two hours left. We logged into the production environment. So before doing that we created a new Azure VM. Authentication was successful, but there were compliance checks on the device, and that failed, and we weren't able to log in to the production VPN. So we were looking at all other sorts of VPN endpoints that we had gathered from the recon phase, and Zeke comes on the call and says, "Did you try the test VPN?" I was like, "No, why would I try that?" "No, you try." There was one specific string, tech1 bank.Vvpn, and I tried it out and we got in. For some reason they didn't have compliance checks over there. Personally I thought it's just a test VPN to see if the VPN is working or not, but later on we found that the test VPN is used for third-party contractors to do pentests and other sorts of internal testing. It was a gold mine for us. However, from the VPN there were no servers accessible, just the Citrix endpoint. So the VPN was basically a jump box; we had to go to Citrix to connect to the internal networks.

So after we let our point of contact know we were able to gain access to the internal network, that we had gained access to the VPN and Citrix, they told us, "Now, really great, you have a new set of rules." I'm thinking, okay, fine: you have two EDRs present, and you should be able to privilege escalate from the standard user that you have already compromised, compromise the domain, monitor bank communication, that's to compromise their Exchange, and gain access to the cloud application that they have built themselves, the in-house application that's out there in Azure.

So phase two is that we got access and pivoted from the VPN to Citrix, and we started our enumeration to see what's out there in their internal network. For some reason Command Prompt was disabled, but PowerShell wasn't. Another fact is that the Active Directory module was pre-installed; I didn't have to do anything. So all I had to do was run commands, and we enumerated all sorts of critical servers that are out there: domain controllers, certificate authorities, Azure sync servers, databases, privileged groups, you name it. Everything was in our hands, and this specific enumeration went on for 30 to 45 days. We were so careful that we would run only specific commands in specific time frames; we didn't run two commands within 5 minutes. That's how cautious we were. After the enumeration we found out that we had access to 18 terabytes of storage files in shares, and this specific share had sensitive information like bank documents, vulnerability reports, passwords in files, Excels, etc. We also identified a few misconfigurations. We had 50-plus service accounts with an SPN set, and two service accounts that were part of admin groups, which we were able to Kerberoast. You could ask why we chose these specific two user accounts: because these specific accounts didn't have password expiration and they were part of a few admin groups. So that's why we targeted these specific two accounts. One server was configured with unconstrained delegation, and one account had generic privileges over the unconstrained delegation server. The conclusion till now is that we need to abuse these two service accounts and we need a valid attack path to reach Bob, so that we could gain access to the unconstrained delegation system. So this is how our attack path looked: once we gain access to Bob's credentials, we would be able to abuse the unconstrained delegation PC, and Bob himself had a self password reset ACL applied to him to gain privileged group access, and we would be able to access the Exchange servers if we abused them too. Remember we had access to a whole bunch of shares; we were literally sitting on the keys to the kingdom the whole time. But at that stage of the assessment we didn't know what passwords we would find. We wrote a simple script in the background to enumerate the shares, and we made sure the script was stealthy: it queried one folder for 10 minutes and had a buffer time of another 10 minutes before it went forward with another share or folder. Each and every command that we ran, we replicated in our test environment. We do this for every one of our assessments; we replicate the environments out there. We procured CrowdStrike, we procured prelex, and every command and possible enumeration technique was tested. There was one living-off-the-land technique that didn't raise any alerts, but that specific technique didn't work within their environment because, for some reason, traffic wasn't going out.

Also, we created bespoke malware that evaded CrowdStrike and relics; I think we did that within 10 days. So coming to the bypass here: the configuration is that we set CrowdStrike Falcon in aggressive mode, and relics had all of the elements and all policies in the trial version. Just to give you a hint here: this was a configurational bypass, which means that we were able to bypass this only on aggressive mode, not on extra aggressive. We didn't implement any run processes in the malware; this specific malware was only to give you a reverse connection back to your C2. With that being said, we could use a SOCKS proxy to actually move; we didn't have to be confined to the restricted Citrix environment. So we tested out our malware. This is the output from our test environment: as you can see, CrowdStrike Falcon is up and running, endpoint relic point is there, and we got a connection. After this was tested out, we tried out all the SOCKS proxy commands using the Impacket toolkit that we would be using for Kerberoasting and all sorts of stuff. So once we were certain and confident, we dropped our malware in, and I was waiting there for 5 minutes to get a reverse connection back, and I thought something had got flagged, but after 5 to 8 minutes we got a reverse connection back, and everybody in the team was rejoicing; they were so happy that we were able to bypass CrowdStrike and relics within a few days of the assessment, because we initially didn't have any knowledge that it might be CrowdStrike and relics. So this itself was a huge achievement for the team. We also initiated the SOCKS proxy. This is the actual output where we abused the service accounts and got the credentials. We abused two service accounts, but only one password was cracked. After we gained access to that specific account, we laterally moved, and as we expected, that specific account had access to a few data integration services. Even though the user was part of the deny log on locally and deny remote logon groups, we were able to log in to the systems, and we searched through all of the shares and files that are out there and were able to retrieve the credentials of Bob, which, if you remember, was the valid attack path: there was one script which had the credentials of that specific user.

So at this point we had two ways to go. One, take the first attack path, that's to abuse the group ACL and unconstrained delegation. But for some reason, when we tried out unconstrained delegation in our own environment, it got picked up. It's because you need a specific tool like Rubeus to run it, injected into a fork-and-run process, to evade it, and we didn't have the time to do the research or implement it, because we were in the last 5 days of the assessment. And remember we had started a script that was running in the background: after 15 days we had the results of the entire shares, and one of the files had the root password of ESXi. That was a gold mine for us. So once we logged into vSphere as root, we saw a domain controller running, and these guys had 50-plus domain controllers in their environment. We targeted one domain controller which was pretty old; nobody gave an eye to it, it was just syncing for some purpose, and nobody did an update over there. So we thought, why don't we just switch off the domain controller at late hours, exfiltrate the VMDK file and send it out to our own domain that we have hosted? Even if we do that, it wouldn't be logged as a security event. It would be just a network event, because the VM would just go down and all they could see is a blip. Even a single alert would be raised in the SIEM dashboard. So once I got the approval from my senior official, "Yeah, you could go for it," we switched off the DC, exfiltrated the VMDK file and copied it to a share folder, and we hosted a malicious domain, acme finance, in the cloud. They also had a few filters in place: when I tried to access the malicious domain that I created from the Citrix environment, it gave me a warning, "This is an uncategorised website. You will not be able to access it after 24 hours." But still it gave us a 24-hour window. So this itself is a major misconfiguration, because in 24 hours I could literally upload all of the financial documents that I had my hands on. So we exfiltrated the VMDK file and there were no alerts. After 5 days, while we were doing post-exploitation, the point of contact said, "We have spotted you," and I was like, okay, that's good, but we have achieved our goal so far, and we thought, how long would it take your SOC to identify us? We took a much more confident approach; we were just going all guns blazing inside the internal environment once we had the VMDK file. So that's pretty much it, how we compromised the bank.

And a few key takeaways for the blue team: configure your EDRs and XDRs better; in the detection system settings, make it extra aggressive and prevent only with medium or high, as you wish. I know that's going to be a lot of false positives, but it would give you an upper hand in having visibility of all the things that are going on out there. Implement advanced IOCs with event-based rules, not just going with the existing IPs or MD5 hashes or other sorts of techniques that are out there; correlate it with the event-based rules. Configure alerts on critical endpoints, even if it's an informational alert, because you never know if your critical systems are turned off; you should always be suspicious that something's going on out there. Configure impossible logins with geo restrictions, and make sure that nobody else is trying to impersonate any of your employees. And finally, give out more security awareness with sophisticated security phishing scenarios, or implement red teams and red team assessments with specific use cases and scenarios like we did, so that it would stress your employees, your processes, your procedures, your organization. So that's pretty much it. If you guys have any questions,
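The two detection takeaways from the talk (alert when a critical endpoint goes down even if the source rates the event as informational, and correlate that with an event-based rule on outbound traffic) as an added example in Python. This is not code from the talk or from Zenzero; the log format, hostnames, thresholds and the acme-finance.example destination are all constructed for the example.

```python
"""Correlated alerting: a critical asset goes down, then a large upload leaves.

Constructed example. Log line format (made up for this example):
    <iso_ts> <source> <severity> <host> <action> k=v k=v ...
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical inventory of assets the SOC tags as critical (DCs, CA, sync server).
CRITICAL_ASSETS = {"dc-01", "dc-legacy-02", "ca-01", "aadsync-01"}
# Actions that mean a system went away, whatever severity the source gave them.
DOWN_ACTIONS = {"vm_powered_off", "heartbeat_lost", "shutdown"}
CORRELATION_WINDOW = timedelta(hours=24)  # the filter's grace window from the talk
EGRESS_BYTES_THRESHOLD = 1 << 30          # 1 GiB; a DC disk image is far larger


@dataclass
class Event:
    ts: datetime
    source: str    # vsphere, smb, proxy ...
    severity: str  # info, warning, high, as rated by the source
    host: str
    action: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one log line in the constructed format above."""
    ts, source, severity, host, action, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 source, severity, host, action, fields)


def detect(lines):
    """Return alerts from two rules.

    Rule 1 (critical_asset_down): any down action for a critical asset is raised
    as high severity, even when the hypervisor or monitor logged it as 'info'.
    Rule 2 (egress_after_critical_down): a large upload to an uncategorised
    destination within CORRELATION_WINDOW of such an outage is raised as
    critical and linked to the asset that went down.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    alerts, outages = [], []
    for ev in events:
        if ev.action in DOWN_ACTIONS and ev.host in CRITICAL_ASSETS:
            outages.append(ev)
            alerts.append({"rule": "critical_asset_down", "severity": "high",
                           "host": ev.host, "ts": ev.ts.isoformat(),
                           "source_severity": ev.severity})
        elif ev.source == "proxy" and ev.action == "upload":
            size = int(ev.fields.get("bytes", "0"))
            if size < EGRESS_BYTES_THRESHOLD or ev.fields.get("category") != "uncategorised":
                continue
            for outage in outages:
                if outage.ts <= ev.ts <= outage.ts + CORRELATION_WINDOW:
                    alerts.append({"rule": "egress_after_critical_down", "severity": "critical",
                                   "host": ev.host, "ts": ev.ts.isoformat(),
                                   "dest": ev.fields.get("dest"), "related_asset": outage.host})
                    break
    return alerts


# Constructed sample: an old DC is powered off at night, its disk image is copied
# from a share, then uploaded to an uncategorised domain; the rest is benign noise
# (a build VM power-off, an approved upload, a late upload outside the window).
SAMPLE_LOG = [
    "2025-10-02T01:05:00Z vsphere info dc-legacy-02 vm_powered_off user=root",
    "2025-10-02T01:20:00Z smb info ctx-jump-07 file_copy path=//fs01/share/dc-legacy-02.vmdk bytes=53687091200",
    "2025-10-02T02:40:00Z proxy info ctx-jump-07 upload dest=acme-finance.example bytes=53687091200 category=uncategorised",
    "2025-10-02T09:00:00Z vsphere info build-vm-12 vm_powered_off user=dev-jane",
    "2025-10-02T09:30:00Z proxy info ws-0441 upload dest=sharepoint.example bytes=120000 category=approved",
    "2025-10-04T10:00:00Z proxy info ws-0102 upload dest=unknown-cdn.example bytes=2147483648 category=uncategorised",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first rule fires on the 'info' power-off of dc-legacy-02 alone; the second fires only because the large uncategorised upload falls inside the window after it, while the same kind of upload two days later does not.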