Report Like You're Crazy

BSides KC · 2023 · 26:20 · 58 views · Published 2023-10
Tags
Style: Talk
About this talk
A collection of (redacted) stories of using Open-Source Intelligence and Offensive Security Techniques to create some truly crazy yet actionable malicious scenarios to show the overall risk of organizations. Includes:

• Liquidate one of the largest mining operations in the world.
• How to ruin a good bottle of wine
• Lights out with a .22

Over the course of my career, I have conducted multiple investigations and penetration tests that have had some reports that sound more science fiction/spy thriller than rooted in the reality of your everyday risk assessments. This talk is a (redacted) retelling of some of the scenarios that actually landed in a client's hands and were received seriously.

Operation You're Mine: Through an open-source intelligence (OSINT) investigation we were able to determine that one of our clients could be a stepping stone to conducting wire fraud from one of the largest mining operations in the world.

How to ruin a bottle of wine: Another open-source intelligence (OSINT) investigation showed evidence that it was entirely possible to manipulate the soil's acidity to ruin an entire wine vintage for years!

Lights out with a .22: The United States power grid is set up in such a way that any physical attack would be highly successful. Using open source intelligence, we can map out how and where to systematically target assets within the grid to destabilize the power grid or shut it down entirely.
Transcript (en)

All right, everyone's here from the keynote, right? So instead of being lazy, let's be crazy now. So, brief introduction of me: Capro is my handle, you can call me Nate as well. I am a senior offensive security practitioner for Brillet; I'll get into them a little bit more later. I'm a former podcast contributor to these guys here, been doing that for a while, and then, you know, you get a job and you have less time for that. So what the talk's going to look like is: first I'm going to say what I mean when I say "report like you're crazy", what do I actually mean by crazy, and then after that we'll go through three different scenarios that kind of come off of that mindset, that I've made reports for in the past. They're all non-specific and generic and no names are out there, so I'm not giving you guys information... I mean, you could probably figure out who it is after this, but we'll go from there.

So what do I mean by crazy? What's the number one thing that we write in our reports, offensive or defensive? We're looking at vulnerabilities, right? We're looking at the numbers, we're looking at CVSS scores, we're looking at, hey, is it a critical, medium, high, low, whatever. So I always put this out there when I first started: if we get a CVSS score, like an average of an 8.9 for a client, that's considered high under the CVSS standard, but if there's a tenth of a percent more, it's critical, right? There's a lot of stuff going on there; it doesn't really tell us the whole story. And a lot of the time I would see clients or other pentesters get stuck in this number crunch to determine risk. It's like, well, we only have a seven. Well, that seven also includes SMB signing not being required, and there's a whole other attack that's available there.

So as I started to go away from pentesting for a bit and started doing OSINT investigations for a while, I said, well, what if we thought up some crazy ideas of how vulnerabilities, in the context of the information that we have, would affect an organization? Basically what that means is: how crazy of a story can I make, like a D&D campaign kind of encounter, to make it sound like this vulnerability will screw you up. Like, big bad guy dragon comes in and all hell breaks loose, but it's because you have an SSL vulnerability on the external. Small seed, big story.

Generic talker/presenter quote, but it fits. What I was trying to say is, well, if I'm going to be crazy I have to make sure that I'm not wrong. So of course it sounds like I'm going to make up something crazy; that doesn't mean that it's wrong to say it. So in the talk we're going to go over three scenarios that I've actually written up for different clients, and the methods and the mindset to get there.

So the first one is called Operation You're Mine. We had an OSINT investigation where we had a law firm in Africa. We were supposed to get all of their tech stack, all their external stuff, figure out what internal tools they may be using via OSINT, and then also look at their personnel. Their personnel specifically was a bunch of lawyers, law firm lawyers, who were specializing in mineral extraction law, or a couple of them were, and that's important later in the story. So what do we do? We looked at their tech stack. It's a tech stack in Africa, yeah, it's pretty minimal. Not a lot there, zero vulnerabilities, looked like it was pretty much patched up. There weren't many services; their web app looked fine. Looked at the socials of every single lawyer at the firm: Facebook, Instagram, Twitter, LinkedIn, we found all that. Nothing really stood out; we didn't find anybody embezzling or doing anything super nefarious or whatever. And then here's my, to go off of Tim from the keynote, here's my lazy hack, and it is what I call the Holy Grail of OSINT: if you take a company's name or their company email or a person's name and type filetype:pdf into Google, it searches all PDFs that Google has ever indexed to see if that name or email or whatever shows up in that PDF file. So I ran that and I found out that there was this massive, massive mining project for graphite that one of the lawyers was the notary on, and it was between two multi-billion dollar mining corporations, one of which being out in the European Union, and they were pretty international, and they were selling that project over to an Indian corporation. I'm not kidding when I say the dollar amounts were a lot, because graphite, for those that don't know, is one of the main components in all the lithium-ion batteries that are going into cars, so a lot of people are wanting to get mining rights to that so that they could, you know, be a part of that supply chain. But in this document, I read the whole thing, it was like 120 pages, greatest reading material ever. The problem that I found was that not only were emails in there for the lawyer, but there were emails in there for every single board director from either company and every single C-suite member from either one of those companies.

So then I was like, well, okay, what do I do with this information and how do I show a threat here? And I proposed this, and this is a very dumbed-down version of it, because I had names, like who's the accountant at this other place and whatever. So my first thing: I'm going to phish the lawyer. I'm going to impersonate that lawyer for the rest of it. And then I said, okay, cool, once I get into his email we can then impersonate him to phish all of the board members to say, hey, we have some updates on this PDF and this new contract because this new law came out in this country in Africa, and here's the PDF of all those details. Boom. Okay, cool, that PDF's got a malicious payload in it that talks back to my C2. Boom, boom, boom, I'm inside both of those networks and then can pretty much do whatever I want: create a wire fraud, or hold them for ransom, have someone else do the ransomware attack, things like that. I wrote all of this out in my report. I even had it to the point of, like, I found every single person in the European mining company that would be required to sign off on a wire transfer of over a million dollars, to the point of, yeah, okay, I'm writing that down, and I graphed it all out, similar to this, with people and names and whatever, and I did it for the Indian company as well. So after you impersonate him to phish the board of directors, it flips to either company. So the client didn't talk to us for like two to four weeks after that report was given, and I thought I had just lost us a client for writing that into a report. But instead they came back and said they took it very seriously, and they actually found multiple vulnerabilities inside the internal network, and they found more documents that were in there just left unsecured for this deal. It was bad. And they were like, thank you very much for bringing this to our attention, to which, reading that email, I was like, oh no, just no, I don't... okay. So then it was a huge success on that report and my boss was like, okay, you're going to do this again.

So for context, I want to see who knows how wine's made. Complete change of pace here. Who knows how wine's made? Okay. In general, these are kind of the things that you need to do and need to have to make wine: you need soil to plant in, you need specific grapes, you need to harvest, crush, ferment, barrel age, bottle, sell. Okay, cool, there's the loop of winemaking. We're going to focus on this for the context here, the actual soil. The reason for that: I got off work one day and my wife was watching this video of this video game, it was this wine tycoon game, and I was like, oh okay, this is kind of cool. One of the features of it was you had different soil types that were going to be, you know, better for making a Chardonnay, a Merlot, whatever. I'm not a wine guy; those are the only ones that I know. Cabernet, Shiraz. Okay, now I guess I know I've been hanging out too much with my wife. That's not a bad thing. So then we got a client right afterwards, or like a couple weeks later, and it was a winery. So I'm like, oh cool, this is kind of interesting. And the personnel that we were given to look at: a bunch of salespeople, distributors, truck drivers, contractors. We did the exact same thing as for the African law firm. We looked at all their vulnerabilities that were out there, nothing great, it was a bunch of SSL v2, v3, whatever, there wasn't too much there. We looked at their socials, you know, no one's selling wine on the side or being like, hey, the company's really bad, no one's going out and saying, hey, if you were to walk into this room at this night there's free wine or something like that. So nothing really stood out. So I go, okay, cool, Holy Grail time, let's try this again. And I found a PDF that looks similar to this. And for those of you that haven't taken, what's the course now, geography or geology, in high school, this is a pH, or basically just a pH metering map. So when you do a soil test for planting or farming anything, a lot of times we'll do a soil test to see, hey, how good is the soil, is there any sort of area that we need to worry about. And it basically either looks like this or it'll look like a paint-by-numbers of how the pH level looks. And I found on their website, their WordPress website, buried in a link somewhere, a map that literally looked like paint-by-numbers of all their fields and what their pH level was for the entire field. So it was like 8.5, 6.5, 7.3 or whatever.

So what does that mean and what can you do with that? Well, due to looking at the actual field from Google Maps and satellite images, we were able to see, oh, they've got automated irrigation systems all over the place, they've got this big central spot at their warehouse there. So I went, oh okay, cool, so what if we geolocated a bunch of IPs that were in their system there. I'm not kidding you, and this is the most terrible thing to ever do: do not put PLCs on the internet with the port open to the internet. Clicked, looked at it, yep, and called them immediately and said, hey, this was out there, turn it off now, because we were able to see exact pH levels going out to every single field. And so when we went into the report we said we can either physically go there and start screwing with dials and knobs and whatever, or we could have just looked at the OT network like we did and then sabotage that soil that way. For fun, I went, I'm going to go to Amazon and buy a bunch of lye, which on the pH scale, you have zero and 14, lye or caustic soda or whatever is 14, so it's the highest concentration you can have. I was like, I'm going to hire my buddy that knows how to fly and we're going to take a cargo plane and just dump that over all their fields. Instantly, that would screw up any sort of soil testing; it would cost them millions of dollars to get that back. And then if they were publicly traded, which I believe they were, I was like, okay cool, so then we just short the stock when that comes out, or just hold the short forever, and then we make a bunch of money. Sounds like a good idea. It's not the weirdest thing in the world, but you can go like that. To which, like I already said, they were like, oh okay, yeah, this is really, really bad. We tightened up all of our physical security, we've got all the irrigation stuff now talking not to the external internet, this is great. And they looked at the plane one and they went, yeah, we have no idea how we would address that one. And I'm like, you really can't. But they bought the plane thing though. They bought it. It's going to be funny.

But then actually those two reports caught the eye of another person that I was working with who eventually went to a different company, and I now work with him at the same spot. So I'm now working for an electric co-op, or a subsidiary, but an electric cooperative. And what electric cooperatives are: think of it as like your farming cooperative; they're not-for-profit. But a key note here is that electric cooperatives cover about 50% of all the land mass of the United States. So you have your Evergy that's going to get your major cities and stuff like that, or your major metropolitan areas, but then the rest of the rural areas of the United States, those are going to be your electric cooperatives and stuff like that. Or even in some major cities, like for me in Houston, I've got an electric cooperative that runs a bunch of stuff. So as we were talking pre-hire, trying to build out the job and figure something out, he asked, what are the biggest threats you see to the grid in general? And I went, oh. And by the way, the title of this one was Lights Out with a .22. So I said, okay, so here are the three threats that I see, like top threats. Russian state-sponsored hackers with the ability to disrupt OT controllers, basically what they've been doing in Ukraine since 2020, or 2014, holy cow, I haven't been able to say 2014 today. Basically the lights-out stuff that they've been able to do where they go into a substation, they go into the power plants, and they just start flipping switches to see which one turns everything off, and just full disruption. Second, ransomware. Biggest thing is, like, if they phish and get in, I know this is antiquated infrastructure that's probably on defaults for every single Active Directory default that you have probably ever seen exploited anywhere. They all have tools for this. So if they get in, ransomware actors are going to be the next thing. And then the third one, and the most weird one that I came up with with him, I said, well, what if I just went to a substation and shot out the cooling fans real quick? And he's like, that would be really bad. And I'm like, yeah, that would be really bad, right? Because, and I'll get into why later.

But what was funny is I didn't even guess how really bad it was. It happened a week later. Some guy back in, wait, January, February of this year went out into Carolina and just shot out some transformer on a substation, created this huge arc fire that firefighters were battling for like four days, and then they had to set up a mobile substation to reroute all the power until they could fix it, and all this other stuff. And I was like, okay, well now I get to explain how this works. So why does this work? Well, if you look at any sort of substation as you're going by it, you're going to see these massive cooling fans, right? Those cooling fans are set up to cool what is called galvanized steel, where it actually has magnetized strips through it. So they have a neutral strip and then they have a magnetized strip, and if you put a hole where two of those magnetized strips meet and then also add a bunch of heat to it, the electricity will actually power its way through that heat through a positive charge and then just explode out until it finds ground, because there's so much high voltage there. So if you just nick one of those fins or take out one of those fans and let it get too hot, boom. Why does it work, or why did this work in the first place for this substation? Substations are in remote areas. I don't think you want to be living next to a substation, because one, high voltage, and two, it's kind of loud, because all you're hearing is just high voltage the entire time. Due to just environmental easements there's a plethora of cover around these things, so whoever, they never caught that guy, whoever did it, they were able to just hide inside of the foliage or inside the woods that was right next to it and just pop shots from there. And also physical security is lacking. I don't know anybody who, as a security guard, would be like, oh yeah, I want to go and patrol a high voltage thing where if I walk the wrong way I could probably kill myself, this is great, I love this job. But it is what it is. There was a company out in Idaho that said, oh, we've got the solution for this, and they basically took a tank-style approach where they just made four-inch thick steel covers for it that make it look like a bunker from Warhammer 40K that just slips right over these transformers. And we're like, yeah, that's cool, but how much does that cost? About a lot. It was like, okay, fine.

And this wasn't the only planned attack either. That one in North Carolina was planned. The one here that did get caught, there were like 12 people, and this is like an hour away from me that this happened earlier this year as well, where they had like 12 people ready to go and do the exact same thing. But then my boss asked, after that happened, he said, well, what would you do better, or what can you do better? And I'm like, well, we've already been doing it forever, we've already been thinking like this. There's a great talk by Chris Rock, not the comedian that got slapped on stage, he's an Australian guy, he runs SIEMonster. He did a talk called How to Overthrow a Government at DEF CON 24. It's one of my favorite talks. One of the parts of his talk, he goes over, you know, how do we disrupt power, how do we disrupt water and electricity and all that stuff. And part of that caption says, I don't have C4, but I have a bike frame, two table saws, and a drill, and a drone. Meet Mr. Choppy. Yeah, if that's not stealing jokes I don't know what is. Anyway, so I put this up here to say, okay, cool, if I'm going to do this now, I'm not going to be anywhere near a substation. I'm going to just send a drone in. We've already seen in the past year how effective drones are just in modern combat, and also, you know, they're getting super advanced, whereas five years ago it was like, cool, a DJI... a DJI drone still is expensive, it was like three grand or something like that for a really good one, if not more, but now you can wire up one for like 150 bucks and just throw it away, throw it at anything you want.

So he said, well, what's the other thing? Like, yeah, you can use drones, you can do this. And I'm like, well okay, so here's the other thing. I would actually target these instead, not the big substations, I would target these first. So on your poles you have three transformers that are up on there. A lot of times you'll just see one or two depending on how densely populated the area is that the pole is located in. And I was like, these cause specific outages. Basically what this does is you have your hot line that goes from the high voltage that's supplied by the substation, after it gets power from whatever power producer you're getting it through, and then it'll go into those transformers and basically bring it to your house. So those step it down from high voltage down to usable, like 120/240 volt. So I was like, well okay, so if I get five guys together and, since we're in Kansas City, I go in like a 5 to 10 block radius and I've got all five guys looking at different poles and I sync up and say, okay cool, take all these out real quick, boom boom boom, power goes out for like all 20 blocks. Okay, power company sends out a bunch of guys. They get diverted away from larger substations that may be affected, that may be out in the middle of nowhere, and then I've already got my drone over there to say, okay cool, boop, done. Drone just drops something or cuts lines or does whatever and makes an explosion there. Boom, done. We don't know what happens at that point, but I do know, and there is a lot of research behind this, that if power is out for more than three days, martial law goes into effect, because a lot of places won't get water, a lot of places won't get gas, so heating, cooling, food gets to a point of no return, anything that's refrigerated. I know I'm a real bummer after the keynote. Another bummer is that this is super effective because those transformers, the smaller transformers, not the bigger transformers, have been on back order from suppliers in the United States, or just internationally, for over a year. There are people and cooperatives out there that are still waiting on stuff they ordered a year ago. And so that was the main thing that I said. I was like, okay cool, so the other thing that we could do is we could just disrupt all these supply lines. There's a lot of, it's like physical attack or operationally, it's kind of a lose-lose scenario here.

Well, one of the things that we started implementing for us at the cooperative: we started saying, okay, we have a culture of we want to help our members, or their customers, and I said that's great, we need to help ourselves first before we can do any of that. And when I say that, I literally just ripped into every single vulnerability that they had on my first day, and also probably got DA within five minutes of me getting my work computer. It happened. And then they said, okay, well how do we fix it, and then just build up from there. So it's more of just these things: you want to give them the worst case. They asked what the worst case scenario was and I gave them exactly what I told you, and they're like, okay, you have our attention now.

So now you all think I look like this right now, it's Pepe Silvia. But what are the takeaways that I wanted to bring away from this? As hackers in general, offensive, defensive, whatever, we get to see writing on the walls, that is stuff that other people aren't going to look for. Your accounting person is not going to see, hey, Exchange on-prem is external on the internet, or something like that. You're going to be able to see different things, like, hey, we're getting stuff at like 12 a.m., why is Bill from accounting logging in at 3:00 a.m. on vacation right now, or something like that. We're able to see that; we're able to look and correctly see. And we're also able to read; we're the ones that look at all the breach notifications, we're seeing all the different articles, we're able to see, okay, this actor uses this, this actor uses this and has these methods. We can then build up around that and figure out, okay, what's our worst case scenario as a company? You have that internal context as an employee, or as just an attacker that's looking at their company in general. And as ethical hackers it's our job to correctly and effectively convey threats and risks to organizations whether they're going to like it or not, because I've had a lot of places that have said, and I know this has happened, I'll give the report to whoever our point of contact is, and it's like, I know he's changing stuff on it, there's no way that he's getting away with this to a CEO. And it's like, okay, that's fine and everything, but it's better that I have sounded crazy to get a point across, like, hey, this is really bad, this could lead to this crazy scenario or something like that, than to have not said anything at all. Because what's the worst thing that you can do ever? Not say something that exists. So if there's a problem, not saying a problem exists is almost as bad as hitting enter on the keyboard. Anyway, that's my talk. Hope everyone enjoyed it. And did I get us back on time?
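The "writing on the walls" the speaker points to near the end of the talk (Bill from accounting logging in at 3 a.m. while on vacation) is the kind of thing a defender can turn into a simple detection over authentication logs. The following is an added example, not code from the talk or from the speaker's employer: the log lines, the `<first>.<department>` username convention, the department working hours (including an overnight shift, which goes a little beyond the talk's example) and the leave records are all constructed.

```python
"""Flag successful logins that contradict what HR knows about a user:
approved leave and department working hours. Added example; every data
value below is constructed, not taken from the talk."""
from dataclasses import dataclass, field
from datetime import date, datetime, time

# Constructed sample auth log: ISO timestamp, username, source IP, result.
SAMPLE_LOG = """\
2023-10-02T09:05:11 bill.accounting 10.1.4.22 success
2023-10-02T23:30:00 alice.ops 10.1.7.9 success
2023-10-03T00:15:10 carol.sales 198.51.100.5 success
2023-10-03T00:16:02 carol.sales 198.51.100.5 success
2023-10-03T03:02:45 bill.accounting 203.0.113.77 success
2023-10-04T11:00:00 dave.it 10.1.9.3 failure
"""

# Constructed HR data. Hours are (start, end); start > end marks an
# overnight shift such as 22:00 to 06:00.
WORK_HOURS = {
    "accounting": (time(8, 0), time(18, 0)),
    "sales": (time(9, 0), time(19, 0)),
    "ops": (time(22, 0), time(6, 0)),   # overnight on-call desk
    "it": (time(7, 0), time(20, 0)),
}
VACATION = {"bill.accounting": [(date(2023, 10, 2), date(2023, 10, 6))]}


@dataclass
class Login:
    ts: datetime
    user: str
    source: str
    result: str


@dataclass
class Finding:
    login: Login
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the whitespace-separated format used in SAMPLE_LOG."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, result = line.split()
        logins.append(Login(datetime.fromisoformat(ts), user, source, result))
    return logins


def department(user):
    """Constructed naming convention: <first>.<department>."""
    return user.split(".", 1)[1]


def within_hours(t, window):
    """True if clock time t falls inside (start, end); wraps past midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def on_leave(user, day, vacation):
    return any(a <= day <= b for a, b in vacation.get(user, []))


def detect(logins, work_hours, vacation):
    """One Finding per successful login that contradicts the HR data."""
    findings = []
    for lg in logins:
        if lg.result != "success":
            continue  # failed attempts are a different rule
        reasons = []
        if on_leave(lg.user, lg.ts.date(), vacation):
            reasons.append("on approved leave")
        dept = department(lg.user)
        window = work_hours.get(dept)
        if window and not within_hours(lg.ts.time(), window):
            reasons.append("outside %s hours %s-%s" % (
                dept, window[0].strftime("%H:%M"), window[1].strftime("%H:%M")))
        if reasons:
            findings.append(Finding(lg, reasons))
    return findings


def summarize(findings):
    """Count findings per user so a single repeat offender stands out."""
    counts = {}
    for f in findings:
        counts[f.login.user] = counts.get(f.login.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), WORK_HOURS, VACATION):
        print(f.login.ts.isoformat(), f.login.user, f.login.source, "; ".join(f.reasons))
```

Both rules fire on Bill's 03:02 login, while the ops login at 23:30 is silent because the overnight window covers it.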