
Chris Horner - How to Lose Your Credentials and Gain a New Domain Admin

BSides Augusta · 2025 · 26:16 · Published 2025-10
Category: Technical
Style: Talk
About this talk
This talk will discuss how ransomware groups and infostealers operate, plus take a look under the hood of the dark web. The last part will detail a kill chain from a real pentest where dark web credentials led to network compromise from the external perimeter with privilege escalation to domain admin. It will also offer guidance to help companies prevent such attacks.
Transcript [en]

All right, good morning everyone. It's always a little bit of pressure to give the last presentation before lunch because you've got a bunch of hangry hackers going on, but bear with me and we'll get through this. All right, so my name is Chris Horner. I work for Rebyc Security, which is a consultancy in Charlotte, and we focus on offensive security testing. So, your pen testing, social engineering tests, vulnerability assessments, things of that nature. So, today we're going to talk about how to lose your credentials and gain a new domain admin. We're going to look at the problems of ransomware. We're going to take a look at how these groups operate when data gets breached. We're going to see where it ends up on the internet. And then in the end, we're going to do a walkthrough of an actual pen test that we conducted, and that will actually show how a ransomware attack could proliferate through an organization.

So when we talk with our clients, what we frequently hear is that ransomware and phishing are the two top concerns that they have. And these days, ransomware groups are highly organized criminal enterprises, heavy emphasis on highly organized. They operate with their own rules. They have their own goals. They have people that fill specific roles within their organization. But what this allows is for their operation to grow like any other business would. So a lot of times the way that these ransomware groups operate is they have affiliates, and affiliates are the ones that go out and carry out the dirty work while the ransomware group is providing the platform or the tools for them to carry out their attacks. The way that they profit is that if their affiliates are successful in extorting a ransom from a company, they give a kickback to the ransomware operator. But those kickbacks are highly in favor of the affiliates. Affiliates will keep 80 to 90% of the ransom collected. The ransomware group keeps anywhere from 10 to 20% typically. Other ransomware groups operate on a subscription model. But regardless, they enable people with moral flexibility to start their own little burgeoning criminal enterprises. And the only reason these groups exist is to chase the bag. And they do it because it's been highly profitable and highly successful for them. A recent study from Arctic Wolf showed that 83% of companies that are attacked actually end up paying the ransom.

Ironically, they have extremely high customer service standards. So, this is an example of RansomHub's terms of service. They expect their affiliates to operate in a certain way. For example, they do not allow attacks on Commonwealth of Independent States countries like Russia. They can't attack targets in Cuba, North Korea, or China. They do not allow attacks on nonprofit organizations. They do not allow attacks on hospitals. Not because they're altruistic or that they really care, but because if you mess with a hospital, they shut the place down, people start dying, law enforcement starts taking a lot bigger interest in your activity, and they try to avoid that as much as possible. They also stipulate no re-attacks. If you pay a ransom and their affiliate comes back and hits you again, they will provide you the decryption key. If you pay the ransom and their affiliate does not provide the decryption key, they'll step in and take care of it. And they even have contact information on their website for how you can get a hold of them if you have a problem dealing with them or their affiliate. So, they go to extraordinary lengths to make sure you walk away having had a good customer service experience when you deal with them. And a lot of legitimate companies could honestly learn from these groups on that front. This is a copy of a chat log from the ransomware group Akira after a company had paid the ransom. They went back and outlined exactly how they compromised their systems and what they needed to do to close it up. It became the most expensive internal pentest of all time.

So this slide is from Breachsense. It shows which industries are targeted the most. Construction and manufacturing lead the way. Construction sounds surprising until you remember they deal with a lot of confidential information. Who's really behind building projects? Not to mention they have a lot of subcontractors. They have a lot of vendors that they deal with, which, as we've seen in the news lately, ultimately increases the attack surface of an organization, and, let's just be honest, a lot of times they are typically behind the curve when it comes to cybersecurity preparedness. So manufacturing too: think about all the intellectual property that's contained in a factory when it's building whatever it's building. Not to mention the massive amounts of money that move through there. And it starts to make sense why these industries are so highly targeted. Then rounding out the top five, you have education, finance, and IT.

This is a snapshot of victim companies just from the last 12 months that have been victims of ransomware attacks. And if you look in the upper right corner, look how small that cursor is and how far down it goes. So that gives you an idea of the scale of this problem these days. And again, this is just from a 12-month period. As far as where these attacks take place, USA all the way. The US wins by a nautical mile. Over 51% of attacks are right here on home soil. The rest of the globe divides out the rest of the pie.

As far as who's carrying out these attacks, now this one, this slide I have to put an asterisk on, and I'll explain why in a bit. So for 2024, LockBit and RansomHub were the leaders in ransomware attacks. Those two organizations alone accounted for over 20% of all attacks, one in five. And Qilin down in the bottom right corner was 3.3%. So as we all know in the cybersecurity world, things move very quickly, and in the ransomware world, it's no exception. So we give different versions of this presentation to different groups, and these statistics were compiled around the first quarter of this year. Thing is, by the time we compiled them and then started giving the presentation, it was already outdated. Just in the first few months of this year, Qilin has now moved to the very front of the line as the most prolific attacker. RansomHub has since been shut down, and LockBit themselves was breached and their website was defaced about a month ago. The Center for Internet Security published these statistics showing that in Q1 of this year Qilin had moved from 3.3% market share up to 9%, and then by the end of Q2 they were up to, was it 24%? Yeah, 24% of all attacks. They are moving quickly and they are extremely good at what they do. Now there's a few different reasons for this, because when groups like RansomHub get shut down, the people that were working there, either with the operator group or the affiliates, move on to the next big thing. Currently that would be Qilin.

So one of the favorite tools of ransomware operators is infostealers. Usually these are delivered through social engineering attacks. It's delivered through email or getting somebody to click on a link that they shouldn't. And so what happens is their browser ends up getting infected. So these infostealers: we're all familiar with the autofill feature of a lot of browsers. Automatically fill in your name, address, phone, credit card information, usernames, passwords, etc. Well, guess what? If you get an infostealer on your system, it is siphoning everything out of those autofill things and transmitting it over to attackers. Some of them even steal session cookies, which attackers can then attempt to replay. They don't even need your username and password to log into whatever service you were using them for. And these infostealers can be set to update in virtually real time as well. So as it collects new information, it gets siphoned right on out. But once this information is collected, then the credentials, or wherever they were used, are used to carry out further attacks. So on the left side of this slide, this is an actual infostealer log, and you can see what kind of information it was collecting. Cookies, autofills, account tokens. This particular one also siphons some files out of the computer too. And on the right side, I redacted a lot of it, but this is what it looks like from the attacker viewpoint. They get the username and password in plain text, and the exact website that those credentials go to.

So, another problem these days is with our remote workforce. So, sometimes people use their personal device to log into corporate assets, and say their kid downloads the wrong Roblox mod and infects that system with an infostealer, and then that person goes and logs in to their company account. Oh, I just need to check my email or something. Well, guess what? Now those credentials have gotten out. And this is not a far-fetched scenario. So we might remember the Snowflake breach last year. What the indicators in that attack were was that Jira creds were captured from a contractor's personal device that was infected with an infostealer, and MFA was not required and in this case was not enabled for their login. So what ended up happening was an attacker got a hold of those, got into the Snowflake environment, and breached a whole lot of data from their customers. And the fallout from that was enormous. Snowflake was presented with class action lawsuits from companies like AT&T, LendingTree, Santander, Advance Auto, a dozen other companies who had their data compromised in that breach. Then those victim companies were then sued by their customers for losing control of all of that data. It's a gigantic mess and it's still rolling through the court system today.

Now, as far as this data, when it gets dumped and when it gets breached, a lot of times it's assumed it just goes to the dark web, and that's not always the case. There are actually websites on the clear web that deal in the sale of this breach data. 77 Store is an example of that. As you can see, they offer things like social security numbers, bank accounts, PayPal accounts, again, anything that you would need to extort or steal from somebody. And according to SecureWorld, our personal information sells for very, very cheap. A basic package of personally identifiable information, name, address, and so on, goes for as little as five bucks. Want to throw a credit card in there? $20 to $120 depending on the account. Your online banking credentials, $35 to $65. Copies of your IDs, $500 to a few grand. But interestingly enough, one of the most expensive records is healthcare records. And that's surprising to some, but think about all the information you have to fill out when you go to a healthcare provider. Then on top of that, while you can always get a new bank account number, you can get a new credit card number, you can even move and change your address, you can't change your health information once it's out there. So that information just is what it is. Those records typically go for an average of $1,000 each. Blackbed is another clear web site that deals in the sale of this kind of data. On the left side, you can pick the kind of industry, the kind of information that you're looking for. In this case, we were looking at banks. And then there's another drop-down. You can even drill down to the exact bank whose information you want to get. Add it to your shopping cart. Check out. And there you have it. It operates like any other e-commerce storefront. They just deal in terrible things.

So, when it comes to the dark web, our lawyers advise us we have to give this disclaimer. We don't recommend going there. If we're talking about the dark web in a situation like this, it's from an informational perspective only. It is a terrible place and nobody should ever go there for any reason whatsoever. Everybody clear on that? All right. So, here's how you get there. First, you have to download the Tor Browser. Tor stands for The Onion Router. You can get it for all major desktops and Android. And once you boot it up, it runs. It looks like the internet we're all familiar with. It just happens to run a lot slower. The main difference is that there is no Google for dark websites. You have to know how to find them. And again, from Breachsense, this shows what a dark web address looks like. They end in .onion. The middle of it is complete gibberish. You would never guess it. You would never accidentally come across it. So, you have to know how to find those kinds of sites. And then even if you go to one of those websites, they look like this. They look like they were created with all the latest and greatest technology from 1996. They just sell illegal things: drugs, roids, firearms, malware, whatever.

But if you want to track what's going on in the ransomware world, there's an open source project called ransomlook.io, and they track the activity of these various groups. The last time I updated the slide was about a month ago, and they were tracking 493 different groups across 137 forums and 200-and-some-odd (my eyes are old) Telegram channels. Telegram is the preferred encrypted program of choice for criminals and ransomware providers of all sorts. It's so notorious for illegal activity on its platform that the CEO was arrested last year in France under allegations they were doing little to combat criminal activity on the platform. But then you can drill down into the different groups. I used Qilin here. As you can see from the bar graph, they've been very busy. If this slide were to scroll down, you could even see the companies that they've popped as well as screenshots of what they do.

We talked about people that provide specific services within ransomware groups. Initial access brokers are one of these. The clue is in the name. What they do is they just sell the initial foothold onto a corporate network. They don't care about doing the ransom, doing the negotiating, or anything else. They just let it go. They just want to get their piece and move on. So, an IBM study showed that attackers were in a network an average of 206 days before ever launching an attack, which is seven months. What in the world are they doing in there for seven months? Well, if you're familiar with pentesting methodology, you've probably heard the word enumerate until your ears bleed. Enumerate, enumerate, enumerate. But that's important. It's the most important part, because how can you analyze something if you don't understand what's going on? So, that's what they're doing in there. They're doing recon. They're setting up their persistent access, siphoning data out slowly sometimes so it blends in with normal traffic.

RansomHub, when they were in existence, had a countdown page on their website that showed which companies were being extorted and how much time they had left to pay the ransom before their information would get dumped. So, funny story with that. Like I said, we do different versions of this presentation for different industries. And we were talking to banks and credit unions one time. One bank didn't show up that morning, and, you know, it's fine, things happen, right? So we decided it would be fun to pull this page up live during the presentation, and we saw that bank's name on there. They were on RansomHub's page. They were actually in the middle of dealing with the ransomware attack. So, like in meta a few weeks ago, we learned never to do live demonstrations ever again. But to the point of attackers taking their time on the network, this is an actual chat log from an attack group that was targeting a Catholic charity. They had done their homework. They knew that the organization had been extorted in 2020 and had paid the ransom. They knew the revenue. They knew how much employee benefits and salaries cost. Want to know what else? They knew how much they were covered for in cyber insurance. They knew exactly what to ask for because they'd seen the policy. And negotiating becomes an awful lot easier when you know what the other side has to spend already.

So as far as how an attack can unwind through a network, this is where we do the pen test walkthrough. And most of these slides are going to be from an actual test that we did. So we always start with OSINT research, and we're trying to find valid usernames of a company. And so the way we do that is scrape things like LinkedIn, ZoomInfo, stuff like that. Just trying to get names. We take different versions of the name, different email address formats, first name.last name, first initial last name, whatever, and we run it against the Office 365 login portal because that portal is weak to username enumeration. If you find a valid username, it prompts you for a password. If it's an invalid username, you get an error. So once we have the email address format, we take our list of names, we use a tool called MSOLSpray, and we spray our list in the correct format against the Office 365 login page. We combine that with a tool called FireProx. What that does is it rotates the IP address for every one of our requests so it doesn't look like we're doing what we're doing from the same IP. But the end result is we have a list of valid usernames that we know are good for that company.

We take that list of valid usernames and we run it against known data breach files and we look for matches. In this case, we found one. This particular client, one of their employees, their credentials were in plain text in a dark web data breach file. And I swear to God this is true, and I wish it wasn't. The password, of course, was password1234. Yeah. So, those credentials worked. We used them to log in and it worked. But we ran into an MFA prompt. What people sometimes forget is that Microsoft has a number of different APIs to authenticate against, and sometimes they're not all set up correctly. So, we use another tool called MFASweep. We used those valid credentials, figured out that if we authenticated against the Graph API and the Service Management API, we could get through without the MFA prompt, and we were in.

So once we got in there, we were on Azure. We dumped the entire username list and we started a password spray attack. And of course, we started with the one that we knew worked, password1234. And this is an actual screenshot, redacted, from that test. We found 36 more accounts that were using that password. And then worse, you see in the red box, some of them have notes. Some of the success notes say that MFA is in use. But if it doesn't have that line, there's no MFA on that account. So now we had even more accounts that we could use to try, you know, moving around the network without running into MFA. So we have weak password policy. We have password reuse, which is already off to a bad start. One of the sets of credentials got into their R&D SharePoint. So, if we were an attacker, this is where we'd siphon the intellectual property information. Another one popped open a Remote Desktop Web instance. We figured out at the top there, if we typed in C:\, we got to the top of the network drive, the very top of the C drive, and we could explore the rest of those folders. So, now we started seeing all sorts of stuff that we're not supposed to see. Eventually, we found where they kept their backups. This is another thing that attackers do. So, before they fully launch their attack, they'll either delete or encrypt the backups, but this is how they know where to go. And another reason they're sitting in there so long: they know those backups are going to become infected with their presence. So, if a company's facing a ransomware attack, they don't have time to sit there and go back and figure out when it happened. So if they try to restore from a backup, guess what? The access is still going to be there.

So then we used another tool, NetExec, and we were looking for SMB read permissions on SMB shares, and using the credentials that we had captured from before, we found the pot of gold in the SQL database. One set of the credentials had read permissions, and it turned out it was a SQL admin account, which, I will remind you, had the password password1234. Want to know what else? It doubled as a domain admin account. Another big no-no. So game over. So we had the keys to the kingdom. We dumped the NTDS.dit file, which has all the hashed passwords for the company in it, took it offline, and began cracking it. Because we're professionals, we don't look for just one path through the network. We want to find as many as possible as testing time allows. And we started our process completely over and just kept going. If you're following along closely, one thing you might have noticed: we never threw a single exploit. There were no zero-days. There was no wild coding involved. This was just a combo attack of weak passwords, misconfigurations, and overly permissioned accounts, which is the holy trinity of problems that lead to network compromise. And a finer point on that: these are things a vulnerability scan alone will never pick up. Vulnerability scans have their place. You can be patched all day long, but if we get your password and you've got your permissions set wrong, it's still going to be game over. And that's how it works with those ransomware groups, too.

And this is the final point: we are seeing a lot of clients that are implementing EDR systems. But what we're seeing is sometimes people treat these like silver bullets, and they're not. See, when we're doing our pen test, we're not trying to be quiet. We're not trying to be stealthy. You know, we're time-bound, unlike a real attacker. So, we're noisy and we're trying to go through and get what we can. But what we find, and we work with the IT team of our client because we want to notate in our reports what alerts they're seeing, so if this was a real live attack, how would they have fared against it? Would they have picked it up? Would they have stopped it? What we're seeing a lot of times is these systems still need fine-tuning. Alerts are not coming in at the right time. They're not auto-blocking certain things. That's what happened in this test. We never should have been able to dump that NTDS file without triggering something. They did get an alert and they contacted us 15 minutes after the fact: hey, we caught this. And, like, yeah, we're already cracking your passwords, sorry. Alerts are going to unmonitored mailboxes because Carl back here left three months ago and nobody rerouted his email. So if you're doing testing, do your clients a solid and test this with them. Have them test it like any other piece of infrastructure, and if you're the one approving tests, make sure your provider is including this as well.

So to wrap up: ransomware, phishing, infostealers, those are still the top concerns. When it comes to protection, the basics matter. You have got to lock down the basics. It doesn't matter how much money gets spent on fancy toys and silver bullets. If you don't have the basics locked down, your organization is still at risk. And then finally, test those controls before bad people do, which I know sounds self-serving given what I do for a living, but you do not want your final exam to be a live attack. That's what I got. So, let's go eat.

>> Oh, no. All right. Let me think. That's a lot of pressure. All right. What percentage of attacks do we know of that contain infostealers as a component? >> Right out the gate.

And, oh, that's fancy.

I gotta go back through my own presentation and find a good one. >> Yeah. Who? There we go. Who is the current leader of ransomware groups? >> Oh man, I don't even know who said that one first. >> Yeah, that's... >> No, leading the witness. Dark websites. What do they end in? The URLs.

>> There we go. All right. Thank you, everyone.
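The kill chain in the talk has two steps a defender can see in Entra ID (Azure AD) sign-in logs: the password spray run behind an IP-rotating proxy, and the MFASweep-style single-factor logins to the Graph and Service Management APIs after the portal had demanded MFA. The detection logic below is an added example written for this page; it is not code from the talk, the speaker, or any tool he names. It assumes the Microsoft Graph signIn field names (userPrincipalName, ipAddress, appDisplayName, resourceDisplayName, authenticationRequirement, status.errorCode, createdDateTime) and the documented meaning of error codes 50126 (bad username or password), 50074/50076 (MFA required) and 0 (success); the sign-in records are constructed, not exported from any tenant.

```python
"""Spray and MFA-gap detection over constructed Entra ID sign-in records.

Assumptions (not from the talk): records follow the Microsoft Graph signIn
shape; errorCode 50126 = invalid username/password, 50074/50076 = MFA
required, 0 = success.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ERR_BAD_PASSWORD = 50126
ERR_MFA_REQUIRED = {50074, 50076}
SUCCESS = 0
SINGLE_FACTOR = "singleFactorAuthentication"
MULTI_FACTOR = "multiFactorAuthentication"


def _rec(ts, upn, ip, app, resource, code, auth_req):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "resourceDisplayName": resource,
            "status": {"errorCode": code}, "authenticationRequirement": auth_req}


EXO = "Office 365 Exchange Online"
# Constructed sample log: one ordinary bad password at 12:01, then six
# different users failing within 90 seconds from six different source IPs
# (what a FireProx-style rotating proxy looks like), then a user whose
# portal login demanded MFA but who then succeeded single-factor against
# the Graph and Service Management APIs, and one user whose MFA held.
SAMPLE_SIGNINS = [
    _rec("2025-09-15T12:01:40Z", "hlee@example.com", "203.0.113.7", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:02:11Z", "abell@example.com", "198.51.100.11", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:02:25Z", "bcho@example.com", "198.51.100.12", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:02:40Z", "dkim@example.com", "198.51.100.13", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:02:58Z", "eruiz@example.com", "198.51.100.14", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:03:17Z", "fnash@example.com", "198.51.100.15", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:03:40Z", "gpatel@example.com", "198.51.100.16", "OfficeHome", EXO, ERR_BAD_PASSWORD, SINGLE_FACTOR),
    _rec("2025-09-15T13:20:05Z", "jdoe@example.com", "198.51.100.77", "OfficeHome", EXO, 50076, MULTI_FACTOR),
    _rec("2025-09-15T13:21:30Z", "jdoe@example.com", "198.51.100.78", "Azure Active Directory PowerShell", "Microsoft Graph", SUCCESS, SINGLE_FACTOR),
    _rec("2025-09-15T13:22:10Z", "jdoe@example.com", "198.51.100.79", "Azure Active Directory PowerShell", "Windows Azure Service Management API", SUCCESS, SINGLE_FACTOR),
    _rec("2025-09-15T14:05:00Z", "asmith@example.com", "192.0.2.20", "OfficeHome", EXO, SUCCESS, MULTI_FACTOR),
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag windows in which many distinct users fail with a bad password.

    Keyed on the number of distinct users, not on source IP, because an
    IP-rotating proxy defeats per-IP lockout and per-IP alerting. Each
    finding reports the IP count so the analyst can see the rotation.
    """
    fails = sorted((r for r in records if r["status"]["errorCode"] == ERR_BAD_PASSWORD), key=_ts)
    findings, i = [], 0
    while i < len(fails):
        j = i
        while j < len(fails) and _ts(fails[j]) - _ts(fails[i]) <= window:
            j += 1
        chunk = fails[i:j]
        users = {r["userPrincipalName"] for r in chunk}
        if len(users) >= min_users:
            ips = {r["ipAddress"] for r in chunk}
            findings.append({
                "start": fails[i]["createdDateTime"],
                "end": fails[j - 1]["createdDateTime"],
                "user_count": len(users),
                "ip_count": len(ips),
                # roughly one source IP per victim is the rotating-proxy signature
                "distributed": len(ips) >= max(2, len(users) // 2),
            })
            i = j  # do not re-report the same burst from a later start point
        else:
            i += 1
    return findings


def detect_mfa_gaps(records):
    """Find users challenged for MFA on one resource who then succeeded with
    a single factor on another: the MFASweep result, seen from the defender's
    side. Users never challenged are skipped (nothing to compare against)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    gaps = []
    for upn, recs in by_user.items():
        challenged = any(r["authenticationRequirement"] == MULTI_FACTOR
                         or r["status"]["errorCode"] in ERR_MFA_REQUIRED for r in recs)
        if not challenged:
            continue
        for r in recs:
            if r["status"]["errorCode"] == SUCCESS and r["authenticationRequirement"] == SINGLE_FACTOR:
                gaps.append({"user": upn, "app": r["appDisplayName"],
                             "resource": r["resourceDisplayName"], "time": r["createdDateTime"]})
    return gaps


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print("spray:", f)
    for g in detect_mfa_gaps(SAMPLE_SIGNINS):
        print("mfa gap:", g)
```

On the constructed log the spray detector reports one burst of six users across six IPs and leaves the lone 12:01 failure alone, and the MFA-gap check names jdoe's Graph and Service Management API logins while asmith, whose MFA held, is not reported. The thresholds (ten minutes, five users) are starting points to tune against a tenant's normal failure rate; a low-and-slow spray needs a longer window.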