A Letter from Anonymous II

Disclaimer

[1] Some of the topics discussed / demonstrated are criminal in nature

[2] “Don’t try this at home unless you want to go to jail. You have been warned, I am not responsible for your actions.”

[3] You will gain more from the lecture if you participate at times.

[4] Any likeness to real people or organisations does not imply anything about security

[5] Questions at the end please…

Our Topic

[1] What if you received a Cyber ransom / extortion threat?

[2] What would be your response?

[3] How would the attackers evade capture?

[4] How might you be attacked / compromised ?

[5] This will be focused from a professional services company point of view e.g. Doctors, Lawyers, Accountants and Telco’s where confidentiality is paramount.

“ 90% of all incidents is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall into the PEBKAC (Problem Exists Between Keyboard and Chair) and ID-10T (idiot) uber patterns.”

“Financial Motivation is also alive and well in phishing attacks. The old method of duping people into providing their personnel identification number or bank information is still around but the targets are largely individuals versus organizations. Phishing with the intent of device compromise is certainly present.”

Verizon Data Breach Report

Source: Verizon Data Breach report

Since October 2014, Jersey and Guernsey companies across all sectors have been targeted by the ‘Dridex’ malware through email phishing.

Our Company Network

Server LAN Corporate LAN DMZ

Fileserver

Database

Active Directory

Email

Day 1 – The EmailDear Friends and Foes,

We have been in your network and taken all your data due to your own poor security.

For the small sum of 10,000 EUR you can avoid having all your confidential data leaked online.

If we don’t receive payment by Friday 13th November at 6.00 p.m CET to the following Bitcoin address below, we will post your confidential data for all to see.

1An8CzdFJQdSaMeEoKMYyUQ6Fz37wK5GyX

You may communicate securely using with us at our email address below:-

secure_rex@pony-telecom.eu

Our manifesto is at http:dpaste.co/GthD53bx87 and proof of compromise is at http://dpaste.co/HJGYTRF5788976

Yours Sincerely

Rex Mundi

Hacker Manifesto

[1]

[2]

[3]

[4]

[5]

Unlike other groups out there, we have no interest whatsoever in making any kind of political or social statement. We are only interested in making money, which brings us to the code of conduct we have put in place

Communication and/or negotiations between us and our targets is never released, regardless of whether we get paid or not.

We never discuss or even acknowledge the fact that some of our past targets might have paid us.

We automatically delete all of the stolen data once a full payment has been made.

We never target the same company twice and, for obvious reasons, we always stick with the original requested amount.

[6]If we posted the data of a company that has paid us, no other future target would ever agree to pay us. Similarly, asking for more money once we have already been paid would be pointless as no target would pay a second time out of fear we might ask for even more money a third time.

Dear Breach Diary…….

Day 1• Confirm Breach• Contact Police?• Collate Logs• Bring in network forensic experts

Hacker Tradecraft - OPSEC

[1] Never reveal operational details

[2] Never reveal your plans

[3] Never reveal trust anyone

[4] Never confuse recreation / hacking

[5] Never operate from your house

[6] Be proactively paranoid

[7] Keep personnel life / hacking separate

[8] Keep your personnel environment contraband free

[9] Never talk to Police

[10] Don’t Give anyone power over you

Funding Attacks

Attack Implementation

Purchase Services

Fake Name Generator

10 Minute Mail

Persona Death

Hacker Tactic – Passive Recon

The target has no indication that reconnaissance is taking place against them!!!!

Do you know the most dangerous 71 character cyber attack?

The Phish

DMZ

Attacker registers <name>-<company_name>.com and clones company website. Adds login form

Attacker sends email to company with pretext enticing login to fake website

Attacker harvest login and tries to login via VPN.

Cost of Setup

• Time: 2 hours• Financial < £25

Result

• Access to Corporate LAN via VPN• Fails if 2FA is used.

Dear Breach Diary…….

1• Confirm Breach• Contact Police?• Collate Logs• Bring in network forensic experts

• Phishing Attempts discovered• Investigation Corporate LAN2

Passwords / User Reporting Problem

Passwords Harvested

Bodmin1649Jersey06Nemesis87Whistler07Whistler02Australia2000Jersey59Monday241

Source: Verizon Data Breach report

This is simply that not all attacks will be reported by users to the security for a variety of reasons

Solution:

Foster a culture to enable users to report issues without fear

Network Partially Compromised

Server LAN Corporate LAN DMZ

Fileserver

Database

Active Directory

Email

User Pc Compromised

Initial Compromise Demo

Bypassing a fully patched system with up to date AV signatures

Dear Breach Diary…….

1• Confirm Breach.• Contact Police?• Collate Logs.• Bring in network forensic

experts.

• Phishing Attempts discovered.• Investigation Corporate LAN

ongoing.

2

• Compromised confirmed on Corporate LAN workstation.

• Potential Webserver attacks discovered.

3

Attack 2 – Web Application

DMZ

Attacker targets website after reconnaissance

SQLiSQL Injection used to dump database behind website.

Attacker may get shell and be able to use it to attack network and or install malware.

Cost of Setup

• Time: 2 hours• Financial < £0

Result

• Web Server Defacement – Loss of Public trust• Data exfiltration from databases

Lateral Movement – Pass The Hash

Server LAN Corporate LAN

Fileserver

Database

Active Directory

Email

User Pc Compromised

Attacker dumps password hashes for all users. Finds new user ‘Bob’

Attacker replays captured credentials against all systems. ‘Bob’ is in the admin group on the fileserver.

Attacker uses powershelland AD queries to map network

Attacker gets more hashes and compromises the database and AD serversNetwork is now compromised and data exfiltration begins

Dear Breach Diary…….

1• Confirm Breach.• Contact Police?• Collate Logs.• Bring in network forensic

experts.

• Phishing Attempts discovered.• Investigation Corporate LAN

ongoing.• Inform Police.

2

• Compromised confirmed on Corporate LAN workstation.

• Potential Webserver attacks discovered.

3

• Pass The Hash discovered on file server and account created.

• Account creation discovered on AD and Database servers

• Compromise confirmed.

4

• Confirm state of Police investigation.• Initiate Negative Publicity campaign.• Inform Regulators• Pay / Not Pay?• Go Public before attackers ?

5

Rex Mundi

• Labio.fr – exposed patients blood test results• AFC Kredieten – exposed loan applications• Temporis – French employment agency• Dominos Pizza –• Drake International – Canadian employment firm• Americash – American payday lender

Final Thoughts - Questions

EU Data Protection Regulations – 2.5 % fine of worldwide turnover for falling to report a breach.

[2] Attackers can stay anonymous. Short time frames make it unlikely that a Police investigation will succeed.

[1]

[3] Once compromised, the game is over.

[4] Test the strength of your counter measures..