As a security company, we spend a lot of time advising our clients on the tools and techniques needed to fend off the ever-hungry, increasingly clever cybercriminal. 2018 was a lesson in how not to do security. According to research from NordVPN, more than one billion people were affected by the loss of personal data through 13 data breaches at 11 different companies. 2019 will be no different; cybercriminals are taking no prisoners, and they’re ambitious enough to go after some of the biggest global companies (arguably with more security resources at their disposal) to get what they want – your data.
But you don’t have to be a Facebook or a Google to be on a cybercriminal’s target list. No company is immune to the charms of a hacker and his/her keyboard. Even security companies.
So, we make a habit of staging security attacks against ourselves. The aim of the exercise is for us to better understand how our own systems would fare in the face of a cyber-attack and, if truly faced with an adversary with malicious intent, how effective our protocols would be against preventing his/her success.
In our most recent exercise, we uncovered a flaw in our own defences, the value of which greatly outweighs any discomfort we might feel admitting this as a security provider. Why am I sharing this? We feel the results of our experiment offer crucial insight for any business of any sector currently fighting the ongoing cyber battle.
Attack of the Pentesters
The last pentest by our SensePost redteam proceeded from the assumption that the attacker had already breached the perimeter and secured a ‘beachhead’ on a machine within our private network. Having ‘secured a beachhead’, the modus operandi for our SensePost team was to run a horizontal brute force attack, using employee information gleaned from open source technology, such as LinkedIn, to build a credible list of ActiveDirectory user IDs.
The next step was to take a series of commonly used passwords, trying them out across the entire list of users, until a match was found that provided access to one user’s account. Leveraging that user’s credentials, the SensePost team was then able to gain access to a list of all active users, and the process was repeated – running the passwords until access was gained to an administrative user. By implementing a tool made infamous in the large-scale WannaCry hack – Mimikatz – the team then extracted cache credentials for the domain administrator.
The team was able to hack into the domain admin’s account in less than a day. The crowbar that pried open access? A trusty list of example passwords.
You’re probably thinking that the brute force attack was successful because the passwords in question were ‘weak.’
The vast majority of them actually met general suggested levels of security credentials – alphanumerical and between 8 and 12 characters long, with a sprinkling of punctuation and capital letters here and there. The reason why they were so easily hacked was because they used formats, however ‘strong’, that were predictable.
(The password our attacker was able to crack was ‘May2018!’)
According to our data about customer environments, one in three passwords (32%) starts with a capital letter and ends in a number. One in eight (12%) contains a year and one in every 11 passwords (9%) ends in three numbers. Do any of these configurations sound familiar to you? Chances are you’re using a password right now for at least one of your accounts that follows one of these formats.
The more predictable the password is, the easier it is for cybercriminals to anticipate and then build template passwords to be used in these kinds of highly targeted brute force attacks. Apparently, we weren’t immune either.
Ghost in the Legacy Machine
It wasn’t just passwords that caused a chink in our armour. Our pseudo cybercriminal also took advantage of a missing patch on an old machine sat collecting dust in the corner of the office; one that had a legacy vulnerability (via a ticketing system). While the attacker was unable to steal any data from this legacy system – it had long been replaced, had no data on it, and was disconnected from the environment – this was never actually their intent. Their aim was to elevate their access across the domain.
Hacker Seizes Mission Control
So, our make-believe hacker has tripped us up not once, through pesky passwords, but twice through a legacy system. Strike three came through a controlled experiment we designed to breach an endpoint through Microsoft DDE.
Our hacker friend started the next phase of the campaign with an email, containing a Word document with an embedded DDE object. This enabled him/her to reach out to and evoke an external script object. This prompted a common ‘end of formula’ message box in MS Excel, asking whether the user wanted to enable editing. Hitting yes triggered a download of PowerShell, giving our cyber foe full remote command and control of the machine.
Our detection technology picked this up, because DDE isn’t permitted. As soon as we spotted this red flag, we were then able to monitor for a change in the registry, indicating that the machine is potentially vulnerable. We also were alerted to the fact that the machine was attempting to ‘talk out’ to an external source, and the use of PowerShell to communicate with the command and control center. I
’m relieved to report in fact that, although the test identified serious vulnerabilities, our detection platform identified elements of the attacks at numerous different stages and we were able to track the exercise in near to real time. I guess that’s why detection is such an important part of a ‘defence in depth’ strategy.
Learnings for Businesses
We’ve said it before, but it bears repeating – in today’s digital age, a breach or hack for any business of any size and sector is a case of when and not if.
Self-awareness is crucial to fighting the ongoing cyber battle – you can’t fix what you don’t know is broken. And while this type of war game might bruise the egos of the proudest enterprise cyber security teams, experiments such as the ones we conduct are essential to gain insight into avenues attackers might pursue to get to your data. Don’t be caught off guard – understand the risks to your business by enhancing your systems and techniques on a regular basis, and don’t be afraid to get your hands a little dirty in simulating and anticipating fake crises before they become a terrifying reality.