“How I'm going to own your organization in just a few days. That so many organizations are wasting money on outdated APT tools and massive budgets on heavily defended perimeters, driven by the domain practices of old-school security practitioners and greedy vendors, just makes me laugh.
I'm going to be vague in my example for obvious reasons.
First, I spend a few hours on Google and LinkedIn and find targets of opportunity at XYZ company that I think could get me a human who will fall into a trap with an old trick called a phishing attack. Everyone likes to join groups with people who share similar interests in their field. One group on LinkedIn is called “People with Top Secret Clearances”; others are for security professionals, executive administrative assistants, etc. You get the point.
I find a few names at the XYZ company I'm looking to score on and make a few phone calls. “Hi, I'm from such-and-such vendor and I would like to speak to Mr. Ed about a new product we are offering.” Of course he's not going to take my call, but if I ask nicely I'm sure I'll get an email address, or even better his assistant, if I didn't already have that from LinkedIn, not to mention his whole staff. LinkedIn is so helpful. I also now have the email naming convention for your organization, just in case I want to email a few other targets: first initial . lastname @xyz.com.
I find a nice rootkit like Zbot or ZeroAccess. But I'm going to add just a little extra payload, which has a couple of extra features to accomplish one goal: jump to the first host I can find that will allow me to make a harmless SSL connection to an innocent ISP DHCP address to pull in the other small programs I'll need. You're probably not cracking SSL at your organization, so you have no idea why this newly owned computer is talking to the x.x.x.x address. The nice thing is that this program is already coded, so I don't even need to write it. Google is your friend for code.
So I send my well-crafted phishing attack, and Betty Sue, Mr. Ed's executive assistant, sure enough clicks on the link and gets the ZeroAccess infection. She also gets my DLL-injected payload, which immediately looks at the netstat connections and uses some unpatched Java exploit, a Flash update service, or even an open share to immediately hop to the first host it finds in the cache of connections.
At this point I don't have any egress connections from the original host except for the ZeroAccess C&C calls for droppers, but I now own another machine.
Meanwhile, in the background, IT has detected the ZeroAccess infection on Betty's computer and ordered it to be reimaged, or worse, scanned with some malware tool, cleaned, and returned to service, because she just can't afford to lose the data on the client.
Over the next few days, my little program (which I can update at will) and I can use various techniques to find the cache from this or any other host on your network as I work my way around, until I find the right client or server with the data I'm looking for, and, using that same SSL connection, send my payload home.
A few days later, your company financials or accounts and passwords, and the network IP addresses of critical systems, show up on Pastebin or in the media, or are sold off to the highest bidder.
Lessons learned: