In this fictitious account of a hack on Waze Banking, security expert and ethical hacker Callum Butler illustrates how organisations could fall prey to hacking in real life. Here is his simulated account of how a worst-case hacking scenario might play out.
My first target is the receptionist, Veronica, a loyal employee of "Waze Banking", the bank we’re planning to hack. So, what has Veronica got to do with the hack? She isn't part of our team, but she is a point of vulnerability. Using social engineering (that is, tricking unsuspecting users or employees into handing over confidential or sensitive data, or into granting access) we convince her we are ISP (Internet Service Provider) engineers. Our cover? We are doing some routine speed checks on their office.
If Waze had invested in security training, Veronica might have been aware that social engineering attacks are becoming increasingly common. We are not on the visitor list, but hey, we do have a (fake) outage report. So, that must be OK, right? Thank you, Veronica. That was too easy.
Network Hacking: Access
Greg, the IT administrator and the only IT guy in this office, comes to meet us. Conveniently for us, the alarms are triggered at just that moment.
As we walk through reception we send Veronica some ransomware. It is now spreading throughout the network and creating a silent connection over HTTPS to our Command-and-Control server, all with a file hash that no signature database has seen before.
If they had invested in Advanced Malware Protection instead of relying on traditional legacy signature databases, they would have been able to recognise the malware by its behaviour (heuristic detection), unknown hash or not. But we’re in the server room now and allowed to roam free. Off we go.
Exploiting the network
Servers, firewalls, an old NAS (Network Attached Storage). We have new exploits to run on all these devices. Boom! We suddenly come across a KVM (keyboard, video, mouse) connected to a server that Greg the IT guy was working on. Someone has done their homework and installed USB protection to prevent USB drive access. However, a USB Rubber Ducky presents itself as a keyboard, which Windows trusts as a HID (Human Interface Device), so we can still get the drive connected and download the RAT (Remote Access Trojan). In turn, this connects us to our CnC (Command and Control).
RATs are like actual rats. They allow us to scout and route through the corporate infrastructure using credentials grabbed from the server.
Advanced Inspection and Prevention services with Layer 7 prevention methods could have stopped this kind of botnet intrusion. (I wouldn't want to be in the room when Greg the IT guy speaks to the CISO, yikes!)
Within 10 minutes we have infected the management network and have established a way into the corporate network.
Initiating the hack
Back in our undisclosed location, we can route through proxies, VPNs and the Tor network. We have persistent access to our friends at Waze. Time to initiate the hack!
We have collected usernames, passwords, banking information, company information, emails and lots of other little secrets.
We are rapidly spreading malware. We send the ransom message.
With our foothold in the network and a shaky Active Directory setup, we can access backups, hosts, the monitoring and every other system with just one username and one password.
Unlucky Waze Banking. Who knows, next time, it could be you.
Are you confident your network and employees are hack-proof? Are you fully up-to-speed on how to combat network hacking?