An anonymous letter discusses a hypothetical ransomware attack on a professional services company. The letter outlines how attackers could compromise the target's network through a phishing email containing malware. This initial access could allow the attackers to laterally move within the network and exploit other systems to exfiltrate confidential data. The letter warns that paying the ransom demand does not guarantee the stolen data will not be leaked or that the attackers won't target the company again in the future. It concludes by questioning how the target would respond to such an attack and emphasizes that proper security measures are needed to prevent network compromise.
2. Disclaimer
[1] Some of the topics discussed / demonstrated are criminal in nature
[2] “Don’t try this at home unless you want to go to jail. You have been warned,
I am not responsible for your actions.”
[3] You will gain more from the lecture if you participate at times.
[4] Any likeness to real people or organisations does not imply anything about security
[5] Questions at the end please…
3. Our Topic
[1] What if you received a Cyber ransom / extortion threat?
[2] What would be your response?
[3] How would the attackers evade capture?
[4] How might you be attacked / compromised ?
[5] This will be focused from a professional services company point of view, e.g. doctors, lawyers, accountants and telcos, where confidentiality is paramount.
4. “90% of all incidents is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall into the PEBKAC (Problem Exists Between Keyboard and Chair) and ID-10T (idiot) uber patterns.”

“Financial Motivation is also alive and well in phishing attacks. The old method of duping people into providing their personal identification number or bank information is still around but the targets are largely individuals versus organizations. Phishing with the intent of device compromise is certainly present.”

Source: Verizon Data Breach Report

Since October 2014, Jersey and Guernsey companies across all sectors have been targeted by the ‘Dridex’ malware through email phishing.
6. Day 1 – The Email

Dear Friends and Foes,

We have been in your network and taken all your data due to your own poor security.

For the small sum of 10,000 EUR you can avoid having all your confidential data leaked online.

If we don’t receive payment by Friday 13th November at 6.00 p.m. CET to the Bitcoin address below, we will post your confidential data for all to see.

1An8CzdFJQdSaMeEoKMYyUQ6Fz37wK5GyX

You may communicate securely with us at the email address below:

secure_rex@pony-telecom.eu

Our manifesto is at http://dpaste.co/GthD53bx87 and proof of compromise is at http://dpaste.co/HJGYTRF5788976

Yours Sincerely,
Rex Mundi
7. Hacker Manifesto
[1] Unlike other groups out there, we have no interest whatsoever in making any kind of political or social statement. We are only interested in making money, which brings us to the code of conduct we have put in place:
[2] Communication and/or negotiations between us and our targets is never released, regardless of whether we get paid or not.
[3] We never discuss or even acknowledge the fact that some of our past targets might have paid us.
[4] We automatically delete all of the stolen data once a full payment has been made.
[5] We never target the same company twice and, for obvious reasons, we always stick with the original requested amount.
[6] If we posted the data of a company that has paid us, no other future target would ever agree to pay us. Similarly, asking for more money once we have already been paid would be pointless as no target would pay a second time out of fear we might ask for even more money a third time.
9. Hacker Tradecraft - OPSEC
[1] Never reveal operational details
[2] Never reveal your plans
[3] Never trust anyone
[4] Never confuse recreation / hacking
[5] Never operate from your house
[6] Be proactively paranoid
[7] Keep personal life / hacking separate
[8] Keep your personal environment contraband free
[9] Never talk to Police
[10] Don’t Give anyone power over you
12. Hacker Tactic – Passive Recon
The target has no indication that reconnaissance is taking place against them!
13. Do you know the most dangerous 71 character cyber attack?
14. The Phish

[Diagram: attacker outside the DMZ, cloned website, corporate VPN]

[1] Attacker registers <name>-<company_name>.com and clones the company website, adding a login form.
[2] Attacker sends an email to the company with a pretext enticing staff to log in to the fake website.
[3] Attacker harvests the logins and tries them against the VPN.

Cost of Setup
• Time: 2 hours
• Financial: < £25

Result
• Access to Corporate LAN via VPN
• Fails if 2FA is used.
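The first step of the phish above is a registered lookalike of the victim's own domain. One cheap control a mail gateway can apply is to compare every inbound sender domain against the company's real domain and flag anything that embeds the brand or sits within a couple of characters of it. The following is an added example written for this page, not code from the talk; the legitimate domain pony-telecom.eu is borrowed from the deck's sample email, the `from=… subject=…` log format and the log lines themselves are constructed for the example.

```python
"""Flag inbound sender domains that impersonate the company's real domain.

Added example, not code from the talk. Assumes a constructed gateway log
format of 'timestamp from=<address> subject=<text>' and that pony-telecom.eu
is the legitimate domain.
"""
import re

_FROM_RE = re.compile(r"from=\S+@([A-Za-z0-9.-]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _flat(s: str) -> str:
    # Drop hyphens and dots so 'it-pony-telecom' and 'ponytelecom-login' compare alike.
    return s.replace("-", "").replace(".", "")


def classify_domain(domain: str, legit_domain: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one sender domain."""
    domain = domain.lower().rstrip(".")
    legit = legit_domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return "legit"                      # the real domain or one of its subdomains
    brand = legit.split(".")[0]             # 'pony-telecom'
    if _flat(brand) in _flat(domain):       # brand embedded in a foreign domain
        return "lookalike"
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if edit_distance(sld, brand) <= 2:      # typosquat such as 'pony-te1ecom'
        return "lookalike"
    return "unrelated"


def flag_lookalike_senders(log_lines, legit_domain):
    """Scan gateway log lines and return the sender domains judged lookalikes."""
    hits = []
    for line in log_lines:
        m = _FROM_RE.search(line)
        if m and classify_domain(m.group(1), legit_domain) == "lookalike":
            hits.append(m.group(1))
    return hits


# Constructed sample log: two impersonation attempts among normal traffic.
SAMPLE_LOG = [
    "2015-11-09T09:12:01 from=helpdesk@it-pony-telecom.com subject=VPN_password_expiry",
    "2015-11-09T09:14:33 from=newsletter@gmail.com subject=Weekly_digest",
    "2015-11-09T09:20:10 from=hr@pony-telecom.eu subject=Payroll",
    "2015-11-09T09:25:45 from=admin@pony-te1ecom.eu subject=Re-authenticate_now",
    "2015-11-09T09:31:02 from=noreply@mail.pony-telecom.eu subject=Ticket_closed",
]

if __name__ == "__main__":
    for dom in flag_lookalike_senders(SAMPLE_LOG, "pony-telecom.eu"):
        print("lookalike sender domain:", dom)
```

The brand-containment rule will over-match for very short brand names, so in practice it is a quarantine-and-review signal rather than a hard block. It also does nothing about the slide's last point: even a perfect filter only reduces how many credentials are harvested, whereas 2FA on the VPN makes the harvested password useless on its own.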
16. Passwords / User Reporting Problem

Passwords Harvested
Bodmin1649
Jersey06
Nemesis87
Whistler07
Whistler02
Australia2000
Jersey59
Monday241

User reporting problem: not all attacks will be reported by users to security, for a variety of reasons.

Source: Verizon Data Breach Report

Solution: foster a culture that enables users to report issues without fear.
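Every password in the harvested list is the same shape: a capitalised word followed by two to four digits. The added example below (written for this page, not code from the talk) turns each one into a hashcat-style mask and compares the brute-force keyspace of the largest mask with the far smaller candidate set a wordlist-plus-digits attack would try; the 100,000-word list size is an assumption.

```python
"""Shape analysis of the harvested passwords.

Added example, not code from the talk. Masks use hashcat notation:
?u upper, ?l lower, ?d digit, ?s symbol.
"""
import re

# The eight passwords from the slide.
HARVESTED = ["Bodmin1649", "Jersey06", "Nemesis87", "Whistler07",
             "Whistler02", "Australia2000", "Jersey59", "Monday241"]

CHARSET_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}

# Capitalised word of four or more letters followed by 2 to 4 digits.
WORD_PLUS_DIGITS = re.compile(r"[A-Z][a-z]{3,}\d{2,4}")


def mask_of(password: str) -> str:
    """Return the hashcat mask describing the password's character classes."""
    tokens = []
    for ch in password:
        if ch.isupper():
            tokens.append("?u")
        elif ch.islower():
            tokens.append("?l")
        elif ch.isdigit():
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)


def keyspace(mask: str) -> int:
    """Number of candidates a pure mask attack must try for this mask."""
    n = 1
    for tok in re.findall(r"\?[ulds]", mask):
        n *= CHARSET_SIZE[tok]
    return n


def is_word_plus_digits(password: str) -> bool:
    """True for the 'Capitalised word + digits' shape every harvested password has."""
    return WORD_PLUS_DIGITS.fullmatch(password) is not None


def wordlist_candidates(n_words: int, min_digits: int = 2, max_digits: int = 4) -> int:
    """Candidates for 'dictionary word + 2..4 digits' with an n_words wordlist
    (assumed size); this is what an attacker actually runs against such hashes."""
    return n_words * sum(10 ** k for k in range(min_digits, max_digits + 1))


def summarise(passwords):
    masks = {}
    for p in passwords:
        masks[mask_of(p)] = masks.get(mask_of(p), 0) + 1
    return {
        "total": len(passwords),
        "word_plus_digits": sum(is_word_plus_digits(p) for p in passwords),
        "distinct_masks": len(masks),
        "largest_mask_keyspace": max(keyspace(m) for m in masks),
        "wordlist_plus_digits_candidates": wordlist_candidates(100_000),
    }


if __name__ == "__main__":
    for k, v in summarise(HARVESTED).items():
        print(f"{k}: {v}")
```

The takeaway for a password policy: length and a digit requirement produced eight passwords that all collapse into one wordlist rule, so the policy needs to reject dictionary-word-plus-digits forms (or, better, move the VPN to 2FA) rather than count characters.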
20. Attack 2 – Web Application

[Diagram: attacker targets the website in the DMZ]

[1] Attacker targets the website after reconnaissance.
[2] SQL injection (SQLi) is used to dump the database behind the website.
[3] Attacker may get a shell and be able to use it to attack the network and/or install malware.

Cost of Setup
• Time: 2 hours
• Financial: £0

Result
• Web server defacement – loss of public trust
• Data exfiltration from databases
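The "dump the database behind the website" step in its simplest form is a UNION-based injection: the attacker closes the string the application built, appends a SELECT with the same column count against a table the page was never meant to read, and comments out the rest. The following is an added example for this page, not code from the talk; the SQLite schema, the rows and the hash values are constructed, and the two search functions stand in for the website's query code.

```python
"""SQL injection against a product search: vulnerable and parameterised forms.

Added example, not code from the talk. Uses an in-memory SQLite database with
a constructed schema so it runs offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a public products table and a users table
    the website should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users(username, password_hash) VALUES
            ('bob',   '5f4dcc3b5aa765d61d8327deb882cf99'),
            ('alice', 'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str):
    # The 'before': user input is spliced straight into the SQL text, so the
    # quote and keywords in the input are parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str):
    # The fix: a bound parameter. The driver sends the value separately from
    # the statement, so it can only ever be compared, never executed.
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


# Classic UNION payload: close the string, add a SELECT with the same number
# of columns from another table, comment out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


def demo():
    """Run the payload through both forms; returns (dumped_rows, safe_rows)."""
    conn = build_db()
    return search_vulnerable(conn, UNION_PAYLOAD), search_safe(conn, UNION_PAYLOAD)


if __name__ == "__main__":
    dumped, safe = demo()
    print("vulnerable query returned:", dumped)   # usernames and hashes
    print("parameterised query returned:", safe)  # nothing: no product named like that
```

Parameterisation fixes the injection but not the exposure that follows: the harvested hashes here are unsalted MD5 of two trivial passwords, which is the same weakness the phish slide shows from the other side. The "attacker may get a shell" step depends on database features such as file writes or command execution and on the account the web application connects as, so the application's database user should have no more than SELECT on the tables the page needs.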
21. Lateral Movement – Pass The Hash

[Diagram: Server LAN (Fileserver, Database, Active Directory, Email) and Corporate LAN (compromised User PC)]

[1] Attacker dumps password hashes for all users on the compromised PC and finds a new user, ‘Bob’.
[2] Attacker replays the captured credentials against all systems. ‘Bob’ is in the admin group on the fileserver.
[3] Attacker uses PowerShell and AD queries to map the network.
[4] Attacker gets more hashes and compromises the database and AD servers.

Network is now compromised and data exfiltration begins.
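Replaying a hash leaves a distinctive trace: the same account produces NTLM network logons (event 4624, logon type 3) on many servers from one workstation in a short window, where a normal domain user would mostly authenticate with Kerberos and to a handful of hosts. The slide's breach diary later notes accounts being created on the file server, AD and database servers, which is event 4720. The following is an added detection example written for this page, not code from the talk; the events are constructed and flattened to `key=value` pairs, and a real collector (Windows Event Forwarding, Sysmon, a SIEM) names the fields differently.

```python
"""Spot pass-the-hash style lateral movement in Windows security events.

Added example, not code from the talk. Event lines are constructed for the
example as flattened key=value fields of 4624 (logon) and 4720 (account
created) events; field names are assumptions.
"""
from collections import defaultdict

# Constructed sample events: 'bob' fans out over NTLM from one workstation and
# then creates 'svc_backup' on two of the hosts he reached.
SAMPLE_EVENTS = [
    "Time=2015-11-10T14:02:11 EventID=4624 Computer=FILESRV01 LogonType=3 AuthPackage=NTLM TargetUser=bob SourceIp=10.1.20.55",
    "Time=2015-11-10T14:02:19 EventID=4624 Computer=DBSRV01 LogonType=3 AuthPackage=NTLM TargetUser=bob SourceIp=10.1.20.55",
    "Time=2015-11-10T14:02:27 EventID=4624 Computer=DC01 LogonType=3 AuthPackage=NTLM TargetUser=bob SourceIp=10.1.20.55",
    "Time=2015-11-10T14:03:40 EventID=4624 Computer=MAILSRV01 LogonType=3 AuthPackage=Kerberos TargetUser=alice SourceIp=10.1.20.71",
    "Time=2015-11-10T14:03:55 EventID=4624 Computer=FILESRV01 LogonType=3 AuthPackage=NTLM TargetUser=WKS055$ SourceIp=10.1.20.55",
    "Time=2015-11-10T14:04:02 EventID=4624 Computer=FILESRV01 LogonType=2 AuthPackage=NTLM TargetUser=carol SourceIp=-",
    "Time=2015-11-10T14:09:13 EventID=4720 Computer=FILESRV01 SubjectUser=bob NewUser=svc_backup",
    "Time=2015-11-10T14:11:48 EventID=4720 Computer=DC01 SubjectUser=bob NewUser=svc_backup",
]


def parse(line: str) -> dict:
    """Turn one flattened 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def ntlm_fan_out(events, min_hosts: int = 3):
    """Return {(user, source_ip): [hosts]} for accounts that produced NTLM
    network logons (type 3) to at least min_hosts distinct hosts from one
    source. A replayed hash never goes through Kerberos, so the NTLM-only
    fan-out from a single workstation is the signal."""
    seen = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4624" or e.get("LogonType") != "3":
            continue
        if e.get("AuthPackage", "").upper() != "NTLM":
            continue
        if e["TargetUser"].endswith("$"):      # machine accounts are noise here
            continue
        seen[(e["TargetUser"], e["SourceIp"])].add(e["Computer"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


def accounts_created_by_suspects(events, suspects):
    """Correlate 4720 events: a suspect account creating a new user on a host
    it reached over NTLM. Returns [(creator, host, new_user)] in event order."""
    hits = []
    for e in events:
        if e.get("EventID") != "4720":
            continue
        for (user, _src), hosts in suspects.items():
            if e["Computer"] in hosts and e["SubjectUser"] == user:
                hits.append((user, e["Computer"], e["NewUser"]))
    return hits


def run(lines=SAMPLE_EVENTS):
    """Parse the lines and return (fan_out_suspects, accounts_created)."""
    events = [parse(l) for l in lines]
    suspects = ntlm_fan_out(events)
    return suspects, accounts_created_by_suspects(events, suspects)


if __name__ == "__main__":
    suspects, created = run()
    for (user, src), hosts in suspects.items():
        print(f"NTLM fan-out: {user} from {src} -> {', '.join(hosts)}")
    for user, host, new_user in created:
        print(f"account created: {user} made {new_user} on {host}")
```

The threshold of three hosts is a starting point; tune it against a baseline of which accounts legitimately use NTLM (service accounts, non-domain-joined devices) so the rule does not page on backup jobs. The structural fix the slide implies is to stop ‘Bob’ from being a local admin on the file server while also logging on at a workstation where his hash can be dumped.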
22. Dear Breach Diary…….

Day 1
• Confirm breach.
• Contact Police?
• Collate logs.
• Bring in network forensic experts.

Day 2
• Phishing attempts discovered.
• Investigation of Corporate LAN ongoing.
• Inform Police.

Day 3
• Compromise confirmed on Corporate LAN workstation.
• Potential webserver attacks discovered.

Day 4
• Pass The Hash discovered on file server and account created.
• Account creation discovered on AD and Database servers.
• Compromise confirmed.

Day 5
• Confirm state of Police investigation.
• Initiate negative publicity campaign.
• Inform Regulators.
• Pay / Not Pay?
• Go public before attackers?
23. Rex Mundi
• Labio.fr – exposed patients’ blood test results
• AFC Kredieten – exposed loan applications
• Temporis – French employment agency
• Dominos Pizza –
• Drake International – Canadian employment firm
• Americash – American payday lender
24. Final Thoughts - Questions
[1] EU Data Protection Regulations – 2.5% fine of worldwide turnover for failing to report a breach.
[2] Attackers can stay anonymous. Short time frames make it unlikely that a Police investigation will succeed.
[3] Once compromised, the game is over.
[4] Test the strength of your countermeasures.