The document summarizes a simulated attack on an organization via compromise of a trusted third party supplier. It demonstrates how threat actors used phishing to deliver malware, abused active directory trusts to move laterally between the supplier and target networks, and extracted credentials and customer data from the target organization's systems after gaining initial access through the third party. It stresses that such trusted third party attacks are a real risk and organizations need to carefully restrict access and monitor for signs of compromise when connecting suppliers to their internal networks and assets.
2. Contents
Introductions
+ Whoami / Nettitude
Overview
+ Summary of the hack
+ Why you should care as an organisation
Demonstrate a Trusted Third Party Compromise
+ Weaponisation & delivery (Phishing)
+ Abusing Active Directory trusts (Bi-Directional)
+ In Combination with Trusted Network Routing
+ Elevation of privileges in enterprise organisations
+ Extraction of Customer data and privileged access
3. @benpturner
+ Managing Principal Security Consultant @ Nettitude
+ Lead the Global Red Team Operation @ Nettitude
+ 8 years as a Crest Team Leader (CHECK Team Leader - Infrastructure)
+ 5 years as a Crest Simulated Attack Specialist (CCSAS - STAR/CBEST)
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018)
+ Workshops - Red Teaming with PoshC2 (BSides London/Manchester)
+ 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4
+ PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4
Development Projects
+ Lead developer of PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework
+ https://github.com/nettitude/PoshC2_Python/
+ General day to day PowerShell & C# projects
4. @BaffledJimmy
+ Security Consultant @ Nettitude
+ Work mainly on large Active Directory / infrastructure engagements and Red Teams
+ CHECK Team Leader
+ 8 years as a British Army Officer – mainly centered around cyber leadership roles
+ Enjoys both the offensive and defensive sides of red teaming, and abusing companies' internal tooling against them.
5. Team Spicy Weasel
1st Place - 2018
+ labs.nettitude.com/blog/derbycon-2018-ctf-write-up
1st Place - 2017
+ labs.nettitude.com/blog/derbycon-2017-ctf-write-up
3rd Place - 2016
+ labs.nettitude.com/blog/derbycon-2016-ctf-write-up
6. “Skilled and motivated attackers are compromising third party suppliers with a view to pivoting into their ultimate target organization.”
FireEye, 2018
7. Disclaimer
1. All screenshots and organization names have been fictitiously made up or cloned for this presentation
2. The attack techniques and methodologies are a true representation of real connections with trusted third parties
3. This is not a contrived attack scenario; the risk is very real
4. We are enacting this scenario for many of our clients, and you would be scared at the amount of success and the over-reliance or trust that is put in third party organizations
22. Enumerating and Abusing Active Directory Trusts
Active Directory trusts with suppliers or outsourcing partners are common
Combined with overly permissive firewall rules between each company
Frequently misconfigured to allow two way authentication between organisations
Frequently allow all accounts to authenticate, not just the required accounts
27. Cloud Cracking has given access into Blorebank
Blorebank are using Jump Boxes / Bastion Hosts – a good security practice
AWS Cloud Cracking reveals MS SQL Service Account password
The attacker can now authenticate from the DS machine using those creds, to execute an implant on the database server
35. Key Takeaways
Trusted Third Party Attacks are REAL
Separate your Active Directory environments to minimize your attack surface
Ensure strict firewalling between suppliers and your assets, e.g. RDP
Heavily monitor and audit your authentication events
Restrict access to critical assets to authorized and dedicated accounts only
Deploy password managers, 2FA & utilize Microsoft Group Managed Service Accounts & LAPS
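The trust slide (frequently all accounts may authenticate across a bi-directional trust) and the takeaway to heavily monitor authentication events both come down to the same two log signals: RC4 service-ticket requests (the Kerberoasting precursor) and cross-trust logons to critical hosts by accounts that are not the dedicated ones. The triage below is an added example, not part of the deck or of Nettitude's tooling; the domain names, host names, allow-list and event records are all constructed, and the field names follow Windows Security events 4769 and 4624.

```python
"""Triage of constructed Windows Security events (4769 / 4624) for two
signals: RC4 service tickets and unexpected cross-trust logons."""

# Constructed sample events; field names mirror the 4769/4624 XML data.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_sql@SUPPLIER.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.20.1.55"},
    {"EventID": 4769, "TargetUserName": "jsmith@SUPPLIER.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.20.1.55"},
    {"EventID": 4769, "TargetUserName": "jsmith@SUPPLIER.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.20.1.55"},
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "SUPPLIER",
     "LogonType": 10, "Computer": "JUMP01", "IpAddress": "10.20.1.55"},
    {"EventID": 4624, "TargetUserName": "sqladmin_all", "TargetDomainName": "BLOREBANK",
     "LogonType": 10, "Computer": "JUMP01", "IpAddress": "10.20.1.55"},
    {"EventID": 4624, "TargetUserName": "supplier_ops", "TargetDomainName": "SUPPLIER",
     "LogonType": 10, "Computer": "JUMP01", "IpAddress": "10.20.1.9"},
]

TRUSTED_DOMAINS = {"SUPPLIER"}                    # assumed partner domain name
CRITICAL_HOSTS = {"JUMP01", "SQL01"}              # assumed jump box / database server
ALLOWED_CROSS_TRUST = {"SUPPLIER\\supplier_ops"}  # the only dedicated cross-trust account


def is_rc4_roast(ev):
    """4769 with RC4 (0x17) for a user service account; machine accounts ($)
    and krbtgt referrals are excluded because they are routinely RC4."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def is_unexpected_cross_trust_logon(ev):
    """4624 recorded on a critical host for a trusted-domain account that is
    not one of the dedicated, allow-listed accounts."""
    if ev["EventID"] != 4624 or ev.get("TargetDomainName") not in TRUSTED_DOMAINS:
        return False
    if ev.get("Computer") not in CRITICAL_HOSTS:
        return False
    return f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}' not in ALLOWED_CROSS_TRUST


def triage(events):
    """Return (signal, account, target) tuples for every event that matches."""
    alerts = []
    for ev in events:
        if is_rc4_roast(ev):
            alerts.append(("rc4_tgs_request", ev["TargetUserName"], ev["ServiceName"]))
        if is_unexpected_cross_trust_logon(ev):
            alerts.append(("cross_trust_logon", ev["TargetUserName"], ev["Computer"]))
    return alerts
```

On the sample set only the RC4 ticket for svc_sql and the jsmith logon to JUMP01 are raised; the AES ticket, the krbtgt referral, the local sqladmin_all logon and the allow-listed supplier_ops logon are not.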
36. THANK YOU
Ben Turner @benpturner
Tom MacDonald @baffledjimmy
https://www.slideshare.net/nettitude_labs/trusted-third-parties-are-not-trust-worthy
Editor's Notes
BEN:
Thanks everyone for having us on the Dark Stage today.
We’re going to present to you the lessons of not trusting your third parties!!
BEN:
So whoami! My name is Ben Turner, I head up the Global Red Team @ Nettitude. I’m a managing principal security consultant.
I have direct oversight of all red teaming engagements and essentially hack into backs for a living – ethically.
I have also created my own C2 framework that is called PoshC2 if you haven’t ever heard of it check it out.
MAC:
BEN:
Some other places you may have seen us is at Derbycon; we’re quite keen attendees of this conference.
If you like CTFs, check out some of the blogs we wrote off the back of the cons.
It will be sad this year it’s coming to an end – hopefully we can go out with a bang and maintain that 1st place position!
MAC:
Rick even mentioned this yesterday from FireEye that trusted third parties and supply chains are often a massive pivot point into your network
BEN:
BEN:
MAC:
News report detailing number of supply chain breaches.
ASUS HACK
Taiwanese computer maker says it fixed an issue that allows attackers to distribute malware via the company update mechanism
BEN:
MAC:
BEN:
MAC:
Add Whitelist
Installs SSH Key, Apache etc
Updates SSL Certs – Lets Encrypt
Anti-Incident Response Techniques - UserAgents
DNS Records
Automated lookup against categorization sites and submits where necessary
BEN:
MAC:
MAC:
Specifically designed to look like a security bulletin email
Specially crafted for the target user of the organization with custom attributes such as the license code
MAC:
Explain the basic concepts of active directory trusts and how we can sometimes abuse them
BEN:
Enumerating the trusts of the organisation
Verify the bidirectional trust
Kerberoast the trust (active directory exploitation)
MAC:
MAC:
BEN:
RC4 Kerberoasting Hash Cracked in 23 hours and 7 minutes
With a combination of a custom wordlist and rules!
MAC:
BEN:
BEN:
Upload exe to abuse rdcman, as seen by process listing
Deploy socks tunnel to allow us to RDP to Jason’s workstation while he is away from his desk
MAC:
PowerUPSQL to get the sql instances from the domain and query the data as a low level user
CHANGE GREEN LINES TO SHOW TRAFFIC TUNNELING OUT TO THE INTERNET AND TO THE C2 CHANNEL
MAC:
Exfiltrate all the data from the SQL server via a jump station logging in as sqladmin_all