Hacking Your Competitors For Fun & Profit

    DISCLAIMER

    The information contained herein is for educational purposes only. I do not condone or encourage any form of illegal activity, and will not be held responsible in any way for the misuse of the information provided.

    My mission is to increase awareness of the issues surrounding cyber security, to better equip us all to defend our networks against the real-world attacks I have described in this article.


    Have you ever wondered how easy it actually is to break into computer systems? Well ladies and gentlemen – you’ve come to the right place. Today I’m going to deliver a no-holds-barred demonstration of how anybody armed with this article (and a profound desire to go to prison) can render the security of many small to medium organisations useless – in less than 24 hours.

    WARNING

    The following scenario simulates a real-world attack. While the characters portrayed are entirely fictional, the motives, roles and technical execution of the attack are 100% representative of a real attack. The reality today is that you don’t need to be a computer security expert in order to breach computer systems and steal sensitive information; you just need to be a (semi-competent) cyber criminal – of which I can assure you there are plenty.

    INTRODUCING ..

    Kenny Rogers – CEO at EvilEngineering Corp

    This is Kenny Rogers. He’s on the executive board of EvilEngineering Corp. His company has been going through a tough time recently, since HackMe Corp – one of its largest competitors – developed groundbreaking new research. This research threatens to put them out of business, and in desperation Mr. Rogers approaches a professional hacker by the name of Switch to break into their competitor’s network and steal its intellectual property.


    In the real world there are individuals who advertise their services for sale on the dark web to nefarious clients. It’s easy to see why a market for such a service exists when some businesses are more than willing to gain a competitive advantage through illegal activity.

    Intellectual property theft isn’t limited to research & development (R&D) either – these attackers might:

    – Steal your customer records or information
    – Steal a copy of your sales database – taking your clients
    – Take the intellectual property that gives your business a competitive edge
    – Monitor communications for anonymous blackmailing and defamation

    Unfortunately for everyone, hacking the competition in business is becoming increasingly common.

    Let’s take a look at how Switch approaches his latest project – HackMe Corp – in 5 simple steps:

    Step #1 – Perform Recon


    9:48 AM

    Following a discussion with the Chief Executive at EvilEngineering, Switch decides to go ahead and begin the first phase of his attack – reconnaissance. He starts by performing Google searches on HackMe Corp, looking for any information that might later be useful in building an attack.

    He visits their company website and social media platforms, searches news articles and press releases and researches their company structure to identify key individuals within the business.

    While searching online Switch comes across an article on www.superpentesters.com. Their latest news section lists HackMe Corp as a recently acquired client – making it likely that HackMe Corp has hired an external team of penetration testers to audit its network security.

    Switch decides that in this case he’d be better off approaching the target with a two-pronged attack – blending social engineering with a technical exploit to gain a foothold inside their environment.


    10:32 AM

    Following some further searching Switch notices that HackMe Corp is currently advertising a sales role on seek.com.au. At the bottom of the advertisement he can see that the listing was posted by Felicity Baker, and he jumps over to LinkedIn to begin identifying HackMe Corp employees.

    Felicity Baker – Secretary at HackMe Corp

    Within moments he discovers Felicity’s profile and performs a Google search for “*.*@hackmecorp.com”. This search query returns a list of company email addresses, allowing Switch to substitute Felicity’s name into their format to obtain a working email address.

    His results show that they’re using a firstname.surname@domain.com format – giving him the address felicity.baker@hackmecorp.com.


    Step #2 – Compose Spear Phishing Email


    11:22 AM

    Switch goes ahead and creates a brand new Outlook account using false information, and then begins composing his malicious email. He poses as Johnny Cash – an experienced salesman who is interested in applying for the role she’s advertising. He mentions that his resume is attached.


    Step #3 – Generate Malicious Payload

    12:14 PM

    Switch boots up his Kali Linux virtual machine and uses msfvenom to generate a malicious VBScript payload for an x86 Windows platform. This payload is a reverse TCP shell that connects back to his host machine and provides full command-line access on the compromised host.

    To increase its effectiveness the payload has been encoded using 10 iterations of Shikata Ga Nai – a sophisticated encoding algorithm that will allow us to sneak the payload past even the most vigilant gateway or host anti-virus protection.

    For the technical folks amongst you – it’s a Polymorphic XOR Additive Feedback Encoder.

    Say whaaaaaaat?

    The code that’s generated is split into two distinct sections – the first is the executable macro code which will be embedded into the Word document, and the second a block of data which will be appended to the end of the document (following the fake resume information).

    Since the macro code runs in the background and we’re able to make the text inside the data section white in colour, the entire thing will be completely invisible to somebody opening the Word document.

    Perfect! Below you can see Switch embedding the executable macro into his document.

    1:32 PM

    Once the file has been created Switch decides to upload it to www.virustotal.com. This website sends the file off in the background to all of the major anti-virus vendors and reports back on whether each of them deemed it to be malicious.

    This gives Switch an indication of whether his encoding has worked – and also whether he’s likely to bypass any AV protection that HackMe Corp might have in place.

    This isn’t the only way that Switch could approach the attack either. He could also send Felicity a URL to a malicious server, in the hope that her operating system or web browser was not appropriately patched and up to date.

    This remote site would serve up an exploit for a vulnerable plug-in, for example in Adobe Flash, and then download the payload onto her machine – delivering a reverse connection back to Switch.

    We can see below that the original method has worked – the document has not been flagged by any of the major AV vendors and is ready to be (hopefully renamed and) attached to the email.

    Once the malicious email has been sent to Felicity, he configures a TCP listener on his Kali Linux machine that waits for inbound connections on port 1337. Now all Switch has to do is sit and wait.

    Switch has configured his gateway to forward all inbound traffic on port 1337 directly to his laptop, which is waiting patiently to accept any inbound connections.
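    A gateway-side check that would catch the attachment from Step #3 whatever it has been renamed to, written here as an added example (not the post’s own or any vendor’s code): OOXML documents are zip containers, and one that carries VBA has a vbaProject.bin part and a macroEnabled content type, so the check inspects the bytes rather than the extension. The sample documents are constructed in memory; the older binary .doc (OLE) format is out of scope for this check.

```python
import io
import zipfile

# Parts and content-type marker that indicate an embedded VBA project in OOXML.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "macroEnabled"


def attachment_has_macros(data: bytes) -> bool:
    """True if the bytes are an OOXML container with an embedded VBA project.
    The filename is ignored on purpose: a renamed .docm is still a .docm."""
    if not data.startswith(b"PK"):
        return False  # not a zip container (binary .doc/OLE needs another parser)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in MACRO_PARTS):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return False
    return False


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real resume)."""
    ctype = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
             else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def triage(filename: str, data: bytes) -> str:
    """Decide what the mail gateway does with one attachment."""
    if attachment_has_macros(data):
        return f"QUARANTINE {filename}: macro-enabled Office document"
    return f"ALLOW {filename}"


if __name__ == "__main__":
    # A .docm renamed to .docx is still caught because the content is inspected.
    print(triage("Johnny_Cash_Resume.docx", build_sample(with_macro=True)))
    print(triage("Johnny_Cash_Resume.docx", build_sample(with_macro=False)))
```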


    Step #4 – Execute Your Code

    1:59 PM

    Felicity receives her email from Johnny, opens it and sees the following.

    HackMe Corp is using a gateway spam filter on its inbound email system, which has completely failed to pick up the evil attachment. They’re also running AVG Enterprise anti-virus across their network with real-time scanning, which has again failed to detect anything using signature-based matching.

    This is because the payload has been obfuscated using an encoding algorithm. Like any unsuspecting employee receiving this email, Felicity decides to double-click on the attachment, and is presented with the following message:

    How many of you can honestly say that you would not click Enable Editing? We see these prompts all of the time – and click through them almost subconsciously. Even though I’m aware of how these exploits work – I have no shame in telling you that even I’d click to enable editing, simply because Microsoft Office doesn’t display documents in single page view by default in Protected Mode.

    Once the victim has enabled editing on the document – it’s all but over. The macro inside the Word document executes in the background, spawning a connection back to the attacker’s computer.

    We can see here that Felicity was running Windows XP Service Pack 2 – although this attack would have worked on all Windows versions up to and including Windows 10.

    2:03 PM

    The connection gives Switch a ‘meterpreter shell’ – granting him unrestricted remote access to the system as though he were physically sitting at it. What can Switch do? Well here’s a small list to give you an idea:

    • Watch the screen and take control of the computer at any time.
    • Browse and copy files without the user’s knowledge.
    • Turn on the webcam and record video or take screenshots.
    • Activate the microphone and record audio conversations in the room.

    Now that Switch has compromised a single machine it’s trivial work for him to begin moving through the network to compromise others. In this instance he’s been very lucky.

    Unfortunately for HackMe Corp, Felicity has been given full access to the network shares, which means that she can access resources from other departments. In this instance the files are stored on the Z: drive, and Switch is able to access Z:\Engineering Department\Engineering Team\Top Secret R&D Projects.
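    The endpoint-side detection JasonC’s comment below asks for at Step #4, as an added example (not the post’s own or any product’s logic): correlate a Word process spawning a child with that child opening an outbound connection on a port it has no business using. The log lines are constructed in a simplified key=value form modelled on Sysmon process-create and network-connect events; the field names and the process and port lists are assumptions.

```python
import re

# Parent/child pairings that should not occur on a secretary's workstation (assumed lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
EXPECTED_PORTS = {80, 443}  # outbound ports a document-spawned process might legitimately use

# Constructed events: event=1 is process create, event=3 is network connect (field names assumed).
SAMPLE_LOG = r"""
event=1 pid=1400 image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE parent_pid=900 parent_image=C:\WINDOWS\explorer.exe
event=1 pid=1528 image=C:\WINDOWS\system32\wscript.exe parent_pid=1400 parent_image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
event=3 pid=1528 image=C:\WINDOWS\system32\wscript.exe dst_ip=203.0.113.10 dst_port=1337
event=1 pid=1610 image=C:\WINDOWS\system32\notepad.exe parent_pid=900 parent_image=C:\WINDOWS\explorer.exe
event=3 pid=1400 image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE dst_ip=203.0.113.20 dst_port=443
"""

FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # value runs until the next key= or end of line


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; values (paths) may contain spaces."""
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> list:
    """Correlate process-create and network-connect events and return alerts."""
    office_children = {}  # pid -> (child image, office parent image)
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_event(raw)
        if ev.get("event") == "1" and basename(ev["parent_image"]) in OFFICE_PARENTS:
            child, parent = basename(ev["image"]), basename(ev["parent_image"])
            office_children[ev["pid"]] = (child, parent)
            if child in SCRIPT_HOSTS:
                alerts.append(f"MEDIUM: {parent} spawned {child} (pid {ev['pid']})")
        elif ev.get("event") == "3" and ev["pid"] in office_children:
            port = int(ev["dst_port"])
            if port not in EXPECTED_PORTS:  # e.g. the reverse shell on port 1337
                child, parent = office_children[ev["pid"]]
                alerts.append(f"HIGH: {child} (child of {parent}) connected to {ev['dst_ip']}:{port}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    Word itself talking to port 443 in the last event raises nothing, because the rule keys on what a document spawns rather than on Office network traffic in general.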


    Step #5 – Exfiltrate Data

    3:00 PM

    Using the meterpreter shell, Switch runs the download command against Z:\Engineering Department\Engineering Team\Top Secret R&D Projects to pull down their entire R&D folder via Felicity’s machine.

    Felicity has opened what appears to be a regular-looking resume and responds to Johnny – who never makes contact again to follow up on his application. There are no anti-virus alerts, no visible activity on the screen and no indication whatsoever that the network has been breached.
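    A file-server side check for Step #5, added here as an example and not the post’s own or any product’s logic: one account reading far more files from the R&D share in a short window than any normal user does. The audit lines are constructed in a simple timestamp,user,action,path form, and the ten-minute window and 20-file threshold are assumed per-share baselines.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# The share from the story; window and threshold are assumed per-share baselines.
SENSITIVE_PREFIX = r"Z:\Engineering Department\Engineering Team\Top Secret R&D Projects"
WINDOW = timedelta(minutes=10)
MAX_READS_PER_WINDOW = 20


def build_sample_audit() -> str:
    """Construct audit lines (timestamp,user,action,path): an engineer reading a
    few files over 45 minutes, then Felicity's account pulling 35 files in under
    four minutes, as the download command in Step #5 would."""
    base = datetime(2016, 5, 10, 14, 0)
    rows = []
    for i in range(3):
        t = base + timedelta(minutes=15 * i)
        rows.append(f"{t.isoformat()},jsmith,READ,{SENSITIVE_PREFIX}\\design_{i}.pdf")
    for i in range(35):
        t = base + timedelta(hours=1, seconds=6 * i)
        rows.append(f"{t.isoformat()},felicity.baker,READ,{SENSITIVE_PREFIX}\\project_{i}.docx")
    return "\n".join(rows)


def detect_bulk_reads(audit_text: str) -> list:
    """Return one alert per user whose reads under the sensitive share exceed
    MAX_READS_PER_WINDOW inside any sliding window of length WINDOW."""
    reads = defaultdict(list)  # user -> timestamps of sensitive reads
    for ts, user, action, path in csv.reader(io.StringIO(audit_text)):
        if action == "READ" and path.startswith(SENSITIVE_PREFIX):
            reads[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in reads.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1  # slide the window forward
            if end - start + 1 > MAX_READS_PER_WINDOW:
                alerts.append(f"{user}: {end - start + 1} sensitive reads within "
                              f"{WINDOW} starting {times[start].isoformat()}")
                break  # one alert per user is enough to lock the account
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(build_sample_audit()):
        print(alert)
```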


    The Summary

    Now that Switch has copied the information from the network shares he removes any evidence of his attack and disconnects from their network. He then goes back to Mr. Rogers to advise him that the project has been completed much sooner than expected – and upon supplying the R&D data is paid exclusively in bitcoin.

    For those who have skipped through to the end and would like a short summary, here it is –

    How To Hack A Business In 24hrs:

    1. Perform reconnaissance on your target.
    2. Using your prior reconnaissance, compose a well-crafted phishing email.
    3. Generate and encode a malicious payload to bypass AV. Deliver the payload via email.
    4. Execute your code on the target and gain a remote interactive shell.
    5. Begin data exfiltration from the target network.

    I hate to report that the attack scenario described above would work well against more than 90% of SMEs – with small variations. Modern businesses are in no way equipped to deal with the growing threats that are emerging from the cyber world. If you’d like to know how to protect your business against these emerging threats then subscribe to my blog today.


    Did you like the article? What do you think about the evolution of cyber security?

    Leave your comments and feedback below 🙂



    • Jason

      Fascinating article and quite frightening given the ease with which these tools are available. Unlike random invoice emails, someone like Felicity wouldn’t think twice about opening the attachment.

      Why is it not easy for AV vendors to create algorithms to block obfuscated code?

      • Mike Carthy

        Hey Jason!

        Since AV vendors primarily use signature-based matching (with hashing algorithms) – any change to the code produces a different hash. This results in there being no match. Polymorphic code changes each time it executes which makes it impossible for the AV to detect. Shikata Ga Nai roughly translates to ‘nothing can be done’ – which couldn’t be more accurate.

        Regards,

        Mike.


    • Jamie

      Great article Mike, really enjoying your blog! As well as the “protected view” warning, would you also have to allow macros (if blocked by default) before the code would run in this example?

      • Mike Carthy

        Hey Jamie,

        Thanks – I’m glad you’re enjoying them! If Office had been configured to block macros by default you’re spot on – that’d be one way to protect against these attacks. Network administrators could implement macro blocking via group policy. It’s rarely the case however and most organisations will allow the execution of macros by default (for user convenience or lack of awareness).

        I hope that answers your question.

        Cheers,

        Mike.

    • Jamie

      Thanks Mike, it does indeed. And similar to clicking “enable editing”, I would also be guilty of clicking “unblock macros” if only to get rid of the annoying warning! Will think twice in future 🙂

      • Mike Carthy

        Absolutely – it’s far too easy to click through the prompts, particularly when the email looks so genuine.

    • JasonC

      As I’m reading this article, I continually cringe like it’s a horror story and I know the ending. It would be interesting to see the “good guys” take on best practices and what should be done throughout the 24 hours. Security experts rely so much on systems and users to detect and stop threats but this is a prime example of how easy it is to successfully compromise a network with normal business actions.

      Step #4
      13:59 PM – Felicity doesn’t open the attachment because company policy requires all resumes to be uploaded to the HR site for proper analysis.
      14:03 PM – Endpoint protection identifies a new outbound connection from Felicity’s PC and alerts security staff.

      Step # 5
      3:00 PM – Data protection systems monitoring for abnormal data access notices an increase in Felicity’s access to Top Secret R&D Projects. Felicity’s domain account is immediately locked and all active data connections are disconnected. Security staff is alerted.

      I agree with Jamie – great article and blog, keep them coming.

      • Mike Carthy

        Great comments and feedback Jason! The outbound command and control connection should definitely be identified and dropped. Pushing out a group policy across the network to stop macros from running would be another great way to mitigate attacks like this. I’ll go ahead and update the article this week with some countermeasures – or perhaps even do another small write-up.

        I’m really glad you’re enjoying the content – the blog is growing quickly and I honestly owe it to my first small group of subscribers.

        Thanks Jason!
