I'm going to use this post to elaborate on one particularly fun composite attack scenario that I helped put together a while back. This story involves a client working with some sensitive government agencies, a few different technical attack scenarios, and, as the title suggests, a modern-day version of the original Trojan horse (quite literally). The client who hired our red team was concerned with two distinct threat actors with their own sets of capabilities and resources; this broke down as follows:
- An external hacking group with a range of members skilled in both web application and network exploitation. This group would only conduct attacks that could be executed purely from a remote perspective, which included any and all Internet facing systems/applications and a variety of email- and phone-based social engineering.
- A sophisticated criminal or terrorist organization that had the resources to hire skilled hackers, again both application- and network-focused, as well as people who wouldn't mind showing up at the client's offices to carry out their objectives. This particular threat actor had the financial resources to purchase commercial tools, gadgets, materials for a variety of social engineering scenarios, etc. This threat actor also had the time to focus on targeting this company alone, rather than hoping for an opportunistic attack before moving on to the next target.
The primary goal for this red team assessment was to obtain access to deployed, operational employee data or any intellectual property in the form of source code, algorithms, customer secrets, design documentation, etc. This organization was very concerned about attacks that, depending on what was stolen, could put at risk both its government contracts and the safety of its employees.
We started the assessment much like any other, with a lot of reconnaissance and perimeter testing. Throughout this process we found a lot of interesting things that we felt would come in handy later on in the test, but found no glaring holes in the organization's perimeter defenses. During this phase we put together some phishing scenarios to use, but we held off on kicking those off until a little bit later. I'll jump forward a little bit into our onsite recon and testing efforts, leading into the main point of this story; I might reserve some other interesting parts of this particular engagement for future posts.
Before we showed up onsite, we learned that there were several satellite offices in addition to the organization's headquarters, all in very close proximity to one another. This layout was primarily due to a period of rapid growth and the separation of duties between various employee groups. The network between these offices, however, was seamlessly connected, with no segmentation between locations or resources. Additionally, physical access devices, such as smart cards, were also interchangeable between offices.
The grand attack that we put together involved a large Pelican case that was specially modified for this engagement, a delivery truck, some custom-made employee uniforms, and remote access tools from the good folks over at Pwnie Express. The Pelican case was large enough (as seen below) to fit one of the members of our team.
We made the following modifications to the case:
- Two false locks on the front with big, heavy padlocks, purely for show.
- Two actual latches on the inside of the case to prevent anybody from inadvertently opening the case.
- A spring-loaded periscope in the top center of the case, hidden under a logo; the periscope used a mini HD DVR camera so that the individual within the case could see what kind of location he was in before exiting.
We also outfitted the case with a kit of physical entry tools, Pwn Plug units, and wireless access points, all of which could be used to move throughout the facility once inside and/or set up remote access capabilities for the rest of the team. Once the case was prepped, we had employee uniforms made up for the team member inside the case so that he could blend in while walking around the facility. The next step was to obtain a delivery vehicle, uniforms, and other accessories needed to pull off the actual delivery of the case.
We secured a large cargo van for our delivery truck and placed some magnetic logos along the side of the van to add a little bit of credibility. Our drivers wore uniforms and had the handheld units for signatures upon delivery. With all of this, we were set to launch our attack.
Towards the close of regular business hours, we loaded everything up into the case and the cargo van and made our way to the target's headquarters. Strolling into the headquarters as delivery personnel was an easy way to make it past the first security checkpoint. Once we made it to the drop-off point, we greeted reception, dropped off the case, and had them sign for the package. We told the receptionist that the keys for the case would arrive the next day, along with the designee, for "security purposes". Our Trojan horse package was wheeled past the second security checkpoint and into the facility.
There were some other pretty fun parts of this engagement in particular that are worth exploring in later posts. This, of course, is not a scalable attack, but it was a lot of fun to plan and carry out! The only thing that was missing was Mission Impossible-style helicopters, lasers, and face masks.