True digital crime E01Pt02: Insiders

Part 2 - unravelling the hijack hack of a major retailer’s diverse endpoints and network

cont’d from Part 1

The Threat Actor (TA)’s bitcoin-mining breach was methodical, slow and deliberately aimed at the corporation. It unfolded on multiple fronts. TA’s team took their time. We’ll never know for certain, but the exploit could have happened like this, unfolding over weeks, days and then hours:

Markus

Markus [not his real name] was an HR employee of the corporation when it experienced a prior data breach. Like all other employees in the corporation, his credentials were leaked. However, Markus was on his last day and was moving to a position with a different company. The person responsible for terminating Markus’s account was on leave. The termination task sat idle. As Markus went out the door on his final day, he had no idea that his account was still viable. With the previously leaked credentials in hand, the TA’s team went to work. They kept trying until they found one (Markus’s) that worked. It was all they needed. They didn’t need penetration tactics; they didn’t need to breach the firewall. They used a legitimate credential and then went phishing, internally.

Trudi

Trudi [not her real name] was a new employee, still onboarding. She had no reason to distrust an internal HR email, even though it was not from her specific HR Representative. The email asked her to review an attached Word document. The email message also advised that it was an older HR document and she might have to enable macros to see the full text on her workstation. She opened it, enabled macros, and read through a rather vague and generic Code of Conduct policy. There didn’t seem to be any further action required. Trudi closed it and carried on with her day.

Iain

With Markus’s and Trudi’s inboxes now compromised, the TA team used them to create and send malicious emails targeting further employees, including the corporate IT team. IT Administrator Iain [not his real name] was the next internal phishing target. But this time, the payload Iain’s computer received contained a custom Python backdoor. From Iain’s computer, the attackers then dropped a persistent agent on multiple servers. The purpose of that agent was to constantly beacon back to TA’s network.

It was as though they had tentacles. TA’s team made lateral moves from Iain’s computer and created multiple Command and Control (C2) servers. Each C2 server was infected with a custom backdoor in order to maintain persistence on the network and continue the attack activities. While data exfiltration wasn’t the immediate purpose, it may have factored into their longer-term attack plans. The multiple backdoor exploits created the agility and ability to re-infect if any compromised systems were discovered.
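The persistent agent described above gives itself away by timing: a beacon that calls home on a fixed schedule produces outbound connections whose gaps barely vary. The following added example (not code from the original post, and unrelated to any specific product) flags host/destination pairs with near-constant intervals in a constructed connection log; the hostnames, addresses and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records: timestamp, source host, destination.
# Values are illustrative only and are not taken from the incident described.
SAMPLE_LOG = """\
2020-11-02T09:00:00 srv-file-01 198.51.100.7:443
2020-11-02T09:05:00 srv-file-01 198.51.100.7:443
2020-11-02T09:10:01 srv-file-01 198.51.100.7:443
2020-11-02T09:14:59 srv-file-01 198.51.100.7:443
2020-11-02T09:20:00 srv-file-01 198.51.100.7:443
2020-11-02T09:01:13 ws-trudi 203.0.113.20:443
2020-11-02T09:07:48 ws-trudi 203.0.113.20:443
2020-11-02T09:31:02 ws-trudi 203.0.113.20:443
2020-11-02T10:12:40 ws-trudi 203.0.113.20:443
2020-11-02T10:13:01 ws-trudi 203.0.113.20:443
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst = line.split()
        series[(host, dst)].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps, min_events=5):
    """Coefficient of variation of the gaps between connections, or None if there
    are too few events. Values near zero mean machine-like regularity."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg

def find_beacons(text, threshold=0.05):
    """Return {(host, destination): score} for pairs whose timing looks scheduled."""
    flagged = {}
    for key, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is not None and score < threshold:
            flagged[key] = round(score, 4)
    return flagged

if __name__ == "__main__":
    for (host, dst), score in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: interval CV {score}")
```

Human-driven traffic such as the workstation's browsing is irregular and passes; the file server's five-minute cadence is flagged. Real agents often add jitter, so in practice the threshold is tuned against a baseline of known-good hosts.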

Meanwhile, the attackers added malware on the infected endpoints. The malware had the sole purpose of harvesting passwords, enabling the attackers to log into other devices. This aided the compromise and conversion of key servers. A further exploit, SMBGhost (CVE-2020-0796), was successful on virtually all vulnerable endpoints.

All phished users were infected with a self-replicating coin miner. The initial self-replicating payload spread to hundreds of machines in a matter of hours. Associated financial networks, supplier networks and remote workers, all not under the control of the security team, beckoned with the potential of becoming a vast network of coin miners. TA’s team were undoubtedly thrilled with their luck and proud of their work.

Most importantly, the compromise was purposefully throttled down. It was designed to leave the retail facade fully intact and functional as it spread to more and more endpoints. All retail and corporate financial transactions were occurring as normal. Markus was happy in his new job at a new company. Trudi puzzled over why her computer took forever to load certain things from network drives. And Iain routinely examined CPU and GPU load in his PC’s Task Manager, one of his personal daily routines. On the surface, everything seemed like just another day before another big sale…

TO BE CONTINUED (DM for the full story)

Did you know this outrageous cybersecurity statistic? In 2021 alone, companies in Canada, the US and elsewhere paid out almost USD 1.2 billion in ransom. And did you know that, meanwhile, companies protected by ReaQta have NEVER been breached and have paid ZERO ransom dollars? It's true. Whether it’s “Black Basta” or any other ransomware-as-a-service attack, IBM’s ReaQta can protect your company’s endpoints. We’d love to meet with your company’s endpoint cybersecurity professionals. Please contact me for more information, or make a LinkedIn introduction to your colleagues. Let’s start a conversation.