The Red Team, The IT Director and the Naysayer VP
As part of the services we provide, we do a generic digital posture assessment on our customers twice a year. A generic digital posture assessment is the name we gave to checking the organization's digital footprint and performing a very fast and shallow vulnerability scan. Essentially we want to check if the organization has some very obvious vulnerabilities.
So, while we were scanning one of our biggest customers we discovered that a certain VP was using his corporate email to log in and post to several off-road vehicle forums.
While this might look innocent, given who this VP was, it was a problem. Bad guys can use this to mount a simple social engineering attack and possibly gain access to the network.
We called the IT director, our contact person. We told him about all the things we found (including some systems with public-facing interfaces that needed to be upgraded or tightened a bit). We mentioned to him that he needed to talk to the VP and ask him to stop using the corporate email on public forums. It was singling him out for an attack. The director is a great guy to work with: he understands security and he knows the value of Red Teaming, so he said he would take care of this.
A couple of days later we received a call from the IT director. He was furious. He told us that after trying, unsuccessfully, to convince the VP to refrain from using the company email, he was told by the VP to "get out of the office and stop bugging me, I am a VP and you are a director". He tried to reason with the VP, but apparently the VP was too full of himself.
The director then went to the CEO of the company and explained our findings. He showed him the results of past projects we did for them and explained to the CEO why the VP needed to stop posting with the corporate email. The CEO got it. And, quoting the director, he asked me to make sure the VP got it too...
So, the IT director was now calling to ask us for a simple project: go after the VP and penetrate his laptop, his phone, or all of the above.
Well, it was on!
We had a lot of the work done already. It was clear what our infil point would be: an off-road fest!
To make this work we needed a domain, a web site, a bunch of exploits, backdoors and other attack code, a little research into the world of off-road driving and, more importantly, we needed to wait the right amount of time. We couldn't just do this immediately; the VP would be a little suspicious after he was told that his email might make him a target.
So, while we waited a few weeks we prepared everything.
Half the team worked on the website and the expo we were going to try to sell to this guy. They spread the word on off-road forums in many countries, leaving traces everywhere to make this look legit. The guys also sent "spam" emails with details of the upcoming raffle for a chance to win a prototype Wrangler Jeep. They did a great job.
Meanwhile some of the guys and I prepared the attack code for the website and the weaponized PDFs and Word documents we were also going to use to try to get a foothold on the VP's computer. The idea was to have as much code as we could that could possibly drop a small downloader on him, which would ultimately download our backdoor, giving us a shell on the VP's computer.
Several weeks later, after we had everything ready and the word was out that the best off-road expo was coming to town, we sent the VP 3 emails in 5 days. The emails came from the organizers, and not directly to the VP but to a list of top-rated persons of interest. These included (fake) VPs, C-level execs and top people at other organizations. The idea was to really pique the curiosity of the VP. The emails were slightly different but they all contained links to our crafted website (with attack code in it) and a brochure with more information about the expo (a weaponized PDF that was designed to exploit two vulnerabilities, one in MS Outlook and the other in Adobe's PDF reader).
The first email was not successful. We saw the VP post on two forums asking about the expo. And since the word had been out there, many members posted that it looked like a cool expo and that they were waiting to get more info (our website stated that general information about the presenters would be published in a few weeks along with the general ticket sales).
So, a few days later we hit him with the second email, a more personal email to him.
This one worked.
He opened the PDF, and since we knew the software he was running (the IT director had not sent him the updates we recommended for the entire company) we knew that it would work on his laptop. The exploit downloaded and loaded the backdoor we had ready for him.
A few minutes later we had a shell to his computer.
At that point we decided to play with him and teach him a lesson. JS wrote a little script that would download a random wallpaper with the most horrible colors and randomly apply the changes on the VP's laptop. Then we would remotely move the icons and folders on his desktop and create some of our own with funky names. Then, on the 3rd morning, we set the theme to black and white with a font so big it would make the window title bars take up 1/4 of the screen. It was something.
We installed a piece of code we wrote that would record the voice and video of the VP via the mic and cam of the laptop, and on the 4th morning we played some of his phone calls to him.
Needless to say he went running to the IT department. We were waiting for him there with the IT director.
He learned a big lesson.