The Secureworks® Adversary Group (SwAG) is a team of world-class ethical hackers that uses goal-based penetration testing to pinpoint vulnerabilities in customer environments. We use our findings to not only help those specific customers improve their defenses—but to better protect all our other customers as well.
Given that the holiday season is approaching, I thought I’d share the story of a specific engagement (appropriately anonymized, of course) with a Very Large Retailer. This story should be instructive to everyone reading this, since ransomware is a top threat faced by just about every organization. But retailers must be especially cautious in the coming months, since:
- Any downtime during the highest-revenue time of year can be very damaging to the business.
- This retail season is going to be tough enough as it is due to supply-chain woes.
- Hackers know this, so they may target retailers more intensely than usual, realizing that a successful ransomware attack will more likely result in a quick ransom payment.
How it started
Recently, this not-to-be-named Very Large Retailer hired our SwAG team for a Ransomware Simulation. This type of engagement is becoming more common for us as headlines about successful ransomware attacks motivate decision-makers to (wisely) take a closer look at their anti-ransomware posture.
We started by conducting the Open Source Intelligence (OSINT) gathering that helps us identify a customer’s current technology and employee base—both of which are crucial to the search for vulnerabilities.
That intelligence gathering immediately bore fruit. We quickly compromised more than 80 user accounts using a password spraying attack. Now—pay attention—the majority of these accounts were already using multi-factor authentication (MFA). That, of course, is a best practice which we strongly recommend. But MFA won’t protect you if you don’t implement it properly.
And, in this case, the customer had a serious MFA implementation problem. Several user accounts weren’t enrolled in the MFA mechanism for VPN access. So when our team compromised those accounts, we were able to simply enroll those accounts in the client’s MFA mechanism ourselves. Et voilà! We had MFA-legitimatized access to the environment.
At this point, it was Game Over. We jumped on the VPN, moved laterally, cracked hashes of service accounts, and got ourselves local admin and Domain Admin (DA) rights on the same day. We then deployed our simulated ransomware to the customer’s pre-defined targets and executed the files.
Rack another one up for the fierce fake felons of SwAG!
Happy to be Hacked
This seemingly bad outcome was actually a tremendous win for our Very Large Retail customer. After all, instead of shutting down their environment at the height of the holiday season and holding their business for ransom, we showed them exactly where they were vulnerable.
Our customers used the eye-opening speed with which we were able to execute a successful ransomware attack as an opportunity to petition upper management for additional funding. Anyone who works in IT security knows how vital this funding is because security is often woefully under-resourced. Worse yet, if you keep doing a good job, upper management may not understand why they should give you more budget.
But when SwAG comes in and mounts a successful attack, that “why” immediately becomes evident. And it’s much better to go to a CFO with a SwAG report than it is to fund the closing of your cyberbarn door after the digital horses have left the stable.
The SwAG engagement also helped the retailer evaluate its threat detection and response capabilities under fully replicated real-life ransomware attack conditions. They realized that, in addition to fixing their MFA implementation, they also would have benefitted from better visibility into our pseudo-nefarious activity during the period from the initial compromise to the implantation of the fake ransomware. That lack of visibility—as much or even more than the MFA snafu—is what led to our ultimate success. So the client used a good chunk of the funds they were able to shake loose from the powers-that-be to make investments in better detection-and-response capabilities.
Then they called us for a repeat engagement.
Hack in the Saddle Again
For this second engagement, our SwAG team leveraged the OSINT from the first engagement. Since we knew the customer had made investments in better threat visibility, we took things nice and slow to generate less “noise” for them to pick up. We further enhanced our stealth by only compromising about 20 accounts—and taking several days to do it.
The customer also made life more difficult for us by changing its MFA implementation. Nonetheless, we were able to use a compromised account to get into their Microsoft Office365 environment. There, we gained access to a user’s email—where we were able to find instructions on how the new MFA/VPN system worked.
So far, so good for the fake bad guys. But we were thoroughly hosed when it came to our basic attacks. Kudos to the customer! They had done a great job of shoring up their defenses.
But it’s not so easy to stop an ethical hacker with so much SwAGger. It was time to resort to social engineering.
Posing as an employee from the IT department, we successfully tricked a user into approving our MFA push notification by fabricating a story about having to upgrade to a new VPN. Once this user granted us VPN access, it was Game Over again. We moved laterally, cracked local admin and service accounts, and then leveraged those accounts to dump the domain controller. Within an hour, we were Domain Admins once again. We then deployed our simulated ransomware on the customer’s targets, bypassing their security controls.
The Very Large Retailer was even more pleased with this engagement. They were able to assess the efficacy of the controls and countermeasures they had put in place following our previous engagement. They were also proud of how well they’d detected so much of our activity and made life so hard for us, because it’s precisely those kinds of obstacles that can discourage real attackers and motivate them to look for an easier target elsewhere.
The fact that we had to rely on social engineering was also encouraging to the customer. Now they can shore up the human aspect of their vulnerability with user education, which is vital for any organization seeking to protect itself from today’s threats.
This engagement is a great example of how an iterative engagement with SwAG can pay off in multiple ways, including:
- Discovering technical shortfalls in your IT security posture.
- Demonstrating the need for additional funding to upper management in a concrete, convincing way.
- Developing a more effective user training program.
'Tis the season for ramped-up cybersecurity threats, and nobody wants to experience the nightmare of a ransomware attack before Christmas!
If you'd like to discuss how SwAG could provide a little holiday cheer by helping you identify vulnerabilities and improve your cybersecurity defenses, reach out to us today.
To learn more about what happens When Good Guys Go Bad, watch this video series highlighting additional SwAG customer engagements.
Beat the Threat: Adversarial Simulation Video Series - View now