by J.Tate
Chief Intelligence Officer bits & digits
This week, the news and the underground Darknet forums show how little effort it takes hacking organizations to exploit companies and victims. As I write this article, I know the average company/victim is not in a position to enact change to prevent Cyber Security attacks. Let me be clear. This is NOT a how-to, but a call to action for organizations in the Middle East and across the globe to understand just how easy it is for hackers to obtain the most critical information with the least amount of effort.
I have decided to open Pandora’s Box and give a glimpse of the cyber exploitation framework. I will briefly narrate how easily a “red team” or a Hacking Organization aimed at your company could obtain some of the most sensitive data with little technical skill.
Company XYZ’s latest breach begins here:
A disgruntled employee who has worked for Company XYZ for the past six years has decided they are hell-bent on causing damage, for whatever reason. This trusted employee is the “gatekeeper,” with access to badge codes and administrative rights to the backend system holding your email archives.
After a Google search or two, the disgruntled employee downloads the encrypted anonymous browser “TOR,” also known as The Onion Router. This gives access to the underground side of the internet, where he/she can hire a hacker capable of stealing information from the company.
The disgruntled employee is now on the dark market forum going by the name “Hell.” (See the VICE-Motherboard article: http://csi.agency/1Tqur0P.) It’s a haven for undercover FEDs and for hackers trolling for business, offering to create havoc in an organization for a fee. Much more sinister activities take place in “Hell,” but we won’t open that door for now. With tools like SHODAN (http://csi.agency/1U70Rro), NMAP (http://csi.agency/1OSwAjP), MALTEGO (http://csi.agency/1YRtBZc), and Google, the “hired hacker” can map out company XYZ’s technical system configurations, email addresses, and the level of its security awareness training. Job postings can also expose company vulnerabilities.
With basic company information coupled with OSINT (Open Source Intelligence), the “Recon Phase” begins. The disgruntled employee, along with the hired hacker, is completely off the radar with access to valuable information. Armed with the company’s name, location, and senior leadership information, the hired hacker collects as much data about the organization as possible without triggering the company’s intrusion or perimeter detection systems.
After negotiations, the employee signs up for the hacker’s “Intermediate Package,” which includes a hands-on recon and data collection initiative to obtain as much sensitive information as possible. Imagine company XYZ is a prominent law firm in Bahrain that deals primarily with corporate law and maintains very valuable information on its server: information which, if exposed to competitors and other investigative agencies, would cause significant problems. Remember, law firms and telco providers are considered “intelligence values” (IV).
Plan of Attack…
In reality, it could take a seasoned hacker 15-20 minutes to breach and obtain as much confidential information as possible about the organization. If the disgruntled employee has passed on a significant amount of information to the hacker (i.e. the executive board, machine operating systems, Payroll, an IP address and domain name), it may prove detrimental to the organization’s IT infrastructure.
This means the collection of company XYZ’s emails (actual emails, not metadata) from employees to execs with access to confidential intel, its technical and platform design (Routers, ISP, MSSP), website, database configurations, business competitors, and any documents or information with intellectual property value to the institution is now in the hands of the hacker. Dumpster diving in the company’s trash bin for items of high intelligence value and reviewing job postings by the company have proven to be effective tools for obtaining information.
With a domain name and a simple query of XXXX.bh through a few easy-to-use tools such as SHODAN and NMAP, the unknown hacker has a much easier job to do. SHODAN can find a company’s unsecured database and return a vast amount of information about it to the hacker.
The unknown hacker’s next steps would be to ensure any further actions were done in as covert and non-intrusive a way as possible: switching on a VPN and using VirtualBox to load a clean Linux virtual machine with no signatures, in case the company has an intrusion detection program. It’s simply better to be secured than sorry.
Below is a visual example of a SHODAN scan of company XYZ which revealed an open mongo database. Such a scenario is quite common. The company configured an inappropriately secured database, which renders its information accessible to anyone who wants to read it.
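The “open mongo database” above almost always comes down to two settings in mongod.conf: the server listens on a public interface and access control is switched off. The following is an added example, not code from the article or from bits & digits; both configuration fragments are constructed for illustration, and the checker parses only the simple two-level layout mongod.conf uses so that it runs without any extra library.

```python
"""Audit a mongod.conf fragment for the 'open mongo database' exposure.

A MongoDB instance is readable by anyone on the internet when it listens on a
public interface (net.bindIp 0.0.0.0 / net.bindIpAll true) and access control
(security.authorization) is not enabled. Added example; configs are constructed.
"""
from typing import Dict, List

# Constructed example: the weak configuration behind an "open mongo database".
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed example: the corrected configuration (private bind + auth on).
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:' / '  key: value' layout of mongod.conf.

    Deliberately minimal (no PyYAML dependency); handles only what this audit needs.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level section such as "net:"
            current = line.rstrip(":").strip()
            sections.setdefault(current, {})
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure was detected."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings: List[str] = []

    # MongoDB 3.6+ binds to localhost by default; a wildcard bind or bindIpAll opens it up.
    binds = {b.strip() for b in net.get("bindIp", "127.0.0.1").split(",")}
    listens_publicly = (
        net.get("bindIpAll", "false").lower() == "true" or bool(binds & PUBLIC_BINDS)
    )
    if listens_publicly:
        findings.append(
            "net.bindIp: listening on all interfaces; bind to localhost or a private address"
        )

    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append(
            "security.authorization: not enabled; any client that can connect can read every collection"
        )

    if listens_publicly and not auth_enabled:
        findings.append("CRITICAL: publicly reachable and unauthenticated (the 'open mongo database' case)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run against the weak fragment it reports all three findings; against the hardened one it reports none. The same two conditions are what a Shodan query surfaces from the outside, so checking them on the host side is the cheaper test.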
A review of the NMAP data (NMAP is an open source tool used to scan networks for vulnerabilities and exposed machines) indicated that the ports available on this network were open to the internet, which points to a poorly configured firewall. The “Bangladesh Bank Heist” is an example of this type of security breach.
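Reading the NMAP results the way the article does, against what the firewall is supposed to expose, is something a company can do for itself. The following is an added example, not code from the article; the scan lines are a constructed sample of `nmap -oG` (grepable) output for two perimeter hosts, and the per-host allowlist is an assumed policy for company XYZ.

```python
"""Review nmap grepable (-oG) output for ports that should not be internet-facing.

Added example: the scan lines are constructed, and ALLOWED is an assumed policy.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -oG -` output for two perimeter hosts.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sS -p- -oG - 203.0.113.10 203.0.113.20
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 27017/open/tcp//mongodb///, 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65531)
# Nmap done -- 2 IP addresses (2 hosts up)
"""

# Assumed per-host policy: which TCP ports the firewall is allowed to expose.
ALLOWED: Dict[str, Set[int]] = {
    "203.0.113.10": {22, 80, 443},  # web server
    "203.0.113.20": {25},           # mail relay only
}

# Services that should essentially never be internet-facing, whatever the policy says.
HIGH_RISK = {
    27017: "MongoDB", 3389: "RDP", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 6379: "Redis",
}


def parse_grepable(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (host, port, state, service) for every entry in an -oG 'Ports:' field.

    Each entry has the form port/state/proto/owner/service/rpcinfo/version/.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            results.append((host, int(parts[0]), parts[1], parts[4]))
    return results


def find_exposures(text: str, allowed: Dict[str, Set[int]]) -> List[str]:
    """Flag open ports outside the allowlist; known high-risk services get a stronger label."""
    findings = []
    for host, port, state, service in parse_grepable(text):
        if state != "open":
            continue  # 'filtered' means the firewall is doing its job for that port
        if port in allowed.get(host, set()):
            continue
        label = "CRITICAL" if port in HIGH_RISK else "WARN"
        name = HIGH_RISK.get(port, service or "unknown")
        findings.append(f"{label} {host}:{port} ({name}) open to the internet")
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_SCAN, ALLOWED) or ["no unexpected exposure"]:
        print(finding)
```

On the sample, the web server is clean, and the mail relay is flagged twice: the MongoDB port and RDP are reachable from the internet although policy allows only SMTP. The filtered SMB port is not reported, since a filtered result is exactly what a working firewall rule looks like from outside.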
OSINT is a hacker’s favorite due to the amount of information readily available and shared on the internet. Typical damage is done by employees improperly trained in the art of information containment. It is always an amazing revelation to see the information collected from job boards, audit records, and publicly accessible devices. These are the rules we will go into in the second part of this series.
This is a three-part series to explain, in general terms, how vulnerable your company is to hackers who can exploit it using readily available information. With five hundred dollars or less, someone can unlock every digital key you have set in your company, and obviously, the keys that don’t exist. Again, it is better to be secured than sorry.
Stay tuned for Part 2, the “Art of Intruding a Middle Eastern Company.” Again, this read is only a call to action for business owners to place the needed value on the information they process. This series can save your company from Cyber Security Disaster.
Edited January 2020.
Original exclusive feature on “The Lens of Exploitation” in BizBahrain June 2016 issue, pg. 84 – 85.