‘HR Lady’s’ Security Breach

I’m imagining you, too, would stop your web browsing for one minute and read an article titled How we tricked your HR lady into giving us access to every customer’s credit card number. I obviously did.

The piece posted by network and security firm Netragard on its website lays out in pretty compelling detail all the steps the company went through to test one of its clients, unbeknownst to the client of course, for its level of vulnerability and/or security through a method it calls penetration testing. For the sake of the anonymity of the large retail corporation being tested, Netragard refers to it as Acme Corp.

What got my attention reading through the piece was just how clever and skilled hackers have to be, not to mention the firms that sell their services to protect companies from those covert methods.

Like many a hacker, no doubt, Netragard started out by identifying a job opportunity posted on LinkedIn, in this case for a senior security analyst. Here’s just a small portion of the company’s lengthy description of the ploy:

“Interestingly, the opportunity was not posted on Acme Corp.’s website. When Netragard reviewed the opportunity, it contained a link that redirected Netragard to a job-application portal that contained a resume-builder web form. This form was problematic because it worked against our intention to submit an infected resume to HR. We backtracked and began chatting on LinkedIn with the lady who posted the job opportunity. We told her that the form wasn’t loading for us but that we were interested in applying for the job. Then she asked us if we could email our resume to her directly, and of course we happily obliged.

“Our resume contained a strand of RADON 2.0. RADON is Netragard’s zeroday malware generator, designed specifically with customer well-being and integrity in mind. … Shortly after delivering our infected resume, RADON called home and had successfully infected the desktop belonging to the nice HR lady [who] we chatted with on LinkedIn. Our team covertly took control of her computer and began focusing on privilege escalation.

“RADON was running with the privileges of the HR employee that we infected. We quickly learned that those privileges were limited and would not allow our team to move laterally through the network. To elevate privileges, we impersonated the HR employee [who] we compromised and forwarded our infected resume to an IT security manager. The manager, trusting the source of the resume, opened the resume and was infected.

“In short time, RADON running on the IT security manager’s desktop called home. It was running with the privileges of the IT security manager who also happened to have domain administrative privileges. Our team ran procdump on his desktop to dump the memory of the LSASS process. This is important because the LSASS process contains copies of credentials that can be extracted from a dump. The procdump command is ‘safe’ because it is a Microsoft standard program and does not trigger security alerts. However, the process of extracting passwords from the dump often does trigger alerts. To avoid this, we transferred the dump to our test lab where we could safely run mimikatz to extract the credentials.”

You with me still? The good folks at Netragard then used those credentials to access all three of Acme Corp.’s domains and extract their respective password databases. They then exfiltrated those databases back to their lab and successfully cracked 93 percent of all the current and historical passwords for all employees at Acme Corp.

The total elapsed time between initial point of entry and password database exfiltration was 28 minutes. Let me repeat that: 28 minutes. That’s less than half an hour. And at that point, the company had reached what it calls “an irrevocable foothold” in Acme Corp.’s network. “With that accomplished,” its post says, “it was time to go after our main target,” the cardholder-data environment.
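The quoted write-up says procdump against LSASS "does not trigger security alerts". Whether it does depends entirely on what the defender is watching for, so here is an added example of the detection logic a blue team would run over process telemetry to catch exactly that step. This is my own illustration, not Netragard's code or anything from the engagement; it assumes simplified JSON records modelled on Sysmon event 1 (process create) and event 10 (process access) field names, and the allowlist of processes that may legitimately open LSASS is an assumption to be tuned per environment.

```python
"""Flag ProcDump invocations aimed at LSASS and non-allowlisted processes that
open lsass.exe with memory-read access. Added example; not the engagement's code."""
import json
import re

# Constructed sample telemetry (not logs from the engagement), modelled loosely
# on Sysmon event 1 (process create) and event 10 (process access) fields.
SAMPLE_EVENTS = [
    json.dumps({"event_id": 1, "host": "hr-desktop-07", "user": "ACME\\hr.user",
                "image": "C:\\Windows\\System32\\notepad.exe",
                "command_line": "notepad.exe resume.docx"}),
    json.dumps({"event_id": 1, "host": "itsec-desktop-02", "user": "ACME\\it.manager",
                "image": "C:\\Tools\\procdump64.exe",
                "command_line": "procdump64.exe lsass.exe lsass.dmp"}),
    json.dumps({"event_id": 10, "host": "itsec-desktop-02", "user": "ACME\\it.manager",
                "source_image": "C:\\Tools\\procdump64.exe",
                "target_image": "C:\\Windows\\System32\\lsass.exe",
                "granted_access": "0x1FFFFF"}),
    json.dumps({"event_id": 10, "host": "itsec-desktop-02", "user": "NT AUTHORITY\\SYSTEM",
                "source_image": "C:\\Windows\\System32\\svchost.exe",
                "target_image": "C:\\Windows\\System32\\lsass.exe",
                "granted_access": "0x1000"}),
]

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumed allowlist of processes that legitimately open LSASS; tune per environment.
LSASS_ACCESS_ALLOWLIST = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}

PROCDUMP_RE = re.compile(r"procdump(64)?(\.exe)?$", re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Event 1 rule: ProcDump launched with 'lsass' anywhere on its command line."""
    cmd = ev.get("command_line", "")
    if PROCDUMP_RE.search(_basename(ev.get("image", ""))) and "lsass" in cmd.lower():
        return f"{ev['host']}: ProcDump targeting LSASS run by {ev['user']}: {cmd}"
    return None


def check_process_access(ev):
    """Event 10 rule: unexpected process opens lsass.exe with memory-read rights."""
    if _basename(ev.get("target_image", "")) != "lsass.exe":
        return None
    src = _basename(ev.get("source_image", ""))
    access = int(ev.get("granted_access", "0"), 16)
    if src not in LSASS_ACCESS_ALLOWLIST and access & PROCESS_VM_READ:
        return (f"{ev['host']}: {src} opened lsass.exe with memory-read access "
                f"(0x{access:X}) as {ev['user']}")
    return None


def scan_events(raw_lines):
    """Run both rules over JSON log lines and return the list of alert strings."""
    alerts = []
    for line in raw_lines:
        ev = json.loads(line)
        if ev.get("event_id") == 1:
            hit = check_process_create(ev)
        elif ev.get("event_id") == 10:
            hit = check_process_access(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run as-is, the scan raises two alerts for the IT security manager's desktop (the ProcDump launch and the resulting LSASS handle) and stays quiet for the HR user's notepad session and for svchost's routine query of LSASS. The point is that a signed Microsoft tool is not "safe" from the defender's side; what matters is the handle to lsass.exe and the command line, both of which ordinary endpoint telemetry records.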

And this, mind you, was a company whose principals had told Netragard that they were highly confident they could withstand any attempted security breach or inadvertent lapse, and that no vendor (or hacker to their knowledge) had ever breached their corporate domain let alone their CDE.

Thank goodness Netragard was simply trying to protect them by revealing their weakness: a “nice lady” sitting in the HR department. Perhaps, after reading this post, you might want to open some special lines of communication with all the nice folks in your own HR organization.

As Netragard’s post implores:

“… the differences between compliance and security are vast. In the past decade we’ve seen countless businesses suffer damaging compromises at the hands of malicious hackers. These hackers get in because they test with more talent, more tenacity and more aggression than nearly all of the penetration-testing vendors operating today. For this reason, we can’t stress enough how important it is that businesses select the right vendor and test at realistic threat levels.”

And self-promoting though it may be, I couldn’t resist including its sign-off:

“It is impossible to build effective defenses without first understanding how a real threat will align with your unique risks. At Netragard, we protect you from people like us.”