Social Engineering: Breaching Without A Trace, A Case Study

Social Engineering To Breach Global Company

Overview  

This social engineering case study shares how we breached a global company using some remarkably simple techniques. It shows how easily someone can become a victim of social engineering with only a few pieces of information, a little persuasion and a touch of emotional manipulation.

What Is Social Engineering?

Social Engineering is a tactic used to manipulate and deceive people into disclosing sensitive information or performing actions they would not normally take, through persuasion, influence, and emotional manipulation.

Context 

Netragard was engaged by a large multinational company to assess the security of their internet-connected devices and applications with the primary goal of infiltrating their network and gaining control of critical assets without detection.  

We began our penetration test with passive reconnaissance using third-party services such as Shodan, Censys, and DarkOwl, which regularly scan the internet and darknet. This gave us a clear picture of which technologies the company used (and therefore which known vulnerabilities might apply), how those technologies were configured, and detailed data about employees' work and personal activities on the internet, all without sending a single packet to the client's network.

Identifying a Target  

The research revealed that, despite the company's size, its external infrastructure exposed very few connectable services. Those services were well monitored and properly maintained from a patching and configuration perspective. The chances of an attacker covertly breaching any one of them were low unless the attacks were spread out over an extended period. Because keeping a low profile was a crucial aspect of our objectives, we needed to identify other paths to compromise and avoid areas with a high risk of detection.

Information gathered on employees revealed a wide range of roles and responsibilities. From it we identified a small group of employees whose access would be most useful in facilitating a hypothetical, irrecoverable compromise of the client's infrastructure, and ultimately settled on a single target: one of the client's trusted and respected IT security employees. We will refer to the target as Sam.

Given Sam's job responsibilities and level of experience, targeting him directly was unlikely to succeed; his role would make him less susceptible to social engineering tactics, especially phishing and vishing. Nevertheless, social engineering could still be used indirectly to compromise Sam's access. Rather than deceive Sam, we would deceive the client's Helpdesk while impersonating him.

Information Gathering  

Before we could socially engineer the Helpdesk staff, we needed to learn what processes and procedures were in place, particularly how employees were verified before receiving assistance. We did this by placing exploratory calls to the Helpdesk over a two-week period. This produced actionable intelligence on how to approach the Helpdesk and on which times and days it was most susceptible. We established that the after-hours staff did not always verify callers' identities as the procedure required, especially when the caller was frantic or under pressure.

Launching the Attack  

With this knowledge in hand, we launched our attack on a weekday at 9 pm. We called the Helpdesk, introduced ourselves as Sam (the real employee) and explained our situation in a panicked, urgent voice: we could not access the company network and had a project to finish by the next morning. Asked why we could not access the network, we explained that we had left the office in a rush due to a family emergency and, in the chaos, had lost our cell phone in transit. We stressed that we therefore had no email access, no calendar access and no access to the authenticator app that had been installed on the lost phone. To add urgency, we told the Helpdesk engineer that we would likely lose our job if the project was not completed.

The Helpdesk engineer skipped the verification process, as we had hoped, and went straight to helping "Sam". He was compassionate, told us not to worry and said he would resolve our problem. First he helped us reset Sam's password: he had us browse to a specific site that prompted for a username, password and one-time password (MFA). We had none of these, so the engineer provided a temporary password and a bypass code that took the place of the MFA one-time password. Once authenticated, we reset Sam's password to something complex and secure.

Next, the Helpdesk engineer walked us through setting up a new phone for MFA. He gave us a URL to download and install the authenticator application, along with the information needed to configure it and enroll our phone with their authentication service. At this point we thought we were done and were ready to move on. However, the engineer continued to assist and asked us to open a web browser and authenticate to their remote access system. This was the first we had heard of that system, so we pretended we could not remember the URL. True to form, the engineer provided it. We logged in, thanked him in an excited and happy manner, and ended the support call.

Exploiting the Information Obtained  

When we logged into the remote access solution, we were presented with a choice of computers to connect to. We arbitrarily clicked on the first one, which connected us to Sam's desktop. As soon as we connected, we noticed a web browser with authenticated administrative interfaces for AWS, Azure and M365 already open. We confirmed the access by navigating those interfaces, taking special care to make no changes other than creating Netragard user accounts to prove the access to the customer.

At this stage we thought it necessary to inform our client that we had met the engagement's objective: control of critical assets without detection. Initially they were skeptical, because no alerts had been triggered and no unusual activity had been detected. To confirm the compromise, we directed them to the Netragard accounts we had created. Once they realized the gravity of our access, they expressed their appreciation for our efforts but were perplexed as to how we had achieved it undetected.

We explained that when attackers compromise and operate from legitimate user accounts, particularly administrative accounts, their activities do not usually generate alerts. We also highlighted that, by relying on passive reconnaissance and social engineering, we generated no traffic on their network at all until we reset Sam's password and authenticated to their remote access system.

Key Takeaways  

  • Regular training and testing should be mandatory for all personnel with access to an organization's infrastructure. This should include routine phishing exercises and advanced social engineering simulations at least once a year.
  • Organizations should be aware of the potential for indirect attacks and take measures to protect against them. One example is the attack above, in which Netragard socially engineered the Helpdesk to take over a specific user's access. Another would be reconfiguring a compromised printer to authenticate to an attacker-controlled SMTP server in order to capture its credentials.
  • Establish a policy to always terminate administrative sessions when they are not in use. Had Sam's cloud consoles not been left logged in on his desktop, the remote access session alone would not have yielded administrative control.
  • Establish a process for sending alerts via text or email whenever privileged user accounts are accessed; this is a simple yet effective method for detecting the type of attack described above.
  • Establish a method for verifying callers' identities before they are serviced by the Helpdesk, and apply it after hours as rigorously as during the day.
  • When a user contacts the Helpdesk, the Helpdesk should always send an email notifying them of the case so they can track it. This also makes impersonation harder: the real user receives notice of a case they did not open.
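One way to implement the alerting recommended above, as an added example (this is not Netragard's code or any product's detection rule): a small Python correlator that reads constructed sample log events and reports remote-access logins to privileged accounts, escalating to high severity when a helpdesk-assisted password reset, an MFA bypass code or a new MFA device enrollment preceded the login within a short window, or when the helpdesk contact that started the chain was never verified. The event names, field names, the privileged-account list, the two-hour window, the business hours and the alert policy are all assumptions made for this example; the sample records are constructed to mirror the scenario in this case study, with a verified daytime reset for a second user as the negative case.

```python
"""
Added example: correlate helpdesk-assisted credential recovery with
remote-access logins to privileged accounts. Event names, field names
and sample records are constructed for this example, not a real
product's log schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are treated as
# local business time for the after-hours check (an assumption).
SAMPLE_EVENTS = """
{"ts": "2024-03-12T20:55:10Z", "event": "helpdesk.ticket_opened", "actor": "helpdesk01", "target": "sam", "verified": false}
{"ts": "2024-03-12T21:02:41Z", "event": "password.reset", "actor": "helpdesk01", "target": "sam"}
{"ts": "2024-03-12T21:04:05Z", "event": "mfa.bypass_code_issued", "actor": "helpdesk01", "target": "sam"}
{"ts": "2024-03-12T21:09:30Z", "event": "mfa.device_enrolled", "actor": "sam", "target": "sam", "device": "android-new"}
{"ts": "2024-03-12T21:15:02Z", "event": "remote_access.login", "actor": "sam", "target": "sam", "src_ip": "203.0.113.45"}
{"ts": "2024-03-13T09:05:00Z", "event": "helpdesk.ticket_opened", "actor": "helpdesk02", "target": "alice", "verified": true}
{"ts": "2024-03-13T09:10:00Z", "event": "password.reset", "actor": "helpdesk02", "target": "alice"}
{"ts": "2024-03-13T09:30:00Z", "event": "remote_access.login", "actor": "alice", "target": "alice", "src_ip": "198.51.100.7"}
{"ts": "2024-03-13T14:00:00Z", "event": "remote_access.login", "actor": "sam", "target": "sam", "src_ip": "192.0.2.10"}
"""

PRIVILEGED_ACCOUNTS = {"sam"}             # assumed: accounts holding cloud/admin roles
RECOVERY_EVENTS = {"password.reset", "mfa.bypass_code_issued", "mfa.device_enrolled"}
CORRELATION_WINDOW = timedelta(hours=2)   # assumed look-back from each login
BUSINESS_HOURS = (7, 18)                  # assumed 07:00-18:00 local


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def risk_factors(login, prior, privileged):
    """Collect the conditions that make this login worth reporting."""
    factors = []
    if login["target"] in privileged:
        factors.append("privileged_account")
    if is_after_hours(login["ts"]):
        factors.append("after_hours")
    for kind in sorted({e["event"] for e in prior if e["event"] in RECOVERY_EVENTS}):
        factors.append(kind)
    if any(e["event"] == "helpdesk.ticket_opened" and not e.get("verified", False)
           for e in prior):
        factors.append("unverified_helpdesk_contact")
    return factors


def correlate(events, privileged=PRIVILEGED_ACCOUNTS, window=CORRELATION_WINDOW):
    """Return one alert per remote-access login that meets the (assumed) policy:
    every login to a privileged account is reported; any other login is reported
    only if an MFA bypass code or an unverified helpdesk contact preceded it
    inside the window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["target"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for login in (e for e in evs if e["event"] == "remote_access.login"):
            prior = [e for e in evs
                     if e["event"] != "remote_access.login"
                     and timedelta(0) <= login["ts"] - e["ts"] <= window]
            factors = risk_factors(login, prior, privileged)
            if not ({"privileged_account", "unverified_helpdesk_contact",
                     "mfa.bypass_code_issued"} & set(factors)):
                continue
            # A privileged login with no recovery activity is a routine notification;
            # recovery activity or an unverified contact in the window raises it to high.
            escalate = any(f in RECOVERY_EVENTS or f == "unverified_helpdesk_contact"
                           for f in factors)
            alerts.append({
                "user": user,
                "login_ts": login["ts"].isoformat(),
                "src_ip": login.get("src_ip"),
                "severity": "high" if escalate else "info",
                "factors": factors,
            })
    alerts.sort(key=lambda a: a["login_ts"])
    return alerts


def format_alert(alert):
    """Render the one-line message that would go out by text or email."""
    return (f"[{alert['severity'].upper()}] remote access login for {alert['user']} "
            f"from {alert['src_ip']} at {alert['login_ts']}: {', '.join(alert['factors'])}")


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(format_alert(a))
```

Run against the constructed events, the correlator produces a high-severity alert for Sam's 9:15 pm login (privileged account, after hours, password reset, MFA bypass code, new MFA device and an unverified helpdesk contact all inside the window), a routine informational alert for his daytime login the next day, and nothing for the second user whose daytime reset followed a verified helpdesk contact. In a real deployment the same logic would be fed from the identity provider's audit log and the helpdesk ticketing system, and the privileged-account set would come from the directory rather than a constant.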

About Netragard  

If your business is concerned about the threat of social engineering attacks, reach out to our cybersecurity experts at Netragard. We have the knowledge and experience to help you defend against these types of threats and keep your business safe. Contact Us today to learn more about how we can help. 
