Black Team War Stories Part 2: Twelve in one

The Target

The target was a multinational firm turning over billions of profit each year in the UK alone. They are responsible for collecting and storing substantial amounts of private data which would have been as damaging as it was valuable, should an attacker gain access to it.

As a general rule, the NCC Group Black Team do not set a specific number of days for a Black Team assessment. Instead the site is assessed from the OSINT and during the engagement to ensure the right amount of resources are dynamically allocated to a job as it is performed. Yes this usually results in longer engagements when compared with competitors who often recommend just 3-4 resource days for every type of business. This, however, is the difference between “kicking the tyres” assessments and a professional Black Team. This job is a perfect example of why.

Objectives

The client’s requirements were considerable for the amount of time they had requested. The ground team had a general time frame suited for one site yet the objectives set by the client were both specific and extensive:

• Breach as many/all of the UK sites owned by the client
• Locate and access sensitive physical data - list of over 10 specific items
• Achieve a command and control channel into the network
• Locate and access sensitive digital data - list of over 10 specific items
• Conduct spear phishing to support any of the above.

With a main office and tens of branches all over the UK this seemed impractical to say the least. However, the job was part of a global Full Spectrum Attack Simulation with NCC America and Europe all involved. With such a large job being carried out, the Black Team was eager to provide the client with the best possible value for their time. In addition, it was an excellent opportunity for some friendly inter-company rivalry between NCC Group’s UK Black Team and the rest of the business. For now though, the head office was chosen for the UK team as this was the most critical site.

Recon

The company had good OSINT awareness. There were limited photos of passes and office imagery was at a minimum. Maps provided the standard view of the entrances and exits but otherwise OSINT was more valuable to the cyber team for phishing/senior staff spear phishing. Or so we thought… but we’ll get to that later.

The onsite recon was exceptionally useful and bears testament as to why the extra days NCC requires for Black Team engagements raises the quality of assessments. Shorter engagements offer very little time to observe the target and the minimal amount of time available is spent waiting for chance opportunities rather than assessing the security posture of the target.
The first half day was spent observing from a distance. It was immediately evident that the building was shared with other businesses which were not in scope. This came with its pros and cons:
Cons. Following staff members to acquire pass imagery could be pointless. Until the image of the pass is captured it is not clear whether they even work for the target.
Pros? Staff from mixed businesses will unlikely be suspicious of unknown personnel when inside the main building.

As for the passes, unfortunately almost all staff had their passes turned the wrong way round in the pass holder to prevent attackers doing exactly what we were attempting to do. This raised the question of whether or not they were turning them the correct way round when they went back in. Well of course they weren’t, which meant we didn’t need to bother forging our own copies. Easiest pass I’ve ever made.

Main Site Breach

So, with blank pieces of plastic proudly on display the consultants tailgate into the main lobby and the car park. The car park is initially a bust. There are RFID controls leading from the car park (which is underground) to the main building, so without a second tailgate there is no way into the main building. It made far more sense to tailgate the main entrance where the traffic of personnel was much higher.

Upon breaching the main lobby, the two receptionists and security guard paid very little attention to the Black Team. This is partly because the consultants acted like they belonged, and partly because they chose a very busy time of day for the first breach.

Immediately the elevator is identified and avoided (sealing yourself in a metal box immediately after breaching isn’t actually a fantastic idea). Instead, the stairs are located. Unfortunately no floor plans were available when performing the OSINT, so a bit of wandering around and searching was required on this job. The stairs were quickly found and explored. You might ask how much is there to explore in a set of stairs. Well, firstly, the stairs were found to be regularly used, meaning they weren’t a safe zone. Secondly, on the wall of the basement stairs leading to the car park was a board detailing what businesses were on which floor – all valuable information for our next breach attempt.

The Black Team attempt to get a look at the target’s floor to see what access controls are in place and if there are any refuge areas in sight. This is done by looking through the window on the secure door which was extremely overt and could only be done one or two times. If staff notice a head peering through the glass door it will likely burn the consultant from the engagement. Fortunately, push button exit is immediately identified, so if the consultants need a quick escape they won’t find themselves trapped. Unfortunately, the office is small and no safe zones were identified. Because of this both consultants agreed that going in during working hours will likely result in detection. The best option? Night engagement.

Plan Plan Plan … Fluke it

So the engagement moves to after hours. This means no tailgating the entrances to the main building, so we needed a way in to the building and then into the office after hours. Whilst exploring during the first breach it was noted that every secure door was push button exit and magnetic locking. Knowing this, the plan was to go in the following day with a plastic bottle primed with three layers of duct tape stacked on top of each other. This could then be quickly removed from the bottle and placed over the magnetic lock at the top of any secure door. The result is the door still feels like it’s secured to the touch, but, give it a good shove and it will pop right open. Persistence to the building, check. – Credit to Monstro.

The next issue is the target office. Previously, the team leader for this job had created a couple of “under the door” tools for unlocking doors with handles. As these have been such a success in the past the plan was to create a similar tool for push button exits. By using the same rigid steel wire and attaching a borescope to the side of it, one consultant could manoeuvre the device whilst the other observed the camera giving directions to his colleague. If this sounds awkward, that’s because it is, terribly… but at night there’s much more time to spend getting things like this to work.
So the entrance from the car park to the main building had been compromised earlier in the day when tailgating was possible. Around the end of the business day the consultants tailgated the Black Team van into the car park (a first for the consultants). Everything is now set for the office breach, which leads us to the less glamourous side of Black Teaming: Two 6ft+ consultants confined for five hours in a small van. This was grim but the consultants have to be absolutely sure that no one is in the office. Being caught attempting to unlock a secure door from the other side with a makeshift tool is not a situation the Black Team wants to find themselves in.

At around 22:00 the consultants head, wearily, to the target floor to scope out whether it is empty. And this is Black Teaming for you. As a consultant walked to the door of the office a cleaner approached from the other side. Spotted, and too late to turn back, the consultant used the hand sanitiser on the wall next to the door to buy the extra couple of seconds so the cleaner opened the door first. All the planning and waiting; materials purchased and knees destroyed for a plan that was no longer required. Black Teaming. But this can go either way. Complex plans turn to simplicity, sure things to nightmare breaches.

The consultant waited a minute for the cleaner to leave and then let the second consultant in. The office has around four cleaners inside and the Black Team leader immediately impersonates an inspector. The second consultant catches what is going on and falls into the role. The assessment just went from covert to overt.

It’s often better to be overt and imposing rather than inconspicuous with cleaning staff. Unless you give them a reason, night cleaners just want to do their job and get home. They don’t want to know what senior staff are up to. If you act like you have a good reason to be somewhere people will generally believe you belong. A high-vis always goes down well in these situations.
The consultants engage with the cleaners and confirm that they will be finished in the next half hour. So, after parading around until the cleaners have left, a search for passes is conducted. If working passes are found then persistence is achieved. And, sure enough, visitor passes, staff passes and the CEO’s own pass are acquired. Pedestals; “easy pickings”.

Looting

It’s always exciting getting this kind of unrestricted access to a target but it’s important to have clear objectives and justification for any actions you take. It’s the same as rooting employee laptops and going through their files. Why do you need to do it? Do they have access to something you require? Door codes? Payroll system? Yes? Then great. No? Then leave it alone. Staff still have rights and “because it will be fun and exciting” is not a reason to smash your way through their files. It’s the same when you gain unrestricted physical access. Key loggers were placed on specific hosts such as the reception, what appeared to be the staff pass host and a number of the private offices. These could then be retrieved the following day and the passwords logged used to access the hosts.

Breach ALL the sites!

So the original request from the client was that they wanted all of their sites breached. Obviously this wasn’t possible in ten man days... except one of the rooms discovered on the breach was the mailroom. From the OSINT we had all of their site addresses and enough material to make up a fake employee benefits poster. This is a technique that the Black Team had been playing around with, but never on this scale. Twelve A3 posters were put together and placed in envelopes found in the post room. A “printed off email” was also included in each of the envelopes, instructing that they should be put up in staff break rooms and other communal areas. The sealed envelopes were then left in the “outbox”. When the Black Team returned the following night the postal room was still unlocked and all the envelopes left the previous night were gone. With such success the team made another 6 posters for other sites and they were sent as well.
The following days were unbelievable. Credentials started to roll in from the fake benefits site that had been created. Nearly twenty sites had technically been physically breached in five days without stepping foot in any but the head office. The scale of the success of this shocked even the Black Team.

Now the Domain

With complete access to the head office and login credentials to a number of hosts it was the perfect time to bring the Red Team in. With direct comms between the Red and Black Team, the site was breached at night again. A number of hosts were compromised with a channel back to the Red Team’s C2 server. Of all the jobs performed this was the most impressive. The Red Team got domain admin and persistence in around 5 minutes. This was a huge benefit to the Black Team as the later days of the engagement were riddled with late night security sweeps and staff members working late and there was still the physical objective to achieve.
These last few days raised a number issues around employee awareness and building security. On a very serious note, consultants avoided detection for a number of hours by scaling the outside of the building (which happened to be quite a few floors up), entering and exiting through windows and covertly moving around the office. In this case, the intruders were obviously just security consultants so there was no real risk. However, it clearly demonstrated that employees working late could not do so safely.

Lessons Learnt

This job got a huge amount of coverage. By breaching the sites remotely from the head office mail room the Black Team was able to spend a full 10 resource days on this one site whilst achieving the clients goal of breaching all the sites and in a way they did not expect/consider. This demonstrated that if you go right to the top, the rest of the business will fall. Each time the consultants returned in the evening the office had been left in a different state. On one night the server room that the consultants had not been able to break into was left open. Findings such as these would never have been possible on a two day assessment and the client would not have gained any real assurance from such an assessment. Although the Black Team had passes to get on site, these were only used when absolutely necessary, more of a safety net if a consultant had to make a quick entrance to an office to avoid detection. Each breach of office was facilitated either by doors propped open by cleaning equipment, door stoppers that had been forgotten or it was possible to tailgate. Any of these issues are critical findings and by breaching only once the majority of these would never be found. Reporting only one would leave the client at significant risk even after a full Red Team engagement that did not include the additional physical days.