​Black Team war stories: I never forget a face

Black Team war stories: I never forget a face

A ‘Black Team’ assessment is not in itself a new concept within the areas of physical or cyber security, however, its name is. It’s purely an attacking team sitting under the Red Team umbrella of operations.

The objectives may vary, but a Black Team challenges an organisation’s susceptibility to physical-based attacks, whether that be through social engineering, media drops, bypassing of barriers, attacking door controls and so on. The assessment itself may also be complemented by tactics such as surveillance, open source intelligence gathering, and the deployment of bugging devices.

War stories

To give an overview of our Black Team operations, we thought it appropriate to share some sanitised war stories, highlighting the importance of Black Team testing and how a physical breach might affect your environment.

I never forget a face

The target was an organisation that was supposed to be very secure with good physical security controls. The objective was to compromise the environment to gain access to an application in a somewhat segmented part of the network. Little more than that was known. Recon had determined the elevator to the target floor was protected by physical access passes, and security guards at reception kept an eye on the elevator. Security cameras were prominent throughout and to make it even harder, it was known that different security guards answered the office door at the secured target floor.

The challenge with any small office is a new face stands out immediately. A stranger would require a very good cover story. There also was not a high amount of footfall. Given the high level of security of the target it was expected that any lift and entry tailgating would likely fail. Other plans would be required.

The bottom floor reception area was open to the public, efforts were made to compromise the corporate wireless from couches in reception. It helped that free wireless was within range of the couches, so students and other Internet hungry members of public had found it a great place for free surfing. That said, after a while the consultant’s extended time on the couch drew the attention of one of the security guards. The security guard sat down on the small couch right next to the consultant and was clearly trying to view the consultant’s screen. It is always good to know the shortcut key/gesture to swap screens, as the consultant swapped from a suspicious console to a browser full of social media as the security guard sat down. The consultant sat tight for another ten minutes to avoid suspicion.

However, to the surprise of the consultant the security guard fell asleep in that period. It was a very comfortable couch. The consultant wanted a photo for the report. At the risk of the security guard pretending to be asleep in order to view the consultants screen, the consultant used his phone to inconspicuously take a photo.
Several days before, after some OSINT and active recon, a fake spam message received an out-of-office response from the Head of IT. The out-of-office was descriptive enough to provide the period he was away on leave.

With multiple scenarios being prepared in parallel, the consultants had also prepared a box of USB sticks with the company’s logo on them ahead of time.

With the failure to hack the wireless network, the time had come to attempt to deliver a box of USB sticks to the Head of IT. It was the perfect time while he was still away, as he would hopefully return to a box of USB sticks on his desk and be less likely to question where they had come from.

Thanks to thorough OSINT the antivirus in use was known, and custom malware was created to specifically evade detection. Malware was painstakingly copied to each USB stick and returned to the plastic sleeve as new.

The cover story was developed with the creation of fake courier delivery forms, clipboard, fake company collateral, and the company phone number of the form was even manned by a colleague during the operation. A Crumpler bag was filled with different fake parcels, the target’s parcel being wrapped in brown paper with a single note, promo pack please distribute.

As the consultant approached the building yet again, this time dressed with some lycra and other bicycle courier attire, a quick visual was conducted from outside the building to check the previous security guard that fell asleep wasn’t around. Satisfied the guard wasn’t on duty, the “courier” approached the reception desk.

At the reception desk the security guard that had been asleep on the couch days earlier was leaning far back in his chair, below the height of the reception counter. The consultant was concerned that his face may be remembered but had no choice to proceed as planned.

The consultant announced he had a delivery for the secure floor, but the security guard challenged with the procedure that no deliveries could be made unless they were registered. The consultant explained that it was his first day as a bike courier and pleaded for the security guard to just sign for it and take it up. After a bit of back and forth the security guard seemed annoyed and stood up and told the consultant to follow him to the security room. As they crossed the reception floor to the lift, the security guard changed his mind and said something along the lines of, “Don’t worry, I’ll take you up this time. But next time you have to make sure your delivery is registered!”

Up they went in the lift, and at the secure floor the buzzer resulted in a different type of security guard answering the door. When asked by the “courier” to sign the delivery form, he went off to find the Head of IT. He returned to explain he was away on leave and he signed for it himself and took it away to drop on the Head of IT’s desk.

It is always exciting when OSINT, recon, preparation and opportunity all come together, and a plan that has been in the works for so long works out exactly as planned. As a result, the consultant’s “thank you” to the security guard as they rode down in the elevator must have come across as the sincerest and most heartfelt he had received in a while. As he responded with a very gracious, “no problem, I knew it was your first day on the job, I never forget a face”. The consultant had to bite their tongue to stop from laughing. Only days before they were side by side on the couch together! Clearly, the security guard’s memory wasn’t as good as he thought.

Several days later the Head of IT returned from leave, and distributed the branded loaded USB sticks to his IT Admin staff. Which happened to be the only members of staff without USB port restrictions. Reverse shells rained from the sky and of course the project’s goal was achieved shortly thereafter.