Nixu Files: How to penetrate a company – tales from a red team operation

Anne Oikarinen

Senior Security Consultant and Content Creator

March 18, 2020 at 09:00


A nightmare to remember

Jani grabbed a free desk from the office, quickly glanced at his emails, and continued writing a report. After a good 45 minutes, he stretched his back and went to fetch some water and chatted with others. A regular day at the office? Except that this wasn’t Jani's office. He had infiltrated a company.

Meanwhile, Tommi entered the building. He nodded to the guard, swiped his access card, and went past the gates. After asking for directions a few times, Tommi arrived at one of the corners where the printers were kept. He grabbed the large container labeled “to be shredded” and pulled it back to the entrance. He waved the guard goodbye, went to the parking lot, and loaded the container into the trunk of his car. Tommi had just stolen a bunch of confidential documents.

An hour later, Markku was distracted from his work when his computer beeped. A piece of malware he had sent yesterday to a few selected targets had just opened a reverse shell on one of the workstations. Markku was now inside the company network.

It sounds like a nightmare. Luckily, Jani, Tommi, and Markku all work for Nixu, and this was a red teaming exercise. Otherwise, this company’s security and privacy would be totally busted.

Red teaming is like a fire drill that tests your physical security measures, network perimeter, and application security like you were facing a targeted attack. What’s most important, red teaming tests processes and people – something that an audit or an application assessment does not provide.

Cloned access cards and social engineering

How did Jani and Tommi get in? That turned out to be all too easy. The red team got a copy of the access cards: regular credit-card-sized RFID cards that you can buy online. It turned out that the cards can be cloned in a matter of seconds. It could even happen when someone bumps against you as a crowded bus takes a sharp turn, and the badge is in your pocket.

Do you think that a PIN-protected door would help you? Not unless there’s a shield limiting visibility to the PIN pad or you are blocking line of sight with your free hand. With bold shoulder-surfing and a pair of decent binoculars, Jani and Tommi were able to get hold of PIN codes providing entrance to classified rooms.

Certainly, someone is going to check the ID badge of unfamiliar people, right? The reality is that when you have 300 employees or more, various partners and contractors, and multiple sites, you’re not going to remember everybody’s face. People come and go, change jobs, and you are busy running late to the next meeting anyway – no time to confront people. That person you had never seen before is probably just a new hire anyway, right? This is where it goes wrong in many companies. Probably yours, too.

In this case, checking the badge may not have helped. Tommi had browsed articles and interviews about the target company until he found a picture of one of the employees wearing the company badge. With the help of a photo editor and company logos and fonts grabbed from their website, Tommi crafted very convincing ID badges for everybody. Nobody questioned a thing.

Rummaging around the network

Catch of the day? Usernames and passwords, an internal server without authentication with loads of interesting files, system design documents in an internal wiki. Getting access to the office network provides valuable information to corporate spies and curious gossipers.

Nixu’s red team didn’t settle for cozy office access only. Supplied with warm clothes and a powerful antenna, Antti and Markku circled the fence protecting the premises. They found a perfect spot: not too far from the building and sheltered by trees to cut the line of sight from the office windows. They set up a rogue access point, directed the antenna towards the building, and started waiting. They didn’t have to wait long though – pretty soon, a few laptops had switched to using the fake wireless network. With the help of a few phishing tricks, Antti and Markku were able to collect the credentials of those unlucky victims.

Threat modeling extends red teaming scenarios

During the exercise, only a few people in the company knew what was going on. To make the most out of the red teaming exercise and inform the rest of the IT and security staff, Nixu conducted a full-day threat workshop about the findings.

In addition to briefing what happened, the workshop covered other possible scenarios that could have resulted in similar findings. In the brainstorming sessions, the participants thought about who would be motivated to attack and how far the attacks could have gone. We had valuable discussions on why the attack vectors worked and what the company could do better, either with technology or process-wise, in the future.

Are you an easy target? If you want to test your defenses and monitoring capabilities, ask us about our red teaming services. Be it an office building, data center, or manufacturing site, we’ll customize a red team exercise that fits your needs.

Nixu Files is a series of modern-day detective tales where we dive deep into some of our most thrilling client cases. The stories read like a nail-biting mystery novel, but we swear they’re far from fiction. Welcome to the world of cyber noir.