Welcome to what we think will be episode one of many of How I Got Hacked. We're gonna talk about security; we're gonna talk about the breaches, which I've talked about kind of one-off before, but I wanted some really smart people, so I got Xavier and Moe here. Hello. And they know a lot more about InfoSec than me. I really just run IT, DevOps, slash defense. They run a little bit more offense: Moe on the social engineering side, Xavier on the straight-up pwn stuff. I've met sec. All things sec. Binary sec. Love sec. Yeah. So they're gonna help us along this journey, and our plan is to get some stories together and really dive into... because all of us have worked in here, either through social engineering, how things were compromised, through bad engineering, how many things get compromised, or just sometimes through the weird series of happenstance it gets there. So our goal is to kind of do some deep dives, some behind the scenes, share some stories, because the big stories are always out there, Equifax and the Target hack or any of those, but we want to talk about some of the smaller companies that got hit. Some of these are really clever. We're still gonna mention some of the big ones because, he's sitting right there, Citrix got hacked. Oh, this show was supposed to start 15 minutes ago. We opened the news. Whoa, Citrix. Let's go read about that. Hackers get to reading Hacker News. We get carried away.
Yeah, so those are our goals: to kind of talk about some of those stories and things like that. So, as they say, we all have kind of a background in it. Go ahead and start with Xavier here, some of your background in tech.

So, yeah, to formally introduce myself: my name is Xavier Johnson, Xavier D. Johnson to be specific; there's a lot of Xavier Johnsons, don't Google Image me. Yeah, my background: I have a techno lust. I've been doing technology since I can't remember. Some of my earliest memories were black screens with green letters on CRTs, so I am a kid of the 90s. I started my own company called Infinite Development Solutions when I was a senior in high school, so that company is seven years old now. I've done infotainment and worked with General Motors, I've done a lot of cloud stuff over at General Electric, and now I'm doing a lot of security stuff over at Dynatrace. And so security's a passion of mine; I've been pwning and owning for the last four years. So yeah, legally, legally of course, for big companies. Allegedly pwning and owning, yeah.

What about you, Moe? Well, my name is Maurice Nash and my background is social engineering. I am self-taught. I have had a techno lust since the age of 13, and I just basically consult with my hacker friends on new techniques. I don't have an extensive background like these two, but, you know, I'm learning.

You can speak of allegedly, but he scares me more, cuz, you know, like I said, he just talked me out of something. And I tell you, social engineering: never, ever underestimate it. It's still one of the most effective ways. You know, social engineering is phishing attacks, it's that whole confidence conversation. You know, you never know what you let go in a conversation. I've talked about this when I've done talks, like protecting yourself: it's never letting your guard down. Next you know, they ask you about your birthday, that's on Facebook; they ask you about, you know, what you use as a security question, your dog, things like
that. A lot of the hacks are not as clever as you think. Someone looked up someone's Facebook and, next you know, they've pwned their emails, they've got into their social media accounts, because you left enough information out there. That's social engineering. It's non-technical but an equally important part of the hacking. So, like I said, he kind of scares me the most. I can lock down... people, you can never lock down people. Red team always wins. Any red team will tell you: red team always wins; you just got to figure out what it really is.

So, that being said, before we actually... let's talk a little bit about the Citrix hack, because this is what got us off topic, but we said before we start riffing more on it, let's just hit record on the camera. Yeah. So a little background on Citrix, if you didn't know: they developed some really interesting protocols you may have heard of, like remote desktop. So Citrix is well known for that. A lot of companies use remote desktop. If I'm not mistaken, there's a license agreement; Microsoft licenses all the back end for remote desktop from Citrix. So them exposing what sounds like may have been some of the source code for that is gonna offer some really interesting insight. It's fun, to say the least.

So the name of the group that did it: there's an Iranian group here called Iridium, and they have what they call TTPs, right, these technical procedures that they go through to be able to own these companies. And what's special about this particular group is they have some unique ways of getting around two-factor authentication to access VPN and other apps through a single sign-on. So think about, in corporate environments, when you get the, you know, username, which is your email address, and that password, and it allows you to go to your Slack and your OneDrive and all of those other things; usually you have to put in some kind of multi-factor authentication, two-factor authentication is bare minimum. They have
ways to get around that. So now, I don't know, I think basically it's just no holds barred now. You kind of got to watch your back once you have an advanced persistent threat out there that can do that kind of thing. And this is some of our plans, to really dig down into these, because obviously if they have a zero-day that they have purchased, because it sounds like a government-backed entity, Iran, it's fuzzy on some of those details. But these are some of those things that we want to kind of get in behind the scenes a little bit more, to kind of explain the details, because the newest article right now is big and that's cool, but I like the story behind the news. We're gonna dive into, in some of the future episodes, like the actual tools and debriefs that we use.

And so from what it looks like, from the initial information that's coming out, they're saying that weak passwords are involved. They're using what they're calling password spraying, right, so what I would call a brute force. And since they have these techniques and procedures to be able to bypass multi-factor authentication and two-factor authentication, when they do land on a weak password, because now people feel like passwords can be weak because they have MFA, they can make it any password, so now when they land on a password, they're expecting to get that text message with that code, but they never get it, and now the bad guys are in.

Yeah, and this is one of the reasons even, like, PayPal drives me nuts to this day, because their two-factor authentication is still SMS. I know. And hijacking a cell phone, targeted attack, but it's a simple attack. Starts with social engineering. All you have to do is figure out my cell phone number, and honestly I'm not challenging you, I want to do... but I'm gonna say, I realize I'm not gonna publish my cell phone number, but don't bother publishing it, but I know you could. I know, some other, you know, it only takes a minute. We know. Yes, we respect it. Yeah, respect. But there's so, there's
we want to talk a little about some of those stories. The other thing we're gonna do is do some of the dive into what's referred to as lateral movement. So they got in, they got an edge; how did they move laterally through their networks? And this is one of those assumptions that I always make, from even my own network standpoint: I always assume my attacks are gonna come from within. So when I do my own auditing of networks, or client networks we audit, I don't audit from the firewall. I audit the firewall, but I actually put a device inside and start scanning. I assume they've somehow breached the firewall, and that's what a lot of these companies don't do. They just assume the firewall will protect everything and they don't segment their network properly, so when something inside the network is attacked... So we're gonna be doing some dives into the tooling used and our methodologies for some of that, right.

And if you want to hear more about that train of thought, you should look into assumed breach testing. That's probably a good way to get your mind around how one would be able to operate as if they have already been penetrated or their firewall has already been compromised. Yeah, it's almost an assumption you have to make, because you never know when someone plugs in. As much as you may lock things down and segment things, you still want to run those scenarios before someone else is running those maneuvers. Exactly.

Yeah, so unfortunately this is breaking news; we just couldn't resist talking about Citrix because it's such a big name. Talking about that, I'm gonna start with sharing a little bit of a story of a client, and I did double check that this is fine for me to talk about. Story time. And so we changed the name to protect the innocent. The goal of this is never to name these companies, but more to provide an education on what occurred with the companies. And so we've done some breach cleanups, and, you know, it's always great when you have red team testing, but
unfortunately with small businesses their security gets tested in real time. Yep. And sometimes it loses. Most times it loses. Yeah, most times it loses. As well, small businesses are in a really bad position here in 2019 because they make so many assumptions that they're too small for anyone to care. And this company only has maybe 40 employees; they're not that big. Big enough, but not that big. And it's a very sad state of affairs, because the point of intrusion was the email, and the email and password was their address plus the street. Yeah. I don't know how they guessed it. I mean, they took the company and... you'd be shocked. I actually went to look up Johnny Christmas sometime; he does some of the talks. You ever met him? Yeah, yeah, he's funny. And he's someone who's talked about this publicly, about passwords, and when I was at one of his keynotes, one of the things he commented on was it's so often they just guess the passwords, but the passwords that work: the street addresses are one of them, the company name plus the street address. So if any of you have that as your password, please stop watching this, please go change it right now. And the last one, that is not how you guess a CEO's password but how you guess all the underlings'. Johnny Christmas, let's say he learned this only in the last year: that if you drop an F-bomb in front of the company name, that is frequently employees' passwords, because a lot of people hate their jobs. Very true. And he never thought about... they go, so he loves this job, so turns out you guys hate it. So "I hate this place" turns out to be a password that staff uses.

But once again, no two-factor was on there. Now the hacker got in, and it took them a few months of watching, because they were being very, very careful. And this is what happens a lot: they don't just come in and ransack the place. They come in and they sit quietly, and the quiet scene... this particular company was manufacturing, so they're trying to figure out, how do we get money out of
this manufacturing company? They're B2B, so I'm not gonna steal some credit cards or anything like that; they're physical manufacturing, it sells to other large businesses the products they make. So they lay in wait, and there was a corporate junket, as I like to call it. The CEO of the company was gonna fly down to this event out of state, and frequently when he flies out to these events they have, you know, materials procurement, things like that. And so they crafted an email on behalf of the CEO, who they had access to his email, and sent it to the chief financial officer: hey, at this such-and-such place, well-worded email, and seems completely relevant: I met this new company that has a great deal on said materials, go ahead and send it, here's an authorization for $25,000, here's the bank routing, here's the standard process, everything's good. By the way, all they do is go through the sent email; they have the forms that he used normally for these types of requests. This was not uncommon. But that's that social engineering aspect: they have a tool for perfect social engineering, everything in there. Then once they did all this, the process was followed internally exactly as expected. They sent the money, they wired the money to it, whole thing seemed fine, done, no one thinks anything of it until the CEO comes back from vacation and he's like, what are you guys talking about? Because they're all asking him, we never got that material. Shit. We can talk about... and now it's also been a couple weeks, by the way, because, you know, if you're going out on these junkets it's always a nice place, so you go ahead, and it's a business expense, so you enjoy yourself for the extra week and things like that. This is not uncommon. So that person had access to their email even after; matter of fact, when questions went back and forth they would answer them and then delete all the sent messages, only the ones they sent. Wow. And the good news is they had G Suite, so we were able... G Suite actually is great.
Logging turned on by the way. Microsoft doesn't; the default out-of-the-box setting for Office 365 is not to have compliance logging. Mm-hmm. That is the default; you have to turn that on in Office. Google defaults to having it. Why, Microsoft? Why, Microsoft? Why are you defaulting to no? Yeah, I don't know if that's changed recently, but to my knowledge it hasn't. We've dealt with that a couple times when we've had clients on Office. You said also, if they happen upon the main account, they will turn that off immediately and purge all logs. They didn't do that, though. Even on the G Suite, they did not purge any logs, thank you, because that made it easy to figure out which emails were sent when and blah blah blah, because they did not have access to, like, the financial controller's email. So we've seen the emails; we'd never seen them in the sent, because they were being deleted. Oh boy. So we helped lock it all down, secure it. They went ahead; I told them this is a contact-the-authorities thing. We can lock down your email; we realized it's how they got in. We walked them through it. When she told us his email password, like, I glazed over, and so I know how they got it. Yeah, done, done. And so the debrief of this also, the reason I think the authorities got involved, cuz they called the bank. The bank that you wired the money... you fell off race... important. They had no cybersecurity insurance. The bank's like, also you told us to send the money. What that means: the money was gone. The bank account they sent it to emptied, because the company didn't really exist, but they did set up a shell company for this, so some legal manipulating was done, so they had something kind of to go on, but the money had passed around. We really don't know if the money was ever recovered by the FBI or not, but I'd say no. Let's be honest, it's not very hard to open a bank account, especially in today's society; you just need an identity and a keyboard. Yes. What did happen though was the bank did not give them a refund, so it got
lost on 25,000, all just because of the simple email password. Now they had the FBI; they had to worry about a lot of other things. They had to worry about what was in those emails, what else may have been sold, say, a lot of other concerns. The good news is the hackers didn't seem to care, that we could tell; there was nothing forwarded that we noticed, because the nice thing about the way G Suite is, as well, on the back end I can see the emails as a log transaction even though they deleted everything they sent. So I could see sent; they weren't sending anything to external email addresses, which was good. There you go. So at least they didn't do that; they got away with it. These are the types of things that happen a lot. I know it's not like the most technical story, but it goes to that social engineering.

Second one I'll share real quick. This is a, yeah, this is a company that has a payroll... hold on, let's take a break. What you are watching you should not attempt; let's just throw that out there. There's our disclaimer. All right. Like, we are not endorsing that you do any of this, because it does sound very juicy. These are zero-days, but these are things maybe you, if you're working with the permission of your client... we've done things like this, we've done some security auditing with our clients. You go through and you see this, and this is something a red team might do as well. You have come in and a social engineer their way, they stop at the front counter, it's just a random person walking into a business, this is what he does, and ask a few questions to see if they can find out a few little details, and then you start guessing people's... and one of the things you can do is either go on LinkedIn or just grab a business card off their desk, if you're actually going to the physical layer like that. But once you know someone's email scheme, you have their email scheme, you can start the guessing process. You shouldn't start that unless you're authorized to do so or you have some type of red team. But these are some
of those things that really should be tested. Your company should always have 2FA turned on, and not be SMS. Yep. Yeah, this is happening constantly. This is one little story from one little IT guy here in Detroit telling you that we've dealt with this.

Now, the next one, a little bit deeper on the social engineering side, but the same problem: email and password was compromised. Password: stupid password. It's also the same one he used for his sports account; he was doing the fantasy sports on Yahoo, and if we remember, Yahoo lost about how many passwords? Wasn't it all of them? All of them, really. They must... assumption be either because the password was stupid; it was his favorite sports team. I'm not sure why he was a Tigers fan either, but whatever. Yeah, it was Tigers84, last time they won the series. Yeah, rock, yeah, yeah, yeah. So they get into this email. Same thing: lie in wait, lie in wait. There's a well-crafted email that was... rather, the cover is they knew that the guy wouldn't be in the office then. This time, to compromise the chief financial officer... and I think the payroll was roughly 20,000 every week that they had to wire. What they had to do is they had a process for the wire transfer where they would just email the payroll company and the bank, and send the email to them, and send it out. Well, this became the opportunity: CFO's out, and so he sends the person an email, they sent the wire transfer immediately. Soon as that email got sent, hook, they sent another one on behalf, as if they were the CFO of the company. That second email was: wait a minute, I just sent the standard form; I meant we're changing payroll companies this week. Wow. And don't bother calling the office, I'm out sick; if you need to verify anything, just call so-and-so, you know. This is that social engineering aspect. Yes, he had kids, yes, he was at home with those sick kids, so he says, you know, Bobby's sick. And out of the emails, really nice, he realized that he had a regular interaction
back and forth with the banker; he knew her personally, so he made the email personal, the hacker did, not the CFO. This is that whole reading through the emails, understanding sentence structure, understanding the way they would have talked to him, and then following through. So it seems, well, you changed payroll companies? Yeah, you know, we've been thinking about it, which was actually a legit email; they had considered changing payroll companies to another one. So the banker's completely like, oh yeah, you mentioned that, you know, this is... everything checks out. The good news: this has a happier ending. The banker was not allowed; the bank has security protocols to save their body. Yeah, the bank has to call, has to, and they called, because it was a change in their standard, going to a different bank. So this has a little happier... yeah. But they told the company, and they told... panic attack. And it turns out they had a lot more than a... when we started doing it, we just... so we need to start rip, wipe and replace. Man, oh, this is a rip and reload. Whoa. They had pwned a lot of stuff, because that same password, Tigers84, that was his team, was your password, so everyone accessed things. So we're not sure what all they installed, but they had a lot of stuff. The thing is, there wasn't a lot to take, because the company, by the nature of their business, did not have a lot of credit cards, thankfully, or they would have set up a credit card scammer or something like that. But these are those kinds of hacks that happen. So we did deep... to get everything out we just started reloading all their equipment; it was easier. We knew what they had access to, we knew what he had loaded TeamViewer on, so we were able to pull through there. So at least this one is a happier thing: they didn't lose any money. Whoo. But they care about security now, so there's a double happy landing: they actually care. See, the other company cared, but it cost them a call to the FBI, a bunch of money, a bunch of our time. This one really cost a bunch of our time, no
FBI. The FBI is never excited. I know it's their job, but they're never excited to come out and deal with this sort of thing. You know, they're not excited to come out and deal with it. Also, now you have the FBI at your office and that's a big distraction, yeah, because the rest of the staff wants to know why the FBI is there. Your staff gets nervous when I see that happen. Yeah, but these guys in suits that look serious. Oh yeah, that's interesting. No smiles on their faces.

There's a couple that I brought to share; like I said, they're more the social engineering side. We plan to do a few deep dives where we're gonna get more technical. This is the first episode and we want some feedback from our audience to figure out what you want to know about. You know, a couple of inspirations for the show: Darknet Diaries. We'll list all the hacker blogs that we read, but, you know, everything from Dark Reading to... there's so much security news; that's why we feel there needs to be more of it, because we need to raise more awareness. And we want to really dive into a lot of the methodologies, because that's what people... you need to know how you're being attacked. When I go to conferences, the ones I'm excited to go to aren't other IT conferences; it's hanging out with people like him, because I want to know how they're getting in so I can protect my clients better. We're hoping to educate more of you. So if you're in the position of a sysadmin, you're in a position to be in a defensive position because of your title at the company, and you can wave the flag and get them talked into it, which, how hard is that sometimes? So that's an entire episode's worth of difficulty. I can start to go into that, but I'll put it to you like this: without data, and some things are very hard to acquire data on, but without data you can never even start the conversation around increasing controls or increasing security, because you've got to understand what security ends up truly being is a warm security blanket. All right, as a
red teamer, I know, no matter... I'm really a purple teamer. As a purple teamer, I know the red team in me will not... even... there are factors beyond what I can implement at the blue team level that will always compromise and allow red teamers to win. And so that's the reason why I'm purple team, because for all those losses I get on a blue team, I would love to get some wins as a red teamer. So, you know, like I said, that's kind of the whole purpose of us putting this together. This is episode one, so no, we didn't dive as deep as we'd like to in all this, but it's kind of to whet the palate and get some ideas together. He's got actually a lot more context than I do, so we're going to have some guests who have done some of the... we want to get some red team people on here that have done some stuff people are excited about. Yes, we have a few of them that want to come on as guests on the show, and we want to share these stories with you and things like that. You can tell I'm smiling because I get excited about it. It's the cleverness; the hacking side is exhilarating, and being able to do it legally is very exhilarating. Yes, yes. Illegally, and stuff that we're not going to talk about, it's overly exhilarating, but it's a lot of fun. And we all know each other too, because we host a local meet-up, so if you happen to be watching this and you're in the tri-county area: dc313.org. Come on by, please. We are every other Wednesday. If you are watching this, let's say on a Monday, it is the Wednesday of this week. Come on by and have some drinks and have some beer and hack some machines. We love to do hackthebox.eu, free plug, clink. Yep, hackthebox.eu. That's going to be on March 13th, so if it's past March 13, 2019, it's long past, but don't worry, we're trying... look us up, dc313.org, come visit us, message us, send us some air. We're on Meetup, Meetup, we're on Meetup. We'll leave all the contacts, everything, and of course you can always reach me through lordsystems.com. I'll leave ways
you can reach these two gentlemen as well. And thank you; let us know what you think. Thank you very much for your time and we will see you again. Yes, thank you. And you can continue the discussion at my forums, forums.lornsystems.com, and things like that, as usual, all my usual things. Thanks, thanks, later. Simple.