Hello, everyone, and thank you for tuning in to the Red Team Village channel. I'm going to present how to compromise critical bank systems with very old hacker techniques. But first, a disclaimer. This talk represents my opinion and doesn't represent any position of my current or past employer. The information that I'm going to present today is widely and publicly available on the internet. These vulnerabilities have been mitigated by the financial entity. The information related to the clients was never compromised, and the systems were tested only for restricted investigation purposes, to find and mitigate critical vulnerabilities in the systems.

So this is the agenda for today. We are going to quickly review what SWIFT, SPID and SPEI are, the previous attacks on those systems, the critical steps of the attack that I performed, and some mitigations and detections for those critical steps. But before that, a little info about me. Right now, I'm working at one of the world's largest insurance companies. I love to learn new things. In my free time, I go to the mountains and participate in CTFs, with a pretty bad place in the leaderboard. Also, this is my second talk at DEF CON. The first one was called "How to Obtain 100 Facebook Accounts per Day Through Internet Searches". If you want to look at that talk, you can search for the video on the DEF CON channel.

So let's begin. What are SWIFT, SPID and SPEI? Mainly, they are systems used to transfer money between financial institutions, with some differences. SWIFT was born to fulfill a need to establish a universal way to move money from one country to another and to set standards for financial transactions. So the Society for Worldwide Interbank Financial Telecommunication was created. Now, SWIFT also sells software and services to financial institutions, much of it for use on the SWIFT network. Similarly, SWIFT uses Bank Identifier Codes, standardized as ISO 9362 and popularly known as SWIFT codes.
Now, SPID is a domestic payment system for US dollar transfers developed and operated by Banco de México. SPID settles same-day payments in US dollars among accounts held in Mexican banks in Mexican territory. And SPEI is a system to facilitate payments between financial institutions through their accounts and those of their account holders in near real time, 24 hours a day, every day of the year, also in Mexican territory.

Those systems have suffered many security breaches in the past, because the interest in these systems is high. They manage all the transactions between financial entities and the rest of the world. As such, these systems could be an enormous risk, because the goals of the threat actors are very profitable and easy to monetize. If we do a close-up on Mexico, a while ago there was a cybercrime group called Bandidos Revolution Team with headquarters in Mexico. They came to cybercrime through large-scale operations. They were charged with running one of the biggest cybersecurity breaches in Mexican financial history. Allegedly, they compromised the SPEI systems of some banks in Mexico. The official reports say that the Bandidos Revolution Team never compromised the central systems of SPEI, and they only took advantage of the weak environment that runs around those critical systems. The interesting part of this story is that they were not arrested by the Mexican cybersecurity police or any other related cybersecurity authority. It was only after a private financial institution filed a complaint about electronic fraud that the investigation began. Later, a financial authority started digging around the case. When they reviewed the activities of an individual who owned three soccer teams and had the intention of buying yet another team, they decided to step in. The Attorney General's office in Mexico then ordered a search of 11 properties in Guanajuato State, and they found everything from drugs, weapons and cash
all the way to luxury vehicles like Ferrari, McLaren, Lamborghini, etc. Six men and two women were arrested that day. Sounds like the plot of a hacker movie, right? But do you really need to be an elite hacker to compromise those systems? We are going to check the critical steps of my attack, and you can draw your own conclusions.

Now let's rewind a couple of years before that. A client asked me to perform an assessment, and the scope was, as you might have guessed, some of the critical systems in their environment: the SWIFT, SPID and SPEI systems. For the assessment, I needed to emulate an insider threat with access through the network and with the ability to gain local administrative access. Now let me show you the steps that I followed to compromise SWIFT, SPID and SPEI.

Using valid access through the network, previously provided by the client, commonly called white box, I started by scanning to identify some common services stealthily. Techniques like not pinging, specifying ports, and using a complete connection are very effective to perform those scans. With the information previously obtained, I found a very common port, SSH, and I tried to gain access to the systems by performing a brute-force attack with default credentials. I used a common dictionary from Kali and I tested the same username as password. I found a valid default database user. The next step was logging into the system and enumerating the valid users stored in /etc/passwd. Then I created a custom dictionary with the users and tested the users with the same password policy, same password as username. Later, I found another maintenance account with more privileges and an interactive shell. That user was on 80% of the hosts in my scope and it used the same bad password policy. So I was able to log in to a lot of hosts, but I had a problem. I realized that none of the conventional hacking tools were working well.
They not only didn't support Solaris environments but, even worse, the client had an outdated version of Solaris. Also, most of the tools are designed to be used on Windows. There isn't even a native Meterpreter for that version of Solaris, and Cobalt Strike doesn't have any auxiliary modules for that. I spent a lot of time in enumeration, like in some offensive security exam. Long after, I found that the system runs Java. I was so excited that, in a moment of rush and without reviewing my TTPs beforehand, I uploaded a Java Meterpreter. Then obviously, since my Meterpreter is a well-known binary, it was deleted instantly by some endpoint protection. A common problem. I had to figure out a way to create an undetectable Meterpreter quickly, since the time assigned for the execution was running out. All the tools available to do this are designed for Windows, such as Veil, Shellter Pro, etc. I found a very basic solution, like all the techniques reviewed today, but powerful, in an entry from the Null Byte blog called "Use MSFconsole's Generate Command to Obfuscate Payloads and Evade Antivirus Detection". The entry in the Null Byte blog was created only one year before my engagement, so it would be very reliable. Finally, I had an undetectable Meterpreter and a Meterpreter callback.

At this point, I didn't have a root account yet. In my research to find how to obtain root privileges on those systems, I read some previous investigative works that indicated that the NSA hacking group, Equation Group, had compromised a lot of SWIFT systems. I found the leak made by the Shadow Brokers, and it had the documentation and names of compromised SWIFT systems. And of course, exploits. Also, this is a very good tool for a conspiracy theory. I found a tool in the Shadow Brokers dump to elevate privileges on outdated Solaris systems called EXTREMEPARR. And finally, I was rooting the systems.
After that, the client asked me to wrap things up and not touch any database information, clients or systems, because the assessment was running in a production environment. Lastly, this is also a phase of my attack, with 18 critical assets compromised. This slide could be, as it says in the hall. Although the hacking part is exciting, it is important to talk about how to mitigate and detect these simple activities in critical systems such as those. So let's begin.

To mitigate port and vulnerability scans, you need to ensure that unnecessary ports and services are closed, to prevent their use for discovery and potential exploitation. Also, the use of an IPS and proper network segmentation helps to protect critical servers and devices. To detect it, you need to review the system and network events, and with the help of a network intrusion detection system you can identify scanning activity. It is a basic attack, but very difficult to detect, so the data and events should not be viewed in isolation. It is better as part of a chain of behaviors that could lead to other activities, such as lateral movement based on the information obtained. To create a custom detection for this, I recommend creating a monitored honeypot service on a common port that the technology doesn't use, for example 22, 443, 80, etc.

To avoid successful brute-force attacks, you need to use a robust password policy to prevent passwords from being guessed, and the use of multi-factor authentication and solutions using passwordless login, for example SSH keys. For detection, you need to monitor authentication logs for system and application login failures of valid accounts. If authentication failures are high, then there might be a brute-force attempt going on to access the systems using legitimate credentials. Also, monitor failed authentication attempts across various accounts that may result from password spray attempts.
I recommend creating honeypot accounts and monitoring failed attempts on the critical hosts, training users not to use the same password for multiple accounts, and limiting credential overlap across accounts and systems.

Now, for the enumeration, this type of attack cannot be easily mitigated with preventive controls, since it is based on the abuse of system features. You can monitor processes and command-line arguments for actions that could be taken to gather system and network information. I suggest monitoring access to the /etc/passwd and /etc/shadow files and logging failed access attempts.

If detecting the obfuscation itself is not possible, it might be possible to detect the malicious activity that caused the obfuscated file, for example the method that was used to write, read or modify the file on the system. Deobfuscation tools can be used to detect these indicators in payloads. Obfuscation used in payloads for initial access can be detected at the network level. Use network intrusion detection systems to identify compressed and encrypted attachments and scripts. This is a difficult one, but you can use next-generation endpoint security tools and monitor the possible follow-on actions.

So to summarize, these are the general recommendations. The main problems with those security gaps were using legacy systems, default and reused users and passwords with a bad password policy, and no monitoring of privileged accounts. And the general recommendations to avoid those security gaps: use a patch policy and its enforcement on critical assets, isolate the legacy systems, use a password and user policy that includes no default usernames, with password rotation, and does not allow users to reuse passwords. Also, enforce activity monitoring on critical assets. With all this info, do you really need to be an elite hacker to compromise those systems? From my perspective, you don't need to be an elite movie hacker.
Some critical systems have very basic vulnerabilities with a very bad security agenda. Financial entities need to enforce their security controls, because the risk is real, as I showed you in the previous slides. Well, thank you very much if you reached this point in my talk. If you want to share some gags with me, this is my Twitter. Also, I want to give a shout-out to all the 19 Floor Team. The Q&A will be on the Red Team Village Discord. Thank you for watching.
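As an added example that is not part of the talk, the following Python script implements the detections recommended in the mitigation section for the SSH brute-force step: a high count of failures against one valid account from one source (brute force), failures spread across many accounts from one source (password spray), a success that follows a brute-force run (a guessed same-as-username password), and any touch of a decoy account (honeypot account). It runs over constructed OpenSSH-style auth log lines; the host name, addresses, account names (including the decoy account `canary_ops`) and the thresholds are invented assumptions, not data from the engagement.

```python
"""Flag SSH brute force, password spray and honeypot-account probes in
OpenSSH auth log lines. Example code for the talk's detection section;
sample data below is constructed, not captured from any real system."""
import re
from collections import defaultdict

# OpenSSH password/publickey result line (syslog format). "invalid user"
# is present when the account does not exist on the host.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: one source guesses 'oracle' until it succeeds,
# then sprays one password across several accounts, including the decoy.
SAMPLE_LOG = """\
Jun 14 03:12:01 sol10 sshd[2231]: Failed password for oracle from 10.0.5.21 port 51012 ssh2
Jun 14 03:12:02 sol10 sshd[2231]: Failed password for oracle from 10.0.5.21 port 51013 ssh2
Jun 14 03:12:03 sol10 sshd[2231]: Failed password for oracle from 10.0.5.21 port 51014 ssh2
Jun 14 03:12:04 sol10 sshd[2231]: Failed password for oracle from 10.0.5.21 port 51015 ssh2
Jun 14 03:12:05 sol10 sshd[2231]: Failed password for oracle from 10.0.5.21 port 51016 ssh2
Jun 14 03:12:06 sol10 sshd[2231]: Accepted password for oracle from 10.0.5.21 port 51017 ssh2
Jun 14 03:20:11 sol10 sshd[2290]: Failed password for appadm from 10.0.5.21 port 51100 ssh2
Jun 14 03:20:12 sol10 sshd[2290]: Failed password for dbbackup from 10.0.5.21 port 51101 ssh2
Jun 14 03:20:13 sol10 sshd[2290]: Failed password for invalid user svc_swift from 10.0.5.21 port 51102 ssh2
Jun 14 03:20:14 sol10 sshd[2290]: Failed password for maint from 10.0.5.21 port 51103 ssh2
Jun 14 03:20:15 sol10 sshd[2290]: Failed password for canary_ops from 10.0.5.21 port 51104 ssh2
Jun 14 04:01:00 sol10 sshd[2410]: Accepted publickey for opsuser from 10.0.9.7 port 40022 ssh2
Jun 14 04:05:30 sol10 sshd[2415]: Failed password for opsuser from 10.0.9.7 port 40023 ssh2
Jun 14 04:05:41 sol10 sshd[2415]: Accepted password for opsuser from 10.0.9.7 port 40024 ssh2
"""

# Hypothetical decoy account: it has no legitimate use, so any attempt is a finding.
HONEYPOT_ACCOUNTS = {"canary_ops"}


def parse_events(log_text):
    """Return (accepted, user, src) tuples for every sshd auth result line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["result"] == "Accepted", m["user"], m["src"]))
    return events


def analyze(events, honeypot_accounts, brute_threshold=5, spray_threshold=4):
    """Return a list of (kind, src, user_or_users, detail) findings.

    Thresholds are assumptions for the example; tune them to the host's
    normal failure rate. brute_threshold counts failures per (src, user);
    spray_threshold counts distinct accounts failed from one src.
    """
    failures = defaultdict(int)        # (src, user) -> failed attempts
    failed_users = defaultdict(set)    # src -> accounts with failures
    accepted = set()                   # (src, user) that logged in
    findings = []
    for ok, user, src in events:
        if user in honeypot_accounts:
            findings.append(("honeypot", src, user, "attempt against decoy account"))
        if ok:
            accepted.add((src, user))
        else:
            failures[(src, user)] += 1
            failed_users[src].add(user)
    for (src, user), n in failures.items():
        if n >= brute_threshold:
            findings.append(("brute_force", src, user, f"{n} failed attempts"))
            if (src, user) in accepted:
                findings.append(("success_after_brute_force", src, user,
                                 "login accepted after guessing; treat as compromised"))
    for src, users in failed_users.items():
        if len(users) >= spray_threshold:
            findings.append(("password_spray", src, ",".join(sorted(users)),
                             f"{len(users)} distinct accounts"))
    return findings


if __name__ == "__main__":
    for kind, src, who, detail in analyze(parse_events(SAMPLE_LOG), HONEYPOT_ACCOUNTS):
        print(f"{kind:26} src={src:10} account(s)={who} ({detail})")
```

Feed the script real `/var/log/authlog` or `auth.log` text instead of `SAMPLE_LOG`; the single failure on `opsuser` followed by a success from a different source is ignored on purpose, because a threshold on one failure would page on every typo, while the decoy account fires on a single attempt.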