The Kill Switch – A Look into a Hacker's Methodology

Alex Archondakis

Managing Consultant

Alex is one of our managing consultants here at Pentest People, focusing mainly on web application penetration testing. Alex has spoken at many key events while with us, including BSides London and DSS ITSEC Latvia.

We’re kicking off a new series of blog posts featuring some of the best live and recorded content from our consultants, starting with Alex’s ‘The Kill Switch’ talk as given at the Future of Cybersecurity Event. Alex talks us through a hacker’s methodology, focusing on threat sources, threat actors and how to analyse those threats.

He then walks through the methodology known as ‘The Kill Chain’. If you’re not familiar with it, the cyber kill chain is a series of steps that trace the stages of a cyberattack, from early reconnaissance through to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches and advanced persistent threats (APTs) – read more about APTs on our Red Team Assessment page.

If you enjoyed this video, why not subscribe to the Pentest People YouTube channel, where we keep all our event talks, ethical hacker walkthroughs, exclusive interviews and more.

Video/Audio Transcript

Hi everyone. So my name is Alex Archondakis, and I am a managing consultant at Pentest People. I specialise in application technologies, which is pretty much anything over the HTTP protocol, from web to mobile to APIs. I've spoken at various events over the years, which you can see below.

So today we're going to be talking about the kill chain, which is essentially the methodology that hackers use to research, compromise and then exfiltrate data from your systems.

So 2020 saw an absolutely massive rise in remote working due to COVID-19. A lot of companies were forced, right at the last minute, to implement untested and rushed remote access solutions. Something that people don't really seem to realise is that the majority of these solutions are not as out-of-the-box as they may be advertised. For example, Windows RDP is not particularly secure as standard, and it takes quite a few steps to make sure that it is properly secured and that hackers can't easily get into your network. Phishing is still the most likely way for your business to be compromised, and I don't really see this going away any time soon. We're still seeing a massive rise in business email compromise phishing, which we'll talk about a little bit more later on.

Application technologies are continuing to become more advanced. We're getting more and more web applications every day, and they're beginning to do really complicated things and store really complicated data. If you compare the applications of today to the websites of 1995, for example, you can see just how far we have come with our technologies. Whilst these technologies do get more advanced, the threat landscape becomes larger.

Cloud-based solutions are now becoming the norm. They present entirely new attack vectors that haven't really had time to be researched, because it's more recent. So things like companies leaving unprotected S3 buckets or cloud storage buckets, for example. It's also become very clear that staff awareness training is absolutely vital to every organisation. We see this by how often phishing is actually used to exploit companies and how successful it really is; the success rate is just absolutely amazing.

So what is a threat source? A threat source is an organisation or group that may want to target your company. This could be organised crime, foreign intelligence services, competitors, activists; it really depends on what your company does, who they're competing with and what kind of markets you're involved in. So for example, activists may be a big problem to an online e-commerce store that is selling fur goods or animal goods.

A threat actor is the individual who actually carries out the attack against your company. This is typically a hacker for hire; it could be a foreign intelligence agent, or it could just be your bog-standard criminal that someone has gone out on the street and found and hired to perform a task for them.

So, a couple of considerations to have when you are analysing your threats and trying to figure out where you're most likely to be targeted from, who's most likely to target you, or even how much impact they can have on your company. To start off with, we need to know how resourceful your threats are. So foreign intelligence services will be highly resourceful: they have a lot of money, they have a lot of equipment, and they have a lot of staff that they can use as threat actors. Activists, on the other hand, may not be. It may be, you know, a really standard person that's just very animal-rights driven, who might decide that they want to try and take down a company or an organisation. We've seen this quite a lot recently, with vegans in particular going to butchers and protesting outside of them. But how long is it until this moves into cyber, with activists trying to attack your organisation as opposed to just blocking business like that?

So we need to take into account their motivation. Whilst the activist may not be resourceful, their motivation may be significant. When it comes to animal rights, when it comes to human rights, when it comes to anything like this, humans can get very carried away with how into things and how motivated they are, so the motivation is really, really important to consider. And then finally, what impact could they have on your company? Are they trying to steal financial data? Are they trying to steal money from you? Are they trying to affect your reputation? Could it be a competitor trying to steal your company's strategy plans?

So one way to do this is to quantify your risk and try and figure out where you should be focusing your efforts. First is by having each of these on a measurable scale of, say, one to five. So, how resourceful is your threat source? You choose your threat source, let's say it's the activists: how resourceful are they? Not very resourceful, so we'll give them a two out of five. Their motivation is incredibly high, so we'll give them a four out of five, or perhaps a five out of five. And they could probably have a medium impact on your company, so three out of five. From this, we can calculate our risk score by multiplying the resource score by the motivation by the impact. Doing this over all of your risks can help you understand your threat landscape, who may specifically be trying to target your company, and how likely they are to actually have any impact on your company as well.
So what is the kill chain? The kill chain is a process that hackers will typically undertake when choosing and exploiting targets. Whilst we are going through this in a very step-by-step methodology, sometimes it is a little bit more complex than this and there are a few more steps involved, but this is just a standard kind of methodology that is followed by hackers. So we start off with reconnaissance. If I had six hours to chop down a tree, I'd spend four hours sharpening my axe, or whatever the saying is. This works in a very similar way for hackers: the longer you spend researching your targets, reading about them and finding out about them, the more likely you are to have a successful impact when exploiting them. Intrusion: gaining a foothold into the company network. Exploitation: actually running some kind of exploit within it. Privilege escalation: moving from normal user privileges to administrative privileges. Lateral movement through the network: moving between networks, compromising domain administrators and maybe even trying to branch out into other networks. And then data exfiltration, be this stealing money, stealing your financial data or your strategy data; exfiltration can take many different forms. We'll be looking into all of this in a bit more detail now.

So reconnaissance is a data gathering stage: how much information can you find out about the company or the organisation that you are trying to hack? Often at this stage an attacker will decide whether they're going to target your organisation or not. If they cannot find any valuable data about your organisation, then chances are they're probably just going to jump over to the next one, unless it is a specifically targeted attack against you, for example using the activists example as we did earlier. So we'll typically start off our data gathering stage with port scanning: running a scan against your applications and your servers to see what services are externally facing, and seeing if you have anything that's really dangerous that we can then go and exploit to gain a foothold into your network. With remote working being so common now, and being so rushed during the setup, a lot of web servers have remote desktop ports externally facing that haven't been properly secured. This is one attack avenue that an attacker may explore. Open source intelligence gathering: what information have you or your employees posted online about your company, or what marketing material has been posted online about your company? We did a physical intrusion exercise for a large company a while ago, and when the building that they were in was being built, a load of marketing material was released online. It gave us full floor plans, fire escape plans and information about the actual security systems that were in place, so the wired fence with an alarm on it and that kind of thing.

Google dorking is a really powerful way of using search engines like Google or Yahoo, or whatever search engine you're using, to actually search for specific issues within websites. So say, for example, a website has a path that is /vulnerable.aspx; we could specifically search Google to bring back all applications that come back with /vulnerable.aspx as one of their file paths. It can also be used to look for things like specific file types. If you're looking for company data, you know, we'll look for Pentest People and then documents that end in PDF, so any PDF documents that have been published with the Pentest People name in.

Software versions are also really common during this stage. So often the software you're using, or the technology you're using, will show the exact versions within either their headers or when connecting to them. If we can figure out the exact version of software that is being run on an application or on an underlying server, then it's really trivial to Google the software version and often find pre-written, publicly available exploits that will allow us to essentially download an exploit, click play and compromise the application. The reason that this is scary is because any 12 or 13 year old could do this from a standard laptop in a basement somewhere; it really doesn't require any technical skill at all. On top of that, leaked software versions can be searched using tools like Shodan. So we can search specifically for versions, and if your site has been crawled and that version is in your headers, then it will bring that back. So if we know that ASP 4.0.30319 has a load of critical vulnerabilities related to it, we can search for that software version and bring back any applications associated with it. So what we could do is go online, find a vulnerability that we particularly like that affects a certain version, find applications running that version, and just exploit them. So you really do need to be hiding your software versions from headers and responses.

Leaked credentials: so your employees have used their work email address to sign up to a website, that website has been hacked, and the credentials have been leaked online. If your employees reuse their passwords, then they can quite often be compromised through this. You can use Have I Been Pwned as a search to see if there are any leaked credentials relating to your email addresses. And pentesting companies often have their own mass stores of leaked credentials that they will search. In this stage we also use a lot of DNS and mail lookups to try and find out more information about the application, about the DNS configuration, and anything that might be in there that can help.

Once we've looked at the reconnaissance phase, and we've decided that now it's time to go and attack this company, we need to get a foothold in the network. So we've already scanned to find any external services that are publicly available. If we found any of these services that are exploitable, either through brute force attacks or whatever, at this stage we might try and exploit them to get into the network. We might go down the route of physical intrusion: if we've looked at the building, and we've researched it, and we've found out that the building is insecure or we can get in easily and plug into a server, then we won't even bother using technical attacks; an attacker will often try and break into the premises and plug directly in. Malicious email attachments, which are the most likely way your users are being tricked by phishing, either downloading ransomware or remote access Trojans or whatever kind of malware the attacker has decided to load in. Phishing pages with keyloggers: again, this is through phishing, but it's telling users to log into a phishing page that's designed to look like your company website, or your Office 365 email, or a similar kind of client.

So exploiting web application vulnerabilities is another way. If you have web applications hosted on your servers, can you use SQL injection to pull password data out? If it's vulnerable to command injection, you can get reverse shells, you can add users, you can do pretty much anything you want depending on your privilege level. And path traversal, where you can use relative dot notation, which is ../../, to traverse through folder structures on a web server and pull back sensitive files.

Exploitation: once a foothold is in the network, an attacker will actually start looking for technologies to exploit. They'll start off by looking for things like dangerous internal services such as SMB; SMB was a service that was exploited in the WannaCry ransomware attacks. And they might try brute force attacks against some shares. Look for any outdated software or versions that they can exploit: again, if you can find internal versions, and there are already exploits available relating to them, then it becomes a really trivial, really simple attack to perform. Kernel vulnerabilities: are there any issues with the actual kernel or the underlying operating system themselves that they can exploit as well? So once we've exploited them, we've got onto the network and we've got a user, we can access some information at this point, so potentially whatever the user has on their machine. But this isn't really great to us, because we may have just compromised a standard, basic workstation with a couple of documents. What we're really after is the domain administrator, or some kind of administrator account that has high privileges or superuser privileges on the network, so that we can exploit further. Administrator, root or superuser accounts have the power to extract and change password files.

For example, if we're running as admin, as your domain administrator, or even on a normal workstation, we'll be able to pull your system account management accounts, which have password information in. Using Linux systems, you can get into your /etc/shadow file and make changes there. This all being said, if they have administrative access in your network in the first place, you have far bigger things to worry about than this. However, it is not uncommon to add another user through one of these methods, so that you can essentially put a backdoor in. Exploiting files running as a superuser with incorrect permissions: if I can edit a file that's running as administrator and get it to perform actions as administrator, then I can just send a reverse shell back to myself with administrator privileges. Brute forcing these accounts is quite common; weak passwords are still probably one of the most painful things for companies, and also one of the easiest attack vectors for hackers. And pass-the-hash style attacks, which we won't get into in too much detail during this talk, as it is a little bit more complicated.

Lateral movement: again, as we said, chances are the machine you've exploited is not the crown jewels. Now that we've got our user on here, now that we've got an exploit, now that we've potentially got a higher user account, we might move through the network and try and access different machines through shared drives, poor user group roles and quite a few other security misconfigurations that could be exploited in this area.

So what about exfiltration? When we're actually inside the network, how do we get our resources out of it? What are our resources? Are we trying to pull financial resources, data? Are we just trying to leave a backdoor in there? Or we might even be potentially trying to steal money from a bank, which we'll have a look at in a case study shortly that goes into that in a little bit more detail. So when we're extracting resources from the network, we need to bear in mind that there may be egress filtering, which is preventing us from actually sending data outside of the network. Your network should all have some form of egress filtering in place; it is there so that it is a backup. So just take the assumption that you are going to be compromised, and if you are, how could you stop hackers from actually taking the data out of your network? Leaving a backdoor, as we were saying before, is really common. If you have an RDP service open, then chances are the attacker is just going to create a new RDP user with administrative privileges to come back in when they want. Or they may try and do something a lot more subtle than this.

So we're going to take a bit of a look at a case study of the Carbanak hacking group. The reason I absolutely love this as a case study is because you hear of the occasional lucky jewellery heist or something, where people steal a few million pounds, get away with it for a couple of years and then get caught in some kind of sunny country somewhere.
The Carbanak group, to my knowledge, have never been caught. They have stolen over a billion dollars through cyber attacks, and really what they do is very, very clever. They start all of their attacks with spear phishing. We'll talk a little bit more about spear phishing and business email compromise after this, but spear phishing is essentially the act of researching your targets and creating emails that specifically target them, as opposed to sending 200 emails that don't really make sense to people. So once the Carbanak hacking group had sent a spear phishing email, and whatever attachment had compromised the network, they were performing manual reconnaissance of it. They were watching everything that was typed by staff through keyloggers, they were recording CCTV footage, they were watching people through their webcams, so that they could simulate real transactions and learn about how the employees interact with each other, what they do, how they act and even how they talk to each other, which is fairly important when creating the spear phishing emails. Because chances are, once you've compromised one account, you're then using that account to email other people with your malicious attachments, and you need to sound like that person a lot of the time. Large amounts of money, obviously billions of dollars, were transferred through SWIFT networks, by ATMs and through creating high value bank accounts.

So we mentioned spear phishing earlier. Phishing is the act of sending a mass email to hundreds of people with little or no prior knowledge of the victims. We've all received some dodgy Nigerian prince emails trying to, I don't know, tell us to send them money or scam us in some way. They aren't related to us in any way, shape or form, and chances are you aren't going to click on it. Funnily enough, there is a bit of psychology research behind this. It does state that some attackers will do this on purpose, because the people that they want to click on their links, and not just discard it, are the people that are more likely to fall for this kind of thing. They want that audience; their target audience is the sort of lowest 1% of technical ability, and falling for an email like that immediately tells you that you're going to be able to play more with them and get more information out of them.

Spear phishing is a targeted email attack where an employee is actually researched and a custom email campaign is created for them. For example, and I guess it is more of a personal example, but it's always good to take this security into your personal life as well: a C-suite employee may have gone on holiday and posted a picture of themselves on the beach with the hotel in the background, you know, as everyone does, showing off and telling everyone what a great time they're having. We might see this and send an email to the hotel to get their email footer back, just a generic question like "do you have disabled facilities?", for example, something they won't really question replying to. From here we have that email footer, and we'll then try and spoof the domain. Once we've spoofed a similar domain, or completely spoofed a domain, or registered a similar domain, I should say, we can then send an email to the employee saying something along the lines of: someone's left high value goods in a room that you've been staying in, please can you have a look at these pictures and let us know if it was you? And chances are they're going to click on it, even though they know they didn't leave anything, because they'll just be curious.

So I liberated this slide from Kaspersky, but it is very good. They were the original researching firm when this Carbanak attack happened. So we started off with the infection: Carbanak sends a backdoor as an attachment to an employee. This would have been done through spear phishing emails; they likely would have spent a lot of time researching the employees beforehand, and creating custom tailored phishing campaigns so they know that they'll click on them. These emails have exploits which essentially record staff credentials and send them back to the attackers. So the attackers in this instance did manage to infect hundreds of machines, but they couldn't escalate their privileges through the network, because all of the technical controls were in there and locked down. So they couldn't just exploit an out of date software version on one of the machines to get admin access; they needed to wait until an administrative user actually logged into a computer so that they could get the credentials through the keylogger. So they sent an email from one of the compromised user accounts to an administrator, asking them to come and have a look at their computer, saying they have issues. Once the admin came along and logged into the computer, they then had administrative credentials which worked across the domain. So now they've actually got into the network, they start watching and harvesting the intelligence from the clerks' screens, as we were talking about earlier: seeing how they talk to each other, seeing how they're acting, seeing what systems they are actually accessing, and what they are doing to transfer money and create bank accounts. This is almost like a post-reconnaissance before actually exfiltrating the data.

So finally, they wanted to exfiltrate the data, exfiltrate the resources, which in this case is a lot of money. To start off with, they used online banking, so money was transferred to fraudsters' accounts. This is quite simple and easy. E-payment systems: pretty much the same thing; money was transferred to accounts mainly in China and in the US. Inflating account balances: so already registered accounts, giving them a lot more money and then potentially taking it off. And controlling ATMs: so they were essentially hiring thugs, or they were using the threat actor of a criminal, to go and collect money from an ATM whilst they were dispensing money from it.

So, really interesting attacks, with lots of different exfiltration techniques that they have used here. And with what we were talking about at the beginning, between the difference of threat actors and threat sources and actually calculating your risk, I thought it would be worth going through this. So, the risk analysis: the threat source here is organised crime, so the Carbanak group are an organised crime syndicate. The threat actor is a hacker for hire. The motivation is huge financial gains, as we can see from the billions of dollars that have been stolen, and the impact could be significant financial loss and potentially loss of reputation for the company itself.

So, comparing the Carbanak group attack to the kill chain: during the reconnaissance phase, they were researching bank employees to create targeted spear phishing attacks and emails. As we said earlier, spear phishing is all about researching the individuals and creating a more tailored campaign. During the intrusion stage, they used keyloggers and malicious email attachments to get credentials. Exploitation: they were logging into sensitive systems with the credentials gathered, monitoring screens and the behaviour and movement of employees. The privilege escalation was when they called the administrative user to actually type in the admin credentials on the screen so they could get them, and for lateral movement they would have moved between systems to get to different places in the network. Exfiltration: finally, they were moving the money from the bank accounts, as we saw, through the several different techniques earlier.

So what we're looking at here is a standard methodology that attackers will be using. Please bear this in mind when doing your risk analysis of your network. What information can an attacker find out at the recon stage? What information can they find out at the intrusion stage? What can they do? What can they exploit? Can they escalate their privileges? And can they get data out of your network? If you start assuming that the previous step has been accomplished by an attacker, and hardening your network and your security at each step, then it makes it a lot more difficult for attackers. Thank you all very much for coming, and I really appreciate it. If you have any questions, please let me know and I'll try and answer them. Thank you. Cheers.
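The talk's reconnaissance section points out that version strings in HTTP headers are what an attacker feeds into Google or Shodan to match a target to a pre-written exploit, and that the fix is to stop sending them. The following Python check is an added example, not code from the talk or from Pentest People; it parses a raw HTTP response head and reports every header that carries a dotted version. The header list is an assumption to extend for your own stack, and both sample responses are constructed for the demonstration, so nothing is fetched from the network.

```python
"""Check an HTTP response for headers that reveal software versions.

Added example (not from the talk). The header list and the sample responses
are constructed for this demonstration; no network request is made.
"""
import re
from typing import Dict, List, Tuple

# Headers that commonly carry a product or framework version. This list is an
# assumption for the check; extend it for your own stack.
VERSION_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted version such as 8.5, 1.18.0 or 4.0.30319.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a lowercase-keyed dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_version_leaks(raw_response: str) -> List[Tuple[str, str, str]]:
    """Return (header, value, version) for every header that leaks a version.

    A bare product name with no version (e.g. "X-Powered-By: ASP.NET") is not
    reported: it names the stack but does not let an attacker pick an exploit
    for a specific release the way "X-AspNet-Version: 4.0.30319" does.
    """
    leaks = []
    for name, value in parse_headers(raw_response).items():
        if name in VERSION_HEADERS:
            match = VERSION_RE.search(value)
            if match:
                leaks.append((name, value, match.group(0)))
    return leaks


# Constructed responses: the first leaks the IIS and ASP.NET versions the way a
# default install does; the second has the version headers removed.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        leaks = find_version_leaks(resp)
        print(f"{label}: {len(leaks)} version leak(s)")
        for header, value, version in leaks:
            print(f"  {header}: {value!r} -> version {version}")
```

Run it against the head of a real response (for example one captured with `curl -sI`) to see what your own servers advertise. On the ASP.NET stack used in the constructed sample, `<httpRuntime enableVersionHeader="false" />` in web.config stops the X-AspNet-Version header, and on IIS 10 and later `<requestFiltering removeServerHeader="true" />` drops the Server header; other stacks have equivalent settings. Hiding the version does not patch anything, it only removes the shortcut the talk describes, so it belongs alongside patching rather than instead of it.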
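The intrusion section of the talk mentions path traversal, using `../../` to walk out of a web server's folder structure and pull back sensitive files. The following Python is an added example, not code from the talk or from Pentest People: a naive file-path lookup that is vulnerable in exactly that way, beside a hardened version that normalises the path and refuses anything that lands outside the web root. The web root `/var/www/app/files` is a hypothetical path, and the functions only compute and police paths without reading any file, so the example runs anywhere.

```python
"""Path traversal: a naive file-serving lookup beside a hardened one.

Added example (not from the talk). BASE_DIR is a hypothetical document root;
no file is actually read, the functions only compute and police the path.
"""
import os

BASE_DIR = "/var/www/app/files"  # hypothetical web root for served files


def resolve_vulnerable(user_path: str) -> str:
    """Naive lookup: joins the attacker-controlled path onto the web root.

    normpath collapses "../" segments, so "../../../../etc/passwd" walks
    straight out of BASE_DIR, which is the path traversal described in the talk.
    """
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def resolve_hardened(user_path: str) -> str:
    """Same lookup, but the normalised target must remain inside BASE_DIR.

    os.path.join discards BASE_DIR when user_path is absolute, and normpath
    collapses "..", so both tricks are caught by the commonpath check.
    Raises PermissionError instead of serving anything outside the root.
    This is a string check only: on a real filesystem, symlinks inside
    BASE_DIR that point elsewhere also need os.path.realpath before the check.
    """
    base = os.path.normpath(BASE_DIR)
    target = os.path.normpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    return target


def escapes_root(user_path: str) -> bool:
    """True if the hardened resolver would reject this request path."""
    try:
        resolve_hardened(user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: two legitimate requests and the classic traversal payloads.
    for p in ("reports/q1.pdf", "docs/../q2.pdf", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{p:28} vulnerable -> {resolve_vulnerable(p):32} blocked: {escapes_root(p)}")
```

The comparison is worth keeping in mind when reviewing file-download handlers: stripping `../` from the input with a string replace is not enough, because encodings and repeated sequences like `....//` can survive it, whereas normalising the joined path and then checking that the result still starts with the web root catches the whole class.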