I Never Forget a Face

24th of April 2019

War story from an NCC Group Black Team assessment, by Tim Dillon

Rogue delivery

In this Black Team operation, the team was challenged by the small size of the target organisation, as a new face would stand out immediately, and would require a very good cover story to be able to intrude on company premises.

The target: a supposedly very secure organisation with good physical security controls.
The objective: to compromise the environment and gain access to an application in a somewhat segmented part of the network, and leave a trail for the Head of IT. 

Little more than that was known to the team. 

The Black Team’s original plan was to compromise the wireless network, and in case of complications, we would move on to Plan B, which was to deliver malicious USB sticks to the IT department.

Day 1 – Compromising the Wireless Network

The bottom floor reception area of the target company was open to the public and efforts were made to compromise the corporate wireless network from couches in the reception. The open guest wifi was within range of the couches, so students and other Internet-hungry members of the public had found it a great place for free surfing. And the consultant was no exception. 

After a while, the consultant’s extended time on the couch drew the attention of one of the security guards. The security guard sat down on the small couch right next to the consultant, and was clearly trying to view the consultant’s screen. It is always good to know the shortcut key to swap screens, as the consultant switched from a suspicious console to a browser with social media as the security guard sat down. The consultant sat tight for another ten minutes to avoid suspicion.

To the surprise of the consultant, however, the security guard fell asleep after a few minutes - it must have been a very comfortable couch. To document the experience, the consultant used his phone to inconspicuously take a photo for the report. 

Unable to hack the wireless network, the team stopped the operation for the day and initiated Plan B.

Day 2 – “Promo Pack: Please Distribute

Several days before the first attack, after some OSINT and active recon, our consultant sent a fake spam message and received an out-of-office response from the Head of IT. The out-of-office message was descriptive enough to provide the period he was away on leave. With multiple scenarios being prepared in parallel, the consultants had also arranged a box of malicious USB sticks with the company’s logo that would come in handy when initiating Plan B.

With the Head of IT still away, now was the perfect time to attempt to deliver the box of USB sticks. He would hopefully return to find them on his desk and would be less likely to question where they had come from.

Thanks to thorough OSINT, the antivirus in use was known, and custom malware was created to specifically evade detection. Malware was painstakingly copied to each USB stick and returned to the plastic sleeve as new.

The cover story was created, with fake courier delivery forms, a clipboard, fake company collateral, and the company phone number on the form was even manned by a colleague during the operation. A bag was filled with different fake parcels, the target’s parcel being wrapped in brown paper with a single note: "Promo pack: please distribute".

As the consultant approached the building yet again, this time dressed in lycra and other bicycle courier attire, a quick visual was conducted from outside the building to check that the previous security guard who fell asleep wasn’t around. Satisfied the guard wasn’t on duty, the “courier” approached the reception desk.

At the reception desk, the security guard from earlier was leaning far back in his chair, below the height of the reception counter. The consultant was concerned that his face may be remembered by the guard, but had no choice and had to proceed as planned.

The consultant announced that he had a delivery for the secure floor, but the security guard challenged him with the procedure that no deliveries could be made unless they were registered. The consultant explained that it was his first day as a bike courier and pleaded for the security guard to just sign for the package and take it up. After a bit of back and forth, the security guard seemed annoyed and stood up and told the consultant to follow him to the security room. As they crossed the reception floor to the lift, the security guard changed his mind and said something along the lines of: “Don’t worry, I’ll take you up this time. But next time you have to make sure your delivery is registered!”

Up they went in the lift, and at the secure floor, the buzzer resulted in another security guard answering the door. When asked by the “courier” to sign the delivery form, he went off to find the Head of IT. He returned to explain he was away on leave, signed for the package himself and took it away to drop it off on the Head of IT’s desk.

It is always exciting when OSINT, recon, preparation and opportunity all come together, and a plan that has been in the works for so long works out exactly as planned. As a result, the consultant’s “thank you” to the security guard as they rode down in the elevator must have come across as the sincerest and most heartfelt he had received in a while. The security guard responded with a gracious “no problem, I knew it was your first day on the job, I never forget a face”. The consultant had to bite his tongue to stop from laughing. Only a few days before earlier, they had been side by side on the couch together. Clearly, the security guard’s memory wasn’t as good as he thought.

Several days later the Head of IT returned from leave, and distributed the branded loaded USB sticks to his IT admin staff. Which happened to be the only members of staff without USB port restrictions. Reverse shells rained from the sky and, of course, the project’s goal was achieved shortly thereafter.

This story was originally published by Tim Dillon on 1 March 2019. Read the original story here