Blackbox Pen Testing
Protecting financial borders
The client is an international bank with total assets of USD 2.5 billion. Our penetration testing team was tasked with simulating a real-life hacker attack on the bank's Central European branch as part of a customer data security and compliance review. The penetration test was conducted from a "black box" perspective (i.e., with zero initial information other than the name of the target organization). By building an attack chain, we were able to gain access to the main processing systems and the SWIFT system. Moreover, the team found a way to transfer money from one bank account to another on behalf of other clients. Thus, the test goal was successfully achieved.
WHAT WAS DONE
TESTING FEATURES
Preparation
To ensure accurate results, our team used both manual and automated testing tools and methods. At the beginning of the penetration test, we identified a vulnerability in the bank's external network. We developed a dropper (a type of trojan) to install our malware on the target system. Using a phishing attack, this dropper was downloaded to a computer on the client's network. The dropper contained malware that replicated itself in multiple locations for resilience and migrated from one process to another. Initially delivered as a text file, it was transformed into malicious code using macros in such a way as to avoid detection by antivirus scanners. Thus, neither the security monitoring systems nor the firewalls and antivirus solutions detected the malicious activity taking place on the network.
HTTPS connection compromise:
Next, we discovered that the bank's HTTPS connections were being made through Amazon's CDN. We therefore registered a domain with Amazon, which let us create an alias, collect the bank's requests, and redirect them to our own server. From the perspective of the bank's IT team, the connection from their internal network went to Amazon, which could just as well have been ordinary update traffic. This implicit trust in the connection allowed the "intruder" to go undetected.
Hacking scenario:
Gaining full access. After penetrating the internal network, we collected private user data and basic credentials, elevated privileges to the domain administrator role, took over the domain, and gained full control of the system. Our task was complete. However, hackers in the real world would have been able to move on to the main data processing systems and conduct unwanted transactions.
RESULT
The simulation of the adversary's actions allowed us to demonstrate the full path of compromise by exploiting a single vulnerability in the external network in combination with a single successful phishing attack. During the remediation phase, we worked closely with the client's IT security team to immediately address all vulnerabilities found and apply security best practices. Thanks to this penetration test, the bank avoided the compromise of user accounts and mitigated business risks such as financial and data loss, as well as reputational damage. As a result, our client developed best security practices and was able to meet the highest level of compliance and regulatory standards.