Bank cyber security, Pen testing

TESTING STAGES

Reconnaissance:

• It took us a week to study the client’s systems. We gathered information about the software, OS, browsers, antiviruses, email clients, etc. used by employees. We also focused on the email format and other elements of corporate identity, news and events in the company – everything that could make the email, phishing site, and targeted attack more credible.

FEATURES

Despite the maturity of the client’s cybersecurity, after a week of reconnaissance, we managed to bypass security services and penetrate the system using one of the classic tricks – sending emails with malicious attachments.

Sandbox bypass vulnerability:

• We found that the client uses a sandboxing system that analyzes attachments to detect malware. This system executes untrusted code in a restricted environment, analyzes what actions it performs on the system, and determines whether the file is safe or not. This method prevents phishing attacks via attachments of any type.

We applied special training methods to determine how to bypass this filter. By analyzing how the system runs and learns the file’s process tree, we were able to develop malware that tricks the sandbox. We prepared a new payload that passed through anti-virus, file signature and behavioral analysis, and activated the code after only a few days without being detected as malware.

Hacking scenario:

• Despite the variety of creative approaches aimed at misleading employees, from a technical point of view, it all boils down to two actions: phishing to steal account data and running an executable to infect the device. In our case, opening and launching an email attachment was the trigger for the script’s successful operation.