Bank cyber security, Pen testing
Testing the borders, strengthening protection
The client is an international bank with total assets of USD 900 million. The bank offers a full range of banking services for private and corporate clients. We were asked to conduct a penetration test using social engineering and try to gain access to the bank's internal network by manipulating its staff. In this way, the Client wanted to test the effectiveness of existing security solutions in combination with cyber hygiene awareness campaigns among employees.
WHAT WAS DONE
TESTING STAGES
Reconnaissance:
- It took us a week to study the client’s systems. We gathered information about the software, OS, browsers, antiviruses, email clients, etc. used by employees. We also focused on the email format and other elements of corporate identity, news and events in the company – everything that could make the email, phishing site, and targeted attack more credible.
FEATURES
Despite the maturity of the client’s cybersecurity, after a week of reconnaissance, we managed to bypass security services and penetrate the system using one of the classic tricks – sending emails with malicious attachments.
Sandbox bypass vulnerability:
- We found that the client uses a sandboxing system that analyzes attachments to detect malware. This system executes untrusted code in a restricted environment, analyzes what actions it performs on the system, and determines whether the file is safe or not. This method prevents phishing attacks via attachments of any type.
We applied special training methods to determine how to bypass this filter. By analyzing how the system runs and learns the file’s process tree, we were able to develop malware that tricks the sandbox. We prepared a new payload that passed through anti-virus, file signature and behavioral analysis, and activated the code after only a few days without being detected as malware.
Hacking scenario:
- Despite the variety of creative approaches aimed at misleading employees, from a technical point of view, it all boils down to two actions: phishing to steal account data and running an executable to infect the device. In our case, opening and launching an email attachment was the trigger for the script’s successful operation.
RESULT
Having identified the sandbox bypass vulnerability, our malicious email passed the security stage and the dropper was activated on one of the employee’s devices. Next, we established a connection and, through file sharing, found an opportunity to hijack certain accounts, find misconfigured backup access, and work our way through the network to take over the domain. After completing the testing, we provided a list of possible measures to restore the required level of security and helped the bank to patch the security gaps as soon as possible.