Hacker Series - Playing Hard To Get
OR...5 Ways To Stop Hackers In Their Tracks
I am a hacker. After scouring one million IP addresses in the United States, I compiled a list of plump targets ripe for exploitation. (If you missed part 1, click here). While I wait for the rest of my scans to complete, I salute the hammer and sickle, thank my almighty leaders for giving me the opportunity today to cripple evil capitalism, and also pray I get my daily allowance of rice or bread. It's cold in the barren north country outside, but inside, I have harvested a bountiful crop of suckers.
The scan gave me a list of specific hardware and software, often down to the version number. Now I look for an easy victim who hasn't kept up with upgrades and updates. The easiest of all is a Windows computer sitting on the open Internet with nothing in front of it. Put an unpatched machine directly on the Internet and it will be probed within minutes and owned not long after, and you will deserve it!
Hackers Prefer Easy
The same is true for any Internet router still using a default or weak password. It might take a little longer, but when I'm faced with a login prompt, I always try the easy stuff first: the factory default, then the short list of passwords everyone uses. Why? People are lazy, remember? Everyone wants to hit that easy button. Easy for you means easy for me. When I see a Netgear, Linksys, or TP-Link device, I get excited! Why? They ship with default user names and passwords that are the same across every unit of a model, and those defaults are printed in the manual and all over the Internet. Of course, this is starting to change, but think of all those old boxes that haven't been touched since they were installed.
I'm not picking on Netgear, but the most popular Netgear Internet router at Wal-Mart costs about $115 and, at the time of writing, has ten (10) published vulnerabilities on MITRE's CVE list (Link). Every vendor has a record like that; what matters is whether the owner ever installs the firmware fixes. So, go ahead and accept the defaults to get the Internet up and never go back to update them. I don't mind.
Hackers: The Invisible Consumer
Another viable option is to buy breach data from the Dark Web. What is the Dark Web? It is a magical place where people like me can shop for all the latest passwords and personal information. In reality though, I am a frugal, state-sponsored hacker with no budget. I must make my own way. I would only use the Dark Web to find access information for companies I specifically wanted to target.
Take my cousin the Hacktivist. She hacks not necessarily for money but to win hearts and minds against greedy corporations, rival political gangs, and anyone who would dare wear a real fur coat. It’s personal with her and I wouldn’t cross her. She will search for specific individuals or company information and buy access. I’ll show you how I make money on the Dark Web in the next blog post. Read about the Dark Web here (Link).
I found myself a nice, juicy corporate firewall, an unpatched Fortinet FortiGate. The news has been on fire about how anyone with fingers and eyeballs can get into one of these with little effort. I read up on the vulnerability on MITRE. Then I find a step-by-step exploit write-up with a Google search. Props to YouTube for keeping these mostly cleaned off, but it's a little harder to filter a Google search.
Once I run the exploit, I have administrator access to the firewall. What can I do from here? Oh, the fun I can have! First I create my very own admin account with full privileges so I can log in whenever I want, and I name it to look as much like the existing accounts as possible so nobody looks twice at it. I might also open a few ports here, a few ports there, but the real gold at this stage is the firewall's own logs and rule set. They tell me which ports are forwarded in from the outside, which internal IP addresses they land on, and what those hosts are running, so I can pick my next target and figure out how to exploit it.
My favorite target is an old on-premises Microsoft Exchange server. It always needs a port opened through the firewall, and it runs on a Windows Server, so getting into Exchange means getting into Windows. If Exchange is old, the operating system underneath it is almost certainly unpatched too. Web servers are another great option, though not many companies host their own web content anymore. Another favorite is video surveillance systems. Someone will always open a firewall port so some manager can view the camera feeds remotely. Think about what I can do with access to the camera feeds.
Really, though, I'm content with my Exchange and its old Windows server. The fact that they're still running tells me this company isn't interested in security. There are 28 CVEs open on Exchange Server in 2023 alone! No way the admin kept up with all that! I can run a simple exploit and get a command line on the Windows Server in minutes. A command line means I can run programs on that server without ever knowing a password, and because Exchange runs with high privileges, the shell I get usually has full administrator rights too. So what do I run first?
All I have to do is have the server download one file from a site I control and run it. This is malware: in this case a very simple remote-control agent that is always running and always calling back to me. Sure, someone might notice that connection in the logs, but an admin who isn't installing updates is definitely not reading logs. And because it's a mail server, it has to reach hosts all over the Internet to send and receive email, so nobody has restricted its outbound traffic and my callback blends right in.
Backdoors and Persistence
Now that I have a foothold in this system, I want to make sure I keep it, so I drop in a few safeguards for ongoing access. I put the malware installer in the startup folder, so it comes back if the server reboots or the antivirus finally recognizes it and removes it. Odds are, though, that if it ran the first time nothing is blocking it: a plain Windows executable with no known signature and no loud behavior often doesn't trip even the really expensive software, like CrowdStrike or SentinelOne, when nobody is tuning or reading its alerts. Sorry, boys. I keep it simple. I also create a scheduled task in Windows Task Scheduler that periodically reinstalls it, in case one of the admins gets wise. There is so much already sitting in Task Scheduler that you'll never notice my addition.
Now that I'm sitting on a trusted system as the admin, I can go almost anywhere. Yes, I still need to reach other systems and find the cash-cow files, but the next step is covering my tracks. Every system keeps logs of who accessed it. Even an absent-minded admin turns on some logging, so that if they are hacked the logs show how the hacker got in. Except that when I hack, I also remove the traces of my access. If I create a new admin account on the local computer or the domain, I clear the log entries that show I did it. Lucky for me, most production servers keep their logs only on the box itself, where an administrator can clear them; unless the logs are shipped to a separate collector as they are written, the only evidence left behind is the "audit log was cleared" event, and nobody is watching for that. I could even make it look like the current admin created the back door and let him take the fall for it. Nah, I'm just here for the files.
That's it? I'm into this well-funded corporate system? Yes, and the first point of failure is the business owners. The C-levels refuse to accept that a strong policy with a hard-line stance against defunct technology matters. Wait until they see the ransom I set. Even then they'll blame the IT staff, or the vendors, or fire the CTO or CIO. And the policies will never come. If you are a business owner and your company gets hacked, find a mirror and start pointing fingers. You are to blame, and I love you, you big fool!
Five (5) ways to stop hackers dead in their tracks:
1) Update, update, update! – As a company or an individual, you need an inventory of every system you own. It needs to include EVERYTHING that can reach or be reached from the Internet. If MITRE's CVE list shows a vulnerability and the vendor has no fix for it, replace the hardware. Cut it off! It's better to be maimed and safe than whole and hacked. If you must keep a vulnerable system, isolate it on its own network segment, away from production. You can't let the leper mingle with the healthy! Corporations have no excuse for not using patch management. Some packages are free!
2) Monitor everything – And then actually look at the logs. Collecting logs from every system only helps if they are forwarded off the box to a central collector, where an intruder can't clear them, and something is watching them for specific indicators of a hack. New accounts, password resets, group changes that grant admin rights, new scheduled tasks, and a cleared audit log should immediately trigger alerts, alarm bells, and red flashing lights. Again, some log correlation software is free!
3) Outsource – If you can't be bothered to find and keep quality IT talent, outsource. When you are on the call with your attorney and insurance adjuster discussing why they refuse to pay the ransom because you lied on your insurance forms, the cost of outsourcing will look like pennies on the dollar. You wouldn't file your own corporate taxes or represent yourself in court. You really shouldn't pretend you understand the complexities of IT.
4) Policies First – If your organization doesn't have a written policy for protecting the computer network, drop everything and write one now! If you have cybersecurity insurance and no policy, you lied on your legally binding forms! Business leaders, take responsibility before you find yourself liable. You should have written policies covering most of the control families in NIST SP 800-53 (Link)!
5) Regular Penetration Tests – Bring in a white-hat hacker to test your systems from outside the network and from inside it. Again, if you have cybersecurity insurance and don't get regular pentests, you lied! A pentest is the closest you will get to seeing what a hacker sees, and it gives you a prioritized blueprint for fixing the problems before I find them.
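What point 2 asks for, applied to the moves described under Backdoors and Persistence above (the lookalike admin account, the scheduled task, the cleared log), as an added example written for this page: it is not code from the original post or from any vendor. It assumes Windows Security events have already been forwarded to a collector and normalized into a flat record of time, host, event ID, subject (who acted) and target (the account or task acted on). The event IDs 4720, 4724, 4728, 4732, 4698 and 1102 are the real Windows Security log identifiers for the conditions named in the comments; the sample events, the host name EXCH01, and the KNOWN_ADMINS list are constructed for the example.

```python
"""Alert on Windows Security events that signal a new foothold: account
creation, privilege grants, scheduled-task persistence and log clearing.

Added example for this page. SAMPLE_EVENTS is constructed data, not real
telemetry, and KNOWN_ADMINS is an assumed list of legitimate admin accounts.
Field names are simplified from the Windows Security log.
"""
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Windows Security event IDs and what they mean (these IDs are the real ones).
RULES = {
    4720: ("high", "user account created"),
    4724: ("medium", "password reset attempted on another account"),
    4728: ("critical", "member added to a security-enabled global group (e.g. Domain Admins)"),
    4732: ("critical", "member added to a security-enabled local group (e.g. Administrators)"),
    4698: ("high", "scheduled task created"),
    1102: ("critical", "security audit log cleared"),
}

# Assumed list of accounts that are allowed to hold admin rights here.
KNOWN_ADMINS = {"Administrator", "jsmith_admin", "svc-backup"}


def lookalike(name, known, threshold=0.8):
    """Return the known account that `name` most resembles without matching
    it exactly (svc_backup vs svc-backup, Administrat0r vs Administrator),
    or None if nothing is close enough."""
    if not known:
        return None

    def ratio(candidate):
        return SequenceMatcher(None, name.lower(), candidate.lower()).ratio()

    best = max(known, key=ratio)
    return best if name != best and ratio(best) >= threshold else None


def evaluate(events, known_admins=KNOWN_ADMINS, window=timedelta(minutes=30)):
    """Run the rules over normalized events and return alerts, oldest first.

    Each event is a dict with keys time (datetime), host, id (int),
    subject (who acted) and target (account or task acted on).
    """
    alerts = []
    creations = []  # (time, account) pairs, correlated with later log clears
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["id"]
        if eid not in RULES:
            continue  # logons and other routine noise are not alerted on here
        severity, desc = RULES[eid]
        alert = {"time": ev["time"], "host": ev["host"], "id": eid,
                 "severity": severity, "desc": desc,
                 "subject": ev.get("subject"), "target": ev.get("target")}
        if eid == 4720:
            creations.append((ev["time"], ev["target"]))
            twin = lookalike(ev["target"], known_admins)
            if twin is not None:  # the "mistaken identity" account from the story
                alert["severity"] = "critical"
                alert["desc"] += f" (name resembles existing account {twin!r})"
        elif eid == 1102:
            recent = [acct for t, acct in creations if ev["time"] - t <= window]
            if recent:  # log wiped shortly after a new account appeared
                alert["desc"] += f"; follows creation of {recent} within {window}"
        alerts.append(alert)
    return alerts


# Constructed sample: the intruder's sequence on the mail server from the story.
T0 = datetime(2024, 3, 1, 2, 14, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "EXCH01", "id": 4624,
     "subject": "svc-backup", "target": None},                  # ordinary logon
    {"time": T0 + timedelta(minutes=2), "host": "EXCH01", "id": 4720,
     "subject": "SYSTEM", "target": "svc_backup"},              # new lookalike account
    {"time": T0 + timedelta(minutes=3), "host": "EXCH01", "id": 4732,
     "subject": "SYSTEM", "target": "svc_backup"},              # added to Administrators
    {"time": T0 + timedelta(minutes=5), "host": "EXCH01", "id": 4698,
     "subject": "svc_backup",
     "target": r"\Microsoft\Windows\Maintenance\Updater"},      # persistence task
    {"time": T0 + timedelta(minutes=9), "host": "EXCH01", "id": 1102,
     "subject": "svc_backup", "target": None},                  # covering tracks
]


def main():
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['host']} [{a['severity'].upper()}] "
              f"{a['id']}: {a['desc']} (by {a['subject']}, target {a['target']})")


if __name__ == "__main__":
    main()
```

Running it prints four alerts in order: the account creation (raised to critical because svc_backup is one character away from the legitimate svc-backup), the Administrators group change, the new scheduled task, and the log clear, annotated with the account created minutes earlier. That last correlation only works because the 4720 record reached the collector before the attacker cleared the local log, which is exactly why point 2 insists on forwarding logs off the box.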
Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.