
To serve and response

A recent cyber-attack on a government office led our incident responders to defuse a challenging cyber event, one where creative, outside-of-the-box thinking was needed to eliminate the threat.

This is how it played out:

8:42 pm

A customer calls our incident response hotline to report unusual logs coming out of their DLP products. Our response team rapidly establishes a secure remote connection in order to see what is going on.

A quick overview indicates data exfiltration activity, although at a very low volume. Further investigation leads our team to inspect network traffic in search of suspicious activity.

10:22 pm

A dubious client-server communication is spotted, where the client is located within the network and the server is outside. An IP geolocation investigation points to a server that is in fact in a different country. At this point, our team decides to install internal tools on the suspicious endpoint in order to gain better visibility, without interrupting the attacker's activity so as not to tip him off.

11:07 pm

It is now clear that we are dealing with a sophisticated attacker who has managed to bypass almost every control the office has in place. After successful lateral movement, he has gained access to several endpoints across the organization.

12:15 am

After informing the management team on the customer side, we begin to take action. The first step is to deploy honeypots so that we can learn about the attacker's techniques and the tools he is using. This is a great success: the attacker fell for almost every honeypot we deployed.

The next step is to use the credentials he is using to communicate with his servers in order to evaluate what information he has gained access to so far, so that we can later destroy it.

Finally, the last step is to stop his malicious activity using tools like Cynet and others.

2 days later

Our team heads over to the customer site in order to brief everyone at the office on the chain of events, including our successful incident response activity.


Your vital signs’ monitor may need critical care

Hospitals around the globe rely on many types of medical devices to deliver the most up-to-date patient care. They also spend hundreds of millions of dollars on backup systems, redundancy, and business continuity to ensure that these systems, which are critical to saving lives, remain 100% functional.

Doctors and nurses rely on these devices on a daily basis, as they allow them to focus on the challenges and complexities that require their human expertise. But there is a scenario that no medical professional is prepared for during their training, and one that is often overlooked by hospitals: how safe are medical devices in the face of a cyber-attack?

This case study will examine how a major hack on a hospital’s medical monitoring technology can directly affect patients’ lives.

Patient monitoring devices provide a snapshot of a patient's health status, including a full vital signs analysis (heart rate, temperature, blood oxygen levels, etc.). This allows medical staff to quickly evaluate the patient's status.

Samples can be taken every few hours, or, in cases where patients are being monitored continuously, a staff member can observe several patients at once from the nurses' station. If the monitor detects a deviation from the normal measurement range, an alarm goes off at the nurses' station, prompting the staff to check on the patient.

Recently, a known monitor manufacturer asked BugSec to conduct a security evaluation of their product. We quickly discovered that the communication channel between the monitoring devices and the reporting unit at the nurses' station was based on a simple radio frequency (RF) protocol, which would allow us to freely receive and transmit data over the channel with the right tools.

After mapping the attack surface, we decided to pursue this approach. We connected the monitor to a live person and measured his vital signs. We also set up a mock nurses' station with screens showing data from the demo patient.

During the simulated attack, we used specialized tools to pick up the frequency that the device was transmitting on. After learning how each vital sign is interpreted by the system, we started experimenting with it and managed to transmit different messages in the same pattern, causing the nurses' station to display false patient data. This, of course, is a serious vulnerability, not only because of the impact on patients' lives, but also because hospitals are public spaces and a malicious party could gain access with great ease.

We immediately reported the vulnerability to the manufacturer, including our recommendations on how to mitigate the threat, and they were able to stop the false transmissions immediately.


Elevated attack

How vulnerable can a building guard’s desktop be? Really, it should only be allowed to access the automatic doors controls and maybe a game of Solitaire, right? Think again.

Several months ago, a major real estate company asked BugSec to conduct an external takeover of their IT system. This provides the company with a comprehensive view of the various areas of exposure they might have, which could be taken advantage of by malicious parties. All discoveries were of course reported to the customer.

We began our reconnaissance at a famous office building. A quick look at the guard station revealed that it was running a vulnerable operating system, which was a possible entry point. An additional search of the premises led us to an exposed Ethernet outlet, and like good white hat hackers, we decided to plug in.

Once we were in, we managed to bypass the NAC system and obtain a local IP address. A quick asset scan revealed the guard station endpoint, which was not even concealed: its hostname was "GUARD-PC". We were able to exploit the previously discovered vulnerability on this endpoint to get a remote shell on the Guard PC, and from that point we were inside the system.

Moving on to the next stage, privilege escalation, it took about 15 minutes until we had obtained domain admin access. For many ethical hackers, this would have been the jackpot and they would have called it a wrap. But our team was just warming up.

We decided to manipulate the building's digital signage system, changing the direction of arrows, swapping company names and floor numbers, and adding fictional names and signs, like "Dr. Smith, to the right."

We continued probing until we gained control of the elevators. We were able to stop and restart them, lock people inside, and perform many other operations that would be quite worrisome if carried out by a real hacker.

All issues were reported fully to the customer, who was both surprised by the gaps in their system and happy to have us on their side in order to resolve the issues.


Somebody’s watching me

Have you ever felt like somebody is listening to your private conversations? Would you believe that this could happen within your own living room?

A recent proof of concept (POC) carried out by the BugSec research team exposed vulnerabilities in a smart TV operating system sold by a well-known telecommunications company. The team discovered that hackers were using malicious applications to access the TV operating system and were able to listen to any conversation taking place in the vicinity, using the built-in microphones designed for voice commands.

This is how we figured it out:

It began with a simple penetration test that BugSec's Red Team conducted for a smartphone manufacturer. The manufacturer was extremely pleased with our findings, which showed our innovation and outside-of-the-box thinking when it comes to hardware and software manipulation. We were then asked to perform a smart TV penetration test, which of course we agreed to right away.

In general, smart TVs operate similarly to smartphones. They use commodity hardware, run a build of an open source operating system (e.g. Android TV), and have a flexible UI designed and developed by the manufacturer. They also offer an application platform that allows developers to access certain hardware components, such as microphones, and data stored on the TV's drives. A penetration test for a smart TV is no different from a penetration test for a smartphone as far as the techniques and attack landscape go.

Our smart TV test focused on a very common app that is widely used and installed by many customers. After successfully exploiting a vulnerability, we were able to gain full control of the TV set. Through various manipulation techniques, we were then able to manage the hardware components; from there, it was a short path to opening a built-in microphone for voice tapping.

What are the key takeaways from this? The more a device is connected and behaves like a computer, the more hackable it is. The manufacturer was happy to get the test results, of course, while we continue to search for new vulnerabilities so that we can get to them before the bad guys do.


Nothing is bulletproof

Companies that collect sensitive customer data (like credit card details and social security numbers) must adhere to the strictest regulations and industry standards, which include data segmentation and separation. But can these companies claim that their data is “100% safe?”

BugSec's cyber-attack simulation is designed to test this. Using multiple modern techniques such as reconnaissance, social engineering, phishing, asset mapping and more, we launch a simulated attack on the organization's infrastructure. The main purpose is to test the existing security controls, see whether they operate in a synchronized manner, and provide an answer to the question: am I safe?

Several months ago, a PCI-DSS compliant organization from the credit card industry asked us to conduct a cyber-attack simulation to test whether its data – the holy grail for any hacker – was secure. The company’s decision makers were anxious to find out whether their security measures were bulletproof due to the sensitivity of the data they collect and in light of recent cyber-attacks against industry competitors, like Equifax.

At first glance, we must admit, the organization's policies and controls were very strict and operated in perfect harmony; it was a real beauty from a security perspective. But we dug a little deeper and discovered the weakest link: the human factor. We were able to deliver our malware through this channel.

Once we were inside the system, it still wasn't easy to get to the data. As we all know, a PCI-DSS environment is strictly segmented and sometimes even physically separated. But we were eventually able to gain access after a successful privilege escalation that left us holding a domain admin account (once again, the human factor). From this point we progressed toward the trophy, the PCI database, and once we had obtained and exfiltrated it (with extreme precautions), we presented it to the customer, who remained speechless.

Unfortunately, there is no patch for human error. That is our response when companies ask us what is left to purchase or install in order to prevent it. This brings us back to a very basic axiom: user awareness of cyber threats costs 0.1% of a typical control and is 10 times as effective, if not more.


Lights security doesn’t have to be light security

Megacities around the world no longer consider operational technology (OT) as a standalone system when it comes to city operations. As metropolises change over to a “smart cities” model by connecting most of their critical infrastructure into one major operational network, they also face greater exposure to certain cyber threats.

SCADA and ICS infrastructure are considered dinosaurs as far as their technology goes. They use old operating systems, old-fashioned authentication techniques, networks that were never designed with security in mind, and many other outdated components that expose them to modern threats. Up until a few years ago, OT assets were relatively protected from cybersecurity threats, since OT infrastructure wasn't integrated with any of the city's IT systems. But, due to the smart cities revolution, which has led to the interconnection of OT and IT, they are now exposed to the same risks that the IT world has been facing for years.

During a recent successful POC, BugSec exposed the vulnerabilities within the lighting system of a major European city. Our team was able to use remote code execution on a specific server, and after a few lateral moves, could eventually control the city’s entire lighting system.

This is how it’s done:

During a standard penetration test on a web application used for soccer ticket sales, BugSec gained access to a vulnerable server through remote code execution (RCE). In a short time, we had full control. We then performed a quick lateral move within the system and gained access to an operator workstation that controls the lighting system of the whole soccer stadium. From there, we could easily connect to the city's main lighting network. This led us to understand the immense vulnerabilities of this system and just how easy it would be for a malicious hacker to take over the city's lighting network, leading to a game-over situation.

This demonstrates how immature cybersecurity is when it comes to SCADA and ICS systems, and shows that for many reasons SCADA and ICS manufacturers aren't paying attention to security issues, as they seem to be following an outdated perspective in which security equals non-operation. This notion, of course, doesn't jibe with modern technology or with the integration of OT and IT systems. BugSec's POC, along with other similar ones and real breaches within the SCADA and ICS industry, is strong proof that the time for change has arrived.