Breach Background

The company, BigRedBox, was first alerted to a breach when its security team noticed unusual network traffic patterns. Upon further investigation, the security team found multiple unresolved security alerts dating back six months.

Initial Compromise: Phishing

The initial attack vector was a phishing email sent to employees of a third-party vendor of BigRedBox. The email contained a malicious link, which when clicked, installed malware onto the employee’s computer. This malware was able to gather sensitive information such as usernames and passwords.

Pivot and Escalate: Credential Stuffing

Using the stolen credentials, the attackers carried out a credential-stuffing attack on BigRedBox’s vendor payment webserver. The attackers attempted to use the stolen credentials to gain access to other systems and systems of third-party partners.

Persistence: Malware Injection into Client Software

To maintain a presence on BigRedBox’s systems, the attackers injected malware into the company’s client software. This allowed the attackers to persist even if the stolen credentials were discovered and changed.

C2 and Exfil: HTTP as Exfil

The attackers used HTTP as the protocol to exfiltrate sensitive data from BigRedBox’s systems. They used this protocol as it was less likely to be detected by security systems compared to other protocols.

Wrap-Up Incident 3

This fake attack kill chain is similar to the real-world Target 2013 breach. The attackers initially gained access to the company’s systems in the Target breach through a phishing email sent to a third-party vendor. The attackers then used the stolen credentials to pivot and escalate their access, injecting malware into the company’s point-of-sale systems to persist. The attackers exfiltrated sensitive data through an internal staging server via FTP data transfers.

Reference Link