The big question we usually ask our clients is “are you secure?” To answer this question you need to know your organization and the adversary: how he operates, which techniques he would use to attack your organization and where your weak points are.
Cybia was once contracted by a foreign government to conduct an adversary simulation on their tax department. The goal was to hack their tax systems to prove that it was possible to gain access to citizens’ data and tamper with it. The scenario was an external breach leading to full takeover of the tax systems.
Cybia engaged the project by doing some simple recon on the tax department. After discovering the organization’s email address template, it was easy for us to gather the email addresses of victims in the tax department.
We designed a very sophisticated spear phishing attack on one of the employees of the tax department. Before launching the attack we learnt exactly what kind of security systems were present in the organization in order to tailor the attack payload. The attack succeeded and bypassed all security systems.
We had a reverse shell into the organization. Now we had to understand where the tax system was in order to breach it. We started with the endpoints in the organization to understand how the employees worked and what kind of programs they were using. Usually the employees dealing with taxes have their own custom-developed programs. We enumerated the endpoints of the organization and found out that all of the users were using a specific tax program.
We started to analyze this program to understand how it worked. We found out that the program was communicating with a remote server. We analyzed the communication with this server and then started analyzing the server itself. We found a critical vulnerability on the server that allowed us to execute arbitrary commands on it remotely.
We had now reached the tax systems and were able to execute commands on the server. We were not exactly sure what kind of information was stored on this server, but we knew it had something to do with taxes.
After analyzing the server a bit more we found another vulnerability that allowed us to reach the server’s database. We quickly understood what kind of data we had access to. Game over.
We were now able to read citizens’ tax data and change it. You can imagine the consequences if a malicious actor had gained access to this data.