How We Paid 100,000 Rubles for Phishing

The Innostage open cyber testing program currently has one main unacceptable event and three intermediate ones with a smaller reward. On July 19, the ethical hacker prorok collected the 100 thousand rubles on offer for compromising an account. How did he manage it? Here is the story in detail.

To get into our infrastructure, prorok used good old phishing.

Preparing for an attack: letter, addresses and leverage

For phishing to work, you need to know the potential victim well, in our case, the company's employees and internal processes.

In our open cyber testing program, phishing is only allowed through corporate email, so the attack channel was determined for prorok from the start. The hacker collected all the data needed for the mailing using OSINT.

Addressees

The address list contained about 1,000 recipients. Most of them were found with theHarvester, a tool that automates OSINT. Contacts were also collected from social networks, in particular LinkedIn and VK.

“I didn't filter this list, I decided to launch it with what was there – I wanted to test the hack faster. I was blocked somewhere in the middle, that is, the letters did not reach all users. If I had spent time filtering, I would most likely not have been identified so quickly, but when the information security service saw the mailing, including to dismissed employees, they immediately recognized everything.”

Letter

SOC experts and employees who noticed the phishing agreed that the letter was of very high quality and almost indistinguishable from our corporate mailings.

  1. Sender

The sender was listed as the Technical Support Department. The sender domain looked like innostage.com.ru: because the extra [.com.] label was inserted into the middle of the address rather than changing the .ru ending, it raised far fewer questions.

  2. Special label

All external Innostage emails are marked with a special label. Prorok discovered it back in early July, while conducting reconnaissance, by sending an email to Innostage's general address: the reply retained a copy of the original message in the format its internal recipient would see.

  3. Text of the letter

It did not go without the help of neural networks: the letter was polished long and hard to hit the right tone between official and friendly. The text itself was sprinkled with details that helped disguise the phishing:

     1. A "new mail server" explained the strange, different domain.

     2. A "new VPN server" explained the incorrect link.

     3. The "new" mail and VPN servers had similar domains. Even the signature used the same domain [.com.ru], so the difference from the real address went unnoticed.

     4. The letter itself referred to the automatic "External Mail" marking.

Leverage was also applied:

  1. Losing all emails and calendar appointments could bring work to a standstill for employees in a large team like Innostage.

  2. The mailing went out on Friday, and the supposed migration was scheduled for the weekend, so there was no option to postpone the actions requested in the letter.
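The lookalike-domain tricks described above (an extra label inserted before the real TLD, and, in the second wave, "lnnostage" with an "l" in place of the "i") are exactly what a mail gateway rule should catch before the message reaches an inbox. The following is an added example, not code from the post or from Innostage: it classifies the domain part of a sender address against an assumed list of legitimate corporate domains (LEGIT_DOMAINS is an assumption, as is the small homoglyph table) and returns a verdict with a reason that an analyst can read.

```python
# Added example (not from the post): flag sender domains that imitate a corporate
# domain by appending extra labels (innostage-group.com.ru) or swapping look-alike
# characters (lnnostage-group). LEGIT_DOMAINS and the glyph tables are assumptions.
from typing import Tuple

LEGIT_DOMAINS = ("innostage-group.ru", "innostage.ru")  # assumption: the real mail domains

# Single-character substitutions attackers rely on; multi-character ones are handled first.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o"})
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'lnnostage' compares equal to 'innostage'."""
    s = domain.lower()
    for src, dst in MULTI_GLYPHS:
        s = s.replace(src, dst)
    return s.translate(HOMOGLYPHS)


def sender_domain(address: str) -> str:
    """Domain part of 'Support <support@x.ru>' or plain 'support@x.ru'; '' if absent."""
    addr = address.strip().rstrip(">").rsplit("<", 1)[-1]
    return addr.rsplit("@", 1)[-1].lower().strip(".") if "@" in addr else ""


def classify_sender(address: str) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allow', 'block' or 'review'."""
    domain = sender_domain(address)
    if not domain:
        return "block", "address has no domain part"
    # Exact corporate domain or one of its subdomains (vpn.innostage-group.ru).
    if domain in LEGIT_DOMAINS or any(domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return "allow", "legitimate corporate domain"

    sk = skeleton(domain)
    sk_labels = sk.split(".")
    # Pass 1: brand label in first position with a foreign suffix (innostage-group.com.ru),
    # possibly with homoglyphs on top (lnnostage-group.com.ru).
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if sk_labels[0] == brand:
            if sk != domain:
                return "block", f"homoglyph imitation of {legit}: {domain}"
            return "block", f"brand '{brand}' with foreign suffix '.{'.'.join(sk_labels[1:])}'"
    # Pass 2: brand embedded anywhere else (innostage-events.net) goes to analyst review.
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in sk:
            return "review", f"contains brand '{brand}' but is not {legit}"
    return "review", "unrelated external domain"


if __name__ == "__main__":
    for addr in ("support@innostage-group.ru",
                 "Technical Support <support@innostage-group.com.ru>",
                 "support@lnnostage-group.com.ru",
                 "news@innostage-events.net"):
        print(addr, "->", classify_sender(addr))
```

The two-pass order matters: a brand name in the first label with the wrong suffix is a confident block, while a brand name buried elsewhere in an unrelated domain is only a review signal, since partners and event organisers legitimately do that.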

Time to attack!

There were two waves in total: at 11:08 and at 13:21.

During the first wave, employees received 287 emails with a phishing link to vpn.innostage-group.com.

Prorok was able to bypass the corporate email security solution by using a specially crafted link that led to a phishing resource.

How the authentication data was obtained

The sender domains and target URLs were mimicked to look like the legitimate company resource vpn.innostage-group.ru.

“I assumed that an organization like you wouldn't do a VPN just over a domain account, and there would most likely be a second factor.”

When a user entered credentials into the form (even non-existent ones) and clicked LOG IN, they were automatically redirected to a page for entering the 2FA code. Here, too, the trick worked: a loading icon kept spinning, creating the impression that the login was in progress. After 20 seconds, the page asked for the 2FA code again, hiding behind an error message. The trick worked; several employees entered the code twice.

A total of 3 accounts were compromised. In one case, the employee handed over all authentication data, including the 2FA code (twice!). Conviction rate: 0 percent; enrollment rate in the phishing course at the corporate academy: 100 percent.

At 12:02 prorok connected to VPN from address 87.251.78[.]223 from a non-domain device.

Getting a foothold within the network: a good try, but no luck

The condition of the intermediate event is compromise plus a foothold. The bug hunter failed to achieve the second: the SOC was one step ahead and managed to analyze and block the malware downloaded from the phishing resource.

“I was unable to quickly penetrate the system because I downloaded the necessary VPN client after I had received the account data. I just didn't think about it. I acted alone, but perhaps if we had a team, colleagues would have prompted me to do this, and the foothold would have been established.”

Here is how it was supposed to work.

After the credentials are entered and the login button is clicked, the executable file “vpn-client-2.1.1.exe”, posing as a legitimate VPN client, starts downloading automatically, and the user is redirected to the page for entering the 2FA code.

When this executable is launched manually (it does not start on its own), the following chain of events occurs:

  1. The object “vpn-client-2.1.1.exe” copies its body to “C:\Users\Public\vpn-client-2.1.1.exe” (all users have write access to this directory).

  2. An HTTP GET request is made to 5.8.38[.]130:8000 to fetch the malicious DLL: HTTP://5.8.38[.]130:8000/REMOTE.DLL.

  3. The remote.dll library is loaded into memory without ever being written to the file system.

  4. The embeddable Python archive https://www.python.org/ftp/python/3.10.2/python-3.10.2-embed-amd64.zip is downloaded and its contents are unpacked into the C:\Users\Public\Python\ directory.

  5. A script is run through the Python interpreter: it loads the shellcode into memory, allocates memory and creates a thread via Windows API functions (VirtualAlloc, CreateThread, WaitForSingleObject), and executes the shellcode in a new thread within the process.
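Each step of that chain leaves endpoint telemetry that a detection rule can key on: a process writing a copy of itself into the world-writable Public directory, a DLL fetched over plain HTTP on a non-standard port, the embeddable Python distribution pulled down by something that is not a browser, and python.exe starting from under C:\Users\Public. The block below is an added example, not Innostage's detection content: it runs those four checks over a constructed list of simplified Sysmon-style events (the field names, the process names and the PIDs are assumptions; the URL and IP are the indicators quoted above). The in-memory shellcode stage of step 5 needs API-level telemetry and is deliberately not covered here.

```python
# Added example (not from the post): match endpoint events against the behaviour chain
# described above. Events are constructed, simplified Sysmon-style records; field names,
# process names and PIDs are assumptions. The IP and URLs are the indicators from the post.
from typing import Dict, List
from urllib.parse import urlparse

PUBLIC_DIR = "c:\\users\\public\\"                     # world-writable staging directory
PY_EMBED_PREFIX = "https://www.python.org/ftp/python/"  # embeddable Python distribution
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # processes expected to download zips

Event = Dict[str, str]


def basename(path: str) -> str:
    """Last path component, lower-cased, for both backslash and slash separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[Event]) -> List[str]:
    """Return one human-readable finding per matched stage of the chain."""
    findings: List[str] = []
    for e in events:
        image = e.get("image", "")
        pid = e.get("pid", "?")
        kind = e.get("type")
        if kind == "file_create":
            path = e["path"].lower()
            # Stage 1: an executable drops a same-named copy of itself into Public.
            if path.startswith(PUBLIC_DIR) and path.endswith(".exe") and basename(path) == basename(image):
                findings.append(f"self-copy into world-writable directory: {e['path']} (pid {pid})")
        elif kind == "http_request":
            parsed = urlparse(e["url"].lower())
            # Stage 2: DLL retrieved over HTTP on an unusual port (loaded in memory, never written).
            if parsed.path.endswith(".dll") and parsed.port not in (None, 80, 443):
                findings.append(f"DLL fetched over HTTP on port {parsed.port}: {e['url']} (pid {pid})")
            # Stage 4: embeddable Python pulled by a process that is not a browser.
            if e["url"].lower().startswith(PY_EMBED_PREFIX) and "-embed-" in parsed.path \
                    and basename(image) not in BROWSERS:
                findings.append(f"embeddable Python downloaded by {basename(image)} (pid {pid})")
        elif kind == "process_create":
            # Stage 5: an interpreter running out of the Public directory.
            if image.lower().startswith(PUBLIC_DIR) and basename(image) == "python.exe":
                findings.append(f"Python interpreter started from {e['image']} "
                                f"(pid {pid}, parent {basename(e.get('parent', ''))})")
    return findings


# Constructed sample: the chain as described in the post, plus one benign browser download.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "pid": "4120", "image": r"C:\Users\ivanov\Downloads\vpn-client-2.1.1.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": "4120", "image": r"C:\Users\ivanov\Downloads\vpn-client-2.1.1.exe",
     "path": r"C:\Users\Public\vpn-client-2.1.1.exe"},
    {"type": "http_request", "pid": "4120", "image": r"C:\Users\ivanov\Downloads\vpn-client-2.1.1.exe",
     "method": "GET", "url": "http://5.8.38.130:8000/remote.dll"},
    {"type": "http_request", "pid": "4120", "image": r"C:\Users\ivanov\Downloads\vpn-client-2.1.1.exe",
     "method": "GET", "url": "https://www.python.org/ftp/python/3.10.2/python-3.10.2-embed-amd64.zip"},
    {"type": "process_create", "pid": "5004", "image": r"C:\Users\Public\Python\python.exe",
     "parent": r"C:\Users\Public\vpn-client-2.1.1.exe"},
    # Benign: a developer fetching the same archive with a browser must not fire.
    {"type": "http_request", "pid": "2000", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "method": "GET", "url": "https://www.python.org/ftp/python/3.10.2/python-3.10.2-embed-amd64.zip"},
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

Any single finding is worth a look; two or more from the same process tree within a few minutes is the combination that matches this sample and justifies isolating the host rather than just raising a ticket.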

SOC's Countermove: How the Innostage Team Reacted

“I was not prepared for such prompt work by the security department. They responded quite quickly and blocked me.”

The first reports of possible phishing reached the SOC at around 11:30: vigilant employees did not click on the links but immediately forwarded the suspicious message to the company's Cyber Threat Countermeasures Center.

At 12:06 the first reports of phishing in corporate chats appeared.

In parallel, the SOC was already responding to the incident. At Innostage, we use our own Orchestrator product to manage the response: it lets us act on an attack comprehensively, controlling all the information security systems from a single window.

At 12:18, the sender address support@innostage-group.com[.]ru was blacklisted on the mail security tool.

At 12:32, the phishing resource was blocked by domain name and IP address on all the company's firewalls. At 12:34, the mail server from which the mailing was sent was blocked.

'Domain name vpn.innostage-group.com.ru successfully blocked'

'Host 31.31.196.104 successfully blocked'

'Domain name server141.***.ru successfully blocked'

To minimize the risk of user compromise, a script was launched on Orchestrator that removed phishing emails.

At 12:39, we identified the compromised accounts; all three were from the first wave. We terminated all their VPN sessions and blocked the users in our domain.

40 minutes later, the second wave of mailings began: this time another 300 emails were sent from the address support@lnnostage-group.com[.]ru (31.31.196[.]33) to a new list of recipients. The second wave ended faster than the first: SOC staff knew what they were dealing with and, in just 15 minutes, blocked all the resources (the sender address, the mail server and the phishing site) and deleted all the phishing emails.

'Address 5.8.38.130 successfully blocked'

'Domain name vpn.lnnostage-group.com.ru successfully blocked'

During the investigation, our correlation rules fired on an abnormal VPN connection by the compromised user: both the device and the source IP address differed from those recorded in the user's profile. The connection address was also added to the firewall blacklist.
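The correlation rule described here compares each successful VPN login with what has previously been seen for that user. As an added example, not Innostage's rule or product code, the block below builds that check over a constructed VPN log: the log format, the per-user profile (known hostnames and source networks, whether the user normally logs in from a domain-joined device) and the response actions are all assumptions. The one login from an unknown, non-domain device on an unknown network is the case the post describes, and it is the case that should trigger session termination, account lockout and blacklisting together rather than a lone alert.

```python
# Added example (not from the post): correlate VPN logins against a per-user baseline
# of known devices and source networks. Log format, profiles and action names are assumptions.
import ipaddress
import re
from typing import Dict, List

# Baseline built from earlier successful logins (constructed for this example).
PROFILES: Dict[str, dict] = {
    "ivanov": {"devices": {"LT-IVANOV-01"},
               "networks": {"198.51.100.0/24", "203.0.113.0/24"},  # office and home ISP ranges
               "domain_joined": True},
    "petrov": {"devices": {"LT-PETROV-02"}, "networks": {"198.51.100.0/24"}, "domain_joined": True},
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) domain=(?P<domain>yes|no) result=(?P<result>\S+)$")

# Constructed log: a normal login, the anomalous one (source IP taken from the post),
# a failed attempt and a successful login by a user with no baseline yet.
SAMPLE_LOG = """\
Jul 19 09:41:02 vpn: user=ivanov src=203.0.113.17 device=LT-IVANOV-01 domain=yes result=success
Jul 19 12:02:15 vpn: user=ivanov src=87.251.78.223 device=DESKTOP-K3R9 domain=no result=success
Jul 19 12:05:40 vpn: user=petrov src=10.20.3.4 device=LT-PETROV-02 domain=yes result=failure
Jul 19 12:40:09 vpn: user=sidorov src=198.51.100.8 device=LT-SIDOROV-01 domain=yes result=success
"""


def parse(line: str) -> dict:
    """Parse one log line into a dict; {} for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def assess(entry: dict, profiles: Dict[str, dict]) -> List[str]:
    """Reasons why a successful login deviates from the user's baseline (empty = normal)."""
    reasons: List[str] = []
    if entry["result"] != "success":
        return reasons  # failed logins are handled by a separate brute-force rule
    prof = profiles.get(entry["user"])
    if prof is None:
        return [f"no baseline profile for user {entry['user']}"]
    if entry["device"] not in prof["devices"]:
        reasons.append(f"unknown device {entry['device']}")
    src = ipaddress.ip_address(entry["src"])
    if not any(src in ipaddress.ip_network(n) for n in prof["networks"]):
        reasons.append(f"source {entry['src']} outside known networks")
    if prof["domain_joined"] and entry["domain"] == "no":
        reasons.append("login from non-domain device")
    return reasons


def find_anomalies(log_text: str, profiles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map 'user@timestamp' to its list of reasons for every anomalous login."""
    result: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse(line)
        if not entry:
            continue
        reasons = assess(entry, profiles)
        if reasons:
            result[f"{entry['user']}@{entry['ts']}"] = reasons
    return result


def response_actions(reasons: List[str]) -> List[str]:
    """Escalate to containment only when device and network both deviate at once."""
    if not reasons:
        return []
    actions = ["alert_analyst"]
    unknown_device = any(r.startswith("unknown device") for r in reasons)
    unknown_network = any("outside known networks" in r for r in reasons)
    if unknown_device and unknown_network:
        actions += ["terminate_vpn_sessions", "disable_domain_account", "blacklist_source_ip"]
    return actions


if __name__ == "__main__":
    for key, reasons in find_anomalies(SAMPLE_LOG, PROFILES).items():
        print(key, reasons, "->", response_actions(reasons))
```

Requiring both an unknown device and an unknown network before containment keeps a user's new laptop on the office network, or the usual laptop from a hotel, at alert level; the combination seen in the incident, plus the non-domain flag, is what warrants cutting the session and disabling the account.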

Conclusion

First, it is good that this was an open cyber test and not a real attacker. The reward for the attack was 100 thousand rubles; had it been a real fraudster, the damage could have been far greater.

Second, we were once again convinced that, like love, phishing spares no one. So it is important to stay vigilant and to run training within the company regularly.

By the way, in July the number of attacks on Innostage rose to 330 thousand, almost 15 times more than in June. “Ethical” hackers are actively reconnoitring our infrastructure. We invite you to try your hand at the open cyber testing program on the Standoff Bug Bounty platform for security researchers.
