The 100 Million Dollar Getaway - Horror Stories 2015

Price McDonald, Director Labs Professional Services

In today's security landscape, companies face daily threats to their reputation and intellectual property.  The typical response to these threats is to purchase a tool or a service claiming to be a magical silver bullet that can respond to all "cyber" threats.  In reality, the quest for a security silver bullet is a fool's errand, and any solid security program will revolve around continuous evaluation and training against emerging threats.

One day a client of Coalfire's decided to bring us in for a Red Team assessment with a specific goal in mind: gain access to their finance management platform in order to prove or disprove the possibility of taking control of their multibillion dollar brokerage accounts.  This would not only allow them to test their security controls, but it would also have the added benefit of testing their response capabilities in the event we were able to access this proverbial treasure trove.

 After weeks of meticulous planning, Coalfire launched several successful attacks of spearphishing, physical and technical attacks, and eventually gained access to the target’s facility as any one of their numerous third-party contractors would.  From there, the assessors roamed around the facility for hours using fake badges culled together from various open source platforms.  While the main goal of this assessment was to access the keys to their financial kingdom, there was also significant emphasis put on staying undetected.  For the next several weeks, Coalfire maintained persistent access and ultimately reached their end goal with the bonus of also gaining access to their accounts directly through their financial providers.  As it turns out, multi-factor authentication is less than helpful when someone leaves their accounts logged in.

While it is not uncommon for Coalfire to be successful in these types of engagements, what came to light was truly shocking.  Not only did Coalfire have access to transfer millions of dollars, the target was unable to correlate any logs or data that would allow them to track the source of the breach.  Had this not been an exercise, they would have had no idea how or when these actions had taken place.   While major breaches are not uncommon, our simulated attack clearly proves the value of training response staff and continuously testing to ensure any blind spots are addressed before an evil hacker creates a nightmare for your organization.

Learn more about Coalfire Labs:
Penetration Testing
Vulnerability Scanning & Assessments
Social Engineering
Application Security

Read our other IT Security Horror Stories:
The 100 Million Dollar Getaway
The Ghosts Inside
Breaching a bank in 20 minutes

Past Horror Stories
Truth is SCARIER than Fiction Redux
Is your Network an Unsegmented Haunted House?
Digging your own grave with Default Credentials
Slow Network, Big Phish
The Case of the Phantom Blood Red Team
A Tale of Spooky Hosted Images
Ghost in the Machine
Tale of the Fake IT Rep
Truth is Scarier Than Fiction
The Case of the Phantom Technician

Price McDonald


Price McDonald — Director Labs Professional Services

Recent Posts

Post Topics