The presentation I gave in Login2020 (Eset track). The question is - why no one stops the robbers

1. UNDER THE HOOD
DARIUS POVILAITIS
DARIUS@ESEC.LT
HTTPS://TYRIMAI.ESEC.LT

2. MASSIVE REMOTE WORK – CHALLENGES IN THE
BEGINNING
What challenges arise when people massively started remote work ?
• The massive shift to remote work overwhelmed organizations internet links ( e.g. remote user count
increased 1200% )
• That caused problems for security patch install over those saturated internet links
• Service quality issues while video communications are forced to go over VPN
• Security scanning of remote workplaces might be impacted as well
• People started to use more and more online services be it public or private sector.
• Etc.

3. SOLUTIONS ?
These problems caused by massive instant shift for the remote work can be managed by redesigning your
network, process flows, etc.
Split tunneling might be the case for the saturated internet links. But this cure might cause another
problems – e.g. for the security:
• In split tunneling situation remote employees might lose additional protection provided by enterprise
defense systems. So the security risks arise even at the operational level.
These are indirect security risks caused by some major changes in the infrastructure and are / were
temporary. But let's look at the direct security risks.

4. MAJOR SECURITY RISKS
• Social / technical attacks
• Technical attacks

5. SOCIAL / TECHNICAL ATTACKS
• Due to CORONA, massive shift to collaboration platforms occurred.
• Those platforms has attracted increased attention from the hackers and some of them had
some serious security vulnerabilities ( e.g. Zoom ). People were well informed regarding
those vulnerabilities.
• Other popular collaboration platforms like Teams/Office365 did not receive so much attention.
Meanwhile most organizations using Office365 have authentication setup which might expose them to
the social-technical attacks.
• During the quarantine period people were forced to use more and more public services online.
The same is true for the financial institutions – all went online. Activities not directly related to work
also might bring some dangers.

6. O365 AUTHENTICATION METHODS
• User / password
• User / password + 2FA ( e.g. SMS or Microsoft Authenticator )
• Federation (here you can use digital certificates)

7. O365 - TWO FACTOR AUTHENTICATION
If an organization wants to implement O365 in a secure way, they are considering all the above-mentioned
authentication solutions. User password authentication is insecure – everyone understands that.
Federation with certificates – are legacy – that's what I was told by local solution providers. The winner
here is two factor authentication – 2FA – that's what is said
• Username / password with SMS (or Microsoft Authenticator ) solves all authentication risks. Really ?
Do you have such a setup ?
• What would you say if just one email or SMS could break all your security ?
• The biggest problem here is that organizations don't even understand that they could be very easy
target since they are assured that 2FA is very secure.

11. DEMO / MOVIE
• https://tyrimai.esec.lt/movies/ivairus/o365/all1.mp4

12. MICROSOFT O365
• It was nothing new :) The time to setup the interception just took several hours.
• It is very easy to enumerate the organizations which are using O365
• After that – just some spoofed SMS or emails – and you might be exposed

13. CHECK YOUR ORGANIZATION SETUP
During the break you can ask to try that on your organization. Sometimes it is very challenging to see that
someone else is inside your organization :)

14. ORGANIZATIONS USING O365

15. THE CYBER KILL CHAIN
The kill chain in cybersecurity defines various phases of an attack . Attacks may occur in phases and can be
disrupted through controls established at each phase.
The biggest challenge and the most important / difficult steps in containing an attack is to:
• Identify and prevent an attack in advance
• Mitigate an ongoing attack
Let's look at some real attack mitigation examples

16. MITIGATION CAPABILITIES / CURRENT SITUATION
• Companies usually do not boast when the intrusion occurs. So it is difficult to estimate the real situation
in this area
• On the other side we do see multiple cybersecurity incidents that are in the mass media. Let's analyze
them. Let's pay attention how these threats are mitigated when they are identified.
• The examples provided would show how real attack could be identified and stopped / mitigated. That
way we can estimate our capabilities to mitigate attacks.
• The conclusions you should make yourself :)

17. MAIN HACKERS TARGET
• In 99% cases – they are after money or something that lets them to make that money. Remember that.

18. SOCIAL / TECHNICAL ATTACKS - 1337 SMS
• Massive SMS subscribe to expensive services using number 1337.
• Mostly done using hacked websites .
• Attacks are not stopped for years.
• Here is a short movie how these attacks look like:
https://tyrimai.esec.lt/index.php?option=com_content&view=article&id=35

19. YEAR 2018

20. YEAR 2020

21. MITIGATION RESULTS – 1337 SMS
• Search the google for the keywords – 1337 SMS – you will see fresh complaints from multiple people

22. LINKS
• https://www.delfi.lt/mokslas/technologijos/ispeja-apie-nesuvaldomus-sukcius-uztenka-vienos-sms-kad-
is-jusu-nesustabdomai-siurbtu-pinigus.d?id=84490425
• https://www.delfi.lt/mokslas/technologijos/ispeja-apie-gudriai-veikiancius-sukcius-uztenka-vieno-sms-
kad-is-jusu-nesustabdomai-siurbtu-pinigus.d?id=78880551
• https://tyrimai.esec.lt/index.php?option=com_content&view=article&id=35

23. SOCIAL / TECHNICAL ATTACKS - CREDIT CARD
STEALING

24. KRISTIANA ESHOP

25. HUNDREDS OF WEBSITES IN THE END OF 2019

26. EMERGENCY RESPONSE CENTRE – NUMBER 112

27. CREDIT CARD STEALING - MITIGATIONS
• In some cases can be done rather easily. Current biggest credit card stealing botnet in Lithuania can be
easily stopped by just blocking several small networks.

29. ACTIVE MITIGATION ACTIONS
• Nothing that I know
• Some institutions – e.g. Bank of Lithuania or Gaming Control Authority block access to illegal websites.
• Why this cannot be done to stop stealing credit card data from Lithuanian citizens ?
"Show Must Go On" ...

30. LINKS
• https://www.delfi.lt/mokslas/technologijos/tiriama-ar-buvo-isilauzta-i-kristiana-el-parduotuve-galimai-
pasisavinti-klientu-duomenys.d?id=84499591
• https://tyrimai.esec.lt/index.php?option=com_content&view=article&id=52
• https://www.lrytas.lt/it/ismanyk/2019/12/12/news/sokiruojantis-tyrimas-400-lietuvisku-interneto-
svetainiu-slapcia-vagia-vartotoju-pinigus-ir-duomenis-12894109/
• https://tyrimai.esec.lt/index.php?option=com_content&view=article&id=55

31. PUBLIC / FINANCIAL SERVICES ATTACKS
During the quarantine period people were forced to use more and more public services online. The same is
true for the financial institutions – all went online
• Incorrect implementation of SMART-ID / Msignature has led to massive attacks against users.
• Obvious problem that has been before everyone eyes for several years
• Very slow problem fixing
• Problem fixing speed changes instantly if the attack hits certain organization

32. SMART-ID / MSIGNATURE
• Attack hit banks. To be more precise – the banks users. Remember – target is money.
• Due to the incorrect authentication implementation also all Egovernment services ( more than 600 )
were impacted
• It took more than half a year for Egovernment services to become not impacted ( not verified very
carefully)
• Some organizations were very fast fixing that problem – took it seriously ( State Enterprise Centre of
Registers )
• Some organizations are still impacted

34. OWASP TESTING GUIDE

35. NKSC

36. IGNITIS

37. DEMO / MOVIE
• https://tyrimai.esec.lt/index.php?option=com_content&view=article&id=48

38. LINKS
• https://www.15min.lt/verslas/naujiena/finansai/sukciai-seb-banko-vartotoju-atpazinimo-kodus-
paprasciausiai-atspedavo-spraga-bandoma-uzlopyti-662-1256248
• https://tyrimai.esec.lt/index.php?option=com_content&view=article&id=48

39. THANK YOU!
DARIUS@ESEC.LT