This will be a thread discussing a real-world breach involving a drone-delivered exploit system that occurred this summer.
Some details I am not able to discuss; however, for the blue teams & red teams out there, I hope this provides a good measure of capability.
🧵🚁 🎮🖥️🦠
During this summer an East Coast company specializing in private investments detected unusual activity on their internal Confluence page that was originating on their own network.
The team isolated the Confluence server and began incident response.
During the incident response they discovered that the user whose MAC address was used to gain partial access to their Wi-Fi was also logged in from their home several miles away.
The team deployed embedded Wi-Fi signal tracing and a Fluke system to identify the Wi-Fi device.
This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered.
The Phantom was carrying a 'modified WiFi Pineapple device'.
It appeared neatly landed and was not damaged
While the Matrice was carrying a case containing 'a Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another Wi-Fi device'.
It was located near an HVAC / vent system and appeared to be damaged or hindered, but was still operable in a limited way.
During their investigation they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi.
This data was later hard-coded into the tools that were deployed with the Matrice.
These tools were used to directly target the internal Confluence page in order to target other internal devices from credentials stored there.
The attack was a limited success, and it appears that once the attackers were discovered they accidentally crashed the drone on recovery.
To summarize, this setup was estimated at over $15,000 USD for a one-time attack scenario.
Attackers are spending this range of budget in order to target your internal devices and are OK with burning it.
This is the 3rd real-world drone-based attack I have encountered in 2 years.
To clarify, 2 of these were real-world offensive actions against a house and a business,
and 1 of these was my red team during an engagement.
Learn from your attackers
Adapt your capabilities to identify, detect, and mitigate.
This is the reality we live in now.
Another thing to note, as stated: this was a primitive system compared to what is possible, yet it still worked.
Implement regular inspections of areas that can be droned, and MAC-address Wi-Fi security is not enough, even for guest or limited-access networks.
For red teams building capabilities I would recommend the Phantom 4, as it can carry approx. 6 pounds and it's not insanely expensive.
That can hold a case with @Hak5 and @flipper_zero tools, which would be ideal in many attack scenarios.
But I am not a drone expert, so YMMV.
A few people were asking why the initial drone was not recovered and was left there.
Honestly, I do not know either; there could have been a plan to recover it later, a failed recovery attempt, weather/battery issues, or maybe it was YOLO all the way.
Burn that money to get those credz
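The detection that caught this incident was a simple one: the same identity was attached to an on-site access point while also logged in from home. The following is an added example, not code from the thread's author or from any product, showing how that correlation can be run over controller and remote-access logs. The log formats, field names, usernames, MACs and timestamps are all constructed for the example.

```python
"""Correlate Wi-Fi association events with remote-access sessions and flag any
identity that is attached to an on-site access point while also connected from
home. Added example; the log formats, field names and records are constructed,
not taken from any real wireless controller or VPN product."""
from datetime import datetime, timedelta

# Constructed sample: office Wi-Fi controller association events.
WIFI_LOG = """\
2023-07-12T09:02:11Z assoc user=jdoe mac=AA:BB:CC:11:22:33 ssid=CORP-GUEST ap=ROOF-AP-2
2023-07-12T09:15:40Z assoc user=asmith mac=AA:BB:CC:44:55:66 ssid=CORP ap=FL3-AP-1
2023-07-12T13:40:05Z assoc user=jdoe mac=AA:BB:CC:11:22:33 ssid=CORP-GUEST ap=ROOF-AP-2
"""

# Constructed sample: VPN / remote-access session events.
VPN_LOG = """\
2023-07-12T08:55:00Z vpn-up user=jdoe src=203.0.113.7 geo=home-residential
2023-07-12T12:10:00Z vpn-down user=jdoe src=203.0.113.7
2023-07-12T13:30:00Z vpn-up user=asmith src=198.51.100.9 geo=home-residential
"""


def parse_line(line):
    """Split '<ts> <event> k=v k=v ...' into (datetime, event, fields)."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def vpn_sessions(log):
    """Map user -> list of (start, end) intervals; end is None while still up."""
    closed, still_open = {}, {}
    for line in filter(str.strip, log.splitlines()):
        ts, event, f = parse_line(line)
        user = f["user"]
        if event == "vpn-up":
            still_open[user] = ts
        elif event == "vpn-down" and user in still_open:
            closed.setdefault(user, []).append((still_open.pop(user), ts))
    for user, start in still_open.items():
        closed.setdefault(user, []).append((start, None))
    return closed


def find_dual_presence(wifi_log, vpn_log, slack=timedelta(minutes=5)):
    """Return Wi-Fi associations that overlap a remote session of the same user.

    `slack` widens each remote session so a join shortly before or after a
    VPN up/down event still counts as simultaneous presence."""
    sessions = vpn_sessions(vpn_log)
    findings = []
    for line in filter(str.strip, wifi_log.splitlines()):
        ts, event, f = parse_line(line)
        if event != "assoc":
            continue
        for start, end in sessions.get(f["user"], []):
            if ts >= start - slack and (end is None or ts <= end + slack):
                findings.append({
                    "user": f["user"], "mac": f["mac"], "ap": f["ap"],
                    "wifi_time": ts.isoformat(), "remote_since": start.isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for hit in find_dual_presence(WIFI_LOG, VPN_LOG):
        print(f"ALERT {hit['user']} on {hit['ap']} ({hit['mac']}) at "
              f"{hit['wifi_time']} while remote since {hit['remote_since']}")
```

On the constructed input only the first jdoe association is flagged: it falls inside jdoe's home VPN session, while the 13:40 association happens after that session ended. Keying on the username rather than the MAC is deliberate, since the whole point of the incident is that the MAC was cloned; the access point name tells the responder where to start looking.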
Since I'm 6 drinks in for 20 bucks, let me tell you all about the story of how the first Microsoft Office 2007 vulnerability was discovered, or how it wasn't.
This was a story I was gonna save for a book but fuck it, I ain't gonna write it anyways.
So in my first month working at eEye in late 2006, good ol' Microsoft announced Office 2007.
They said they had added a shit ton of security, including safe int, sandboxing, code analysis, and malformed doc detection.
I told my boss I was gonna break it.
So I started fuzzing by hand.
I'm the kind of sicko who can open a Microsoft Office document in a hex editor and start telling you what it is all about just by scrolling down.
I have spent an embarrassing amount of time looking at BIFF format in a hex editor, trust me it's nothing special
A 🧵 I wanted to share one of my more recent successful red team campaigns so others can test & tabletop.
The client, like many others recently, implemented an approved internal AI interface for code questions and searches.
This was essentially a wrapped ChatGPT UI + file search.
The site was 3rd-party developed and had several implementations before rolling out in stages to all departments.
For this scenario the goal was to compromise a separate dev and finance team with limited access in order to gain access to the production environment and financials.
The attack first created a spoofed Google Cloud and email to appear similar to the 3rd-party company who used this service.
At this point a spoofed email was sent to several junior developers and low-level HR people on the target teams, posing as the AI portal dev team.
It's 11pm and the VC bros next to me are starting a company and are gonna roll out WordPress as their CRM, and they think they can manage it themselves with a Microsoft Azure cloud and MongoDB. None of them have admin experience
💀💀💀💀
This is at a hotel bar.
They are in the carbon footprint reduction industry; I have no clue wtaf that involves, but it sounds like a lot of cold calling and selling people materials from what I heard.
Guys, they are discussing WordPress security and how one of their previous companies had to wipe everything "because a baddie broke their WordPress and shit".
Are your sandboxes leaking out information that allows attackers to visibly fingerprint your environment and evade analysis?
This 🧵 is a deep dive into this method and why I find it relatively primitive yet elegant & efficient as a sandbox system bypass.
Those with watchful eyes might have noticed that the leaked information in the above screenshot is the entire system settings in XML format.
How many settings? 118,000 bytes' worth, detailing everything from hardware, firmware, BIOS, manufacturers, PNP devices, printers, etc.
This information comes from the Microsoft Windows System Assessment Tool, aka WinSAT. It has been implemented since Windows Vista, and you can read all about it here:
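The defensive question the thread raises is what a sandbox image actually discloses through this artefact before an analyst ever looks at it. The following is an added example, not the thread author's code or Microsoft's, that a sandbox operator can run over a WinSAT-style XML export to list every disclosed field and flag the values that plainly name a hypervisor, so those fields can be normalised in the image. The XML below is a constructed approximation of the WinSAT data store layout, not a real export, and the list of hypervisor markers is an assumption the operator should extend for their own platform.

```python
"""Audit what a WinSAT-style system configuration XML discloses about the host.
Added example; SAMPLE_XML is a constructed approximation of the WinSAT data
store layout and the marker list is an assumed starting point, not exhaustive."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a sandbox VM's assessment file, trimmed to a few sections.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<WinSAT>
  <SystemConfig>
    <OEM><Manufacturer>innotek GmbH</Manufacturer><Model>VirtualBox</Model></OEM>
    <BIOS><Vendor>innotek GmbH</Vendor><Version>VirtualBox</Version></BIOS>
    <Processor><Instance id="0"><ProcessorName>Intel(R) Core(TM) i7</ProcessorName><NumberOfCores>2</NumberOfCores></Instance></Processor>
    <Memory><TotalPhysicalMemory>2147483648</TotalPhysicalMemory></Memory>
    <Disk><Model>VBOX HARDDISK</Model></Disk>
    <Graphics><AdapterDescription>VirtualBox Graphics Adapter</AdapterDescription></Graphics>
    <Printer><Name>Microsoft Print to PDF</Name></Printer>
  </SystemConfig>
</WinSAT>
"""

# Assumed hypervisor vendor strings; extend for the platform you actually run.
HYPERVISOR_MARKERS = re.compile(r"vmware|virtualbox|vbox|innotek|qemu|bochs|xen|hyper-v|virtual", re.I)


def walk(elem, path=""):
    """Yield (xpath-like path, text) for every element that carries text."""
    here = f"{path}/{elem.tag}"
    if elem.text and elem.text.strip():
        yield here, elem.text.strip()
    for child in elem:
        yield from walk(child, here)


def audit_winsat(xml_text, markers=HYPERVISOR_MARKERS):
    """Summarise disclosed fields and flag values that name a hypervisor."""
    root = ET.fromstring(xml_text)
    disclosed = list(walk(root))
    sysconfig = root.find("SystemConfig")
    sections = [child.tag for child in sysconfig] if sysconfig is not None else []
    flagged = [(path, value) for path, value in disclosed if markers.search(value)]
    return {
        "bytes": len(xml_text.encode("utf-8")),
        "sections": sections,
        "fields": len(disclosed),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = audit_winsat(SAMPLE_XML)
    print(f"{report['bytes']} bytes, {report['fields']} fields across "
          f"{len(report['sections'])} sections: {', '.join(report['sections'])}")
    for path, value in report["flagged"]:
        print(f"  fix: {path} = {value!r}")
```

Run against the real data store files in a sandbox image rather than the constructed sample, the `flagged` list is the to-do list for normalising the image; the `sections` list is the reminder that the file discloses far more than vendor names, which is why the thread calls it a 118,000-byte dump of the whole system.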
PSA: In the last week I have seen 3 examples of a relatively new strategy targeting telcos & the iPhones of victims.
With the increased measures against SIM swapping, it seems attackers are switching over to 2 other methods to compromise phones:
- Call forwarding
- Parental tools
Both attacks are similar in that attackers (likely related to Lazarus) are either social engineering telcos or using an insider at these companies to conduct these attacks.
In all of these cases it was leading up to ATO of iCloud and/or password managers.
The call forwarding attack is relatively straightforward:
The attacker calls the telco and social engineers the operator, convincing the agent to switch a line to call forwarding because of a vacation.
The attacker then forwards the number to a VoIP number they control.
So for all my followers who are wondering why TikTok is being investigated and potentially banned: it is because of several reasons. Here's a 🧵
A. They used data from their app to geolocate whistleblower journalists and physically go to their location.
B. They violated policy on data harvesting by using their in-app browser instead of the supplied mobile browser; this obtains much more data than what is normally collected, and it's shady practice.
C. They have repeatedly been caught using methods that get information using your phone's gyroscope and other sensors on the phone in order to locate you and track your location even without geodata and tracking enabled.
D. They have questionable ties to the Chinese government even when they deny it. This is the same group of people that hacked many sensitive data repositories and