Breach Recovery

Started by deanwebb, March 28, 2017, 09:06:57 AM


deanwebb

My daughter tells the tale of what happened at her workplace. It's a small 20-employee operation. The boss's wife decided she needed to be able to work from home, so she installed "work from anywhere" software on the main server so that she could do work on it.

There is no actual firewall for the enterprise.

The owner, who is totally not technical, installed firewall software on the server, which runs Linux, and called it a day.

This arrangement has been in place for about a month. Yesterday, one of my daughter's coworkers noticed that the mouse was moving independently on the server screen.

The boss thinks scanning for viruses and removing them will be sufficient. I say not. I had a brainstorm about how hacked they were and had so much fun with it that I wanted to present the situation to you and have you think of all the ways this business could have been hacked.

Don't ask questions: just assume the worst.

GO!  >:D
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
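
Before anyone argues about how bad it is, the two things worth knowing about that server are whether its remote-access software is listening on every interface (with no edge firewall, that means the whole Internet) and whether anyone is currently logged in from outside the office. The script below is an added example, not code from the post or from anyone in the thread. It assumes a Linux server with iproute2's `ss`, an office LAN prefix of 192.168.1. (placeholder), a list of default remote-access ports (22 SSH, 3389 RDP, 5900-5909 VNC, 5938 TeamViewer), and constructed sample `ss`/`who` output standing in for the real host; none of those details come from the thread.

```shell
#!/bin/sh
# Added triage example for the situation in the thread (not code from the post):
# a Linux server with remote-access software installed, a host firewall only,
# and a mouse moving on its own. Two cheap checks before anyone reaches for a
# virus scanner:
#   1. Which listening sockets are bound to every interface on a port used by
#      remote-access tools (so reachable from the Internet with no edge firewall)?
#   2. Which logged-in sessions come from outside the office LAN?
# Assumptions (not from the thread): the office LAN prefix, the port list, and
# the constructed sample output below, in the format of `ss -tuln` and `who`.

OFFICE_NET="192.168.1."   # assumption: office LAN prefix; change to match the site

# Default ports of common remote-access services (documented defaults):
# 22 SSH, 3389 RDP, 5900-5909 VNC displays :0-:9, 5938 TeamViewer.
REMOTE_PORTS="22 3389 5900 5901 5902 5903 5904 5905 5906 5907 5908 5909 5938"

# Reads `ss -tuln` body lines (header removed) on stdin and prints
# "<proto> <local address:port>" for each listener bound to all interfaces
# (0.0.0.0, [::] or *) on one of REMOTE_PORTS. Loopback-only binds are ignored.
flag_exposed_listeners() {
    awk -v ports="$REMOTE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF >= 5 {
            laddr = $5                          # e.g. 0.0.0.0:5900 or [::]:22
            port = laddr; sub(/.*:/, "", port)  # text after the last colon
            addr = laddr; sub(/:[^:]*$/, "", addr)
            if ((addr == "0.0.0.0" || addr == "[::]" || addr == "*") && (port in want))
                print $1, laddr
        }'
}

# Reads `who` lines on stdin and prints "<user> from <host>" for every session
# whose origin is not on OFFICE_NET. Local consoles (no host field) and local
# X displays such as (:0) are skipped; hostnames are flagged, since they are
# not LAN addresses.
flag_foreign_sessions() {
    awk -v lan="$OFFICE_NET" '
        $NF ~ /^\(.*\)$/ {
            host = substr($NF, 2, length($NF) - 2)
            if (host ~ /^:/) next                      # local X display
            if (index(host, lan) != 1) print $1, "from", host
        }'
}

# Constructed sample data standing in for `ss -tuln | tail -n +2` and `who`
# on the server described in the thread.
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 5    127.0.0.1:631  0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:5900   0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:68     0.0.0.0:*
tcp   LISTEN 0 128  [::]:22        [::]:*'

SAMPLE_WHO='bob      tty1         2017-03-28 08:40
alice    pts/0        2017-03-28 09:01 (192.168.1.23)
admin    pts/1        2017-03-28 09:05 (203.0.113.77)'

if [ "${1:-}" = "--live" ]; then
    # Run against the real host (Linux with iproute2's ss).
    echo "# exposed remote-access listeners"; ss -tuln | tail -n +2 | flag_exposed_listeners
    echo "# sessions from outside $OFFICE_NET"; who | flag_foreign_sessions
else
    echo "# exposed remote-access listeners (sample)"
    printf '%s\n' "$SAMPLE_SS" | flag_exposed_listeners
    echo "# sessions from outside $OFFICE_NET (sample)"
    printf '%s\n' "$SAMPLE_WHO" | flag_foreign_sessions
fi
```

Run it with no arguments to see it work on the constructed sample (it flags the 0.0.0.0 and [::] SSH binds, the VNC bind, and the session from 203.0.113.77, and ignores the loopback-only CUPS port); run it with `--live` on the actual server. Neither check proves compromise, but a remote-access port open to the world plus a session from an address nobody recognises is the point at which "scan for viruses" stops being a plan and "pull the network cable and image the disk" starts.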

Ctrl Z

They've probably been part of a botnet for awhile now.

dlots

Probably have a few rootkits on there; it's probably just counting down two years, or until it notices a large date change (like a restored backup), at which point the ransomware kicks off and that's two years of data they have to pay to get back.

Till then the hacker is just making a few bucks with it hosting child porn, which is drawing Anonymous's attention, and the FBI's. Their gear was recently hacked by Anonymous, and all their data stolen, and their company is about to be well known for being pro-kiddy porn; then all the servers will be taken as evidence in the child porn case, and their backups are infected with ransomware, and the person who set it up was incompetent, so now you can't even pay to get it back. Their only hope of getting the data back is trying to buy it from the Anonymous hacker who is selling it on the dark net. However, since the owners who set up the servers are now being arrested for hosting child porn, this is the least of their concerns.

deanwebb

Quote from: dlots on March 28, 2017, 02:21:41 PM
Probably have a few rootkits on there; it's probably just counting down two years, or until it notices a large date change (like a restored backup), at which point the ransomware kicks off and that's two years of data they have to pay to get back.

Till then the hacker is just making a few bucks with it hosting child porn, which is drawing Anonymous's attention, and the FBI's. Their gear was recently hacked by Anonymous, and all their data stolen, and their company is about to be well known for being pro-kiddy porn; then all the servers will be taken as evidence in the child porn case, and their backups are infected with ransomware, and the person who set it up was incompetent, so now you can't even pay to get it back. Their only hope of getting the data back is trying to buy it from the Anonymous hacker who is selling it on the dark net. However, since the owners who set up the servers are now being arrested for hosting child porn, this is the least of their concerns.

:yeahright:

Now THAT is some worst-case stuff!

deanwebb

The Quickbooks files are all copied off the servers and there are now several dozen stolen IDs getting LOTS of credit cards and buying LOTS of gift cards with said credit cards.

It's also now got a mail server running on it, shooting spam all 'round the world.

Also also it is now a Tor exit node.

Also also also it is now recording everyone using it as a Tor exit node.

Also also also also it is a launching pad for *real* Russian hackers, who are now very happy to have another base IP address in the USA.

OK, those are bad, but I can't get close to dlots' scenario above. Daaaaaaaaaaaaaaaaamn, that's bad!

wintermute000

In all likelihood it will be the usual: spam forwarding, botnet hosting, and then one day, CryptoLocker.

Dieselboy

Best case scenario, it's just the boss's wife trying to work from home  :XD:

On Friday I was working out a QoS problem between sites, so I called up the office to speak to the only person who'd arrived for the day, to explain that I would be controlling a phone there so I didn't freak her out.