This page contains all of the posts and discussion on MemeStreams referencing the following web page: Getting Owned Across the Air Gap.

Getting Owned Across the Air Gap
by possibly noteworthy at 5:56 am EST, Feb 23, 2008

To be considered in view of the $30 billion "cyber security" program:

I attended a fascinating talk yesterday at Blackhat given by Sinan Eren from Immunity in which he described a recent for-hire Information Operation.

In the talk he took pains to differentiate between a standard penetration test and the kinds of things they were doing; the primary differences being time scale and scope. In this case the time scale was long (though undisclosed) and the goal was compromise of some particularly sensitive data. He didn't say but it was probably product design or source code.

To maintain a stealthy ingress they decided to avoid easily exploited client side weaknesses and instead found something much more difficult to detect, a poorly implemented anti virus scanner on the mail transfer agent. After fingerprinting, building an equivalent MTA in their lab, and coding a unique one-time exploit of the poorly implemented AV file parser, they were in. Consolidation and expansion was done at a leisurely pace, greatly aided by the social engineering benefits of the MTA's access to all of the email traffic. Within a reasonable period of time they were able to relationship map many of the target's personnel, expand to the other side of the firewall, quietly exploit a number of client machines, and gain a good understanding of who was likely to have access to the information they were looking for.

Then interesting stuff happened.

From the Blackhat speakers page:

IO in the Cyber Domain, Immunity Style
Sinan Eren, VP of Research, Immunity

This presentation will discuss techniques to attack secure networks and successfully conduct long term penetrations into them. New Immunity technologies for large scale client-side attacks will be demonstrated as will a methodology for high-value target attack. Design decisions for specialized trojans, attack techniques, and temporary access tools will be discussed and evaluated.


 
 