Episode Two – The Mobile Threat

Summary and Translation of Episode One, Setting the Hook.
In Episode One, we saw Ian and Myles send a mass email with a malicious link disguised as a Facebook friend request, phishing for victims. We’re not sure how many others fell for the fake email, but we know that Nancy at Acme Widgetco clicked the link and, seconds later, Myles and Ian were watching her via her webcam and exploring the files on her local hard drive.  Episode One is available here.

“Jake, I have an important meeting with potential investors in 12 minutes and I need to be able to connect my phone to the network to access my presentation.” Mr. Peters had apparently just discovered Chromecast and was planning to use his newfound streaming prowess to impress the potential investors. Jake quickly weighed the options and decided that letting Mr. Peters’ phone onto the internal network and keeping his job beat pointing out what a horrible idea it was while being escorted out the door with a pink slip and a little folding banker’s box of personal effects.

Jake knew it was a bad plan. The guest network existed for exactly this: personal and visitor devices get internet access without ever touching the internal LAN. But the CEO title tended to come with superpowers, and IT best practices didn’t stand a chance. That was how it started.

With the meeting now only 10 minutes away and attendees already starting to pile in, Jake decided it would be easier to disable MAC filtering and loosen the firewall rules for the whole network during the meeting than to write a narrow exception for one phone and one Chromecast and tighten things back up afterwards. It wasn’t the way to do it right, but it was the way to do it right now, and that would have to do.

“Great job Jake, the presentation went off without a hitch. I appreciate that you were able to get it going for me on such short notice. Not only was I able to show the presentation, but several of the potential investors were able to connect to the wifi and download a copy to take back with them. We really knocked this one out of the park.” Mr. Peters bragged and, as he walked away, jokingly said “and I didn’t even break it”. Jake was a little irritated at the snarky comment but was glad it was over and was ready to lock things back down.

Nancy’s computer at Acme Widgetco had proven to be a huge catch. It had been a few weeks since Myles had broken in and there was no indication that anyone knew. As a result, Ian had given Myles some ‘creative freedom’ to be a little more aggressive in his search for new victims and tactics. Myles knew that ‘creative freedom’ meant ‘enough rope to hang himself’, so he was careful, but his standard practice was to plant a virus bomb that would encrypt everything (and then demand a ransom, paid to a made-up bitcoin wallet, in exchange for a non-existent decryption key) in case he ever had to make a quick exit and didn’t have time to clean up his tracks. This scorched-earth approach meant that anything left on the box would be destroyed, which left it equally useless to the victim and to the forensics team. Myles had been working on a mobile virus and now, with Nancy’s computer as a waypoint (with no ties back to him or Ian), he had a way to safely test it.

The new virus was brilliantly simple. Once installed on a mobile phone, it forwarded the details of the phone to Myles and then just waited for new wireless network connections. Each time the phone joined a new network, the virus ran a quick scan and sent a detailed list of the computers it found to Nancy’s computer, which notified Myles that new targets were available. Myles could then review the list and, if there were any sufficiently high-value targets, attack them directly through the phone. The beauty was that the phone let them bypass the victim’s perimeter firewall entirely: the phone sat on the victim’s wireless network with one radio and on the 3G, 4G or LTE network with the other, so the command-and-control traffic never crossed the corporate firewall at all. That traffic went over Tor, so to a casual onlooker (or a snooping systems admin watching the phone) it looked like ordinary encrypted web traffic. The only trace left on the victim’s network was the scan itself.

“Ian, looks like we’ve got one!!” Myles was having trouble containing his excitement. Ian had been sure it was a dumb idea, but Myles had spent most of the previous morning loitering at the local coffee shop spreading his new virus to unsuspecting patrons. Until now, Myles just had a list of mobile phones that were supposed to be scoping out new networks, hardly worth the effort and certainly not enough to justify Myles hanging out at the coffee shop. Now, though, someone named “Tom Peters” had connected to a network and the quick scan confirmed there was a Windows Server on it. Paydirt. The virus did exactly what it was designed to do and, by the time Myles pulled up the scan, it had identified a Windows Server that hadn’t yet been updated with the latest security patches: an easy target. Not knowing how long he had before the phone dropped off the network, and comfortable that there were two layers of obscurity between the new victim and him, Myles worked fast and a little less cautiously than he normally would. He pounced on the Windows Server and had domain admin rights within minutes. With persistent access to the network in place, he stepped back a moment to see what else his new toy could find.

Now that the meeting was over, it was time to put things back in place. Jake had made a backup of the firewall before lowering the fences and decided to restore that backup rather than try to lock things down by hand. Trying to ‘undo’ his changes meant he might overlook or forget something, whereas the original configuration was hardened, tested and confirmed good. Before reverting, though, he saved the traffic logs, just in case. He didn’t think anything had happened (after all, Mr. Peters had reassured him he hadn’t broken it, right?), but better safe than sorry. Logs saved and a quick firewall reboot later (fingers crossed that no one noticed), and he was good to go.
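The traffic logs Jake saved are exactly where the phone’s “quick scan” from the previous section would show up: one freshly joined wireless client touching a dozen internal hosts on SMB, RDP and other service ports within a few seconds, while normal users talk to one or two servers. The following script is an added example, not part of the original story or any real product; the log line format, the addresses, the 10.1.20.0/24 “wifi client” range and the thresholds are all constructed for illustration. It parses the saved lines and flags any source that reached an unusual number of distinct destinations inside a short sliding window.

```python
"""Horizontal-scan detector for saved firewall traffic logs.

Added example. The log format below is an assumption (constructed for this
illustration); adapt LINE_RE to the firewall that produced the real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.1.20.57 (a wifi client) sweeps ten internal hosts
# in six seconds; 10.1.10.22 and 10.1.10.23 are ordinary desktop traffic.
SAMPLE_LOG = """\
2015-03-12T10:14:01 ACCEPT src=10.1.20.57 dst=10.1.10.5 proto=tcp dport=445
2015-03-12T10:14:01 ACCEPT src=10.1.20.57 dst=10.1.10.6 proto=tcp dport=445
2015-03-12T10:14:02 ACCEPT src=10.1.20.57 dst=10.1.10.7 proto=tcp dport=445
2015-03-12T10:14:02 ACCEPT src=10.1.20.57 dst=10.1.10.8 proto=tcp dport=3389
2015-03-12T10:14:03 ACCEPT src=10.1.20.57 dst=10.1.10.9 proto=tcp dport=3389
2015-03-12T10:14:03 ACCEPT src=10.1.20.57 dst=10.1.10.10 proto=tcp dport=80
2015-03-12T10:14:04 ACCEPT src=10.1.20.57 dst=10.1.10.11 proto=tcp dport=135
2015-03-12T10:14:04 ACCEPT src=10.1.20.57 dst=10.1.10.12 proto=tcp dport=139
2015-03-12T10:14:05 ACCEPT src=10.1.20.57 dst=10.1.10.13 proto=tcp dport=22
2015-03-12T10:14:05 ACCEPT src=10.1.20.57 dst=10.1.10.14 proto=tcp dport=443
2015-03-12T10:14:07 ACCEPT src=10.1.20.57 dst=10.1.10.5 proto=tcp dport=445
2015-03-12T10:15:00 ACCEPT src=10.1.10.22 dst=10.1.10.5 proto=tcp dport=445
2015-03-12T10:15:30 ACCEPT src=10.1.10.22 dst=10.1.10.6 proto=tcp dport=443
2015-03-12T10:30:00 ACCEPT src=10.1.10.23 dst=10.1.10.5 proto=tcp dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every line matching LINE_RE.

    Lines that do not match (headers, truncated lines) are skipped rather
    than aborting the whole analysis.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_scanners(events, min_hosts=8, window=timedelta(seconds=60)):
    """Return {src: set_of_all_dsts} for every source that reached at least
    `min_hosts` distinct destinations inside any sliding window of `window`.

    Per source, events are sorted by time and a two-pointer window keeps a
    count of distinct destinations currently inside the window.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _dport in events:
        by_src[src].append((ts, dst))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        in_window = defaultdict(int)  # dst -> number of events in window
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window ending at `ts`.
            while evs[start][0] < ts - window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_hosts:
                hits[src] = {d for _, d in evs}
                break
    return hits


def wifi_client_scanners(text, client_prefix="10.1.20.", **kwargs):
    """Scanners whose source address is in the (assumed) wifi client range,
    i.e. the devices that were let onto the internal network for the meeting."""
    return {
        src: dsts
        for src, dsts in find_scanners(parse_log(text), **kwargs).items()
        if src.startswith(client_prefix)
    }


if __name__ == "__main__":
    for src, dsts in wifi_client_scanners(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} internal hosts: {sorted(dsts)}")
```

The threshold is deliberately a tunable: eight distinct hosts in a minute is conservative for a phone whose only legitimate job was to reach one Chromecast, but a DHCP server, monitoring box or domain controller on the same segment would trip it, so run it against the address range that was opened up rather than the whole log. Pairing the flagged source with the DHCP lease and wireless association logs for the same minute gives the device identity that the firewall log alone cannot.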

“Not only did we get the Peters, Bradford and Johnson network (he couldn’t help but snicker at this, PB&J), but we also nailed a couple more phones in the process that had email accounts for different companies,” Myles said, and couldn’t have been more proud. It seemed that the old days of sending out fake Facebook friend requests, ADP payroll errors and the like (not to mention having to maintain those fake websites) were over. The future was sitting in coffee shops, sipping a latte while unsuspecting victims connected to the coffee shop’s ‘free’ wifi.