My key takeaways
- Hafnium exploited the vulnerability shortly after M$ shared it with the MAPP program group. Coincidence?
- A DC usually runs DNS, so it is easy for an attacker to find
- Patch before the FBI does it for you
- Pretexting might be even more effective than phishing
- Example: in 2020 a teenager compromised Twitter's "god mode" admin panel by calling Twitter employees
- "Cialdini's Principles of Persuasion" are needed for pretexting:
  - Reciprocation
  - Commitment & Consistency
  - Social Proof
  - Liking
  - Authority
  - Scarcity
  - Unity
- Social engineering pro tip: letting your target know what information you already have makes you more believable and lends you authority
- Kevin Mitnick's warning about the "DarkSide" group:
  - they look up the victim's insurance policies to understand the limits for the ransom
  - they offer day traders the chance to short the victim's stock
- Demo "Exchange" (Hafnium)
- Demo "VMware vSphere vCenter"
  - Goal of this attack: steal a memory snapshot of the DC and extract credentials from it offline using the Windows debugger and mimikatz
  - vCenter should be internal, not internet-facing. Mitigate the risk by putting it behind an additional VPN
  - Bad actors phish a local workstation and proxy through it to vCenter. Mitigate by segmenting your network properly
Env
- Provided by KnowBe4
- Presenter: