On April 7, 2020, the San Francisco International Airport (SFO) released a notice confirming that two of its websites, SFOConnect.com and SFOConstruction.com, were targets of a cyberattack in March 2020. The attack has been attributed to a hacker group that was attempting to steal the Windows logins of the airport’s employees.
When we hear news about cyberattacks, a few typical, yet crucial questions spring to mind: How did the attackers perform the cyberattack? Why did the airport authorities take so long to discover the breach? Could the breach have been prevented? And most importantly, am I at risk too?
The attack involved the use of the Server Message Block (SMB) protocol, a client-server communication protocol used for sharing access to files, printers, and serial ports in a network. In order to acquire a deeper understanding and examine the possible reasons behind the breach, we took up the mammoth task of simulating the breach on our end.
STEP 1: INTRUSION
If you observe the highlighted region in the image above, you will notice that the src (source) points to an image on a remote system (file://18.104.22.168/icon.png). As you have probably already realized, the code inserts an image into the website’s HTML.
STEP 2: SETTING UP A NETWORK SNIFFER ON THE ATTACKER’S SYSTEM
We now need to set up the attacker’s system, or the remote system from which the code is trying to fetch the image from. The system can be a non-domain system too.
A network sniffer, a tool that captures any request coming from other hosts, must be installed next.
The above image is a publicly available PowerShell script that poisons all Link-Local Multicast Name Resolution (LLMNR) requests.
We will examine LLMNR in detail in future blog posts, but for now, all you need to know is that LLMNR is like a backup DNS server used for resolving hostnames when the DNS fails to find a hostname. Below is a visual representation of the attack.
The above is an example of an SMB-relay attack.
STEP 3: DUMP VICTIM NTLM HASHES TO THE ATTACKER’S SYSTEM
- \\Serv1 in the above representation is the PNG file injected into the website.
- The victim user’s browser attempts to locate the image using its UNC path FILE:// from the attacker’s system using the SMB protocol.
- Thanks to the network sniffer, attackers are now able to retrieve the NTLM hashes of the victim.
The prospect of being on the receiving end of one of these attacks is scary, but there are ways to prevent them.
NOTE: The attack outlined above is a similar concept to the San Francisco International Airport breach, but the actual tools used and the attack method may vary.