Black Cats and Black Hats: A Spooky Cyber-Cautionary Tale
It’s officially spooky season, so it’s time for a scary campfire cautionary tale. We’ll learn how – without the right cyber security protections – small attacks that go bump in the night can turn into lurking, herculean abominations.
Once upon a midnight dreary, a hacker pondered superior and sneerily,
“How do I mess with the plastics giant MegaPetroCorp?”
What did they do to invoke her ire? Could it be their pollutants sending the planet haywire?
Or the corporation’s current human rights quagmire?
Important matters, yes, but not the focus of what’s about to transpire.
Time for her to go gently rapping, tapping at their virtual chamber door.
As autumn enters our view, our hacker plans what she feels is due.
She logs into her hacking tools as le_petit_chat_noir.
“The small black cat”, her hacker nom de plume. Carefully, she utters a digital mew.
Sniffing around the corp’s network to find where her answers are.
“Halloween’s a great time to strike! Their last-minute Christmas supplies can take a hike!”
Oh, what ideological havoc she’ll cause!
But here come flooding her reservations – our natural need for self-preservation.
Bravado diminished – maybe she can do something small to give the workers pause.
Yes, just this, and nothing more.
Ducking the aging firewall, just past this node, their intranet appears in plain HTML code!
A replaced image here, some tweaked copy there,
Exposing the company’s perceived ills, “The people will discover what really pays their bills”
But mind what you leave in your stead, script-kitty, beware.
She slinks out of the network, thinking “that’s that!”
But our true villain is not the small cat,
She just unwittingly left the backdoor open for any black hat.
An amorphous horror has entered the chat.
This opportune digital door, left ajar – news reaches the dark web, quite afar.
Awaiting the right party to spell disaster.
For on the dark web, an eldritch daemon waits, dreaming. A shadowy cabal begins scheming,
To please their masked, hidden paymasters.
Yet where the black cat’s curiosity led, could easily kill MegaPetroCorp dead.
Or perhaps a ravaged, rotting zombie – not quite alive.
The kitty’s highly visible hacks barely even covered her tracks.
It’s only a short time before the police arrive.
So, knowing not to blow their cover, the criminal group gratefully discover,
The company’s intranet – restored to its former glory,
Being used by all – remote workers, satellite branches, offices, factories big and small.
Yes – a persistent attack is the best way to progress this story.
With optimal stealth, and in pursuit of wealth,
The hacking group’s primary priorities,
They infect the intranet with an advanced persistent threat,
Away from the prying eyes of the authorities.
This tenacious malware scamp propagates across the network and sets up camp,
On all of the machines it meets.
Acting as criminal eyes and ears, the corporation’s entire infrastructure automatically appears
It’s like the group are in a shop full of Halloween treats!
The corporation’s global network is a goldmine.
From aging, unprotectable IT that does not age like fine wine,
To folks working from home without proper defences,
(Remote cybersecurity was deemed a strain on expenses)
To industrial control factory floor mechanisms at their European plants,
To city-centre offices with their flow of tech-reliant sycophants.
With persistence established and open eyes, the band plan their own spooky surprise.
But what? Ransom? Credential theft? Social Engineering?
“How about a smattering of all three?” Like a banshee wailing the gang’s fait accompli.
Their plan crystallises before them – the corp’s fate, ever nearing.
With attention turned to the firm’s main German factory, they find an authoritative target – most satisfactory.
The unit’s on-site director, one Herr Schmidt.
A busy business guy with a stylish spark – not to mention his own space in the car park.
And with that located, the criminals’ plan is legit.
And so, concealed by the dead of night, an agent enacts stage two of the criminals’ plight.
You see, Schmidt likes to post car pics on LinkedIn.
An Audi he treats with true reverence, but with numerous images as reference,
Locating the space doesn’t take much thinking.
And so, on Monday morn, near the driver’s side door,
A tech morsel blesses Schmidt’s peepers.
In a cruel twist, this flash guy will be taken down by a flash drive.
But he’s thinking… wait… what’s German for “Finders Keepers”?
Now the trap has been sprung, though the fear's not yet realised,
And before he even reaches his desk, Schmidt's plans for the drive are idealised.
To store his pics from his business trips – far off climes, but all very metropolitan.
So, what’s on there? Just a gif of a dancing skeleton.
Just a goofy, dancing bone man – but one with a sting in its coccyx,
Because in the background hides malware, quickly unravelling its logic.
Henceforth broadcasting every keystroke – a password here, a debit card there
The hackers follow his digital movements everywhere.
With sensitive SCADA control passwords stolen, as silent as a mouse.
The criminals achieve a horror fan’s worst nightmare – the call coming from inside the house.
Passwords to hand, our hacking behemoth begins their two-pronged attack.
Using Schmidt’s login to give the corp’s factory floor a whack.
They invisibly tinker with the chemical makeup of MegaPetroCorp's biggest selling plastic,
Making it less firm, less hard-wearing – even somehow oddly elastic.
A week passes by. The faulty product is out.
“What on Earth did you do?” their customers shout.
Not just their customers, but their customers' customers too,
The whole supply chain is sent askew.
With chaos abounding, the PR team panic,
And for stock control, the situation is titanic.
With confusion high and productivity slowed,
It’s time for the hackers’ final payload.
As the 31st dawns at MegaPetroCorp locations around the world,
The hackers’ end game becomes unfurled.
Entering an unfirewalled yet networked SCADA device,
The hackers spread their malware, and they’ve named their price.
Corporation PCs across the globe freeze and blink,
Their IT department is brought to the brink,
As the malware across the network slinks,
And all company PCs declare, in sync:
“MegaPetroCorp Beware – You’re in for a scare!
Your IT has been haunted and your industrial systems thwarted!
Pay 3,000 of that new crypto, spookycoin, to our wallet – and to adjoin,
Do it by the witching hour… or your data will be gone – totally devoured!”
And so, worldwide, over Zoom,
All the directors asked “what shall we do?”
“Are they the ones who mixed up our chems?”
And “Is the witching hour midnight or is it 3am?”
Yet with jobs, PR, and customer businesses on the line,
The corporation decided to pay on time.
Their data was back – even then, they were lucky.
Some hackers take the money and the data – that’s really sucky.
With their balance sheet ransacked and their IT exploited,
How could this cautionary tale be avoided?
Well, Just Firewalls help companies of all kinds.
From big to small, spreading cyber peace of mind.
Yes, we help large enterprises too!
So don’t wait until your own cyber-Waterloo.
Take heed – call us ahead of time,
And check out these bullet points that fail to rhyme.
What did MegaPetroCorp do wrong? How could these attacks have been avoided?
Let’s investigate what network and cyber-protection MegaPetroCorp should have had in place and how it would have saved them from disaster.
- Intrusion Prevention Systems (IPS), network monitoring services, and (to an extent) next-generation firewalls would have noticed the first hacker as soon as she started snooping around the private network. IPSs and network monitoring would likely have flagged the backdoor she left open too, and file integrity monitoring on the intranet server would have caught both the defaced pages and the change that let the "black hats" back in – a web server whose content can be rewritten from outside the firewall is a sign the perimeter has already failed.
- Managed Detection and Response (MDR) services, built on Endpoint Detection and Response (EDR) tooling, are designed to detect persistent threats, and many modern antivirus platforms are getting better at spotting persistence (the scheduled tasks, services, and start-up entries malware uses to "set up camp") too. An IPS and/or network monitoring service would have been able to detect the persistent malware, and later the ransomware, spreading laterally across the network – a single new implant talking to every machine it can reach is exactly the traffic pattern these tools exist to catch.
- Good cyber training should have been given to all staff, regardless of seniority – everyone up, down, and across the chain of command should receive training appropriate to their role. Mr Schmidt should have been taught not to be tempted by USB bait! This "USB drop" attack is surprisingly common – but it's only common because it works. Training shouldn't be the only layer, though: device-control policies that block unknown removable media (and disable autorun) mean a dropped drive can't run anything even when curiosity wins.
- Multi-Factor Authentication (MFA) helps to secure and authenticate logins, like those stolen from Mr Schmidt's machine through the keylogger. If those logins had been protected by an extra factor that could only have come from him – a one-time code from his phone or, better still, a hardware security key – the criminals wouldn't have got the access they did, even with the passwords. One caveat: a keylogger on the victim's own machine can capture a typed one-time code too, so the login system must also refuse to accept the same code twice.
- The SCADA systems on the factory floor should have been installed "behind" the firewall (and any intrusion prevention measures), or at least ringfenced from the rest of the network by segmentation, with only the specific traffic the plant needs allowed through. All too often, industrial systems like these are connected directly to the internet with no protection, yet they also sit on the same network as your regular IT. This means they can be used as an easy way into the rest of the network infrastructure – and, as we saw above, as a way out of it to the factory floor once a password has been stolen.
- The ransomware infection could have been found, stopped, or at least slowed down by behaviour-based (heuristic) antivirus, and by sandboxing untrusted files like the "dancing skeleton" before they are allowed to run. And because some criminals take the money and still destroy or leak the data, tested offline backups are what turn "pay by the witching hour" into a recovery exercise rather than a ransom decision.
[Disclaimer – this tale is totally fictitious, no likenesses are intended, and we’re not trying to make a statement. (Apart from promoting good cyber security practices). It’s just a bit of fun – enjoy!]
So whether you’re large or small, international or local, Just Firewalls can help you avoid cyber disaster. Drop us a line to book your free cyber health check – it’s a friendly chat that’ll only take an hour of your time.