Retail: Fortifying The Cybersecurity Posture Against APT

US & Canada | Retailing | B2C

• Company size: 250,000+ employees 
• Service: Digital, physical and social attacks 
• Client since: April 2021 

Overview

Our client is a global business-to-consumer (B2C) retail organization operating a considerable IT function that serves their customers through e-commerce platforms and retail sales, as well as supporting their 250,000+ internal staff.

They maintain a mature cybersecurity posture including their own Security Operations Center (SOC), internal pen testing and red teams.

CovertSwarm was engaged to strengthen their security posture by acting as an external Advanced Persistent Threat (APT). This involved attempting to breach their assets in any way possible to identify and remediate their vulnerabilities before the real bad guys can exploit them.

Challenge

The client’s main question was “how do you get an outside view if you employ everybody yourself?”

Objectives

They required CovertSwarm to work in an effective closed-box manner to think about how we could breach their infrastructure without any prior knowledge of the code, architecture, or system design. 

Our team had to act as an effective external APT, working autonomously to find and breach unknown gaps using methodologies not employed by their team but that real-world attackers could.

After successfully attacking and breaching previously unknown vulnerabilities, CovertSwarm offered support to their internal team to remediate them.

Our Approach

A new member of staff, still in the onboarding phase, received a CovertSwarm spear phishing email and clicked on the link, mistakenly believing that it was part of the onboarding process. As a result, the CovertSwarm team was able to steal their user credentials and the Multi-Factor Authentication (MFA) tokens. Within approximately 60 seconds, the user realized their error and suspected that they could have been phished.

The employee reported the incident and alerted their security and IT teams. This instigated the accredited ISO 27001 process for phishing breaches, which led to the termination of the user’s access and forced a password and MFA reset. However, the response process failed to terminate the VPN access that the CovertSwarm team had automatically gained as part of that initial attack.

Due to this oversight, CovertSwarm was able to establish persistence and move laterally, undetected, within the estate.

The CovertSwarm team found the Citrix platform, which is used to enable secure remote access to applications and data. Although we were unable to access any authenticated Citrix applications, we could exploit any unauthenticated ones. Then, another Swarm member with a different set of skills, took on this challenge and utilized a weakness within an application exposed through Citrix, enabling Remote Code execution.

Using Remote Code execution, we were then able to install our own Command and Control infrastructure (C2) on that Citrix host. This allowed the team to further move laterally behind that host inside of the client’s critical estate.

Additionally, we were able to exfiltrate data without being detected or blocked by the client’s security systems.

The Results

• Provided guidance on updating ISO 27001 process to ensure that it fulfilled its risk and capability objectives as intended.
• Recommended improvements to the client’s detection of lateral movement to ensure that if an attack like this happens again, it will be detected at an earlier stage.
• Improvements to Citrix to prevent the use of unauthenticated apps.
• Identified that being able to breach the host meant the Endpoint Detection Response (EDR) didn’t work effectively, leading to improvements being implemented with CovertSwarm’s guidance.
• As a result of CovertSwarm gaining access to Command and Control (C2) infrastructure, the client was able to update their Security Operations Center (SOC) and Security Event and Management (SEAM) rules to detect this type of anonymous traffic and adjust their firewall rules accordingly.
• Additionally, further SOC, SEAM and firewall rules were implemented at a secondary layer to contain any breaches and avoid data exfiltration.

Conclusion

The spear phishing incident exposed critical vulnerabilities in the company’s security, allowing CovertSwarm to breach their systems and lateral move undetected within their network.

This led to impactful changes in a variety of areas, such as updating the ISO 27001 process, improvements to the client’s detection of lateral movement, Citrix, and EDR, as well as the implementation of SOC, SEAM and firewall rules.