
PepperoniAndFingernailPizza

Well, I figured, why not write this? I've been in IT for 10 years and in Infosec since 2019. I got into Infosec because I had dreams of being a hacker, but I'm not good at it, so I stuck with defending.
Here's a story about a breach I experienced at my last job; details have been changed to protect the identity of the company.
My last company was in telecom. I started in their NOC (Network Operations Center) and moved into Infosec. During my time in the NOC, I learned a lot, especially about how the company's VoIP product worked, which ended up being helpful for my story. I used to dive into the logs to figure out why a customer was having an issue. I was also really knowledgeable about the entire backend and how everything flowed. Eventually, I got promoted to the Infosec team because of this knowledge.
On Day 1, we were notified of a customer reporting that someone had logged into their account and was making calls to some number that racked up hella charges. We called them premium numbers, like the old 900 sex lines. The Infosec team was tasked with figuring out how this happened, which, in hindsight, was weird. But I dived into the logs and spent the next hour figuring out what had happened. I found an IP from Bangladesh that had logged into the account and had also logged into the admin account, creating a bunch of accounts to make calls to premium numbers.
The goal of the threat actor was to use these company accounts to call premium numbers they owned and rack up charges for profit. Pretty smart, tbh. The mistake they made was using their own IP and email addresses. My team and I started to investigate and discovered they had gained access to our Microsoft Office 365 account for one of the teams. They then scraped data from my company's SharePoint, which had user accounts and passwords that our professional service team had stored. The worst part was that a commonly used password was used for all these accounts.
The threat actor took this info and then spent the next three months logging into our customers' accounts, of which they had literally thousands. The company login page was bad; it was never designed with security in mind. The threat actor was using Burp Community Edition for the simplest use of it, just to password spray the login page and find accounts they could access. Burp has a lot of uses, primarily for web application hacking. I've only scratched the surface of what the tool can do, but password spraying is amateur hour. Yet, they were successful in gaining access to customer accounts and logging in.
At one point, my company had the Infosec team manually blocking IPs, which didn't do anything to slow them down since they started using a VPN provider. We added thousands of IPs to the list. Eventually, I started blocking the entire CIDR block of a VPN provider as soon as I saw it. This did affect some of our customers, but I argued they shouldn't be using our service behind a public VPN service as it would drastically affect call quality.
So, I had been spending months trying to figure out who the hell this person was that made my life hell for the last six months. While I can't give you their name because I'm still under NDA at my last company, I can say for certain they were in Bangladesh. We had called him Muna because that's what his email contained, which just means "Man" in his language. But eventually, he slipped up, and I was able to find his personal Facebook. This guy had made so much money from his attacks; he had bought a Mercedes and was showing it off on his Facebook. He also enjoyed playing PUBG on his phone with his buddies located around the world, including the Philippines, which is an important detail. This person he played with in the Philippines happened to be an employee at my last company.
The employee had helped give him access to our company's O365 account and was working with him to make money off his employer. Unfortunately, we weren't able to arrest him since they never notified the authorities of what had happened, but they did shitcan him. After that, all this stopped and I finally got to sleep. I still have some trauma from this even though it's been 3 years since I worked there; even typing this causes me some stress, but it's an interesting story.
Update: I want to add that I left the company for a bunch of reasons, the big one being that Security was not a priority. If you get into this field, make sure that the company has executive buy-in, otherwise you're wasting your time. My team did everything we could within our power, but it was all futile as no one was willing to make a change because it didn't affect anyone else but the Infosec team. I've been at a new company for the last year and a half. While it's not perfect, it has a lot of things that I would have killed for at my previous company.
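A defender-side way to spot the pattern the post describes (one actor touching many accounts with only a few tries each, from rotating VPN addresses), added here as an example and not code from the post or the company: attempts are grouped by /24 so addresses rotating inside one provider's range still aggregate, which is the same reasoning behind blocking the whole CIDR block. The log format and sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample auth log lines (not from the post). Assumed format per line:
# "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-05-01T02:00:01Z 203.0.113.7 alice FAIL
2023-05-01T02:00:02Z 203.0.113.7 bob FAIL
2023-05-01T02:00:03Z 203.0.113.8 carol FAIL
2023-05-01T02:00:04Z 203.0.113.8 dave FAIL
2023-05-01T02:00:05Z 203.0.113.9 erin SUCCESS
2023-05-01T02:00:06Z 203.0.113.9 frank FAIL
2023-05-01T09:15:00Z 198.51.100.9 alice FAIL
2023-05-01T09:15:20Z 198.51.100.9 alice FAIL
2023-05-01T09:15:40Z 198.51.100.9 alice SUCCESS
"""


def detect_spray(log_text, prefix_len=24, min_users=5, max_per_user=2):
    """Group login attempts by the source /prefix_len network and flag networks
    that touched many distinct usernames with only a few attempts each (a spray),
    as opposed to hammering one account (a brute force). Returns {network: finding}."""
    attempts = defaultdict(lambda: defaultdict(int))  # net -> user -> attempt count
    successes = defaultdict(set)                      # net -> users that logged in
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        # strict=False zeroes the host bits so every IP in the range maps to one key
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        attempts[net][user] += 1
        if result == "SUCCESS":
            successes[net].add(user)
    findings = {}
    for net, per_user in attempts.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings[net] = {
                "users_tried": len(per_user),
                "compromised": sorted(successes[net]),  # accounts to force-reset
            }
    return findings


if __name__ == "__main__":
    for net, f in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {net}: {f['users_tried']} accounts tried, "
              f"successful logins: {f['compromised'] or 'none'}")
```

Running it with `prefix_len=32` returns nothing for the same log, which is exactly why per-IP blocklists fell behind once the actor rotated through a VPN range.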
vegivamp
Company:
- has an infosec division
- stores passwords in disappoint, I mean SharePoint
Either the security people weren't very good, or the company doesn't listen to them. Someone needs to be kicked right in the jewelry for that.
PepperoniAndFingernailPizza
The security team was good; we had no support at the executive level. We had a premium password manager for all our employees. It's just that not everyone listens to security. We can make the policy, but not everyone always listens, unfortunately.
PrfctDrk
As someone who's 37 and "missed the boat" I believe when it comes to IT, I applaud your work
idk3500
tkdtkd
That's definitely an interesting ONE. Did you ever get to TALK to the guy responsible for the breach?
PepperoniAndFingernailPizza
No, if I did I would end up cussing them out.
BryanTenn
I remember Linus Tech Tips' YT account getting hacked a while back. All it took was an attachment file being opened (claiming to be a PDF of a possible sponsor agreement); it was able to easily send the browser snapshot (not sure of the actual name), which allows access to any websites you are already logged in on in that browser. DO NOT OPEN ATTACHMENTS!
BryanTenn
FWIW, I am not currently subscribed to LTT. The stuff that happened several weeks back made me decide to unsub. I do hope they get their ish figured out, for their employees' sakes.
TheGlow
Nothing like an inside man. I used to work for a car service company in NYC. Hotshots, bankers, lawyers, etc. One of the companies didn't like it if we had no cars, so they had multiple accounts with other car companies. But they were too important to bother learning account numbers for multiple companies and insisted on the same credentials across ALL companies. I found out later my manager would pick up girls on AOL and have a company car chauffeur him around like he had money. No one ever figured it out.
frbnsfreak
Good read.
HashMaster9k
On the one hand, what a shitty scammer and that inside man who helped him... On the other hand, your company was storing login credentials in plaintext on a SharePoint site? That kind of lack of security is just BEGGING to be hacked. Not to say that you personally could have changed or fixed that, but your INFOSEC team was just as culpable as the hacker for what occurred. It sucks that it happened for half a year and cost you time and sanity, but it seems like your team failed to silo properly.
PepperoniAndFingernailPizza
It wasn't the Infosec team's fault; we provided everyone with access to a password manager. It was a failure to follow the process that caused this. They took security awareness training every month, but everyone thinks it won't happen to them, so they follow these shitty practices.
Myrealnameisunusual
Hiya. Incidents are nasty things. On the plus side - it's often what it takes for an organisation to take cyber seriously and invest.
Radix865
Did you try the banana hack?
Neurisko
I used to be in networking. I kind of miss it. Shout out to my AS4200 brothers and sisters!
Troillort
I'm an analyst in a big CIRT and have had a few of these incidents that make you lose sleep. It's super fun though and I wouldn't do anything else.
Mammothmadness
Currently a NOC tech, I wanna be you when I grow up!
stigxenon
Spraying with burp community edition is awfully slow and throttles after just a few tries. They probably used admin:password lol
PepperoniAndFingernailPizza
It might have been a paid version. Or maybe they bootlegged it, idk.
FrankPembleton
I'm concerned with the last part of the first paragraph. Being knowledgeable about attack methods is paramount to effective defense.
PepperoniAndFingernailPizza
You're 100% right, and while I suck as an attacker, I understand the concepts for attacks and how they work. It's not to say I haven't spent several weeks on HTB 😉 but hit me up some time and we can talk shop.
ojioni
I don't see any mention of actually fixing the fundamental security issues that allowed this to happen. For example, storing account and password information on SharePoint. If you have to save that kind of thing, you encrypt the file.
ojioni
And why didn't you immediately require everyone to reset their passwords? That's the first damn thing you should have done.
PepperoniAndFingernailPizza
They did, but the password being reset allowed any password to login after. Great design, right?
ojioni
Lovely. Password resets should use a unique code sent to the contact on file, though contact info changed since the intrusion is suspect. It sounds like the entire infrastructure was designed to be easily compromised.
PepperoniAndFingernailPizza
No comment
ojioni
I understand. I've been in the situation where I wanted to tell a manager, "are you effing stupid?"
afterdarkart
Hey @OP. I as well moved from IT / IA into Infosec in 2019! And one year later my entire Hospital was taken down by Ransomware. Fun times!
PepperoniAndFingernailPizza
You poor poor soul
ShiftingPattern
Thank you so, so much for sharing. It's an illuminating story.
perlninja
"They then scraped data from my company's SharePoint, which had user accounts and passwords that our professional service team had stored" - you're in Infosec, and didn't stomp their guts out the minute they started doing that?
PepperoniAndFingernailPizza
Oh trust me... someone got in trouble for that. They started using a secrets management tool for PS services for customers, so they didn't need to know the password and were able to easily hand it over to the customer. PS actually did what they needed to after.
CnerdRun
You would be surprised to learn how toothless a lot of infosec departments are. And I mean that in the sense of how powerless they are to effect change.
PepperoniAndFingernailPizza
Without executive sponsorship, Infosec is just a compliance box
Wraid
The biggest issue I see here is that all of this caused you a lot of stress. That's no bueno. This wasn't your fault, and it didn't have any effect on your actual life, just your employer. So it's your employer's problem, not yours. Gotta leave stressing out to company execs; *they're* responsible for all the decisions surrounding the core issue, not you, so let them pay that price. You gotta leave that behind when you clock out for the day. Being a hero only harms you and your teammates.
Aaronb1138
In enterprise IT you can hit a tier where the buck stops with you. And the executives are managers asking you for what they need to do next. I've never understood the responsibility and ownership avoidance thing here.
Wraid
It's not just a hand-waving "I don't like responsibility" thing. There's a leadership structure with a clear delineation of roles and responsibilities for a given domain. Unless you're in this leadership pool and have the ability to construct the corporate vision and execute on the strategy, then the responsibility of owning the results isn't yours to take. If the buck stops with you, then you're in a leadership position and are most valuable strategizing, not doing individual contributor work.
PepperoniAndFingernailPizza
Mandatory on-call was why. Lots of 2am phone calls: "We see a brute force alert." This is one of a bunch of reasons I am not there anymore.
gracefulone
"The call is coming from inside the house!"
GrkTheDerp
I would like to DM you for some insight about infosec. Nothing about the company, I'm just super curious about your field.
PepperoniAndFingernailPizza
Sure, I'll answer what I can. If I can't, I'll point you to resources
nytespy
Dev team's security is like a screen door on a submarine: looks good, stops nothing, and everyone's gonna get wet.
ConfederacyOfDunces
FP with 44 points? Imgur, what has happened, babe? You used to have so many followers.
NOYLL
Well for one thing, their app for Android is absolute garbage. Also, they removed private albums. Started cramming ads in everywhere they could. @sarah isn't around anymore. Mods are fickle. Honestly I think the only thing saving imgur is that the comments format is better than reddit.
Sh4dowWalker96
I dunno, I prefer Reddit's comment system. I just come here for memes.
jasjourno
You actually PREFER Reddit comments? You sick fuck.
ConfederacyOfDunces
Good points. I use it exclusively on Android and really don't have issues recently. If you have any issues now, try uninstalling and reinstalling it (I know that's dumb, but many of my issues were fixed this way). I'm lucky that I somehow got free Emerald. Before then my ad blocker worked well (Blokada). But yeah, all your points are good.
PepperoniAndFingernailPizza
Occasionally clearing cache has helped between major code changes.
Kehy
I have to close and re-open the Android app multiple times; it would slow to a crash if I didn't.
ConfederacyOfDunces
Try uninstall/reinstall. No lie, every time I've submitted bugs to imgur super 3 they start with that advice and 90% of the time that fixed it for me. (I actually have reported real bugs, too.)
Kehy
I get the fun "report issues" screen crashing on me.
goboltz
This is her now !
Mxlespxles
Thanks for the story! Sorry that it caused you distress to relive it for us, but maybe someone will get more than just entertainment, too!
PepperoniAndFingernailPizza
Thank you. Therapy taught me that it's good to talk about the trauma
[deleted]
[deleted]
PepperoniAndFingernailPizza
Long days and nights. Stress that you'll miss something. I get it. I'll never wish this on another person.
DreamWeavr
Glad sharing the story helped you process the experience. I read it in Jack Rhysider's voice.
PepperoniAndFingernailPizza
Love to meet a fellow Darknet Diaries fan.