“Puss in Boots” APT campaign
Quote:

Have you ever thought about what your answer would be if your precocious child asked, “What’s a politically motivated APT attack?” In fact, it’s straightforward. Just dust off your copy of Charles Perrault’s Puss in Boots and read it together with an eye on the cybersecurity aspects. After all, if we ignore the artistic liberties, such as a talking cat and ogres, the tale represents a marvelous example of a complex multivector APT attack against a (fictional) government. Let’s unpick this cybercrime together.

The tale opens with a miller posthumously leaving everything to his sons. The youngest son’s share of the inheritance includes the contact details of a person who goes by the pseudonym Puss in Boots and is obviously a hacker-for-hire — as you may remember, in Shrek 2, this silver-tongued cat wears not only his trademark boots, but also a black hat. After a brief exchange with the client, the cybercriminal hatches a dastardly plan aimed at seizing power in the country.

Establishing the supply chain

1. The cat catches a rabbit and presents it to the king as a gift from his master — the miller’s son, posing as the fictional Marquis de Carabas.

2. The cat catches two partridges and delivers them to the king as a gift from the marquis.

3. The cat continues presenting wild game to the king for several months, all supposedly from the marquis.

If at the start of the operation, the Marquis de Carabas was a nobody, then by the end of the preparatory phase he is known at court as a trusted supplier of wild game. The royal security service committed at least two glaring errors. First, security should have become wary when an unknown entity started sending game to the castle. After all, everyone knows there’s no such thing as a free lunch. Second, when making an agreement with a new supplier, the first thing to do is to check its reputation.

Social engineering to open the door

4. Next, the cat takes his “master” to the river, where he persuades him to remove his clothes and enter the water. As the king’s carriage drives past, the cat calls for help, saying that the marquis’ clothes were stolen while he was swimming.

The cat is applying two levers at once here, claiming that the wet young man is not a stranger but a trusted supplier of wild game, and that, having given his help selflessly, the cat now needs assistance. The fake marquis cannot identify (or authenticate) himself without his stolen clothes. The king falls for this simple trick, mistaking a fake identity for the genuine article. It’s a classic example of social engineering.

Watering hole attack via the ogre’s website

5. The cat arrives at the ogre’s castle, where he is received as an honored guest, and asks his host to demonstrate his magical abilities. Flattered, the ogre turns itself into a lion. Pretending to be afraid, the cat says that anyone can turn into a large beast — how about shapeshifting into a small one? The gullible ogre turns into a mouse, and the cat’s claws end its life quickly.

To complete the deception, the marquis needs a website — what kind of supplier doesn’t have one? Creating a site from scratch would be foolhardy: It would have no history, and its date of creation would look suspicious. Therefore, he decides to hijack an existing site. Here, Perrault vaguely sketches a vulnerability involving loose access permissions. The cat logs in as an external pentester and persuades the local administrator to play around with the access control system. The administrator first raises his own privileges to root (lion), and then lowers them to guest (mouse). As soon as that happens, the cat deletes the account with “mouse” permissions, effectively becoming the sole administrator of the website.

6. The king visits the castle and is so pleased with the reception that he decides the marquis is a good partner for the princess, and thus proposes inviting him to court and making him an heir to the throne.

This is what happens when social engineering works as intended. The victim visits the now-malicious website and concludes a deal there, giving the hacker access to valuable assets (in this case, the throne). Not directly, of course — here it’s through giving his daughter away in marriage to the bogus marquis.
...