Compromising Organizational Systems Through Chaining Attacks

Image credit: giphy

Abstract

Amid an unprecedented COVID situation there are huge spikes in the increase of cyber-attacks through multiple attack vectors like malware, phishing emails, fake mobile applications, fraud payments, etc. Companies are spending lots of money to improve the security of organizations and applications. As the famous quotation goes by, “Humans are the weakest link in the information security chain”. Despite the millions of dollars, companies spend to harden the security of applications, the simplest mistake made by humans for temporary comfort or fix leads to severe security breaches.

This short talk focuses on a detailed analysis of how we chained multiple simplest mistakes made by humans to save time or as a temporary fix that led to complete company compromise of one of our multi-million dollar clients. We are going to explain, the way we leveraged the bugs, crafted payloads, and exploited them makes this a unique presentation.

Outline of the presentation:

  1. Reconnaissance to SQL Injection.
  2. SQL injection to Remote Code Execution (RCE).
  3. Bypassing up-to-date Anti-Virus (AV) to gain persistent access.
  4. Remote Code Execution to Internal Systems Compromise (includes backup server).
  5. Internal Systems Compromise to support Gmail 2FA bypass.

Date
Sep 29, 2020 12:00 AM
Event
Location
Virtual
Rewanth Tammana
Rewanth Tammana
Senior Security Architect

Rewanth Tammana is a security ninja, open-source contributor, and an independent consultant. Previously, Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities). Holds industry certifications like CKS (Certified Kubernetes Security Specialist), CKA (Certified Kubernetes Administrator), etc. Rewanth speaks and delivers training at multiple international security conferences around the world including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others. He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.

Related