OOTIKOF / KATZENJAMMER


 A Day in the Life of an Infosec Engineer Incident

The Wise And Powerful
Admin

Posts : 111040
Join date : 2014-07-29
Age : 101
Location : A Mile High

Subject: A Day in the Life of an Infosec Engineer Incident   Thu Oct 05, 2023 4:25 pm


Well, I figured, why not write this? I've been in IT for 10 years and in Infosec since 2019. I got into Infosec because I had dreams of being a hacker, but I'm not good at it, so I stuck with defending.

Here's a story about a breach I experienced at my last job; details have been changed to protect the identity of the company.

My last company was in telecom. I started in their NOC (Network Operations Center) and moved into Infosec. During my time in the NOC, I learned a lot, especially about how the company's VoIP product worked, which ended up being helpful for my story. I used to dive into the logs to figure out why a customer was having an issue. I was also really knowledgeable about the entire backend and how everything flowed. Eventually, I got promoted to the Infosec team because of this knowledge.

On Day 1, we were notified of a customer reporting that someone had logged into their account and was making calls to some number that racked up hella charges. We called them premium numbers, like the old 900 sex lines. The Infosec team was tasked with figuring out how this happened; which, in hindsight, was weird. But I dived into the logs and spent the next hour figuring out what had happened. I found an IP from Bangladesh that had logged into the account and had also logged into the admin account, creating a bunch of accounts to make calls to premium numbers.

The goal of the threat actor was to use these company accounts to call premium numbers they owned and rack up charges for profit. Pretty smart, tbh. The mistake they made was using their own IP and email addresses. My team and I started to investigate and discovered they had gained access to our Microsoft Office 365 account for one of the teams. They then scraped data from my company's SharePoint, which had user accounts and passwords that our professional service team had stored. The worst part was that a commonly used password was used for all these accounts.

The threat actor took this info and then spent the next three months logging into our customers' accounts, of which they had literally thousands. The company login page was bad; it was never designed with security in mind. The threat actor was using Burp Community Edition for the simplest use of it, just to password spray the login page and find accounts they could access. Burp has a lot of uses, primarily for web application hacking. I've only scratched the surface of what the tool can do, but password spraying is amateur hour. Yet, they were successful in gaining access to customer accounts and logging in.

At one point, my company had the Infosec team manually blocking IPs, which didn't do anything to slow them down since they started using a VPN provider. We added thousands of IPs to the list. Eventually, I started blocking the entire CIDR block of a VPN provider as soon as I saw it. This did affect some of our customers, but I argued they shouldn't be using our service behind a public VPN service as it would drastically affect call quality.

So, I had been spending months trying to figure out who the hell this person was that made my life hell for the last six months. While I can't give you their name because I'm still under NDA at my last company, I can say for certain they were in Bangladesh. We had called him Muna because that's what his email contained, which just means "Man" in his language. But eventually, he slipped up, and I was able to find his personal Facebook. This guy had made so much money from his attacks; he had bought a Mercedes and was showing it off on his Facebook. He also enjoyed playing PUBG on his phone with his buddies located around the world, including the Philippines, which is an important detail. This person he played with in the Philippines happened to be an employee at my last company.

The employee had helped give him access to our company's O365 account and was working with him to make money off his employer. Unfortunately, we weren't able to arrest him since they never notified the authorities of what had happened, but they did shit-can him. After that, all this stopped and I finally got to sleep. I still have some trauma from this even though it's been 3 years since I worked there; even typing this causes me some stress, but it's an interesting story.
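The post describes two defensive problems: spotting a password spray (one source touching thousands of accounts with a guess or two each) in the login logs, and blocking a VPN provider's whole CIDR range instead of chasing single IPs. The script below is an added example, not code from the post or from any tool it mentions. It assumes a simple "timestamp ip account result" log format and uses constructed sample lines and placeholder CIDR ranges (RFC 5737 documentation addresses) rather than anything from the incident.

```python
"""Added example: password-spray detection and CIDR-based blocking over constructed auth logs."""
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not from the thread). Assumed format per line:
# "<timestamp> <source_ip> <account> <result>", where result is FAIL or SUCCESS.
SAMPLE_AUTH_LOG = """\
2023-10-05T13:00:01Z 203.0.113.7 alice FAIL
2023-10-05T13:00:09Z 203.0.113.7 bob FAIL
2023-10-05T13:00:17Z 203.0.113.7 carol FAIL
2023-10-05T13:00:25Z 203.0.113.7 dave FAIL
2023-10-05T13:00:33Z 203.0.113.7 erin FAIL
2023-10-05T13:00:41Z 203.0.113.7 frank SUCCESS
2023-10-05T13:02:00Z 192.0.2.10 alice FAIL
2023-10-05T13:02:05Z 192.0.2.10 alice FAIL
2023-10-05T13:02:12Z 192.0.2.10 alice SUCCESS
2023-10-05T13:05:00Z 198.51.100.23 grace SUCCESS
"""

# Placeholder CIDR ranges standing in for a VPN provider's published address space.
BLOCKED_CIDRS = ["198.51.100.0/24"]


def parse_auth_log(text):
    """Parse log text into (timestamp, ip, account, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
            continue  # ignore blank or malformed lines instead of aborting the whole run
        events.append(tuple(parts))
    return events


def detect_password_spray(events, min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts": n, "compromised": [...]}} for source IPs that touched many
    distinct accounts with few attempts each (the spray shape), as opposed to one user
    retrying their own password many times on a single account."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> account -> attempt count
    successes = defaultdict(set)                       # ip -> accounts it logged into
    for _ts, ip, account, result in events:
        attempts[ip][account] += 1
        if result == "SUCCESS":
            successes[ip].add(account)
    findings = {}
    for ip, per_account in attempts.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            findings[ip] = {"accounts": len(per_account), "compromised": sorted(successes[ip])}
    return findings


def is_blocked(ip, cidrs=BLOCKED_CIDRS):
    """True if ip falls inside any blocked CIDR: range blocking, not one address at a time."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def logins_from_blocked_ranges(events, cidrs=BLOCKED_CIDRS):
    """Successful logins that originated inside blocked ranges (worth reviewing after a block)."""
    return [(ip, account) for _ts, ip, account, result in events
            if result == "SUCCESS" and is_blocked(ip, cidrs)]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, info in detect_password_spray(ev).items():
        print(f"spray from {ip}: {info['accounts']} accounts, compromised={info['compromised']}")
    for ip, account in logins_from_blocked_ranges(ev):
        print(f"successful login from blocked range: {ip} -> {account}")
```

On the sample data, the spray source is flagged with one compromised account, the legitimate user fumbling their own password is not, and the VPN-range login shows up in the review list. The thresholds are deliberately low so the sample triggers; in production they would be tuned per login page and time window.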
oliver clotheshoffe
Regular Member

Posts : 1723
Join date : 2019-02-04
Age : 65

Subject: Re: A Day in the Life of an Infosec Engineer Incident   Thu Oct 05, 2023 5:15 pm

I hope the police grab the guy and give him a good caning [Twisted Evil]