Quando o Simples Vence: Anatomia Real dos Ataques que Continuam Funcionando

Good afternoon everyone. First of all, I would like to thank the B-Sides organization. It's been a long time since I came, I think it's been about 8 years. I participated in many editions, I think I was the first to create a Capture the Flag by Red Team, a little over 10 years ago. I've been working with this security area for almost 30 years, although it doesn't seem like it. I'm probably older than you think. And the idea today is to talk a little bit about what's happening in the real world of attacks. Before I talk about myself, I'd like to understand who is from the security area, who works here. From those people who are from the security area, who is from

Red Team? Do you have contact with Red Team? Who is from Blue Team? and who wants to manage. So, I'm going to adapt the language for you. Currently, I'm the owner of a cybersecurity consulting firm. We monitor more than 60 companies. I have a team of Red Team, Blue Team, and the goal is to bring the experiences we had, especially in the treatment of incidents, so you can understand what technique the threat actor is using and why they are being so successful. The moral of the story is that the basic well-done is not being done, and this basic well-done is missing a lot.

The first question I ask you, that I do for you, is why do you think that companies in Brazil are paying the ransom? And more companies than you imagine are paying the ransom? Many of them say they didn't pay the ransom. There is a "Caixa 2" within the Bitcoin brokerage for payment of ransom, I'll explain a little how it works. And Brazil has grown exponentially in attacks of ransomware threat actors, mainly because of the fact that companies are paying. But why do you think the company pays? Most of these companies have a backup. And why do they pay? Lack of time. Now imagine the following context: you have a building that took you 20 years to build.

This is the technology infrastructure of a big company. This building is demolished. And then the staff has a very basic vision of systems. Look, I restore SAP in 24 hours. But they don't know that to restore SAP in 24 hours, you need to restore an application server, you need to restore a bank. The AD has to be standing. It has APIs connections. So this process that the directors are confident about, they hit the chest and say: "Look, restore a company in at most two days." In all the cases we took, these two days became two months. And the companies realized that. And then what happens? Medium and large companies have partners who are clients, many

of them banks, companies with a very high level of compliance, and the business stops. I've already got a case where it's a 30-year-old company that makes big softwares, and the owner came to me crying: "Ricardo, if I don't come back, I'll break it. Two thousand families will be unemployed. My backup is here. We can't restore it. To restore everything, we don't know, maybe it'll take a year. What are we going to do?" So people are choosing to pay for not having defined strategies. And I don't know if you know, but in this cycle, cybercrime has become extremely organized. When you do a negotiation, you're not negotiating with a hacker group of threat actors. It's a third-party

company that they use, yes, it's a third-party company, responsible only for collecting the money for payment of ransom, to the point of having work shifts. This email here, I was talking to one of these guys, and he told me: "Ricardo, now there will be shift of shift, I have to go, I'll pass it to my colleague here, he will continue the treatment, the negotiation, and there is a whole code of conduct of them. So, what I want you to understand is that unfortunately Brazil is being one of the biggest payers of cyber attacks due to lack of efficiency, due to lack of planning, due to lack of understanding of what is security for the real world. How many of you have seen managers

based on decision of tools by Gartner's magic quadrant? Instead of investing in people, give people knowledge. And then, what we are going to talk about exactly is a practical experience in the battle. So, I'm bringing here 62 cases of attacks that we answered, from January 1, 2024 to May 1, 2025, and 30 cases of Red Team exercise. Extremely important point: "Wow, Ricardo, When do the attacks happen? While you're sleeping, while you're at a barbecue. The hacker doesn't work on a commercial schedule. When I say hacker, it's the threat actor. Look how crazy it is. "Hey, the security team has a shift here from 8 to 18, but your company won't be attacked from 8 to 18. Maybe the security team, whoever else you

need, those monitoring skills, It has to be at night. And then you see a shock. The strongest guys in the shock are in the commercial time period. Usually the platoon members put there full-time juniors, weekends too. But that's when the attack happens. All these attacks happened either on holidays, on holidays, or on Friday or Saturday morning, or outside the commercial time. Normally, the attacks happen more frequently in the middle of the week, between Tuesday and Wednesday. Because if it happens on Friday, you will give the company some time to try to recover and on Monday it's still on. So, within these attacks, a higher percentage happened from Tuesday to Wednesday or on the eve of the holiday, right at the beginning. Another

important point, 74% of these attacks were human operated handswares. What is the difference between a common handsware and a human operated handsware? Human operated handsware is a manual work. It's the threat actor, without tools, understanding what the company has, customizing the payload, customizing its tactics, TTPs, right? Tactics, techniques and procedures. This is extremely important. And 26% were in APIs. APIs are also a big problem. Where we get the most failures in an external environment, pre-internal, are APIs, mainly problems related to authentication. Authentication, wrong logics. And APIs, Red Team people know very well, there is no good tool that tests API. API is experience, it's you understanding the business, it's almost a job, it's like the alfaiate who makes that turn over measure, and

the man is irreplaceable, and companies are not doing this job. But the worst thing is that 100% of these attacks could be avoided. "Ah, Ricardo, you're saying that there's a lot of attack, but how are hackers, the threat actors, they are entering into companies?" 85% of these more than 60 cases, are credential management. And then I'm going to tell you a case so you can understand what is happening, including the involvement of the PCC. We have a recorded case that happened as follows: Case 1: They got in touch with someone from the call center, they copied him, bought the user, the second authentication factor. How did it start? They scanned the LinkedIn of everyone who worked in

the company's telemarketing. They crossed this list of telemarketing with a Serasa SPC database. They saw who had debt. The people who had more debt, they contacted to buy the password. Cost of each credential with the second authentication factor: R$ 1,500. So I think: "Wow, I worked hard, I did the right job, I put my second authentication factor, I put a strong password, but my password was sold. It was sold to someone inside. And then, from inside, the threat actor calls the guy from the call center on the cell phone, we did the investigation, he passes the second factor, he logs in via VPN. Today we know that remote work is essential, everyone will need it. So how do we deal

with this kind of problem? In which the reliable agent provided that access. This has been happening a lot. Another important point: 40% of these 85% related to weakness came from stolen credentials that were already on the internet. 35% of the passwords and second authentication factor were sold by collaborators, so it means that there is an organized crime now, specialists in buying credentials and second authentication factor to put a hands-on inside the company. 10% was facilitated by the Insider collaborator. What is this 10%? We even have recordings, and it's amazing, I'll talk about it later. Imagine someone inside the company, and then the hacker calls him: "Now you're going to take this little program here, you're going to download the Ndesk Portable, you're going to log in, I'm

going to control your machine, from the control of your machine I'm going to install a C2, I'm in the company. So now we're suffering a lot with organized crime working within the context of cyber attack, because he saw that Brazilian companies are paying, but with a very aggravating factor, with the participation of the collaborators. What does that mean? That if we don't monitor better, If we open many exceptions, the attacks will increase exponentially. So sometimes it's what the director asks: "Look, make it easier for that person to access, leave this VPN open, open more doors, we have to deliver the project quickly." This is making a lot of difference in weakening the environments of companies. So,

it's crazy, right? And then, when we talk about the simple, "Wow, you dealt with more than 60 incidents, you participated in a lot of things, the hackers are the ninjas, they know everything." They are using the basics. The most used software for C2 that we took was the VPN software, it makes a VPN mesh network. So what does the guy do? He would get inside a machine, somehow, he would put the Ifer software, that until this moment was not detected by CrowdStrike, Sentinel, Microsoft, which are the three considered the best EDRs. And from that, it had a mesh, which is as if it were inside the company. And it's amazing that 85% of the cases, the C2 was

the Ndesk Portable or the Software-Ether VPN. Here we are talking about Shadow IT. But these guys don't need privileged access to be installed, they're simple, they're small. So how are we monitoring? If you put a standard EDR, it won't detect these guys as malicious. The signature is perfect, it has a digital certificate, it has everything. Another important point, 60% of the privilege escalations... So I got into the company. "Oh, I went to use a... C2, super complex, with DNS reverse beacon, or ICMP reverse beacon. No, I'll do the simple. I use this guy that will come out via HTTPS, or Ndesk that will come out HTTPS, will bypass FHIR, will bypass the company's controls. If I have content filter software, like Netscopes, Scaler,

it also lets it pass in the standard policy. And then it was gone. Then the guy is inside the company. He is already like an insider. How does he scale privileges? 60% of the privilege scaling was finding passwords within network sharing. Who here has already searched for passwords? Make a basic script, you can even use GPT, to enter each open sharing. and search for content with keywords like passwords, passwords and other things inside the company. The infinity of passwords you will find. So why do I need to use an exploit of privilege scaling, of operational system, that will draw attention if the users are already giving it away. Or the support staff themselves, in many cases,

it was a failure of the service desk team or technical support, who created scripts for automations, and inside these scripts there were the users and passwords. So, it's an extremely complex situation. And when the privilege escalation happened, 70% of the privilege escalation was the coercion of the Active Director. Who here already knows this Active Director Coercion technique? Active Director coercion can be done in some ways. I'll explain one of the techniques. Usually the company has a certification authority, a CA, to generate digital certificates inside the AD. If this CA is configured as standard, you make a direct attack to the CA, making a relay to the AD, so as if you were mirroring the connection of the AD, it will take the AD's hash, will play it to CA

and will generate a root certificate. This root certificate you transform into an administrative Kerberos ticket and you already have privileged access to the AD. And that's funny, there in the company we have a big team of red team and all the infrastructure tests are invading the ADs with coercion. lost the fun. I even joke, Molina is here, who is the team manager, Red Team people are here behind, I said: "Hey guys, you are very lazy, you are only using coercion, because it became very easy." So, imagine the following: the threat actor entered the company, aimed at the AD, out of every 10 ADs that he enters, 8 he has a chance to use the coercion

technique and it works, became the administrator of the domain, he made an AD sync, made a secret dump, something, took the entire database of the AD. It has the credentials, the next step, it will do the collection of everything to be able to do the exploration. So when I say that the basics are not being done well, that's exactly it. For you to have an idea of ​​simplicity, how the threat actor is scanning the network. It's an older tool than me, called NBTScan. This tool is from the 80s, 90s. It's a graphic tool that antiviruses don't detect. You run it, it will map the network. So, normally, what does it do? It enters, runs the NBT

scan, takes all the IP addresses, and from that it will spread the ransomware. How does it spread the ransomware? Basic lateral movement, TCP 445 port.

Another important point, which is very funny, and I'll talk about why later, of the cryptographed environments, of all these cases, none of these environments had EDR in VMware. Has anyone ever seen putting an EDR on VMware here? If VMware is such a critical environment, which is providing all the virtualization for the company, why don't I have an EDR inside it? and it's an environment that is becoming easier to be cryptographed. Another important point that we noticed: a few years ago, when the ransomware was spreading, it was going to the entire company, the workstation, the servers. Threat actors have become more effective. They don't want to cryptograph workstations. 90% of the cases I've put for you here only had cryptographed servers. No

workstations were cryptographed. And very specific focuses: virtualization environments, application environments and file server. So, what is the crown jewel for the threat actor? First, it's the virtualization environment. If I cryptograph a hyper-v farm, I'll stop the company. Then, file server. There is an important point that we also notice in these cases, the filtering is usually only from the file server. What is the tactic that the threat actor is using to be more effective? I cryptograph VMware, file server, application, but if I cryptographed VMware, uploading, filtering the virtualized disk takes a long time, because there are several teras. So I take the file server, filter the data from the file server to put it on the wall of

shame, to embarrass the company, and then after that I announce what happened. But what we realized is exactly that, the focus is on servers, of these VMware servers, 100% were with SSH active, and had identity management flaws. What are identity management flaws? The same user that was admin of the domain was admin of the VMware farm. So, the user-administrator generates administrator of everything, just like VMware. This also happens a lot with the cloud, which is allowing the threat actors to delete the backups in the clouds. So, there's a super critical environment, I do my backup in the same cloud tenant. But why? If the guy will already have access to everything, of course he will delete the backup. So why not create another tenant to

do all this? Let me just go back one more here, then I'll come back. So, within this context, if you look at everything I put, it's extremely basic. So the threat actor is getting the password very easily, or he buys it, or he finds it on the internet, many companies don't have the second authentication factor, unfortunately, and they will be victims, or he uses an insider. In a few cases, we are seeing real explorations. Look, I got an application, explored, I entered the company, so this process takes a long time and is very complex. So the... Threateners want exactly that: more money, more compromised environments, more companies paying. And there's an important point, which I told you

about the Bitcoin 2.0 box. So how is the payment of the rescues in Brazil working? "Wow, Ricardo, I need to pay a ransom." The last one we negotiated was 10 million reais, and it was even a small amount. Unfortunately, the company paid for it because of this matter of time. So, the brokers in Brazil have a scheme that, look, what can they normally do? They take a wallet, put this Bitcoin in the wallet, it is not providing, it is not selling directly, they put a wallet there, gives you this wallet and you pay a service fee for this company. So, you didn't transact Bitcoin. So, there are several ways that this is happening, that big companies that

you have no idea, that we know were compromised, don't disclose, say that nothing happened and life goes on. Which is not a good thing. So, we have a job there, to make it harder to get in. So, what exactly do I have to do to make it harder to get in? First, I have to understand what I have exposed outside, both of leaked credentials, devices, understand very well what I deliver to the internet world so that it is not used against me. So, one of the big points of attacks, which are basic things, look, you still have a CITRIX RDP environment exposed directly on the internet, you still have a VPN without a second authentication factor, even if it's

something linked, you don't have a password blacklist, Today, the Entry ID already allows this. So you say: "My company has 14 characters and complex." Then the creative guy will put the company's name, @202512345. It already gave 14 characters and the threat actors know that. So the first thing I say, to defend, we have to understand how the threat actor's mind works. Otherwise I won't be able to be effective. And the Red Team has been getting a lot of success with this, the hackers have been getting a lot of success with this. Another very important point concerns the behavior monitoring. What is behavior monitoring? Look, there is a user who normally accesses from 8 to 5. Why is he accessing at 2 in the morning? And this was

the way we detected the sold passwords with greater effectiveness. In the call center, usually, people sold the password and many people from 8 to 5. Why do you have access to the VPN of someone from the call center on Saturday at 2 am? So, the company's serious failure in allowing authentication to be carried out, serious failure in non-detection of behavior. Why do you have access within the commercial time, which is the time that the guy accesses, but coming from another country or from a dirty VPN IP. So, these are small details that make the difference. The detection capacity is increasingly complex. There are large EDR tools on the market, but what makes it more effective is to

understand the company's behavior and create the rules based on these behaviors. I'll give a very simple example. Almost nobody does that. I told you that the handswares are still being spread by TCP 445 port, which is a very basic thing, that the servers that don't share files shouldn't have the port open. If I have five hits on the 445 port in less than half an hour coming from an origin, this is a lateral movement, it's a trigger that you should have. So, maybe here with ten rules, we could already predict 80% of these attacks that happened. So, rules of time behavior, rules of behavior of origins from other countries, rules of an origin making access to many hits, rules of an origin having,

in a small interval of 30 minutes, many hits in the EDR or in the IPS, So, they are simple things. And another essential thing that I suggest you do on Monday, create a little script, go to the file server and look for files with password keys. Password, password, and see the amount of files you will find. So, it's impressive. You take one, two days working, you will see that there will be passwords that will give access to administrative interfaces, administrative privileges in VMware, in servers. So it's a sad situation that shows how the security is still immature and how the threat actors are moving forward quickly. Now, what's the point of the company investing thousands of dollars in the best of the best

tools? It buys the best EDR, the best CIEM, it buys the best content filter. That won't do magic. Who are the wizards? It's you, not the tools. The tool is a simple instrument for the wizard to use. If it's not well managed, if you don't understand what has to be done inside it, it will be just another tool. Side movement, I talked about AD's coercion attack. Who here has already run the pingcastle on AD? So, Monday you will enter the pingcastle site, it is a free tool. Then you will get it, run it on the AD without any privileges, and you will see the score of the AD. Probably the score of the AD will be

100% negative. We have already taken cases where privileged passwords were not exchanged for 15 years. The password of the user "krbtgt" was not exchanged since the company installed the AD for the first time in 2000. So, since 1999/2000, 25 years have passed, the same password was there. that the company has the certification authority, but it's configured as basic, it will be invaded, that the ADs are not protected by relay. So, a simple tool, you won't spend R$1, you will execute and understand the risk. Another very important point, that I suggest you do, is to have a good baseline of security, What is a good baseline for security? It's based on the best practice, take SysControls, use SysControls. Simple,

it will already remove most of the vulnerabilities I mentioned here, from memory-collected credentials, among other things. Side movement, TCP 445 port, block, you don't have to have this port open, only for the file server, Active Director, who doesn't share files doesn't need this port. Enumeration techniques, there's a nice PowerShell script called netsease that does that. Another super common point, sharing of ECH keys in Linux. You enter a server, from that server you access all the others without authentication. So this is a serious failure. Here the image is not cool, but you will receive the material, there's a checklist of everything you should do within the environment. So it's a simple checklist, I suggest you do it. Basically, here is the step-by-step

planning of these actions I mentioned, so you avoid being compromised. And it tends to get much worse. As I told you, Brazil is among the first payers, criminals are looking back at Brazil, because they know we paid, the maturity is low, The managers are much more focused on Power Point and buying Gartner's tool than real safety knowledge. And the only people who can solve this are you, not tools. So my advice is that the best defense is to understand the attack. So before you want to defend, you should know how to attack, at least the basics, and create the basic-based strategies. We see that even patch management, a simple thing, is not well done until today. How difficult is it for

you to maintain an environment of an updated company? Credential management, companies don't do well. You're going to run the pingcast or you're going to get credentials that have not been changed for administrative reasons for 20 years. Then you try to change the credential, which is a credential that is stalled in SAP. "Oh, you can't." "Oh, but that credential, then you find out it was SAP@2014." during the project. So, invading is very easy, but defending is very complex. As long as we have this distance, we are losing the game. This is the message I wanted to give you. If you have any questions, I'm available. There are 10 more minutes. There was one case where the company lied. There is a case, a very important curiosity: "Ricardo, of these

cases, the people who paid received the keys? Of all these cases, the ones who paid received the keys. But there was a case that I know that did not receive, which was that the company lied. So the company was negotiating with the threat factor, And she asked for the key, "Oh, no, I only have five encrypted servers and such." The guy said, "It's X." The company paid him and said, "You lied to me, it wasn't five, it was 100. I won't give you the key and you lost your money." And that's it. Please. In your opinion, do you think there would be a good way to identify the insiders who sell the credentials of the second authentication factor? There's an important question here: "What

extra care should I take with that insider who sells the credential?" Well, first, you have to have effective monitoring and effective blockings. How do I make the restriction? As I said, the insider, if he uses the credential, he will have to use it only at his working time and only in his country. So, restrict. I know the guy will have to connect in Brazil at that time from 8 to 5, if he goes at night, from 8 to 18. Second, avoid simultaneous sessions. If the guy is working from 8 to 18, or he is working, or there is a hacker in his place. The two can't be together. So it's behavior monitoring. And the third one:

awareness. You tell everyone in the company that this is happening. And put the sanction, saying: "Look, folks, this can happen, someone can get in touch with you, if they get in touch, let me know, this is a serious case, it's a police case, it's a serious crime, we want to protect them from this situation." So these are the simplest ways to deal with this situation. Toshio. These were the cases we worked on, only from my company, but then you can send me an email and we'll send you a report. We've already taken, we've taken within these scenarios, there are cases of movement from on-premise to cloud and from cloud to on-premise. From cloud, what happened? The credential of

service leaked within the cloud was a Credential that should have access to APIs, but it had access to the management interface and was without the second authentication factor. Then the threat actor entered there, it was a Microsoft Cloud, he got access to the Entry ID, through the Entry ID he managed to enter. It was also easy internally, because he took the credentials of all users, saw who was the privileged user, from these privileged users he used the account, accessed the cloud, from the cloud he downloaded the virtual machines, the instances, deleted everything, deleted the backup, and the company was left with nothing. Yes, because... When we talk about security, what is the company's greatest capacity? It's not avoiding the

attack. The attack will happen one day. No tool is 100%. It's you detect and contain. Normally, where is the containment done? In the infra layer. a non-made containment, it will spread to the entire company and is where the threat actors have the commitment and total control. So, the weak point, the Achilles heel, is the infrastructure. Web layer is usually a little entry gate, but this little entry gate should be kept. Any questions? So, I'll finish here, okay? Whoever wants my email, let me open here, I'll write it. I'll put it on a drive, I'll put it for the event organization staff. I'll leave my personal email: ricardo@tavares.io So, I'm at your disposal. I was happy at the event today,

I saw many young faces. At the time I started attending the event, there were very few people, usually much more nerd people. Today people are not so nerds anymore. Before it was much more nerd, you can be sure. And this is an area that I suggest you really study. There are more than 3 million security professionals missing in the market. Of every 10 professionals you need to hire, there are only 6. It's an area that will still have a lot of problems, it will get much worse before it gets better. And as I grew, you have the same chance. I started with you, from the bottom, as a technician, today I have my own company, and everything I got was through knowledge. So, what I

say to you is: study, use your knowledge and apply it for real. Because the worst thing is the security professional who only stays on PowerPoint. This professional, well, he has to end. And security is strategy, is the knowledge of how things happen so that later you can make a good defense. So thank you very much, guys. Have a good week.