Building a better world
Designing and deploying a cloud-based hacker toolbox
I had the amazing opportunity to end my last year of Cloud & Cyber Security with a 13-week internship at EY. During this internship I got to work on a project that combined everything I wanted, which gave me the opportunity to show both the firm and my school what I was capable of.
For my internship I wanted a large company with a high-quality specialty in cyber security, and EY offered me exactly that. EY is an international company that offers Assurance, Tax, Consulting and Strategy services to its clients. Its headquarters is in London, and it has over 300,000 employees in over 150 countries. I was lucky to get a place in their office in Diegem.
During my internship I was part of the cyber security consulting team. Cyber security at EY is further divided into FSO (Financial Services Office) and Industries. The FSO team's clients consist of banks and financial institutions, while the Industries team, the team I worked with, deals with all other industries. Cyber security consulting at EY is divided further into four kinds of services:
- Cyber security Strategy, Risk, Compliance and Resilience
- Data Protection & Privacy
- Identity & Access Management
- Next Generation Security Operations & Response
Of these four services, my project and the people in my team leaned most towards the last one. This is also the service that handles the very technical assessments, such as pentesting.
As the topic 'Design and deploy a cloud-based hacker toolbox' is still pretty broad, I had to define the goals further to decide what to realise during my internship. The outline was simple: it had to be related to cloud, infrastructure as code and hacking. Combine this with where I saw business value, and SecuritEY was born.
"Your talent determines what you can do. Your motivation determines how much you're willing to do. Your attitude determines how well you do it."
— Lou Holtz
SecuritEY is a platform built for cyber security training and awareness. The platform focuses on teaching the latest attacks, so that ethical hackers have a playground to test out tools and techniques for topical scenarios. The two modules I have created so far are the Supply Chain Attack and ProxyLogon. Everything is, of course, neatly protected by a login page where you can only register using an EY email address.
As mentioned above, the platform is flexible enough to host all kinds of modules. A module can be just a very in-depth explanation, but it can also be combined with a cloud-native lab environment. The restriction on lab environments is simple: if it can be built using infrastructure as code and cloud, it can be used on the platform. The current state of the platform offers two modules.
SecuritEY provides a platform where researchers and ethical hackers can take on the role of instructor and explain how an attack works, as well as walk through the hack using the provided infrastructure. This means the user is presented with the technical information and background, and also with a lab environment. After the user has gone through all of the information, they are presented with the option to start the infrastructure. After clicking this button, a Terraform script connects to Azure and first creates the necessary virtual machines. Once that has finished, an Ansible script runs to apply all of the needed configuration and put everything in place. When the stop button is clicked, all created resources cease to exist. This way the user can experiment as much as they want and will always have a fresh and clean environment ready to use.
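The start/stop flow described above, as an added example that is not part of the original post or of the SecuritEY code: a small Python orchestrator that runs Terraform to create the VMs, then Ansible to configure them, and tears everything down on stop. It also destroys the half-built lab when either step fails, so a user never gets an environment that exists but is only partly configured. The module directory, playbook and inventory names are assumptions, and the `runner` parameter exists so the command sequence can be checked without Terraform or Azure credentials.

```python
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Sequence

# A runner takes an argv list and returns the process exit code. The default
# shells out; a fake can be injected to check the sequence offline.
Runner = Callable[[Sequence[str]], int]


def default_runner(argv: Sequence[str]) -> int:
    """Run a command and return its exit code (output goes to the console)."""
    return subprocess.run(list(argv), check=False).returncode


@dataclass
class LabModule:
    name: str
    terraform_dir: str          # assumed layout: one Terraform root per module
    playbook: str               # Ansible playbook applied once the VMs exist
    inventory: str              # inventory the playbook is run against (assumed)
    runner: Runner = default_runner
    log: List[str] = field(default_factory=list)   # every command issued, in order

    def _run(self, argv: Sequence[str]) -> int:
        self.log.append(" ".join(argv))
        return self.runner(argv)

    def _terraform(self, subcommand: str) -> int:
        # -chdir points Terraform at the module root; -auto-approve and
        # -input=false make the run non-interactive so a button can drive it.
        return self._run(["terraform", f"-chdir={self.terraform_dir}", subcommand,
                          "-auto-approve", "-input=false"])

    def start(self) -> bool:
        """Create the VMs, then configure them. True only if both steps succeed."""
        if self._terraform("apply") != 0:
            # A failed apply can leave partially created resources in state,
            # so destroy them rather than leave the user a broken lab.
            self.stop()
            return False
        if self._run(["ansible-playbook", "-i", self.inventory, self.playbook]) != 0:
            # VMs exist but are unconfigured: tear them down as well.
            self.stop()
            return False
        return True

    def stop(self) -> bool:
        """Destroy every resource the module created. Safe to call repeatedly."""
        return self._terraform("destroy") == 0


if __name__ == "__main__":
    lab = LabModule("supply-chain", "./modules/supply-chain", "site.yml", "inventory.ini")
    print("started" if lab.start() else "failed to start")
    lab.stop()
```

Keeping the two tools in one place like this makes the "always a fresh environment" promise a property of the code rather than of the user remembering to clean up: every exit path from `start()` other than success ends in `destroy`.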
Supply Chain Attack
Supply chain attacks are becoming a trend. They happen more often and can have a very severe impact. A well-trained ethical hacker has to know how these work and understand the risks. That's why it is also the first module of the platform.
When booted, five virtual machines are created and configured: one for the user, a hacking environment, and four that form a supply chain. The user is only given a website, that of HelloJava, a fictional company that provides Java applications to its customers. On this dummy website the attacker can abuse the contact form, since it uses PHP's eval function without input sanitisation. This results in remote code execution and access to the web server.
Once the connection to the web server has been established, the user can use it to read sensitive files as well as scan the internal network. They will find a new server that turns out to be the distribution server for HelloJava's software. By combining sensitive information from the web server with password reuse on the app server, a connection to the app server can be established. On this server, malicious code can be added to the software they distribute. Then, after a while, the two clients in the lab will use the software and be compromised. During the lab the user also makes use of a command and control server to keep a connection with all the compromised targets.
At the end of the lab the user will have executed a full, basic software supply chain attack. This lab is the ideal demonstration of how a small vulnerability can have an immense impact, and of how getting hacked does not have to be your own fault.
ProxyLogon
ProxyLogon is the name given to one of the latest vulnerabilities in Microsoft's Exchange Server. It combines two previously known exploits, which together result in remote code execution on all of the following Exchange servers:
- Exchange Server 2019 < 15.02.0792.010
- Exchange Server 2019 < 15.02.0721.013
- Exchange Server 2016 < 15.01.2106.013
- Exchange Server 2013 < 15.00.1497.012
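The build numbers listed above double as a triage table for a defender. What follows is an added example, not code from the original post: it parses Exchange build strings and reports whether a server is below the fixed build of its cumulative update line, using only the thresholds listed above. The hostnames and builds in `SAMPLE_INVENTORY` are constructed sample input.

```python
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int, int, int]

# Minimum fixed builds from the list above, as (major, minor, cu_build, patch).
# The third component identifies the cumulative update (CU) line; a security
# update only raises the fourth component within its CU line.
FIXED_BUILDS: Dict[str, List[Build]] = {
    "Exchange Server 2019": [(15, 2, 792, 10), (15, 2, 721, 13)],
    "Exchange Server 2016": [(15, 1, 2106, 13)],
    "Exchange Server 2013": [(15, 0, 1497, 12)],
}


def parse_build(text: str) -> Build:
    """Parse '15.02.0792.010' (zero-padded, as in the list) or '15.2.792.10'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    major, minor, cu_build, patch = (int(p) for p in parts)
    return (major, minor, cu_build, patch)


def product_for(build: Build) -> Optional[str]:
    """Map major.minor to the product name, or None if it is not in the table."""
    for product, fixed in FIXED_BUILDS.items():
        if build[:2] == fixed[0][:2]:
            return product
    return None


def proxylogon_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one build string.

    'unknown' means the CU line is newer than anything in the table, so the
    table cannot decide; the operator has to check that line separately.
    """
    build = parse_build(text)
    product = product_for(build)
    if product is None:
        return "unknown"
    fixed_builds = sorted(FIXED_BUILDS[product])
    for fixed in fixed_builds:
        if build[2] == fixed[2]:              # same CU line: compare the patch level
            return "patched" if build[3] >= fixed[3] else "vulnerable"
    if build < fixed_builds[0]:               # older CU line than any listed fix
        return "vulnerable"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the vulnerable ones can be patched first."""
    grouped: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, build in inventory.items():
        grouped[proxylogon_status(build)].append(host)
    return grouped


# Constructed sample inventory: hostname -> build number, as an admin would list it.
SAMPLE_INVENTORY = {
    "ex19-01": "15.2.792.3",
    "ex19-02": "15.2.721.13",
    "ex16-01": "15.1.1979.3",
    "ex16-02": "15.1.2176.9",
    "ex13-01": "15.0.1497.12",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The check deliberately answers "unknown" rather than "patched" for a CU line the table does not know about, since a newer build number alone does not prove the fix is present; that is the case an operator has to look up instead of assuming.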
A lot of companies may not have the knowledge, infrastructure or time to patch their Exchange server immediately, and so they remain vulnerable. Back in March 2021 this was a big issue in Belgium and all over the world.
The module provides an environment with a Microsoft Exchange Server that is vulnerable to ProxyLogon. After spawning the infrastructure, the user can use one of the many exploits available on GitHub to find out how easy it is to compromise these vulnerable servers.
The business value of this project comes down to the current popularity of these attacks. Most platforms either test skills without really explaining much, or they bother you with outdated exploits such as EternalBlue, an NSA-developed exploit leaked in 2017 that targets a common Windows service. A company that can educate its employees on upcoming and trending attacks will only benefit from this in the future. Besides the benefit of understanding these new attacks, the modules also give users the chance to see how their tools react to these new attacks and techniques. In the end, this sandbox-like environment can be used for whatever purpose serves best.
Besides educating the current cyber security staff, it will also be available for demonstrations. You could give a demo to the Supply Chain team to create awareness, or use it to give a demo to students to show EY's capabilities and maybe spark their interest in cyber security. You could even show clients why certain measures are necessary and what impact neglecting their investment in cyber security can have.
It was an amazing opportunity to work in such a fun and experienced team. For me it was the perfect combination of freedom and guidance. I had a project that really challenged me, but was still something I managed to finish in the end. I got great feedback and learned a lot from working at such a professional level.
Even though we were still suffering from the impact of COVID on our daily lives, the team put in a lot of effort to keep everything running smoothly. We had a lot of meetings and even got to meet someone new during a coffee break every week. During my time at EY, I had two mentors guiding me, both of whom had busy work lives of their own. Nonetheless they always found the time to help me and give me answers and feedback, for which I'm extremely grateful.
All in all it was definitely one of the best experiences during my time at college. The team, the project, the fun and the new things I learned, it was all truly amazing and way more than I expected. I'm happy with my result and with my grades and absolutely recommend an internship at EY.
28 May, 2021
Andreas Van Den Broecke
Cyber Security Engineer @ EY
Senior Cyber Security Engineer @ EY