Recently, there were claims of a breach of the Italian Red Cross network, in which the threat actor allegedly infiltrated despite the presence of EDR/XDR technology, specifically Trend Micro Apex One, which reportedly proved ineffective at detecting or blocking the intrusion. With just a simple PHP web shell, the threat actor gained access to the network and, by their own account, easily became an administrator of the organisation's Active Directory.
Surprisingly, the breach reportedly did not involve sophisticated techniques such as Kerberoasting or S4U abuse; the machines reachable from outside were vulnerable to various known exploits, which made Local Privilege Escalation (LPE) straightforward. The threat actor also found that a 'master' password, 'Sviluppo.1864' or 'Sviluppo.1864!', was widely reused across local and network accounts.
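The password reuse described above is something a defender can detect before an attacker does: if the same NT hash turns up for the local administrator (or other local accounts) on many hosts, one password is being shared across them. The following script is an added example written for this page, not code from the article or from the threat actor. It assumes a host-prefixed, secretsdump-style input format (host:user:rid:lm_hash:nt_hash:::); the host names and hash values are constructed sample data, not real ones.

```python
from collections import defaultdict

# Constructed sample: hash lines gathered from several hosts, one account per
# line, in a host-prefixed secretsdump-style format. The LM field is the
# well-known "empty LM hash"; the NT hashes are made-up values.
SAMPLE_DUMP = """\
srv01:Administrator:500:aad3b435b51404eeaad3b435b51404ee:1b5c8d2e3f4a5b6c7d8e9f0a1b2c3d4e:::
srv01:backup:1001:aad3b435b51404eeaad3b435b51404ee:1b5c8d2e3f4a5b6c7d8e9f0a1b2c3d4e:::
srv02:Administrator:500:aad3b435b51404eeaad3b435b51404ee:1b5c8d2e3f4a5b6c7d8e9f0a1b2c3d4e:::
srv03:Administrator:500:aad3b435b51404eeaad3b435b51404ee:99aa11bb22cc33dd44ee55ff66aa77bb:::
ws07:Administrator:500:aad3b435b51404eeaad3b435b51404ee:1b5c8d2e3f4a5b6c7d8e9f0a1b2c3d4e:::
"""


def parse_dump(text):
    """Yield (host, user, nt_hash) tuples from host-prefixed hash lines.

    Blank lines, comment lines and lines with too few fields are skipped so
    that a partially garbled collection file does not abort the whole run.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 5:
            continue
        host, user, _rid, _lm, nt = parts[:5]
        yield host, user, nt.lower()


def find_shared_hashes(text, min_hosts=2):
    """Return {nt_hash: [(host, user), ...]} for every NT hash that is
    present on at least `min_hosts` distinct hosts.

    Comparing hashes rather than cleartext is enough: two accounts with the
    same NT hash have the same password, so a hash seen on several machines
    is exactly the reuse an attacker would pivot on.
    """
    by_hash = defaultdict(set)
    for host, user, nt in parse_dump(text):
        by_hash[nt].add((host, user))
    return {
        nt: sorted(accounts)
        for nt, accounts in by_hash.items()
        if len({host for host, _ in accounts}) >= min_hosts
    }


if __name__ == "__main__":
    for nt, accounts in find_shared_hashes(SAMPLE_DUMP).items():
        hosts = sorted({host for host, _ in accounts})
        names = ", ".join(f"{host}\\{user}" for host, user in accounts)
        print(f"NT hash {nt} reused on {len(hosts)} hosts: {names}")
```

Run over a real collection, the interesting output is any hash that appears on more than a handful of hosts; the local administrator hash being identical everywhere is the classic case, and it is worth checking domain accounts against the same list, since the article describes one password reused across both local and network accounts.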
Taking advantage of the company's low nighttime activity, with the EDR system merely sending its alerts and events to the internal JIRA system, the breach was carried out without much difficulty. The only hiccup came when the threat actor stumbled upon 13 TB of internal and non-internal videos, which were excluded from the data dump to avoid causing disruption.
The breach yielded access to internal source code, databases, backups and more, but ransomware was deliberately avoided, as the threat actor considered it unnecessary and amateurish. As a parting note, the threat actor encouraged others to mirror the data, citing issues with DMCA takedowns and Gofile's policies. They also hinted at a hidden backdoor for future access, available on request via private message.