This blog is the second post in our annual 12 Days of HaXmas series and was co-written by Jonathan Stines and Tommy Dew.

As the holidays come to a close, the “busy season” has again come and passed for Santa and his elves, giving the North Pole time to regroup and begin focusing on the next year’s holiday season—including their security posture!

Planning

With all the holiday competitors Santa has to worry about in the industry—such as the Thanksgiving “T-Day” Turkey and the Easter Bunny—it is very important that the North Pole’s security is on the up-and-up. Last year, Santa hired an outside security consultant, Snapid Kevin, to come in and evaluate the North Pole’s password security posture. This year, Santa decided to once again bring Snapid back in, since he did such a fine job. However, this time, Santa wants to ensure his physical and personnel security is evaluated and tested for vulnerabilities.

When discussing the scope of work with Santa and his team, it was determined that the physical assessment was to simulate a malicious actor as part of a red- and green-team effort. But we’re not talking about just any malicious actor here: APT#1122, aka T-Day Turkey! The assessment’s code name? Operation THUNDERGOOSE.

OSINT and recon

There was no doubt that Snapid had his work cut out for him, so he immediately got to work. He first started by performing Open Source Intelligence Gathering (OSINT) on the North Pole. He looked up the organization on LinkedIn, Facebook, and Twitter to gain an idea of its overall workplace culture. While reviewing photos, Snapid observed elve candy maker interns wearing North Pole badges—and not just any badges, but ones with HID Low-Frequency, which is a legacy system vulnerable to replay attacks.

He also caught a photo of what the elvish floor employees’ badge identification looks like so that he could impersonate one himself. Snapid then purchased the domain “thenorthp0le.santa,” which appeared similar to Santa’s legitimate “thenorthpole.santa” in case he needed to perform phishing while onsite.

With knowledge of the North Pole’s badge type and the spoofed domain email set up on his phone, Snapid brought his badge cloner and began casing the outside of the facility, acting like a lost elf who needed directions. As he asked the other elf workers how to get to the nearest toy parts store, he was actually cloning badges! Snapid left the area and returned later that day with his cloned badge and spoofed badge ID cards, then dressed up in a candy delivery elf outfit. He was set to enter and engage the North Pole toy factory.

Entering the facility

Upon entering, Snapid noticed there were no badge readers on the door, but rather an elf receptionist at the front desk. He approached with a dolly and boxes in his hand, explaining he was there for an urgent candy delivery. The receptionist said he had not been notified of his presence.

Snapid had already written an email to be sent to the receptionist in case this happened to help solidify the legitimacy of his pretext. With knowledge of the North Pole’s email syntax learned from OSINT, Snapid knew the receptionist’s email address from the nameplate on his desk and sent him a spoofed email from Santa that indicated an urgent candy delivery was to be made and that he should be let in immediately. Snapid set the boxes down and sent the email from his phone. When the receptionist received the email, he let Snapid into Santa’s factory.

Gaining a foothold

Once on the factory floor, Snapid found an unattended workstation. Using a malicious USB stick loaded with tasty Operation THUNDERGOOSE tools, Snapid inserted the drive into a legacy Windows 2003 server without host protections. This created a custom reverse chocolate and peanut butter shell back to his Command and Control Candy (C2CC) server. With a persistent (and delicious!) shell connecting back to Santa’s internal network, Snapid was well positioned to emulate APT#1122’s techniques, tactics, and procedures.

First, Snapid passively monitored the North Pole broadcast traffic, carefully inspecting LLMNR and NetBIOS requests and responses. Using a small script, Snapid slowly port scanned Santa’s network for exposed ports, including TCP port 445. After identifying his target, Snapid deployed his custom Holiday “HO-HO-HO-OH-DAY” exploit and compromised a Windows 2008 server.

Using access to the Windows server, Snapid then dumped the server’s SAM and LSASS, discovering Domain Administrator credentials in cleartext! Leveraging these administrator credentials, Snapid extracted the NTDS.dit database on Santa’s Domain Controller and exfiltrated the goodies back to his C2CC. Snapid then consulted with his password research expert, Patty Lavender, on the best way to crack the North Pole's NTDS.dit database. Using an offline cracking machine to crack the passwords with specialized rule sets, Patty helped Snapid crack over 90% of the NTDS.dit and found that Santa had been naughty when it came to following Snapid’s recommendations from 2017!

Accessing the recipe lab

As Snapid continued to roam throughout the North Pole facility, he came across the Extreme Peppermint Candy Coloring lab room, a specific room Santa said unauthorized individuals were absolutely not allowed access to, considering it had all the North Pole’s prized candy cane recipe research and development. Snapid noted that the room employed multi-factor authentication (MFA) in that a unique PIN and badge was required. Snapid tried on the badges he cloned earlier and guessed the PIN “1225.” Sure enough, the door unlocked, and he walked in!

Exploring the lab, Snapid quickly threw on a Santa lab coat to blend in with the environment and other elves in the area. No one questioned his presence. He went in to the recipes filing room, documenting his presence in the form of shameless selfies. Additionally, Snapid found Santa’s unattended office and left his business card with cookies and milk on his desk.

Conclusion

Once Snapid delivered the completed report to the North Pole, Santa was pleased with Snapid’s assessment and scheduled a debriefing call to cover the findings. During the debrief, Santa had Snapid walk through the report while he answered any questions that Santa and his security team had. This engagement ultimately structured and guided Santa’s sugar security budget and peppermint policy for the 2019 year.

Next year, we’ll see how the North Pole’s security posture has evolved and improved based on Snapid’s recommendations and hard efforts from Santa’s security team.