The Luxembourg Job

Discover how a combined physical and social attack by a single member of our Swarm exposed network and process vulnerabilities.

The client

For us, client confidentiality is key. So, while we can’t reveal names, know that the world’s leading organizations trust their offensive cybersecurity needs to us.

The focus of this attack was a large global financial organization.

The brief

The organization needed to assess the physical controls and local processes at their European remote offices, including an assessment of site security, physical vulnerabilities, untested environments and security blind spots.

The mission

Our cybersecurity specialist (let’s call him Doug) was dispatched to the client’s Luxembourg site for a physical security and social engineering engagement.

After deciding against entering via the slow-moving door of an underground car park, Doug simply gained access by tailgating a delivery driver into the reception area.

An empty room in a quiet part of the building was the chosen spot to set up a laptop, which then deployed a ‘dropbox’ preconfigured to attack the company’s domain in order to gain admin privileges.

As the scripts ran, Doug was able to sit at his post for almost three hours, entirely undisturbed. However, we have to admit that, in this case, things didn’t go exactly as planned.

Doug decided to explore the office, making sure his phone was set up to receive remote updates. After he had helped himself to coffee and chatted with the staff, the MD arrived and, as there was no record of Doug signing in at reception, was immediately suspicious.

Although he held up under some intensive questioning from the MD in a locked room, Doug decided the game was up when he saw two police officers entering the building. To prevent the situation from escalating, he produced his letter of authorisation, signed by the company’s Chief Technology Officer and validating what he was doing. His ‘get out of jail free’ card.

The MD was pleased to have identified Doug as an attacker, thinking he had managed to stop him before he did anything malicious. That is, until Doug flashed his phone, still connected to the dropbox, which now displayed the message ‘Domain Admin Obtained’.

The takeaway

Doug managed to identify several weaknesses within the physical security posture and processes of the business, as well as finding a number of vulnerabilities on their network.

These vulnerabilities could easily have put the company at risk, not only by enabling access to sensitive information, but by giving permissions that could lead to the takeover of the network and, potentially, access to other areas of the business.

Following our thorough insights report, the organization took steps to prevent this from happening in a real-life scenario.

As you can see, our work isn’t just about sitting behind a screen. We also go on location to attack from every angle – whether it’s monitoring staff traffic, scoping entry and exit points or identifying and replicating staff lanyards.

Our proven expertise in conducting realistic physical security attacks will give you complete confidence in what should be your first line of defense.