Pwning The Deus Group

Actual Photo of the Deus Group

Mr.Robot Season 4 Episode 9 just aired, and Elliot, Mr.Robot and Darlene take down the Deus Group by stealing their money. This might not be important to anyone else, especially those of you who read my blog for “real cyber security” tingz, but after all this is the Shitty Cyber-Security Blog. Anywho, I wanted to explain and break down how exactly Elliot pulled this hack off in honor of finally taking down the “top 1% of the top 1%” and essentially ending the show's initial purpose…

Preparation:

Let's start from the beginning. Elliot and Darlene set out to hack the Deus Group by transferring all of the money out of their Cyprus National Bank accounts, but first they need access to a Cyprus National Bank account that has transfer privileges. Elliot does some recon and finds Olivia, Susan Jacobs's contact. She's the only US account manager for the Deus Group, so Elliot plans to pwn her somehow. He breaks into her house and exports all of her browser credentials using ffpass and then imports them onto his laptop:

ffpass import --from olivias_passwords.csv

Soon after this he discovers that an OTP is required to log in. He also discovers that Olivia is addicted to oxy, which he can use to blackmail her for the OTP. His plan fails and he ends up sleeping with her, but secretly steals an OTP from her key generator and sends it to Darlene. Darlene then finds out that Olivia doesn't even have transfer privileges…

REEEEEE

After doing all of that for nothing, their only option left is to break into Virtual Realty.

Fast forwarding through the Virtual Realty hack, Darlene and Elliot successfully create a network/security admin account on proxy.cyprusnationalbank.com via the Domain Controller. This allows Elliot to intercept all proxy traffic from Cyprus National Bank logins. Since someone who has transfer privileges needs to log in so Elliot can steal their credentials, he blackmails Olivia into calling her boss to check for an invoice. Now Elliot and Darlene have everything they need to pwn the Deus Group.

Like A Boss

The Hack:

In order to rob the Deus Group, Elliot and Darlene have to complete the following:

  1. Get the Deus Group in one location
  2. Grab all of their numbers using an IMSI Catcher and verify them against the CNB database
  3. Initiate a transfer, intercept all 2FA codes using an SS7 exploit and confirm the transfer

As seen in the episode, things don't go as planned and no one shows up to the meeting. Mr.Robot comes to the conclusion that if Whiterose made a change in plans, he'd notify all of the attendees. Using Tyrell's old phone snapshots, he imports all of his passwords using ffpass once again:

ffpass import --from /tmp/passwords/T_Wellick_passwords.csv

Visiting Tyrell's iCalendar account shows that a scheduled event had been updated. Attached to the update is a link to 07f1rxpbxus9jhphmzja.sh. It's password protected, but Darlene opens Signal and somehow magically there is a password: KTa7Yob0t&IJdSI5+

Wayment

This leads to the following image:

Venue Change

Darlene goes to the new location but Mr.Robot stays to hack Whiterose's phone. Soon Darlene realizes she can't break into the meeting building because of how heavily secured it is. She films an fsociety video exposing the Deus Group to lure them out of the building. To ensure the Deus Group doesn't leave via the parking lot, she uses a HackRF One to record the signal of a remote which controls a car blocker, then replays the closing signal repeatedly using hackrf_transfer. She leaves her HackRF One behind and goes to where all of the Deus Group members have piled up outside and executes simple_IMSI-catcher.py, which dumps all IMSI numbers around the area. Then she runs the number verification script:

python imsinumberverify.py

bts disabling gsm encryption
running packet capture

sudo tcpdump -ni -s eth0 -w IMSI.pcap

moving to background capture
importing existing pcap file from wireshark
locating imsi in pcap

identifying captured phone numbers
hashing phone numbers with sha-256
locating phone numbers in cyprusnationalbank database

This does exactly what it says: it takes every phone number captured around Darlene, hashes it with SHA-256, and runs a query against the Cyprus National Bank database to find the matching account holder (the show's query quotes the identifiers as string literals; cleaned up it reads):

SELECT firstname, lastname FROM accounts WHERE phone LIKE '{sha-256 phone goes here}';
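The lookup the script performs, written out as an added example (my code, not the show's script or any real bank schema): the `accounts` table, the sample account holders and the "captured" numbers are all constructed here, and the column names follow the query above. Two details the on-screen query glosses over matter in practice: numbers have to be normalized to one canonical form (E.164) before hashing, or the same phone written two ways produces two different hashes and the lookup silently misses; and the hash must be bound as a query parameter rather than formatted into the SQL string.

```python
import hashlib
import re
import sqlite3

# Constructed sample account holders (firstname, lastname, phone in E.164).
SAMPLE_ACCOUNTS = [
    ("Ada", "Lovelace", "+15551230001"),
    ("Grace", "Hopper", "+15551230002"),
    ("Alan", "Turing", "+442071230003"),
]

# Constructed "captured" numbers, in the mixed formats a capture or a
# contact list would actually contain. The third one belongs to nobody.
CAPTURED_NUMBERS = [
    "555-123-0001",
    "+1 (555) 123-0002",
    "+1 555 123 9999",
    "+44 20 7123 0003",
]


def normalize_phone(raw: str, default_country_code: str = "1") -> str:
    """Reduce a phone number to E.164 (+<cc><number>) so the same number
    always hashes to the same digest regardless of how it was written."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:  # national format without a country code
        return "+" + default_country_code + digits
    return "+" + digits  # assume the country code is already present


def hash_phone(e164: str) -> str:
    """SHA-256 hex digest of a normalized number, the form stored in `phone`."""
    return hashlib.sha256(e164.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the bank database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (firstname TEXT, lastname TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(first, last, hash_phone(phone)) for first, last, phone in SAMPLE_ACCOUNTS],
    )
    conn.commit()
    return conn


def verify_numbers(conn: sqlite3.Connection, captured: list) -> dict:
    """Map each captured number that matches an account to (firstname, lastname).

    The digest is bound as a parameter, never interpolated into the SQL, and
    the comparison is an exact `=`: a hash is a fixed string, and LIKE with a
    stray `%` in the input would match every row.
    """
    matches = {}
    for raw in captured:
        digest = hash_phone(normalize_phone(raw))
        row = conn.execute(
            "SELECT firstname, lastname FROM accounts WHERE phone = ?", (digest,)
        ).fetchone()
        if row is not None:
            matches[raw] = (row[0], row[1])
    return matches


if __name__ == "__main__":
    db = build_sample_db()
    for number, name in verify_numbers(db, CAPTURED_NUMBERS).items():
        print(f"{number:>20} -> {name[0]} {name[1]}")
```

Note that hashing the stored numbers buys the bank almost nothing against this kind of lookup: a phone number is only about ten digits, so the whole space is small enough to enumerate, and an unsalted SHA-256 over it is a lookup table waiting to be built. A keyed hash (HMAC with a secret the database does not hold) or a proper tokenization service is what actually keeps a leaked `accounts` table from being joined against a list of numbers.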

Once Darlene has 99 numbers verified, all they need is Whiterose's phone number to initiate the transfer. Elliot notices a cell tower in front of Whiterose's location. Using recon-ng he finds the email addresses of the telecom employees who work at Gallatin and starts a phishing campaign:

sendphishmail.py -f procliamse@riseup.net -r gallatin.txt -s 'SSL Error, Please Log In!'

After many of the employees submit fake credentials, he finally gets valid credentials for VPN access:

Username: emurabahti@gallatintelco.com
Password: QS2d77FUGE

Using the access he has, he is able to intercept all GSM traffic using tcpdump and Wireshark. Multiple devices were connected to the cell tower, so Elliot couldn't tell which phone number belonged to Whiterose. He sends the PCAP file to Darlene and she runs the phone number verification script on it. Once they have Whiterose's phone number, Darlene can initiate the transfer. Using smsautoretrieve.py, she starts the bank transfers, which sends a 2FA code to every Deus Group member, and logs the codes to a PCAP file. Elliot intercepts Whiterose's 2FA code and sends it to Darlene, then 2fa-intercept.py is executed. It takes the 2FA PCAP file and searches for all 2FA codes, submits them automatically, and transfers all of the money to a dummy bank account… (which is possibly buying bitcoin and tumbling it, judging by previous episodes)

And just like that, Elliot, Darlene and Mr.Robot pwned the Deus Group!

It's over

Written on December 2, 2019