Hello everyone,
I just recently pulled off my biggest breach and wanted to share with you. A few weeks back I was contacted about a job. Before accepting I did some research and the intel I gathered made me think I wasn't going to be able to take this one. The target was large, the location was tricky, and what the client was asking for seemed a bit too much for me to handle by myself. But the price we were discussing was too good to give up on. I asked for a down payment and it came through. Since they were serious buyers, I had to go for it. So here is the story of how I breached the Shanghai Fudan Microelectronics Group.
[Image: fm.png]
THE FOOTHOLD
This is always a test to see how easy or difficult a job is going to be. I checked out the website first and, after gathering intel, I checked some stealer logs for creds. I managed to get some and landed SSH access. This start was strong, but I needed to get further than here, so after enabling their VPN I set up my tunnels. Now I had a reliable setup and could dive further. So far so good.
NETWORK RECON
Now that the tunnel was set up it was time for recon: a quick ping sweep and some nmap commands. SSH was open on some of the hosts internal to the network, so I took a shot in the dark. Surprisingly, after a few attempts, success again. I got root on a workstation because of their weak password policy. First root access was achieved and host recon begins.
LATERAL MOVEMENT
Well, I found some Weaver OA servers. I got what I wanted from here and moved on. As I kept moving I couldn't help the feeling that I needed to leave a piece of me behind. So I decided to drop a little something for the admins to find later. Without going into details, the payload partially decodes to "Free IntelBroker". IB, if you ever see this, we all miss you, Legend.
RDP
Next came the goldmine I was looking for: win2003WanGuAD.fmsh.com.cn. Oh god... Windows Server 2003 SP2. They are basically asking for it now. I expected more from a tech company. Let's try reusing some creds. Can they be this stupid?
I won't make you wait. The answer is YES. It's time to get to work. I didn't want to be interrupted, so I disabled a ton of accounts and dumped the .dit.
Seriously tho. Look at some of these. Am I punching below my weight? I'm not sure it's even hacking at this point. More like natural selection.
Code:
fmsh.com.cn\shilei:SLYLANE67:1114:aa0b18ed4cf093d181fe6d90b93317cb:269f3c25b29e7c1ed284046066af9543:::slylane67
fmsh.com.cn\yujun:YUYANG2:1116:54856674208817abaad3b435b51404ee:dc3aa732994518b6f45e879d5a4f5436:::yuyang2
fmsh.com.cn\chengjunxia:21533:1117:82f37f5521a35adaaad3b435b51404ee:50f1aaae121a9653f27fc816d29bbcad:::21533
fmsh.com.cn\wangsu:123456:1118:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::123456
fmsh.com.cn\liwei:SHERRY:1119:8a2927b08358e49daad3b435b51404ee:77aa9a2096d9bc5bcde1d6140bc89598:::sherry
fmsh.com.cn\daizhongdong:COMKINGTT:1122:01f272c6a6d94702844c4e57d83fae69:e7caa987d2c98bce2b6d41e2d41ad015:::
fmsh.com.cn\wangyuanbiao:PROFESSIONAL:1123:eb7618163563325ab80eab034a2d2b8a:b01a69b3fc80a33fcc96afc11146c8be:::professional
fmsh.com.cn\zhangyanfeng:FENGR211067:1125:558cabda5501eeba2b60bd9291f84607:78a3129feca460035ed9ce4f216de23f:::
fmsh.com.cn\zhanggang:DOG1:1127:f895f5799984e253aad3b435b51404ee:33b20bdf92367a465df94be56720e581:::dog1
fmsh.com.cn\dangyunfei:HELLO1234:1706:0beea40070bb64aa19f10a933d4868dc:9b6527a2fa104886453b3b75bc0da9d6:::Hello1234
RIP & BRICK
Now that I can get just about everywhere, it was time to do the job I was hired for. Let's pillage and burn. The FTP server was a good place to start. I grabbed everything, then looped a quick rm -rf and checked for backups.
Next, I found their source code repo and did the same. I know I said goldmine when I landed on the DC but in reality, this was the box that gets me paid.
Now the Proxmox VE. After turning on my cheats I 360 no scoped this one. CLIP THAT, CHAT!
The backups almost made me spit out my coffee. "Linux 2.6.32-642.el6". They are running on a kernel from 2009. After I collected myself off the floor I pressed on.
Then came something new: Kingdee (K3) EAS. Honestly, never heard of this one. But this was a day for firsts. Turns out it was juicy. The client will be happy.
Let's not leave out the Docker host running their GitLab. Sorry, not sorry.
SCORCHED EARTH EXIT STRATEGY
At this point my eyes are tired and I want to get paid. What is the equivalent of burning the building on your way out?
Answer: turn all those expensive switches and routers into expensive paperweights. Turned off syslogging, deleted firmware, and erased the configs.
PAYDAY
I'll be honest. When I was first contacted for this I thought I was going to have to decline. But it just goes to show that you don't know until you try. Now the easy part. Let's get that money.
So what do you all think?
Are they cooked, chat?