Pronico: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 13: | Line 13: | ||
* https://www.prensacomunitaria.org/2022/03/solway-la-minera-senalada-de-espionaje-a-periodistas-rechaza-acusaciones/ | * https://www.prensacomunitaria.org/2022/03/solway-la-minera-senalada-de-espionaje-a-periodistas-rechaza-acusaciones/ | ||
* https://www.prensacomunitaria.org/2022/03/secreto-minero-una-investigacion-sobre-las-estrategias-de-una-mina-rusa-en-guatemala6/ | * https://www.prensacomunitaria.org/2022/03/secreto-minero-una-investigacion-sobre-las-estrategias-de-una-mina-rusa-en-guatemala6/ | ||
* https://elfaro.net/es/202203/centroamerica/26055/Filtraci%C3%B3n-de-documentos-confirma-cooptaci%C3%B3n-del-Estado-guatemalteco-por-empresa-minera.htm | |||
== Hack == | == Hack == | ||
| Line 22: | Line 23: | ||
=== Video === | === Video === | ||
The hackers published a video showing in detail how they hacked Pronico, downloaded files and emails to leak, and then repeatedly sabotaged the company's computers over the course of 6 months. It can be downloaded [https://enlacehacktivista.org/hackback.webm here] or watched [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T here.] Credits for the video's soundtrack is available [https://enlacehacktivista.org/guacamaya_soundtrack.txt here] | The hackers published a video showing in detail how they hacked Pronico, downloaded files and emails to leak, and then repeatedly sabotaged the company's computers over the course of 6 months. It can be downloaded [https://enlacehacktivista.org/hackback.webm here] or watched [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T here.] Credits for the video's soundtrack is available [https://enlacehacktivista.org/guacamaya_soundtrack.txt here] | ||
==== Video Timeline ==== | |||
<nowiki> | |||
0:51 Introduction | |||
2:05 ProxyLogon | |||
5:35 Other methods of initial access | |||
7:15 Get Domain Admin via dumping LSA secrets | |||
13:35 Lateral movement onto other servers | |||
15:40 Backdooring a switch | |||
21:42 Golden Tickets | |||
25:08 Eternal Blue | |||
32:56 Enabling wdigest and dumping passwords with mimikatz | |||
33:53 Grabbing VPN and saved browser passwords of sysadmin | |||
40:26 Scanning for SMB shares | |||
42:45 Exfiltrating files | |||
49:09 Enabling file sharing via group policy | |||
54:35 Exfiltrating email | |||
1:03:22 Wiping company's storage servers | |||
1:11:31 Wiping computers with Kaspersky | |||
1:13:07 Wiping servers using diskpart | |||
1:14:46 Wiping Office 365 | |||
1:24:16 Wiping windows domain with Bitlocker | |||
1:40:28 Stealthy persistence and avoiding AV with dnscat2 | |||
1:45:28 Avoiding AV with mimikatz | |||
1:47:03 Wiping storage servers via iscsi | |||
2:06:18 Avoiding AV to exploit PrintNightmare | |||
2:13:35 Wiping windows domain with sdelete | |||
</nowiki> | |||
Revision as of 19:12, 8 March 2022
Pronico operates the Fenix mine in Guatemala, which has a long history of human rights abuses, environmental damage, and resistance by the surrounding communities.
News
English:
- https://ddosecrets.com/wiki/Mining_Secrets
- https://forbiddenstories.org/case/mining-secrets/
- https://www.theguardian.com/global-development/2022/mar/06/indigenous-groups-oppose-restarting-guatemala-nickel-mine
- https://www.occrp.org/en/investigations/mining-secrets-major-nickel-producer-accused-of-polluting-guatemalas-largest-lake#
Spanish:
- https://forbiddenstories.org/es/case/mining-secrets/
- https://elpais.com/internacional/2022-03-06/asi-se-compra-un-estado-como-una-minera-rusa-corrompio-a-todos-los-poderes-en-guatemala.html
- https://www.prensacomunitaria.org/2022/03/solway-la-minera-senalada-de-espionaje-a-periodistas-rechaza-acusaciones/
- https://www.prensacomunitaria.org/2022/03/secreto-minero-una-investigacion-sobre-las-estrategias-de-una-mina-rusa-en-guatemala6/
- https://elfaro.net/es/202203/centroamerica/26055/Filtraci%C3%B3n-de-documentos-confirma-cooptaci%C3%B3n-del-Estado-guatemalteco-por-empresa-minera.htm
Hack
The hack was done by a group calling themselves 'Guacamaya'
- Statement by the hackers
- Interview
- Screenshot of a statement posted to Pronico's website by the hackers
Video
The hackers published a video showing in detail how they hacked Pronico, downloaded files and emails to leak, and then repeatedly sabotaged the company's computers over the course of 6 months. It can be downloaded here or watched here. Credits for the video's soundtrack is available here
Video Timeline
0:51 Introduction 2:05 ProxyLogon 5:35 Other methods of initial access 7:15 Get Domain Admin via dumping LSA secrets 13:35 Lateral movement onto other servers 15:40 Backdooring a switch 21:42 Golden Tickets 25:08 Eternal Blue 32:56 Enabling wdigest and dumping passwords with mimikatz 33:53 Grabbing VPN and saved browser passwords of sysadmin 40:26 Scanning for SMB shares 42:45 Exfiltrating files 49:09 Enabling file sharing via group policy 54:35 Exfiltrating email 1:03:22 Wiping company's storage servers 1:11:31 Wiping computers with Kaspersky 1:13:07 Wiping servers using diskpart 1:14:46 Wiping Office 365 1:24:16 Wiping windows domain with Bitlocker 1:40:28 Stealthy persistence and avoiding AV with dnscat2 1:45:28 Avoiding AV with mimikatz 1:47:03 Wiping storage servers via iscsi 2:06:18 Avoiding AV to exploit PrintNightmare 2:13:35 Wiping windows domain with sdelete