Avast’s Threat Lab Team Lead Jakub Kroustek deciphers the terminology, techniques and tools used in the latest episode of Mr. Robot
Episode five begins with a bang. It’s Monday morning at E Corp. Elliot sits down at his cubicle and attempts to log into his company account. It’s been locked out. Did somebody try to access his domain too many times or did E Corp spot his shipping hack? We know from the previous episode that it’s the latter and Angela is to blame.
Elliot, oblivious to his impending fate, borrows his colleague’s machine to check his monitor server. He notices an update failure. His log files show that the Dark Army tried to launch stage two which includes the destruction of the downtown facility. Luckily, Elliot’s patch stopped them. But without a machine and access to the E Corp system, it’s only a matter of time before an alternative route is discovered.
MH: Hi Jakub - Elliot logs onto Kibana a couple of times during the first few scenes. Can you explain what the platform is and how it’s used in a security capacity?
JK: Kibana is open-source software that visualizes data stored in the underlying Elasticsearch engine. Its dashboards can be configured to show you what is going on in the area you are most interested in. For example, we at Avast Threat Labs use Kibana for monitoring the latest threats and trends. By using Kibana, Elliot noticed Dark Army’s attempts to update the UPS batteries in the datacenter with malicious firmware, i.e. they tried to start stage two. However, as we described in one of the previous episodes, Elliot has already patched these batteries so they cannot be updated by untrusted code, rendering the Dark Army’s attempt unsuccessful.
With a security team present to hunt down Elliot and escort him out of the building, he leaves his cubicle and an in-office pursuit breaks out. He finds a computer and loads the log data from the Dark Army’s backdoored machine. The group is using the account of a code-signing colleague to sign their own firmware and bypass Elliot’s patch. Doing so will blow up the recovery building.
MH: Would you be able to explain how the firmware could find its way around Elliot’s patch and blow up the building?
JK: Elliot’s patch means the UPS batteries can only be updated by digitally signed firmware. The Dark Army now wants their malicious firmware to be signed by an E Corp code-signing program located on the 23rd floor to bypass Elliot’s patch. To do so, they need to copy the whole system, i.e. make a backup of it.
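To make the mechanism behind Elliot’s patch concrete, here is an added example in Go that is not part of the episode, the interview, or any Avast code. It assumes an Ed25519 signing key (the show never names the algorithm) and a hypothetical UPS update gate, VerifyFirmware, that flashes an image only if its detached signature verifies against the device’s pinned public key. The example also shows the limit of the check that the plot turns on: a signature produced with the legitimate key is accepted no matter who held the key, which is why the signing system and its hardware security modules need access control and audit of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a UPS update package:
// the payload bytes plus a detached signature over their SHA-256 digest.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrUnsigned = errors.New("firmware rejected: missing signature")
	ErrBadSig   = errors.New("firmware rejected: signature does not verify against trusted key")
)

// SignFirmware is the step performed by the code-signing system (the role of
// E Corp's 23rd-floor signing program): hash the payload and sign the digest
// with the private key that never leaves that system.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyFirmware is the gate the patched UPS runs before flashing. It pins
// one trusted public key; anything unsigned, tampered with, or signed by a
// different key is refused. Note it proves which key signed the image, not
// who was at the keyboard of the signing system.
func VerifyFirmware(trusted ed25519.PublicKey, img FirmwareImage) error {
	if len(img.Signature) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(trusted, digest[:], img.Signature) {
		return ErrBadSig
	}
	return nil
}

// Tamper returns a copy of the image with one payload byte flipped and the
// original signature left in place, modelling an image altered after signing.
func Tamper(img FirmwareImage) FirmwareImage {
	p := append([]byte(nil), img.Payload...)
	p[0] ^= 0xff
	return FirmwareImage{Payload: p, Signature: img.Signature}
}

func main() {
	// Constructed keys: one for E Corp's signing system, one for an attacker
	// who does not have access to it.
	ecorpPub, ecorpPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	payload := []byte("constructed UPS firmware v2 payload")

	cases := map[string]FirmwareImage{
		"signed by E Corp key":       SignFirmware(ecorpPriv, payload),
		"unsigned":                   {Payload: payload},
		"tampered after signing":     Tamper(SignFirmware(ecorpPriv, payload)),
		"signed by attacker's own key": SignFirmware(attackerPriv, payload),
	}
	for name, img := range cases {
		if err := VerifyFirmware(ecorpPub, img); err != nil {
			fmt.Printf("%-30s -> %v\n", name, err)
		} else {
			fmt.Printf("%-30s -> accepted, flashing\n", name)
		}
	}
}
```

Only the image signed with the pinned key is accepted; the other three are refused before any flashing happens. The same acceptance applies to an image an intruder manages to push through the legitimate signing system, so detecting that path means watching the signing system’s own logs and access records, not the UPS.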
To stop them, Elliot needs to get to the hardware security modules on the 23rd floor - not an easy task with security on his tail and a pass that doesn’t work. Security wins and escorts him out of the building.
Darlene is waiting outside. She tells Elliot that she’s been working with the FBI and explains Angela’s involvement with the Dark Army and Tyrell. In a state of bewilderment, Elliot recalls the moment he, not Mr. Robot, saw Angela and Tyrell together (episode 3.3). This is his runtime error.
In the next few scenes, the E Corp building is raided by violent protesters with Angela stuck inside. She is instructed by Irving to deliver a package to Elliot that contains hardware and information on how to back up a computer on the 23rd floor. However, in the chaos she is unable to deliver the package to Elliot and takes the task into her own hands.
Angela reaches the computer and successfully runs the backup. She leaves the room and confirms to Irving that she, not Elliot, completed the backup process. The hardware is returned to a Dark Army employee patiently waiting at reception on her office floor. But somebody else is also waiting. Elliot. He wants an explanation.
Similar to episode 3.1, there was a scarcity of hacks this week. But with the recovery center on the precipice of being destroyed, what practical measures will Elliot employ next? And how will the dark cloud of betrayal from friends and family affect his decision-making process? We hope all will be revealed next week.