War Story: Accounting Company
20th of February 2018
An accounting company invited FortConsult to perform an internal penetration test in order to assess their cyber risks and identify potentially critical vulnerabilities that could pose a danger to their critical data and business continuity.
An internal penetration test is performed on the assumption that the attacker has already gained a foothold on the network. There are multiple scenarios in which this starting point is realistic (a successful phishing or physical attack, an insider threat, and so on), which is why some clients choose to have internal and external penetration tests performed separately.
We started by plugging into an Ethernet port on the company’s office network and scanning for open ports and vulnerabilities. The vulnerability scan revealed servers that were vulnerable to EternalBlue, an NSA exploit for the SMBv1 flaw that Microsoft had patched in MS17-010; the exploit had recently been leaked and was freely available online.
Exploiting EternalBlue gave us code execution on a server as NT AUTHORITY\SYSTEM. Extracting credentials from memory with Mimikatz revealed a logged-on domain admin, and we were able to move laterally while impersonating that user. With those credentials we compromised other servers and logged into the domain controller, which allowed us to dump the password hashes stored there, i.e. those of every account in the domain. At this point, FortConsult effectively had complete control of the company’s network, servers and workstations.
The client was alerted as soon as this was accomplished and advised to apply the necessary patches immediately. The backdoor was promptly removed and the system patched. We verified that the vulnerability was no longer present on the targeted server and scanned the network range for other servers still vulnerable to EternalBlue, reporting our findings to the client immediately.
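To make the re-scan described above repeatable, here is an added example (it is not FortConsult’s tooling nor code from the original page) that drives nmap’s smb-vuln-ms17-010 NSE script over a range and turns the XML report into a patch list. The NSE script only probes the SMB service and does not exploit it, so it is safe to run against production. The SAMPLE_XML, the 10.10.20.x hosts and the function names are constructed for illustration; the XML layout follows the structure nmap’s vulns library emits, with one <table key="CVE-2017-0143"> holding an <elem key="state"> verdict per host.

```python
"""Triage nmap smb-vuln-ms17-010 output: which hosts are still exposed to EternalBlue?

Added example, not FortConsult's tooling. Assumes nmap >= 7.40 (ships the
smb-vuln-ms17-010 script) and a scan saved as XML with -oX.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"   # NSE script shipped with nmap since 7.40

# Constructed nmap XML (-oX) for three hosts on a /24: one still vulnerable,
# one patched (nmap only reports NOT VULNERABLE with --script-args vulns.showall),
# and one with 445/tcp closed, so the script never produced a verdict for it.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p445 --script smb-vuln-ms17-010 10.10.20.0/24">
<host><status state="up"/><address addr="10.10.20.14" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
<hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE: ... State: VULNERABLE">
<table key="CVE-2017-0143">
<elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">VULNERABLE</elem><elem key="risk_factor">HIGH</elem>
<table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
</table></script></hostscript></host>
<host><status state="up"/><address addr="10.10.20.21" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
<hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE: ...">
<table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
</script></hostscript></host>
<host><status state="up"/><address addr="10.10.20.30" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
</nmaprun>
"""


def classify_hosts(xml_text):
    """Map each scanned IPv4 address to VULNERABLE / LIKELY VULNERABLE /
    NOT VULNERABLE / UNCHECKED.

    The vulns library writes the verdict in <elem key="state">; older builds only
    carry it in the script's text output, which is used as a fallback.
    """
    states = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        states[ip] = "UNCHECKED"          # "no verdict" is not the same as "patched"
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            verdicts = [e.text.strip() for e in script.iter("elem")
                        if e.get("key") == "state" and e.text]
            if verdicts:
                states[ip] = verdicts[0]
            elif "State: VULNERABLE" in script.get("output", ""):
                states[ip] = "VULNERABLE"
    return states


def vulnerable_hosts(xml_text):
    """IPs to patch (MS17-010) or isolate first; sorted for stable reporting."""
    return sorted(ip for ip, st in classify_hosts(xml_text).items()
                  if st in ("VULNERABLE", "LIKELY VULNERABLE"))


def unchecked_hosts(xml_text):
    """IPs with no verdict: they need a follow-up check, not a green tick."""
    return sorted(ip for ip, st in classify_hosts(xml_text).items() if st == "UNCHECKED")


def scan(target):
    """Run the live, non-exploiting check against a range, e.g. scan('10.10.20.0/24')."""
    cmd = ["nmap", "-n", "-Pn", "-p445", "--script", SCRIPT_ID, "-oX", "-", target]
    xml_text = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return classify_hosts(xml_text)


if __name__ == "__main__":
    # With a target argument the scan runs for real; without one the sample is parsed.
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else classify_hosts(SAMPLE_XML)
    for ip, state in sorted(results.items()):
        print(f"{ip:15} {state}")
```

The UNCHECKED bucket is the part that matters for the patch-audit point made later in this post: a host that did not answer on 445/tcp, or that the script could not evaluate, has not been shown to be patched, and a sweep that silently drops such hosts is exactly how three servers get overlooked.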
We continued to look for other attack vectors that could lead to a compromise of the company and ran further Nmap scans. We found a string of services with default credentials (e.g. “admin”, “root”) and passwords that were trivial to brute-force, such as 12345678, which gave our consultants access with high privileges. Already having a field day, our consultants’ most noteworthy trophies were:
- Access to a backup server, where a potential attacker would be able to manage disks, formatting, deleting, encrypting drives, etc.
- Access to a user’s workstation, as a result of a default password on a desktop sharing system installed at an external office location
- Access to VOIP servers, allowing an attacker to record and eavesdrop on conversations
- Access to printers, allowing an attacker to send prompts and access cached documents
- Access to security cameras with default credentials, allowing an attacker to monitor the physical security in the company or disable the cameras in case of a physical breach
- Access to a projector with enabled WiFi, allowing an attacker to take over the projection
Finally, while testing the guest Wi-Fi network, we found a server that could be used to gain access to the corporate network. This posed a significant risk to the company, as the guest Wi-Fi was public and reachable from outside the company’s premises.
This penetration test, like many similar ones, is a seemingly trivial but, as shown here, much-needed reminder that attackers don’t care how complicated or inconvenient fixing security issues might be for your business. They will search for the easiest way in, and are unforgiving when it comes to exploiting your vulnerabilities.
In this particular case, the client was breached with the help of EternalBlue, a well-known and publicised vulnerability at the time. The company had a patch management policy, and did apply patches to thousands of servers, but had overlooked three that were still vulnerable. Just one vulnerable server combined with a lack of appropriate segmentation is enough to leave the whole network exposed. This goes to show that merely having a policy in place is not enough – you need to actually execute on it and have processes in place to ensure that it is enforced and audited. Additionally, well-established network segmentation would have limited the damage that an attacker could do in case of a compromise.
Meanwhile, default credentials in services and systems are an easy win for an attacker who is already inside the network. Establishing a process to ensure that they are removed, and never introduced when new systems are deployed, would therefore go a long way towards raising this company’s security posture. Lastly, a hole in the firewall rules or a misconfiguration of the guest Wi-Fi network is easy to overlook, but can have serious consequences if it leads to a breach of the office network.