Luckily, it was only a test.
During penetration testing for two international companies, our team found numerous vulnerabilities. In both cases we had total control over all systems within the clients’ network and could easily shut them down, siphon data from critical customer-facing systems, take over PCI assets, and more. If we were the bad guys, the damage would have been catastrophic. Here’s a quick look at each case.
An international company with an orphaned system, which are systems that have fallen out of their inventory management system for one reason or another but still connect directly to their network. This company’s system was at risk for a breach due to an old Telerik vulnerability. As our team dove into the system further, we found that the vulnerability allowed us to upload a malicious ASPX file to the device and gain full SYSTEM access since the IIS server was running at the highest privileges possible for Windows. From there, we were able to gain Domain Admin (DA) credentials within a few minutes because a DA was running a service on the device and a feature known as wdigest was turned on. With that feature, we dumped the DA password in cleartext, which gave us full control over their network. The exploits we used are public knowledge with proof of concept code already released.
In the second case, we found vulnerabilities due to one of the most common issues in security: weak passwords. Our team commonly sees DA and even Enterprise Admin credentials at or shorter than 8 characters. These passwords usually get cracked within minutes. In fact, some credentials are so weak we can even guess them. For example, a recent client test had a DA that was for a fax system, whose credentials were literally along the lines of faxsystem2019.
As we uncovered vulnerabilities, we found that there are typically two problems that can arise, which lead to a total compromise of the network.
The first problem is a patching issue on orphaned systems, which we found during our pen testing for international company number one. The second is bad passwords. With bad passwords, hackers will password spray against mail servers, and all other login pages. It’s a shock there aren’t more breaches taking advantage of that weakness.
These are just two examples of vulnerabilities uncovered by our team. In looking at these specifically, there are proactive measures your organization can take including:
Dealing with orphaned systems:
- Be sure to conduct ongoing scanning against your entire network range to identify any systems that don’t exist in your inventory management.
- If you do not currently have an inventory of servers, workstations, and other network-connected devices, put one in place. This also helps with patch management.
Improve your password strength:
- Leverage built-in features for Microsoft Active Directory to create random local passwords by leveraging tools like LAPS.
- Put Doman Admin accounts in protected user groups and leverage tools that create complex passwords that rotate on checkout.
- Move your employees to a password management solution to ensure passwords are complex enough to include domain accounts.
- Finally, conduct health checks at least semi-quarterly on your passwords to ensure complexity.
While bad actors will continue to wreak havoc on network systems, conducting ongoing pen testing can help you minimize the damage that can result from a breach.
by Quentin Rhoads-Herrera | Offensive Security Manager, CyberOne
November 11, 2019