Rapid7 reveals details of an extremely entertaining cyberattack.
Rapid7 recently conducted penetration testing to identify security vulnerabilities in one of its customers. During testing, significant problems were found in network segmentation and access settings, which led to serious consequences for the security of the client's company.
As part of the test, the researchers tested how easily a potential attacker who penetrated the domain could navigate through internal systems and gain access to critical data. Among the tasks was also to find out how vulnerable the client's Amazon Web Services (AWS) infrastructure is and whether it is possible to gain access to systems with confidential information.
Pentesters managed to hack the domain in just an hour and a half, using common attack vectors. First, they used the Responder "network poisoning" technique to obtain low-level network credentials, and then used Active Directory Certificate Services (ADCS) web registration vulnerabilities to elevate privileges to the domain administrator level.
One of the key points was the lack of proper network segmentation and access control policies. Rapid7 testers noted that their device could access subnets containing users' devices due to the lack of appropriate settings. Properly configuring these settings could make it much harder to navigate the network and protect sensitive resources.
Attempts to gain access to the company's confidential Google Suite resources required multi-factor authentication (MFA), which made the task more difficult for pentesters. Also, RDP sessions were securely protected, which prevented access to them from the attacking network. However, hacking experts found a way to circumvent these measures using the Impacket utility, using the "wmiexec" script to examine the file system on the device of one of the software developers.
A hidden AWS directory with active credentials was detected on the developer's device. This data allowed Rapid7 researchers to gain administrative access to the AWS console. The created account provided permanent access to AWS, which simplified further penetration into the company's systems.
Attackers gained access to a variety of sensitive resources, including event monitoring systems and GitLab. The most important achievement was the penetration of the company's secret vault, which opened up access to security devices, on-campus cameras, and a badge printing system.
White hackers obtained all the necessary data to create a digital pass with full access to the company's facility. Detection of combinations for locks and alarms, as well as access to the Network Management Center (NOC) keys, would allow attackers to easily enter the company's physical premises.
This case, disclosed by Rapid7, clearly demonstrates how internal software vulnerabilities can lead to serious consequences for the company's material security.
To prevent such incidents, strict measures are needed to protect and segment critical assets, implement multi-factor authentication for all confidential systems, and conduct regular penetration tests to identify and eliminate vulnerabilities.
Source
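The persistent AWS access in this story came from a static credentials file sitting on a developer's workstation. As an added example (not code from Rapid7 or from the post above), the script below audits an AWS credentials file and flags profiles that hold long-lived IAM user keys rather than temporary STS keys; the AKIA/ASIA prefix convention is AWS's own, while the profile names and key values are constructed.

```python
# Added example: audit an AWS credentials file for long-lived static keys.
# Real AWS convention: access key ids starting "AKIA" are long-term IAM user
# keys (valid until revoked), "ASIA" are temporary STS keys (expire on their own).
import configparser
import os

LONG_TERM_PREFIX = "AKIA"
TEMPORARY_PREFIX = "ASIA"


def audit_credentials(text: str) -> list[dict]:
    """Parse credentials-file text and classify each profile's access key.

    Returns one record per profile with 'risk' set to 'long-term',
    'temporary', 'no-key' or 'unknown'. Long-term keys are the ones that keep
    working if copied off the device, which is what enabled persistence here.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id", "").strip()
        if not key_id:
            risk = "no-key"
        elif key_id.startswith(LONG_TERM_PREFIX):
            risk = "long-term"
        elif key_id.startswith(TEMPORARY_PREFIX):
            risk = "temporary"
        else:
            risk = "unknown"
        # Only the first 8 characters are reported so the audit output itself
        # never becomes another copy of the secret material.
        findings.append({"profile": profile, "key_id": key_id[:8], "risk": risk})
    return findings


def long_term_profiles(text: str) -> list[str]:
    """Names of profiles whose keys should be rotated to temporary credentials."""
    return [f["profile"] for f in audit_credentials(text) if f["risk"] == "long-term"]


# Constructed sample file; the key ids and secrets are placeholders, not real.
SAMPLE = """[default]
aws_access_key_id = AKIACONSTRUCTED0001
aws_secret_access_key = constructed-secret-not-real

[ci-temporary]
aws_access_key_id = ASIACONSTRUCTED0002
aws_secret_access_key = constructed-secret-not-real
aws_session_token = constructed-session-token
"""

if __name__ == "__main__":
    path = os.path.expanduser("~/.aws/credentials")
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for finding in audit_credentials(text):
        print(f"{finding['profile']:<20} {finding['key_id']:<10} {finding['risk']}")
```

Run on a fleet of developer machines, a non-empty result from long_term_profiles() is the list of keys to move to SSO or role-based temporary credentials before an attacker with wmiexec-level access finds them first.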