Type: External Penetration Test
A large financial institution turned to us to perform a penetration test to evaluate the security of its infrastructure and test the potential for sensitive internal and client data theft. We focused on web applications operating in various hosting environments as well as the company’s infrastructure itself as part of this external penetration test.
In the first phase, we focused on testing the security of the company’s external systems and its web applications. Only a few services were active on the exposed systems, and the web application tests found several low-severity vulnerabilities. We also selected three social engineering attack vectors that, according to the information acquired in the opening reconnaissance phase (OSINT), had the highest probability of reaching the firm’s internal systems.
The first attack vector was a visit to a branch office under the pretext that we represented an auditing firm tasked by the financial institution with performing an IT audit as part of GDPR compliance. In this case, the branch employees gave us access to all the computers in the office. We launched a stager generated with the Empire post-exploitation framework. The stager was modified using our own internal processes before deployment in order to avoid detection by antivirus software.
The second attack vector was a reply to a job posting submitted through a web form on the company’s website. We created a profile for a fictitious candidate on a professional social network and sent a reply with her CV, which contained a malicious macro. The last vector was the delivery of an invoice for GDPR consulting services to a specific finance department email address acquired during the OSINT phase of the test. This document also contained a macro that connected back to our C2 server.
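Both of the successful vectors relied on a macro-bearing Office document passing through the mail gateway. The following is an added example of the kind of attachment check a defender would place on that gateway; it is not code from the original engagement or from the testing firm. It inspects an OOXML (zip-based) Office file for a `vbaProject.bin` part and for a macro-enabled content type in `[Content_Types].xml`, and flags a mismatch between those indicators and a macro-free file extension. The sample documents are constructed in memory (hypothetical `build_sample_docx` helper) so the check runs offline.

```python
import io
import zipfile

# OOXML content types that Office assigns to macro-enabled main documents.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
# Extensions that should never carry a VBA project.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def inspect_office_attachment(data: bytes) -> dict:
    """Return macro indicators found in an OOXML attachment.

    Non-zip input (legacy .doc, PDFs, plain text) yields all-False findings;
    a separate check would be needed for OLE-based formats.
    """
    findings = {"is_ooxml": False, "has_vba_project": False, "macro_content_type": False}
    if not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = archive.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    # The VBA project is stored as a binary part under word/, xl/ or ppt/.
    findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if findings["is_ooxml"]:
        content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_content_type"] = any(ct in content_types for ct in MACRO_CONTENT_TYPES)
    return findings


def should_quarantine(filename: str, data: bytes) -> tuple:
    """Decide whether an inbound attachment should be held for review and why."""
    findings = inspect_office_attachment(data)
    if not (findings["has_vba_project"] or findings["macro_content_type"]):
        return (False, "no macro indicators")
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if extension in MACRO_FREE_EXTENSIONS:
        return (True, "VBA project inside a file with a macro-free extension")
    return (True, "document contains a VBA project")


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document (hypothetical helper for the demo)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
    return buffer.getvalue()


if __name__ == "__main__":
    for name, blob in [("cv.docx", build_sample_docx(False)), ("invoice.docm", build_sample_docx(True))]:
        print(name, should_quarantine(name, blob))
```

A gateway policy built on this check would typically hold any attachment with a VBA project for review regardless of sender, since both the CV and the invoice in this engagement arrived from plausible, unrelated senders.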
The first vector was only partially successful. The branch office employees notified IT about possibly compromised systems after our visit, and the connection to those systems was terminated shortly afterwards. The other two vectors, targeting the HR and finance departments, succeeded, and the compromised systems gradually connected to our C2 server over several days. We acquired the VPN configuration and passwords through social engineering: a fake connection-error notification appeared on the compromised system and prompted the user for a password. We also accessed unprotected passwords saved in Windows Credential Manager.
The VPN connection made it much easier to advance further into the corporate network. Within the client’s network infrastructure, we were able to read a plaintext password stored on a thermostat, since the thermostat’s telnet interface required no authentication. This password proved to be shared with other infrastructure elements, such as disk arrays, switches, and even some database servers. The HR department users’ login credentials also gave us access to very sensitive internal corporate data, including the email web interface.
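The thermostat finding combines two weaknesses: a management service with no authentication, and one password reused from a low-trust device up to database servers. The following is an added audit example, not code from the engagement or the testing firm, that runs both checks over a device inventory. The inventory, host names and tier assignments are constructed for the demonstration; a real run would load them from a CMDB or configuration export. Passwords are compared by a SHA-256 fingerprint so the report itself never contains the shared secret.

```python
import hashlib
from collections import defaultdict

# Trust tiers (constructed for this example): the larger the span a shared
# password bridges, the worse a single low-tier compromise becomes.
TIER = {"iot": 0, "network": 1, "storage": 1, "database": 2}

# Constructed inventory; hostnames and secrets are hypothetical.
INVENTORY = [
    {"host": "thermostat-01", "kind": "iot", "service": "telnet", "auth_required": False, "password": "Building1"},
    {"host": "san-01", "kind": "storage", "service": "ssh", "auth_required": True, "password": "Building1"},
    {"host": "sw-core-01", "kind": "network", "service": "ssh", "auth_required": True, "password": "Building1"},
    {"host": "db-01", "kind": "database", "service": "tcp/1433", "auth_required": True, "password": "Building1"},
    {"host": "db-02", "kind": "database", "service": "tcp/5432", "auth_required": True, "password": "q7!Xv#2mLp"},
]


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix used to group identical secrets without storing them."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def unauthenticated_services(inventory: list) -> list:
    """Management services reachable without any credential at all."""
    return [(d["host"], d["service"]) for d in inventory if not d["auth_required"]]


def shared_password_groups(inventory: list) -> list:
    """Group hosts by password fingerprint and rate each reuse group by tier span."""
    groups = defaultdict(list)
    for device in inventory:
        groups[fingerprint(device["password"])].append(device)
    report = []
    for fp, members in groups.items():
        if len(members) < 2:
            continue  # unique password, nothing to report
        tiers = [TIER[m["kind"]] for m in members]
        span = max(tiers) - min(tiers)
        report.append({
            "fingerprint": fp,
            "hosts": sorted(m["host"] for m in members),
            "tier_span": span,
            # A password that bridges IoT and database tiers is the worst case.
            "severity": "critical" if span >= 2 else "high",
        })
    return sorted(report, key=lambda r: r["tier_span"], reverse=True)


if __name__ == "__main__":
    for host, service in unauthenticated_services(INVENTORY):
        print(f"no authentication: {host} ({service})")
    for group in shared_password_groups(INVENTORY):
        print(f"{group['severity']}: password {group['fingerprint']} shared by {', '.join(group['hosts'])}")
```

Running the audit on the constructed inventory reports the telnet service on the thermostat as unauthenticated and a single critical reuse group spanning all four device tiers, which is exactly the condition that let one device password open the storage, switching and database layers in this engagement.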
The findings of the penetration test allowed the client to better define the required level of corporate infrastructure security. The test also provided a detailed overview of the limitations of the security technologies currently deployed, the state of the systems in operation, and the internal processes in use.