
Social engineering

During this social engineering engagement, it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and compromise the internal segmented infrastructure.

The challenge

The team was tasked with performing an external black-box engagement of an undisclosed banking institution without any restrictions on the techniques used to obtain access, aside from establishing basic Rules of Engagement (RoE). No prior information except the Customer name and the RoE was provided to the penetration testing team. However, a previous agreement stated that lateral movement and post-exploitation should be limited to avoid disruption of normal workflow.

The solution

The project had severe time constraints, but it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and create internal attack scenarios that could further the infrastructure compromise.

How we did it

The Attack Lifecycle

Reconnaissance

The team discovered external vulnerabilities in the infrastructure, abusing unrestricted file upload for phishing and payload staging. In addition, phishing targets were collected with OSINT methods.

Resource Development

Custom initial access vectors and payload loaders were developed for the engagement. Mailing infrastructure, domain fronts and C2 servers were set up and configured.

Initial Access

A phishing attack was successfully carried out.

Execution

Hand-written download/execute macros, self-unpacking LNK files and custom shellcode loaders were used for execution.

Persistence

Registry persistence was used for the payload.

Discovery & Privilege Escalation

Kerberoastable service accounts and vulnerable folder redirection profiles were discovered and abused for domain privilege escalation.
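A defender-side illustration of the finding above, added here and not part of the original case study: a small detector that flags Kerberoasting-style activity (one account requesting RC4-encrypted service tickets for many distinct service accounts in a short window) over constructed Security log events. The simplified event fields, the sample events, and the window and threshold values are all assumptions made for this example, not data from the engagement.

```python
# Added example (not from the original case study): detect Kerberoasting-style
# ticket requests in simplified Windows Security Event ID 4769 records.
# Assumptions: events are already parsed into dicts with the fields below;
# RC4-HMAC (0x17) is the ticket encryption type a roasting tool typically
# requests; window and threshold are heuristics chosen for this example.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"            # RC4-HMAC ticket encryption type
SPN_THRESHOLD = 5             # distinct service accounts per window -> suspicious
WINDOW = timedelta(minutes=5)

# Constructed sample events (simplified 4769 fields); j.doe is the only
# account that requests RC4 tickets for many user-owned service accounts.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "account": "j.doe",   "service": "svc_sql",    "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "account": "j.doe",   "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "account": "j.doe",   "service": "svc_web",    "etype": "0x17"},
    {"time": "2024-01-10T09:00:03", "account": "j.doe",   "service": "svc_sccm",   "etype": "0x17"},
    {"time": "2024-01-10T09:00:03", "account": "j.doe",   "service": "svc_exch",   "etype": "0x17"},
    {"time": "2024-01-10T09:00:04", "account": "j.doe",   "service": "WS01$",      "etype": "0x17"},
    {"time": "2024-01-10T09:01:00", "account": "a.smith", "service": "svc_sql",    "etype": "0x12"},
    {"time": "2024-01-10T09:05:00", "account": "a.smith", "service": "svc_web",    "etype": "0x12"},
    {"time": "2024-01-10T08:00:00", "account": "b.lee",   "service": "svc_sql",    "etype": "0x17"},
    {"time": "2024-01-10T11:00:00", "account": "b.lee",   "service": "svc_web",    "etype": "0x17"},
]


def _is_candidate(ev):
    # Machine accounts ($) and krbtgt are not Kerberoasting targets; only
    # RC4 tickets for user-owned service accounts are of interest.
    svc = ev["service"]
    return ev["etype"] == RC4_ETYPE and not svc.endswith("$") and svc != "krbtgt"


def detect_kerberoasting(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return {account: sorted services} for accounts that requested RC4
    tickets for at least `threshold` distinct services within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if _is_candidate(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):           # slide the window over each start time
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits
```

In a real deployment the same logic would run against the domain controllers' 4769 stream, with an allow-list for legitimate scanners and a baseline of which accounts normally request RC4 tickets.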

Defense Evasion

Custom-built loaders and execution techniques were used to bypass EDR.

Credential access

Available web sessions and password stores were dumped to gain access to local credentials.

Impact

Impact simulation was not conducted to avert business disruption.

Conclusion

The adversary simulation allowed the security team to demonstrate a complete compromise path without using any of the usual “exploitable” software vulnerabilities. Instead, the attackers relied on the human factor, weak password policies and password reuse, service and Active Directory misconfiguration, and weak segmentation measures to achieve the goal. The engagement also uncovered flaws in threat detection and response, endpoint protection, wireless protection, and security policies, areas that are usually out of scope for an infrastructure penetration test.

Despite having mitigated all vulnerabilities discovered by a third-party company, the Client remained vulnerable to attacks and methods that a penetration test does not cover. Adversary simulation, in this case, offered a completely different viewpoint on the Client's security infrastructure, making it possible to prevent a similar real-world attack in the future.
