27 August 2021
The goal was to simulate an external threat in order to access a specific internal application, without being detected or blocked by the client's internal security team. Multiple intrusion vectors could have been used to do so.
After finding the press office phone number (often exposed), the team called numbers following the same format, during non-working hours, looking for voicemail boxes such as “you have reached the voicemail of <name/surname>, please leave a message”.
Once a few names had been gathered, an investigation was performed on each identified person in order to define the most suitable scenario.
A calling platform was used to spoof source telephone numbers. The reception desk was called with the employee's phone number spoofed as the caller, telling them that two "consultants" would be arriving in the morning and that he/she would not be able to pick them up because of some problem: "Could you please make them two badges? They came in the past, they know the house".
Once inside with a badge, an exploration of the premises led to a room that seemed perfect for hiding a physical implant.
Once the implant had been connected to the network behind a printer, it provided Wi-Fi access to the team waiting in a car outside, allowing them to reach the internal network.
A few low-hanging fruits later, a valid user account allowed the team to exploit a misconfiguration on the domain controller and retrieve the clear-text passwords of local administrator accounts. A few jumps later, the Domain Admin account was compromised.
The main goal was to obtain authenticated access to a thick client used by some employees. After identifying the people who had access to the application, in-depth searches were carried out on their computers. This allowed direct access to the thick client while the employee was having lunch.
Many lessons could be learned from that story:
This story is part of the 2021 edition of the Security Navigator.