Reports from the Field: Part 1

To defeat and deter cyberattacks, it’s essential to study the attacker’s methods and motivations to avoid falling into traps we accidentally leave for ourselves (e.g., missing patches, default passwords, etc.). After all, it's the determined mind of an attacker that pinpoints and exploits unintended behavior, misconfigurations, and inherent vulnerabilities.

In this three-part series, we’ll describe real-world examples that showcase how perceived ‘low-risk’ vulnerabilities can turn into critical, business-impacting issues – especially through attack chaining.

The first example we’ll explore is the reuse of credentials.

Reusing Credentials from Recovered Backups

The quick take: Leveraging recovered data can uncover widespread security issues.

The full story: While continuously testing client perimeters, we often obtain what we call “loot” during investigations – data such as usernames, email addresses, credentials, internal DNS information, or anything that may help us understand the client’s environment and attack surface better. This data can be obtained during different stages of our investigations, but it is often acquired during post-exploitation activities or enumeration performed after we gain privileged access to client infrastructure. This loot, combined with tribal knowledge gained from continuously testing our customers’ assets, gives us a unique insight into common issues and exposures that may exist within environments.

The nitty gritty: During an engagement, our team accessed a WordPress backup for a blog, that was associated with a subsidiary of a large financial services company. Within the recovered backup information was a database dump, which contained plaintext credentials for an employee. Given our previous experience with credential reuse, we saw the employee’s credentials as a potential entry point to other systems the company is using or has used in the past – meaning even more sensitive data could be in our reach. Using the recovered credentials, our team identified several instances of credential reuse to increase the impact of the finding and was able to access several web applications owned by the subsidiary.

The ’loot’: One of these web applications was an email marketing platform that allowed for the creation of custom emails that could be sent to all the company’s subscribers and clients, totaling 1.7 million subscriptions. An attacker with access to this application could create mass email campaigns to perform a variety of attacks, including credential phishing or fraud schemes against the company’s subscribers and clients. As the emails would be sent from the company’s email servers, from a legitimate company email address associated with a valid email subscription, the likelihood of success would increase substantially.

The power of déjà vu: Several weeks later, while enumerating client-owned cloud ticketing applications, an instance from the same subsidiary caught our team’s eye. We recalled the prior issue of credential reuse and confirmed that the application could be accessed with the same credentials that had been retrieved during the previous investigation, as the employee had not changed their password for this account. The spread turned out to be broader than originally known, which then got the team wondering just how much more they could access with those same credentials. At this point, our team was armed with two things: an accurate inventory of the customer’s attack surface (a lot of locks) and known credentials (a misplaced key). Then, it was a matter of methodically trying that key in every lock the team was aware of. This sort of attack takes determination and persistence, exactly the level of dedication of adversaries that our team emulates.

Stick around for Part 2, as we dive into exposed configuration files. To explore the approach of today’s sophisticated attackers and how continuous offensive security platform can help you stay ahead of threats – download "The Wolf in Sheep's Clothing" eBook.