Confidential (Finance industry)
Internal Infrastructure Audit
There is no single way of doing audits. Sometimes things go hard; sometimes everything goes as planned. In 2018, a company asked us to perform an audit of its internal infrastructure. They had recently invested in information security and wanted to know whether they were "impenetrable". Although the IT department was confident about the new investment, management still worried about overall security.
Usually, in-house IT administrators don't think much about security. They are responsible for the smooth running of all computer systems, providing a digital environment in which business activities can take place. This is certainly not an easy task. Security is therefore not their primary task, which can one day lead to catastrophic consequences.
This case study is a perfect example of an environment where modern technologies and state-of-the-art systems are deployed. Deploying a system is not enough, though; it is the responsibility of the people running it to configure it properly. Let's see how far we got...
One of the first obvious things was that the company had an Active Directory domain. Since most of their assets ran Windows, AD became our primary target in this audit.
We started by capturing network credentials (using Responder) and quickly got our first hash. Usually, the domain password policy makes cracking the credentials harder. This time we were lucky: the password had six characters, which indicated a poor password policy.
After testing the credentials across the whole network, we discovered that the account had local administrator privileges on one system. Bingo! We immediately ran triage on the host, dumped credentials using mimikatz, and got... nothing.
It turned out that there were no cached credentials on the machine. We had to come up with another approach, so we tried a technique called Kerberoasting, which requests Kerberos service tickets (TGS) for service accounts and cracks them offline to recover the account passwords. As in the previous case, this account had a short password, which we successfully cracked. Another valid credential in our hands.
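Kerberoasting leaves a footprint a defender can look for in the domain controllers' Security log: event 4769 (a Kerberos service ticket was requested) records the requesting account, the service account and the ticket encryption type. The following Python is an added example, not part of the original audit or the author's tooling; it runs a simple sweep detector over a handful of constructed 4769 records (the account names, SPNs and timestamps are made up), flagging accounts that obtain many distinct RC4-encrypted service tickets within a short window.

```python
"""Flag possible Kerberoasting in Windows Security event 4769 records: a sweep
requests TGS tickets for many SPN accounts quickly, often as crackable RC4-HMAC (0x17)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)  # look-back window per requesting account
THRESHOLD = 5                  # distinct RC4 service tickets within the window

def ev(t, user, svc, etype=RC4_HMAC, status="0x0"):
    """One constructed 4769 record (demo data); keys mirror the event's data names."""
    return {"time": datetime.fromisoformat(t), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status}

SAMPLE_EVENTS = [  # constructed, not real logs; accounts and SPNs are made up
    ev("2018-06-04T09:00:01", "j.novak@CORP", "svc_sql01", etype="0x12"),  # AES256: benign
    ev("2018-06-04T09:01:00", "WS042$@CORP", "krbtgt", etype="0x12"),      # computer acct, TGT
    # five RC4 tickets for five distinct SPNs inside ten seconds: a sweep
    ev("2018-06-04T10:15:00", "m.svoboda@CORP", "svc_sql01"),
    ev("2018-06-04T10:15:02", "m.svoboda@CORP", "svc_web01"),
    ev("2018-06-04T10:15:03", "m.svoboda@CORP", "svc_backup"),
    ev("2018-06-04T10:15:05", "m.svoboda@CORP", "svc_sharepoint"),
    ev("2018-06-04T10:15:08", "m.svoboda@CORP", "svc_reporting"),
    # five RC4 tickets for the *same* legacy service: noisy, but not a sweep
] + [ev(f"2018-06-04T11:0{i}:00", "legacyapp@CORP", "svc_legacy") for i in range(5)]

def find_kerberoast_candidates(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: sorted distinct RC4 services} for accounts with >= `threshold`
    distinct RC4 service tickets inside `window`; computer accounts and krbtgt are skipped."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC:
            continue  # failed requests and AES tickets are not what a sweep produces
        if e["TargetUserName"].split("@")[0].endswith("$") or e["ServiceName"].lower() == "krbtgt":
            continue  # machine accounts and TGT renewals are routine noise
        per_user[e["TargetUserName"]].append((e["time"], e["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide the window start forward
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                hits[user] = sorted(services)
                break
    return hits

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_EVENTS))
```

In a real deployment the same logic applies to 4769 events pulled from the domain controllers, and the threshold and window should be tuned against a baseline of normal service-ticket activity.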
Logging into another machine (where this user was, again, a local administrator) allowed us to dump cached credentials from LSA. We were lucky this time, since we got a Domain Administrator account!
With a domain admin account in our hands, we wanted to demonstrate the highest possible impact for the company. After days of internal reconnaissance, we had a pretty good overview of the services running on different systems.
We had access to all the financial records, customers' personal data, and much more. We even found the company's future products and plans. If real attackers had obtained this data, it would have been devastating for the company. However, this wasn't the end.
Although we successfully compromised Active Directory, it wasn't our only target. Numerous services were running on the intranet without being integrated into Active Directory. Many of them still had a default configuration, which presents security problems. The list of devices that we were able to access:
The purpose of the audit is not to access the critical data and devices, but to explain the business risk to the customer. After the technical part, we started working on the report. Often seen as the easiest part, a good report usually takes several days to perfect.
We described our methodology and findings and provided extensive recommendations for the customer. Backed up with real data, describing the business risk was simple. The state of their infrastructure was nowhere near acceptable, and action had to be taken immediately.
The company took our recommendations and started fixing the discovered issues. They significantly reduced the attack surface and lowered the risk associated with their critical data.
They continue to work with us regularly: audits take place each year, and we also provide monthly monitoring for them.