Password = CompanyName2022!
Early one morning, a TrustedImpact staff member walked into a busy CBD office tower foyer. He approached the row of lifts and took the lift to the floor where our client’s office was located. He walked to the reception desk and introduced himself, explaining that he was starting as a contractor and that a security pass had been arranged for him. He was handed the pass and signed in. He approached the door behind reception, tapped his security pass and let himself into the office.
We were conducting an engagement with this client and our task was to gain access to one of three sensitive IT systems. By the end of the engagement, we were able to enter the office with a valid security pass and had the ability to access these highly protected systems. This was achieved through the discovery of a single email account with an easily guessable password and then by following a standard internal process masquerading as a trusted staff member.
Reconnaissance
We began with some initial reconnaissance of the client’s internet facing systems. The organisation had very limited internet presence. They had a brochureware website hosted externally, a Citrix Gateway requiring multi factor authentication and mail hosted in Office 365. There were no other internet facing services exposed. We discovered that the Citrix Gateway was hosting one of the sensitive applications so we considered investigating ways that we might be able to bypass multi factor authentication via phishing emails and social engineering. After a bit of investigation, we discovered that all three of the sensitive applications were accessible from within the office and when physically onsite, didn’t require multi factor authentication. So, we began to look into ways that we could gain physical access to the office.
A visit to the client’s office foyer high in a Melbourne CBD tower found that there were two doorways into the office, both requiring an RFID card to access. Staff wore a visible identity badge and were vigilant about security, making tailgating a risky option. We would likely only have one shot at that if we tried it.
A quick check from the lifts outside reception for any wireless networks found a corporate and a guest network. To avoid raising suspicion we conducted testing of the wireless network via a long-range antenna from a multi-story car park across the road. After a couple of hours of testing we found that the corporate wireless network only allowed connections from trusted devices with a pre-installed client certificate and the guest wireless network was properly segmented from the internal network. Access to the internal network via the wireless network was not a viable option.
We considered other options for gaining physical access to the office including utilising some equipment that we have which we use to clone RFID cards. This often works in busy and crowded areas as it involves being close enough to someone with an RFID card for the equipment kept in a laptop bag to clone the card. However, as there were many tenants in this building, it was going to be very difficult to identify and target a staff member from that organisation. The foyer where the lifts are located had security staff stationed at a concierge desk and loitering in the area would soon be noticed and was not practical.
Targeting User Accounts
We started to take a closer look at the Office 365 configuration and discovered that multi factor authentication wasn’t required to access Office 365. Using some OSINT tools, we compiled a list of several hundred email addresses for staff along with a list of likely passwords based on a combination of the organisation name and the year as well as a list of commonly used passwords. We used this to conduct a very slow ‘account spray’ attack. This involved using a script to attempt to login to Office 365 using each of the user accounts with the same password. This only attempted to access one account every few seconds and we slowly cycled through the other passwords over a 48-hour period to avoid locking out user accounts and reduce the likelihood of detection.
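The low-and-slow spray described above (one account every few seconds, passwords cycled over 48 hours) is designed to stay under lockout thresholds, so per-account failure counts will not catch it. The following is an added example, not TrustedImpact's tooling, of a detector that instead keys on the number of distinct accounts a single source fails against inside a 48-hour window, and reports whether the source also went on to succeed against any of them. The log format (timestamp, user, source IP, result) and all values are constructed for the example.

```python
"""Low-and-slow password-spray detection over sign-in logs (added example,
not TrustedImpact's tooling; log format 'ts user ip result' is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-08-01T08:00:01Z alice@example.com 198.51.100.7 FAIL
2022-08-01T08:00:07Z bob@example.com 198.51.100.7 FAIL
2022-08-01T08:00:13Z carol@example.com 198.51.100.7 FAIL
2022-08-01T08:00:19Z dave@example.com 198.51.100.7 FAIL
2022-08-01T08:00:25Z erin@example.com 198.51.100.7 FAIL
2022-08-01T09:15:00Z alice@example.com 203.0.113.9 FAIL
2022-08-01T09:15:41Z alice@example.com 203.0.113.9 SUCCESS
2022-08-02T20:00:01Z alice@example.com 198.51.100.7 FAIL
2022-08-02T20:00:07Z bob@example.com 198.51.100.7 FAIL
2022-08-02T20:00:13Z carol@example.com 198.51.100.7 SUCCESS
2022-08-02T20:00:19Z dave@example.com 198.51.100.7 FAIL
"""

def parse(text):
    """Yield (timestamp, user, source_ip, result) for each non-blank line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result

def detect_spray(events, window=timedelta(hours=48), min_accounts=5, lockout=5):
    """Flag sources whose failures span >= min_accounts distinct users within
    `window`; note whether every account stayed under `lockout` (the evasion
    pattern) and which of the sprayed accounts later succeeded from that IP."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            wins[ip].add(user)
    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            per_user = defaultdict(int)  # failures per account in [t0, t0 + window]
            for ts, user in attempts[i:]:
                if ts - t0 <= window:
                    per_user[user] += 1
            if len(per_user) >= min_accounts:
                findings[ip] = {"accounts": sorted(per_user),
                                "under_lockout": max(per_user.values()) < lockout,
                                "succeeded": sorted(wins[ip] & set(per_user))}
                break
    return findings
```

A legitimate user mistyping their own password (203.0.113.9 above) fails against one account only and is not flagged, while the spraying source is reported together with the account it eventually got into.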
Initial Access
The account spray landed us six valid user accounts. Some were generic accounts, which were of some use, but at least three belonged to internal staff members. Based on the users’ LinkedIn profiles, we knew that these staff members’ accounts could be used to access the sensitive systems if we could find a way to bypass multi factor authentication or be onsite.
We worked our way through each of the Office 365 logins and through the email accounts, OneDrive and SharePoint files which were accessible to gain an understanding of internal systems, procedures, and workflows. We were able to gather passwords for other internal systems and a further four Office 365 accounts. One of the user accounts which we had access to was for a new staff member and in their inbox were their onboarding and induction details. This included how to access the LMS (Learning Management System) as well as the service desk to log IT support calls. Both were third party cloud hosted systems accessible from the internet and used the same Office 365 credentials to authenticate.
The LMS contained details about building access, including instructions on how to request an RFID building pass for staff using the IT service desk application. So, we put together a request for an RFID pass for a few days’ time for one of our staff members. We set up Outlook mail rules to route any replies to this request directly to a subfolder in Outlook, which would prevent the user from seeing the email and allow us to interact with the service desk staff when they replied. After a bit of back and forth we received confirmation that the RFID pass would be ready for pick up at reception.
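The mail rule described above is the part of this chain a mailbox owner or administrator can actually spot: a rule that diverts a specific conversation out of the Inbox. Below is an added example, not TrustedImpact's or Microsoft's code, that audits an export of inbox rules for that reply-hiding pattern and for the related exfiltration pattern (external forwarding, deletion). The rule records are constructed; the field names follow the shape of the Microsoft Graph messageRule resource as an assumption and should be checked against a real export before use.

```python
"""Audit mailbox inbox rules for the reply-hiding pattern used in the
engagement above (added example, not TrustedImpact's or Microsoft's code).
Rule records are constructed; field names follow the Graph messageRule
shape as an assumption and must be checked against a real export."""

# Constructed export: one dict per rule, keyed like Graph's messageRule.
RULES = [
    {"mailbox": "newstarter@example.com", "displayName": "Service desk",
     "conditions": {"subjectContains": ["Building pass", "Ticket"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"mailbox": "newstarter@example.com", "displayName": "Newsletters",
     "conditions": {"senderContains": ["noreply@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"mailbox": "finance@example.com", "displayName": "Forward",
     "conditions": {},
     "actions": {"forwardTo": ["someone@external.example.net"], "delete": True}},
]

INTERNAL_DOMAIN = "example.com"
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email", "deleted items"}

def rule_risks(rule, internal_domain=INTERNAL_DOMAIN):
    """Return reasons a rule looks like reply-hiding or exfiltration (empty if none)."""
    a, c, reasons = rule.get("actions", {}), rule.get("conditions", {}), []
    folder = a.get("moveToFolder", "")
    subjects = c.get("subjectContains", [])
    if folder and subjects:  # specific conversations diverted out of the Inbox
        reasons.append(f"diverts subjects {subjects} to '{folder}'")
    if folder and a.get("markAsRead"):
        reasons.append(f"marks mail moved to '{folder}' as read")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"targets rarely viewed folder '{folder}'")
    if a.get("delete"):
        reasons.append("deletes matching mail")
    for addr in a.get("forwardTo", []) + a.get("redirectTo", []):
        if not addr.lower().endswith("@" + internal_domain):
            reasons.append(f"forwards outside the tenant to {addr}")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) -> reasons for every rule with at least one risk."""
    out = {}
    for r in rules:
        reasons = rule_risks(r)
        if reasons:
            out[(r["mailbox"], r["displayName"])] = reasons
    return out
```

The ordinary "move newsletters to a folder" rule produces no findings, while the service-desk rule and the external-forwarding rule are each reported with the specific reasons a reviewer should look at.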
Physical Access
From there, it was just a matter of arranging for our staff member to present himself at reception, pick up his pre-arranged security pass, let himself in and find a free desk and workstation to log in to.
Conclusion
It goes without saying that all internet facing logins should have multi factor authentication (MFA) enabled by default. Check all your internet facing systems and consider whether they need to be exposed to the internet. Don’t forget about legacy or staging systems.
Conduct an audit of your user accounts. Do you still need that fax@ account which was set up over 20 years ago or that particular marketing campaign user account and mailbox? What about old vendor accounts which may even have privileged access and may fall outside of your standard password policies? Do all accounts need the ability to login externally and do they need to be mailbox enabled?
Look into your onboarding and offboarding processes, ensure accounts are disabled and that there is a process to delete them when staff leave. And finally, avoid using the same temporary password every time a new user account is created. Also avoid using the same temporary password when resetting a user’s forgotten password. It was the temporary password assigned to a new user account which had remained unchanged which gave us an initial foothold in this engagement.
Darren Arnott. August 2022
Managing Director, Sales, Business Development, General Management: Technology Payment, Identity & Security, Governance, Risk, Compliancy, Process improvement, Automation
Indeed, there are indeed ways to secure the systems. It is a matter of being aware of the vulnerabilities that exist and putting appropriate defences in place.
Managing Principal at GMDR Group
Great penetration by the Trusted Impact Team!! It is clear the Team have deep experience with IT security. With Cyber-attacks ever present and SOCI now in the picture, security and risk management are paramount!
Specialist skills in bespoke electronic product design and manufacturing
A fascinating account of how scarily easy it was for you to get into the customer's systems and then obtain an RFID access card. Did anyone notice you sitting at a workstation and check as to why you were there, etc...?
Information Technology Manager at RSL Victoria
Love it. You sneaky sneaky bugger. So much fun.