IT are people too...

Over the last few months we have been tasked, in multiple engagements, with targeting IT helpdesks using typical social engineering (and non-social) tactics. Most organisations assume that because the IT team is technical and looks after the systems, they know better (and they should), and that being tech savvy makes them automatically security savvy, so they don't need as much security training or attention as general staff.

This common misconception couldn't be further from the truth. For many years on engagements I have had great success targeting IT, and in a lot of cases I have had more success targeting IT than standard users.

So how does this happen?

Lack of training

We put a lot of effort into training and phishing standard employees because they are often the weakest link, but IT teams need just as much, if not more, training focus. They need focused, targeted training both during onboarding and at regular intervals. Don't forget, these are the people who hold the keys to your kingdom.

And you should always remember that just because they know IT doesn't mean they know much about security or the common TTPs (tactics, techniques and procedures) used by threat actors.

They trust in systems

On a recent engagement in December and January, a client had a helpdesk login exposed to the internet so users could log in and raise tickets. I see this all the time: companies usually run systems like ServiceNow, ManageEngine ServiceDesk Plus or similar, and most of the time without MFA :(

I had managed to obtain a single user's password. They are a Microsoft 365 company and had all the right things in place: MFA on 365 and the VPN, Conditional Access policies, alerting, restricted service access to M365, and so on. They were also using code entry for MFA rather than push approval, which was great (with push notifications I just keep nagging the user until they accept, or time the push request for when the user would normally log in). Using the user's credentials I logged into the company's service desk portal and raised a ticket with this in the detail:

[Image: ticket logged]

Not overly complex at all: a simple, standard user request with a few bits of social engineering in it (a sense of urgency, a number to call, etc.).

How would your IT guys fare receiving a request like this via your ticketing platform?

30 minutes later I got this:

[Image: email from helpdesk]

Very simple, very effective: I reset the MFA and logged into their VPN. I have had other engagements where the service desk called me back to verify I am who I say I am and checked my details, which is positive. However, on another engagement I had connected to their Azure AD via PowerShell (there was no MFA on Azure AD console/service access), extracted all the user details such as name, location, position and manager, explained that my number had changed, and "verified" myself using those details. That is all I have needed to get passwords reset, MFA reset, and so on.
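To show what a single set of non-MFA credentials gives an attacker (and what a helpdesk is really "verifying" when it checks title, office and manager), here is an added example of the directory dump described above. It is not the author's script: the legacy AzureAD module the article era relied on is retired, so this uses the Microsoft Graph PowerShell SDK instead. It assumes the SDK is installed and that the User.Read.All delegated scope is consented for the signed-in user; the output file name is arbitrary.

```powershell
# Added example (not the author's code). Dump the profile fields a helpdesk
# typically uses to "verify" a caller, using one ordinary user's credentials.
# Assumes Microsoft.Graph PowerShell SDK; User.Read.All consent is an assumption.
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$props = 'Id','DisplayName','UserPrincipalName','JobTitle','Department',
         'OfficeLocation','MobilePhone','BusinessPhones'

$report = Get-MgUser -All -Property $props | ForEach-Object {
    # Manager comes back as a generic directory object; its display name
    # lives in AdditionalProperties. Users without a manager throw, so swallow that.
    $mgr = try { Get-MgUserManager -UserId $_.Id -ErrorAction Stop } catch { $null }
    [pscustomobject]@{
        Name       = $_.DisplayName
        UPN        = $_.UserPrincipalName
        Title      = $_.JobTitle
        Department = $_.Department
        Office     = $_.OfficeLocation
        Mobile     = $_.MobilePhone
        Desk       = ($_.BusinessPhones -join ';')
        Manager    = if ($mgr) { $mgr.AdditionalProperties['displayName'] } else { $null }
    }
}

$report | Export-Csv -Path .\directory-dump.csv -NoTypeInformation
"$($report.Count) users exported"
```

Every field in that CSV is exactly what a caller gets asked for. The defensive takeaway is twofold: Conditional Access has to require MFA for all cloud apps, not just Office and the VPN, because Graph PowerShell signs in as its own cloud app; and verification questions must use something that is not readable from the directory by any member account.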

They trust in users and each other

Most IT teams trust that their users are the real users, and that if a request comes from an internal system it must be legitimate. Email is great for that. On a recent engagement I had compromised an end user's mailbox, set up a mailbox rule to hide my trail for any comms, and emailed the helpdesk from that user's mailbox; I was instantly trusted and the actions were performed. Teams has also worked well for me in the past: sending a Teams message directly to a helpdesk person is harder to do stealthily, but just as effective, if not more so.
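The "mailbox rule to hide my trail" is one of the few artefacts this technique leaves behind, so it is worth hunting for. The following is an added example, not something from the article, that sweeps every user mailbox in Exchange Online for inbox rules that delete, divert or bury mail. It assumes the ExchangeOnlineManagement module and a role that can read recipients and inbox rules; the folder keywords and output path are assumptions.

```powershell
# Added example (not from the article). Find inbox rules that hide or divert
# mail, the kind an attacker creates after compromising a mailbox.
# Assumes the ExchangeOnlineManagement module and View-Only Recipients or higher.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Folders attackers commonly dump replies into so the real user never sees them
$hideFolders = 'RSS|Junk|Deleted|Archive|Conversation History|Notes'

$suspicious = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        $_.DeleteMessage -or
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        ($_.MoveToFolder -match $hideFolders)
    } | Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }},
        Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo,
        # The match conditions show what the rule was built to hide (e.g. "helpdesk", "ticket")
        @{n='Filters'; e={ (@($_.SubjectContainsWords) + @($_.FromAddressContainsWords) + @($_.BodyContainsWords)) -join ';' }}
}

$suspicious | Format-Table -AutoSize
$suspicious | Export-Csv -Path .\inbox-rules-review.csv -NoTypeInformation
```

Rules whose filters name the helpdesk, "ticket", "password" or "MFA" and move matches to RSS Feeds or Deleted Items are the pattern to look for. For the point-in-time version, the unified audit log records rule creation, so a scheduled search with Search-UnifiedAuditLog for the New-InboxRule and Set-InboxRule operations catches the rule the day it is made rather than at the next sweep.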

Need more evidence?

In a recent engagement we performed for a client, the IT manager asked us not to tell the helpdesk about our activity and quietly set up whitelisting so we could run a mass phishing campaign against the organisation and measure how many people would visit our phishing site and hand over credentials. In that engagement 60% of the helpdesk team responded and handed over their credentials, and one of the IT staff was using the same password on their admin account. That one was over quite quickly...

IT teams need to trust and verify, always, which leads to my next point.

Poor hygiene

This is an issue on nearly every engagement my team performs. A lack of simple network and AD hygiene often leads us all the way to Domain Admin. This includes:

  • Legacy accounts still in AD (service accounts in particular) which people have forgotten about, with weak passwords. On some engagements we have seen passwords on these accounts last set in 2001.
  • General weak password usage.
  • Lack of account segmentation for admins and admin functions, and no use of Group Managed Service Accounts (gMSAs), as an example.
  • Passwords stored in AD description fields.
  • Disabled accounts not deleted. We see this all the time: usually these accounts have weak passwords, are often Domain Admins, and with limited delegated rights we can re-enable them and use them to gain access to other systems.
  • Unsecured data. On countless engagements we have found open shares containing passwords in text files for service accounts and systems. We often find backup files, for example Veeam backups, that we can simply mount and extract the SAM or NTDS.dit from, or run mimikatz against, to obtain credentials and/or hashes.
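
Most of the items on that list can be found by the defender before a pentester does, with read-only domain access. The script below is an added example (not the author's tooling) that sweeps on-prem AD for stale passwords, secrets left in description or info fields, disabled accounts that are still in privileged groups, and service accounts that are plain user objects rather than gMSAs. It assumes the RSAT ActiveDirectory module; the 180-day threshold, the keyword regex and the group list are assumptions to tune.

```powershell
# Added example (not from the article). Read-only AD hygiene sweep for the
# findings listed above. Assumes the RSAT ActiveDirectory module; any domain
# user can read most of this, which is exactly why an attacker can too.
Import-Module ActiveDirectory

$stale = (Get-Date).AddDays(-180)   # assumption: 180 days counts as stale

# 1. Enabled accounts whose password has not changed in ages (forgotten service accounts)
$oldPwd = Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $stale } `
            -Properties PasswordLastSet, LastLogonDate, ServicePrincipalName |
          Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
            @{n='HasSPN'; e={ $_.ServicePrincipalName.Count -gt 0 }}

# 2. Passwords or hints left in Description / Info (both readable by every domain user)
$leaks = Get-ADUser -Filter * -Properties Description, Info |
         Where-Object { ($_.Description + ' ' + $_.Info) -match 'pass(word)?|pwd|pw[:=]|cred' } |
         Select-Object SamAccountName, Description, Info

# 3. Disabled accounts still sitting in privileged groups (a re-enable target)
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$disabledPriv = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
      Where-Object objectClass -eq 'user' |
      Get-ADUser -Properties Enabled, LastLogonDate |
      Where-Object { -not $_.Enabled } |
      Select-Object SamAccountName, LastLogonDate, @{n='Group'; e={ $g }}
}

# 4. Service accounts that are ordinary users with SPNs (Kerberoastable) vs. gMSAs
$gmsaCount = (Get-ADServiceAccount -Filter *).Count
$spnUsers  = Get-ADUser -Filter { ServicePrincipalName -like '*' } `
               -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet |
             Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet

"Stale passwords (>180 days): $($oldPwd.Count)"
$oldPwd | Sort-Object PasswordLastSet | Format-Table -AutoSize
"Possible secrets in Description/Info: $($leaks.Count)"
$leaks | Format-Table -AutoSize
"Disabled accounts still in privileged groups: $($disabledPriv.Count)"
$disabledPriv | Format-Table -AutoSize
"User accounts with SPNs: $($spnUsers.Count)  (gMSAs in domain: $gmsaCount)"
$spnUsers | Format-Table -AutoSize
```

Run it as a scheduled review rather than once: the accounts that matter are the ones that reappear. Anything in list 3 should be removed from the group, not just left disabled, and anything in list 4 with PasswordNeverExpires set is a candidate to migrate to a gMSA.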

So what should we be doing?

  • Your IT staff should be trained on social engineering tactics and practise trust-but-verify, and that training should come from external security people, not internal IT (it is far more effective).
  • There should be processes in place to periodically review and clean up accounts in AD/Azure AD, and to review all network shares and 365 locations such as SharePoint for sensitive data.
  • Segmentation of accounts and roles: basic security best practice.
  • MFA on your helpdesk portals is a good idea!
  • Implement a unique support code that users must supply to verify who they are, and make sure that code is not stored anywhere an attacker can read user data from (such as the directory).
  • Make sure your pentest firm(s) are performing helpdesk testing as part of your engagement, to get a true adversary simulation.


Hopefully this article gives you some food for thought on where you may have process and training gaps you can plug, to make sure IT is not your weakest link.

If you would like a true penetration test of your systems, your users and, most importantly, your IT team, don't hesitate to reach out.

#danweis #nexon #pentest #penetrationtesting #socialengineering #helpdesk #hacking #hackproofyouself