As technology advances, we tend to assume that security advances in parallel. This is only partly true. End-to-end encryption is now standard in instant messaging. Bug bounty programs are commonplace, with companies handsomely rewarding ethical hackers who report software flaws. Companies hire security teams to track and fix bugs. Yet despite these defensive measures, attackers still manage to get into networks and read internal communications.
There are so many modern ways to communicate that there is no excuse for remaining out of touch with someone, unless of course you don’t like them! You could email, SMS or instant message. You could use WhatsApp, Facebook Messenger, WeChat, Telegram, Discord, Signal – the list goes on. You could even make a phone call! In the corporate world, MS Teams, Slack and Google Chat dominate. With so many options it is hard to decide which to use for what purpose. For example, you need to share a credit card number, API token or password with a colleague. Which of the above would you use? WhatsApp? Perhaps Slack or email?
Before you answer, consider how you would respond if I told you that an attacker needs about one minute with your device to gain access to all your private communications, including those credit card numbers, API tokens and passwords you shared.
The lesson is clear: many of us are unaware, or worse, unconcerned about an information security threat until it hits us directly. Only then do we grasp the importance of keeping our information safe, both at rest and in transit.
The Attacker Perspective
As an active red teamer, once I gain initial access to an organization’s network my focus shifts to obtaining sensitive data, and that requires thinking outside the box. Most employees keep data on their own desktops, and it is easy for them to overlook the risk to which they expose organizational and personal information. A good red teamer will look to exfiltrate that information via either physical or remote access.
Show Me What You Got
(Based on true events)
#1 Physical Access:
Imagine that you’re in an organization’s reception area. The receptionist asks you “Would you like something to drink?”, and you politely ask for a cup of strong black coffee, the hacker staple.
The attentive receptionist heads off to make the coffee and you take a look around. Behind the front desk is a closet. You open it a little and spot an unused MacBook Pro. You grab it and head back to your seat. When you open the lid you notice that the IT department has kindly left the password on a sticker on the keyboard, saving you the trouble of looking for it. You log in and realize that this is a recently used device that has not been wiped.
#Screenshot 1 – Illustration – Really, your password is 123456?
You start nosing around on the device. The MacBook contains more than just photos of your grandma’s fluffy cats! Quite a lot more, in fact.
You quickly realize that this MacBook belongs to an executive manager. She has left her Slack messaging application logged in, and her DMs contain a veritable treasure trove of sensitive organizational information.
She is not alone. Go ahead and check your organization’s Slack: type the word “password” in the search box and see how many times you and your co-workers have used Slack to send passwords to one another.
#Screenshot 2 – Slack – user and password exposed
#Screenshot 3 – Slack – AWS credentials exposed
And then there is the MacBook’s browser. Chrome’s saved passwords are an easily accessible repository that can be viewed and exported in a couple of clicks; Chrome on macOS asks for the OS login password before revealing them, but that is the password on the sticker. Each entry gives you full access to another online resource.
#Screenshot 4 – Google Chrome – Autosaved credentials exposed
#2 Remote Access:
We were hired by a company to conduct a red team exercise. We connected to a Windows workstation in the organization’s network via AnyDesk. At first glance there was nothing too exciting: the network had no Active Directory domain and was flat, with no segmentation between workstations.
After some looking around, we understood that the same generic local account was used on several workstations. With little effort we disabled Windows Defender’s real-time protection and used mimikatz’s lsadump module to extract the account’s NTLM hash.
#Screenshot 1 – Windows Defender – Disable Real Time Protection
#Screenshot 2 – Mimikatz – Extracting NTLM Hash From lsadump
Our next step was to run Kali Linux in a virtual machine, where we used crackmapexec to pass the hash to every single workstation in the network.
#Screenshot 3 – Kali Linux CrackMapExec- PassTheHash Attempts To Workstations In The Network
At this point we noticed that we could not obtain a remote command shell. There are two main reasons for this:
1. UAC remote restrictions. By default the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy does not exist, which is equivalent to 0: a network logon with a local administrator account other than the built-in RID 500 Administrator receives a filtered token with no administrative rights. Only when the value is set to 1 does a pass-the-hash with such an account yield a full administrator token on the remote workstation.
2. Windows Defender detects pass-the-hash behaviour and blocks it immediately.
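What the sweep above looks like from the defender’s side, as an added example written for this article (it is not part of the engagement and not Windows Defender’s own detection logic): every host that crackmapexec touches logs a Security event 4624 with logon type 3 and authentication package NTLM, and because the account is local, the event’s TargetDomainName holds the workstation’s own name rather than a domain. The authentication succeeds and is logged even when UAC remote restrictions then deny the administrative actions. In a workgroup network like this one every logon is a local NTLM logon, so the signal is one source using the same account against many hosts in a short window. The flattened event dicts, host names, account name and IP addresses below are constructed for the demo.

```python
"""Detect a pass-the-hash sweep from Windows Security event 4624 records.

Added example written for this article; it is not part of the engagement
above or of any product. It assumes 4624 (successful logon) events are
forwarded to a central collector and flattened to dicts carrying the
standard System/EventData field names (Computer, TimeCreated, EventID,
LogonType, AuthenticationPackageName, TargetUserName, TargetDomainName,
IpAddress). SAMPLE_EVENTS are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def is_local_ntlm_network_logon(ev):
    """True for an NTLM network logon (type 3) with an account local to the
    target host: for local accounts Windows records the target's own computer
    name, not a domain, in TargetDomainName. A crackmapexec -H sweep leaves one
    of these on every host it reaches, whether or not UAC remote restrictions
    later deny the admin actions."""
    return (
        ev["EventID"] == 4624
        and ev["LogonType"] == 3
        and ev["AuthenticationPackageName"].upper() == "NTLM"
        and ev["TargetDomainName"].upper() == ev["Computer"].split(".")[0].upper()
    )


def detect_sweeps(events, min_hosts=3, window=timedelta(minutes=5)):
    """Group matching logons by (source IP, account) and alert when one source
    uses the same local account against >= min_hosts distinct hosts inside
    `window`. In a workgroup every logon is a local NTLM logon, so the fan-out
    across hosts, not the logon type, is the signal."""
    by_key = defaultdict(list)
    for ev in events:
        if is_local_ntlm_network_logon(ev):
            by_key[(ev["IpAddress"], ev["TargetUserName"].lower())].append(ev)

    alerts = []
    for (source, account), logons in by_key.items():
        logons.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(logons):
            cutoff = first["TimeCreated"] + window
            hosts = {e["Computer"] for e in logons[i:] if e["TimeCreated"] <= cutoff}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "source": source,
                    "account": account,
                    "hosts": sorted(hosts),
                    "first_seen": first["TimeCreated"],
                })
                break  # one alert per (source, account) is enough
    return alerts


BASE = datetime(2024, 3, 1, 9, 0, 0)


def _event(computer, offset_s, user, logon_type=3, package="NTLM", ip="-", domain=None):
    """Build one flattened 4624 record (constructed test data)."""
    return {
        "Computer": computer,
        "EventID": 4624,
        "TimeCreated": BASE + timedelta(seconds=offset_s),
        "LogonType": logon_type,
        "AuthenticationPackageName": package,
        "TargetUserName": user,
        "TargetDomainName": domain or computer,  # local account => host name
        "IpAddress": ip,
    }


# Constructed: one attacker host hitting four workstations with the shared
# local account in under a minute, plus ordinary activity that must not alert.
SAMPLE_EVENTS = [
    _event("WS01", 0, "localadmin", ip="10.0.0.50"),
    _event("WS02", 12, "localadmin", ip="10.0.0.50"),
    _event("WS03", 25, "localadmin", ip="10.0.0.50"),
    _event("WS04", 41, "localadmin", ip="10.0.0.50"),
    _event("WS02", 300, "bob", ip="10.0.0.21"),                        # one host only
    _event("WS03", 320, "alice", logon_type=2),                        # console logon
    _event("WS01", 340, "localadmin", logon_type=10, ip="10.0.0.22"),  # RDP, not type 3
]

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_EVENTS):
        print(f"{alert['source']} used {alert['account']} against "
              f"{len(alert['hosts'])} hosts from {alert['first_seen']}: "
              f"{', '.join(alert['hosts'])}")
```

Tune min_hosts and window to the environment: a backup or patch-management server legitimately authenticates to many hosts, so allow-list those sources rather than raising the threshold until the real sweep disappears.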
Fortunately, the compromised account was a local administrator on the vulnerable workstations, so we were able to use smbclient to connect to them over SMB. We found sensitive PII stored on many desktops, including names, phone numbers, email addresses, birth dates, vouchers and IDs.
Furthermore, at some point we found Okta and Salesforce credentials in a PNG screenshot on the account’s desktop. Okta is an identity management platform, so exposed Okta credentials risk giving an attacker access to many applications and platforms at once. But the icing on the cake was yet to come.
#Screenshot 4 – A Picture – A Screenshot Of Compromised Okta Site Password
#Screenshot 5 – A Text File – Credentials Of Salesforce Found In Cleartext
We were able to copy the user’s entire Google Chrome profile and replay it on our own machine, which gave us an active WhatsApp Web session. Again, we and our client were truly amazed at the type and amount of information that employees shared over DMs.
#Screenshot 6 – WhatsApp Web – Compromised Salesforce Credentials
Mitigation (Trust Me, I’ve been there)
Taking precautions goes a long way to reduce the information exposed to malicious actors:
- Search your DM history for words like “password”, “admin”, “credentials” and similar.
- Delete any sensitive data that was sent over DMs.
- Delete hardcoded sensitive data from files.
- Use a password manager:
  - a cloud password manager, such as LastPass or 1Password
  - a local password manager, such as KeePass
- Avoid storing organizational files insecurely:
  - consider using a cloud storage service
  - protect sensitive files with strong passwords
- Do not reuse one local account and password across workstations; a unique local administrator password per machine (for example via Microsoft LAPS) stops a single stolen hash from being passed to every other host.
- Terminate device sessions as soon as an account becomes inactive or is deactivated.
- Enable multi-factor authentication wherever possible to reduce the risk of account takeover.
- A reputable EDR installed on all workstations will alert on suspicious behaviour such as mimikatz or PowerShell abuse.
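The Slack search suggested earlier (type “password” into the search box) and the first three mitigations above describe the same cleanup job: find every credential anyone ever pasted into a DM. Doing it by hand misses secrets that contain no keyword at all, such as AWS access key IDs. The script below, an added example written for this article rather than OP Innovate’s tooling, automates the job over a Slack workspace export. The export layout, message field names and sample messages it relies on are assumptions stated in its docstring; the AWS key in the sample is Amazon’s documentation example key, not a live one.

```python
"""Scan a Slack export for credentials shared in messages.

Added example written for this article, not OP Innovate's tooling. It
assumes the standard Slack export layout: one JSON file per channel per
day holding a list of message objects with "user", "ts" and "text" keys.
SAMPLE_MESSAGES are constructed for the demo; point scan_export() at a
real export directory.
"""
import json
import re
from pathlib import Path

# Secrets with a recognisable format: the pattern alone is a strong signal.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "slack_token": re.compile(r"xox[abp]-[0-9A-Za-z-]{10,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# "password is Hunter2!", "pwd=...", "api key: ...": keyword, separator, value.
KEYWORD = re.compile(
    r"\b(password|passwd|pwd|secret|token|api[_ -]?key|credentials?)\b"
    r"\s*(?:is|:|=|->)\s*[\"'`]?(\S{6,})",
    re.IGNORECASE,
)
TRIM = "\"'`,.;)"


def looks_like_secret(value):
    """Cheap filter against prose such as 'password is changed': real
    secrets almost always contain a digit or symbol, or are long."""
    value = value.strip(TRIM)
    return len(value) >= 20 or not value.isalpha()


def mask(value):
    """Keep enough to find the message without re-leaking the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text):
    """Return a list of {"kind", "sample"} findings for one message body."""
    findings = []
    for kind, pattern in KNOWN_FORMATS.items():
        for m in pattern.finditer(text):
            findings.append({"kind": kind, "sample": mask(m.group(0))})
    for m in KEYWORD.finditer(text):
        value = m.group(2).strip(TRIM)
        if looks_like_secret(value):
            findings.append({"kind": "keyword:" + m.group(1).lower(), "sample": mask(value)})
    return findings


def scan_messages(messages, channel="(in-memory)"):
    """Scan a list of Slack message objects, tagging each hit with its origin."""
    results = []
    for msg in messages:
        for finding in scan_text(msg.get("text", "")):
            finding.update(channel=channel, user=msg.get("user"), ts=msg.get("ts"))
            results.append(finding)
    return results


def scan_export(export_dir):
    """Walk a Slack export: <export_dir>/<channel>/<YYYY-MM-DD>.json."""
    results = []
    for path in sorted(Path(export_dir).glob("*/*.json")):
        with path.open(encoding="utf-8") as fh:
            results.extend(scan_messages(json.load(fh), channel=path.parent.name))
    return results


# Constructed sample messages; the AWS key is Amazon's documentation example.
SAMPLE_MESSAGES = [
    {"user": "U01", "ts": "1700000000.000100",
     "text": "the staging db password is Summer2024!"},
    {"user": "U02", "ts": "1700000001.000200",
     "text": "aws key: AKIAIOSFODNN7EXAMPLE secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "U01", "ts": "1700000002.000300",
     "text": "can someone do a password reset for me?"},
    {"user": "U03", "ts": "1700000003.000400",
     "text": "deploy token expired again, ask IT"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"[{f['kind']}] {f['channel']} user={f['user']} ts={f['ts']} {f['sample']}")
```

Run it as-is to scan the constructed messages, or call scan_export("/path/to/export") on a workspace export. Each finding carries a masked sample plus channel, user and ts, which is enough to locate and delete the message without copying the secret into yet another document; anything it flags should also be rotated, because deleting the message does not undo the exposure.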
It is important to internalize that hackers are very creative at getting hold of credentials to your organization in unpredictable ways. To make your “crown jewels” more resilient, OP Innovate strongly recommends challenging them through regular penetration tests and red teaming.
- Conduct a red team exercise at least once a year
- Conduct penetration tests according to the organization’s security work plan
For more information on how OP Innovate’s offensive services can help preempt attacks on your organization, please contact Shay Pinsker [email protected]
We are human and we make mistakes. Most of the time hackers use social engineering to penetrate organizations, but we can reduce the impact of these attacks by overcoming our bad habits. Adopting security best practices is a good way to stay aware of unpredictable scenarios. I hope you learned a lesson or two from this article.
About The Author
Yehonatan Harizi worked for two years as a security analyst before transitioning to a security researcher role. He has been tinkering with computers since back in high school. He has attained OSCP certification and a CISO diploma. Yehonatan joined OP Innovate in 2020 as a Penetration Tester and Incident Responder. He enjoys surfing and lives in Harish with his wife and son.