Red Team Stories

Healthcare Industry

Arcutek’s Certified Ethical Hackers performed a Red Team Simulation to test the security of a large healthcare organization. The scope of the simulation was to use spear phishing to test the susceptibility of their users and then launch an attack on their endpoints and network. We demonstrate just how far a malicious adversary could get.

Medical records and health care information are among the most personal, sensitive, and exploitable data that exist. An organization devoted to gathering, securely retaining, and disseminating resources related to that data should have protections in place to ensure the confidence of its users. A not-for-profit organization that provides healthcare data products hired us to provide social engineering and penetration testing services against their organization. Our team compromised the CEO's email and notified the company staff that their network was compromised.

Our security consultant began by gathering information about the organization, including email addresses, staff titles, and phone numbers from their website, Google, and other information services like LinkedIn. This public information was used to infer the organization's email address format and to learn details about staff that could be exploited through social engineering. The goal was to craft an email that looked credible as part of a larger phishing attack. Using the collected data, our security consultant put together a list of known and likely user accounts and sent them targeted emails containing a code that, when triggered, sent the users' encrypted passwords to his server. This was successful several times, allowing our security consultant to capture and crack these passwords.

Additionally, our security consultant performed telephone phishing attacks by posing as an IT admin. He informed potential victims about issues that had supposedly occurred when they tried to update their computers. To ostensibly troubleshoot the issue, he directed them to a fake website that asked for credentials. Several users, including the CEO's executive assistant, entered their credentials into the fake site. Using the captured credentials, he searched their emails for keywords that revealed additional information, allowing him to then set up an account in a trusted zone within their firewall.

Once inside the firewall, our security consultant scanned for systems using Remote Desktop. Knowing that systems are often named after their users, he located and logged into a vault whose name matched a previously captured username. He found a system containing personal health information (PHI) after again correctly deducing that such a system would be named after the individuals with potential access to it. Targeting users with potential access, our security consultant sent emails instructing them to check their access to the systems. Additional emails were sent to users from the account of the CEO's executive assistant. These contained an embedded malicious Excel macro and asked for assistance in confirming the functionality of the macro. This macro created a connection back to the victim's computer. Ultimately, our security consultant used a social engineering email to capture the CEO's account, letting everyone in the organization know that their security had been thoroughly breached.

Our team demonstrated how even one weak point in an organization's defenses can be leveraged into an expanded network attack. In this case, the organization was vulnerable to multiple social engineering efforts via phone and email. It is important to train employees to detect and defend against social engineering attacks and to adopt tools, techniques, and policies to avoid and mitigate such risks. Having helped the client understand the risks to their organization, our team helped them secure their network and protect all of their sensitive data.