Red Team Stories
Arcutek’s Certified Ethical Hackers performed a Red Team simulation to test the physical security of a large national health insurance company. The scope was to determine whether a malicious adversary could get into the environment through social engineering and then compromise endpoints and the internal network.
Our security consultant began with reconnaissance and observed that plain white RFID badges, requiring no PIN, were used to access the office. Because the badge was the only visible credential, anything that looked like one would pass a casual glance. He also collected information on office routines and noticed that the receptionist took a lunch break at a fixed time. Office access was requested by ringing a doorbell, which brought an employee to the door to screen visitors.
Our security consultant purchased blank RFID badges of the same type from an online retailer, approached the office during the receptionist's lunch break, rang the doorbell and flashed the look-alike badge at the employee who answered. The badge was never presented to a reader; it only had to look right. He told a cover story about being hired to deliver mobile application development services for the organization, explained that his badge was not working and was issued a visitor's badge without having to prove his identity or his relationship with the company. He was then left unattended in the printing and delivery room with an unlocked workstation. The workstation was logged in with a domain account that had local administrator rights. He used those rights and a payload loaded from a USB drive to install a service that would beacon to a command-and-control server, so that he would retain access if he was later asked to leave.
Our security consultant was in the room for four hours and was not questioned by any office staff. In that time he enumerated usernames and email addresses from the domain controller. Through an open network file share he also accessed proprietary company data, an Excel file of customer usernames and passwords, and a virtual machine image containing personally identifiable information such as Social Security numbers and addresses. Afterwards he roamed the office unchallenged and carried out further attacks, using unattended and unlocked computers to gain local administrator privileges through a technique that abuses a troubleshooting tool built into certain Microsoft Windows operating systems for diagnosing problems during system startup.
Turning his attention to the server and network room, he found it locked by an RFID reader that rejected the visitor's badge he had been issued. The failed badge attempts did not trigger an alarm or alert security staff. With the electronic route closed, our security consultant picked the door lock by hand. Once inside, he had physical access to the servers, the networking equipment and the security camera system, and could have disabled or tampered with any of them, including the cameras that might otherwise have recorded the intrusion.
Our security consultant also ran a spear phishing campaign, sending 138 emails containing an Excel document with a macro that, once enabled, opened a reverse tunnel from the victim's machine to his attack server. Three users opened the document and enabled the macro. That foothold allowed him to dump the password hashes of 181 other users who had processes running on those hosts. Within 48 hours he cracked 78 of them.
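The story above leaves three host-level traces that a monitoring team could have caught: the service installed from the USB payload on the unattended workstation, the Excel macro spawning a shell on the three phished hosts, and the credential dump that read other users' secrets from memory. The following detection logic is an added example written for this page, not Arcutek's tooling or anything the client deployed. It runs over constructed events shaped like the Windows System log (event 7045, service installed) and Sysmon (event 1, process creation; event 10, process access); the host names, service name, file paths and the allowlist of processes that may open lsass.exe are all assumptions for the example.

```python
import re

# Directories from which services are normally installed on a managed
# workstation (assumption for this example; build from the real baseline).
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Hypothetical allowlist of processes that legitimately open lsass.exe.
LSASS_ALLOWED_SOURCES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def exe_path(command_line):
    """Executable path from a service ImagePath or command line, lower-cased.
    Handles a quoted path with spaces; an unquoted path stops at the first
    space, which is how Windows itself resolves it."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command_line)
    return (m.group(1) or m.group(2)).lower()


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_rogue_service(ev):
    """7045 (service installed) whose binary lives outside the trusted
    directories: the footprint of a payload dropped from a USB drive."""
    if ev.get("EventID") != 7045:
        return None
    path = exe_path(ev["ImagePath"])
    if path.startswith(TRUSTED_SERVICE_DIRS):
        return None
    return "service %s installed from %s" % (ev["ServiceName"], path)


def rule_office_spawns_shell(ev):
    """Sysmon 1 where an Office application is the parent of a shell or
    script host: what an enabled macro reaching out looks like."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return "%s spawned %s" % (parent, child)
    return None


def rule_lsass_access(ev):
    """Sysmon 10 against lsass.exe from a source that is not allowlisted:
    the handle a credential-dumping tool needs to read other users' secrets."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    source = ev["SourceImage"].lower()
    if source in LSASS_ALLOWED_SOURCES:
        return None
    return "%s opened lsass.exe with access %s" % (source, ev.get("GrantedAccess"))


RULES = (rule_rogue_service, rule_office_spawns_shell, rule_lsass_access)


def run_rules(events):
    """Apply every rule to every event; return (rule name, host, detail) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["Computer"], detail))
    return hits


# Constructed sample events (not real telemetry) using the field names of the
# Windows System log and Sysmon events they imitate.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-PRINT01", "ServiceName": "WinHelperSvc",
     "ImagePath": '"E:\\tools\\helper.exe" -k'},
    {"EventID": 7045, "Computer": "WS-PRINT01", "ServiceName": "WinDefend",
     "ImagePath": '"C:\\Program Files\\Windows Defender\\MsMpEng.exe"'},
    {"EventID": 1, "Computer": "WS-CLAIMS07",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    {"EventID": 1, "Computer": "WS-CLAIMS07",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 10, "Computer": "WS-CLAIMS07",
     "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS-CLAIMS07",
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(*hit)
```

Run against the sample, the three attacker events fire and the three benign look-alikes (a Defender service install, Explorer launching PowerShell, csrss touching lsass) do not. Each rule keys on the relationship between fields rather than on a specific tool name, which is what survives an attacker renaming a binary; the price is an allowlist and a trusted-directory list that have to be maintained per environment.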
We reviewed our findings with the client leadership team responsible for security and provided recommendations that resulted in meaningful changes across the organization. The client introduced new processes to validate individuals at the entrance and strengthened its internal security controls. It also adopted social engineering education and awareness training and made it mandatory for all employees. Our security consultant demonstrated that vulnerabilities can be found by observing basic routines; by taking advantage of the common inclination to be trusting, polite, helpful and non-confrontational; and through patience and persistence.