Case Study: Lateral Movement

Mitnick Security successfully infiltrates financial enterprise company to uncover vulnerabilities and recommend improvements.

CASE STUDY

The Threat of Lateral Movement


Unveiling The Hidden Cyber Threats for Financial Enterprise Company 


At Mitnick Security, the Global Ghost Team™ works diligently to provide the highest value engagements in an ongoing effort to educate and help companies achieve a hardened security posture. This is done by creating unique scenarios that often require coming up with new tactics, techniques, procedures, and even tools to achieve the outcome.

This case study showcases how a threat actor might move laterally once a system has been compromised, and subsequently, the information that can be discovered by skilled threat actors who make it their business to know how to search for sensitive data within your network.

Steps Taken

Azure Compromise and OneDrive Access

The assessment team was able to gain access to an employee’s account, which was compromised through NTLM password cracking. This account allowed them to log into Azure without the need for two-factor authentication.

Code Repository Access

  • After gaining access to Azure, the team looked for specific role types that are employed by the company and identified a Senior Software Engineer—a good target to gain access to the source code for the Operations platform. 
  • A file very clearly marked as containing credentials was located on the employee’s OneDrive, which contained passwords to the Operations platform. Instructions on how to connect to the instances and the build machine were also found. Most interesting were the credentials for a Bitbucket account, which is a Git-based code hosting and collaboration tool.
  • The Bitbucket account provided access to the Operations project and its repositories, which the team exfiltrated using Sourcetree and the previously obtained domain admin credentials.
  • Source code was also accessed using credentials found in Google Chrome, which included other credentials that had access to the Bitbucket project where the source code was kept.

Dumped Password Hashes Cracked

  • Thousands of hashes were exfiltrated and used to crack many of the privileged accounts. Using the Mitnick Security password cracking rig, many of the hashes were cracked within a short time.
  • Because of the previous work, the team was able to access a production VM and remain as a persistent threat for several weeks without detection.

There is of course more to this story than what has been selected to display here, but the key takeaway is how easy it is for threat actors who are well-versed in red team TTPs to gain access in ways that most companies do not consider. This case study also highlights the importance of strong cyber hygiene and security awareness training for employees.

Lessons Learned From This Engagement

2FA Implementation


Always implement 2-Factor Authentication (2FA) on every account.

Documentation Audit


Review OneDrive for any passwords, confidential information, or secrets stored in plaintext. Restrict access to these documents to authorized users only, and consider using an alternative method for sharing sensitive information if necessary.
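As an added example (not code from the engagement or from Mitnick Security), the following Python scanner walks a synced OneDrive folder and flags files that look like the plaintext credentials file described above, either by a telling file name or by password/key assignments in their content. The root path, the suffix list and the match patterns are assumptions and should be tuned to your environment.

```python
import re
from pathlib import Path

# Assumed root of a synced OneDrive folder; point this at the real sync path when auditing.
ONEDRIVE_ROOT = Path.home() / "OneDrive"

# File types inspected as text (Office formats are zipped and would need a separate extractor).
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".ini", ".cfg", ".conf", ".env",
                 ".json", ".yaml", ".yml", ".xml", ".ps1", ".sh", ".bat"}

# A file name that advertises its contents is itself a finding.
NAME_HINT = re.compile(r"(?i)(password|passwd|credential|creds|secret|login)")

# Key/value shapes in which credentials are typically written down (illustrative list).
CONTENT_HINTS = [
    ("password assignment", re.compile(r"(?i)\b(password|passwd|pwd|pass)\b\s*[:=]\s*\S+")),
    ("api key or token",    re.compile(r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*\S+")),
    ("connection string",   re.compile(r"(?i)\b(user id|uid)=\S+;.*\b(password|pwd)=\S+")),
]

def scan_file(path: Path) -> list[dict]:
    """Return findings for one file: a name hint plus each content line that matches."""
    findings = []
    if NAME_HINT.search(path.name):
        findings.append({"path": str(path), "line": 0, "reason": "file name suggests stored credentials"})
    if path.suffix.lower() not in TEXT_SUFFIXES:
        return findings
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for reason, pattern in CONTENT_HINTS:
            if pattern.search(line):
                # Record only the location, never the matched value, so the report is not a second copy.
                findings.append({"path": str(path), "line": lineno, "reason": reason})
                break
    return findings

def scan_tree(root: Path) -> list[dict]:
    """Walk a directory tree (e.g. a OneDrive sync folder) and collect every finding."""
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in scan_file(p)]

if __name__ == "__main__":
    for finding in scan_tree(ONEDRIVE_ROOT):
        print(f"{finding['path']}:{finding['line']}  {finding['reason']}")
```

Each hit should be followed up by moving the secret into a vault or password manager and rotating it, since the file may already have been synced to other devices.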

Endpoint Detection & Response


Conduct an inventory of all servers and workstations to determine which ones do not have an EDR solution installed. Install EDR on all systems that are currently without it to reduce the risk of compromise.

Update Password Requirements


Change the password policy and complexity to at least 20 characters with no requirement for using cases, numbers, or symbols. Train users on choosing a passphrase like "I had lunch at Cowboy Chicken."

For service accounts, use at least a 20-character, fully random password since 2FA is not applicable.

Security Awareness Training


Conduct regular security awareness training for all employees to ensure that they are aware of the latest security threats, such as phishing attacks, social engineering, etc.

While these high-level actions are not fail-safes, they drastically reduce the immediate risk for breach. 
