
A Hacker's Guide to Remote Working

Remote working is brilliant for a hacker, and not in the sense that they can work from home in a dark room wearing a hoodie, but because remote working means that a business is intentionally providing a path into the internal network that could potentially be accessed by anyone on the internet. This blog post covers some of the things that we have encountered across the team over the years.


Your password

You would be surprised at how easy it is to generate a list of potential usernames. Some are a bit more refined than others. All it takes is a quick browse on LinkedIn, and you have the first and last name for a lot of employees. Add in breach lists, sites like hunter.io, statistically common usernames and any metadata you can scrape from documents available on company sites.

You end up with a good list of potential users. Some services even let us validate usernames, which is nice! This allows us to refine our username list.

From this point, you can just use password spray attacks against those remote access portals and see if you get lucky, for example when Bob in Finance is using Password123!
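From the defender's side, a spray has a recognisable shape in sign-in logs: one source failing against many accounts with only a guess or two at each. The following is an added example, not code from the original post; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source IP, username, outcome)
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:01", "203.0.113.10", "a.smith", "FAIL"),
    ("2024-03-04T09:00:07", "203.0.113.10", "c.patel", "FAIL"),
    ("2024-03-04T09:00:12", "203.0.113.10", "d.nguyen", "FAIL"),
    ("2024-03-04T09:00:18", "203.0.113.10", "e.brown", "FAIL"),
    ("2024-03-04T09:00:23", "203.0.113.10", "f.khan", "FAIL"),
    ("2024-03-04T09:00:29", "203.0.113.10", "bob.finance", "SUCCESS"),
    # One user mistyping their own password: many failures, one account.
    ("2024-03-04T09:05:00", "198.51.100.7", "j.doe", "FAIL"),
    ("2024-03-04T09:05:20", "198.51.100.7", "j.doe", "FAIL"),
    ("2024-03-04T09:05:41", "198.51.100.7", "j.doe", "FAIL"),
    ("2024-03-04T09:06:02", "198.51.100.7", "j.doe", "SUCCESS"),
]

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: {"targets": [...], "succeeded": [...]}} for spray-like sources."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), user))
        else:
            wins[src].add(user)
    alerts = {}
    for src, rows in fails.items():
        rows.sort()
        start, best = 0, []
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts = Counter(user for _, user in rows[start:end + 1])
            # Spray shape: many accounts, only a guess or two at each.
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if len(counts) > len(best):
                    best = sorted(counts)
        if best:
            # A success from a spraying source is a likely compromised account.
            alerts[src] = {"targets": best, "succeeded": sorted(wins[src])}
    return alerts

if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_EVENTS).items():
        print(src, hit)
```

Per-account lockout counters never trip on this pattern, which is why the grouping is by source rather than by user; any account in `succeeded` should have its sessions revoked and its password reset.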

 

 

Access Granted

Unfortunately, there was no multi-factor authentication in place this time. We have just walked straight into the Office365 suite / Citrix / VPN and can now access all the information that the user account lets us. You can use the standard methods to try to escalate and gain a bigger foothold on the network. We are going to spin off from this and cover some of the more interesting avenues it has taken us down.

Helpdesk – How can I help?

We've gained access to a user's O365 account, checked out their emails, but we've not found passwords or other account details. Jump onto SharePoint - again, nothing all that useful for giving us further access. No passwords hidden in text documents, no VPN configuration data.

This may sound like a dead-end, but there are some dangerous possibilities – a firm favourite being phishing other employees via the compromised mailbox with malicious attachments and links. This time we do a bit more digging through the mailbox and find an interesting email that explains how to have your laptop set up for remote working. Perfect!

All we need to do is raise a ticket with support, and they will arrange a time to access the device with TeamViewer and get it set up.

Time to do a bit of research on the person whose account we have compromised and set up a virtual machine (VM) with a desktop that looks like those we see on the helpful marketing pictures companies put out on social media. A bit of housekeeping is done, like installing TeamViewer and making a few configuration changes to make the VM able to pass the initial inspection.

An email is then sent to the central helpdesk to raise the ticket, and an appointment is scheduled for the following day. A few minutes before the appointment, we call the helpdesk and let them know we are working from home and ask if that is a problem. The very helpful engineer tells us it is not a problem at all and proceeds to access our VM and begins working on the ticket. Thanks to the conducted research, we direct the conversation towards topics they are interested in and try to keep them half distracted from the task at hand, so they don't realise how rough around the edges our VM is. Finally, the VPN is installed and configured, and an excuse is made to end the call so we can both continue with our working days.

Phew – sigh of relief that we weren't caught out. Now we can connect to the internal network and access even more information and ultimately compromise it entirely.

 


Our helpdesk won't fall for that!

Not everyone is going to be susceptible to social engineering, and it is one of the riskier methods of gaining access - you can lose the compromised account if discovered. So how else would we get access to the internal network from the outside?

Many businesses love to share information across the various teams on a structured platform. Often this is SharePoint. We find a plethora of useful information in there, like step-by-step guides on how to set up your remote access VPN connection, and wireless network passwords.

We will then drive to a suitable location and point a not-so-suspicious antenna towards the building and connect. Then, my personal favourite, we find text files containing lists of credentials for various services. Many of these give us additional ways to increase the foothold and access more information.
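A defender can run the same search over their own document library before anyone else does. The following is an added example, not code from the original post: it scans text exported from shared documents for labelled secrets and pasted `account / password` pairs, and redacts what it finds. The file names, patterns and sample contents are constructed assumptions.

```python
import re

# Constructed sample documents standing in for text exported from a document library.
SAMPLE_DOCS = {
    "IT/remote-access-guide.txt": "Step 3: connect to the VPN gateway\nShared secret: Tr0ub4dor&3\n",
    "Office/wifi.txt": "SSID: Corp-Staff\nWPA2 key = summer2020wifi\n",
    "Finance/logins.txt": "svc_backup / B@ckup!2019\n",
    "HR/policy.txt": "Passwords must be at least 12 characters.\nReset your password via the portal.\n",
}

# "label: value" or "label = value" where the label names a secret.
LABELLED = re.compile(r"(?i)\b(password|passwd|pwd|passphrase|secret|key|psk)\s*[:=]\s*(\S+)")
# "account / value" lines, the usual shape of a pasted credential list.
PAIR = re.compile(r"^\s*[\w.\\@-]{3,}\s*/\s*(\S{6,})\s*$")

def looks_like_secret(value):
    """Require letters plus a digit, which filters prose and plain names."""
    return bool(re.search(r"[A-Za-z]", value) and re.search(r"\d", value))

def redact(value):
    """Keep the first character only, so the report does not leak the secret."""
    return value[0] + "*" * (len(value) - 1)

def scan(docs):
    """Return (path, line number, kind, redacted value) for each suspected credential."""
    findings = []
    for path in sorted(docs):
        for lineno, line in enumerate(docs[path].splitlines(), 1):
            labelled = LABELLED.search(line)
            pair = PAIR.match(line)
            if labelled:
                kind, value = "labelled", labelled.group(2)
            elif pair:
                kind, value = "pair", pair.group(1)
            else:
                continue
            if looks_like_secret(value):
                findings.append((path, lineno, kind, redact(value)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOCS):
        print(finding)
```

Each finding is a credential to rotate and move into a password manager or vault, not just a file to delete.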

But multi-factor authentication will save the day?

Multi-factor Authentication (MFA) definitely makes life harder for a hacker and is a fantastic layer of security that you should have on external services. But you can always trust hackers to try and find the easiest ways around this. The most common method is to phone the person whose credentials you have while pretending to be from the help desk or IT Support and claim that you are sending them a verification code which they must read back to you.

Also, there are man-in-the-middle phishing attacks which will capture the session cookie during the login process, which gives the hacker access to that account.

 


At Chess, we have used both these methods successfully. Once access is gained to the internal network, it almost always leads to a full compromise. For this reason, it is important to have a layered security approach and to identify even the small weaknesses in those layers.

About the author

Chess

Chess is one of the UK’s leading independent and trusted technology service providers, employing 300 skilled people across the UK, supporting over 20,000 organisations.

 By leveraging world-class technology, Chess helps you to connect your people, protect your data, grow your business, reduce your costs and work better together, which means your business, your people and your customers can thrive.

At Chess, we’re passionate about our unique culture and our continuous investment in our people to be industry experts. We’re extremely proud that our people voted us No.1 in ‘The Sunday Times 100 Best Companies to Work for’ list 2018, and we continue to celebrate more than ten years in the top 100.
