Stuart White is Penetration Test Team Lead at Chess. With over 10 years of experience in the IT and Security industry, he helps our customers identify weaknesses in their networks and provides practical advice on how to protect their data.
In 2020, companies rapidly enabled remote working at large scales. Often security was left as an afterthought and attackers took advantage of the newly created vulnerabilities in the system and the social panic.
Home networks are predominantly insecure:
- People tend to use the default settings on their router, which do not provide the highest level of protection.
- As smart home appliances become more common, the home attack surface grows, and hackers can use, for example, your smart TV to gain access to your home network.
- Children nowadays are often technically versed and can adjust settings to optimise their gaming experience, opening the home network to attacks in the process.
Nevertheless, some of the most common vulnerabilities found in companies last year are not necessarily just linked to this new way of working. Instead, they are recurring mistakes our penetration testers come across day in, day out.
Stuart White, our Penetration Test Team Lead, summarised the latest top five vulnerabilities that our security experts find in our customers' networks, which enable them to break into a corporate network within minutes.
Lack of end-user awareness
Lack of end-user awareness and cyber education continues to be one of the main gaps in businesses. This is an unsurprising result, considering there are still organisations that do not invest in cyber training. It leads to the easy success of social engineering campaigns such as phishing and vishing. We've seen rapid and substantial results by keeping the phishing emails simple. Spam filters are becoming better at capturing suspicious communication, but by not including 'spoof' M365 or corporate wording and branding in the emails, we can easily get around that. Short messages relevant in today's world can lure the victim into clicking through to the phishing page. Take the following as an example:
Clicking the link, the victim sees what looks like an M365 login portal. For all intents and purposes, it is: it is the real M365 portal, just served via my webserver. This means that any credentials entered can be reused, including to gain access to the corporate VPN or other remote working solutions. Unfortunately, this is all too often the scenario we come across.
Furthermore, if the victim uses MFA, we will also capture the M365 authentication session cookies as they are sent back from Microsoft to the victim (via our server). Then we can import the cookies into our browser – bypassing the need for MFA and any other conditional access rules. #WIN!
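From the defender's side, a session cookie that has been lifted and imported into another browser shows up as one session presented by two different clients. The sketch below is an added example, not part of the original article: it flags that pattern over constructed events, and the field names (`session`, `ip`, `ua`) are hypothetical rather than any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Field names are hypothetical, not a vendor log schema.
EVENTS = [
    {"time": "2021-02-01T09:00:05", "user": "alice", "session": "s-100",
     "ip": "198.51.100.7", "ua": "Chrome/88 Windows"},   # sign-in, MFA passed
    {"time": "2021-02-01T09:03:10", "user": "alice", "session": "s-100",
     "ip": "198.51.100.7", "ua": "Chrome/88 Windows"},
    {"time": "2021-02-01T09:20:41", "user": "alice", "session": "s-100",
     "ip": "203.0.113.50", "ua": "Firefox/85 Linux"},    # same cookie, different client
    {"time": "2021-02-01T10:00:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.10", "ua": "Edge/88 Windows"},
    {"time": "2021-02-01T12:30:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.77", "ua": "Edge/88 Windows"},       # network change only
    {"time": "2021-02-01T11:00:00", "user": "carol", "session": "s-300",
     "ip": "192.0.2.20", "ua": "Safari/14 macOS"},
    {"time": "2021-02-01T11:45:00", "user": "carol", "session": "s-300",
     "ip": "192.0.2.20", "ua": "Safari/14 macOS"},
]

def find_session_reuse(events):
    """Flag sessions later presented by a client that differs from the one that signed in."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session, evs in sorted(by_session.items()):
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        origin, worst = evs[0], None          # first event = where the sign-in happened
        for e in evs[1:]:
            if e["ip"] == origin["ip"]:
                continue  # same network: a user-agent change alone is usually an update
            severity = "high" if e["ua"] != origin["ua"] else "low"
            if worst is None or (severity == "high" and worst["severity"] == "low"):
                worst = {"user": e["user"], "session": session, "severity": severity,
                         "origin_ip": origin["ip"], "seen_ip": e["ip"], "time": e["time"]}
        if worst:
            findings.append(worst)
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(EVENTS):
        print(finding)
```

A "low" finding is typically a user roaming between networks; a "high" finding, where both address and browser change mid-session, is the one to investigate and to answer by revoking the session.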
Access to data on Microsoft 365 or SharePoint
Once we have access to the corporate Microsoft 365 or SharePoint, it can merely be a case of searching for 'password', giving us further access to remote access solutions or other internal systems (lateral movement, as it's known in the industry).
Unfortunately, we also find that this can reveal VPN connection details to your customer networks, i.e. supply chain attacks. While penetration testers will not rummage into external/supplier networks as it's out of the assignment's scope, hackers will take advantage of the opportunity to steal more data and compromise other organisations. Therefore, an attack will not only cost you your reputation and maybe business; the collateral damage that can be done to your customers' and partners' networks is also critical.
Lack of Multifactor Authentication (MFA)
Once hackers have that "sweet, sweet nectar", credentials, either via phishing, password spraying weak accounts or further credential discovery via existing access, there's plenty more damage to be done. During tests, it's far too common that we can reuse these credentials on systems that do not use MFA, further imprinting our 'foothold' into the networks and the data.
For example, some customers are surprised that we got in via their Citrix system that uses MFA (assuming that was the route we took). However, they forgot about the dev systems for testing or the old VPN solution they used 'years back' which they never took offline.
Weak Wi-Fi credentials
Often enough, it can be trivial to crack a WPA-PSK (Wi-Fi Protected Access with a pre-shared key) passphrase. With most offices unattended, the personnel previously present to catch that odd-looking car with an antenna sticking out the window aren't there. All it takes is a quick de-authentication frame to a Wi-Fi connected IoT device (including a smart fridge, kettle, TV, etc.) and you can attempt to crack the Wi-Fi password offline. Once cracked – you're in!
Weak passwords continue to be among the most common vulnerabilities we come across during tests. Why this is still a problem in such a modern world, we do not know. With more exposed services (new, old, forgotten) it doesn't take much to scrape the organisation's LinkedIn page and look for staff members. After the attacker has a potential username list, armed with a few trivial passwords like COVID19, LockDown2, Winter2021, and password spraying, they will access your network and data.
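Passwords of the kind listed above share a shape: a topical or seasonal word plus a few digits. The following is an added example, not part of the original article, of a screening check that rejects that shape when a password is set; the banned-word list, the 12-character minimum and the `org_words` parameter are illustrative assumptions.

```python
import re

# Illustrative ban list (an assumption); the topical entries mirror the examples in the text.
BANNED_BASES = {
    "password", "welcome", "letmein", "qwerty", "covid", "lockdown",
    "spring", "summer", "autumn", "winter",
    "january", "february", "march", "april", "june", "july",
    "august", "september", "october", "november", "december",
}
# Undo common character substitutions so P@ssw0rd reduces to password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def base_word(password):
    """Reduce a password to its root: lowercase, strip edge digits/symbols, undo leetspeak."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())   # Winter2021! -> winter
    core = re.sub(r"^[\d\W_]+", "", core)               # 2021winter  -> winter
    return core.translate(LEET)

def screen_password(password, org_words=(), min_length=12):
    """Return the reasons to reject a password; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    root = base_word(password)
    banned = BANNED_BASES | {w.lower() for w in org_words}
    # Reject when a banned word makes up more than half of the root, so a long
    # passphrase that merely contains "winter" is not penalised.
    hit = next((b for b in sorted(banned) if b in root and 2 * len(b) > len(root)), None)
    if hit:
        reasons.append(f"built on banned word '{hit}'")
    return reasons

if __name__ == "__main__":
    # Constructed candidates: the three from the text plus two for contrast.
    for candidate in ["COVID19", "LockDown2", "Winter2021", "P@ssw0rd2021!",
                      "plum-Tractor-88-orbit"]:
        print(candidate, "->", screen_password(candidate) or "accepted")
```

Passing the organisation's own name and product names as `org_words` covers the other guesses a username list scraped from public sources tends to be paired with.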
Read our whitepaper, 12 Common Vulnerabilities Found During Penetration Testing to:
- Help you make a business case for penetration testing.
- Learn more about the sorts of vulnerabilities that you might unknowingly be allowing on your network.
- Prepare your team for the sorts of results your penetration tester might uncover.