One Weak Password Leads to Compromise

Aug 17, 2022 | Blogs

The only constant in IT today is change. That change might be an all-encompassing digital transformation brought on by a global pandemic, or merely a change of employee credentials. Either way, there is constant change in our organizations today.

The risk associated with a change does not always track the effort needed to implement it. Whether the change is extensive or trivial, when combined with other threat vectors already present on the attack surface, it can put your organization at serious risk. That risk also depends on what data bad actors have been able to collect on you or your organization during their reconnaissance stage. Chained together with any weaknesses that are already present, a change that introduced only a low-severity misconfiguration can lead to a critical impact.

Here’s an example of a minor change that led to a major impact. Our autonomous pentesting platform, NodeZero, discovered a customer’s host that had not appeared in previous pentests. This new host had either been offline or not communicating on the network previously, but NodeZero saw that it was now actively sending LDAP packets across the network to communicate with Active Directory.

Just as an attacker would, NodeZero sought to exploit this potential opportunity by executing OSINT (open-source intelligence) collection on the company and its employee base. NodeZero then generated multiple candidate usernames, password sprayed them to find valid user accounts, and compromised a valid credential in a matter of seconds. It then chained the obtained credential together with other data it had found by enumerating the network infrastructure. NodeZero fingerprinted several other hosts before it found one on which this credential had local admin privileges. From that host, NodeZero was able to dump credentials from the SAM database, the LSASS process, and LSA secrets.

The customer was convinced that the NodeZero results were a false positive. However, with the full transparency and depth of information about the attack path, as well as the proof that NodeZero provided, we were able to show the customer how one single changed credential could be reused on multiple hosts and lead to numerous critical impacts. One of these impacts was domain compromise: NodeZero was able to log in to the domain controller with four different domain admin credentials, obtained via four separate attack paths.

Prior to running the pentest, our customer expected to find no critical impacts and no compromised credentials. Much to their disappointment, though that disappointment turned to surprise and appreciation, NodeZero still harvested 776 credentials and 43 file shares. These led to several critical impacts including, but not limited to, domain compromise, numerous domain user compromises, and sensitive data exposure.

Many organizations answer to regulatory bodies or are required by their internal or external stakeholders to adhere to certain standards. Almost all of these standards, policies, and regulations in some way, shape, or form require that a strong password policy be in place, implemented, and enforced. NodeZero gave the customer insight into how their weak password policy allowed a minor change to one single user’s credentials to lead to several critical impacts.

It is crucial to continuously assess your network and identify the most critical weak links that could be exploited by cyber threat actors. A weak link that doesn’t exist today may well exist tomorrow. Change is inevitable, so when it comes to security our advice is to continuously run pentests to find and fix any exploitable vulnerabilities, and then verify that they are fixed.

NodeZero is a true self-service SaaS offering. It is safe to run in production and requires no persistent or credentialed agents. NodeZero combines the lower cost and high-frequency testing capabilities of automated pentesting with the expertise, thoroughness, and precision of manual pentests performed by highly skilled security professionals. The result: the ability to run continuous purple team exercises at a low annual cost.

Want to see it in action? Schedule a demo today.

This article was written by Habibeh Deyhim, Customer Success Leader with Horizon3.ai. You can find her on LinkedIn here.
