Tales From The Road: Gone’ Phishin’!

How DirectDefense leveraged the pandemic to exploit remote access security for a large corporate network through an email phishing campaign

While most of the world was busy adapting to the Work from Anywhere #WFA movement that the pandemic suddenly brought on, a certain segment of the population saw a unique opportunity to get into an otherwise secure corporate network and got busy preparing their “tactic” box to do a little “phishing”.

When the COVID-19 pandemic hit, our client, like hundreds of similar companies, sent employees home and quickly developed a remote working infrastructure. With network access now scattered across the United States, DirectDefense was called upon to test the company’s remote access security through a phishing attack. Read on to find out how they did!

Remote Working is Here to Stay (so Remote Access Security Needs to Be Too)

While our client had many security controls in place to protect their large, corporate network, our team was able to gain access to their internal network through a phishing attack that preyed on their remote work environment. If the same act had been conducted by someone with ill intent, the results could have been devastating. 

Did you know that according to survey data…

  • Two-thirds of employees, 66%, are currently working remotely at least part of the work week as a result of the coronavirus pandemic? Reference
  • The percentage of workers around the world that are permanently working from home is expected to double in 2021 as productivity has increased during the coronavirus pandemic? Reference
  • COVID-19 has kicked off the great remote work migration and the Work From Anywhere #WFA movement is here to stay? Reference

Stats like these reveal that while the pandemic will eventually go away, remote working is here to stay. This is why there has never been a more crucial time to conduct security assessments to ensure that your remote access security is fortified to protect your network from attackers.

Taking the Bait: Compromising an Internal Network Through a Good Day of Phishing

Our team put our client’s remote access security to the test with a three-pronged phishing attack:

  1. Assessing Email Auto-Responders: First,we sent emails to numerous employees and simply assessed the security vulnerabilities present in any auto responders or out-of-office emails we received. 

Inside Tip: These out-of-office replies typically includeemails and phone numbers of multiple other individuals. Similarly, auto responders alerting to a bad link or attachment can also provide information about the company’s security technology, as well as what rules are being applied to flag suspicious emails. This type of information may seem benign, but it can provide an attacker with enough to further compromise the company’s security.

  1. Baiting Employees to Share Personal Information:  Next, we gathered publicly-available information regarding the company’s help desk solution and employee email addresses, and then created a fake domain for the help desk that was just slightly different from the existing, legitimate URL. Pretending to be the help desk, we sent emails to more than 800 employees notifying them that their password had expired and needed to be reset. When a user clicked the link in the email to reset their password via the company’s SSO portal, we were able to see in real time that they had submitted their credentials, and once they authenticated their information through the MFA process we could access their session. 
  1. Launching a Kerberoasting Attack: Despite having compromised several users’ accounts using our first two phishing schemes and subsequently gaining remote access to their virtualized desktops, we were unable to take any real action because these lower-tier users had no admin access – preventing us from being able to access much of the internal network. But we didn’t stop there. Although the virtualized desktops were largely locked down and restricted, we eventually located an editor function that allowed us to execute code and launch a kerberoasting attack, which provided hashed passwords for dozens of users with high internal network privileges. Using our password cracking array, we recovered a plain-text password for a highly-privileged domain admin user. We were then able to authenticate as this user from our own remote desktop and fully compromise the internal environment. 

Inside Tip: Email phishing is common, and kerberoasting is a popular attack vector that will most certainly be tried by an attacker who has gained access to the internal network. Attackers are not going to stop just because one tactic didn’t work – and an attacker only needs to be successful a single time.

To Beat an Attacker, You Need to Think Like One

If it had been a malicious attacker who gained this access, they would be able to create new users, dump passwords, access sensitive company data for both internal and external individuals and processes (including customers and partners), and access cloud-based services and applications through the third-party vendor. 

Think your network security is airtight? Think again! If it’s not tested and assessed by an entity like DirectDefense that is able to think like an attacker, someone who actually has malicious intent can find a way in. Even post-pandemic, the sophistication of attacks is only increasing, and the controls you have in place may not be effective enough to withstand them. 

Can your network security stand up to the inherent risks of remote access?

Contact us today to find out! Our security experts will work with you to create a path forward for ongoing remote access security. Visit directdefense.com or call us at 1 888 720 4633.