So, the basic story is this. Alice‘s company is hired by Bob to conduct a penetration test against Bob’s company. Bob is pretty sure that the network is secure but he’s hearing a lot of stories about how Mallory is wreaking havoc on law firms, medical facilities and even high end managed [technical] services companies with everything from massive data breaches to expensive ransomware and wants to make sure that, to the extent that he can, he has all of the proverbial i’s dotted and t’s crossed.
Alice and Bob agree on the details and the test commences. With very few exceptions, Bob has given Alice free reign operate just as a Mallory would act, understanding that it’s going to be better for Alice to find the weaknesses and work with him to fix them than for Mallory to find the weaknesses and use them to either leak confidential data or encrypt all of Bob’s files and charge a ransom to [hopefully] get them back. Based on the scope and her recon, Alice decides to take an ‘outside-in’ approach, trying first to find exposed services like VPN or Remote Desktop that she can exploit to gain access to the internal network from the Internet. She continues moving in and ultimately hits gold when an administrative assistant falls for a phishing email.
Ultimately, the firewall was solid, systems were up-to-date, antivirus was up-to-date, networks were properly segmented, etc. For the most part, Bob was doing all of the things. The one fly in the ointment though was a spreadsheet on that administrative assistant’s workstation called ‘passwords.xlsx’. To be fair, it was a password protected spreadsheet, but bypassing the password was a simple Google search away. Once the password was bypassed, that spreadsheet had the boss’s username and password (as well as things like his mother’s maiden name, pets name, credit card info [including CVV], etc.) in case she had to operate on his behalf (send / receive email, purchase airline tickets, etc.). That username and password gave Alice access to the Remote Desktop logon which, of course, had admin rights on the bosses workstation. With those local admin rights, Alice was able to dump hashes and get domain admin rights and log onto the server (as a domain admin) and it was game over.
The lesson learned
Lesson one, the network is only as secure as it’s least secure component (in this case, the administrative assistant). The shiny boxes with blinky lights are nice but user training is just as important. Lesson two, Excel is not a password manager. To some this will seem obvious but it’s not an unusual thing to find files like passwords.txt, passwords.docs or passwords.xlsx with a treasure trove of information (i.e., the Sony Pictures breach). Password managers are cheap (free) and easy to use and, as long as the password (to the password manager) isn’t something like password, they are a far better option than a text file, document or spreadsheet (with our without a password). Lesson three, many times a vulnerability can be very difficult to spot by an insider. In this case, Bob likely had no idea that his administrative assistant was keeping a cache of data on him and she likely never saw it as a vulnerability but as a way to be much more efficient (and, after all, she password protected it).