The year 2022 has wrapped up and I find it helpful to share some of the most common findings I have encountered throughout the year. Some of these may not be surprising as they are covered in almost every cybersecurity awareness training course there is. However, it highlights that low-complexity attacks are still some of the most effective when testing an organization’s security posture.
In 2022, I saw that weak passwords are still one of the most effective attack vectors. Employees will use the season and current year, the organization’s name, a local sports team, and many other easily guessable names in their passwords. Even with constant cybersecurity awareness training, people still practice poor security in the name of convenience. You need to implement technical controls to enforce security and encourage better passwords.
I found that some organizations implement a firm password policy but do not enforce it retroactively. This means that accounts with never expiring passwords can maintain their weak passwords despite the new policy. This is a common practice as changing these passwords can break the functionality of some Active Directory-connected software.
For authentication best practices, refer to NIST Special Publication 800-63B. This will cover Authenticator Assurance Level, Session Management, Threats and Security considerations, and more in-depth.
Assume you successfully password-sprayed a user’s Microsoft O365 account. The next action item is to check for misconfigurations. Using MFASweep, you can test the compromised user’s credentials against a suite of Microsoft services. These include
- Microsoft Graph API
- Azure Service Management API
- Microsoft 365 Exchange Web Services
- Microsoft 365 Web Portal w/ 6 device types (Windows, Linux, macOS, Android Phone, iPhone, Windows Phone)
- Microsoft 365 Active Sync
Organizations left these protocols as single-factor login on multiple engagements. I compromised a user account via misconfigured legacy protocols and password spraying. Most instances where I compromised an account had one thing in common, MFA was enabled. There was no need for me to social engineer the user since there was a fault in the technical controls. I gained access to their email accounts and found mishandled private information in every successful breach. Disable all legacy and unused protocols to reduce your attack surface.
If the Microsoft services were adequately configured, but MFA wasn’t, there is still the opportunity for a successful breach. I have written about Multi-Factor Authentication before, so we won’t cover that in depth here. Instead, I will reiterate the importance of MFA applications without push notifications. MFA fatigue is real and leveraged to gain access to your account. In 2022, I confronted a couple of instances where only one or two users had push notifications enabled, but that was all I needed. I sent the request to the user’s phone over and over at different times of the day and at different intervals. Eventually, one of the users grew annoyed enough to hit accept and be done with the notifications. After giving in, it was time to read emails and look for sensitive information.
Mishandling of Sensitive Information Within the Network
The following is a list of things I have found on actual engagements in 2022
- Passwords in plain text
- Social Security Number (SSN)
- Date of Birth
- Date of Death
- Home Address
- Personal email address
- Bank Account Number
- Routing Number
- Signature of both endorsers (digital copy of check)
- Medical Information
- Photocopy of government-issued ID (front and back)
- Pictures of family members
- Information relating to social work gatherings
- Employee’s personal phone number
- Private client financial information
Most of these should not be found simply by looking through an employee’s email or browsing a document repository all employees can access. There is a false sense of security when sending information to and from company email accounts or saving a document in a company repository. Mishandling this sensitive information can lead to fines, lawsuits, reputational damage, and other negative consequences. It is imperative to remember that dealing with this type of information, you should treat it as if someone is already reading your emails. Follow security best practices, and please refrain from sending sensitive information via email.
One of my most memorable highlights in 2022 was multiple successful social engineering attempts. Despite all the technical strengths present within an organization’s network, humans can still be the key to circumventing all of them. Being friendly, smiling when speaking, and engaging in light conversation with a target significantly improved the outcome of my vishing attacks. Everyone I talked to for more than a few minutes was very forthcoming with information, including their username, password, and MFA code.
It was incredible when I successfully logged into a user’s account guarded with expensive third-party MFA protections, firewalls, challenge questions, and so on. Technical controls are imperative to an organization’s continued network security; however, they are not the answer to human vulnerabilities. Continuous security awareness training and reinforcement of good behavior will help reduce the number of successful social engineering attacks, but similar to technical controls, how are you testing the effectiveness of your training?
As a user, you should be cautious of people using different tactics to gather information. Some tactics often used are fear and urgency. You might receive a call that claims your child is hurt or some other unimaginable event that happened to create a sense of fear and urgency. You might receive a call about a tax bill, immigration status, or any different number of things that will scare you into answering questions. It would be best if you also were cautious of the very nice folks. Ask yourself what is being asked of you and if you should offer that information freely.
You might have the best cybersecurity training, software, and technical controls, but it doesn’t hurt to test against them. If any of these common vulnerabilities are of interest to you, contact TCM Security and help us strengthen your organization’s security posture.
This blog was written by Steven Amador.