SecureState Blog


Engagement Background

A healthcare organization with a strong security outlook wanted to test the security of its external presence. Our Profiling team was asked to complete an External Penetration Test, which identifies and exploits vulnerabilities from the perspective of an outside attacker. Additionally, an External Pentest detects weaknesses in a system or network that may result in a compromise. SecureState’s pentesters have a high success rate of compromising an organization’s network during an external attack. In this case, a simple vulnerability providing information disclosure on an external-facing website eventually led to full compromise of the internal network. This vulnerability was identified on a web application that was designed and implemented by a third-party service provider.

Why it’s Important

It’s important for an organization to do its due diligence and due care when seeking assistance from a third-party service provider. Hiring a service provider does not absolve the organization of all responsibility. The organization must ensure that the proper controls are in place and network security is maintained. If a breach occurs, the organization, not the third-party service provider, is ultimately held accountable. In this particular engagement, the client was unaware of the vulnerabilities left by the third-party service provider which could be used to compromise additional systems or allow unauthorized access to sensitive information. To help with this issue, our experienced consultants put a plan in place outlining the necessary steps to remediate the issue.

What the Consultants Had to Say

“Well, now that we have a list of valid users, let’s attempt a few logins,” said one pentester while the other configured a tool to do just that. While taking precautions to prevent locking out accounts, they watched closely as each login attempt was made. “I’ve got one!” the pentester exclaimed. “It seems to be an administrative account too. I’ll generate a PHP reverse shell and upload it to their site. Go ahead and set up the listener.” Moments later, SecureState’s other pentester was ready. “Alright, the listener is ready,” he said. “Browse to the URL and we’ll see if it worked.” After a few seconds had passed, the pentester called out, “Session is open, we’re in. Let’s pivot through this connection and see how secure their internal network is.”

From this point, SecureState’s pentesters were able to identify vulnerabilities on the internal network which eventually led to full internal compromise. This is a perfect example of Vulnerability Linkage Theory: multiple lower-risk vulnerabilities, none of them critical on its own, combined into a compromise. Examples of lower-risk vulnerabilities include information disclosure of usernames, weak administrative passwords, firewalls allowing egress traffic, and more. “It’s a good thing we discovered the vulnerabilities and exposed the potential impact to the client,” said a SecureState pentester. “It’s better that we find it before an attacker does.”
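For remediation planning, the linkage described above can be modelled as findings that each require and grant a capability. The Python below is an added example, not SecureState's tooling or data from the engagement report: the capability names, the risk ratings, the upload finding and the banner finding are constructed for illustration.

```python
# Constructed findings: (name, standalone rating, capabilities required, capability granted).
# Names follow the write-up's narrative; ratings and capability labels are assumptions.
FINDINGS = [
    ("Username disclosure on external website", "low", {"internet_access"}, "valid_usernames"),
    ("Weak administrative password", "low", {"valid_usernames"}, "web_admin_login"),
    ("Admin interface accepts PHP uploads", "medium", {"web_admin_login"}, "web_server_code_exec"),
    ("Firewall allows egress traffic", "low", {"web_server_code_exec"}, "internal_foothold"),
    ("Internal network vulnerabilities", "medium", {"internal_foothold"}, "internal_compromise"),
    ("Verbose server banner", "low", {"internet_access"}, "server_version"),  # not part of the chain
]

def reachable(findings, start):
    """Forward-chain from the starting capabilities; map each capability to the finding that granted it."""
    have = {cap: None for cap in start}
    changed = True
    while changed:
        changed = False
        for name, _risk, requires, grants in findings:
            if grants not in have and requires.issubset(have):
                have[grants] = (name, requires)
                changed = True
    return have

def chain_to(findings, start, goal):
    """Return the linked findings that lead from start to goal, or [] if the goal is unreachable."""
    have = reachable(findings, start)
    if goal not in have:
        return []
    chain, todo = [], [goal]
    while todo:
        step = have[todo.pop()]
        if step and step[0] not in chain:
            chain.append(step[0])
            todo.extend(step[1])
    return chain[::-1]

def chain_breakers(findings, start, goal):
    """Findings whose remediation alone makes the goal unreachable."""
    return [f[0] for f in findings
            if not chain_to([g for g in findings if g is not f], start, goal)]

if __name__ == "__main__":
    start, goal = {"internet_access"}, "internal_compromise"
    print("Chain:", " -> ".join(chain_to(FINDINGS, start, goal)))
    print("Fixing any one of these breaks it:", chain_breakers(FINDINGS, start, goal))
```

No finding in the constructed list is rated above medium, yet the chain reaches internal compromise, and remediating any single link removes the path.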