Pentester notes: quarantine, remote employees and how to live with it


With the general quarantine and the shift to remote work as a backdrop, some colleagues in the trade have started busily painting an escalating picture: there are already plenty of hacked companies around, they say. I want to talk about what can be done in a short time to make you much harder to hack.

I hope I am not revealing any secret by saying that exposing RDP to the Internet is bad, even when that RDP leads only to a jump server in a DMZ: in that case attackers can go after other users of the jump server and start attacking the DMZ from the inside. In our experience, getting from the DMZ into the corporate network is not that hard: obtain the password of a local or domain admin (and the same passwords are often reused) and you can move deeper into the corporate network.

Even if your server is fully patched and you believe there are no exploits for RDP, several attack vectors remain:

  1. Password guessing (and attackers do not have to guess many passwords for one account; they can try one password against many accounts, the so-called password spraying).
  2. Attackers can make life miserable for you by locking accounts out: repeated password guesses trip the account-lockout policy.
  3. Default administrator passwords.
  4. And once more: attacks on RDP itself using public exploits.
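
The first two points above are visible in the failed-logon records of the server that terminates RDP: a sprayer touches many accounts a few times each, while a brute-forcer hammers one account. The detection below is an added example, not code from the original post; it works over a constructed, simplified rendering of Windows Security event 4625 fields (time, target account, source IP), and assumes you would feed it the same fields exported from Get-WinEvent or a SIEM. The thresholds are assumptions to tune to your own lockout policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records: (time, target account, source IP).
# 203.0.113.10 tries one password across many accounts (spraying),
# 198.51.100.7 hammers a single account (brute force),
# 192.0.2.5 is a user who mistyped their password twice.
SAMPLE_4625 = [
    ("2020-03-20T09:00:01", "alice", "203.0.113.10"),
    ("2020-03-20T09:00:02", "bob", "203.0.113.10"),
    ("2020-03-20T09:00:03", "carol", "203.0.113.10"),
    ("2020-03-20T09:00:04", "dave", "203.0.113.10"),
    ("2020-03-20T09:00:05", "erin", "203.0.113.10"),
    ("2020-03-20T09:00:06", "frank", "203.0.113.10"),
    ("2020-03-20T09:00:07", "grace", "203.0.113.10"),
    ("2020-03-20T09:00:08", "heidi", "203.0.113.10"),
] + [
    (f"2020-03-20T09:01:{i:02d}", "administrator", "198.51.100.7") for i in range(12)
] + [
    ("2020-03-20T09:05:00", "alice", "192.0.2.5"),
    ("2020-03-20T09:05:20", "alice", "192.0.2.5"),
]

WINDOW = timedelta(minutes=10)       # assumed analysis window per source
SPRAY_MIN_ACCOUNTS = 5               # distinct accounts hit from one source
MAX_PER_ACCOUNT_FOR_SPRAY = 3        # sprayers stay under the lockout threshold
BRUTE_MIN_ATTEMPTS = 10              # failures against one account from one source


def parse(record):
    """Normalise one record into (datetime, lowercase account, source ip)."""
    t, user, ip = record
    return datetime.fromisoformat(t), user.lower(), ip


def classify_sources(records, window=WINDOW):
    """Return {source_ip: {"verdict", "accounts", "failures", "most_hit_account"}}.

    For each source IP keep only the failures within `window` of its latest
    failure, then look at how those failures are spread across accounts:
    many accounts with few hits each is a spray, one account with many hits
    is brute force, anything else is treated as benign noise.
    """
    per_source = defaultdict(list)
    for t, user, ip in sorted(map(parse, records)):
        per_source[ip].append((t, user))

    result = {}
    for ip, events in per_source.items():
        latest = events[-1][0]
        recent = [(t, u) for t, u in events if latest - t <= window]
        per_account = defaultdict(int)
        for _, u in recent:
            per_account[u] += 1
        accounts = len(per_account)
        most_hit = max(per_account.values())
        if accounts >= SPRAY_MIN_ACCOUNTS and most_hit <= MAX_PER_ACCOUNT_FOR_SPRAY:
            verdict = "password-spray"
        elif most_hit >= BRUTE_MIN_ATTEMPTS:
            verdict = "brute-force"
        else:
            verdict = "benign"
        result[ip] = {"verdict": verdict, "accounts": accounts,
                      "failures": len(recent), "most_hit_account": most_hit}
    return result


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_4625).items():
        print(f"{ip:15} {info['verdict']:15} accounts={info['accounts']} "
              f"failures={info['failures']}")
```

The point of keying on the source rather than on the account is that a spray never trips a per-account lockout threshold, so per-account alerting misses it entirely; counting distinct target accounts per source is what makes it visible.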

A better option is Remote Desktop Gateway (RDG), so that RDP itself is not exposed. Remember, though, that two critical vulnerabilities were found in it at the start of the year (CVE-2020-0609 and CVE-2020-0610) and your servers need to be updated; this is always worth doing, not only when critical vulnerabilities are published.

An even better option is VPN + RDG, plus 2FA for all services. That removes the problem of having RDG on the external perimeter: it is reachable only through the VPN, which makes it easier to track who accesses the RDG. In addition, 2FA helps with the problem of weak passwords: an attacker who has guessed a password but has no second factor still cannot connect to the VPN or the RDG.

Do not forget to update your VPN service either. Just the other day Cisco published an advisory stating that several new attack vectors for the CVE-2018-0101 vulnerability had been found. And although at the time of writing there is no public exploit code yet, given the situation it is worth updating your devices.

Some use VDI systems for remote access (Citrix and VMware, for example), and these have problems too: from the ability to guess passwords and then reach the desktop or application, to attacks on unpatched systems and default accounts and passwords that were never changed.

If an attacker has gained access inside the VDI, the next step can be the so-called breakout from application mode: when keyboard shortcuts are not properly restricted, one can escape the published application into the OS and then use the command line to attack the OS and its users.

It is not only remote-access systems that can be attacked but other corporate applications as well. For example, many now expose OWA on the external perimeter so employees can read mail, or open up Jira for task tracking, forgetting about the possible attacks on these applications.

Any web application can be attacked and used as a foothold for further attacks. Where possible, put them behind the VPN, or at least apply basic security measures such as patching and throttling repeated password-reset and login requests.

Attackers can go after applications as follows:

  1. Exploit vulnerabilities in the services themselves (for example, CVE-2019-11581 was found in Jira last year, and during pentest projects we repeatedly came across vulnerable servers).
  2. Guess passwords or account names.
  3. Take advantage of default accounts that are still enabled and whose passwords have never been changed.
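
"Throttling repeated login requests" is easy to get wrong: a plain per-account lockout is exactly what the lockout-as-a-weapon point in the RDP list above exploits, and it does nothing against a spray that tries each account once. The class below is an added example, not code from the original post or from any product named here; it throttles by source IP and by account with short cooldowns instead of a hard lockout. Timestamps are passed in as plain seconds and the limits are assumptions to tune to your environment; the scenario function uses constructed attacker and account names.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Throttle failed logins per source IP and per account.

    Two sliding-window budgets:
      * source budget: `source_limit` failures within `window` seconds from one
        IP puts that IP into a `cooldown`; this is what stops a spray, which
        touches many accounts once each.
      * account budget: `account_limit` failures within `window` against one
        account puts that account into the same short cooldown rather than a
        hard lockout, so deliberate bad guesses cannot lock a user out for good.
    """

    def __init__(self, window=600, source_limit=20, account_limit=5, cooldown=300):
        self.window = window
        self.source_limit = source_limit
        self.account_limit = account_limit
        self.cooldown = cooldown
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._cooldown_until = {}             # key -> time until which attempts are refused

    @staticmethod
    def _keys(source_ip, account):
        return ("src", source_ip), ("acct", account.lower())

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def allowed(self, source_ip, account, now):
        """May this attempt reach password verification at all?"""
        return all(self._cooldown_until.get(k, 0) <= now
                   for k in self._keys(source_ip, account))

    def record_failure(self, source_ip, account, now):
        src_key, acct_key = self._keys(source_ip, account)
        for key, limit in ((src_key, self.source_limit), (acct_key, self.account_limit)):
            self._failures[key].append(now)
            if self._recent_failures(key, now) >= limit:
                self._cooldown_until[key] = now + self.cooldown
                self._failures[key].clear()

    def record_success(self, source_ip, account, now):
        # A correct password resets the account's failure history; the source's
        # history is kept so a spray that scores one hit is still cut off.
        self._failures.pop(("acct", account.lower()), None)


def spray_scenario(throttle, attacker_ip="203.0.113.10", n_accounts=25, start=0):
    """Constructed scenario: one password tried once against n_accounts accounts,
    one attempt per second. Returns (attempts that reached verification, refused)."""
    reached = refused = 0
    for i in range(n_accounts):
        now = start + i
        user = f"user{i:02d}"
        if throttle.allowed(attacker_ip, user, now):
            reached += 1
            throttle.record_failure(attacker_ip, user, now)
        else:
            refused += 1
    return reached, refused


if __name__ == "__main__":
    t = LoginThrottle()
    print("spray reached/refused:", spray_scenario(t))
    print("another user from another IP still allowed:", t.allowed("192.0.2.5", "user00", 30))
```

With the default limits the spray is cut off after twenty accounts, and a legitimate user of one of those accounts, coming from a different address, is not affected at all; a brute-force run against a single account earns that account a five-minute cooldown that expires on its own. This is a per-application measure only; it complements the VPN, RDG and 2FA layers described earlier rather than replacing them.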

Of course, employees are a weak link: they can be phished, and their devices then used to get into the organization's internal perimeter. And while antivirus is most likely installed on work laptops, there is no such certainty about personal devices; they may well already be infected.

For these reasons, when people work from home, additional measures are needed to raise their security awareness: run extra training through courses or webinars, send out newsletters with warnings, and talk about new kinds of phishing.

For example, here is our guide for employees on how to work remotely and stay safe.
