Attackers can exploit default credentials to escalate privileges within systems, endangering sensitive assets.

Internal Network Penetration Testing is typically done by organizations for compliance reasons, either for HIPAA or for PCI DSS compliance. But regardless of why most companies invest in it, it is an essential part of ensuring that your security controls are being managed effectively and that your sensitive data is protected.

HALOCK Security Labs’ Internal Network service addresses what happens if/when the external perimeter is breached.

One example of such an engagement was performed for a client in the healthcare industry. In this scenario, HALOCK Security Labs manually reviewed open ports and services on a web server that was observed to be running a digital signage application used by the hospital to display various information, such as partial patient names and current wait times. This application used vendor-default credentials for the “admin” account, which led to detailed application logs that revealed user credentials. These credentials were being insecurely passed as part of a URL query string. This subsequently led to the team escalating privileges on the domain, where Domain Administrator access was achieved.

All HALOCK Security Labs penetration tests are performed with consent in controlled environments.

How did this exploit work?

During testing, HALOCK manually reviewed open ports and services on targeted hosts. A web server was running a digital signage application used to display various information, such as partial patient names and current wait times. While the application did require authentication to access, it was configured to accept the well-known vendor default administrator account. This led to HALOCK gaining privileged access to the application where configuration and logging data could be reviewed.

While reviewing the application logs, HALOCK found that sensitive data (namely, user credentials) was being insecurely passed as part of a URL query string and recorded in the application log entries. The observed credentials were found to be valid domain account credentials, which provided HALOCK with authenticated user-level access to the domain. This particular user account was subsequently observed to have local administrator access on several workstations and servers. This local privileged access was abused to laterally move to one of the affected servers using the obtained account.
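The log finding above (credentials written into application logs because they travelled in a URL query string) is something a defender can check for directly. The following is an added example, not HALOCK's tooling or the signage vendor's code: it scans constructed log lines, flags any request whose query string carries a parameter name that typically holds a secret, and shows the redacted form the application should have logged instead. The sensitive parameter list and log format are assumptions; adjust them to the application under review.

```python
"""Detect and redact credentials leaked through URL query strings in
application logs (added example; log lines below are constructed)."""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names that commonly carry secrets (assumption: extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token",
                  "api_key", "apikey"}

# Constructed sample log lines; not taken from the engagement.
SAMPLE_LOG = """\
2023-05-01 08:12:03 INFO GET /signage/status?screen=lobby HTTP/1.1 200
2023-05-01 08:12:09 INFO POST /signage/login?user=jdoe&password=Winter2023! HTTP/1.1 302
2023-05-01 08:13:44 INFO GET /signage/api?apikey=abc123&screen=er HTTP/1.1 200
"""

# Assumed log format: "<method> <url>" somewhere on the line.
URL_RE = re.compile(r"(?P<method>GET|POST|PUT|DELETE)\s+(?P<url>\S+)")


def redact_url(url: str) -> tuple[str, list[str]]:
    """Return (redacted_url, names_of_leaked_params). Values of parameters
    whose name is in SENSITIVE_KEYS are replaced with the literal REDACTED."""
    parts = urlsplit(url)
    leaked, cleaned = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            leaked.append(key)
            cleaned.append((key, "REDACTED"))
        else:
            cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request URL carries a sensitive
    query parameter, including the line as it should have been logged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_RE.search(line)
        if not m:
            continue
        redacted, leaked = redact_url(m.group("url"))
        if leaked:
            findings.append({"line": lineno, "params": leaked,
                             "redacted": line.replace(m.group("url"), redacted)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: leaked {f['params']} -> {f['redacted']}")
```

Any hit is a finding on its own (the secret is already on disk and in whatever collects the logs); the fix is to move credentials out of the query string and to apply the same redaction at the logging layer.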

When the new server was accessed, HALOCK discovered that it was running Endpoint Detection & Response (EDR) software. By abusing local administrator access, HALOCK determined there were misconfigurations in the EDR software and temporarily disabled it. With the EDR software temporarily disabled, credential material was extracted from the Windows LSASS process memory which revealed a Domain Administrator user password hash.

Using a pass-the-hash attack (PtH) with the obtained Domain Administrator account, HALOCK gained widespread privileged access to workstations and servers within the domain. This method bypasses standard authentication steps and system access controls using stolen password hashes. In this engagement, it resulted in extracting all domain account password hashes from the Domain Controller as well as accessing numerous network shares where insecurely stored Electronic Protected Health Information (ePHI) was discovered.

ePHI is defined in the HIPAA regulation as any protected health information that is created, stored, transmitted, or received in any electronic format or media.

What did we learn, and how can this type of exploitation be prevented?

This exploit chain began with vendor default credentials on a simple digital signage application and ended with the attacker having unfettered, privileged access on the network. Had this been an actual compromise in the real world, it would have resulted in the loss of thousands of records of sensitive patient data (ePHI), the disabling of endpoint protection software, and the installation of ransomware. Effectively, it could have shut down hospital operations for an indeterminate amount of time.

Preventing this kind of exploitation requires a multi-pronged approach. First, vendor default credentials should be changed immediately, and strong, unique passwords should be used. Second, domain accounts should be reviewed for excessive permissions and should adhere to the principle of least privilege. Finally, web application assessments should be performed to identify application misconfigurations and vulnerabilities, such as the ones exploited by HALOCK during this assessment. It only takes one compromised machine or application to potentially expose and infect an entire network.

Aaron – Network Security Testing