Red Teaming

We performed a Red Team Assessment for a bank, which aimed to recreate realistic attack scenarios in order to gain undetected access to the internal network without the company or the internal Blue Team detecting the attack.

To accomplish this, the first step was to search for information about the company using  freely available sources (OSINT). As no valid passwords or vulnerable systems could be identified, the next step was to send phishing emails to selected employees. The company was well prepared, as one phishing email was recognized and reported immediately. Another phishing email was not recognized and the payload was basically executed by the employee, but the code execution was blocked. Employees on the systems were not allowed to execute new programs, therefore the attack was mitigated.

For further analysis of the internal servers, internal tests were carried out from a notebook provided by the company. This revealed several vulnerabilities that could have been used to extend rights. The company was again well prepared and the Blue Team responded very quickly to the received alerts. As the company was already well prepared , it was recommended to continuously harden the internal systems and to further strengthen the security awareness among employees.

We conducted a comprehensive red team assessment for a renowned bank, specifically aimed at identifying vulnerabilities related to technical phishing attacks. The goal was to test the bank’s phishing attack surface from the perspective of an employee and identify potential security gaps that could allow attackers to access confidential systems.

Besides other vulnerabilities, one stood out as the most critical: During an internal “assume breach” assessment, we discovered outdated system images on accessible network shares that could be accessed by any domain user. These images contained credentials for an active domain admin account, posing a significant threat to the overall infrastructure.

This assessment highlighted the importance of conducting thorough and ongoing security evaluations. Critical vulnerabilities, such as old accessible system images, along with other identified risks, can provide attackers with access to confidential areas of the IT infrastructure and cause significant damage. Identifying and addressing such vulnerabilities early is crucial to ensuring the long-term security of IT systems.

A database management system for buildings was examined for vulnerabilities for a large software company. A red team approach was used, therefore the blue team was not informed about a check being carried out. The starting point for the test scenario was a stolen notebook.

Several vulnerabilities were identified during the test. Access data was transmitted via an unencrypted connection to a higher port. The applications running on the system were written in JAVA and were susceptible to deserialization vulnerabilities, which can lead to code execution. After consultation with the customer, the execution of code was  refrained,  as it would have affected  a production system. Cross-site scripting vulnerabilities, outdated software and privilege escalation vulnerabilities were also identified. The actions of the testers did not cause any alarms, therefore their actions were (unfortunately) omitted from the blue team.

It was recommended to only use encrypted connections, apply patches to mitigate deserialization vulnerabilities and software updates, clean up and encode any user input, and further harden the system. In addition, it was recommended to sharpen the alerting and detection on the notebooks.