Living on the Edge: An Adversary Playground
In the world of cybersecurity, living on the edge isn’t about adrenaline-fueled stunts or hair-raising exploits—it’s about grappling with the precarious perimeters of your network. In this digital era, the edges of our networks are no longer just boundaries; they’re bustling gateways, where the battle between data protection and infiltration is fiercest. From routers to VPNs, firewalls to mail servers—these components are not merely infrastructure; they’re the front lines. And if you think "default passwords" are obsolete, think again. You're in for some "I can’t believe they still use 'admin123'" moments that will make your head spin.
Project Scope
ApolloSec’s Mission: Turning Cyber Fortification from Fiction to Fact
At Apollo, we take a holistic view of cybersecurity, which means no stone goes unturned, no digital nook unscrutinised. Our project encompasses the entirety of the business, not just a snapshot, but a comprehensive battle against potential breaches. From subdomain enumeration to deep dives into infrastructure, we pull back the curtain on how easy—or daunting—the path to unauthorised access can be.
Living on the edge in cybersecurity terms means fortifying these outermost layers—routers, VPNs, firewalls, and mail servers—that serve as the first line of defense. While many envision cyberattacks as swift and devastating, like ransomware encrypting an entire company’s data in one fell swoop, the reality is often more gradual. Adversaries typically need to first breach the network’s perimeter. Once inside, they can establish a foothold on edge appliances, allowing them to 'live off the land' and remain undetected for extended periods. This initial intrusion through the edge is critical as it sets the stage for deeper network penetration and more severe compromise.
Our engagements dive deep, exploring each vulnerability, from exposed services on port scans to the careless mishaps of leaving a company Trello board wide open. Yes, you heard right—sometimes, the key to a company’s digital kingdom is hidden in plain sight on a sticky note in a Trello comment.
Emphasising Real-World Applications
Our approach isn’t about hypothetical threats; it's rooted in real-world tactics that adversaries use to breach defences. Through the engagement scenario described here (to protect client confidentiality we’ll use a fictitious name - let’s call them "EdgeCorp"), we demonstrate the attack paths that could have led to serious breaches.
The Attack Path: How We Exploit the Edge
Diving Into the Depths of Digital Perimeters
Attack Paths Taken
The digital foray into EdgeCorp's network began with subdomain enumeration and port scanning, a critical first step in understanding the organisation's attack surface and the extent of potential exposures. These initial scans were essential for setting the stage for deeper investigation - as you can't test what you don't know.
The majority of the organisation's attack surface consists of applications, so we began by testing for the OWASP Top 10 vulnerability classes to see whether any critical finding could be the key to entry. This led to some interesting findings, from XSS to an SQL injection in a map feature. Although these are high-risk findings that should not be underestimated, none provided the breakthrough needed for initial access.
Returning to our reconnaissance efforts, our Google dorks unearthed a publicly accessible company Trello board. After crawling through boards, we found a link within the comments to an employee's public GitHub. It turned out this repository was used for testing internal infrastructure and included access keys for a now-obsolete AWS service. When it comes to cloud red teaming, these findings are crucial for the initial compromise and subsequent stages of an attack. In the context of cloud-based environments, access ‘tokens’ or ‘keys’ are pivotal for allowing attackers to interact with the internal estate.
inurl:https://trello.com AND intext:[company_name]
Employee Github found in Trello comment.
Access Key disclosed in public Git repository.
Despite the initial excitement, these keys turned out to be expired—a digital anticlimax indeed. However, this discovery directed us towards an S3 bucket where we were able to extract some sensitive files (more on this in the 'Road Less Travelled').
Despite these findings, the true essence of "Living on the Edge" remained out of reach until we circled back to our initial scans. We revisited our vulnerability scans, refined by our custom YAML scripts and EPSS (Exploit Prediction Scoring System), which filtered the findings to highlight exploitable vulnerabilities. Among the usual suspects of trivial bugs, two vulnerabilities stood out: CVE-2023-46805 and CVE-2021-40438.
CVE-2023-46805: An authentication bypass vulnerability in Ivanti Connect Secure allows remote attackers to access restricted resources by bypassing control checks. CVSS Score: 8.2 (High)
CVE-2021-40438: An HTTP request smuggling vulnerability in Apache HTTP Server 2.4.48 allows attackers to bypass access controls and forward requests to back-end servers. CVSS Score: 7.5 (High)
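The EPSS-filtered triage described above, as an added illustration that is not part of the original post or of ApolloSec's tooling: scanner findings are kept only when both the EPSS probability and the CVSS score clear a threshold, ranked by EPSS, and any finding without an EPSS score is reported separately so it is not silently dropped. The host names, the two CVE-EXAMPLE identifiers and all EPSS values are constructed placeholders (the two real CVE numbers and their CVSS scores are the ones quoted above).

```python
"""Prioritise vulnerability-scan findings by EPSS probability and CVSS severity.

Added example: the filtering logic is an illustration, not the custom YAML
scripts mentioned in the post. EPSS values below are constructed placeholders,
not the real daily figures published by FIRST.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float


# Constructed sample findings. Hosts use the reserved .test TLD.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-2023-46805", "vpn.example.test", 8.2),    # Ivanti Connect Secure
    Finding("CVE-2021-40438", "www.example.test", 7.5),    # Apache HTTP Server
    Finding("CVE-EXAMPLE-0001", "www.example.test", 9.8),  # placeholder: severe on paper, rarely exploited
    Finding("CVE-EXAMPLE-0002", "mail.example.test", 5.3), # placeholder: no EPSS score available
]

# Constructed EPSS probabilities (0.0 to 1.0), keyed by CVE id.
SAMPLE_EPSS: Dict[str, float] = {
    "CVE-2023-46805": 0.96,
    "CVE-2021-40438": 0.93,
    "CVE-EXAMPLE-0001": 0.004,
}


def prioritise(findings: List[Finding], epss: Dict[str, float],
               epss_threshold: float = 0.1,
               cvss_threshold: float = 7.0) -> List[Tuple[Finding, float]]:
    """Return findings that clear both thresholds, highest EPSS first.

    A finding with no EPSS entry is excluded here; see unscored() so that
    such findings still get a human look rather than disappearing.
    """
    ranked = []
    for f in findings:
        score: Optional[float] = epss.get(f.cve)
        if score is None:
            continue
        if score >= epss_threshold and f.cvss >= cvss_threshold:
            ranked.append((f, score))
    # Sort by EPSS, then CVSS, descending.
    ranked.sort(key=lambda pair: (pair[1], pair[0].cvss), reverse=True)
    return ranked


def unscored(findings: List[Finding], epss: Dict[str, float]) -> List[str]:
    """CVE ids present in the scan but missing from the EPSS feed."""
    return sorted({f.cve for f in findings if f.cve not in epss})


if __name__ == "__main__":
    for f, p in prioritise(SAMPLE_FINDINGS, SAMPLE_EPSS):
        print(f"{f.cve:18} {f.host:20} CVSS {f.cvss:4.1f}  EPSS {p:.3f}")
    print("no EPSS score:", unscored(SAMPLE_FINDINGS, SAMPLE_EPSS))
```

In a real pipeline the `SAMPLE_EPSS` dictionary would be populated from the FIRST EPSS data feed rather than hard-coded; the point of the two-threshold filter is that a 9.8 CVSS with negligible exploitation probability drops below a 7.5 that is being exploited in the wild, which is exactly what surfaced the two CVEs on this engagement.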
An Ivanti VPN server had not been patched against CVE-2023-46805, and an Apache server was still vulnerable to CVE-2021-40438. PoCs were just a Google search away—two clicks, and we were set to test our mettle against these vulnerabilities.
The Apache SSRF exploit attempt was unsuccessful, thwarted by robust server configurations that left us somewhat deflated. However, persistence pays off. After tweaking the PoC for the VPN, we achieved a breakthrough. We were not just peeking into admin users or infrastructure; we had created a local user account and secured our digital foothold. Here’s the sample command used during early-stage testing to confirm the host was vulnerable.
$ curl -ik --path-as-is https://target/api/v1/totp/user-backup-code/../../system/system-information
{"software-inventory":{"software":{"build":"1644","name":"IVE-OS","type":"operating-system","version":"22.3R1"}},"system-information":{"hardware-model":"ISA-V","host-name":"UKWest1","machine-id":"REDACTED","os-name":"ive-W1","os-version":"22.3R1","serial-number":"REDACTED"}}
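From the defender's side, the request shown above is an easy thing to alert on: a `..` segment has no legitimate business inside that REST path, so any request that resolves outside it is worth an alert, especially when the server answered 200. The detector below is an added example, not code from the original post or from Ivanti; the access-log lines are constructed in generic combined log format (the appliance's own log layout is assumed to differ and would need its own parser), and the client addresses are documentation ranges.

```python
"""Flag path-traversal requests against the Ivanti REST endpoint in web access logs.

Added example. Log lines are constructed samples in combined log format;
the real appliance log format is not assumed here.
"""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# The endpoint prefix from the check shown above; traversal out of it is the indicator.
AFFECTED_PREFIX = "/api/v1/totp/user-backup-code/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (combined log format, .test hosts, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:09:14:02 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Jan/2024:09:14:05 +0000] "GET /api/v1/totp/user-backup-code/%2e%2e/%2e%2e/system/system-information HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.20 - - [10/Jan/2024:09:15:11 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Jan/2024:09:16:30 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 3020 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_escape(raw_path: str) -> Optional[str]:
    """Return the resolved path if the request escapes AFFECTED_PREFIX via '..', else None.

    The path is percent-decoded twice so that encoded ('%2e') and double-encoded
    dots are compared in the same form as literal ones. The query string is ignored.
    """
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    if not decoded.startswith(AFFECTED_PREFIX):
        return None
    if "/../" not in decoded and not decoded.endswith("/.."):
        return None
    resolved = posixpath.normpath(decoded)
    # Still inside the endpoint after normalisation: not an escape.
    if resolved.startswith(AFFECTED_PREFIX.rstrip("/")):
        return None
    return resolved


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run the traversal check over log lines and return one alert per offending request."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        resolved = traversal_escape(rec["path"])
        if resolved is not None:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "raw": rec["path"],
                "resolved": resolved,
                "status": int(rec["status"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["ip"]} -> {a["resolved"]} (HTTP {a["status"]})')
```

The normalised path is what makes the alert actionable: it tells the responder which resource the traversal actually reached, and a 200 status on that resolved path is the cue that the bypass worked rather than merely being attempted.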
This moment wasn't just about gaining access; it was a testament to the importance of continuous vigilance on the often-overlooked peripheries of our digital domains.
The Road Less Travelled – But Equally Informative
While our main entry exploited the outdated VPN, our curiosity didn’t stop at the front door. We ventured down other paths, examining exposed cloud buckets brimming with sensitive documents.
Client contracts exposed via public bucket.
Sure, these didn’t grant us initial access, but they painted a vivid picture of potential data breach nightmares. And let’s not forget the invalid AWS tokens found in another employee's GitHub—a ticking time bomb just waiting for a refresh.
Amidst these explorations, we even attempted to brute-force the fortified RDP service. No dice this time—the default passwords had been updated (a round of applause for EdgeCorp's IT team!). But it’s a stark reminder: if your RDP is like a castle gate, your credentials are the guards. Equip them well, and even the craftiest of cyber thieves might think twice.
Closing Remarks
Reflections and Revelations: Securing the Digital Kingdom
As we wrap up our tale of digital conquest and cunning, it’s clear that securing modern networks is more akin to guarding a dynamic, sprawling empire than a static fortress. Our journey with EdgeCorp illustrates the necessity of vigilant, proactive security practices in a landscape where attackers are ever-persistent and increasingly sophisticated.
Threat actors are now reallocating significant resources to target and exploit emerging network edge environments, such as remote workers and the cloud, shifting away from solely focusing on the core network. Securing these new environments, including new technologies and converging systems, presents unique challenges. For instance, the widespread transition to remote work has not only multiplied the number of end-users and devices connecting remotely to networks but also expanded the attack surface in ways that are not always apparent. These peripheral areas of our digital domains are becoming hotbeds for innovative cyberattacks, requiring equally innovative defenses.
This shift underscores the importance of evolving our security strategies to protect not just the traditional perimeters but also these increasingly utilised edge environments. By strengthening our understanding and oversight of these frontier zones, we not only protect individual points of entry but fortify our entire digital kingdom against the sophisticated threats of today and tomorrow.
A Final Thought: Security isn't just about putting up walls; it's about understanding every nook, cranny, and shadow of your digital domain. By focusing on strengthening your credentials and monitoring your perimeters, you not only protect your network but transform it into a resilient stronghold.
At ApolloSec, we believe in not just defending but dominating the cybersecurity landscape. Follow our journey, adopt our strategies, and together, let’s turn cybersecurity from a battle to a victory parade. Get in touch to discuss how we can help!
Disclaimer: Most demonstrations were recreated using my own accounts and client details have been redacted for confidentiality.