Hackers shoveled snow for company, were rewarded with network admin access

Original link: https://www.theregister.com/security/2026/07/02/hackers-shoveled-snow-for-company-were-rewarded-with-network-admin-access/5265240

In this installment of PWNED, two professional red teamers demonstrated how a physical-security lapse can lead to the compromise of an entire network. Posing as new IT hires and volunteering to help the maintenance crew shovel snow to win their trust, they got into the building and found an unprotected Ethernet port in a conference room. They hid a Raspberry Pi behind trash cans and so obtained remote access to the internal network. Although the intrusion was noticed by maintenance staff and prompted a security investigation, the device went undetected for two weeks. From this initial foothold the testers ran a password-spraying attack and obtained dozens of valid credentials with the weak password "winter2023!". Finally, they exploited Active Directory Certificate Services (ADCS) vulnerabilities to obtain domain administrator privileges.

The incident highlights three key security gaps:

1. **Human factor:** Employees were too trusting and let unauthorized people in on nothing more than an apparent willingness to help.
2. **Network controls:** The conference-room port lacked network access control (NAC), so unauthorized hardware could connect.
3. **Identity security:** A weak password policy and the absence of multi-factor authentication (MFA) let the attackers escalate privileges easily.

Key takeaway: security breaches are rarely as dramatic as in Hollywood films; they usually exploit human kindness and poorly protected infrastructure.

The Register recently published a story about several people who were granted network administrator access after helping a company shovel snow. The subsequent Hacker News discussion focused on the security weaknesses behind the privilege escalation. Commenters pointed to the company's weak security posture and noted that many accounts used the predictable password "winter2023!" (or minor variants of it). Participants criticized mandatory password-expiry policies, arguing that they push users toward easily guessed seasonal passwords rather than high-entropy alternatives. The thread criticized outdated password policies that prioritize rotation frequency over actual strength.

Original article

Security

Fortunately, they were professional red teamers. Unfortunately, they pwned the network

PWNED Welcome back to PWNED, the column where we document serious security failures in hopes we can all learn from others’ mistakes. This week, we’ll talk about how a lack of physical security can allow threat actors to take control of your network.

Have a story about someone leaving a gaping hole in their network? Share it with us at [email protected]. Anonymity is available upon request.

Our story comes to us from two professional red teamers, who get paid to break into offices and networks in order to find holes in the security system. Kristopher Johnson was working as an offensive security consultant at Echelon Risk + Cyber in 2023 and his manager was Dahvid Schloss. We spoke to both.

Johnson and another employee named Michael were called upon to challenge the security at a client’s office while Schloss supervised remotely. It was winter and the maintenance crew had the maintenance door open. They walked through it and into the mail room, where a woman confronted them and asked what they were doing there.

The two intrepid testers talked to the company maintenance crew and told them that they were new IT employees without working badges. They said that they had almost slipped on the ice and offered to help shovel, an offer the maintenance team was happy to take them up on.

While Michael kindly helped the maintenance crew shovel snow, Johnson asked if the maintenance folks could let him in so he could go upstairs and start setting up Michael’s laptop for work. They let him in where he was free to explore the building as his partner brushed away a large section of ice and snow.

Inside the building, Johnson looked for a place to plug in his Raspberry Pi. The idea was to connect this single-board computer to the network, where they could access it remotely and use it to attack the network from afar. He tried plugging his Raspberry Pi into an Ethernet port in the AV closet, but the company had network access control enabled, which prevented it from connecting. The Raspberry Pi had an LTE radio, but it couldn’t connect from the closet either.

So Johnson instead moved his Raspberry Pi into the middle of the conference room and found an active network port that didn't have network access control enabled on it. However, he realized the Pi would be visible to anyone who entered the conference room, and they might find it suspicious. So he took some trash cans and used them to hide the device.

Johnson had a hard time getting out of the building after that. He tried to go out the front door, but it required him to swipe a badge he didn’t have and strangers would not swipe their badges for him. But when he went back through the maintenance entrance, they were more than happy to swipe him out. He waited in the car while Michael finished his shoveling assignment.

The next day, Johnson found out that his security breach had been detected. When he and Michael came in to meet with their contact at the company, the head of security confronted them. They had been “caught” because someone from maintenance went up to the IT department and wanted to thank the IT team for Michael’s help with the shoveling. However, the IT team had no record of new employees named Michael or Kristopher, so that raised suspicion.

Before learning that they were professional red teamers, the building security had been suspicious and had looked at camera footage tracking their movements. They had even tried to get information on the license plate from Johnson’s rental car. However, they never did find the Raspberry Pi, which remained plugged into the Ethernet port in the conference room for two weeks.

During that time, Johnson’s team was able to connect to the company’s Active Directory, find where the domain controllers were, and start password spraying accounts to see if they could gain access. They tried using the password “winter2023!” and got 50 or 60 hits among the employees.
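A spray like the one described above has a signature a defender can alert on: one source producing failed logons for many distinct accounts in a short window, followed by a few successes for the accounts that happened to use the sprayed password. The detection below is an added example for this column, not code from The Register, Echelon or the client; the `ts src=… user=… result=…` log format, the source addresses and usernames are constructed for the demonstration, and the thresholds (five distinct accounts in ten minutes) are assumptions a SOC would tune to its own baseline.

```python
"""Flag password-spray behaviour in authentication logs.

One password against many accounts shows up as many distinct usernames
failing from one source, so the key is counting *users*, not attempts:
a single user mistyping three times must not trigger this rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical one-line-per-logon format).
SAMPLE_LOG = """\
2023-12-04T09:00:01Z src=10.20.30.40 user=alice result=FAIL
2023-12-04T09:00:02Z src=10.20.30.40 user=bob result=FAIL
2023-12-04T09:00:03Z src=10.20.30.40 user=carol result=SUCCESS
2023-12-04T09:00:04Z src=10.20.30.40 user=dave result=FAIL
2023-12-04T09:00:05Z src=10.20.30.40 user=erin result=FAIL
2023-12-04T09:00:06Z src=10.20.30.40 user=frank result=SUCCESS
2023-12-04T09:00:07Z src=10.20.30.40 user=grace result=FAIL
2023-12-04T09:05:00Z src=10.20.30.99 user=heidi result=FAIL
2023-12-04T09:05:30Z src=10.20.30.99 user=heidi result=FAIL
2023-12-04T09:06:00Z src=10.20.30.99 user=heidi result=SUCCESS
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line; return None for malformed input."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    if not {"src", "user", "result"}.issubset(event):
        return None
    return event


def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {src: {"users": [...], "compromised": [...]}} for every source
    that produced failed logons for at least `min_users` distinct accounts
    inside any `window`-long span; "compromised" lists accounts that later
    logged on successfully from the same source (the spray's hits)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAIL"]
        flagged = set()
        start = 0
        # Sliding window over failures, counting distinct usernames.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                flagged |= users
        if flagged:
            first_fail = failures[0]["ts"]
            compromised = sorted({e["user"] for e in evs
                                  if e["result"] == "SUCCESS" and e["ts"] >= first_fail})
            alerts[src] = {"users": sorted(flagged), "compromised": compromised}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(info['users'])} accounts targeted, "
              f"successful logons for {info['compromised']}")
```

Run over the sample, the rule fires for `10.20.30.40` (five distinct accounts failed within seconds, then `carol` and `frank` succeeded) and stays quiet for `10.20.30.99`, where a single user failed twice and then got in. In a real deployment the per-source key should also be tried on workstation name and on the NTLM/Kerberos client identifier, since a device planted inside the building will not come from an unfamiliar external address.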

“So we used those credentials to kind of map out the rest of the network,” Johnson told The Register. “Network shares and things like that and then, towards the end of the test, we enumerated the certificate services - ADCS (Active Directory Certificate Services).”

The red teamers found eight templates that were open to ESC1 and ESC4 vulns. They also found that the certificate authority was vulnerable to ESC8. They were then able to exploit those holes to gain domain administrative access. The janitor found the Raspberry Pi two weeks after they broke in, but by then it was too late.

There are a lot of lessons here, but they start with training every member of the team to be suspicious of people coming from the outside, without badges, no matter what they say or do. Schloss noted that, if someone looks and acts like they belong in a space, most people will treat them that way.

“First and foremost, what most people believe is crime is not crime. It's a Hollywood myth of what crime looks like,” Schloss told us. “I call it the ski mask bias. Everyone assumes you're not getting robbed until a person comes in with a ski mask and a gun yelling.”

The maintenance team at this company should have been more suspicious of people calling themselves new employees and asking for a swipe in, even if they were willing to help shovel snow.

The company also should have restricted network access to the port in the conference room so that an unknown device like a Raspberry Pi could not make an Ethernet connection from that spot. 

Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password. And they should have enforced multi-factor authentication on those accounts as well. ®
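A password policy that only enforces length and rotation still lets "winter2023!" style passwords through, which is exactly what the Hacker News thread summarised above complained about. The check below is an added example of a pre-acceptance filter that normalises a candidate password and rejects the season-or-month-plus-year pattern; it is not the client's filter, a Microsoft password-filter DLL, or any vendor product, and the denylist, the 14-character minimum and the `ORG_TERMS` entries are assumptions an administrator would replace with their own.

```python
"""Reject 'dictionary word + year + punctuation' passwords.

Forced rotation pushes users toward Season+Year+!, so the filter strips
the year and trailing punctuation, undoes common character substitutions,
and compares what is left against a denylist. Hypothetical policy values.
"""
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Hypothetical organisation-specific terms; fill in for your own environment.
ORG_TERMS = {"examplecorp", "welcome", "password", "letmein"}
DENYLIST = SEASONS | MONTHS | ORG_TERMS

# Substitutions that add no real entropy: w1nt3r is still winter.
LEET = str.maketrans({"1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "0": "o", "@": "a", "$": "s"})


def base_word(password):
    """Reduce a candidate to the dictionary word it is built on, if any."""
    s = password.lower()
    s = re.sub(r"(19|20)\d{2}", "", s, count=1)     # drop a four-digit year anywhere
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)          # drop leading/trailing digits and punctuation
    s = s.translate(LEET)                            # undo leet substitutions
    return re.sub(r"[^a-z]", "", s)                  # keep letters only


def check_password(password, min_length=14):
    """Return a list of rejection reasons; an empty list means acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    word = base_word(password)
    if not word:
        reasons.append("contains no letters")
    elif word in DENYLIST:
        reasons.append(f"based on denylisted word '{word}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("winter2023!", "W1nter2023!!!!!", "December24!",
                      "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation is deliberately aggressive: "W1nter2023!!!!!" passes a naive length-plus-complexity rule yet reduces to "winter" and is rejected. This kind of denylist screening, rather than periodic forced changes, is what NIST SP 800-63B recommends for memorised secrets, and it addresses the failure mode of the rotation policy the thread criticised; MFA on the affected accounts remains the control that would have blunted the spray even where a weak password slipped through.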
