Raxis performs breach attack simulation for companies around the globe. When performing internal network tests, Raxis achieves full network administrative-level access without detection over 85% of the time, usually inside a very limited time window.
You might wonder, why is this important? Add social engineering to the mix, and it becomes clear that attackers can gain internal network access more easily than you may expect.
When Raxis performs full-scale attack simulations, we gain access to internal networks nearly 100% of the time. This article highlights some of the ways that we do that.
In one engagement, Raxis was hired to gain access to a high-security financial institution. While surveilling the building, our team discovered several potentially exploitable vulnerabilities, including standard proximity badges required for access to the premises. Our team took up position near a back door that appeared to be a smoker’s hangout, and, with our weaponized badge reader hidden in a shoulder bag, we waited. As employees walked out to take a break, we simply walked beside them, digitally replicating their cards as we passed. Later we used these replicated cards to gain access to the facility while in view of armed security guards, who did not see anything amiss.
Often when people hear about this attack, they think it is unrealistic and that our team would struggle to replicate it. The reality is that the devices we used can be purchased online for less than $800 and can easily be assembled by anyone with moderate technical skills. With this system, a majority of proximity badge systems can easily be compromised.
In another recent engagement, while surveilling a building, the Raxis team discovered an ADA-compliant entrance door. Because of the accessibility requirement, it had a very slow open and close rate. Raxis was able to monitor this door from afar without drawing any notice from security. As the door opened, our team strolled through without garnering any attention and easily tailgated into the building. Once inside, we used a combination of canned air attacks and door manipulation to quickly gain access into the heart of the facility. We planted small network devices that gave us persistent access to the internal network from outside the facility, as well as cameras and other AV devices that allowed us to monitor activities within the facility using audio and video.
Other common methods we use to gain access to internal networks include standard phishing and vishing attacks as well as wireless attacks.
While maintaining a very safe distance from the target company, the Raxis team uses high-gain antennas to attack existing wireless networks and wireless devices. For instance, manipulating the signal from a vulnerable wireless mouse while sitting in our vehicle is a team favorite. Another choice attack is creating a rogue hotspot that mimics the company’s wireless network, enticing devices to join automatically and sending the wireless key to our system in the process.
The reality is that many companies have a false sense of security because their networks are located inside a locked facility or are even in a virtual private cloud. There are many ways an attacker can gain access to a network to exploit it. Once inside, they can acquire access to sensitive information and cause potential business disruption.
In most cases, once we find ourselves inside a physical location, the Raxis team is rarely challenged. It is not uncommon for our security engineers to simply sit down at an unattended desk and hack the network while staying on premises. This applies to businesses of all sizes and in all verticals.
How hard would it be for someone to walk into your place of business, plug a device into the network, and leave without being noticed? How likely is it that they would be challenged if they walked around looking and acting like they should be there?
Now that you have a better understanding of some of the methods attackers use to access internal networks and physical locations, we encourage you to treat them as high-risk and to implement redundant controls, including employee training, to protect them. It is vital that you not only secure them but also have proper methods in place to test and monitor your internal and wireless networks as well as your physical locations for illicit activity at all times.
Interested in seeing firsthand how we do some of these attacks? Check out our YouTube channel: youtube.com/@raxisone
By Brad Herring, VP Business Development at Raxis