Common vulnerabilities uncovered in network security testing

Whether they are SMBs, large enterprises, or government entities, Australian organisations rely on networks to maintain operations and serve customers. This reliance has also created ample opportunities for both experienced and opportunistic threat actors to steal data and disrupt the businesses we all depend on. In FY2023, the Australian Signals Directorate (ASD) responded to 143 cybersecurity incidents reported by organisations that self-identified as critical infrastructure.

Network security testing aims to prevent attacks on organisations by testing for and identifying key vulnerabilities before a threat actor does. In the following sections, we cover the specific vulnerabilities we see and target in our testing process, and their impact on your organisation if they are left undiscovered.

Source: ASD.

Certificate-based attacks

Certificate-based attacks occur when threat actors exploit weaknesses in digital certificate management. These attacks often involve forging, fraudulently requesting or compromising certificates to gain unauthorised access or intercept secure communications. Countering these threats requires effective mitigation strategies. One key step is enabling Extended Protection for Authentication (EPA), which binds the authentication exchange to the underlying TLS channel so that credentials relayed by an attacker cannot be replayed against certificate services. Applying the rule of least privilege to certificate templates and enrolment permissions ensures that only authorised users can request or modify certificates. Requiring SSL/TLS on certificate web interfaces also lowers the attack surface for certificate attacks.

Contiguous environments

Contiguous environments refer to staging and test environments that are integrated into the corporate network rather than isolated from it. These less secure test environments often prioritise ease of access, which provides an easier pathway into the network. A foothold there can be leveraged to elevate privileges within the test environment, perform reconnaissance on the technology in use, and potentially jump into the production environment with higher-level privileges. Securing these environments requires isolating them from production, with strict access controls that apply the rule of least privilege. It is also best practice to use dummy or non-sensitive data, avoid credentials shared between test and production, apply regular updates, and carefully manage domain trust settings so that a test domain cannot be used as a stepping stone.

No access control when sharing files

Leaving file access ungoverned can make sensitive information easily accessible and create security risks for your organisation. Commonly unprotected data includes passwords, private (RSA) keys, certificate files, and confidential personal or business information. This issue often arises during file migrations or technology upgrades, when securing the transferred data is overlooked and the new location inherits overly broad permissions.

Microsoft System Center Configuration Manager (SCCM)

SCCM (since renamed Microsoft Configuration Manager) is a long-standing service for managing and deploying applications and devices across enterprise networks. Common issues in SCCM deployments include weaknesses in the Preboot Execution Environment (PXE) boot process and in how credentials are stored. These weaknesses allow attackers to masquerade as legitimate network entities or recover stored credentials, leading to unauthorised network access or privilege escalation. Publicly available tools such as PXEThief and SharpSCCM automate these techniques. Preventing these threats requires keeping SCCM up to date, enforcing strict access controls, monitoring network activity for unusual patterns, securing the PXE boot process (including password-protecting boot media), and diligently managing stored credentials.

Group Policy Object (GPO) modification

Group Policy Objects (GPOs) are used to control users and computers in an Active Directory environment. While rare, they become vulnerable when overly permissive write permissions are granted on them. Threat actors can exploit this to add backdoor accounts to machines, deploy their own malicious code, or perform other attacks that grant extensive control over network resources, because a GPO's settings are applied to every user or computer it is linked to. Tools like SharpGPOAbuse specifically target these misconfigurations, allowing attackers to write to GPOs they should not be able to modify. To mitigate these risks, your organisation must regularly audit and review GPO permissions to apply the rule of least privilege, monitor for anomalous changes, and use advanced security measures to detect and prevent unauthorised GPO modifications.
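The audit step described above can be automated with the GroupPolicy module that ships with the Remote Server Administration Tools. The script below is an added example, not code from the original article or from any tool it names; it lists every GPO where a trustee outside an assumed set of expected administrators holds edit rights, which is exactly the condition a GPO-abuse tool looks for.

```powershell
# Added example: report GPO ACL entries that grant edit rights to
# unexpected trustees. Requires the GroupPolicy module (RSAT) and a
# domain-joined account that can read GPO security descriptors.
Import-Module GroupPolicy

# Trustees that are expected to hold edit rights on GPOs in this domain.
# This list is an assumption for the example; tailor it to your environment.
$ExpectedEditors = @(
    'Domain Admins',
    'Enterprise Admins',
    'SYSTEM'
)

# Permission levels that allow changing a GPO's settings or its ACL.
# GpoCustom means the ACL does not match a standard level and needs review.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurityOptions', 'GpoCustom')

$Findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $ace.Permission.ToString()
        if ($EditLevels -contains $level -and
            $ExpectedEditors -notcontains $ace.Trustee.Name) {
            [pscustomobject]@{
                GPO         = $gpo.DisplayName
                Trustee     = $ace.Trustee.Name
                TrusteeType = $ace.Trustee.SidType   # User, Group, Computer...
                Permission  = $level
                Inherited   = $ace.Inherited
                Modified    = $gpo.ModificationTime  # recent edits stand out
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object GPO, Trustee | Format-Table -AutoSize
} else {
    Write-Output 'No GPO edit rights held outside the expected trustee set.'
}
```

Run it from a management host after each change window and diff the output against the previous run; a new trustee appearing with GpoEdit is the signal worth investigating.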

Vulnerabilities in Layer 2 and 3 switches

While Layer 2 (Data Link Layer) and Layer 3 (Network Layer) switches are essential for data transfer and routing, threat actors can exploit them using techniques such as MAC and IP spoofing, ARP spoofing, VLAN hopping, and routing attacks. These weaknesses can lead to serious security breaches, including reaching normally inaccessible networks, data interception, network downtime, and unauthorised access, compromising the integrity and confidentiality of the network. Securing these devices requires disabling unneeded protocols such as DTP (whose trunk negotiation on access ports is one enabler of VLAN hopping), correctly configuring the switch's own protection features, and continuous monitoring.

Conclusion

We focus on several key vulnerabilities when testing network security, from certificate-based attacks to GPO modification. With the right partner, preventing these threats does not have to be complex; we emphasise continuous monitoring, regular updates, strict access controls, and proactive management. By implementing these measures, your organisation can improve network security and integrity, protect sensitive data, and establish robust defences against potential cyber threats.

Mercury can complete network security testing for your organisation

Is it time to test your network's security? As a leading Australian cybersecurity provider, we specialise in uncovering vulnerabilities and strengthening your network's defences. We identify vulnerabilities in your network and applications and help you put comprehensive protection in place against potential cyber threats. Visit our Quality Assurance Services page for the full breadth of our capabilities.