Hackmosphere, a cybersecurity firm, released details of a physical penetration test conducted at a furniture store owned by ExCorp.
The test revealed significant vulnerabilities in the company’s physical and network security infrastructure, highlighting the importance of comprehensive security measures beyond digital defenses.
Exploiting Unattended Terminals and USB Vulnerabilities
The penetration testers identified two critical weaknesses in the store’s public-facing computers.
First, sales terminals were often left unlocked and unattended, providing potential attackers with easy access to the company’s internal systems.
Second, the USB ports on these computers were fully functional, allowing the testers to connect a “Rubber Ducky” device that emulated a keyboard and executed malicious code.
This simple action granted the testers control of an unprivileged user account within the “examplecorp.com.local” domain.
Bypassing Network Security Measures
Taking advantage of momentary staff inattention, the testers successfully connected a LanTurtle device between a lobby computer and the network switch.
This small, inconspicuous device, hidden under a desk, obtained an IP address within the ExCorp.com.local domain.
The LanTurtle was pre-configured to establish an SSH connection encapsulated in TLS, effectively bypassing the firewall on port 443.
This maneuver provided the testers with direct remote access to ExCorp’s internal network, demonstrating a severe lack of network access control (NAC).
The penetration test also exposed vulnerabilities in physical access control.
Using publicly displayed evacuation plans, the testers located the manager’s office.
They then exploited a malfunctioning badge-protected door to access restricted areas.
Posing as fire hydrant inspectors, the testers moved through employee-only spaces unchallenged, ultimately gaining entry to the unattended manager’s office.
According tot the Report, Case study by Hackmosphere underscores the critical need for organizations to implement comprehensive security strategies that address both digital and physical vulnerabilities.
Recommendations include implementing automatic computer locking mechanisms, disabling USB ports on public-facing terminals, deploying robust network access control systems, and training employees to be vigilant against potential physical intrusions.
As cyber threats continue to evolve, it is essential for companies to regularly assess and fortify their security measures across all potential attack vectors.
