Behind the Hack: How Password Reuse Led to Admin Access

Risky Business

According to recent studies, the average user has approximately 100 passwords to remember. As if that were not challenging enough, password requirements differ across the many applications we use. Some apps accept simple passwords of only six characters, while others demand longer or more complex passwords with numbers, uppercase letters, and special characters. With so many passwords to remember, and a never-ending list of requirements, users resort to a risky shortcut: reusing passwords. Imagine having one key that unlocks your front door, starts your car, and opens a safety deposit box at the bank. If that key were lost or duplicated, you would risk losing everything. The same is true when users reuse a password across different applications.


The Domino Effect

Hackers have many methods to obtain a user’s password. Social engineering, keylogging, password spraying, and brute forcing are all common ways a password can be compromised. The internet and dark web also host password lists containing billions of stolen credentials. Often, hackers target a user’s personal account, such as Gmail or a social media account like Twitter or Facebook. Because password reuse is so common, a single compromised password is enough to start a chain reaction of falling dominoes.


[Image: Password Reuse Domino Effect]

Not Just an End-User Problem

Password reuse is rampant among end-users, but even IT professionals let their guard down for the sake of convenience. During a recent internal penetration test for a customer, SBS CyberSecurity’s network security team found several administrative accounts used by the client’s managed service provider (MSP) that all shared the same password. Here is a brief overview of how the issue was identified and its impact on the client’s network:


A Nessus vulnerability scan was performed on the client’s internal network. One of the findings was a device running an older management protocol, IPMI v2.0.

[Image: IPMI Password Hash Disclosure]

This protocol is inherently vulnerable because of the way it authenticates a user: during the authentication exchange, the device returns the account’s password hash to any client that supplies a valid username, before that client has proven anything about itself. Knowing a valid username is therefore enough to obtain the hash, and running a Metasploit module allowed the tester to capture it.

[Image: Captured hash]

SBS then cracked the password hash offline and used the recovered password to gain admin access to the device’s web interface.


Knowing that password reuse is a common practice, the network security team tried the same password against other devices on the network. We successfully accessed a Linksys Smart Wi-Fi router.

[Image: Linksys router]

We also authenticated into the web interface of a Dell iDRAC using the same password.

[Image: Dell iDRAC]

But perhaps the most damaging result came when we reused the password to RDP into the domain controller as a DOMAIN ADMINISTRATOR.

[Image: Domain Admin]

Mitigation Strategy

Password reuse can be difficult to detect and remediate, but there are several strategies an organization can implement to reduce the associated risk:

  • Employee awareness training
  • Implement a password management system
  • Require multi-factor authentication
  • Deploy a third-party password filter for Active Directory
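The last bullet, a password filter for Active Directory, is the control that stops a reused or breached password at the moment it is set. The following is an added example, not code from the original post or from any vendor's filter product, showing the checks such a filter typically performs: a minimum length, a lookup against a breached-password corpus keyed by SHA-1 prefix (the k-anonymity scheme, so only the first five hex characters would ever leave the host if a remote range service were used), and a banned-term check that first undoes common character substitutions. The breached-password list and the banned terms are constructed for the demo; a deployment would load a full corpus and the organization's own word list.

```python
"""Pre-commit password checks of the kind a third-party Active Directory
password filter performs. Added example, not from the original post.

Three checks are shown:
  1. minimum length,
  2. membership in a breached-password corpus, looked up by SHA-1 prefix
     (k-anonymity: only the first five hex characters identify the range),
  3. organisation-specific banned terms, matched after undoing common
     substitutions such as '@' for 'a' and '0' for 'o'.
The breach corpus and the banned-term list are constructed for the demo.
"""
import hashlib
from collections import defaultdict

# Constructed sample corpus; a real filter loads millions of entries.
CONSTRUCTED_BREACHED = ["Password123", "Winter2021!", "Welcome1", "letmein"]

# Constructed organisation words a filter would refuse (company name, products, ...).
BANNED_TERMS = ["examplebank", "welcome", "password", "qwerty"]

# Common substitutions users make to sneak a banned word past a filter.
_DELEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                         "!": "i", "4": "a", "5": "s", "7": "t"})


def sha1_hex_upper(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Map 5-char SHA-1 prefix -> set of 35-char suffixes, as a range API would return."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex_upper(pw)
        index[digest[:5]].add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix, index=BREACH_INDEX):
    """Stand-in for a k-anonymity range query: all suffixes for one 5-char prefix."""
    return index.get(prefix.upper(), set())


def is_breached(password, index=BREACH_INDEX):
    digest = sha1_hex_upper(password)
    return digest[5:] in range_lookup(digest[:5], index)


def normalize(password):
    """Lower-case and undo leetspeak so 'P@$$w0rd' compares as 'password'."""
    return password.lower().translate(_DELEET)


def banned_terms_in(password, terms=BANNED_TERMS):
    normalized = normalize(password)
    return [t for t in terms if t in normalized]


def check_password(password, min_length=14, index=BREACH_INDEX, terms=BANNED_TERMS):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        reasons.append("found in breached-password corpus")
    hits = banned_terms_in(password, terms)
    if hits:
        reasons.append("contains banned term: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for candidate in ["Password123", "P@$$w0rd2021!!", "correct horse battery staple"]:
        verdict = check_password(candidate)
        state = "accepted" if not verdict else "rejected (" + "; ".join(verdict) + ")"
        print(f"{candidate!r}: {state}")
```

The substitution step matters in practice: a filter that only compares raw strings will accept `P@$$w0rd2021!!`, which satisfies every complexity rule while being exactly the kind of password the article's attackers guess first. The check runs locally on the hashed value, so the candidate password itself is never stored or sent anywhere.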


Reclaim Security

Password reuse is a blind spot in security. Many users are unaware of the dangers of reusing passwords, so educating them is the first step toward reducing the practice. Implementing technical controls that help users create and manage passwords adds a second layer of password security.



Written by: Bryan Barnes, Network Security Engineer/Regional Director
SBS CyberSecurity




Posted: Thursday, June 3, 2021
Categories: Blog