Ethical Hacking News
Two professional red teamers posing as new IT employees talked their way into a client's building, plugged a Raspberry Pi into a conference-room Ethernet port that had no network access control, and went on to obtain domain administrator rights in the company's Active Directory. The engagement is a reminder that a compromise can start from seemingly innocuous sources and that companies need robust security procedures: verification of anyone claiming to be a new employee, access control on exposed network ports, and a strong password policy.
The two consultants were let into the building without proper verification. From the unprotected Ethernet port they reached the company's Active Directory, obtained credentials by password spraying, and escalated to domain administrator through misconfigured certificate templates. Key lessons from the incident: train employees to be suspicious of outsiders, restrict network access in sensitive areas, and enforce strong password policies together with multi-factor authentication.
In the realm of cybersecurity, vulnerabilities can arise from seemingly innocuous sources, and sometimes it takes a professional red teamer to expose these weaknesses. Recently, a company was left open to network exploitation after two hired consultants, posing as new IT personnel, were allowed into the building without proper verification. In this exposé we delve into how the weakness arose, the consequences that followed, and what lessons can be learned from this cautionary tale.
The story begins with Kristopher Johnson and Michael, offensive security consultants at Echelon Risk + Cyber in 2023. Their manager, Dahvid Schloss, had assigned them to test the security of a client's office. Winter maintenance work meant the maintenance crew had left their door open. Johnson and Michael walked through it and found themselves in the mail room. After some friendly conversation with the maintenance team, they were allowed into the building without ever showing identification.
Johnson decided to explore the premises while his partner began shoveling snow outside. In a conference room he discovered an Ethernet port with no network access control (such as 802.1X) enabled on it: any device plugged in was put straight onto the corporate network without being authenticated. That made it the ideal spot to plug in his Raspberry Pi as a drop box and reach the company's Active Directory from it. His intention was to carry out the attack remotely through the Pi and assess the company's security posture.
However, Johnson realized that even though the Raspberry Pi was now connected, it would be visible to anyone who entered the conference room and could raise suspicion among employees. To reduce that risk, he hid it behind trash cans.
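The gap Johnson used is the absence of any check on what plugs into the port. Where port-level access control is not yet deployed, one compensating check a network team can run is to compare the switch's MAC address table against the asset inventory and the expected device count per port. The following script is an added example, not code from the article, from Echelon or from the client: the switch output, the inventory and the port names are constructed, and the OUIs are assumed to be the Raspberry Pi Foundation / Raspberry Pi Trading registrations.

```python
"""Find an unexpected device behind an access port by comparing the switch's
MAC address table with the asset inventory.

Added example, not code from the article, Echelon or the client. The switch
output, inventory and port names are constructed; the OUIs are assumed to be
the Raspberry Pi Foundation / Raspberry Pi Trading registrations.
"""
import re

RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}  # assumption, see above

# Constructed inventory: MAC -> the device that is supposed to be on that port.
KNOWN_ASSETS = {
    "00:1A:2B:3C:4D:5E": "conference room A display",
    "00:1A:2B:3C:4D:5F": "conference room A VoIP phone",
}

# Constructed Cisco-style 'show mac address-table' output for one access port.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/12
  10    001a.2b3c.4d5f    DYNAMIC     Gi1/0/12
  10    b827.eb41.c0ff    DYNAMIC     Gi1/0/12
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def normalize_mac(cisco_mac):
    """'b827.eb41.c0ff' -> 'B8:27:EB:41:C0:FF'."""
    digits = cisco_mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows


def find_rogue_devices(text, known_assets=KNOWN_ASSETS, expected_per_port=2):
    """Flag MACs missing from the inventory (noting a Raspberry Pi OUI when seen)
    and any port carrying more addresses than it is supposed to."""
    findings = []
    per_port = {}
    for vlan, mac, port in parse_mac_table(text):
        per_port[port] = per_port.get(port, 0) + 1
        if mac in known_assets:
            continue
        reason = "Raspberry Pi OUI" if mac[:8] in RASPBERRY_PI_OUIS else "not in inventory"
        findings.append({"vlan": vlan, "mac": mac, "port": port, "reason": reason})
    for port, n in per_port.items():
        if n > expected_per_port:
            findings.append({"vlan": None, "mac": None, "port": port,
                             "reason": f"{n} addresses on a port expected to carry {expected_per_port}"})
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(MAC_TABLE):
        print(f"{f['port']}: {f['mac'] or '-'} ({f['reason']})")
```

On the constructed table the Pi is flagged twice over: its MAC is not in the inventory and its OUI belongs to the Raspberry Pi Foundation, and the port is carrying one address more than the display and phone account for. A MAC check is no substitute for 802.1X, since a drop box can spoof the address of the display it sits behind, but it is the kind of routine comparison that would have cut short the weeks the Pi sat unnoticed.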
Getting out proved harder than getting in. The front door required a badge swipe, and they had no badges. After waiting until Michael had finished shoveling snow, Johnson left through the maintenance entrance without any trouble.
When Johnson returned the next day, he learned that the intrusion had been noticed. The head of security confronted the pair: they had been "caught" because someone from the maintenance crew had gone to the IT team to thank them for Michael's help with shoveling snow, and there was no record of new employees named Michael or Kristopher in the system.
At that point the building's security team did not yet know that the two were professional red teamers hired to test the company's defenses; that only came out when the team questioned them, having tracked their movements on camera footage. The security team even attempted to obtain information about Johnson's rental car, but failed.
Using credentials obtained by password spraying, Johnson and his colleague authenticated to the company's Active Directory. They mapped the network shares and the Active Directory Certificate Services deployment, then enumerated the certificate templates and found ones open to the ESC1, ESC4 and ESC8 misconfigurations. Those weaknesses let them escalate to domain administrator. The Raspberry Pi itself was eventually found by a janitor, but only two weeks after it had been planted.
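The three misconfigurations named above are defined in SpecterOps' Certified Pre-Owned research: ESC1 is a template that lets the requester supply their own subject name while an authentication EKU and low-privileged enroll rights are in place and no approval gate exists; ESC4 is a template that low-privileged principals can edit (and so turn into an ESC1 template); ESC8 is a CA web enrollment endpoint reachable over plain HTTP without Extended Protection, so NTLM authentication can be relayed to it. The following audit is an added example, not Echelon's tooling or the client's configuration: the templates, principals and CA settings are constructed, while the msPKI-* attribute names and flag bits are the real ones.

```python
"""Audit AD CS certificate templates for the ESC1 and ESC4 conditions and a CA
for the ESC8 condition, following the SpecterOps definitions.

Added example, not Echelon's tooling. TEMPLATES and CA below are constructed;
the msPKI-* attribute names and flag bits are the real ones.
"""

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
# Assumption: principals treated as low-privileged in this audit.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users"}
WRITE_RIGHTS = {"WriteDacl", "WriteOwner", "WriteProperty", "GenericWrite", "GenericAll"}


def allows_authentication(t):
    """An empty EKU list means 'any purpose', which includes authentication."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    return not ekus or bool(ekus & AUTH_EKUS)


def low_priv_with(t, rights):
    """Low-privileged principals holding any of the given rights on the template."""
    return sorted(p for p, r in t["acl"].items() if p in LOW_PRIV and set(r) & rights)


def check_esc1(t):
    """ESC1: low-priv enroll, enrollee supplies subject, auth EKU, no approval gate."""
    return bool(
        t["enabled"]
        and t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        and not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
        and t["msPKI-RA-Signature"] == 0
        and allows_authentication(t)
        and low_priv_with(t, {"Enroll", "GenericAll"})
    )


def check_esc4(t):
    """ESC4: a low-privileged principal can rewrite the template into an ESC1 one."""
    return bool(low_priv_with(t, WRITE_RIGHTS))


def check_esc8(ca):
    """ESC8: web enrollment over HTTP without Extended Protection (NTLM relayable)."""
    return bool(ca["web_enrollment"] and not ca["https_only"] and not ca["epa_enforced"])


def audit(templates, ca):
    """Return (object name, ESC id) pairs for every condition that holds."""
    findings = []
    for t in templates:
        if check_esc1(t):
            findings.append((t["name"], "ESC1"))
        if check_esc4(t):
            findings.append((t["name"], "ESC4"))
    if check_esc8(ca):
        findings.append((ca["name"], "ESC8"))
    return findings


def template(name, name_flag, enroll_flag, ekus, acl, enabled=True, signatures=0):
    """Build a template record keyed by the attribute names an LDAP query returns."""
    return {"name": name, "enabled": enabled,
            "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag,
            "msPKI-RA-Signature": signatures,
            "pKIExtendedKeyUsage": ekus, "acl": acl}


CLIENT_AUTH, SERVER_AUTH = "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"
# Constructed templates: one ESC1, the same template after remediation, one ESC4.
TEMPLATES = [
    template("VPNUsers", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x0, [CLIENT_AUTH],
             {"Domain Users": ["Enroll"], "Domain Admins": ["GenericAll"]}),
    template("VPNUsers-fixed", 0x0, CT_FLAG_PEND_ALL_REQUESTS, [CLIENT_AUTH],
             {"Domain Users": ["Enroll"], "Domain Admins": ["GenericAll"]}),
    template("WebServer", 0x0, 0x0, [SERVER_AUTH],
             {"Authenticated Users": ["WriteDacl"], "Domain Admins": ["GenericAll"]}),
]
# Constructed CA: web enrollment on plain HTTP with no Extended Protection.
CA = {"name": "CORP-CA", "web_enrollment": True, "https_only": False, "epa_enforced": False}

if __name__ == "__main__":
    for name, esc in audit(TEMPLATES, CA):
        print(f"{name}: {esc}")
```

Real attribute values come from LDAP (the template objects under CN=Certificate Templates in the Configuration partition and the CA's web enrollment settings); the script only encodes the decision logic. VPNUsers-fixed shows the usual ESC1 remediation: clear the enrollee-supplies-subject flag so the CA builds the subject from Active Directory, and require CA manager approval. WebServer is not an ESC1 template today, but because Authenticated Users can rewrite its DACL it is one edit away from becoming one, which is exactly why ESC4 is ranked alongside it.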
The incident holds several lessons for network security. First, every member of staff should be trained to be suspicious of people coming in from outside, even when they present themselves as new employees or offer to help with a task like shoveling snow: a friendly stranger who has not been verified is still a stranger.
Second, companies should restrict network access in sensitive or shared areas such as conference rooms, so that plugging an unknown device into an Ethernet port does not grant access to the internal network. Third, enforcing a password policy that blocks common and seasonal passwords (such as "winter2023!") and enabling multi-factor authentication significantly reduce the chance that a password spray succeeds. Given how the engagement ended, auditing Active Directory Certificate Services templates for the ESC1, ESC4 and ESC8 misconfigurations belongs on that list as well.
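The point of naming "winter2023!" is that it satisfies the default Windows complexity rule (six or more characters, three of four character classes) yet is among the first guesses in any password spray. The following check is an added example, not the client's policy or Echelon's code; the banned-word list, the season-plus-year pattern, the minimum length and the constructed guess list are all assumptions.

```python
"""Why 'winter2023!' passes a complexity-only policy and what additionally
rejects it. Added example; not Echelon's or the client's code. The banned
word list, the seasonal pattern, the minimum length and the guess list are
assumptions.
"""
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Constructed banned-word list; in production this comes from a breach corpus.
BANNED_WORDS = {"password", "welcome", "letmein", "changeme", "qwerty", "company"}
# season, optional separator, 4- or 2-digit year, optional trailing symbols
SEASON_YEAR = re.compile(
    r"^(?:%s)[\W_]*(?:\d{4}|\d{2})[\W_]*$" % "|".join(SEASONS), re.IGNORECASE
)


def meets_windows_complexity(pw, username=""):
    """Approximation of the Windows 'Password must meet complexity requirements'
    setting: at least 6 characters, 3 of 4 character classes, and the
    username (3+ characters) not contained in the password."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    if len(username) >= 3 and username.lower() in pw.lower():
        return False
    return len(pw) >= 6 and sum(classes) >= 3


def is_banned_pattern(pw):
    """Reject season+year passwords and banned words with a digit/symbol suffix,
    whatever their character classes."""
    if SEASON_YEAR.match(pw):
        return True
    core = re.sub(r"[\d\W_]+$", "", pw)      # 'Welcome123!' -> 'Welcome'
    return core.lower() in BANNED_WORDS


def check_password(pw, username="", min_length=14):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length}")
    if not meets_windows_complexity(pw, username):
        reasons.append("fails complexity")
    if is_banned_pattern(pw):
        reasons.append("seasonal or banned word")
    return reasons


def spray_candidates(year):
    """The handful of guesses a sprayer tries against every account for a given
    year (constructed; capitalisation and suffixes are assumptions)."""
    return [f"{s.capitalize()}{year}{suffix}" for s in SEASONS for suffix in ("", "!")]


if __name__ == "__main__":
    print("complexity accepts winter2023!:", meets_windows_complexity("winter2023!"))
    print("policy rejects winter2023! because:", check_password("winter2023!"))
    print("all seasonal guesses rejected:",
          all(check_password(p) for p in spray_candidates(2023)))
```

In Active Directory this logic would live in a password filter DLL or in a banned-password list such as Entra Password Protection's; it is not something the built-in complexity setting provides. The same seasonal guess list is also what a detection rule should watch for: many accounts, one password, one source, inside a short window.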
In conclusion, the incident exposed weaknesses in a company's network security that stemmed from lax procedures for verifying employees and controlling access. As organizations move further into an increasingly digital world, robust cybersecurity measures to safeguard their networks against such threats are imperative.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-Vulnerabilities-A-Cautionary-Tale-of-Network-Insecurity-ehn.shtml
https://www.theregister.com/security/2026/07/02/hackers-shoveled-snow-for-company-were-rewarded-with-network-admin-access/5265240
Published: Thu Jul 2 03:07:05 2026 by llama3.2 3B Q4_K_M