IT Infrastructure Pentesting and a Phishing Campaign for an EU Energy Company
Customer
The Customer is a European energy company. It runs an LNG-to-power plant that delivers safe and reliable electricity while reducing carbon emissions in the region.
Challenge
Aware of the scale and devastating consequences of cyberattacks in the energy sector, the Customer wanted to thoroughly test its IT infrastructure for vulnerabilities that could compromise the power plant’s workflows. Lacking the necessary cybersecurity experts on board, the Customer was looking for an experienced penetration testing vendor. With social engineering attacks being one of the most common threats faced by energy companies, the Customer also wanted the chosen vendor to check its resilience to phishing.
Solution
With 19 years in cybersecurity and 200+ successful projects in the domain, ScienceSoft won against the other vendors the Customer was considering for the project. The targets of penetration testing included the Customer’s corporate website, 2 web servers, 4 public-facing IPs, 20 internal subnetworks and 14 Wi-Fi access points. ScienceSoft’s team was also to stage social engineering attacks on the Customer’s employees.
Gray box penetration testing of IT infrastructure
To thoroughly check the Customer’s IT infrastructure within the 14-day deadline set by the Customer, ScienceSoft’s security testing team chose to go with the gray box penetration testing approach. For that, they were provided with credentials to log in under low-privileged user roles. The team planned and performed the penetration testing project according to the NIST 800-115 methodology, with threat classification based on the NIST CVSS score.
The penetration tests conducted by ScienceSoft showed that the security level of the Customer’s IT infrastructure was low, as it contained a number of critical security issues:
- Missing or poor authentication for critical functions (the access to the database management and network monitoring systems). An intruder only needed to gain low-privileged access to the Customer’s internal network to be able to manipulate the database or the network monitoring tools.
- Default Perlinfo and PHPinfo pages that can disclose information about the web server (e.g., server OS and environment variables, Perl and PHP configurations). A potential hacker can use this info to plan and execute further attacks.
- Unsupported versions of Microsoft and Apache web servers on remote hosts, each containing multiple known vulnerabilities that can enable CRLF injection, arbitrary code execution, XSS, DoS attacks, and more.
- The corporate website running on an outdated PHP version with known vulnerabilities that may be exploited for SQL injections, cross-site scripting, and other attacks.
- 2 workstations using an unsupported version of Windows OS that contained vulnerabilities enabling a variety of potential attacks, including buffer overflows, directory traversal, and arbitrary code execution.
To help the Customer’s IT team promptly fix the detected issues and prevent potential security breaches, ScienceSoft’s experts provided a detailed description of the found vulnerabilities and the required remediation measures. ScienceSoft recommended:
- Setting up stricter authorization mechanisms that only allow admin users to access the critical IT infrastructure components.
- Removing the informational files or restricting access to them.
- Using supported versions of the OS, web servers, and PHP that offer enhanced security and regular updates.
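As an added illustration of the first two findings and the matching recommendations (this is not ScienceSoft's or the Customer's code; the role name, URL paths, informational-page file names and the request model are assumptions), the following Python request guard requires an authenticated admin role for the critical database-management and network-monitoring functions, refuses to serve informational pages, and normalizes the request path first so that variants such as `/./PHPINFO.PHP?x=1` or `/phpinfo.php/` cannot slip past the block-list. Every denial is appended to an audit log so the IT team can alert on repeated attempts.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Informational pages that must not be served from a production host.
# These file names are typical defaults and are an assumption of this
# example, not paths taken from the assessment report.
INFO_PAGES: Set[str] = {"/phpinfo.php", "/info.php", "/perlinfo.pl"}

# Critical functions and the role required to reach them.  The paths and
# the role name "admin" are assumptions of this example.
CRITICAL_PATHS: Dict[str, str] = {"/dbadmin": "admin", "/netmon": "admin"}


@dataclass
class Request:
    path: str
    user: str = "anonymous"
    roles: Set[str] = field(default_factory=set)
    authenticated: bool = False


@dataclass
class Response:
    status: int
    body: str


# Denied requests are recorded here so that repeated attempts against the
# critical functions can be detected and alerted on.
AUDIT_LOG: List[str] = []


def normalize_path(raw: str) -> str:
    """Reduce a request target to a canonical, lower-case path so that
    '/./PHPINFO.PHP?x=1' and '/phpinfo.php/' compare equal to '/phpinfo.php'."""
    path = urlsplit(raw).path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def authorize(req: Request) -> Optional[Response]:
    """Return a denial Response, or None when the request may proceed."""
    path = normalize_path(req.path)
    if path in INFO_PAGES:
        # Answer 404 rather than 403 so the response does not confirm the file exists.
        AUDIT_LOG.append(f"deny info-page user={req.user} path={path}")
        return Response(404, "not found")
    required_role = CRITICAL_PATHS.get(path)
    if required_role is None:
        return None  # not a critical function; no extra check needed
    if not req.authenticated:
        AUDIT_LOG.append(f"deny unauthenticated path={path}")
        return Response(401, "authentication required")
    if required_role not in req.roles:
        AUDIT_LOG.append(f"deny role user={req.user} path={path} needs={required_role}")
        return Response(403, "forbidden")
    return None


def handle(req: Request) -> Response:
    """Dispatch a request after the authorization check; the handler is a stand-in."""
    denial = authorize(req)
    if denial is not None:
        return denial
    return Response(200, f"ok {normalize_path(req.path)}")


if __name__ == "__main__":
    # Constructed sample requests exercising each branch of the guard.
    for r in (Request("/dbadmin"),
              Request("/netmon", "bob", {"user"}, True),
              Request("/dbadmin", "alice", {"admin"}, True),
              Request("/./PHPINFO.PHP?x=1")):
        print(r.path, "->", handle(r).status)
    print("\n".join(AUDIT_LOG))
```

The guard is deliberately placed in front of the dispatcher rather than inside each handler, so a newly added critical endpoint is protected as soon as it is listed in `CRITICAL_PATHS`, and an informational page is hidden with a 404 instead of a 403 so the response itself does not leak that the file is present.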
Email phishing campaign
ScienceSoft staged a bulk phishing attack targeting 60 corporate emails belonging to the Customer’s employees. To simulate a real-life phishing spam scenario and also check the efficiency of email protection, the IPs that the testers used were not whitelisted.
ScienceSoft’s team was pleased to report that the Customer’s anti-phishing tools managed to stop the malicious emails. To ensure complete protection against phishing, ScienceSoft recommended evaluating the employees’ cybersecurity awareness through interviews and doing another round of social engineering testing using whitelisted IPs.
Results
Within 14 days, the Customer received an exhaustive list of vulnerabilities in its IT infrastructure and a remediation roadmap with prioritized corrective measures needed to handle the detected security issues. As a result of the phishing campaign performed by ScienceSoft, the Customer received proof of the efficiency of its email security tools. It also got recommendations on boosting its employees’ security vigilance to prevent other kinds of social engineering attacks. Satisfied with ScienceSoft’s proactive approach as well as clear and comprehensive reporting, the Customer is willing to contract ScienceSoft’s team again for future security checkups.
Technologies and Tools
Metasploit, Wireshark, Nessus, Burp Suite, Acunetix, Nmap, Dirb.