#3 The “invisible” network shares

The attack

It’s Wednesday morning, the sun is shining and all ImmerGrün AG employees are looking forward to the summer party in the afternoon.
Beate from the HR department wanted to have a look at some applications from the day before and was surprised that many documents suddenly needed macros to open them, but she would have another look tomorrow…

What happened?

An attacker had compromised an employee’s account. This one could actually only see the company’s global exchange drive. However, the attacker very quickly checked all servers for open network drives and found that most shares were merely unmounted, but every domain user had read & write permissions on them.
Therefore, he added a macro to each Office file (Word, PowerPoint, Excel), on each network share. This meant that any employee who opened one of these files was also compromised.

In addition, the attacker found an “Admin” share, which appeared to be for administrators only.

In addition to various setup files, the attacker also found bat & Powershell scripts. These also contained the access data of various privileged accounts, which meant that the entire company could be compromised.

The countermeasure

First of all, administrators should realize that shares can also be included by users! This means that “invisible” network drives must also be assigned the appropriate permissions.

Afterwards, all systems in the network should be checked for open network shares and their permissions.

Safety gain

Medium to High

*From the blog series Top Security QuickFails