Common Flaws Discovered in Penetration Tests Persist

Brute forcing accounts with weak and guessable passwords, and exploitation using the EternalBlue vulnerability remain among the top 10 findings in penetration tests.

According to research by Lares, the most frequently encountered vulnerabilities and attack vectors during engagements in the past six months have remained exactly the same as in it's previous report, which came out in July last year.

Its latest report analyzed the similarities between hundreds of engagements throughout 2019 and the following list represents the most frequently observed penetration test findings encountered:

  • Brute forcing accounts with weak and guessable passwords
  • Kerberoasting
  • Excessive file system permissions
  • WannaCry/EternalBlue
  • WMI lateral movement
  • Inadequate network segmentation
  • Inappropriate access control
  • Post-exercise defensive control tuning
  • Malicious multi-factor enrolment or MFA bypass
  • Phish-in-the-Middle (PiTM)

In an email to Infosecurity, Lares COO Andrew Hay said that a mix of the top findings are seen in “nearly every engagement.” He said: “Our analysis concludes that regardless of industry or vertical, these findings are evident in most environments we assess.”

Hay also confirmed that the top five findings are still prevalent, whilst implementations of the bottom five were described as “inadequate, inappropriate and ineffective.” Hay added that “those controls were either partially implemented but not tuned correctly, improperly implemented and not correctly hardened during initial deployment, or insufficiently monitored when the control capability exists.”

The fourth finding was unpatched instances of MS17-010, which enabled the WannaCry and NotPetya attacks of 2017. Lares said that despite this vulnerability being resolved, many organizations have yet to deploy this patch or disable SMBv1. “We observed slightly less EternalBlue during the second half of 2019, but we still encounter it quite frequently,” Hay said.

Commenting, Travis Biehn, principal security consultant at Synopsys, said that these sorts of issues come down to a server (or, maybe tens or even hundreds of ‘those servers’) that nobody maintains. He argued: “Perhaps it has been online for a decade, the individual or team that used to manage it is no longer with the company, or somehow it runs software that nobody on the team fully understands: this server may also be home to software that is mysteriously responsible for maintaining a large percentage of revenue.”

Biehn said often fixing these sorts of flaws ends up near the bottom of the pile year after year, and as a result attackers love such servers. “After establishing a foothold on the internal network, say a Linux server, they may hunt for that one Windows XP machine that’s still online. In doing so, there’s no need to worry about next generation anti-virus, EDR, logging, or a nosy sys-admin.”

What’s Hot on Infosecurity Magazine?