Security Assessments & Pentests | isfame.in

Health Tech Company’s Cybersecurity Transformation: A Successful Pentesting Engagement
https://isfame.in/health-tech-companys-cybersecurity-transformation-a-successful-pentesting-engagement/
Wed, 30 Apr 2025

Traboda partnered with a leading health-tech company to secure its digital ecosystem and protect sensitive patient data. The engagement involved penetration testing of four critical web applications, a public-facing Android application, and the cloud infrastructure supporting the web and Android applications. By identifying vulnerabilities and delivering actionable recommendations, Traboda enhanced the security of these assets, ensuring secure access to sensitive information and compliance with industry standards. This work reinforced the company’s commitment to delivering secure and reliable healthcare technology solutions.

About the client

The company develops cutting-edge health-tech solutions centered on remote health monitoring. Its device and cloud-based systems integrate biosensor technology with mobile applications, enabling real-time health data collection and remote diagnostics. By combining convenience with clinical accuracy, it plays a key role in the digital transformation of healthcare.

Challenges

Complex Ecosystem: The client’s digital ecosystem included multiple interconnected web applications, an Android app, and cloud infrastructure. Each component required both individual and integrated testing to identify vulnerabilities while minimizing disruption to ongoing operations.

Highly Sensitive Data: The applications managed sensitive patient health data, including real-time cardiac monitoring information. This required stringent adherence to ethical testing practices to ensure data privacy and regulatory compliance throughout the engagement.

Time Constraints: The pentesting engagement needed to be completed within a limited timeframe due to the impending deployment of new features in the web and mobile applications. This necessitated prioritizing testing strategies to focus on the highest-risk areas.

Legacy and Modern Components: The system included a mix of modern technologies and legacy components, some of which lacked adequate documentation. Identifying vulnerabilities in those older components required significant manual analysis and reverse engineering.

Unsecured APIs: APIs exposed critical functionality but lacked standardized security practices, such as authentication and authorization. Testing these endpoints without impacting live operations posed additional challenges.

Compliance Considerations: The client needed to align with healthcare-specific regulations like HIPAA while addressing broader security concerns, such as those outlined in the OWASP Top 10. This required a balance between regulatory and technical security requirements.

Objectives

Identify and Remediate Vulnerabilities: Perform a thorough security assessment of the web applications, Android app, and cloud infrastructure to uncover and prioritize vulnerabilities for remediation.

Ensure Data Privacy and Compliance: Ensure the client’s systems comply with industry standards and regulatory requirements (e.g., HIPAA), protecting sensitive patient data from unauthorized access or misuse.

Strengthen API Security: Evaluate the security of exposed APIs to identify gaps in authentication and authorization mechanisms, ensuring these critical components are resilient to attacks.

Evaluate Component Integrity: Identify outdated or vulnerable components in the technology stack and recommend upgrades to ensure robust application security.

Establish a Secure Foundation: Provide actionable recommendations and a roadmap for long-term security improvements, including secure development practices, regular testing, and automated scanning tools.

Minimize Operational Impact: Perform all testing with minimal disruption to the client’s live services, ensuring uninterrupted availability of critical healthcare applications.

Methodology

Pre-engagement Interactions

Traboda conducted a kick-off meeting with the client to align expectations for the engagement. During the meeting, the agreed-upon scope was reviewed, additional information was gathered, and any IPs or URLs that required whitelisting by the client were identified.

Intelligence Gathering

Intelligence Gathering, also known as Reconnaissance, is the initial phase, aimed at evaluating the current maturity level of the targets within the scope. This stage offers valuable insight into how to proceed with the engagement based on the current security posture of the targets. Open-source intelligence (OSINT) is used to gather additional information about each target and to identify it uniquely.

Vulnerability Analysis

In this stage, the goal is to identify the flaws and weaknesses of the in-scope targets that a potential attacker could exploit. This phase is conducted using a combination of automated tools and manual testing so that vulnerabilities missed by one approach are caught by the other.

Exploitation

The Exploitation stage goes beyond just identifying vulnerabilities; it focuses on determining whether the discovered vulnerabilities can be exploited and if they can be leveraged to launch an attack on the target. The objective of this stage is to simulate an attack environment that a potential attacker might employ to compromise the target.

Post Exploitation

The inclusion or exclusion of this stage is determined based on the scope agreement established during the pre-engagement interactions. The objective of this stage is to assess the criticality and potential impact of a successful exploitation from an attacker’s perspective.

Summary of Findings

Result and Impact

Critical Vulnerabilities Addressed

  • Identified and mitigated 6 critical vulnerabilities, including default credentials, vulnerable components, and missing API authorization.
  • Prevented potential exploitation scenarios that could have led to unauthorized access, data breaches, and service disruptions.

Risk Reduction

  • Discovered a total of 26 vulnerabilities (6 critical, 12 high, 6 medium, and 2 low).
  • Enabled the company to prioritize fixes, starting with the most critical and high-impact vulnerabilities, ensuring efficient allocation of resources.

Strengthened API Security

Highlighted significant gaps in API authorization mechanisms, ensuring these endpoints were secured to prevent unauthorized access to sensitive data.

Improved Infrastructure Security

Addressed misconfigurations in the cloud environment, reducing exposure to remote exploitation and improving compliance with secure deployment practices.

Enhanced Application Security

Mitigated risks stemming from the use of outdated third-party components, preventing potential exploitation of known vulnerabilities.

The cloud infrastructure and applications were thoroughly tested for security vulnerabilities using custom test cases. The vulnerabilities found were reported and fixed. A subsequent retest confirmed that the vulnerabilities were effectively resolved, significantly strengthening the organization’s application and infrastructure security.

Red Team Assessment: Strengthening Supply Chain Security
https://isfame.in/red-team-assessment-strengthening-supply-chain-security/
Mon, 21 Apr 2025

A leading consumer products company sought to assess the security posture of its supply chain by conducting a supply chain red team assessment. The objective was to evaluate security gaps in a third-party manufacturing site and its connectivity to the company’s internal IT environment. The assessment followed a zero-knowledge approach, simulating real-world attack scenarios to identify potential vulnerabilities and areas for improvement.

Scope and Objectives

The assessment focused on:

  • Identifying potential network paths between the organization’s network and the third-party manufacturing site.
  • Assessing network reachability from the third-party site to the organization’s internal infrastructure.
  • Discovering vulnerabilities in network devices and configurations that could be exploited to gain unauthorized access.

Key Findings

During the engagement, several critical security weaknesses were identified:

1. Unauthorized LAN Access

The team identified that the internal network lacked proper access controls, allowing unauthorized machines to connect to the LAN. By locating an open Ethernet port and requesting a DHCP lease, an attacker could obtain an IP address without authentication. This provided direct access to internal network resources, allowing the attacker to conduct reconnaissance, sniff network traffic, and pivot to other systems.

2. Insecure Wi-Fi Configuration

The enterprise Wi-Fi network was found to be vulnerable to unauthorized access due to weak authentication mechanisms. Using a rogue access point attack, the team was able to capture WPA2 handshakes and crack network credentials. Furthermore, inadequate rogue access point detection left the network exposed to man-in-the-middle (MITM) attacks, allowing attackers to intercept sensitive data.

3. Weak Application Security

Several critical applications, including a Tomcat server, were running with default administrative credentials. This allowed the red team to log in with commonly known default credentials and gain control over the applications. From this foothold, attackers could manipulate configurations, upload malicious payloads, and escalate privileges to access sensitive business data.

4. Exploitable Windows Protocols

The assessment revealed that Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) were enabled on multiple systems, making them susceptible to spoofing attacks. By deploying a Responder tool on the internal network, the team was able to capture NTLMv2 hashes from authentication requests. These hashes could then be cracked using brute-force techniques or relayed to escalate privileges and gain unauthorized access to internal resources.

5. Weak Password Policy

Multiple user and administrator passwords were found to be weak and easily guessable, and could be found on commonly known password lists. Our team successfully captured authentication hashes from both Wi-Fi and LAN traffic and cracked them using dictionary attacks. Poor password hygiene, coupled with inadequate enforcement of strong password policies, significantly increased the risk of credential theft and unauthorized access.

6. Insecure Active Directory Management

The organization had an excessive number of domain administrator accounts, some of which had weak or easily guessable passwords. Additionally, several service accounts were found to have privileged access and were being used in multiple locations across the network. This widespread presence of privileged accounts increased the risk of lateral movement and privilege escalation attacks.

7. Lack of Multi-Factor Authentication (MFA)

The team was able to compromise an Office 365 administrator account due to the absence of two-factor authentication (2FA). This provided unauthorized access to emails, confidential files, and administrative tools. Without MFA, attackers could use stolen credentials to maintain persistent access to critical systems without detection.

8. Exposure of Building Management Systems (BMS)

The assessment revealed that the Building Management System (BMS) interface was accessible from the Wi-Fi network without authentication. This meant an attacker with access to the network could manipulate critical infrastructure, such as HVAC, lighting, and security controls, potentially leading to operational disruptions.

9. Surveillance Cameras with Weak Passwords

Multiple surveillance cameras were found to be using default or weak passwords, allowing unauthorized access to live video feeds. By connecting to the Wi-Fi network and identifying the IP addresses of these cameras, the team was able to log in and access real-time footage. This posed a serious security risk, as attackers could monitor employee movements and security procedures, facilitating physical intrusion attempts.

10. Legacy Wi-Fi Devices with Weak Authentication

A legacy Wi-Fi device, which was no longer in use, was still active within the network and had a weak default password. This device provided an unexpected entry point for attackers, enabling them to gain unauthorized access to the corporate network. Once inside, an attacker could launch man-in-the-middle attacks, intercept sensitive communications, or use the network as a pivot point for further exploitation.

Remediation and Impact

Following the assessment, we worked closely with the organization to mitigate the identified vulnerabilities. A structured remediation plan was developed and implemented, addressing each issue systematically:

  • Network security enhancements: Implemented robust network access controls (NAC), disabled insecure Windows protocols, and enforced strong authentication mechanisms for Wi-Fi and LAN access.
  • Application security hardening: Updated configurations to remove default credentials, applied access control policies, and enforced strong password policies across all critical applications.
  • Active Directory security improvements: Reduced the number of privileged accounts, implemented Privileged Identity Management (PIM), and enforced multi-factor authentication (MFA) for administrative users.
  • Infrastructure security upgrades: Restricted access to the Building Management System (BMS), secured surveillance camera configurations, and decommissioned outdated Wi-Fi devices.
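As an added defensive example (not code from the case study or from the client's own remediation), the following PowerShell audits a Windows host for the two name-resolution protocols named in finding 4 (LLMNR and NetBIOS Name Service) and disables them, which is the "disabled insecure Windows protocols" step in the remediation list. The registry locations are the documented ones for these settings; the function names and the audit/apply flow are this example's own.

```powershell
# Added example, not part of the original case study. Audit, then disable,
# LLMNR and NetBIOS-NS on a Windows host. Run from an elevated PowerShell session.
# Function names are this example's own; registry paths are the standard ones.

$LlmnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtIfaceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LegacyNameResolutionState {
    # LLMNR is on by default; only EnableMulticast = 0 under the policy key turns it off.
    $mc = (Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast `
              -ErrorAction SilentlyContinue).EnableMulticast
    $ifaces = Get-ChildItem -Path $NetBtIfaceKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            # NetbiosOptions: 0 = follow DHCP setting, 1 = enabled, 2 = disabled
            $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                       -ErrorAction SilentlyContinue).NetbiosOptions
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NetbiosOptions = $opt
                NbtnsDisabled  = ($opt -eq 2)
            }
        }
    $stillOn = $ifaces | Where-Object { -not $_.NbtnsDisabled }
    [pscustomobject]@{
        LlmnrDisabled     = ($mc -eq 0)
        NetBiosInterfaces = $ifaces
        Hardened          = ($mc -eq 0) -and (-not $stillOn)
    }
}

function Disable-LegacyNameResolution {
    # Policy key does not exist until a policy (or this script) creates it.
    if (-not (Test-Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -Value 0 -Type DWord
    # NetBIOS over TCP/IP is per interface, so every Tcpip_* subkey needs the setting.
    Get-ChildItem -Path $NetBtIfaceKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

# Audit first; apply the hardening only when something is still enabled, then re-audit.
$state = Get-LegacyNameResolutionState
$state.NetBiosInterfaces | Format-Table -AutoSize
if (-not $state.Hardened) {
    Disable-LegacyNameResolution
    Get-LegacyNameResolutionState | Select-Object LlmnrDisabled, Hardened
}
```

On domain-joined hosts, push the same two settings through Group Policy (the LLMNR policy key above is what the "Turn off multicast name resolution" setting writes) rather than per host, since a GPO refresh will otherwise override local changes. A reboot or adapter reset is needed before the NetBIOS change takes effect on existing bindings.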

By implementing these security measures, the organization significantly improved its security posture, mitigating risks posed by third-party integrations and strengthening its defenses against real-world cyber threats. This engagement highlights the critical importance of proactive security assessments in identifying and remediating vulnerabilities before they can be exploited by malicious actors.
