In addition, to further evade suspicion the attacker could change the sender address to a real address belonging to a company employee. Our analysis of the source code in this particular case showed that one file contains, in cleartext, the account credentials of the web application administrator. The employee was selected based on a screening mailshot of phishing messages. For example, an attacker with Citrix access can launch Internet Explorer and use its built-in Open File function. These portions of memory can contain critical data in cleartext:
For more details, please refer to our other reports:
Corporate information system penetration testing: attack scenarios
For server management via SSH, Telnet, and other protocols, a password must be manually set. First and foremost, key settings include network segmentation, filtering of network protocols, and refusal to allow unauthorized hardware to connect to the network. The API that we provide allows you to easily integrate the tools from our platform into your own systems and processes. Verify the security of your Internet-facing servers using already installed and configured security tools. Also be sure to protect workstations and servers from tools, such as Mimikatz, that obtain account passwords in cleartext.