Internal Asset Scanning and Exploitation

Once inside the internal environment, scanning tools such as fscan identified multiple active hosts in the 10.x.x.x subnet. Several systems were found to be vulnerable due to weak credentials, misconfigurations, or unpatched vulnerabilities.

Techniques such as SMB brute force attempts, SQL Server privilege escalation, SSH weak passwords, and the MS17-010 vulnerability provided access to additional machines. After gaining control of certain endpoints, sensitive data was collected (browser records, database configs, local files) and repurposed into password dictionaries to further expand access.

This iterative process resulted in control of numerous hosts, spanning both Windows and Linux servers. For example, WebLogic servers remained exposed to CVE-2016-0638, while several Windows machines had not patched MS17-010.

 

Weak Credentials in Network Devices

During the investigation, a NAS device contained a network topology diagram along with administrator credentials for routers. With these, it was possible to identify core networking equipment across the environment.

Multiple routers and switches were found to use trivial or predictable passwords (e.g., vendor defaults or simple variations of the company name). This allowed unauthorized administrative access to more than a dozen devices, including Cisco routers with the well-known cisco/cisco credential combination.

Security Management Infrastructure

One internal Windows Server 2019 host, initially believed to be a standard system, was discovered to be running an antivirus centralized management platform. Weak credentials enabled full administrative access to this server.

The system controlled more than 6,000 endpoints. This raised serious concerns about potential supply-chain style attacks—such as tampering with update mechanisms to distribute malicious payloads—highlighting the need for hardening and monitoring of security infrastructure itself.

Domain Environment Compromise

Further reconnaissance revealed an Active Directory domain hosted within the 10.77.9.x range, with domain controllers identified.

Weak passwords again facilitated initial access to domain-joined systems, and configuration files provided additional credential material. Password reuse across systems accelerated lateral movement.

Analysis with BloodHound mapped domain trust relationships and potential attack paths. The environment was confirmed to be vulnerable to CVE-2020-1472 (ZeroLogon), which allowed escalation to full domain controller compromise. With this, complete domain administrator privileges were obtained, giving control over all 418 domain-joined hosts.

Core Production Network Access

By leveraging credentials harvested from the domain, brute force attempts against systems in the production network (10.157.1.x) eventually succeeded. This granted remote access to a critical control center host.

From this foothold, further access into the production zone was achieved, uncovering core industrial control systems (ICS) responsible for signal scheduling and supervisory control—underscoring the potential for operational technology (OT) impact.

Conclusion

This case study demonstrates a full attack chain beginning with external perimeter exposure and progressing through lateral movement, privilege escalation, and eventual domain and production network compromise.

Key weaknesses identified include:

• Outdated VPN appliances with unpatched vulnerabilities.
• Weak and reused passwords across servers, network devices, and domain accounts.
• Unpatched critical Windows vulnerabilities (MS17-010, ZeroLogon).
• Insufficient monitoring of security management platforms.

Defensive Recommendations:

• Apply timely patch management to internet-exposed services.
• Enforce strong password policies with multi-factor authentication.
• Segment networks and restrict administrative privileges.
• Monitor for anomalous activity within both IT and OT environments.
• Harden and closely monitor centralized security infrastructure.

Through this assessment, it becomes clear that a layered defense strategy and proactive governance are essential to prevent similar compromises.