News

|

Feeds

|

Email

Range of Addressable Concerns Includes "Brute Forcing Accounts with Weak Passwords" and "Excessive File System Permissions"

DENVER, Jan. 18, 2023 /PRNewswire/ -- Lares, a leader in global security assessment, testing, and coaching, today released new research highlighting the five most common penetration testing findings encountered by the firm's consultants over hundreds of client engagements in 2022.

Lares typically finds numerous vulnerabilities and attack vectors when conducting penetration tests or red team engagements for clients, regardless of the organization's size or maturity. However, the research team at Lares was surprised by how many times the same five findings kept turning up during their penetration tests and red team engagements in early 2022.

"As we wrapped up 2022, our surprise gave way to expectation, and we found ourselves genuinely surprised if one, or all, of the top five issues were not found on any given engagement," said Andrew Hay, Chief Operating Officer of Lares. "Every single vulnerability described in our latest research paper can be avoided or eliminated through better cybersecurity hygiene practices."

The Lares research team emphasized that these Top 5 findings were not the most severe threats for clients, but rather, the ones they most frequently encountered during engagements over the past year. Key takeaways describing each category include:

Brute Forcing Accounts with Weak and Guessable Passwords: Organizations that have not implemented multifactor authentication (MFA) should be aware that adversaries may target accounts where users have selected weak or guessable passwords to gain access to systems, services, and network resources. If authentication failures are high, there may be a brute-force attempt to gain access to a system using legitimate credentials.

Kerberroasting: Kerberos Service Principal Names (SPNs) uniquely identify each instance of a Windows service configured to accept Kerberos Tickets for authentication. Adversaries possessing a valid Kerberos Ticket-Granting Ticket (TGT) may request one or more Kerberos Ticket-Granting Server (TGS) Service Tickets for any service with an SPN configured from a Key Distribution Server - typically the Domain Controller (DC) in Windows Active Directory. This Service Ticket is then brute-forced offline to recover the plain-text credentials of the account.

Excessive File System Permissions: Improperly set permissions on the binary or directory in which it resides may allow attackers to replace the legitimate binary with a file of their choosing. Adversaries may use this technique to replace legitimate pre-existing binaries or dynamic-link libraries (DLLs) with malicious ones to execute subversive or potentially disruptive code with a much higher permission level than their current user permissions.

WannaCry/EternalBlue: Remote code execution vulnerabilities exist in the Microsoft Server Message Block 1.0 (SMBv1) server that handles certain requests. An attacker who successfully exploits the vulnerabilities could gain the ability to execute code on the target server. The EternalBlue and EternalRomance exploits were leaked by "The Shadow Brokers" group in 2017. The EternalBlue exploit was also leveraged by WannaCry ransomware to compromise Windows machines, load malware, and propagate to other machines in a network.

WMI (Windows Management Instrumentation) Lateral Movement: Lateral movement is a critical phase in any attack targeting more than a single computer. It is not a vulnerability, but a technique employed by attackers to interact with or gain access to a system other than the current system upon which they are operating. The WMI allows for a structured approach to communicating with a remote computer and exposes system monitoring and configuration capabilities to a remote machine. An adversary can use this native functionality to execute malicious code, modify system settings such as adding a user or password or disabling security tools before performing other activities.

The Lares Top 5 Penetration Test Findings in 2022 research paper is available for download here: https://www.lares.com/lares-top-5-penetration-test-findings-report/.

Lares has scheduled a webinar on Thursday, January 26, at 10 a.m. (PT)/1 p.m. (ET), to discuss these white paper findings in greater detail. To sign up or get more information about the webinar, please click here: https://attendee.gotowebinar.com/register/4185409087390473815.

About Lares, LLC

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008. For more information, visit lares.com, contact us at (720) 600-0329, or follow Lares on Twitter @Lares_.

Media Contact
John Kreuzer
Lumina Communications for Lares
Lares@luminapr.com
408-896-3307

View original content to download multimedia:https://www.prnewswire.com/news-releases/lares-research-highlights-top-5-penetration-test-findings-from-2022-301724432.html

SOURCE Lares

Email

|

Slashdot

|

Digg

|

Del.icio.us

|

Feeds

RELATED NEWS ARTICLES

Sup AI Sets New Benchmark Record with 52.15% on Humanity's Last Exam | Jan 22, 2026 Weekly Recap: 11 Tech Press Releases You Need to See | Jan 22, 2026 DEADLINE ANNOUNCED FOR 2026 NEW TOP-LEVEL DOMAIN APPLICATIONS | Jan 22, 2026 Trigent Partners with WeWork India to Expand its GCC Footprint | Jan 22, 2026 Skunk Works® and XTEND Expand Joint All Domain Command and Control for Advanced Mission Execution | Jan 22, 2026 Altair HyperWorks 2026 Delivers Design and Simulation at Scale with AI | Jan 22, 2026 Exia Labs Brings Keystone to the U.S. Navy via DIU's Blue Object Management Challenge | Jan 22, 2026 Marketing Evolution Announces New Investment Led by Insight Partners to Power AI-Ready Marketing Data for the Agentic Era | Jan 22, 2026 Glasswall Brings Defense-Level File Sanitization to Every Government Agency and Business Using Microsoft 365 | Jan 22, 2026 Genpact Named a Leader in ISG Provider Lens(TM) 2025 for Insurance GCCs and Agentic AI Services | Jan 22, 2026