Tales From the Encrypt: Horror Stories of Endpoint Insecurity

Please join us as we take you on a journey through the looking glass and into the realm of haunted hacks. Here, misconfigured endpoints lay in wait, threatening to jump out from behind every corner, bringing with them chaos and misery. This Halloween, we invite you to explore a tome of real-world incidents — a graveyard filled with forgotten security checks and best practice neglect, where every device represents a potential doorway for malevolent forces. 

In these stories, we reveal the horrors that await those under-prepared for and over-matched by digital ghouls. Unsurprisingly, it’s often the skeletons in your own closet — the configurations of your own making — that prove the most frightening. 

The Portergeist

Our first tale takes place in Transylvania, erm, I mean, Pennsylvania, where the Aliquippa Municipal Water Authority fell into disarray from open ports on their endpoint devices. In November 2023, hackers exploited an unsecured TCP 20256 port on internet-connected Programmable Logic Controllers (PLCs). These controllers regulated vital processes, including pressure management for water distribution systems. Due to misconfigured security, a cyber group known as the “CyberAv3ngers” was able to infiltrate the system.

The attackers shut down pressure regulation pumps and left a threatening message on the control interface. Fortunately, municipal workers were able to disable the compromised equipment (a booster pump and some security cameras) manually, but not before the incident exposed the out-of-date nature of their security measures.

The open TCP 20256 port revealed a perfect opportunity for hackers to gain access. The attack inevitably led to a full emergency response from the FBI, Department of Environmental Protection, and state police, all jumping in to try and stem the leak and assess vulnerabilities.

Lessons Learned

Open ports are a prime attack vector for cybercriminals. In many cases, and this story is one, the true horror comes not in the realization of exposure but in the arduous recovery efforts — costing over $20,000 and spanning several weeks before resuming standard operations. As much of a nightmare as it was, in all reality Aliquippa actually got off easy. When critical infrastructure is exposed it can lead to outages or system compromise that ultimately put lives at risk.

Well-defined security policies that are vigilantly monitored and strictly enforced are key to preventing such attacks.

Dawn of the Dead Protocols

As we continue our twisted tour, we peer into the insecure legacy configurations that led to disaster with Citrix, the target of an attack exploiting insecure legacy protocols. These old configurations are like zombies — undead, without support tethering them to the world of the living and its modern security standards, but still roaming and capable of leaving destruction in their wake. 

In this case, attackers leveraged the Internet Message Access Protocol (IMAP) through which employee cloud services were running. The protocol was vulnerable due to outdated security features like weak encryption support and plain text authentication for login credentials. Attackers utilized password spraying to execute their entry.

Again this was possible due to IMAP's inadequate security — lacking rate limiting on login attempts and related alerting. Using this as their way in, the attackers infiltrated Citrix's cloud accounts, with shared mailboxes and service accounts opening the door to unimpeded lateral movement.

Failure to ensure system hygiene left the entire network exposed and a lack of effective monitoring allowed the damage to reach gargantuan proportions. All told, the attackers lingered in the system for 5 months before being detected, wreaking havoc all the while. 

A class-action lawsuit was brought against the company and ultimately a settlement was reached in the amount of $5.9 million. Naturally, public discourse around the breach reflected negatively on the company, harming internal morale and external trust (of both customers and business partners). And while the exact recovery costs were not disclosed, Citrix acknowledged in its annual report that dealing with the consequences of vulnerabilities had required "significant investment of resources across the company.”

Lessons Learned

Legacy protocols may remain embedded in systems long after they should have been removed from regular use, posing hidden dangers. Insecure configurations in general and outdated communication protocols in particular come back to haunt you at any moment, until and unless they’re dealt with. 

To stay ahead of the threat, you’ll need to identify legacy protocols that don’t meet your security requirements, block access to those protocols, and disentangle any systems or functionality built on top of them.

The Botchers

In the shadow world of IT security operations, group policies guard against the lurking threats that prowl in the darkness — malware ghouls, ransomware wraiths, and phantoms of phishing. Configurations in particular are an absolute breeding ground for the types of human errors that summon these threats. 

And while there are policy managers to help define groups and administer policies, they are by no means fool-proof. Policies are frequently misapplied and enforcement is easily botched. 

When scripts are needed, for example, mistakes can render them ineffective and go unnoticed. Add to that the fact that group policy changes are laxly tracked and you can understand how group policies designed to make security more scalable and seamless can inadvertently create blind spots and liabilities. Sometimes you may think you’ve already dealt with things in practice that you’ve only actually addressed in theory. In practice, this opens up gaping holes in your cyber defenses. Worse still, the lack of clear control feedback and imperfect oversight can lead to direct compromise. 

For example, in April 2023, Microsoft Threat Intelligence reported an incident involving Mango Sandstorm, a malware group associated with Iran's Ministry of Intelligence and Security. Having breached the network, the attackers leveraged Group Policy Objects (GPOs) to weaken security and allow their malware to pass undetected. They also used GPO’s task scheduling capabilities to actually deploy the ransomware.

Because the attacked organization lacked any sort of GPO monitoring, the changes went unnoticed and no alarm bells rang when the scheduler was co-opted for malicious purposes. In the end, the attack inflicted significant damage to server farms, storage accounts, virtual machines, and virtual networks.

Lessons Learned

Misapplied policies and overlooked changes invite chaos into your network. Whether or not that chaos is exploited in the form of a malware attack, it will create operational friction and insecurity. It’s essential to have some sort of systemic oversight of your group policies that ensures they’re properly defined, effectively enforced, and adhere to best practices.

The Defaulting

One of the most haunting examples of how relying on defaults can lead to catastrophic consequences happened to the security camera company Verkada. In 2021, the company suffered a significant breach when hackers exploited a publicly known default administrative password that was never changed, offering attackers unauthorized access to over 5,000 security cameras inside hospitals, jails, schools, and even Tesla factories. 

Hackers could view live feeds and breach internal systems simply because the company hadn’t replaced the credentials on a misconfigured support server. The impact of this breach extended far beyond compromised camera feeds; a frightening fine of almost 3 million dollars was levied by the FTC due to violating the CAN-SPAM Act.

The incident brought to light just how easily a default password can become the weak link that leads to significant security and privacy breaches, especially when dealing with sensitive environments like hospitals and factories.

Other default settings can pose significant security risks — default usernames like "admin" often go unchanged, making it easy for attackers to gain access. Similarly, default open ports, like 3389 for Remote Desktop Protocol, provide attackers with predictable pathways to enter a system. 

Default permissions and factory-set IP ranges create opportunities by providing standard, easily exploitable access. When left unchecked, these defaults become weak links, allowing attackers to exploit predictable system behavior and compromise sensitive environments.

Lessons Learned

Default credentials must be replaced with strong, unique values as soon as a device or service is put into operation. Not only that, but healthy password policies should prioritize complexity, regular changes, and avoidance of reuse. Preventive endpoint security is necessary but never replaces visibility — network monitoring is the most effective method for catching any would-be intruders red-handed and updating credentials afterward.

The Blair Glitch Project

The importance of timely patches may be brushed aside for enterprises who delay their response…until it’s too late. The 2023 ESXiArgs ransomware campaign is a prime example: this attack exploited a two-year-old vulnerability, CVE-2021-21974, affecting the OpenSLP service in older versions of VMware ESXi. Despite VMware releasing a fix in early 2021, many organizations failed to apply the update, leaving their systems exposed.

Seeing their chance, attackers executed remote code on ESXi servers, gaining unauthorized access to encrypt virtual machines.

The consequences were far-reaching, affecting organizations in the United States, Canada, France, Germany, and beyond. VMware ESXi servers are critical infrastructure components, often used to run important workloads and virtual environments. The attack caused massive disruptions in these environments, with operations grinding to a halt as critical systems were encrypted and rendered inaccessible. 

Multiple hospitals and healthcare providers reported the inability to access patient records, leading to postponed medical procedures and compromised patient care. Manufacturing firms experienced complete production shutdowns as essential virtual machines went offline, disrupting supply chains. Neglecting timely patch management leads to catastrophic threats, especially when dealing with infrastructure that supports sensitive and high-value workloads.

Lessons Learned

While prioritizing critical patches to ensure all endpoints receive updates promptly, it is essential to acknowledge that not all vulnerabilities can be patched immediately. Sometimes, patching may not be feasible due to legacy systems, compatibility issues, or operational dependencies. In such cases, there are other options to reduce risk.

Organizations can implement compensating controls such as network segmentation, firewalls, and intrusion prevention systems to limit the exposure of vulnerable systems. Another practical approach is to leverage virtual patching solutions, which can provide interim protection by monitoring and blocking attempts to exploit known vulnerabilities until an official patch can be applied.

Exorcizing Endpoint Demons

As we conclude our journey through the haunted halls of endpoint security, it’s clear that the specters of negligence and oversight can manifest in dire consequences. Each tale serves as a grim reminder that security measures must be vigilant and proactive; open ports, legacy protocols, misapplied policies, and default settings are not mere inconveniences but potential gateways for chaos.

To protect against the lurking horrors of cyber threats, organizations must cultivate a culture of constant vigilance, regular audits, and timely updates. By learning from these cautionary tales, we can fortify our defenses and ensure that our digital realms remain safe from the shadows. With well-defined, meticulously enforced processes and the right supporting technology you should be able to banish evil endpoint spirits to the depths.