The catering service

Last year, we were hired to do an overall security posture assessment and see if we could get a foot inside the customer's network. The idea was to test their perimeter and the training their employees had in security awareness.
The customer gave us 6 weeks to complete the assessment and deliver what we found.

After a couple of weeks and a bunch of failed attempts, we figured their perimeter security was good. We could probe and penetrate it, but we needed a bit more time than what we had. So, we decided to change the approach.

Like most big companies, our customer had a cafeteria in the building that would serve breakfast and lunch to the employees. They outsource the food and service to a 3rd party catering service and since the supply chain is usually one of the traditional weak points, we looked there.
The catering service had set an external website for the employees of the customer to place orders for lunch. After scanning, we found their "secure coding" was, well, non existant and we found multiple vulnerabilities that we could exploit, from PHP env. variables that we could arbitrarily set and get upload our code to reverse shell and exploits, to getting full control of their server. Which we did. After changing a some of the application code, we now had a good way to spread a backdoor into our customer network. The next day, when people began placing orders for lunch, we began receiving shells from their workstations. At the end of the morning we had 39 active shells, including an administrator.

A week later we had copies of all their emails.

So... What's the moral of the story? You might be secure, but are your suppliers?

The multinational and lessons learned

Interview with the Revue Militaire Suisse