Remote access to 5,000 employee devices

June 19, 2024

This was an exciting finding that led to an early indication that Orion can be valuable to security teams. Early on, I wanted to build a security monitoring service that would alert me right away when a new vulnerability was found, whether an app vulnerability or on-premise software vulnerability. One morning, I woke up with a text from Orion saying it had gained access to a company's MDM portal.

As part of the early build, I was monitoring a specific company and only specific instances of that company with particular signatures. One of them was credential brute-forcing to detect weak credentials in various admin/login panels that I deemed to be sensitive for them. One of them was their MDM login panel, which was hosted on-premise. The tool would use a mix of known login credentials and a large dataset to decide what credentials to try randomly. One day, when it was monitoring, it tried a set of credentials that were not common, and it worked. It then extracted the specific users' permission and sent it to me in the alert. To my surprise, this credential gave me remote command permission to send commands to employee devices and lock devices. This would have allowed commands to be executed on more than 5,000 employee devices. A dream for a state-actor to get access to and escalate further with persistence.

Lessons learned: Offensive automation in attack surface management, bug bounty, and pentesting is a necessary complement to manual security testing.