In the dimly lit basement of an abandoned building, hidden beneath the layers of darkness and secrecy, a clandestine cybercrime group known as “The Shadow Syndicate” gathered around a flickering screen displaying the lines of code.
Their eyes glimmered with excitement and malice as they discovered a chink in the armor of a renowned healthcare company, MeditechCorp Pro Solutions.
As the hackers delved deeper into MeditechCorp Pro Solutions’ digital fortress, they stumbled upon a chilling revelation during their reconnaissance phase.
The main server’s vulnerabilities were laid bare — a careless oversight that set their sinister plans into motion.
With PUT HTTP enabled and lacking proper XSS protection, the company’s management system became a breeding ground for their malevolent intentions.
How did they find that?
First, during the reconnaissance phase, they found that one of the JavaScript files was using the PUT method, without any authentication, to upload a txt file to the server and then later download that same file using the GET method.
They didn’t know the reason behind that, but it didn’t matter. All that mattered to them was that they had found the web security misconfiguration; to be more precise: CWE-650: Trusting HTTP Permission Methods on the Server Side.
Request:
Response:
Then the contents of the file were subsequently retrieved using the GET verb:
Request:
Response:
Then they checked the browser security headers configuration:
The Content-Security-Policy (CSP) browser security header was not implemented.
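From the defender's side, the two findings above can be checked mechanically. The following Python is an added example (not code from the engagement or from UN1QUELY): it parses a captured HTTP response and reports a server that accepts or advertises write methods such as PUT (the CWE-650 misconfiguration) and a missing Content-Security-Policy header. The two responses embedded in it are constructed for illustration, not the real ones from the test.

```python
"""Audit a captured HTTP response for the two findings described above: a
server that accepts or advertises write methods such as PUT (CWE-650) and a
missing Content-Security-Policy header. Added example; the responses below are
constructed, not the ones from the engagement."""

from dataclasses import dataclass

# Methods that let a client change what the server stores; a public web root
# should reject them, or require authentication before honouring them.
WRITE_METHODS = {"PUT", "DELETE", "PATCH"}


@dataclass
class Finding:
    check: str
    detail: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_response(raw: str, request_method: str):
    """Return the findings for one request/response pair."""
    status, headers, _ = parse_response(raw)
    findings = []
    method = request_method.upper()
    # A write method answered with 2xx means the server honoured it.
    if method in WRITE_METHODS and 200 <= status < 300:
        findings.append(Finding("cwe-650-write-accepted",
                                f"{method} succeeded with status {status}"))
    # Even a refusal can leak which write methods the server would accept.
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    exposed = sorted(advertised & WRITE_METHODS)
    if exposed:
        findings.append(Finding("cwe-650-allow-header",
                                "Allow header advertises " + ", ".join(exposed)))
    if "content-security-policy" not in headers:
        findings.append(Finding("missing-csp",
                                "no Content-Security-Policy header; injected inline or "
                                "third-party script is not restricted by the browser"))
    return findings


# Constructed response to an unauthenticated PUT, modelled on the misconfiguration in the text.
VULNERABLE_PUT_RESPONSE = (
    "HTTP/1.1 201 Created\r\n"
    "Server: example\r\n"
    "Allow: GET, HEAD, PUT, DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed response from a hardened server: write methods refused, CSP present.
HARDENED_PUT_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_PUT_RESPONSE), ("hardened", HARDENED_PUT_RESPONSE)):
        print(label, [f.check for f in audit_response(raw, "PUT")])
```

The hardened response shows the fix the check is looking for: the server answers PUT with 405, advertises only read methods, and sends a CSP that confines script to the site's own origin.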
With their newfound knowledge, The Shadow Syndicate embarked on crafting a web exploit that would haunt the dreams of MeditechCorp Pro Solutions’ unsuspecting users.
In the darkest corners of cyberspace, they wrote a diabolical piece of code — a malicious web exploit that would stealthily infect the heart of the company’s web infrastructure: the index.html file.
The first function in the web exploit downloaded the index.html file:
The second function inserted new JavaScript code into that index.html file that would send each authenticated visitor's cookies to their web domain.
That would apply to every visitor, because index.html was the first page they'd see after a successful login.
The third function exploited the vulnerability they had found and simply replaced the original index.html with a new one containing the malicious JavaScript code:
The web exploit was ready:
They just needed a web domain to receive the stolen user sessions, so they used Burp Collaborator:
The web exploit was ready, and the domain was up and running, so the next phase was crucial — run the exploit:
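The sequence the exploit runs (fetch index.html, modify it, PUT it back) leaves a recognisable trace in the web server's access log. The following Python is an added detection example, not code from the story or from UN1QUELY: it reads Apache/nginx "combined"-format log lines and raises an alert for every accepted write request, rating it higher when the target is content served to browsers or when the same client fetched that path moments earlier. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Detection logic for the download-modify-replace pattern described above:
a client fetches a page with GET and then overwrites it with PUT. Runs over
web-server access logs in the Apache/nginx "combined" format. Added example;
the log lines below are constructed and use RFC 5737 documentation addresses."""

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"PUT", "DELETE", "PATCH"}
# Files served straight to browsers; overwriting one changes what every visitor runs.
CONTENT_EXTENSIONS = (".html", ".htm", ".js", ".css")


@dataclass
class Alert:
    severity: str
    ip: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_tampering(lines, window=timedelta(seconds=60)):
    """Return one Alert per accepted write request, rated by how dangerous it looks."""
    last_get = {}  # (ip, path) -> timestamp of that client's most recent successful GET
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["method"] == "GET" and 200 <= rec["status"] < 300:
            last_get[key] = rec["ts"]
            continue
        if rec["method"] not in WRITE_METHODS or not 200 <= rec["status"] < 300:
            continue
        reasons = [f'{rec["method"]} accepted with status {rec["status"]}']
        severity = "medium"
        if rec["user"] == "-":
            reasons.append("no authenticated user in the log record")
        if rec["path"].lower().endswith(CONTENT_EXTENSIONS):
            reasons.append("target is content served to browsers")
            severity = "high"
        fetched = last_get.get(key)
        if fetched is not None and rec["ts"] - fetched <= window:
            gap = int((rec["ts"] - fetched).total_seconds())
            reasons.append(f"same client fetched {rec['path']} {gap}s earlier "
                           "(download-modify-replace pattern)")
            severity = "high"
        alerts.append(Alert(severity, rec["ip"], rec["path"], reasons))
    return alerts


# Constructed sample: the txt upload/download seen in recon, then the index.html swap.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2023:10:15:01 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2023:10:15:02 +0000] "GET /uploads/notes.txt HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2023:10:20:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.5 - - [12/Jun/2023:10:20:12 +0000] "PUT /index.html HTTP/1.1" 204 0 "-" "python-requests/2.31"',
    '198.51.100.7 - drsmith [12/Jun/2023:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in detect_tampering(SAMPLE_LOG):
        print(a.severity.upper(), a.ip, a.path, "; ".join(a.reasons))
```

The first PUT (the harmless-looking txt upload) already rates as medium, which is the point at which the misconfiguration could have been caught; the index.html overwrite rates high on two independent grounds, so the rule still fires even if the attacker spaces the GET and PUT out beyond the window.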
As MeditechCorp Pro Solutions’ users innocently visited their trusted web platform, a subtle change occurred.
Unbeknownst to them, a single line of nefarious code was injected into the seemingly harmless index.html file, waiting to ensnare their every move.
The unsuspecting victims were unknowingly sending their sensitive sessions to the malevolent domain of The Shadow Syndicate.
Doctors, administrators, and super admins — unaware of the sinister intrusion — carried out their daily tasks while The Shadow Syndicate watched their every move from the shadows.
They reveled in the power they wielded, lurking behind the scenes as their victims’ most private healthcare and personal information fell into their clutches.
Hundreds of hospitals using a healthcare management platform have fallen victim to a security breach, resulting in the compromise of thousands of patients' data, which now rests in the hands of a notorious cybercrime group.
From a business perspective, do you find this story scary?
Well, “The Shadow Syndicate” and “MeditechCorp Pro Solutions” are not real, and the story was a work of fiction — everything except the security testing. It was a real-life ethical penetration testing session conducted by the UN1QUELY offensive security team on a real healthcare management platform production system used by a lot of hospitals.
Cybercrime groups are on the rise, and this trend will just keep evolving. They’re constantly looking for vulnerable targets so they can use their skills to earn money, ruin the reputation of companies and steal private data, sell it on the black market, or use it to blackmail victims and companies.
Luckily for this healthcare management company, we were first to identify this security misconfiguration vulnerability and exploit it just to show them how vulnerable they were. In the meantime, they've fixed these issues with the help of our cybersec experts.
Our offensive security team is growing and rapidly improving in a wide range of cyber skills, not only in web application penetration testing but also in mobile applications and network penetration testing, phishing simulations, and red teaming.
If you need help securing your company’s cyberspace, please contact us.