Hackers Shoveled Snow for Company, Were Rewarded With Network Admin Access
The Register, Thursday, July 2nd, 2026
Red teamers gained network admin access via social engineering and physical security gaps at a client site.
Two offensive security consultants ran a penetration test by exploiting social engineering and physical security gaps.
After offering to shovel snow, they gained building access and planted a Raspberry Pi on an unprotected network port, remaining undetected for two weeks.
During that time they found the company used weak passwords like winter2023! across 50-60 accounts and multiple Active Directory Certificate Services vulnerabilities.
They ultimately obtained domain administrative access. The incident highlights inadequate security awareness training, unrestricted network ports, and the absence of strong password policies and multi-factor authentication.