Those Sword and Shield guys are pretty clever!
First, I scanned the network with Nessus and did not find any easily exploited vulnerabilities but I did find a medium-risk vulnerability showing unauthenticated access to multiple NFS shares Nessus ID 42256. Browsing the shares I found a backup copy of the client’s public web site, which was developed using Visual Studio. Visual Studio stores database connection strings, including plaintext passwords, in .config files. Using the command grep -r connectionStrings= at the root of the source directory, I found multiple connection strings that used three different database passwords.