CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months (theregister.com) 35
A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register's Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise. It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023. "After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023." [...]
After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.
CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. "They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.
The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.
After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.
CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. "They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.
The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.
Wonder who else was in there? (Score:2)
Surely CISA wasn't the only party inside those systems.
Someone Needs Consequences (Score:5, Interesting)
Re: (Score:2)
Re: Someone Needs Consequences (Score:4, Interesting)
Except that 5% should be used as a incentive to attract more qualified security engineers and architects. I've talked with a few government agencies about positions, the pay is always piss poor, working conditions suck (WFH isn't allowed), and the vacation policy can chortle my balls.
Re: (Score:2)
No one needs 140-180k/yr.
Re: Someone Needs Consequences (Score:2)
Re: (Score:2)
Re: (Score:2)
Except that 5% should be used as a incentive to attract more qualified security engineers and architects. I've talked with a few government agencies about positions, the pay is always piss poor, working conditions suck (WFH isn't allowed), and the vacation policy can chortle my balls.
It might even get a few of those highly prized security professionals to actually come to the office to work at those agencies ... Just sayin'
Re: (Score:2)
They didn't spend their budget on security so take their budget away? That's sure get things fixed.
This is akin to Civil Forfeiture, which is wrong because its actually stealing and is the opposite of justice.
Civil forfeiture works against little people (Score:2)
Of course the higher ups should suffer it... /s
Re: (Score:2)
Needs to be personalised (Score:3)
The real villain of the piece is whoever decided not to spend enough on cyber security. Assuming that the IT staff asked for more money and some accountant refused it, that person should be packing their bags. Perhaps pour encourager les autres all that person's line managers up to the head of the agency should also be fired. ;)
Solaris? (Score:2)
My first thought was, "People still use Solaris???" I thought everyone had abandoned Solaris after Oracle bought it. If not, they certainly should have.
Re: (Score:2)
I thought everyone had abandoned Solaris after Oracle bought it. If not, they certainly should have.
Indeed. That was my first thought too. Solaris is a name I hadn't heard in many years.
"People still use Solaris???"
People make strange choices that are often not based on logic or self-preservation. For example, Windows is still widely used for a reason that totally elude me.
Re: (Score:2)
Because the alternatives suck even worse. I'm sure you've got a favorite flavor of Linux and I bet I can find at least three reasons to not use it.
Re: (Score:2)
Re: (Score:3)
They can't get the budget approved to replace a working system with something newer?
I'm not particularly impressed with the time it took to apply the patch though, according to https://nvd.nist.gov/vuln/detail/CVE-2022-21587 [nist.gov] the NVD published date: was 10/18/2022. This was not a zero-day exploit.
Re: (Score:2)
Oracle Solaris worries me. Open Indiana (which is based off Open Solaris) might be more secure, I don't know the current status of it. It's not exactly a system that gets mentioned a lot.
Re: (Score:2, Interesting)
My first thought was, "People still use Solaris???" I thought everyone had abandoned Solaris after Oracle bought it. If not, they certainly should have.
It all boils down to money. Porting complex specialist software to another operating system platform can be extremely difficult and expensive. When the stakeholders don't want to invest in that process but they still want the services to be available 99.999% of the time the only real option is to keep the legacy system in use. There are plenty of systems in use in both government and private businesses that are so old they are long since past end of support, there are no patches to be had from the manufactu
Re: (Score:2)
Yes, I thought about that afterwards, but Comcast puked just after I posted and has been down all day. It's hard to get management types to cough up money to fix something that they don't understand is broken, since as far as they can see things are still working fine. All too often these ancient creaking behemoths are functioning almost entirely without maintenance too since everyone who knew how to deal with Product X (Solaris in this case) has retired or moved on, which then makes it even more complica
Re: (Score:2)
Solaris is actually not that bad. Still has network and IPC performance problems, but overall a pretty decent OS. Compare it to Windows and it is stellar.
Whining For More Money (Score:2)
Because that is how you fix everything in a capitalistic society. Works 100%.
Re: Whining For More Money (Score:1)
Money is how you measure priorities (Score:2)
There is always a conflict about what to prioritise in ANY society. In the most socialist society there would still be a choice between spending money on making roads safer, better hospitals to treat the victims of road accidents, or cyber security to prevent cars' software being hacked and so becoming murderous.
No surprise at all! (Score:2)
You lead by example, most parts of government give themselves the benefit of the doubt and a pat on the hand when caught. And at the same time, come down hard on any citizen not following the their rules.
Re: (Score:2)
Yep. Typically government is made up of really crap people. That is one of the effects.
Re: (Score:2)
Re: (Score:2)
I mostly agree. Obviously, I was simplifying. One thing I do believe, however, is that everybody part of an organization shares some of the blame for what that organization does. Obviously, most of the blame goes to the top in any hierarchical organization and most definitely in a bureaucracy. But it can be argued that most "leaders" would just be village-idiots if they did not have the support of the organization.
Hence I do not accept "I was acting under orders" as an valid moral excuse. I do expect some t
Biden is responsible!!! (Score:1)
What do you mean: 'of course he's not?' If he's not, who is? And there the problem of real accountability becomes clear; noone is going to be seriously disciplined for this.
That is "industry standard". (Score:3)
Remember that, for example, Microsoft did not notice at all that Outlook Online was completely compromised in 2023. A customer noticed after a while.
If you do it, you go to jail under the CFAA (Score:2)
Data security still not a priority (Score:2)
People can see an unlocked door, possibly an abandoned door-key. They can't see sensitive data saved in the wrong directory, weak passwords and authentication/permission set to default. Worse, in most businesses, no-one is responsible for this and usually, no-one is paid for this. Worst, people assume their IT-services contractor has set permissions correctly, filed the necessary records and done all the fiddly double-checking: He hasn't, his job is to get the system stable and charge as much as the mar