CISA broke into a US federal agency, and no one noticed for a full 5 months
Red team exercise revealed a score of security fails
The US Cybersecurity and Infrastructure Security Agency (CISA) says a red team exercise at a certain unnamed federal agency in 2023 revealed a string of security failings that exposed its most critical assets.
CISA calls these SILENTSHIELD assessments. The agency's dedicated red team picks a federal civilian executive branch (FCEB) agency to probe and does so without prior notice – all the while trying to simulate the maneuvers of a long-term hostile nation-state threat group.
According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587, CVSS 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise.
It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023.
"After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response.
"About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023."
Vulnerabilities added to the KEV catalog mean a few things. First, they are serious, known to be exploited by cybercriminals, and can lead to serious consequences. Second, when bugs are added to the catalog, they also come with deadlines by which FCEB agencies have to patch them.
Since introducing the KEV catalog, CISA has always been cagey about the degree to which federal agencies meet these deadlines, but this case shows they aren't always being met.
The Register put a question about deadline compliance to CISA's director Jen Easterly at the Oxford Cyber Forum last month, who said, without referring to specific figures she didn't have access to at the time, that "compliance is very high." Plus, a recent survey showed the catalog is helping the private sector too.
After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases.
Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful.
It said real adversaries may have instead used prolonged password-spraying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords.
After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed.
"None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.
CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets – the most highly privileged systems.
"The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain.
"They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)."
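The two findings quoted above, privileged service accounts with passwords untouched for eight years and accounts outside identity management, are the kind of thing a periodic directory audit catches. The following is an added example, not code from CISA's report: it converts the Active Directory `pwdLastSet` attribute (a Windows FILETIME, 100-nanosecond ticks since 1601) to an age in days and flags privileged or SPN-bearing accounts whose password exceeds a threshold or was never set. The account records, group names (`SCOM Admins`, `Domain Admins`) and SPNs are constructed for the example.

```python
"""Audit directory service accounts for stale passwords.

Constructed example: the records below mimic the LDAP attributes an
auditor would pull (sAMAccountName, pwdLastSet, memberOf,
servicePrincipalName). They are not data from the CISA assessment.
"""
from datetime import datetime, timezone
from typing import Optional

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix
# epoch (1970-01-01), in 100-nanosecond ticks.
FILETIME_UNIX_OFFSET = 116_444_736_000_000_000

# Groups treated as privileged. Placeholder names standing in for the
# SCOM and domain administrator roles the report mentions.
PRIVILEGED_GROUPS = {"Domain Admins", "SCOM Admins"}


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME value to an aware UTC datetime."""
    seconds = (filetime - FILETIME_UNIX_OFFSET) / 10_000_000
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build the sample records."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_UNIX_OFFSET


def password_age_days(pwd_last_set: int, now: datetime) -> Optional[float]:
    """Password age in days; None when pwdLastSet is 0, which in AD means
    the password was never set or must be changed at next logon."""
    if pwd_last_set == 0:
        return None
    return (now - filetime_to_datetime(pwd_last_set)).total_seconds() / 86400


def find_stale_privileged_accounts(accounts, now: datetime, max_age_days: int = 365):
    """Return (sAMAccountName, age_days, reason) for every account that is
    privileged or carries an SPN (so its ticket can be requested and
    cracked offline) and whose password is older than max_age_days or
    has never been set. Ordinary users without SPNs are out of scope."""
    findings = []
    for acct in accounts:
        privileged = bool(PRIVILEGED_GROUPS & set(acct.get("memberOf", [])))
        has_spn = bool(acct.get("servicePrincipalName"))
        if not (privileged or has_spn):
            continue
        age = password_age_days(acct["pwdLastSet"], now)
        if age is None:
            findings.append((acct["sAMAccountName"], None, "pwdLastSet is 0"))
        elif age > max_age_days:
            reasons = [r for r, hit in (("privileged", privileged), ("has SPN", has_spn)) if hit]
            findings.append((acct["sAMAccountName"], round(age), ", ".join(reasons)))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample data: a reference time and four directory entries.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_scom",
     "pwdLastSet": datetime_to_filetime(datetime(2014, 3, 1, tzinfo=timezone.utc)),
     "memberOf": ["SCOM Admins", "Domain Admins"],
     "servicePrincipalName": ["MSOMHSvc/scom01.corp.example"]},
    {"sAMAccountName": "svc_sql",
     "pwdLastSet": datetime_to_filetime(datetime(2023, 1, 15, tzinfo=timezone.utc)),
     "memberOf": [],
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "svc_legacy", "pwdLastSet": 0,
     "memberOf": ["Domain Admins"], "servicePrincipalName": []},
    {"sAMAccountName": "jdoe",
     "pwdLastSet": datetime_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc)),
     "memberOf": ["Staff"], "servicePrincipalName": []},
]

if __name__ == "__main__":
    for name, age, reason in find_stale_privileged_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: age={age} days ({reason})")
```

Against the sample data only `svc_legacy` (never set) and `svc_scom` (roughly nine years old, privileged and Kerberoastable) are reported; `svc_sql` was rotated recently and `jdoe` is neither privileged nor a service principal. In a real audit the records would come from an LDAP query rather than a literal list.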
From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.
The team "kerberoasted" one partner organization. Kerberoasting is an attack on Kerberos, the authentication protocol typically used in Windows networks to authenticate users and devices, in which service tickets are requested and then cracked offline to recover service account passwords. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable.
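Kerberoasting is noisy on the domain controller even when no known indicator of compromise is involved, which makes it a good illustration of the behaviour-based detection the report later calls for. The following is an added example, not code from CISA or the assessed agency: it parses constructed Windows Security Event ID 4769 records ("A Kerberos service ticket was requested") and alerts when one account requests RC4-encrypted tickets for several distinct service accounts in a short window. The log format, the account and service names, and the thresholds are assumptions made for the example; the event fields and encryption type codes (0x17 RC4-HMAC, 0x12 AES256) are those Windows logs.

```python
"""Behaviour-based Kerberoasting detection over Event ID 4769 records.

Constructed example: the log lines below are hand-written stand-ins for
Windows Security 4769 entries in a simple key=value layout. They are not
data from the assessment described in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in the 4769 event. RC4 tickets are
# encrypted with the service account's NT hash, which is cheap to crack;
# a client asking for RC4 when the domain supports AES is the tell.
RC4_HMAC = 0x17
AES128_CTS_HMAC = 0x11
AES256_CTS_HMAC = 0x12

SAMPLE_LOG = """\
EventID=4769 Time=2023-03-02T09:00:00 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=2023-03-02T09:00:01 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_scom TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=2023-03-02T09:00:02 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=2023-03-02T09:00:03 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=2023-03-02T09:00:04 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_old TicketEncryptionType=0x17 Status=0xE
EventID=4769 Time=2023-03-02T09:05:00 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0
EventID=4769 Time=2023-03-02T09:06:00 TargetUserName=WKSTN07$@CORP.EXAMPLE ServiceName=FILESRV01$ TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=2023-03-02T09:07:00 TargetUserName=bwong@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=2023-03-02T11:30:00 TargetUserName=bwong@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0
EventID=4768 Time=2023-03-02T08:59:00 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0
"""


def parse_event(line: str) -> dict:
    """Parse one key=value log line into typed fields (hex codes become ints)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "EventID": int(fields["EventID"]),
        "time": datetime.fromisoformat(fields["Time"]),
        "TargetUserName": fields["TargetUserName"],
        "ServiceName": fields["ServiceName"],
        "TicketEncryptionType": int(fields["TicketEncryptionType"], 16),
        "Status": int(fields["Status"], 16),
    }


def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_roastable_request(ev: dict) -> bool:
    """True for a successful 4769 that requested an RC4 ticket for a user
    service account. Machine accounts (names ending in '$') and krbtgt are
    excluded because they are not what Kerberoasting targets."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev["Status"] == 0x0
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window_minutes: int = 10, min_services: int = 3) -> dict:
    """Map requesting user -> sorted service names for every user who asked
    for RC4 tickets to at least min_services distinct services inside a
    window_minutes sliding window. Counting distinct services per user is
    what separates a spray from a client talking to one service."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                alerts[user] = sorted({svc for _, svc in reqs})
                break
    return alerts


if __name__ == "__main__":
    for user, services in detect_kerberoasting(parse_log(SAMPLE_LOG)).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

On the sample log only `jdoe` trips the rule: four RC4 service tickets for four accounts in three seconds (the fifth request failed and is ignored). `asmith` used AES, the workstation requested a machine-account ticket, and `bwong` touched two services hours apart. Tuning is a matter of window and threshold, and the rule degrades if the domain still legitimately issues RC4 tickets, so enforcing AES on service accounts improves both security and detection.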
CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments.
However, SILENTSHIELD assessments can be carried out under new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate.
It's crucial that these avenues can be explored in such exercises, because they're routes into systems that adversaries will have no reservations about exploring in a real-world scenario.
Disclosure time
For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.
Detection issues were suspected earlier in the proceedings. The RAT, which was injected in the Solaris phase of the exercise, caused 8GB of network traffic to flow through its C2 seemingly without alerting anyone at the agency, for example.
After CISA eventually put the agency out of its misery, weekly meetings were held with its security team and sysadmins which led to "measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft."
One of the main issues discussed in the post mortem was the agency's log collection, which was deemed to be "ineffective and inefficient." Various issues impeded the agency's ability to collect logs, which you can read about in the full writeup, but one stands out: packet capture ran on the very Solaris and Windows hosts CISA had compromised, so the red team was in a position to disrupt the process.
The assessed agency also placed too great a reliance on known indicators of compromise (IoCs) for detecting intrusions, plus various system misconfigurations and procedural issues hindered the analysis of network activity.
CISA said the exercise demonstrated the need for FCEB agencies to apply defense-in-depth principles – multiple layers of detection and analysis measures for maximum effectiveness. Network segmentation was recommended, and the red team wanted to stress the danger of over-relying on known IoCs.
It also wouldn't be a CISA communiqué without a plug for its secure-by-design push. It said that insecure software contributes to the issues faced by the target agency and re-upped its call to stamp out default passwords, provide free logging to customers, and for vendors to work with SIEM and SOAR providers to make better use of those logs. ®