
CISA broke into a US federal agency, and no one noticed for a full 5 months

Red team exercise revealed a score of security fails


The US Cybersecurity and Infrastructure Security Agency (CISA) says a red team exercise at a certain unnamed federal agency in 2023 revealed a string of security failings that exposed its most critical assets.

CISA calls these SILENTSHIELD assessments. The agency's dedicated red team picks a federal civilian executive branch (FCEB) agency to probe and does so without prior notice – all the while trying to simulate the maneuvers of a long term hostile nation-state threat group.

According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587, CVSS 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise.

It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023.

"After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. 

"About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023."

Vulnerabilities added to the KEV catalog mean a few things. First, they are serious, known to be exploited by cybercriminals, and can lead to serious consequences. Second, when bugs are added to the catalog, they also come with deadlines by which FCEB agencies have to patch them.

Since introducing the KEV catalog, CISA has always been cagey about the degree to which federal agencies meet these deadlines, but this case shows they aren't always being met.

The Register put a question about deadline compliance to CISA's director Jen Easterly at the Oxford Cyber Forum last month. She said, without referring to specific figures she didn't have access to at the time, that "compliance is very high." Plus, a recent survey showed the catalog is helping the private sector too.

After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases.

Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful.

It said real adversaries may have instead used prolonged password-spraying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords.

After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. 

"None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.

CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets – the most highly privileged systems.

"The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. 

"They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)."

From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.

The team "kerberoasted" one partner organization. Kerberoasting is an attack on Kerberos, the authentication protocol typically used in Windows networks to authenticate users and devices, in which service tickets are requested for service accounts and then cracked offline to recover their passwords. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable.

CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments.

However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate.

It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario.

Disclosure time

For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.

Detection issues were suspected earlier in the proceedings. The RAT, which was injected in the Solaris phase of the exercise, caused 8GB of network traffic to flow through its C2 seemingly without alerting anyone at the agency, for example.

After CISA eventually put the agency out of its misery, weekly meetings were held with its security team and sysadmins which led to "measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft."

One of the main issues discussed in the post mortem was the agency's log collection, which was deemed to be "ineffective and inefficient." Various issues impeded the agency's ability to collect logs, which you can read about in the full writeup, but one had a particularly big impact: packet capture ran on the very Solaris and Windows hosts CISA had compromised, so CISA was able to disrupt the process.

The assessed agency also placed too great a reliance on known indicators of compromise (IoCs) for detecting intrusions, plus various system misconfigurations and procedural issues hindered the analysis of network activity. 

CISA said the exercise demonstrated the need for FCEB agencies to apply defense-in-depth principles – multiple layers of detection and analysis measures for maximum effectiveness. Network segmentation was recommended and the red team wanted to stress the danger of over-relying on known IoCs.
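As an added illustration of the behavior-based detection CISA is calling for here, and of the Kerberoasting step described earlier in the piece, the following Python is example code written for this article, not CISA's or the assessed agency's tooling. It runs over a constructed sample of Windows Security Event ID 4769 (Kerberos service ticket requested) records and flags an account that requests RC4 tickets for many distinct services in a short window, a pattern no IoC list would catch; the field names, thresholds and sample data are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # "Ticket Encryption Type" 0x17 in Event 4769; AES is 0x11 / 0x12

# Constructed sample of Event ID 4769 records, normalised to dicts as a SIEM
# would do. Field names are this example's own, not any vendor's schema.
SAMPLE_4769 = [
    # jdoe pulls RC4 service tickets for five distinct SPNs in under two minutes
    {"ts": "2023-03-01T10:00:01", "account": "jdoe", "service": "MSSQLSvc/db01", "enc": 0x17, "client": "10.1.1.20"},
    {"ts": "2023-03-01T10:00:02", "account": "jdoe", "service": "HTTP/web01", "enc": 0x17, "client": "10.1.1.20"},
    {"ts": "2023-03-01T10:00:02", "account": "jdoe", "service": "CIFS/files01", "enc": 0x17, "client": "10.1.1.20"},
    {"ts": "2023-03-01T10:00:03", "account": "jdoe", "service": "MSSQLSvc/db02", "enc": 0x17, "client": "10.1.1.20"},
    {"ts": "2023-03-01T10:01:30", "account": "jdoe", "service": "HTTP/web02", "enc": 0x17, "client": "10.1.1.20"},
    # asmith: ordinary AES ticket requests, including a burst that must not alert
    {"ts": "2023-03-01T08:15:00", "account": "asmith", "service": "CIFS/files01", "enc": 0x12, "client": "10.1.1.31"},
    {"ts": "2023-03-01T12:40:00", "account": "asmith", "service": "HTTP/web01", "enc": 0x12, "client": "10.1.1.31"},
    {"ts": "2023-03-01T12:40:05", "account": "asmith", "service": "MSSQLSvc/db01", "enc": 0x12, "client": "10.1.1.31"},
    {"ts": "2023-03-01T12:40:09", "account": "asmith", "service": "CIFS/files02", "enc": 0x12, "client": "10.1.1.31"},
]

def detect_kerberoasting(events, window=timedelta(minutes=5),
                         min_services=3, min_rc4_ratio=0.5):
    """Return one alert per account that requested tickets for at least
    min_services distinct SPNs inside `window`, where at least min_rc4_ratio
    of those requests used RC4 (the ticket type that is crackable offline)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        start = 0
        for end in range(len(evs)):  # sliding time window over this account's requests
            t_end = datetime.fromisoformat(evs[end]["ts"])
            while t_end - datetime.fromisoformat(evs[start]["ts"]) > window:
                start += 1
            span = evs[start:end + 1]
            services = {e["service"] for e in span}
            rc4 = sum(1 for e in span if e["enc"] == RC4_HMAC)
            if len(services) >= min_services and rc4 / len(span) >= min_rc4_ratio:
                alerts.append({"account": account, "client": span[-1]["client"],
                               "services": sorted(services), "rc4_requests": rc4})
                break  # alert at the first moment the threshold is crossed
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"possible Kerberoasting: {a['account']} from {a['client']} "
              f"requested {a['rc4_requests']} RC4 tickets for {a['services']}")
```

The AES burst from asmith is deliberately left unflagged: the signal is the combination of many distinct SPNs and RC4 downgrade, not request volume alone.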

It also wouldn't be a CISA communiqué without a plug for its secure-by-design push. It said that insecure software contributes to the issues faced by the target agency and re-upped its call to stamp out default passwords, provide free logging to customers, and for vendors to work with SIEM and SOAR providers to make better use of those logs. ®
