Source URL: https://www.theregister.com/2024/11/22/cisa_red_team_exercise/
Source: The Register
Title: Here’s what happens if you don’t layer network security – or remove unused web shells
Feedly Summary: TL;DR: Attackers will break in and pwn you, as a US government red team demonstrated
The US Cybersecurity and Infrastructure Agency often breaks into critical organizations’ networks – with their permission, of course – to simulate real-world cyber attacks and thereby help improve their security. In one of those recent exercises conducted at a critical infrastructure provider, the Agency exploited a web shell left behind from an earlier bug bounty program, scooped up a bunch of credentials and security keys, moved through the network and ultimately pwned the org’s domain and several sensitive business system targets.…
AI Summary and Description: Yes
Summary: The US Cybersecurity and Infrastructure Agency (CISA) conducted a simulated cyber attack on a critical infrastructure provider, identifying significant vulnerabilities due to poor security practices and controls. Key insights highlight the importance of regular training for staff, adequate detection methods, and leadership prioritization of cybersecurity threats.
Detailed Description: The recent report by CISA discusses a red teaming exercise conducted over three months on a critical infrastructure provider. This operation served to demonstrate various security vulnerabilities and to offer lessons learned for strengthening defenses against real-world cyber threats. The highlights of CISA’s findings are as follows:
– **Simulation Process**:
  – The red team operated without any prior knowledge of the organization’s network assets.
  – It conducted open-source research to identify potential points of attack and targeted employees with a spear-phishing campaign.
– **Exploitation Techniques**:
  – The red team exploited an unpatched service with an XML External Entity (XXE) vulnerability to gain initial access.
  – An existing web shell gave greater control over the organization’s systems, including the ability to escalate privileges.
– **Security Flaws Identified**:
  – Overly permissive access controls granted excessive privileges, allowing actions as the root user without proper authentication.
  – Misconfigured network protections left internal systems more exposed.
– **Persistence and Lateral Movement**:
  – The red team maintained access across multiple Linux servers, using persistence mechanisms to stay undetected.
  – Access to SSH keys and sensitive documents enabled lateral movement throughout the organization, eventually reaching both Linux and Windows systems.
– **Final Outcomes**:
  – While the operational technology (OT) devices were not compromised, the organization was significantly exposed in terms of sensitive data and systems.
  – The CISA report emphasized critical lessons to be learned from the exercise.
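The initial access above came through an XXE flaw in an unpatched service. The report does not name the service or its XML library, so the following is an added illustration, not code from CISA or from the affected organization: a stdlib-only Python parser that refuses any DOCTYPE or entity declaration before it is processed. Because both external-entity retrieval and entity-expansion bombs need a DTD, rejecting the DTD outright closes the whole class for input that has no legitimate reason to carry one. The sample documents are constructed, and the `file:///PLACEHOLDER/...` path is a labelled placeholder.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD, which is where XXE payloads live."""


def parse_without_dtd(xml_bytes: bytes) -> list:
    """Parse untrusted XML and return the element names in document order.

    Any DOCTYPE or entity declaration aborts the parse. External entities
    (XXE) and entity-expansion bombs both require a DTD, so refusing the
    DTD removes the whole class rather than one payload shape.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity inside the DTD is declared or expanded.
        raise UnsafeXmlError(f"DOCTYPE '{name}' not allowed in untrusted input")

    def reject_entity(*decl):
        # Defence in depth: never reached when DOCTYPE is already rejected.
        raise UnsafeXmlError("entity declarations not allowed in untrusted input")

    def refuse_external(context, base, sysid, pubid):
        # Returning 0 makes expat abort instead of fetching the resource.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    # Never read external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: elements.append(name)

    parser.Parse(xml_bytes, True)
    return elements


# Constructed sample input: a benign document and one declaring an external entity.
BENIGN_DOC = b'<?xml version="1.0"?><order><id>42</id><item>widget</item></order>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b'<order><id>&ext;</id></order>'
)


def classify(xml_bytes: bytes) -> str:
    """Convenience wrapper for logging: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_without_dtd(xml_bytes)
        return "accepted"
    except UnsafeXmlError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(classify(BENIGN_DOC))
    print(classify(XXE_DOC))
```

The rejection reason is returned as a string so that it can be logged: a stream of `rejected: DOCTYPE` events against a service that never expects a DTD is itself a useful detection signal.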
**Key Lessons Learned**:
– The importance of layered security measures that extend beyond host-based EDR solutions to include network-level protections.
– Continuous training and support for employees to improve their readiness against phishing attacks and recognize signs of malicious activity.
– The need for leadership to remain vigilant regarding known vulnerabilities and prioritize cybersecurity measures based on risk assessments.
The findings also underline the necessity for organizations to engage in regular assessments and simulations to fortify their security postures against evolving cyber threats, particularly in critical infrastructure sectors.
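The web shell that CISA reused was a leftover from an earlier engagement, and the persistence the red team planted on Linux servers went unnoticed. One control that catches both is a deployment baseline for each web root: record the hash of every file at release time and diff the live tree against it on a schedule. The script below is an added example written for this summary, not tooling from CISA or the article; the directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline captured at deployment time.

    'added' is the interesting bucket for leftover or newly dropped web shells;
    'modified' catches code injected into legitimate files.
    """
    current = build_manifest(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: deploy, snapshot, then drift appears in the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "assets").mkdir()
        (root / "assets" / "app.js").write_text("console.log('app');\n")
        # In practice the baseline is stored off-host (and signed) at release time.
        baseline = build_manifest(root)

        # Later: a file nobody deployed appears, and a deployed file is edited.
        (root / "assets" / "cache.php").write_text("<?php /* not in the release */ ?>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>\n")
        return diff_manifest(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from a scheduled job or a configuration-management hook, a non-empty `added` or `modified` list on a web root whose only legitimate writer is the deployment pipeline is a high-signal alert, and it would also have surfaced the orphaned shell from the earlier bug bounty program long before a red team found it.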