CISA Conducts Cyber Attack Simulation on Critical Organization
Quick take - The US Cybersecurity and Infrastructure Security Agency (CISA) ran a three-month simulated cyber attack against a critical organization’s networks to identify vulnerabilities and improve its security. The exercise revealed significant weaknesses in technical controls and showed the need for better staff training and for leadership to prioritize cybersecurity measures.
Fast Facts
- CISA conducted a three-month simulated cyber attack exercise to identify vulnerabilities in a critical organization’s networks, with the organization’s consent.
- A spear phishing campaign targeted 13 employees, leading to one employee executing malicious payloads, but security controls successfully blocked these attempts.
- The red team discovered an unpatched XML External Entity (XXE) vulnerability, allowing them to deploy a web shell and gain root access to sensitive systems.
- The exercise revealed significant weaknesses in the organization’s security posture, particularly in intrusion detection and response capabilities.
- CISA emphasized the need for ongoing staff training, improved security measures, and addressing previously identified vulnerabilities to prevent future incidents.
CISA Conducts Simulated Cyber Attack Exercise
Overview of the Exercise
The US Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a simulated cyber attack exercise on a critical organization’s networks. The exercise, carried out over three months with the organization’s consent, aimed to strengthen its security posture; the primary goal was to identify vulnerabilities and potential exploit paths within its infrastructure.
Key Findings and Exploits
CISA’s red team conducted extensive open-source research during the simulation, familiarizing themselves with the organization’s technology assets, networks, defensive tools, and personnel. A targeted spear phishing campaign was launched against 13 employees likely to communicate externally. One employee responded and executed two malicious payloads; however, security controls successfully blocked these attempts.
The assessment continued with a search for exposed devices and services using publicly available tools such as Shodan and Censys. An unpatched service with a known XML External Entity (XXE) vulnerability was discovered, which the team exploited to deploy a web shell. They also identified a pre-existing web shell on the organization’s Linux web server, which let them run commands and establish command and control (C2) capabilities. The team then escalated their privileges through overly permissive access controls, which permitted root access without a password, enabling them to explore directories and files on a Network File System (NFS) share.
Through this exploration, CISA’s team obtained 61 private SSH keys and found a file containing valid cleartext domain credentials, facilitating authentication to the organization’s domain. One week after the initial breach, the red team maintained persistent access across four Linux servers, employing various mechanisms to evade detection.
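The NFS finding above, private keys and cleartext credentials sitting on a share the attackers could read, is an exposure defenders can audit for directly. The following is an added example, not code from CISA’s report or from the assessed organization: it walks a mounted share (here a constructed temporary directory holding fake keys) and reports every SSH private key it finds, whether the key is passphrase-protected, and whether the file is world-readable.

```python
import base64
import tempfile
from pathlib import Path

PEM_MARK = b"PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # 15 bytes, followed by a length-prefixed cipher name

def openssh_cipher(body: bytes) -> str:
    """Cipher name from an OpenSSH private key body; 'none' means no passphrase."""
    data = base64.b64decode(body)
    if not data.startswith(OPENSSH_MAGIC):
        return "unknown"
    n = int.from_bytes(data[15:19], "big")
    return data[19:19 + n].decode()


def classify_key(path: Path):
    """Return a finding dict for a private key file, or None if it is not one."""
    lines = path.read_bytes().strip().splitlines()
    if not lines or PEM_MARK not in lines[0]:
        return None
    if b"OPENSSH" in lines[0]:
        encrypted = openssh_cipher(b"".join(lines[1:-1])) != "none"
    else:  # legacy PEM keys announce encryption in a Proc-Type header
        encrypted = b"Proc-Type: 4,ENCRYPTED" in lines
    return {"path": str(path), "encrypted": encrypted,
            "world_readable": bool(path.stat().st_mode & 0o004)}  # other-read bit


def audit_share(root: Path) -> list:
    """Walk a mounted share and report every private key found on it."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return [f for f in map(classify_key, files) if f is not None]


def build_sample_share() -> Path:
    """Constructed sample share with fake keys (not data from the CISA report)."""
    def openssh_key(cipher: str) -> bytes:
        blob = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher.encode() + b"\0" * 16
        return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
                + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    root = Path(tempfile.mkdtemp())
    (root / "deploy_key").write_bytes(openssh_key("none"))        # no passphrase
    (root / "admin_key").write_bytes(openssh_key("aes256-ctr"))   # passphrase-protected
    (root / "old.pem").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\n"
                                   b"Proc-Type: 4,ENCRYPTED\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    (root / "deploy_key").chmod(0o644)
    (root / "admin_key").chmod(0o600)
    return root
```

Run `audit_share(Path("/mnt/share"))` against a real mount to get the same findings; any key reported as unencrypted or world-readable should be rotated, not just re-permissioned.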
Implications and Recommendations
CISA emphasized that, in a real-world scenario, the organization would have experienced significant operational impacts, including the need to shut down affected servers. In addition to compromising Linux systems, the red team breached a Windows domain controller, enabling lateral movement to all domain-connected Windows hosts. Having compromised both Linux and Windows systems, the team maintained access for several weeks and attempted to reach the corporate workstations of administrators and operators, but time constraints prevented them from fully compromising these workstations.
Importantly, CISA noted that the team did not manage to compromise operational technology (OT) devices during the exercise. The exercise unearthed critical weaknesses within the organization, particularly highlighting issues with technical controls for detecting and halting intrusions. The reliance on host-based endpoint detection and response (EDR) solutions was deemed inadequate.
CISA’s findings underscored the need for ongoing training and support for staff so that software is configured correctly and malicious activity is detected. The report also noted that organizational leadership had deprioritized fixing a previously identified vulnerability, underestimating both its potential impact and the likelihood of exploitation. CISA’s report concludes with recommendations for network defenders and software manufacturers to mitigate the identified risks, emphasizing stronger security measures to prevent future incidents.