CISA Red Team Exercise Finds Critical Vulnerabilities in Federal Civilian Agency

A CISA red team exercise performed in early 2023 has revealed significant gaps in the cybersecurity posture of a federal civilian executive branch organization, according to a report from the US government’s cybersecurity agency.

The SILENTSHIELD assessment, which was meant to simulate a long-term state-sponsored attack, found that the unidentified organization failed to prevent and identify malicious activity, had insufficient network segmentation, lacked proper log collection, and applied a ‘known-bad’ detection approach, along with other shortcomings.

After an eight-month-long red-team exercise, the CISA team found that the organization’s network defenders were affected by bureaucratic communication and decentralized teams.

The CISA assessment started with initial access to the executive branch’s Solaris enclave by exploiting an unpatched vulnerability in Oracle Web Applications Desktop Integrator leading to remote code execution without authentication (CVE-2022-21587).

Successful exploitation of the flaw provided access to a backend application server handling incoming requests from the internet-accessible web server and led to the deployment of a secure Python remote access tool (RAT).

Access to the server allowed the red team to extract credentials for a privileged service account and establish an outbound SSH connection. Using the local administrator’s root access, the team was able to move laterally “through much of the network segment via SSH”.

The team deployed RATs on several servers that allowed external internet access and discovered that the federal agency lacked application layer firewalls that could detect and block the malicious traffic.

“The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events,” CISA said in the report.
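The implants described above listened on random high ports so that operators could reach hosts without creating new SSH login events. A host-level control that catches this is a baseline of expected listening sockets per host, diffed on a schedule. The script below is an added example and is not part of the CISA report or the agency's tooling; it assumes Linux-style `ss -tlnp` output as input (the sample lines and the baseline are constructed) and flags any listener whose port/process pair is not on the baseline, noting whether it is bound to a non-loopback address and sits in the ephemeral range.

```python
"""Diff current TCP listeners against a per-host baseline (added example)."""
import re

# Constructed sample of `ss -tlnp` output; not real data.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=7))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("java",pid=1340,fd=12))
LISTEN  0       10      0.0.0.0:47213        0.0.0.0:*          users:(("python3",pid=2291,fd=4))
"""

# Constructed baseline for this host: (port, process name) pairs that are expected.
BASELINE = {(22, "sshd"), (5432, "postgres"), (8080, "java")}

# One LISTEN line: state, queues, local addr:port, peer, then the owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return one dict per LISTEN line; header and unparseable lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append({
                "addr": m["addr"],
                "port": int(m["port"]),
                "proc": m["proc"],
                "pid": int(m["pid"]),
            })
    return listeners


def unexpected_listeners(ss_output, baseline, high_port=1024):
    """Listeners absent from the baseline.

    Each finding records whether the socket is reachable from the network
    (not bound to loopback) and whether it uses a high, non-service port,
    the combination the report describes for the implants' bind listeners.
    """
    findings = []
    for lst in parse_listeners(ss_output):
        if (lst["port"], lst["proc"]) in baseline:
            continue
        external = lst["addr"] not in ("127.0.0.1", "::1", "[::1]")
        findings.append({**lst, "external": external, "high_port": lst["port"] >= high_port})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_SS, BASELINE):
        print(f"unexpected listener: {f['proc']} (pid {f['pid']}) on {f['addr']}:{f['port']} "
              f"external={f['external']} high_port={f['high_port']}")
```

The baseline is deliberately keyed on port and process name together, so a known port taken over by a different binary is also reported. Run it from a scheduled job on each host and alert on any non-empty result.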

The extensive access allowed the team to access sensitive information, including personally identifiable information (PII), shadow files, an administrator SSH key, and a plaintext password, and to mount network file system file shares for further access to files and folders.

While the account did not provide privileged access to all hosts on the network, the team identified a network security appliance scanning service account that regularly logged in to an internal host using only password-based authentication and that also connected to every other host via SSH; a path hijack vulnerability allowed the team to capture that account’s password.
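Two conditions combined here: a high-reach service account that still authenticated with a password, and a PATH that let an attacker plant a binary in front of the real one. Both are auditable. The script below is an added example, not code from the CISA report; it parses OpenSSH `Accepted ...` lines from a central syslog (the log lines, hostnames and account names are constructed), reports privileged accounts that used password rather than key authentication together with each account's fan-out across hosts, and separately checks a PATH value for empty, relative, or other-writable entries (the set of other-writable directories is assumed to come from a prior permission sweep and is passed in).

```python
"""Audit SSH authentication method and PATH hygiene for service accounts (added example)."""
import re
from collections import defaultdict

# Constructed sshd lines from several hosts, as forwarded to a central syslog.
SAMPLE_LOG = """\
Mar 03 01:12:09 db01 sshd[4102]: Accepted publickey for deploy from 10.10.4.7 port 51022 ssh2: ED25519 SHA256:c0nstructed
Mar 03 01:13:44 web02 sshd[2231]: Accepted password for scansvc from 10.10.1.50 port 40211 ssh2
Mar 03 01:13:51 db01 sshd[4155]: Accepted password for scansvc from 10.10.1.50 port 40212 ssh2
Mar 03 01:14:02 app03 sshd[911]: Accepted password for scansvc from 10.10.1.50 port 40213 ssh2
Mar 03 01:20:17 app03 sshd[930]: Accepted password for jdoe from 10.10.8.21 port 55010 ssh2
"""

# Constructed: accounts that hold root or appliance-level privileges.
PRIVILEGED = {"scansvc", "deploy"}

ACCEPT_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_accepts(log_text):
    """Return dicts (host, method, user, src) for each successful login line."""
    return [m.groupdict() for m in map(ACCEPT_RE.match, log_text.splitlines()) if m]


def audit_ssh_auth(log_text, privileged):
    """Privileged accounts that logged in with a password, plus per-account host fan-out.

    Returns (violations, fanout): violations is a list of (user, host, src);
    fanout maps each user to the number of distinct hosts it reached, which is
    the blast radius if that account's credential is captured.
    """
    hosts_by_user = defaultdict(set)
    violations = []
    for ev in parse_accepts(log_text):
        hosts_by_user[ev["user"]].add(ev["host"])
        if ev["user"] in privileged and ev["method"] == "password":
            violations.append((ev["user"], ev["host"], ev["src"]))
    return violations, {u: len(h) for u, h in hosts_by_user.items()}


def risky_path_entries(path_value, other_writable):
    """PATH entries an unprivileged user could plant an executable in.

    Flags empty and relative entries (they resolve to the current directory)
    and absolute entries listed in other_writable, a set of directories the
    caller found to be writable by users other than root/owner.
    """
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            risky.append(entry or "<empty>")
        elif entry.rstrip("/") in other_writable:
            risky.append(entry)
    return risky


if __name__ == "__main__":
    bad, reach = audit_ssh_auth(SAMPLE_LOG, PRIVILEGED)
    for user, host, src in bad:
        print(f"password auth by privileged account {user} on {host} from {src} "
              f"(reaches {reach[user]} hosts)")
    print("risky PATH entries:",
          risky_path_entries("/usr/local/bin:/opt/tools/bin::/usr/bin:.", {"/opt/tools/bin"}))
```

The fix the findings point at is the one the report implies: move the scanning account to key-based authentication scoped to the hosts it actually needs, and make sure the directories on a privileged account's PATH are owned by root and not writable by others.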

“The harvested password granted unrestricted privileged access to the entire Solaris enclave,” facilitating “months of persistent access to sensitive systems, including web applications and databases”, CISA added.

Phishing led to Windows environment compromise

Using OSINT techniques, the red team identified the organization’s employees’ names, email addresses, and job titles, and sent a phishing payload to targets that interacted regularly with the public, which was executed on a workstation.

“The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS,” CISA explains.
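The persistence mechanism quoted here, a Run key whose value launches a binary from a user-writable folder, is one of the easiest to detect from registry telemetry. The script below is an added example and is not from the CISA report; it assumes Sysmon Event ID 13 (RegistryEvent, value set) records exported as dicts with Sysmon's `TargetObject`, `Details` and `Image` fields, and flags Run/RunOnce writes whose target executable lives under a profile or temp directory. The records, SID and paths are constructed.

```python
"""Flag Run/RunOnce registry writes that point at user-writable paths (added example)."""
import re

# Run and RunOnce under HKLM, HKU\<SID>, and the Wow6432Node mirror.
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# Locations an ordinary user can write to; a legitimate autostart rarely lives here.
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\)",
    re.IGNORECASE,
)
# First executable path in the value data, with or without surrounding quotes.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|cmd|ps1|vbs|js|scr))', re.IGNORECASE)

# Constructed Sysmon Event ID 13 records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svc\\updater.exe",
    },
    {
        "EventID": 13,
        "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
        "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /tray",
    },
    {
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        "\\Software\\Classes\\Local Settings\\MuiCache\\x",
        "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.exe",
    },
]


def autostart_target(details):
    """Executable path referenced by the value data, or the raw data if none found."""
    m = EXE_RE.search(details or "")
    return m.group(1) if m else (details or "")


def suspicious_autostarts(events):
    """Run/RunOnce value sets whose target executable is in a user-writable location."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(key):
            continue  # not an autostart key (third record above is filtered here)
        target = autostart_target(ev.get("Details"))
        if USER_WRITABLE_RE.search(target):
            findings.append({"key": key, "target": target, "writer": ev.get("Image")})
    return findings


if __name__ == "__main__":
    for f in suspicious_autostarts(SAMPLE_EVENTS):
        print(f"autostart in user-writable path: {f['key']} -> {f['target']} (written by {f['writer']})")
```

The second record, a vendor agent under Program Files, passes because its target is not user-writable; the third touches a user-writable path but is not an autostart key. Tuning in a real environment means maintaining an allowlist of known-good (key, target) pairs rather than loosening the path rule.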

This allowed the team to identify the security products running on the system and deploy a more capable RAT into memory, which remained undetected despite a bug that “caused 8 GB of continuous network traffic to flow in one afternoon”.

Leveraging access to the civilian agency’s Windows environment, the team harvested Active Directory data, accessed internal file servers, found a password file containing plaintext passwords, and discovered accounts with high-level administrative privileges that were using eight-year-old passwords.
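Administrative accounts with eight-year-old passwords are a finding that a routine directory audit should have surfaced long before a red team did. The script below is an added example, not the agency's or CISA's code; it assumes an export of Active Directory user objects as a list of dicts carrying `sAMAccountName`, `pwdLastSet`, `adminCount` and `memberOf` (the records are constructed), treats an account as privileged if `adminCount` is 1 or it belongs to a protected group, and reports password age against a fixed reference date. `pwdLastSet` is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC); the conversion helpers use integer arithmetic so large values do not lose precision.

```python
"""Report privileged AD accounts with passwords older than a threshold (added example)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME, using integer arithmetic only."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


# Fixed reference date so the audit is reproducible; a live run would use datetime.now(timezone.utc).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed export; account names and dates are invented.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "adminCount": 1, "memberOf": ["Domain Admins"],
     "pwdLastSet": datetime_to_filetime(datetime(2015, 3, 10, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "adminCount": 0, "memberOf": ["Domain Users"],
     "pwdLastSet": datetime_to_filetime(datetime(2014, 1, 5, tzinfo=timezone.utc))},
    {"sAMAccountName": "adm_ops", "adminCount": 1, "memberOf": ["Administrators"],
     "pwdLastSet": datetime_to_filetime(datetime(2023, 2, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_legacy", "adminCount": 1, "memberOf": ["Schema Admins"],
     "pwdLastSet": 0},  # 0 = must change password at next logon
]


def is_privileged(rec):
    """adminCount=1 (AdminSDHolder-protected) or direct membership in a protected group."""
    return rec.get("adminCount") == 1 or bool(PRIV_GROUPS & set(rec.get("memberOf", [])))


def stale_privileged_passwords(records, now=NOW, max_age_days=365):
    """(account, password age in days) for privileged accounts past the threshold, oldest first."""
    findings = []
    for rec in records:
        if not is_privileged(rec):
            continue
        ft = rec.get("pwdLastSet", 0)
        if ft == 0:
            continue  # no password age to measure; surface separately as a forced-change case
        age_days = (now - filetime_to_datetime(ft)).days
        if age_days > max_age_days:
            findings.append((rec["sAMAccountName"], age_days))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for name, days in stale_privileged_passwords(SAMPLE_USERS):
        print(f"{name}: privileged, password last set {days} days ago ({days / 365.25:.1f} years)")
```

Non-privileged accounts with old passwords (jdoe above) are a lesser finding and are left to the normal password-policy report; the point of this check is that privileged credentials age into the same plaintext files and reused passwords the report describes.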

Using various techniques and payloads, including harvested credentials, the team moved laterally within the network, targeted a System Center Configuration Manager (SCCM) server, and obtained an administrator’s session token that it used to access a domain controller and compromise the entire domain.

“After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network,” according to the CISA report.

In addition, the team was also able to compromise one of the agency’s partner organizations, which allowed it to perform a cross-organizational attack and access a second partner’s domain controller.

Five months after starting the assessment, CISA officially notified the federal agency’s security operations center (SOC) of the compromise and learned that the organization had not identified any of the SILENTSHIELD activity.

The red team then worked with the organization to help it improve its security stance, including its detection capabilities, log collection and analysis, forensic analysis, and monitoring and investigation management.

The assessment revealed that the organization lacked proper network defenses to detect and prevent intrusions, had insufficient network segmentation, lacked proper log collection, and applied a ‘known-bad’ detection approach, along with other shortcomings. Furthermore, the organization’s network defenders were affected by bureaucratic communication and decentralized teams.
