Exploited vulnerabilities: a recipe for disaster
ThreatWorx
No scan, no agent, real-time, continuous proactive cyber hygiene powered by AI for your entire attack surface
Our previous article discussed how ransomware attacks thrive on exploiting a single vulnerability. In this article we look at a near-real attack scenario carried out by the Cybersecurity and Infrastructure Security Agency's (CISA) Red Team against a Federal Civilian Executive Branch (FCEB) organization.
The exercise took place in early 2023 as a SILENTSHIELD red team assessment conducted by CISA for an FCEB organization. In a SILENTSHIELD assessment the red team performs a no-notice, long-term simulation of nation-state cyber operations, and then works with the organization to address the weaknesses found during the exercise.
During the initial phase, the SILENTSHIELD team gained access by exploiting a known vulnerability in an unpatched web server in the victim's Solaris enclave. Although the team fully compromised the enclave, it was unable to move into the Windows portion of the network for lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. There it discovered unsecured administrator credentials, which allowed it to pivot freely throughout the Windows environment and resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations, and was able to abuse those trusts to pivot into one of the partner organizations.
It is important to note that the red team remained undetected by network defenders throughout the exercise; the organization only understood the full extent of the compromise afterwards, by running full diagnostics across all of its data sources.
Here is a timeline view of the exercise carried out by the CISA SILENTSHIELD team:
Details of the Adversary Emulation Phase
The CISA SILENTSHIELD red team conducted non-intrusive port scans of common ports and Domain Name System (DNS) enumeration. These efforts revealed that the organization's web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. The assessed organization had left this vulnerability unpatched for three months, and the red team exploited it for initial access.
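The lesson of this phase is that a known-exploited CVE sat unpatched for months on an internet-facing server. The script below, added here as an illustration and not code from the CISA report or from ThreatWorx, shows the kind of intelligence-led triage that would have surfaced it: scanner findings are checked against CISA's Known Exploited Vulnerabilities (KEV) catalog and ranked by exploitation evidence and days past the KEV due date, with CVSS used only as a tie-breaker. The KEV excerpt (including its dates), the hostnames and the findings are constructed sample data in the shape of the real feed; CVE-2099-0001 and CVE-2099-0002 are hypothetical identifiers that are deliberately absent from KEV.

```python
"""Rank scanner findings by whether the CVE is in CISA's Known Exploited
Vulnerabilities (KEV) catalog and how far past its remediation due date it is.
Added example; not code from the CISA report or ThreatWorx. The KEV excerpt and
the findings below are constructed sample data in the shape of the real feed."""
import json
from datetime import date

# Constructed excerpt in the JSON shape of the KEV feed published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Dates here are illustrative placeholders; pull the live feed for real triage.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-21587", "vendorProject": "Oracle",
         "product": "Web Applications Desktop Integrator",
         "dateAdded": "2023-02-02", "dueDate": "2023-02-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output: hostnames are fictitious, and CVE-2099-0001 /
# CVE-2099-0002 are hypothetical CVEs that are absent from the KEV excerpt.
FINDINGS = [
    {"host": "ebs-app-01.corp.example", "cve": "CVE-2022-21587", "cvss": 9.8},
    {"host": "build-07.corp.example", "cve": "CVE-2099-0001", "cvss": 9.9},
    {"host": "jira-02.corp.example", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"host": "fileshare-03.corp.example", "cve": "CVE-2099-0002", "cvss": 7.5},
]


def load_kev(raw_json: str) -> dict:
    """Index KEV entries by CVE ID so each finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def triage(findings: list, kev: dict, today: str) -> list:
    """Annotate each finding with KEV status and sort so that known-exploited,
    ransomware-linked and most-overdue CVEs come first; CVSS only breaks ties.
    `today` is an ISO date string (the as-of date for the overdue calculation)."""
    as_of = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            ranked.append({**f, "kev": False, "ransomware": False, "days_overdue": 0})
            continue
        due = date.fromisoformat(entry["dueDate"])
        ranked.append({**f, "kev": True,
                       "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                       "days_overdue": max(0, (as_of - due).days)})
    # Sort keys: in KEV first, ransomware-linked first, most overdue first, then CVSS.
    ranked.sort(key=lambda r: (not r["kev"], not r["ransomware"],
                               -r["days_overdue"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in triage(FINDINGS, load_kev(KEV_SAMPLE), "2023-05-15"):
        flag = "KEV" if r["kev"] else "   "
        print(f'{flag} {r["cve"]:15} {r["host"]:28} cvss={r["cvss"]:<4} '
              f'overdue={r["days_overdue"]}d ransomware={r["ransomware"]}')
```

Note what the ordering does: the hypothetical CVSS 9.9 finding on build-07 drops below the CVSS 9.8 Oracle finding because only the latter has exploitation evidence and an elapsed due date. Ranking by CVSS alone would have put the unexploited issue first.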
The exploit provided code execution on a backend application server that handled incoming requests from the public-facing web server. The red team used it to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT gave the team consistent command and control (C2) traffic.
The red team then cracked an account's password using a common password list to gain further access. Once they had obtained sudo/root access, they used it for lateral movement. While the red team was able to fully compromise the Solaris enclave, they could not move into the Windows network, so they launched a phishing attack against selected organization employees. An employee took the bait and the red team deployed a RAT on the user's workstation. They then obtained user-level persistence via a registry run key, collected and exfiltrated data from Active Directory, and began lateral movement, eventually managing to pivot to the organization's external trusted partners as well.
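The registry run key persistence step above is one of the few points in this chain that a defender could have caught with endpoint telemetry. The script below, added here as an illustration and not code from the CISA report or from ThreatWorx, runs a simple detection over Sysmon Event ID 13 (registry value set) records: it flags writes under the Run and RunOnce keys when the writing process is not a known installer or shell component, or when the configured payload lives in a user-writable location. The events, hostnames, SIDs and paths are constructed sample data, and the trusted-writer set and baseline value names are placeholders for what would be built from a clean fleet inventory.

```python
"""Flag Run/RunOnce registry writes that look like user-level persistence, from
Sysmon Event ID 13 (RegistryEvent: Value Set) records. Added example; not code
from the CISA report or ThreatWorx. The events, hostnames, SIDs and paths below
are constructed sample data; the allowlists are placeholders for a real baseline."""
import re

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Locations an unprivileged user can write to; a payload launched from here at
# logon is the classic shape of user-level persistence.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)
# Processes that legitimately write Run keys during installs and profile setup
# (placeholder set; tune to the environment).
TRUSTED_WRITERS = {"explorer.exe", "msiexec.exe", "svchost.exe"}
# Constructed baseline of value names already reviewed and accepted.
BASELINE_VALUES = {"OneDrive"}

# Constructed Sysmon events using the field names of the exported XML.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2023-02-17 14:03:11.120",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software"
                     "\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 13, "UtcTime": "2023-02-17 14:09:42.003",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software"
                     "\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "\"C:\\Users\\jdoe\\AppData\\Roaming\\svc\\update.exe\" -q"},
    {"EventID": 13, "UtcTime": "2023-02-17 15:30:00.500",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware User Process",
     "Details": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"},
    {"EventID": 11, "UtcTime": "2023-02-17 15:31:10.000",   # file create, not a registry event
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\ProgramData\\tmp\\a.exe"},
    {"EventID": 13, "UtcTime": "2023-02-17 15:31:12.250",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wupd",
     "Details": "C:\\ProgramData\\tmp\\a.exe"},
]


def payload_path(details: str) -> str:
    """Return the executable path from a Run value's data, honouring quoting."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def detect_run_key_persistence(events: list) -> list:
    """Return one alert per suspicious Run/RunOnce write, with the reasons."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        value_name = ev["TargetObject"].rsplit("\\", 1)[-1]
        if value_name in BASELINE_VALUES:
            continue
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        path = payload_path(ev.get("Details", ""))
        reasons = []
        if writer not in TRUSTED_WRITERS:
            reasons.append(f"written by {writer}")
        if USER_WRITABLE_RE.search(path):
            reasons.append("payload in user-writable location")
        if reasons:
            alerts.append({"time": ev["UtcTime"], "value": value_name,
                           "payload": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_run_key_persistence(SAMPLE_EVENTS):
        print(f'{a["time"]}  {a["value"]:10} {a["payload"]}  ({"; ".join(a["reasons"])})')
```

Of the five sample records, only the PowerShell write of "Updater" and the cmd.exe write of "wupd" are reported; the OneDrive entry is baselined and the msiexec write of a Program Files path matches neither rule. In production the baseline and trusted-writer lists are the part that needs care: too small and every software install pages someone, too large and the one entry an intruder adds blends in.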
All of this began with the exploit of a publicly known vulnerability!
Organizations still struggle to identify (that is, scan for) vulnerabilities and to prioritize them. ThreatWorx provides an effective approach to identifying vulnerabilities without the need for agents, along with intelligence-led prioritization, which drastically cuts down the patching burden.
For more details on how ThreatWorx can help you identify and prioritize vulnerabilities, please reach out to us at [email protected]
Interested readers can read the complete report from CISA here.