When Red Teams Go Unnoticed
Breach Steps


In 2023, a red team exercise by the Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency revealed critical security vulnerabilities. These SILENTSHIELD assessments are conducted without prior notice to simulate long-term hostile nation-state threats.

The red team exploited an unpatched vulnerability (CVE-2022-21587) in the agency's Oracle Solaris enclave, achieving a full compromise. CVE-2022-21587, an unauthenticated remote code execution bug, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in February 2023. The red team's initial intrusion occurred on January 25, 2023.

"After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. The organization also failed to perform a thorough investigation of the affected servers, missing indicators of compromise that should have led to a full incident response.

Two weeks after the red team accessed the system, exploit code for the vulnerability was released publicly, and an unknown third party exploited it. The CVE was added to the KEV catalog on February 2, 2023. Inclusion in the KEV catalog signals that a vulnerability is known to be exploited in the wild and sets a deadline by which federal agencies must patch it.

Despite high compliance rates, this case shows deadlines are not always met. At the Oxford Cyber Forum, CISA director Jen Easterly noted that "compliance is very high" without providing specific figures.

After gaining access to the Solaris enclave, the red team lacked the credentials needed to pivot into the Windows network. They obtained a foothold there by phishing unidentified members of the target agency.

Real adversaries might have used prolonged password-spraying attacks instead of phishing, given several service accounts had weak passwords. Once inside, the red team injected a persistent RAT and discovered unsecured admin credentials, leading to a full domain compromise. The attackers accessed tier zero assets, the most privileged systems.

"None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA reported.

The red team found a password file from a former employee on an open administrative IT share, containing plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, they identified accounts with extensive administrative privileges that had not been updated in over eight years.
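The stale, highly privileged accounts described above are something a defender can hunt for directly in directory data. The following is an added example, not code from the article or from CISA: it audits a constructed set of LDAP-style user records for enabled accounts whose password has not changed in more than a configurable number of days and which are either in a privileged group or carry a service principal name (the profile that kerberoasting targets). The group names, record shapes and sample accounts are assumptions for the example.

```python
from datetime import datetime, timezone

# Groups treated as Tier 0 / highly privileged (assumption for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample of directory records, shaped like an LDAP export of
# user objects. These are not accounts from the assessment.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["backup/srv01.corp.example"],
     "pwdLastSet": "2014-03-02T08:00:00Z", "enabled": True},
    {"sAMAccountName": "admin_jdoe", "memberOf": ["Domain Admins"],
     "servicePrincipalName": [],
     "pwdLastSet": "2022-12-01T09:30:00Z", "enabled": True},
    {"sAMAccountName": "svc_web", "memberOf": ["Domain Users"],
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "pwdLastSet": "2015-06-15T12:00:00Z", "enabled": True},
    {"sAMAccountName": "old_admin", "memberOf": ["Administrators"],
     "servicePrincipalName": [],
     "pwdLastSet": "2010-01-01T00:00:00Z", "enabled": False},
]

# Reference date for the audit: the date of the initial intrusion in the article.
AS_OF = datetime(2023, 1, 25, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse an ISO-8601 UTC timestamp such as 2014-03-02T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_accounts(accounts, as_of, max_age_days=365):
    """Return findings for enabled accounts whose password is older than
    max_age_days and which are privileged, carry an SPN, or both.

    Each finding holds the account name, the password age in days and the
    reasons it was flagged, sorted with the oldest password first.
    """
    findings = []
    for acct in accounts:
        if not acct.get("enabled", True):
            continue  # disabled accounts are out of scope for this check
        age_days = (as_of - parse_timestamp(acct["pwdLastSet"])).days
        if age_days <= max_age_days:
            continue
        reasons = []
        if PRIVILEGED_GROUPS & set(acct.get("memberOf", [])):
            reasons.append("stale_privileged")
        if acct.get("servicePrincipalName"):
            # A service account with an SPN and an old, possibly weak password
            # is exactly what a kerberoasting attempt would go after.
            reasons.append("stale_service_principal")
        if reasons:
            findings.append({"name": acct["sAMAccountName"],
                             "password_age_days": age_days,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["password_age_days"], reverse=True)


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(finding)
```

Against real directory data you would feed the function the output of an LDAP query instead of the constructed list; the point is that a password age measured in years on a Domain Admin or SPN-bearing account is a finding on its own, before anyone has to read a password file on a share.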

The red team discovered trust relationships with multiple external FCEB organizations, which they exploited. They used kerberoasting to gain credentials from one partner organization but couldn't move laterally due to low privileges. They then exploited a second trusted partner organization, where kerberoasting yielded a more privileged account with a crackable password.

CISA emphasized that cross-organizational attacks are rarely tested due to network ownership, legal agreements, and vendor opacity. However, SILENTSHIELD assessments, enabled by the FY21 National Defense Authorization Act (NDAA), allow for such testing.

For the first five months of the assessment, the target agency failed to detect or remediate any SILENTSHIELD activity, raising concerns about its ability to spot genuine malicious activity. Detection issues were suspected early on. For example, the RAT injected during the Solaris phase caused 8GB of network traffic to flow through its C2 without alerting anyone at the agency.

After CISA intervened, weekly meetings with the agency's security team and sysadmins led to "measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft."

A key issue discussed was the agency's log collection, deemed "ineffective and inefficient." Several problems hindered log collection, and CISA's compromise of the Solaris and Windows hosts had a significant effect of its own, since the packet capture running on those hosts disrupted the collection process.

The agency also relied too heavily on known indicators of compromise (IoCs) for detecting intrusions. System misconfigurations and procedural issues further hindered network activity analysis.
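The 8 GB of unnoticed C2 traffic and the over-reliance on known IoCs describe the same detection gap from two sides, so one added example covers both. This is example code, not from the article or from CISA: over a constructed set of flow records it runs an indicator-only check (does the destination appear on a bad-IP list?) beside a behaviour-based check (does one host-to-destination pair move far more data than the rest?) and shows that only the second catches a host beaconing large volumes to an uncatalogued address. The IP list, host names and byte counts are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed IoC list of known-bad destinations (documentation-range IPs).
KNOWN_BAD_IPS = {"198.51.100.7"}

# Constructed flow records (src_host, dst_ip, bytes_out). The two
# solaris-app01 entries stand in for a RAT pushing several gigabytes
# through a C2 address that no indicator feed has listed yet.
SAMPLE_FLOWS = [
    ("solaris-app01", "203.0.113.45", 3_500_000_000),
    ("solaris-app01", "203.0.113.45", 4_900_000_000),
    ("ws-042", "198.51.100.7", 12_000),
    ("ws-017", "203.0.113.10", 250_000),
    ("ws-021", "203.0.113.10", 180_000),
    ("ws-033", "203.0.113.22", 90_000),
]


def ioc_hits(flows, iocs):
    """Indicator-based detection: flag only flows to a listed destination."""
    return sorted({(src, dst) for src, dst, _ in flows if dst in iocs})


def egress_by_pair(flows):
    """Sum outbound bytes per (source host, destination) pair."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return dict(totals)


def egress_outliers(flows, factor=50):
    """Behaviour-based detection: flag pairs whose total outbound volume
    exceeds `factor` times the median pair volume, whatever the destination."""
    totals = egress_by_pair(flows)
    if not totals:
        return []
    baseline = median(totals.values())  # median is robust to the outlier itself
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total > factor * baseline)


def run_detections(flows, iocs, factor=50):
    """Run both detectors and return their findings side by side."""
    return {"ioc": ioc_hits(flows, iocs),
            "behavioral": egress_outliers(flows, factor)}


if __name__ == "__main__":
    for kind, hits in run_detections(SAMPLE_FLOWS, KNOWN_BAD_IPS).items():
        print(kind, hits)
```

The median baseline is deliberate: a mean would be dragged up by the very transfer you are trying to spot. In practice the baseline would come from a longer history per host or per host class rather than from a single batch, but the shape of the check is the same.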

CISA recommended applying defense-in-depth principles, with multiple layers of detection and analysis measures for maximum effectiveness. Network segmentation was advised, and the danger of over-relying on known IoCs was stressed.

CISA's communiqué also promoted its secure-by-design initiative, noting that insecure software contributes to the issues faced by the target agency. They reiterated calls to eliminate default passwords, provide free logging to customers, and for vendors to work with SIEM and SOAR providers to enhance log usage.


Source: https://www.theregister.com/2024/07/12/cisa_broke_into_fed_agency/

David Larsen

IT Audit Professional (Principal Specialist Role), CISA, CISSP (Pending)

4 months

An interesting read
