CISA Cybersecurity Drill Reveals Critical Infrastructure Vulnerabilities

December 3, 2024

The US Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive cybersecurity exercise designed to simulate a cyber attack on a critical infrastructure provider. The purpose of this exercise was to identify weaknesses within the organization and propose improvements to its security measures. The exercise revealed several significant vulnerabilities, demonstrating the potential for serious breaches if network security systems are not properly layered and maintained.

Discovery and Exploitation of Web Shell

Initial Reconnaissance and Spear Phishing Campaign

CISA’s red team was tasked with this simulation and initiated the operation with no prior knowledge of the target organization’s technology assets. By conducting thorough open-source research, the red team aimed to understand the organization’s network structure, defensive tools, and employee profiles. This foundational knowledge set the stage for their next move—a spear phishing campaign targeting 13 employees who were likely to communicate with external parties frequently. Persistence proved vital, as after multiple attempts, a single employee ran two malicious payloads. Fortunately, these initial attempts were intercepted by the organization’s existing security systems, halting the immediate threat.

However, the red team remained undeterred. Utilizing publicly available reconnaissance tools like Shodan and Censys, they identified devices and services exposed to the internet. Their efforts paid off when they discovered an old, unpatched service harboring a known XML External Entity (XXE) vulnerability. Armed with a publicly known proof-of-concept exploit, they executed the attack and found an existing web shell on a Linux web server. This discovery enabled the team to deploy their own web shell, thereby gaining an initial foothold within the organization’s network and setting the stage for further exploitation.

Identifying and Exploiting Vulnerabilities

With the web shell in place, the red team leveraged it to run various commands on the compromised server. During this phase, they located an internal proxy server exposed to external access, allowing them to establish a command and control (C2) channel. The team then escalated their privileges, discovering overly permissive access controls that could be exploited to execute commands with root privileges, all without the need for a password. This root-level access granted them the ability to control and manipulate the organization’s directory and file structures on a Network File System (NFS) share, which had the problematic “no_root_squash” option enabled.

Gaining root access yielded extensive control over the NFS share, including the home directories for hundreds of Linux users, many with elevated server permissions. This critical flaw allowed the red team to secure 61 private SSH keys and uncover a cleartext file containing valid domain credentials. These findings enabled further unauthorized access across the organization’s domain. Furthermore, the team established persistent access on four Linux servers, utilizing different persistence mechanisms for each server to evade detection.

Escalation and Command and Control

Gaining Root Access and Establishing Persistence

The red team’s acquisition of root access represented a significant escalation in the attack. Using this elevated level of control, they were able to run commands and navigate through the organization’s network infrastructure. The red team identified an internal proxy server that was accidentally exposed, which they used to establish a robust command and control (C2) infrastructure. By doing so, they maintained their grip on the compromised network and orchestrated further penetrative actions. The root access they had obtained uncovered overly permissive controls, specifically on an NFS share configured with the “no_root_squash” option, amplifying the extent of their reach.

By exploiting these access privileges, they gained full control over the organization’s directories and files hosted on the NFS share. This share contained vital information, including the home directories for numerous Linux users with privileged server access. The red team’s access to these directories allowed them to acquire 61 private SSH keys and extract a cleartext file harboring valid domain credentials. Armed with these credentials, the team expanded their unauthorized domain control significantly.

Compromising User Credentials and Expanding Access

The chain of compromises continued as the red team utilized the newly acquired credentials and SSH keys. Gaining such extensive access, they entrenched themselves within the network by establishing persistent accesses across four Linux servers. Employing distinct persistence mechanisms on each server aimed at complicating detection and removal by the organization’s security team. The red team then exploited their privileged position to gain root access to an infrastructure management server, specifically one running Ansible Tower, situated near sensitive business systems.

This high-level compromise of the infrastructure management server permitted deeper network penetration. Leveraging this server, they infiltrated six additional systems spreading across diverse IP ranges. Despite their pervasive access and the potential to maintain a presence for extended periods, the organization’s security team detected irregular activities. Specifically, one week post-breach, they noticed abnormal behavior consistent with a root SSH private key being used to log into multiple hosts at unusual times and durations. This anomaly raised red flags, leading the organization to recognize the intrusion.

Detection and Response

Anomaly Detection and Initial Response

Despite the red team’s extensive access and capability to remain undetected for several weeks, the organization’s security team eventually caught onto the unusual activities emanating from a compromised root SSH private key. This key was used to log into various hosts at odd times and for extended durations, signaling anomalies that warranted further investigation. The recognition of these abnormal patterns facilitated the detection of the intrusion, setting off an initial response to mitigate the damages. The ability to identify such unusual behaviors underscores the importance of vigilant monitoring and anomaly detection within cybersecurity practices.

CISA aptly noted that had this been a genuine cyber attack, the operational disruption caused by shutting down the compromised server would have had significant repercussions on business continuity. The prompt detection of the breach allowed the organization to initiate containment and remediation steps, effectively reducing the potential fallout from the cyber incident. This aspect of timely detection and swift response is essential in minimizing the impacts of cyber intrusions. This illustrates the value of continuous monitoring and anomaly-based detection mechanisms.

Compromising Windows Domain Controller

In addition to the exploitation of the web shell and Linux servers, the red team extended their penetration to encompass a Windows domain controller. This escalation allowed them to steal administrative credentials and pivot laterally across all domain-connected Windows hosts within the organization. Their expanded access included various critical business systems and even administrative workstations. Though restricted by time constraints, preventing a complete compromise, this episode showcased the breadth of vulnerabilities that could be exploited within a critical infrastructure network, highlighting potential risks under actual attack scenarios.

By infiltrating the Windows domain controller, the red team demonstrated the critical need for robust security measures across diverse operating environments. The seizure of such essential components within the network further illustrated the potential for vast disruption and data exfiltration in real-world cyber threats. It emphasized the necessity for comprehensive security measures spanning both Linux and Windows ecosystems to mitigate risks across organizational infrastructure.

Key Lessons and Recommendations

Importance of Layered Security

The simulated attack highlighted the paramount importance of implementing layered security frameworks within critical infrastructure organizations. In this case, the target organization displayed a concerning deficiency in technical controls at the network layer. Instead, they heavily relied on host-based endpoint detection and response (EDR) solutions, which proved inadequate under persistent, targeted attacks. Effective cybersecurity demands multifaceted defenses, incorporating both host-based and network-based protective measures.

Layered security extends beyond mere endpoint protection, encompassing robust network-level defenses, vigilant monitoring systems, anomaly detection mechanisms, and continuous threat intelligence integration. The lessons from this exercise underscore that where one layer may falter, others should compensate, collectively fortifying the organization’s security posture against escalated intrusions.

Regular Training and Support

In addition to robust technical defenses, the necessity for persistent training and support for staff emerged as a significant takeaway from the exercise. Employees must be adequately trained to configure software correctly and to recognize indicators of malicious activities proliferating within the network. Continuous education and awareness initiatives significantly enhance an organization’s resilience against sophisticated cyber threats. Proper training ensures employees remain vigilant and well-prepared to respond promptly to emerging cyber threats, reinforcing the organization’s overall defensive capabilities.

Moreover, maintaining a security-conscious culture within critical infrastructure organizations catalyzes proactive threat detection and incident response, supporting continuous improvements in alignment with evolving cybersecurity paradigms.

Prioritization of Known Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently carried out an extensive cybersecurity drill aimed at simulating a cyber attack on a vital infrastructure provider. This exercise was designed with the goal of uncovering weaknesses within the organization and suggesting improvements to enhance its security measures. Throughout the exercise, several critical vulnerabilities were discovered, underscoring the risk of severe breaches if network security systems are not adequately layered and maintained.

Additionally, this simulation exercise offered invaluable insights into the current state of cybersecurity readiness and resilience of the provider. The identified vulnerabilities highlighted the urgent need for robust, multi-layered defensive strategies and continuous monitoring to ensure the security of sensitive infrastructure.

By conducting such exercises, CISA aims to strengthen the nation’s preparedness against potential cyber threats and improve the overall stability and security of critical infrastructure systems, thereby safeguarding essential services from possible cyber attacks.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later