CISA Red Team Intrudes One FCEB Agency and Remains Persistent for Five Months



A red team exercise led by the US Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency in 2023 revealed a string of security failings that exposed the agency’s most critical assets.

CISA calls this type of assessment SILENTSHIELD: the red team picks a Federal Civilian Executive Branch (FCEB) agency to probe, does so without prior notice, and simulates the tradecraft of a long-term hostile nation-state threat group.

Initial access was gained by exploiting CVE-2022-21587 (CVSS score 9.8) in the target agency’s Oracle Solaris enclave, leading to what CISA said was a full compromise.

The bug is an unauthenticated remote code execution (RCE) flaw that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in February 2023. The red team’s initial intrusion took place on January 25, 2023, so the exploitation predated the KEV listing.

The red team promptly informed the organization’s trusted agents of the unpatched device, but it took the organization nearly two weeks to apply the available patch. Nor did the organization perform a thorough investigation of the affected servers, which would have turned up indicators of compromise (IOCs) and should have triggered a full incident response.

After gaining access to the Solaris enclave, the red team found it could not pivot into the Windows part of the network, because it lacked the credentials to do so; it nonetheless remained persistent for months with access to sensitive web applications and databases.

The red team managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful.

With that foothold, the red team deployed a persistent remote access trojan (RAT) and later discovered unsecured administrator credentials, which essentially meant game over for the agency being assessed.

CISA described the result as a “full domain compromise” that gave the attackers access to tier-zero assets. The team found a password file left behind by a previous employee on an open administrative IT share; it contained plaintext usernames and passwords for several privileged service accounts.

One of these accounts had administrative permissions on most servers in the domain. The passwords for the accounts in question had not been updated in over eight years, and the accounts were not enrolled in the organization’s identity management system.
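The two account hygiene failures described above (service-account passwords unchanged for eight years, privileged accounts outside identity management) are easy to find before a red team does. The following is an added audit example, not code from the article or from the CISA SILENTSHIELD report. It runs over constructed account records shaped like an LDAP export from Active Directory (pwdLastSet as a Windows FILETIME integer, adminCount, servicePrincipalName); the pam_enrolled field stands in for whatever the organization’s identity management system records and is an assumption.

```python
"""Stale-credential audit for privileged and service accounts.

Added example, not code from the article or the CISA SILENTSHIELD report.
Input records are constructed below in the shape of an Active Directory
LDAP export; 'pam_enrolled' is an assumed attribute standing in for the
organization's identity management enrollment status.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is stored as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Reference date for the sample run (the intrusion date named in the article).
AUDIT_DATE = datetime(2023, 1, 25, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME value to an aware datetime; 0 means 'never set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def audit_accounts(accounts, now: datetime, max_age_days: int = 365):
    """Return one finding per account that fails any of the checks below."""
    findings = []
    for acct in accounts:
        privileged = acct.get("adminCount") == 1
        is_service = bool(acct.get("servicePrincipalName"))
        last_set = filetime_to_datetime(acct["pwdLastSet"])
        reasons = []

        # Check 1: password age.  The report's accounts had gone 8+ years.
        if last_set is None:
            reasons.append("password never set")
        else:
            age = now - last_set
            if age > timedelta(days=max_age_days):
                reasons.append(f"password last set {age.days // 365} years ago")

        # Check 2: privileged accounts must be tracked by identity management.
        if privileged and not acct.get("pam_enrolled", False):
            reasons.append("privileged account not enrolled in identity management")

        # Check 3: an SPN-bearing account with admin rights is exactly the
        # high-impact Kerberoasting target the report describes.
        if is_service and privileged:
            reasons.append("service account (SPN) holds administrative rights")

        if reasons:
            findings.append({"account": acct["sAMAccountName"], "reasons": reasons})
    return findings


# Constructed sample export (not real data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "adminCount": 1,
     "servicePrincipalName": ["backup/srv01.corp.example"],
     "pwdLastSet": datetime_to_filetime(datetime(2014, 6, 1, tzinfo=timezone.utc)),
     "pam_enrolled": False},
    {"sAMAccountName": "svc_web", "adminCount": 0,
     "servicePrincipalName": ["http/web01.corp.example"],
     "pwdLastSet": datetime_to_filetime(datetime(2022, 11, 1, tzinfo=timezone.utc)),
     "pam_enrolled": False},
    {"sAMAccountName": "da_ops", "adminCount": 1, "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(datetime(2022, 12, 1, tzinfo=timezone.utc)),
     "pam_enrolled": True},
    {"sAMAccountName": "svc_legacy", "adminCount": 0, "servicePrincipalName": [],
     "pwdLastSet": 0, "pam_enrolled": False},
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(finding["account"], "->", "; ".join(finding["reasons"]))
```

Against the sample data, svc_backup trips all three checks and svc_legacy is flagged for never having had its password set; the two well-maintained accounts produce no findings. On a real domain the same checks would be fed from an LDAP query rather than the inline list.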

The red team also discovered that the victim organization had trust relationships with multiple external FCEB organizations; using the access it already had, CISA’s team pivoted into those organizations and performed Kerberoasting.

The team Kerberoasted one partner organization connected through such a trust relationship. CISA noted that, because of network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments.
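Kerberoasting leaves a recognizable trace on the domain controllers that issue the service tickets: a burst of successful Event 4769 records, requested with the RC4-HMAC encryption type, for several user-style service accounts from one requester. In the cross-trust case described above, those events are written by the partner organization’s domain controllers, so each side of a trust has to watch its own logs. The following is an added detection example, not code from the article or the CISA report. The event records are constructed inline using the field names Event 4769 carries (TargetUserName, ServiceName, IpAddress, TicketEncryptionType, Status); the threshold and window are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not code from the article or the CISA SILENTSHIELD report.
Event records are constructed below in the field names Event 4769 uses;
the alert threshold and time window are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23: RC4 tickets are the ones offline cracking tools prefer
SUCCESS = "0x0"


def is_roastable_service(name: str) -> bool:
    """Machine accounts ($) have long random passwords and krbtgt tickets are
    ordinary traffic; only user-style service accounts are of interest."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events, min_distinct=3, window=timedelta(minutes=5)):
    """Alert when one (user, source IP) pair obtains successful RC4 service
    tickets for at least `min_distinct` different service accounts within
    `window`.  One alert per requester."""
    requests = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != SUCCESS:
            continue
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if not is_roastable_service(ev["ServiceName"]):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        requests[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        # Slide a window anchored at each request and count distinct services.
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_distinct:
                alerts.append({"user": user, "ip": ip,
                               "services": sorted(services),
                               "first_seen": start.isoformat()})
                break
    return alerts


def _ev(t, user, svc, ip, etype, status="0x0"):
    """Build one constructed 4769 record."""
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": user,
            "ServiceName": svc, "IpAddress": ip,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample log (not real data): jdoe requests RC4 tickets for four
# service accounts in six seconds; the other entries are benign or filtered.
SAMPLE_EVENTS = [
    _ev("2023-01-25T09:00:00", "jdoe@CORP.EXAMPLE", "svc_sql", "10.0.0.5", "0x17"),
    _ev("2023-01-25T09:00:02", "jdoe@CORP.EXAMPLE", "svc_backup", "10.0.0.5", "0x17"),
    _ev("2023-01-25T09:00:03", "jdoe@CORP.EXAMPLE", "svc_web", "10.0.0.5", "0x17"),
    _ev("2023-01-25T09:00:05", "jdoe@CORP.EXAMPLE", "svc_http", "10.0.0.5", "0x17"),
    _ev("2023-01-25T09:00:06", "jdoe@CORP.EXAMPLE", "WS01$", "10.0.0.5", "0x17"),   # machine account, ignored
    _ev("2023-01-25T09:01:00", "asmith@CORP.EXAMPLE", "svc_sql", "10.0.0.9", "0x12"),  # AES, ignored
    _ev("2023-01-25T09:02:00", "asmith@CORP.EXAMPLE", "svc_web", "10.0.0.9", "0x17"),  # single RC4 request, below threshold
    _ev("2023-01-25T09:03:00", "bob@CORP.EXAMPLE", "svc_web", "10.0.0.12", "0x17", status="0x1b"),  # failed, ignored
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

The RC4 filter is the cheap signal; environments that have already disabled RC4 for service accounts would instead watch for AES ticket bursts against many SPNs, and the same sliding-window logic applies with the encryption-type check removed.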

SILENTSHIELD assessments can be carried out under relatively new powers granted to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that allow CISA’s Federal Attack Surface Testing (FAST) pentesting program to operate.

CISA said the exercise demonstrated the need for FCEB agencies to apply defense-in-depth principles: network segmentation was recommended, and the red team stressed the danger of over-relying on known IOCs.
