CISA and USCG conducted a proactive hunt engagement at a U.S. critical infrastructure organization, finding no malicious activity but identifying significant cybersecurity risks including shared local admin credentials and insufficient network segmentation between IT and OT environments. The advisory provides detailed recommendations and mitigations to improve cybersecurity posture, aligning with CISA, NIST, and CGCYBER guidelines. #CISA #USCG #LocalAdminCredentials #NetworkSegmentation #SCADA #MITREATTACK
Keypoints
- CISA and USCG performed a threat hunt at a critical infrastructure organization without detecting malicious cyber activity but revealed multiple cybersecurity weaknesses.
- Critical findings included local administrator credentials shared across workstations, with the same (non-unique) passwords stored in plaintext in scripts, creating lateral movement risk.
- Insufficient network segmentation allowed non-privileged IT users potential direct access to OT networks such as SCADA VLANs.
- Logging and log retention were inadequate, limiting detection and investigation capabilities for anomalous or malicious behavior.
- Additional technical issues included insecure IIS sslFlags settings, which create potential interception risks, and centralized SQL connection strings combined with weak password-length policies.
- Recommended mitigations included enforcing unique credentials with multifactor authentication, strengthening network segmentation and bastion host configurations, and improving logging and log retention.
- The advisory aligns mitigations with CISA and NIST Cybersecurity Performance Goals and CGCYBER 2024 CTIME report recommendations to protect critical infrastructure.
MITRE Techniques
- [T1078.003] Valid Accounts: Use of credentials obtained for local administrator accounts to gain admin access and enable lateral movement (“…used the credentials found in one of the scripts to log into its associated admin account locally on a workstation…”).
- [T1098] Account Manipulation: Modifying or creating accounts to escalate privileges or maintain persistence (“…malicious cyber actors can modify existing accounts or create new accounts…”).
- [T1059] Command and Scripting Interpreter: Use of PowerShell scripts to execute commands against OT systems (“…execute commands and scripts using scripting languages like PowerShell…”).
- [T1547] Boot or Autostart Execution: Configuring autostart execution paths for persistence.
- [T1574] Hijack Execution Flow: Injecting malicious code by hijacking application execution.
- [T1484] Domain or Tenant Policy Modification: Modifying domain policies to escalate privileges or evade defenses.
- [T1112] Modify Registry: Installing malicious browser extensions on compromised systems.
- [T1562.010] Impair Defenses: Downgrade Attack: Exploiting legacy SSL/TLS configurations to downgrade encryption (“…the misconfigured sslFlags could enable threat actors to attempt an adversary-in-the-middle attack…”).
- [T1552.001] Unsecured Credentials: Credentials in Files: Searching for credentials stored in plaintext scripts (“…passwords stored in plaintext in the script…”).
- [T1003] OS Credential Dumping: Extracting credentials from memory or storage of unsecured workstations.
- [T1557] Adversary-in-the-Middle: Intercepting credentials and data via compromised TLS communications.
- [T1110.001] Brute Force: Password Guessing: Attempted password guessing attacks against weak passwords.
- [T1110.002] Brute Force: Password Cracking: Cracking plaintext passwords to gain unauthorized access.
- [T1110.003] Brute Force: Password Spraying: Using common passwords across accounts.
- [T1110.004] Brute Force: Credential Stuffing: Using credentials from unrelated breaches to gain access.
- [T1049] System Network Connections Discovery: Mapping network connections to identify OT paths.
- [T1016] System Network Configuration Discovery: Discovering network configurations via unsecured workstations.
- [T1021.001] Remote Services: Remote Desktop Protocol: Using RDP with valid credentials for lateral movement (“…establish a Remote Desktop Protocol (RDP) connection to another workstation…”).
- [T1021.004] Remote Services: SSH: Using SSH for lateral movement.
- [T1071] Application Layer Protocol: Communicating with compromised systems over standard protocols to blend with legitimate traffic.
Indicators of Compromise
- [File Hashes] Local admin credential scripts containing plaintext passwords – examples include batch script files used to create local admin accounts with stored passwords in cleartext.
- [Network Ports] Open port 21 (FTP) accessible between IT and SCADA VLANs – demonstrates insufficient network segmentation allowing FTP connections.
- [Configuration Files] IIS ApplicationHost.config with sslFlags=“0” – misconfigured HTTPS bindings on production servers.
- [Configuration Files] machine.config with centralized SQL connection strings and weak password length configuration – indicating shared credentials and low password security.
- [User Accounts] Shared local administrator account credentials across multiple workstations – non-unique password usage enabling lateral movement potential.
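As an added defender-side example (not part of the advisory summary or any CISA tooling), the following Python audit flags the two configuration indicators listed above in constructed applicationHost.config and machine.config snippets. The element names (site/bindings/binding, security/access, connectionStrings/add, membership provider add) and the 15-character threshold are assumptions about typical IIS and ASP.NET layouts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, not taken from the advisory, showing both findings.
APPHOST_XML = """<configuration>
  <system.applicationHost><sites><site name="Prod">
    <bindings>
      <binding protocol="https" bindingInformation="*:443:" sslFlags="0" />
    </bindings>
  </site></sites></system.applicationHost>
  <location path="Prod"><system.webServer><security>
    <access sslFlags="None" />
  </security></system.webServer></location>
</configuration>"""

MACHINE_XML = """<configuration>
  <connectionStrings>
    <add name="Plant" connectionString="Server=db;User Id=sa;Password=Summer2024" />
  </connectionStrings>
  <system.web><membership><providers>
    <add name="Sql" minRequiredPasswordLength="6" />
  </providers></membership></system.web>
</configuration>"""

def audit_iis(xml_text):
    """Return (scope, finding) pairs for explicit sslFlags values of 0 / None."""
    findings = []
    root = ET.fromstring(xml_text)
    for site in root.iter("site"):          # https bindings with sslFlags="0"
        for b in site.iter("binding"):
            if b.get("protocol") == "https" and b.get("sslFlags") == "0":
                findings.append((site.get("name"), "https binding sslFlags=0"))
    for loc in root.iter("location"):       # access element that does not require SSL
        for acc in loc.iter("access"):
            if acc.get("sslFlags", "").lower() in ("0", "none"):
                findings.append((loc.get("path"), "access sslFlags=None: SSL not required"))
    return findings

def audit_machine_config(xml_text, min_len=15):
    """Flag cleartext passwords in connection strings and short password minimums."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if re.search(r"(?i)\b(password|pwd)=", add.get("connectionString", "")):
            findings.append((add.get("name"), "cleartext password in connection string"))
        length = add.get("minRequiredPasswordLength")
        if length is not None and int(length) < min_len:   # CISA CPG 2.B: 15+ chars
            findings.append((add.get("name"), f"minRequiredPasswordLength={length}"))
    return findings
```

Run both functions over exported copies of the real configuration files; each returned pair names the site, location or connection string that needs remediation.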
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-212a