The Cybersecurity and Infrastructure Security Agency is reminding agencies and the public to patch known cyber vulnerabilities after a federal agency was hacked earlier this year by threat actors leveraging a bug in outdated software.
In a cyber advisory issued this week, CISA said unidentified threat actors exploited a vulnerability in older versions of Adobe ColdFusion software to gain access to the network of a federal civilian executive branch agency. The specific agency was not identified.
Analysis of the agency’s network logs confirmed the compromise of “at least two public-facing servers” within the agency’s environment between June and July of this year.
“Both servers were running outdated versions of software which are vulnerable to various [Common Vulnerabilities and Exposures],” CISA said in the advisory.
Adobe ColdFusion is a commercial application server and development platform for web applications. The vulnerability the attackers used in the summer intrusions had been published in the CVE database only in March, and it affects older, unpatched versions of ColdFusion. It allows a remote attacker to gain access to a vulnerable server and run arbitrary commands or code on it without requiring any action by legitimate users.
“Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network,” CISA said in its advisory. “No evidence is available to confirm successful data exfiltration or lateral movement during either incident.”
CISA also could not determine whether the same threat actor was responsible for both confirmed intrusions.
In the advisory, CISA recommended that organizations upgrade all affected software to patched versions and prioritize remediation of vulnerabilities on internet-facing systems. It also recommended network segmentation, enforcement of application control policies, and secure account management practices such as phishing-resistant multifactor authentication.
CISA plans to release ‘ReadySetCyber’ tool next year
The recommendations in the latest alert align with many of CISA’s cross-sector cybersecurity performance goals (CPGs), first published in October 2022 and updated earlier this year. In 2024, CISA plans to release a web application called “ReadySetCyber” that the agency says will help organizations understand their security gaps and how to meet the CPGs.
“So within a few minutes, an organization could actually have a package of cybersecurity information services and context to help them reduce their risk,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said Tuesday at CISA’s Cybersecurity Advisory Committee meeting in Carlsbad, California. “Given the scale of under resourced organizations, and the scale of the threat we are facing, this is one way to ensure that our services, our information, and our team members can scale to meet that challenge.”
CISA leaders are increasingly pointing to the performance goals as a baseline for how business leaders should think about managing cybersecurity risk, a topic officials say is too often ignored or misunderstood in C-suites and boardrooms.
“Frankly, the environment for [chief information security officers] is getting even more difficult and demanding given the threat environment that we are all operating in,” CISA Director Jen Easterly said at the advisory committee meeting.