CISA review: ‘Low hanging’ cyber lapses plague critical infrastructure

CISA assessment teams have been emulating China-linked threat groups, like Volt Typhoon, to test the cyber defenses of critical infrastructure.

Phishing, stolen credentials, and other lapses in basic cybersecurity continue to be a primary avenue available to hackers, including China-linked threat groups such as “Volt Typhoon,” looking to infiltrate U.S. critical infrastructure networks.

That’s the upshot from a new analysis released today by the Cybersecurity and Infrastructure Security Agency. The report breaks down the results of 143 Risk Vulnerabilities and Assessments (RVAs) CISA and the U.S. Coast Guard completed in fiscal 2023. The teams probed the cyber defenses of organizations across multiple critical infrastructure sectors.

Ultimately, CISA and Coast Guard teams found they could infiltrate networks using some of the most common attack methods available, such as phishing, valid accounts, and default passwords.

“These are really low hanging things that you don’t actually need to be a sophisticated threat actor to take advantage of,” Chris Hilde, chief of risk insights within CISA’s vulnerability management branch, said in an interview with Federal News Network.

“When we talk about nation state threats and things like that, they’re going path of least resistance, just like anybody kind of would,” Hilde added. “So we still need to be looking at how can we collectively clean up some of this low hanging fruit in order to make the adversary’s job more difficult.”

The red flags raised in CISA’s report come amid a steady drumbeat of warnings about cyber threats to critical infrastructure. U.S. officials earlier this year said the China-linked Volt Typhoon had compromised the networks of organizations across multiple sectors, including communications, energy and water. The Chinese government denies those claims.

In the latest RVA report, CISA ties many of its findings to the techniques used by Volt Typhoon and other China-connected groups. Hilde said the goal is to emphasize to critical infrastructure operators that the threat of exploitation isn’t just theoretical.

“One of the challenges we have is to change the mindset, particularly within organizations that are not associated with national security, typically that are outside of the federal or even state governments,” Hilde said. “Things that typically we don’t think about as national security, like a water system or a transportation system, they all come into play now, because you can reach out and touch them remotely as a cybersecurity threat actor.”

During the assessments, CISA’s teams emulated the tactics that Volt Typhoon and other China-linked groups would use.

“The thought process is, if we can do this, then the threat actor – who can be more sophisticated in some ways or more surreptitious – can probably do the same sort of thing,” Hilde said.

In most cases, however, CISA’s teams found they didn’t need sophisticated tactics to gain access.

“Sometimes the team will have ideas in mind to use some of the tactics, techniques and procedures that we might attribute to a nation state actor, but we’re still able to get in via phishing,” Hilde said.

The use of “valid accounts” was the most successful initial attack vector in the fiscal 2023 RVAs, responsible for 41.28% of cases where CISA’s teams gained initial access to a network. Attackers gain access to valid accounts by using default or stolen administrator accounts, or by using accounts of former employees who haven’t been removed from the network’s Active Directory.

In 26.3% of cases, clicking on a spearphishing link allowed CISA’s teams to gain initial access. Brute force password cracking was the next most successful attack avenue with a 9.48% success rate.

Once hackers are inside an environment, Hilde said the goal is to “escalate privileges as much as possible” to gain further access to systems and sensitive data. CISA’s assessment teams showed that attackers can do that by using shared user accounts and administrative credentials.

“Now they have administrator privileges across the system and network,” Hilde explained. “So you know we are looking and trying to talk to folks about how to get rid of your default credentials. Try to eliminate passwords. Cycle passwords if you can make them long enough and strong enough. And also make sure that you’re enforcing least privileges for your users.”

CISA’s report recommends organizations adopt CISA’s voluntary cross-sector cybersecurity performance goals. Hilde said the agency will typically present its findings to an assessed organization’s leadership to discuss the results and areas for improvement.

“We expect to kind of go through this again next year and see if the messaging over the last year about PRC threats, and other threats that CISA has been very public about, have maybe tipped the scales at all or influenced risk decision making amongst the folks that have worked with us over the past year,” Hilde said.
