A virtual private network vulnerability that has been known since December. Stolen credentials of a power user. A poorly configured firewall. It didn’t take long for the hacker to own this unnamed federal agency.
In what was a matter of days, maybe weeks, this bad actor, possibly a nation state given how sophisticated the attack was, set up two remote command-and-control points, reviewed email and other documents to look for passwords and started network hopping to find more valuable data and information.
And now the Cybersecurity and Infrastructure Security Agency at the Homeland Security Department is laying out what happened with depth and specificity rarely seen in a public way. Without a doubt, CISA is telling other agencies, “Don’t let this happen to you.”
The use case, gently titled “Federal Agency Compromised by Malicious Cyber Actor,” is a detailed example of what happens when your agency’s cyber hygiene is poor, a problem exacerbated by the surge in remote workers.
“COVID-19 has undermined the cybersecurity of U.S. agencies. Telework and a 400% increase in attacks have allowed for intrusions. Telework places a huge strain on IT and security resources and these skeleton crews have lost both visibility and the capacity to harden these remote systems,” said Tom Kellermann, head of cybersecurity strategy for VMware. “This attack illustrates the greater problem of overreliance on VPNs to protect these systems. The current security posture of perimeter defense is ineffective against the kill chains of 2020.”
Kellermann said while it’s hard to tell if this was a small or large agency impacted by the attack, all signs point to the hacker being from a nation state like Russia or China.
“Given the level of sophistication that we see here, it’s pretty clear that it’s a nation state because it doesn’t necessarily fit the operations of cyber criminals or hacktivists,” he said. “Nation states tend to set up two command and control points that were encrypted, and the fact that CISA was not sure how they compromised the user’s credentials, it means the adversary likely bypassed two-factor authentication. This was a highly sophisticated group who used a multi-stage attack, and most likely wanted to move laterally across government agencies. I think that is why there is so much detail in this warning.”
John Pescatore, the director of emerging security trends at the SANS Institute, said this incident has all the characteristics of a “living off the land” attack.
Symantec described “living off the land attacks” as those “where attackers take advantage of native tools and services already present on targeted systems,” which have grown in popularity over the last few years.
CrowdStrike says living-off-the-land (LOTL) attacks generally do not involve malware and have become more popular among those who support cyber espionage, with 40% of all global attacks in 2018 not involving malware, meaning that they relied entirely on built-in programs.
“The bad guys figured out with living off the land attacks that if they get credentials and use those capabilities they can’t tell us from the administrators and the malware detection will not go off,” Pescatore said. “A lot of what is described in the use case, the use of PowerShell and SOCKS proxies, use the operating system to attack itself.”
Pescatore said once the hacker owned the machine from the inside, it was just a matter of communicating to the outside to exfiltrate data or move from network to network.
“Sounds like whatever agency this was had a poorly configured firewall because it let anything on the inside talk to the outside based on the high number of ports that were open,” he said. “The attacker seemed to combine a lot of known techniques, and there were a lot of security hygiene mistakes like why the administrator didn’t have two-factor authentication implemented? Why the firewall was configured to allow all the outbound traffic?”
While the case study is a new way of presenting this type of cyber attack, CISA alerted agencies to similar concerns in August with the release of a capacity enhancement guide for remote devices outside the agency’s network. CISA said the guide is in response to reported VPN bandwidth constraints that are impacting the timely patching of roaming devices and degrading or interrupting other vital services that employees or citizens are accessing remotely.
The guide aimed to build upon the recommendations CISA put forward with the Trusted Internet Connections 3.0 telework guidance in April.
“[W]hen routing traffic through agency campus networks, agencies face challenges related to virtual private network (VPN) bandwidth constraints, which are impacting the timely patching of roaming devices and degrading or interrupting other vital services being accessed from roaming devices. These significant delays in patching leave roaming devices susceptible to common vulnerabilities and threats,” CISA wrote in the guidance. “Recent increases in teleworking have amplified these issues and made securing roaming devices even more challenging.”
CISA recommended nine ways agencies can implement cloud-based remote vulnerability and patch management capabilities, including centrally managing devices, configuring devices to disable receiving automatic updates for the operating system and individual software directly from vendors, and ensuring cloud services include an agency-managed patch repository.
In the use case, CISA also recommends agencies take several steps, including employing an enterprisewide firewall, closing down ports that aren’t in use and implementing the principle of least privilege on data access.
VMware’s Kellermann said agencies continue to over-rely on VPNs and adversaries are getting better at taking over encrypted tunnels.
“VPN tunnels allow for trusted traffic on the network and the hacker masked its efforts because it was in those tunnels,” he said. “The only way CISA or the agency saw what was going on is because they saw data leaving the systems. At that point, it’s almost too late, and the real concern is if the adversary moved laterally and was island hopping between networks.”
Kellermann said the threat of cyber attacks is only getting worse, particularly because of the pandemic and surge of remote workers. He said new data from VMware shows cyber criminals are emboldened and doing more to attack and take over networks.
“We will release new data soon that shows 82% of the time we are seeing counter incident response where the adversaries are fighting back,” he said. “They are deleting logs or manipulating time stamps. They are committing destructive attacks such as dropping in ransomware without asking for money just to be mean.”