CISA: Federal Agency Hacked, Data Exfiltrated
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report detailing a cyberattack against a federal agency's enterprise network. The threat actor gained access to the unnamed agency's systems and exfiltrated data. The report describes the methods used to gain access to the network. The breach was detected through EINSTEIN, CISA's intrusion detection system. The threat actor maintained persistent network access through reverse SOCKS (Socket Secure) proxies.
This is the first time I've seen DHS/CISA put out a detailed public report on how an attack against a government agency succeeded. This one starts off with a litany of basic security hygiene failures: the attackers started out with admin credentials, admin accounts didn't seem to require 2FA for remote access, if a firewall was in place it seemed to have an "allow everything not explicitly denied" policy, VPN patches were not applied, etc. The details on the steps the attackers took show a number of "Living off the Land" techniques that Ed Skoudis detailed in his SANS "Most Dangerous New Attacks" keynote panel talk at this year's RSA.
This is an excellent write-up of how the system was compromised and how the attacker adjusted to available resources to continue to penetrate and exploit the system. This also reinforces the need for 2FA on internet-accessible services, especially email and remote access (e.g. VPN). Take a look at your network and make sure that not only strong authentication is required, but also patches are applied.