The Register

CISA roasts unnamed critical national infrastructure body for shoddy security hygiene

CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong.

The US cybersecurity agency, along with experts from the US Coast Guard (USCG), identified myriad weaknesses in the mystery organization’s approach to security, including storing credentials in plaintext.

Threat hunters did not find any signs of foul play, nor any malicious activity on the network, but published an extensive report of their findings on Thursday, highlighting risks such as:

  • Insufficient logging
  • Insecurely stored credentials
  • Shared local admin credentials across many workstations
  • Unrestricted remote access for local admin accounts
  • Insufficient network segmentation configuration between IT and operational technology assets
  • Device misconfigurations

CISA’s report did not explicitly state that the critical infrastructure organization in question operated in the marine industry. However, the fact that it collaborated with the USCG, and that many of its findings overlapped with those of Coast Guard Cyber Command’s 2024 trends, suggests the subject of the report was of interest to both authorities.

This organization’s most serious offense was sharing local admin accounts, which were protected by non-unique passwords that were stored in plaintext, according to CISA, which ranked the risks in order of severity.

The agency said “a few” of these accounts were found – only on workstations, not servers or devices – and they were shared among many hosts. Their credentials were stored in plaintext batch scripts used to create admin accounts with identical, non-expiring passwords.

“The storage of local admin credentials in plaintext scripts across numerous hosts increases the risk of widespread unauthorized access, and the usage of non-unique passwords facilitates lateral movement throughout the network,” CISA wrote in its report. “Malicious actors with access to workstations with either of these batch scripts could obtain the passwords for these local admin accounts by searching the file system for strings like net user /add, identifying scripts containing usernames and passwords, and accessing these accounts to move laterally.”
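The batch-script pattern CISA describes is something a defender can audit for before anyone else does. The script below is an added example, not code from CISA's report or The Register: it walks a directory of batch files collected from workstations (one subdirectory per host, a constructed layout assumed here), flags `net user` lines that carry an inline password, notes which of those accounts are then added to the local Administrators group or created with `/expires:never`, and reports passwords reused across hosts by comparing a truncated hash rather than the secret itself.

```python
"""Audit collected batch scripts for plaintext local-account credentials.

Added example (not CISA's or The Register's code). Assumes scripts were
gathered into <root>/<HOSTNAME>/... ; the sample tree below is constructed.
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path

# "net user <name> <password> [/add ...]" with an inline password. A quoted
# password may contain spaces; "*" means "prompt for it" and is not flagged.
NET_USER_PW = re.compile(
    r'^\s*@?net\s+user\s+"?(?P<user>[^\s"/][^\s"]*)"?\s+'
    r'(?:"(?P<pw_q>[^"]+)"|(?P<pw>[^\s/"][^\s]*))(?P<opts>.*)$',
    re.IGNORECASE | re.MULTILINE,
)
# "net localgroup Administrators <name> /add" marks the account as local admin.
LOCALGROUP_ADMIN = re.compile(
    r'^\s*@?net\s+localgroup\s+"?administrators"?\s+"?(?P<user>[^\s"/][^\s"]*)"?\s+/add\b',
    re.IGNORECASE | re.MULTILINE,
)


@dataclass(frozen=True)
class Finding:
    host: str
    script: str
    line_no: int
    user: str
    is_admin: bool        # account is also added to local Administrators
    non_expiring: bool    # created with /expires:never
    pw_fingerprint: str   # truncated SHA-256 of the password, never the password


def fingerprint(password: str) -> str:
    # Enough to show reuse across hosts in a report without writing the
    # secret down; the report is still sensitive and should be handled as such.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def scan_script(host: str, script: str, text: str) -> list[Finding]:
    admins = {m.group("user").lower() for m in LOCALGROUP_ADMIN.finditer(text)}
    findings = []
    for m in NET_USER_PW.finditer(text):
        password = m.group("pw_q") or m.group("pw")
        if password == "*":
            continue  # interactive prompt, nothing stored in the file
        opts = m.group("opts").lower()
        findings.append(Finding(
            host=host, script=script,
            line_no=text.count("\n", 0, m.start()) + 1,
            user=m.group("user"),
            is_admin=m.group("user").lower() in admins,
            non_expiring="/expires:never" in opts,
            pw_fingerprint=fingerprint(password),
        ))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in {".bat", ".cmd"}:
            continue
        rel = path.relative_to(root)
        host = rel.parts[0]  # assumed layout: first directory level is the host
        findings += scan_script(host, str(rel), path.read_text(errors="replace"))
    return findings


def shared_passwords(findings: list[Finding]) -> dict[str, set[str]]:
    """Fingerprint -> hosts, for passwords seen on more than one host."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f.pw_fingerprint].add(f.host)
    return {fp: h for fp, h in hosts.items() if len(h) > 1}


def build_sample_tree() -> Path:
    """Constructed sample: two hosts sharing one admin password, one host clean-ish."""
    root = Path(tempfile.mkdtemp())
    admin_script = (
        "@echo off\n"
        "rem constructed sample: local admin with inline, non-expiring password\n"
        "net user svc_local P@ssw0rd2024 /add /expires:never\n"
        "net localgroup Administrators svc_local /add\n"
    )
    for host in ("WS-01", "WS-02"):
        (root / host).mkdir()
        (root / host / "setup_admin.bat").write_text(admin_script)
    (root / "WS-03").mkdir()
    (root / "WS-03" / "reset.cmd").write_text(
        "net user helpdesk * /add\n"            # prompts, not flagged
        "net user helpdesk \"Another Pass\"\n"  # inline reset, flagged
    )
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    for f in found:
        print(f"{f.host}:{f.script}:{f.line_no} user={f.user} admin={f.is_admin} "
              f"non_expiring={f.non_expiring} pw#{f.pw_fingerprint}")
    for fp, hosts in shared_passwords(found).items():
        print(f"password pw#{fp} reused on {sorted(hosts)}")
```

Pointing the scanner at a real collection is a matter of replacing `build_sample_tree()` with the path the scripts were copied to; the hashed fingerprint lets the reuse finding go into a ticket without the password itself.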

If an attacker gained remote, local admin access to the network of this organization, they could feasibly create new accounts, install software to maintain persistent access, disable security features, or inject malicious code.

The organization also improperly segmented its operational technology (OT) environment, which allowed standard user accounts to access the Supervisory Control and Data Acquisition (SCADA) VLAN.

Having someone gain unauthorized access to these systems would create real-world safety concerns, CISA warned. 

Within critical national infrastructure, SCADA systems monitor various pieces of OT equipment, such as sensors and valves, communications tech like radio and fiber-optic cables, and programmable logic controllers.

If an attacker could control temperature or pressure gauges, or flow rates, for example, they could theoretically create real-world hazards for workers.

CISA said its investigators found some issues concerning the facility’s HVAC systems, noting improperly configured and insufficiently secured bastion hosts. When set properly, these systems prevent unauthorized access and lateral movement.

“Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality,” the report reads.

CISA also said it was unable to carry out as comprehensive a hunt for threats as it would have liked because of the organization’s lack of workstation logs.

Such logs are useful in determining an organization’s ability to detect unauthorized access and lateral movement when attackers deploy techniques that evade typical defenses, such as using valid accounts and circumventing EDR alerts.

“Insufficient logging can prevent the detection of malicious activity by hindering investigations, which makes detection of threat actors more challenging and leaves the network susceptible to undetected threats,” CISA said.

The report includes a list of general recommendations for defenders to implement following the probe of the organization, which was carried out with its knowledge.

CISA is also known to break into federal agencies unannounced as part of red team exercises, or SILENTSHIELD assessments.

This different kind of test simulates a long-term compromise campaign using tactics that US adversaries and their state-sponsored cyber crews deploy.

One example came a year ago, again with an unspecified federal agency, and saw CISA make its way onto the network, remaining there undetected for five months.

The red teamers gained initial access to the agency’s network using an unpatched critical vulnerability (CVE-2022-21587 – 9.8) affecting its Oracle Solaris enclave.

This led to a full compromise and, yes, the flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, but that occurred a week after CISA used it to gain access. ®
