United States cybersecurity authorities have issued strict new rules demanding that all federal agencies perform automated asset discovery every seven days and run “vulnerability enumeration” across all discovered assets, including “all discovered nomadic/roaming devices (e.g., laptops)”, every fortnight, as of April 3, 2023.
The rules come after persistent attacks on federal organisations. Suffolk County, New York, for example this week reported that its computer systems were attacked on September 8, resulting in major disruptions to county systems, some government functions and compromised county records including personal information.
Fitch Ratings pointed on October 5 to "the severity of the attack" on Long Island, noting that "the county does not have cyber-security insurance, and Fitch believes that recovery costs could be substantial."
The rules come as the Cybersecurity and Infrastructure Security Agency (CISA) also this week revealed that “likely multiple APT groups” had compromised a defence contractor, breaching its Microsoft Exchange Server in January 2021, exploiting the “ProxyShell” series of CVEs and staying on its network – having deployed over 17 webshells, custom exfiltration tools and successfully moved laterally to other systems – for 12 long months.
During the same period, the attackers used Impacket, a Python toolkit for manipulating network protocols, on another system, deploying its wmiexec.py and smbexec.py tools – which use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively – to create a “semi-interactive shell” that let them run commands on remote devices using the Windows management protocols.
The attackers also made use of the (leaked) credentials of an earlier employer, CISA’s report says; suggesting that the multiple attackers had a whole smorgasbord of ways into the defence contractor’s systems. (Given the wide coverage of the ProxyShell vulnerabilities and subsequent rampant attacks against it, the fact that a company working in such a critical sector did not conduct earlier analysis of its environment seems problematic – until you remember that an entire oil pipeline was shut down after VPN credentials with no MFA set up leaked.)
New federal vulnerability scan rules
CISA’s Binding Operational Directive 23-01 meanwhile is effective April 3, 2023.
Asset discovery can be conducted through active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API queries. CISA does not mandate an approach. It does, instead, want to “comprehensively achieve the following outcomes without prescribing how to do so”:
- “Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
- “Identify software vulnerabilities, using privileged or client-based means where technically feasible;
- “Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
- “Provide asset and vulnerability information to CISA’s CDM Federal Dashboard.
“Where the capability is available” agencies must perform the same type of vulnerability enumeration on mobile devices and other devices that reside outside of agency on-premises networks” it adds, without specifying in the directive whether agencies should strictly aim to find a way to make that capability available.
Terry Olaes, Director of Sales Engineering, Skybox Security, told The Stack in an emailed comment: “This alert also serves as a reminder that infrastructure devices must be included in vulnerability management programs. Security teams need to quickly assess vulnerability risk posed across both endpoint and infrastructure assets without waiting for other teams, such as platform and network functions, to provide feedback.”
Critically, all federal agencies will need to “develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request”.
With regard to the defence contractor breach, CISA shares full TTPs here and urges companies to:
Monitor logs for connections from unusual VPSs and VPNs. Examine connection logs for access from unexpected ranges, particularly from machines hosted by SurfShark and M247.
- Monitor for suspicious account use (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). To detect use of compromised credentials in combination with a VPS, follow the steps below:
- Review logs for "impossible logins," such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
- Search for "impossible travel," which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: This detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
- Search for one IP used across multiple accounts, excluding expected logins.
- Take note of any M247-associated IP addresses used along with VPN providers (e.g., SurfShark). Look for successful remote logins (e.g., VPN, OWA) for IPs coming from M247- or using SurfShark-registered IP addresses.
There are multiple lessons in the breach report but the need to patch critical CVEs promptly and a robust credentials management policy -- with MFA enabled everywhere, ideally with hardware tokens used; defence contractors can afford to deploy them -- remain powerful ways to prevent attackers picking off low-hanging fruit.