CISA, NSA highlight top ten cybersecurity misconfigurations, urge action from network defenders and software manufacturers

The U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published Thursday a joint cybersecurity advisory (CSA) highlighting the most common cybersecurity misconfigurations in large organizations. The advisory details the TTPs (tactics, techniques, and procedures) hackers use to exploit these misconfigurations. It also calls upon network defenders and software manufacturers to take appropriate action and reduce the risk of malicious actors exploiting the identified misconfigurations.

Through NSA and CISA Red and Blue team assessments and the activities of NSA and CISA Hunt and Incident Response teams, the agencies listed the ten most common network misconfigurations. These teams have assessed the security posture of many network enclaves across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector. 

The common network misconfigurations include default configurations of software and applications; improper separation of user/administrator privilege; insufficient internal network monitoring; lack of network segmentation; and poor patch management. The teams also listed bypass of system access controls; weak or misconfigured multi-factor authentication (MFA) methods; insufficient access control lists (ACLs) on network shares and services; poor credential hygiene; and unrestricted code execution. 

These misconfigurations demonstrate a trend of systemic weaknesses in many large organizations, including those with mature cyber postures. The trend also underscores the importance of software manufacturers embracing secure-by-design principles. This would reduce the burden on network defenders so that properly trained, staffed, and funded network security teams can implement known mitigations for these weaknesses. Software manufacturers must reduce the prevalence of these misconfigurations, and thereby strengthen the security posture of their customers, by incorporating secure-by-design and -default principles and tactics into their software development practices.

The advisory said that default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include default credentials, default service permissions, and configuration settings. Assessment teams regularly find insecure Active Directory certificate services; insecure legacy protocols/services; and insecure Server Message Block (SMB) services. 

Administrators often assign multiple roles to one account. These accounts have access to various devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures. Assessment teams have observed common account separation misconfigurations including excessive account privileges; elevated service account permissions; and non-essential use of elevated accounts. 

The advisory identified that some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from the timely detection of anomalous activity. Assessment teams have exploited insufficient monitoring to gain access to assessed networks. 

It also covered network segmentation, the practice of separating portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows a hacker who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques. Lack of segmentation between IT and OT (operational technology) environments places OT environments at risk. 

The advisory also flagged poor patch management. Vendors release patches and updates to address security vulnerabilities, but poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes a lack of regular patching and the use of unsupported operating systems (OSs) and outdated firmware. 

The document also identified that a malicious hacker can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect password hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH). By authenticating as accounts without ever knowing the clear-text password, an actor can expand and fortify their access without detection.

It added that Kerberoasting, in which an actor requests Kerberos service tickets for accounts with service principal names and cracks them offline, is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization's network.
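Both techniques above leave distinctive traces in Windows Security logs. The following detection heuristics are an added example for this article, not code from the advisory or from NSA/CISA. They run over constructed event records whose field names follow the Windows Security log (Event ID 4624 for account logons, 4769 for Kerberos service ticket requests); the sample events, account names, hosts and thresholds are invented for illustration.

```python
"""Detection heuristics for pass-the-hash (PtH) and Kerberoasting over
constructed Windows Security event records (sample data is invented)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _logon(user, ip, host, auth_pkg, logon_type=3, time="2023-10-05T09:00:00"):
    # Minimal 4624 record: only the fields the detection reads.
    return {"EventID": 4624, "Time": time, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": auth_pkg,
            "IpAddress": ip, "WorkstationName": host}


def _tgs(user, spn_account, etype, time):
    # Minimal 4769 record: TargetUserName is the requester, ServiceName the
    # account owning the SPN, TicketEncryptionType the issued ticket's etype.
    return {"EventID": 4769, "Time": time, "TargetUserName": user,
            "ServiceName": spn_account, "TicketEncryptionType": etype,
            "Status": "0x0"}


# Constructed sample telemetry for this example.
SAMPLE_EVENTS = [
    # Ordinary Kerberos network logon of a regular user.
    _logon("jsmith", "10.1.20.15", "WS-015", "Kerberos"),
    # NTLM network logon of a Domain Admin from a user workstation: the trace a
    # PtH tool leaves on the target, because NTLM authenticates with the hash.
    _logon("da-backup", "10.1.20.77", "WS-077", "NTLM"),
    # NTLM logon of an unprivileged user: noise, ignored by the PtH check.
    _logon("tnguyen", "10.1.20.31", "WS-031", "NTLM"),
    # One user pulling RC4 (0x17) service tickets for five service accounts
    # within a minute: a Kerberoasting harvest. The computer account (FS01$)
    # ticket mixed in must not count, since machine passwords are random.
    _tgs("jsmith@CORP.LOCAL", "svc-sql", "0x17", "2023-10-05T09:10:01"),
    _tgs("jsmith@CORP.LOCAL", "svc-web", "0x17", "2023-10-05T09:10:02"),
    _tgs("jsmith@CORP.LOCAL", "FS01$", "0x17", "2023-10-05T09:10:03"),
    _tgs("jsmith@CORP.LOCAL", "svc-backup", "0x17", "2023-10-05T09:10:04"),
    _tgs("jsmith@CORP.LOCAL", "svc-sccm", "0x17", "2023-10-05T09:10:05"),
    _tgs("jsmith@CORP.LOCAL", "svc-report", "0x17", "2023-10-05T09:10:30"),
    # Another user requesting AES (0x12) tickets for six services across a
    # working day: normal application traffic, never flagged.
    *[_tgs("mwong@CORP.LOCAL", f"svc-app{i}", "0x12", f"2023-10-05T{8 + i:02d}:00:00")
      for i in range(6)],
]


def detect_pth(events, privileged_accounts):
    """Flag NTLM network logons (4624, LogonType 3) by privileged accounts.

    A stolen NT hash is replayed through NTLM, never Kerberos, so a
    privileged account appearing with AuthenticationPackageName "NTLM" is a
    lead. It is a heuristic: legitimate NTLM fallback occurs (connections by
    IP address, non-domain hosts), so baseline first and tune the set.
    """
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        if e["AuthenticationPackageName"] != "NTLM":
            continue
        if e["TargetUserName"] in privileged_accounts:
            hits.append((e["TargetUserName"], e["IpAddress"], e["WorkstationName"]))
    return hits


def detect_kerberoast(events, window=timedelta(minutes=5), min_distinct_spns=5):
    """Return {requester: max distinct RC4 service tickets inside one window}.

    Only RC4-HMAC (0x17) tickets are counted: those are what attackers ask
    for because they crack cheaply offline. Computer accounts and krbtgt are
    skipped; they are not practical Kerberoasting targets.
    """
    per_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        counts = defaultdict(int)
        start = 0
        for t, spn in reqs:  # sliding window over time-ordered requests
            counts[spn] += 1
            while t - reqs[start][0] > window:
                old = reqs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_distinct_spns:
                hits[account] = max(hits.get(account, 0), len(counts))
    return hits


if __name__ == "__main__":
    print("PtH leads:", detect_pth(SAMPLE_EVENTS, {"da-backup"}))
    print("Kerberoast leads:", detect_kerberoast(SAMPLE_EVENTS))
```

Both checks produce leads, not verdicts: feed the NTLM-logon list to an analyst with the account's normal logon sources, and raise the Kerberoasting threshold on networks where a legitimate scanner or monitoring account touches many SPNs. Requiring AES-only service accounts removes the RC4 signal altogether, which is the better long-term fix.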

The advisory identified that some networks, generally government or DoD networks, require accounts to use smart cards or tokens. “Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication.” 

Additionally, the document pointed out that “if the password hash never changes, once a malicious actor has an account’s password hash, the actor can use it indefinitely, via the PtH technique for as long as that account exists.”
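The stale-hash condition described in the two paragraphs above is easy to audit from directory attributes. The following is an added example for this article, not code from the advisory: it evaluates a constructed list of Active Directory user attributes in the shape an LDAP export gives (sAMAccountName, userAccountControl, pwdLastSet) and lists smart-card-required accounts whose NT hash has not rotated. The account names, dates and 90-day threshold are assumptions made for the example.

```python
"""Find accounts that require smart-card logon but whose NT hash has not
rotated, leaving a usable PtH credential. Input rows are constructed."""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (ADS_USER_FLAG_ENUM).
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_SMARTCARD_REQUIRED = 0x40000
# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
_FILETIME_UNIX_EPOCH = 116444736000000000
_TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return datetime.fromtimestamp((ft - _FILETIME_UNIX_EPOCH) / _TICKS_PER_SECOND,
                                  tz=timezone.utc)


def datetime_to_filetime(dt):
    """Convert an aware datetime to FILETIME (integer arithmetic, no float drift)."""
    return int(dt.timestamp()) * _TICKS_PER_SECOND + _FILETIME_UNIX_EPOCH


NOW = datetime(2023, 10, 5, tzinfo=timezone.utc)  # fixed "today" for the example

SAMPLE_USERS = [  # constructed rows
    # Smart card required, hash set 1200 days ago and never rotated: the hash
    # still authenticates via PtH even though nobody types the password.
    {"sAMAccountName": "adm-jdoe",
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_SMARTCARD_REQUIRED,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1200))},
    # Smart card required, hash rotated 30 days ago: acceptable.
    {"sAMAccountName": "adm-kroe",
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_SMARTCARD_REQUIRED,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    # Smart card required, pwdLastSet 0: no rotation on record at all.
    {"sAMAccountName": "svc-legacy",
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_SMARTCARD_REQUIRED,
     "pwdLastSet": 0},
    # Ordinary password user with an old password: out of scope here,
    # password-expiry policy already forces rotation for this account.
    {"sAMAccountName": "jsmith",
     "userAccountControl": ADS_UF_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]


def stale_smartcard_hashes(users, now=NOW, max_age_days=90):
    """Return (account, age_in_days) for smart-card-required accounts whose
    NT hash is older than max_age_days; age None means pwdLastSet is 0."""
    stale = []
    for u in users:
        if not u["userAccountControl"] & ADS_UF_SMARTCARD_REQUIRED:
            continue
        if u["pwdLastSet"] == 0:
            stale.append((u["sAMAccountName"], None))
            continue
        age = (now - filetime_to_datetime(u["pwdLastSet"])).days
        if age > max_age_days:
            stale.append((u["sAMAccountName"], age))
    return stale


if __name__ == "__main__":
    for name, age in stale_smartcard_hashes(SAMPLE_USERS):
        print(f"{name}: hash age {age if age is not None else 'unknown (pwdLastSet=0)'} days")
```

For a real directory the rows come from an LDAP query filtered on `userAccountControl:1.2.840.113556.1.4.803:=262144` (the smart-card bit). The fix for flagged accounts is to rotate the hash, either by clearing and re-setting the smart-card-required flag (which makes Active Directory assign a new random password) or, on Windows Server 2016 and later domain controllers, by enabling the KDC policy "Enable rolling of expiring NTLM secrets during logon", which rotates such hashes automatically.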

Some forms of MFA are vulnerable to phishing, ‘push bombing,’ exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or ‘SIM swap’ techniques. These attempts, if successful, may allow a hacker to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems.

The advisory added that data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow unauthorized users to access sensitive or administrative data on shared drives. Hackers can use commands, open-source tools, or custom malware to look for shared folders and drives. 

The document also pointed out that poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes easily crackable passwords and cleartext password disclosure. 

The advisory also said that if unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network. Hackers often execute code after gaining initial access to a system. "For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network."

It also identified that assessment teams and malicious hackers frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros to establish initial access, persistence, and lateral movement.

NSA and CISA encourage network defenders to reduce the risk of malicious actors exploiting the identified misconfigurations. They recommend removing default credentials and hardening configurations, disabling unused services, and implementing access controls. Additionally, they suggest updating regularly and automating patching, prioritizing patching of known exploited vulnerabilities; and reducing, restricting, auditing, and monitoring administrative accounts and privileges.

The advisory also urged software manufacturers to take ownership of improving the security outcomes of their customers by embracing secure-by-design and -default tactics, including embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC). They also recommend eliminating the practice of default passwords; providing high-quality audit logs to customers at no extra charge; mandating MFA, ideally phishing-resistant, for privileged users, and making MFA a default rather than an opt-in feature.

The document further recommended that software manufacturers reduce the prevalence of misconfigurations by aligning with the mitigation tactics provided in the security-by-design and -default advisory. NSA and CISA strongly encourage software manufacturers to apply these recommendations to ensure their products are secure ‘out of the box’ and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.
