A pair of recent U.S. government reports offer a fresh reminder of how vulnerable critical infrastructure environments are.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report this week detailing the ease with which a CISA red team was able to penetrate an unspecified critical infrastructure environment, while the EPA issued a report last week that showed that 27 million Americans are served by drinking water systems with high to critical-severity vulnerabilities.

Vulnerabilities in water and wastewater systems are particularly concerning because communities are generally unprepared for an extended outage to those systems. Cyble researchers recently observed two incidents where threat actors claimed to have accessed water system control infrastructures and changed water system settings – we detail those incidents below.

CISA Red Team Breaches Critical Infrastructure Organization

CISA was asked by the critical infrastructure organization to conduct a red team assessment. During the assessment open-source research and targeted spearphishing campaigns were unsuccessful, but external reconnaissance discovered a web shell left from a third party’s previous security assessment. The red team used the shell for initial access and immediately reported it to the organization’s trusted agents (TAs). The red team was then able to escalate privileges on the host, discover credential material on a misconfigured Network File System (NFS) share, and move from a DMZ to the internal network.

From there, the red team gained further access to several sensitive business systems (SBSs). The team discovered a certificate for client authentication on the NFS share and used it to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller, which was used to further compromise the domain. The red team leveraged this high-level access to exploit SBS targets that had been provided by the organization’s TAs.

CISA published a graphic detailing the exploits:

The targeted organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them to the vulnerability the red team used for initial access, but despite delaying the red team from accessing many SBSs, the red team was still able to access a subset of SBSs. “Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode,” the CISA report said. “In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it.”

CISA Red Team Findings

The CISA red team detailed nine findings are all organizations should be aware of:

Inadequate Perimeter and DMZ Firewalls: The organization’s perimeter network was not adequately firewalled from its internal network, which allowed the red team a path through the DMZ to internal networks.

Network Protection Lacking: CISA said the organization was “too reliant on its host-based tools and lacked network layer protections, such as well-configured web proxies or intrusion prevention systems (IPS).” EDR solutions also failed to detect all of the red team’s payloads.

Insufficient Legacy Environment Protection: Hosts with a legacy operating system did not have a local EDR solution, “which allowed the red team to persist for several months on the hosts undetected.”

Security Alerts Unreviewed: The red team’s activities generated security alerts that network defenders did not review. “In many instances, the organization relied too heavily on known IOCs and their EDR solutions instead of conducting independent analysis of their network activity compared against baselines.”

Identity Management Lacking: The organization had not implemented a centralized identity management system in their Linux network, so defenders had to manually query every Linux host for artifacts related to the red team’s lateral movement through SSH. “Defenders also failed to detect anomalous activity in their organization’s Windows environment because of poor identity management,” CISA said.

Known Insecure and Outdated Software: The red team discovered outdated software on one of the organization’s web servers.

Unsecured Keys and Credentials: The organization stored many private keys that lacked password protection, allowing the red team to steal the keys and use them for authentication.

Email Address Verification: The active Microsoft Office 365 configuration allowed an unauthenticated external user to validate email addresses by observing error messages in the form of HTTP 302 versus HTTP 200 responses, a misconfiguration that helps threat actors verify email addresses before sending phishing emails.

EPA OIG Finds Alarming Drinking Water System Vulnerabilities

A report by the EPA’s Office of the Inspector General (OIG) found that nearly 27 million Americans are served by drinking water systems with high-risk or critical cybersecurity vulnerabilities, and an additional 83 million Americans are served by systems with medium or low-severity vulnerabilities.

The OIG investigation looked at drinking water systems serving 50,000 or more people, 1,062 systems in all, covering 193 million people, or about 56% of the U.S. population. The Oct. 8 vulnerability scans identified 97 high-risk water systems and 211 moderate-risk ones.

The vulnerability tests “consisted of a multilayered, passive assessment tool to scan the public-facing networks” of the drinking water systems, the report said.

“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the OIG report said.

Two Recent Concerning Attacks on Water Systems

While several recent attacks on water utilities did not penetrate operational technology environments, Cyble dark web researchers noted two concerning claims made on Telegram by the Russian-linked People’s Cyber Army (PCA).

In late August, PCA released a video on their Telegram channel claiming responsibility for a cyberattack on a Texas water treatment plant. The threat actors posted a video claiming to show unauthorized access to the plant’s control panel, where the attackers altered water settings.

In September, they claimed unauthorized access to Delaware water towers, again posting a video that claims to show the attackers breaching the plant’s control panel, where they manipulated water system settings.

The CISA and EPA reports—and Cyble’s own observations—suggest that critical infrastructure security, and water system security in particular, are urgent problems requiring attention.

Cyble Recommendations

The CISA report, in particular, highlights security weaknesses that all critical infrastructure organizations should investigate. Beyond that, here are some general recommendations for improving the security of critical environments:

1. Organizations should follow ICS/OT vulnerability announcements and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.
2. Segregating ICS/OT/SCADA networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation.
3. Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.
4. Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with vulnerability intelligence reports is essential for proactive defense.
5. Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.

Related