Federal Agency Compromised Via GeoServer Exploit, CISA Reveals



A federal agency was compromised last year after failures in vulnerability remediation, incident response and EDR log reviews, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

CISA claimed in a “lessons learned” advisory published on September 23 that threat actors gained access to the agency’s network on July 11, 2024, by exploiting CVE-2024-36401 on a public-facing GeoServer.

That critical remote code execution (RCE) bug was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on July 15.

The adversaries used the vulnerability to download open source tools and scripts and establish persistence in the agency’s network, before exploiting the same flaw to access a second GeoServer over a week later.

“They moved laterally from GeoServer 1 to a web server and then a Structured Query Language (SQL) server,” CISA explained.

“On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber-threat actors also used living off the land (LOTL) techniques.”


The adversaries relied mainly on brute-force techniques to obtain passwords for lateral movement and privilege escalation, and also accessed service accounts by exploiting their associated services, the report added.

Lessons Learned

CISA claimed the federal agency failed on several counts:

  • It didn’t remediate the GeoServer vulnerability quickly enough. Although the CVE wasn’t added to KEV until four days after the initial compromise, the vendor had patched it 11 days earlier, on June 30. Exploitation of the second server occurred on July 24, which was within the KEV patching window.
  • The agency didn’t test its incident response plan, and the plan itself didn’t enable it to engage third parties or give them swift access to resources. This hampered CISA’s own response efforts.
  • EDR alerts weren’t continuously reviewed, so the malicious activity went undetected for three weeks. Acting on an alert from July 15 would have enabled swift containment of the threat.
  • The agency didn’t apply EDR to all endpoints. Its web server lacked protection, for example.
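The first and last lessons above reduce to two checks a vulnerability management team can automate: is any asset still exposed to a CVE that is in KEV (and how long until, or since, its KEV due date), and does every asset have an EDR agent. The script below is an added illustration, not code from CISA or the advisory. The KEV excerpt and the asset inventory are constructed to match the article’s timeline; the KEV field names (cveID, dateAdded, dueDate) follow the public catalog’s JSON schema, but the dueDate value is illustrative and not taken from the advisory.

```python
"""Cross-check an asset inventory against a CISA KEV catalog excerpt.

Added example. KEV_CATALOG and INVENTORY are constructed sample data;
the field names mirror the real KEV JSON, the values are illustrative.
"""
from dataclasses import dataclass
from datetime import date

# Constructed KEV excerpt. dateAdded matches the article (July 15, 2024);
# dueDate is an assumed, illustrative value.
KEV_CATALOG = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-36401",
            "vendorProject": "OSGeo",
            "product": "GeoServer",
            "dateAdded": "2024-07-15",
            "dueDate": "2024-08-05",
        },
    ]
}

# Constructed inventory: hostnames are placeholders, not from the advisory.
INVENTORY = [
    {"host": "geoserver-1", "internet_facing": True, "edr": True,
     "open_cves": ["CVE-2024-36401"]},
    {"host": "geoserver-2", "internet_facing": True, "edr": True,
     "open_cves": ["CVE-2024-36401"]},
    {"host": "web-1", "internet_facing": True, "edr": False,
     "open_cves": []},
    {"host": "sql-1", "internet_facing": False, "edr": True,
     "open_cves": []},
]


@dataclass
class Finding:
    host: str
    cve: str
    days_until_due: int   # negative once the KEV due date has passed
    action: str


def kev_index(catalog):
    """Map cveID -> catalog entry for O(1) lookups."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def check_kev_exposure(inventory, catalog, today):
    """Return one Finding per (host, CVE) that is in KEV and still open."""
    idx = kev_index(catalog)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = idx.get(cve)
            if entry is None:
                continue  # not in KEV: handled by normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            if days_left < 0:
                action = "OVERDUE: patch now or remove the system from the network"
            elif asset["internet_facing"]:
                action = "EXPOSED: patch before due date; restrict access meanwhile"
            else:
                action = "patch before due date"
            findings.append(Finding(asset["host"], cve, days_left, action))
    return findings


def edr_coverage_gaps(inventory):
    """Hosts with no EDR agent, which is where a detection would be missed."""
    return [a["host"] for a in inventory if not a["edr"]]


if __name__ == "__main__":
    for f in check_kev_exposure(INVENTORY, KEV_CATALOG, date(2024, 7, 24)):
        print(f)
    print("no EDR:", edr_coverage_gaps(INVENTORY))
```

Run daily, the first function turns “patch within the KEV window” into a countdown per asset, and the second keeps the web-server-without-EDR case from going unnoticed. Whether a host is internet-facing and which CVEs it is still exposed to would in practice come from a scanner or CMDB export rather than a hard-coded list.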

“CISA encourages all organizations to consider the lessons learned and apply the associated recommendations in the Mitigations section of this advisory to improve their security posture,” the agency said.

Gabrielle Hempel, security operations strategist at Exabeam, argued that the incident highlights how patching processes are still sub-optimal across government agencies.

“I know we keep saying ‘expedite patching,’ but the real need is automated enforcement,” she added. “If a critical CVE is in KEV, patch it, or pull the system off the network. Leaving these exposed should no longer be an acceptable risk posture in any organization, especially in a federal landscape.”

CISA did not name the federal civilian executive branch agency that was impacted by the compromise.
