CISA: Most cyberattacks on gov’ts, critical infrastructure involve valid credentials

More than half of all cyberattacks on government agencies, critical infrastructure organizations and state-level government bodies involved the use of valid accounts, according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA).

In 2022, CISA worked with the United States Coast Guard (USCG) to conduct 121 Risk and Vulnerability Assessments (RVAs) on federal civilian agencies, high priority private and public sector critical infrastructure operators; and select state, local, tribal, and territorial stakeholders.

Gabriel Davis, a risk operations federal lead at CISA, told Recorded Future News that these assessments are designed to test an organization's defenses and give the government a chance to see how they would respond to a sophisticated attack.

They also give CISA insights into how hackers operate. The report of the agency's findings, published on Wednesday, noted that threat actors “completed their most successful attacks via common methods, such as phishing and using default credentials.” Valid credentials, which can be former employee accounts that have not been disabled in addition to default administrator accounts, were used in 54% of successful attacks studied.

Davis said that what stood out most to him was the fact that hackers are largely using the same methods in most incidents.

“We’re seeing the same issues. Threat actors are modifying their TTPs but we’re not seeing a large deviation from the activity they’ve done in the past,” Davis said.

“This is kind of a good thing because we know where the problems are, we know where we need to address some of our effort. And these are things that can be solved with some small changes throughout the network.”

He noted that RVAs are one of the most popular things organizations ask CISA for, but the agency cannot fulfill every request for one due to a lack of manpower.

They choose organizations for RVAs based on the priorities of CISA Director Jen Easterly, the threat landscape and the kinds of activity they’re seeing, Davis said, adding that part of why they partnered with USCG is so that they can expand the number of organizations that get an RVA.

RVAs are not simply a one-time event, he noted. CISA provides ongoing assistance to all organizations that get an RVA and works with them as they mature in terms of their cybersecurity defense posture.

“So it's not just an assessment and we walk away. It's an ongoing engagement and it's a relationship that we want to build with that organization,” he said.

He noted that for the organizations that did not get an RVA, CISA shares what they found at similar organizations, allowing entities to take the findings and ask themselves “the hard questions about their networks.”

Valid accounts and spearphishing

The RVAs give agencies a set of tactics and methods to use while defending themselves. For example, organizations that change default passwords can protect themselves against hackers who compromise valid administrator accounts, which could be used to spread malware onto a system.

Hackers also used spearphishing — pretending to be a trusted colleague or brand while getting people to click links or provide access — in their attacks. CISA said it was the second-most-common successful attack technique used after valid accounts.

Spearphishing links were successful 33% of the time, according to their RVAs, noting that malicious emails were able to get through network protections to deliver malware onto victim devices. Only 13% of spearphishing attempts were blocked at the network border level during RVAs but at the device level, CISA said 78% of links or attachments were blocked.

“Threat actors use a variety of techniques, such as keylogging or credential dumping, to steal credentials,” CISA explained, noting that in 17% of assessments, the assessments team was able to successfully spoof an authoritative source.

The report includes real-world examples alongside CISA’s findings, using previous attacks by China-based hacking group APT41 to demonstrate the tactics illustrated during the RVAs. Davis said APT41 — which has been implicated in dozens of attacks on a variety of organizations — was used as the example group because they use many of the attack paths outlined in the report.

CISA and the USCG provided the 121 entities examined with a list of observations made during their assessments in an effort to improve their ability to secure themselves.

They urged organizations to take a number of actions — including implementing secure password policies, filtering out and blocking emails with malicious indicators, using phishing awareness programs, maintaining fully patched software, disabling unnecessary operating system applications and network protocols, maintaining a public vulnerability disclosure reporting program, and accessing threat intelligence.

Organizations were also told to adopt multi-factor authentication and make a point of swiftly identifying abnormalities in an effort to reduce the damage caused by intrusions. Davis added that examining all of the RVAs done last year made him feel like organizations are on the right path forward.

“All the right controls are being put in place and all the right actions are being taken. With any other tasks it just comes down to how many man-hours you have to devote to any specific activity,” he said.