Stolen account info still chief risk for federal agencies, annual CISA audit finds

Stolen login information and compromised accounts are still the leading way hackers can gain entry to the systems of federal civilian agencies, according to an assessment conducted over the last year.

The Cybersecurity and Infrastructure Security Agency (CISA) carried out 143 tests on federal civilian agencies in 2023 — an increase on the 121 done in 2022.

The audits, known as Risk and Vulnerability Assessments (RVAs), are done alongside the U.S. Coast Guard, allowing the federal government to test an agency's network defense against the standard types of attacks they see from nation-state hackers and others. 

The report points to real-world past attacks by China-affiliated nation-state hackers as an example of why the tests matter. 

For the second year in a row, CISA found that stolen account information was the main potential source of entry for a would-be attacker. CISA found that the easiest way into a federal network is through the use of default or stolen administrator accounts, or former employee accounts that have not been removed. 

CISA refers to this with the umbrella term “Valid Accounts” and said it was “the most common successful attack technique, responsible for 41% of successful attempts.”

“A common technique under this tactic is cracking password hashes, which was successful in 89% of USCG assessments to access Domain Administrator accounts.”

There is also an overflowing market of initial access brokers who have already done the hard work of compiling account credentials and make them available for a price. The same actors often sell exploits to nation-states and cybercriminals, according to CISA.

Default passwords and ones that can be easily guessed are another major source of account takeover that CISA saw. 

Alongside the theft of valid accounts, CISA found several other commonplace tactics, including phishing and the exploitation of common vulnerabilities, as a risk for agencies. 

CISA noted that their hackers “used common vulnerabilities facilitated by shortcomings in secure by design and default principles and other misconfigurations to compromise systems.”

“Although CISA and the USCG teams do not directly emulate an adversary, they locate any conditions present in the environment, or use opportunistic techniques,” CISA explained. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.