The Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 15 released the results of a January 2023 Risk and Vulnerability Assessment (RVA) performed on an unidentified organization in the Healthcare and Public Health (HPH) sector that found exploitable misconfigurations and the use of weak passwords, among other cybersecurity weaknesses.
The agency’s assessment – conducted over a span of two weeks – was performed at the request of the unnamed organization, which CISA said is a “large organization deploying on-premises software.”
The RVA process covers external and internal network penetration testing, and includes web application, phishing, penetration, database, and wireless assessments.
The good news from the testing, CISA said, was that during the external assessment portion, the testing team “did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network. Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing.”
“However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain,” CISA reported.
“The CISA assessment team identified four High severity vulnerabilities and one Medium severity vulnerability during penetration testing that contributed to the team’s ability to compromise the domain,” stated the agency.
CISA reported finding:
- Poor Credential Hygiene / Easily Crackable Passwords and Guessable Credentials;
- Misconfigured ADCS Certificate Templates;
- Unnecessary Network Services Enabled and Elevated Service Account Privileges;
- Server Message Block (SMB) Signing Not Enabled; and
- Insecure Default Configuration: Default Credentials.
Although weaknesses were found, CISA said that “the organization’s security … demonstrated their ability to detect some of the CISA team’s actions throughout testing and overall situational awareness through the use of logs and alerts.”
“The organization used MFA for cloud accounts. The assessment team obtained cloud credentials via a phishing campaign but was unable to use them because of MFA prompts,” CISA said.
CISA said it released the results of the RVA “to provide network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.”
“CISA encourages the HPH sector and other critical infrastructure organizations deploying on-premises software, as well as software manufacturers, to apply the recommendations in the Mitigations section of this CSA to harden networks against malicious activity and to reduce the likelihood of domain compromise,” the agency said.
The agency recommended that HPH sector organizations implement stronger password protections – as laid out in the National Institute of Standards and Technology (NIST) password guidelines – and continually patch their networks to maintain up-to-date cybersecurity standards.
“These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST,” stated CISA.