Many years ago, we were hunting for government systems to hack. We enumerated them from scanning different IP addresses associated with a government domain, or by taking over a remote desktop which gave us access to the local area network. After scrubbing for logins, we hopped onto other remote desktops with access to the domain.
With a reliable vulnerability scanner and some knowledge of SQL injections, Apache, Windows IIS exploits, and especially Google Dorks, we dumped the database tables of scores of poorly configured vulnerable websites owned by government agencies, as well as military domains. Most of them were thinly protected by guessable, and even crackable md5 hashed passwords.
It was for the sake of curiosity and the thrill ride. In contrast, this certainly isn’t the driving motivation harbored by hostile nation states operating on a global scale today.
Nowadays, it exasperates me when I’m trying to get menial work done on my computer, and suddenly an update prompt appears, notifying me that my computer, browser, or some app on my desktop has taken the initiative against my will to begin an update process. Then, it has the audacity to demand to know when I’d like to restart, and won’t leave me alone until I make a decision.
How the tables have turned! Because on a daily basis I don’t always feel like I’m in control of my own computer. With vulnerabilities being discovered daily, I have to take time out of my busy schedule to learn what they are, how it affects vulnerable devices, and then determine whether I’m protected while having to apply the necessary patches. Sometimes I just need a break.
Now, imagine this scenario on a much larger scale along with the responsibility of having to prioritize the integrity of a large network with hundreds of connected devices. Then factor in bureaucratic red tape with proper chain of command and procedures for reporting any issues the devices might encounter.
Are costly repairs and hardware upgrades even in the budget? Will file backups be stable on the upgraded hardware? There’s a lot of unforeseeable issues that could cause systems administrators to drag their feet.
Following this same line of thought, it should come as no surprise that government networks are among the prized targets of threat actors, especially among hacktivist groups and ransomware gangs.
When Government Agencies Are Forced To Take The Initiative Late In The Game
Earlier this month, the Biden Administration issued an order that mandates all federal agencies to start patching their systems, in order to minimize the increasing attack surface by cybercriminals. It specifically addresses hundreds of identified vulnerabilities that are prioritized as critical threats, which pose a significant risk to government systems.
This initiative was launched by the US Cybersecurity and Infrastructure Security Agency (CISA). Additionally, the CISA published a catalog of Common Vulnerabilities and Exposures (CVEs), which includes known exploits being utilized by cybercriminals from Apple, Cisco, Microsoft, and Google. Interestingly enough, security flaws that pose an imminent danger to systems are prioritized, needing to be fixed immediately.
The due dates are from Nov. 2021 to May 2022, which mandates addressing the security vulnerabilities discovered this year, which are tracked as CVE-2021-XXXXX.
This undertaking also includes both hardware and software being used on the properties of federal agencies nationwide, which includes executive branch departments. The only agencies exempt from this order are national security systems used by the Defense Department and Intelligence Community.
"These vulnerabilities pose significant risk to agencies and the federal enterprise,"
the CISA said.
"It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents."
The US May Be A Target For A Reason
Last year alone, cybercriminals targeted city and county governments in the US with 79 ransomware attacks. In fact, government-associated organizations faced a ransom average totaling $570,857, with over $1.75 million in payouts to the cybercriminals. When you include the last three years alone, 246 ransomware attacks were carried out against US government agencies amounting to an estimated cost of $52.88 billion.
Let’s not forget about the Colonial pipeline ransomware attack earlier this year, which shut down important conduits that delivered fuel from Gulf Coast refineries to major markets along the East Coast. The fuel was disrupted, cutting off supplies simply by stealing one password.
Factor in the threats the US faces from foreign nation-states, like Russia, and Advanced Persistent Threat (APT) hacking units looking for backend access into government networks through low-key municipal servers. With that, questions start to arise as to why the US government’s cybersecurity infrastructure has suffered so much abuse at the hands of threat actors for so long.
There was also that incident back in May when an APT group exploited a Fortigate appliance, in order to access a web server hosting the domain used by a US municipal government.
The FBI and the CISA had issued a forewarning concerning foreign government-backed hacking units that had managed to gain access to Fortinet appliances by exploiting known CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 FortiOS vulnerabilities. When the attacks persisted even after warnings, heads should have rolled then.
Whatever the reason is, the new directive by the Biden Administration carries the impression that cybersecurity has finally taken priority, with its proactive mandate that compels an inquisition into high-risk cybersecurity flaws.
Hackers never sleep. There’s no reason why any government agency should fall asleep behind the helm of its cybersecurity infrastructure.
An article by
Jesse McGraw
Edited by
Ana Alexandre
Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!
Comentários