CISA Shares Lessons Learned from an Incident Response Engagement
CISA responded to a cyber incident at a U.S. federal agency after its endpoint detection and response tool flagged suspicious activity. The agency was compromised by exploiting CVE-2024-36401 in two GeoServers. This vulnerability, disclosed shortly before the exploitation, allowed attackers to gain remote code execution.The attackers remained undetected for three weeks, during which they moved laterally to other servers. Key lessons learned from this engagement highlight critical security failures. Prompt remediation of vulnerabilities, particularly in public-facing systems, is essential.Organizations must regularly test and update their incident response plans, ensuring they facilitate third-party assistance. Continuous review of endpoint detection and response alerts is crucial for timely threat detection. Implementing comprehensive and centralized logging is also vital for effective incident analysis.The attackers utilized publicly available tools for reconnaissance, resource development, and various stages of their attack. They employed web shells, cron jobs, and valid accounts for persistence. Privilege escalation attempts were made using known Linux exploits.Defense evasion tactics included indirect command execution and the use of tools like RingQ. Credential access was achieved through brute-force techniques and exploitation of service accounts. Discovery efforts involved network scanning and vulnerability assessment tools. CISA provides indicators of compromise and technical details to help organizations prevent similar attacks.