Security breaches at government organizations follow familiar patterns
A new report released by the US based Cybersecurity & Infrastructure Security Agency (CISA) details a typical breach that recently occurred at an unnamed federal government organization.
CISA basically sifted through some historical logs and observed network traffic associated with exploitation of the Log4Shell vulnerability (months old at the time) targeting the organization's VMware Horizon servers used to deliver desktop virtualization (VDI) for its employees.
As with ransomware attack against the government of Albania, there are some critical lessons:
the attackers usually spend months unnoticed, exploring the network and elevating privileges. In this case, the initial access via vulnerable Vmware Horizon servers was obtained in February 2022, while a proper response was deployed only in late summer, leaving plenty of time for the attackers to steal data or cause other damage.
Although phishing is the preferred technique to gain unauthorized access nowadays, the second easiest technique is exploiting public-facing applications, such as Vmware Horizon in this case (or MS Exchange, Wordpress, RDP servers, etc.)
Organizations in practice don't have time and money to continually monitor, maintain and upgrade on-premise public facing servers. In today's threat environment, running your own public facing services has simply become too costly and risky. That's especially true for government organizations, where procurement is less inclined to purchase IT as a service via pay-as-you-go schemes, opting for in-house maintenance that results in poorly run infrastructure with huge hidden costs.
Generally speaking, organizations should opt for SaaS applications wherever possible. Alternatively, fully managed services (as opposed to legacy break-fix reactive maintenance), providing constant monitoring and maintenance - should be a standard. Unless you a high tolerance to risk and ignore the hidden costs.
Read more on this particular breach outcomes, link here.