The US cybersecurity agency CISA has issued cybersecurity recommendations after conducting an assessment at the request of an unnamed healthcare and public health (HPH) sector organization using on-prem software.
During a two-week penetration test, CISA said it assessed the target entity’s web applications, susceptibility to phishing, resilience to simulated adversary attacks, and reviewed its databases for misconfigurations and its network and connected devices for vulnerabilities.
The US government cybersecurity arm is releasing information on the assessment results to help other organizations in the Healthcare and Public Health sector improve their cybersecurity posture.
“The CISA team did not identify any significant or exploitable conditions from penetration or web application testing that may allow a malicious actor to easily obtain initial access to the organization’s network,” the agency said, noting that its phishing attempts failed, because payloads were blocked, either before they could be downloaded, or upon execution. Payloads that evaded protections did not connect to a command-and-control (C&C) server.
While employees did fall for phishing email lures and shared their credentials through malicious forms, the login information provided limited access to external-facing resources and the organization had multi-factor authentication (MFA) implemented for cloud accounts.
During the internal penetration testing phase, however, the agency did identify misconfigurations, weak passwords, and other issues that could have allowed an attacker to compromise the organization’s domains. CISA said it found multiple web interfaces protected by default credentials, as well as the use of default printer credentials, and was able to compromise the organization’s domain via four different attack paths.
Following the assessment, CISA drew attention to four high-severity and one medium-severity issues that need addressing, including the weak passwords, a web server template that did not restrict authenticated users’ permissions, the use of unnecessary network services, a service account with elevated privileges, and systems that lacked SMB signing enforcement.
The agency also draws attention to the reuse of passwords across administrator and user accounts, the lack of timely patches, the use of outdated software, weak authentication measures, credentials stored in plaintext, insecure file shares, and other high- and medium-severity issues that could allow attackers to fully compromise an organization’s environment.
As part of its assessment report, CISA also provides a series of mitigation recommendations and urges HPH sector and other critical infrastructure entities to review and apply them to mitigate the identified issues. The agency also recommends a set of strategies that HPH organizations can implement to mitigate cyber threats.