In an age when cyberattacks are an unfortunate reality, a new joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard (USCG) offers a critical reality check for cybersecurity professionals. The advisory, AA25-212A, stems from a proactive threat hunt CISA conducted at a U.S. critical infrastructure organization.
The key takeaway? While no malicious activity was found, the hunt uncovered a series of fundamental cybersecurity risks that serve as a wake-up call for the entire sector. The advisory is a unique opportunity for organizations to learn from someone else's "near miss" and proactively enhance their security posture.
The CISA hunt team identified several crucial risks that, while not immediately exploited, left the organization vulnerable. The findings highlight common weaknesses that could easily be leveraged by a sophisticated attacker to gain a foothold and move laterally.
Insecure credential management: The most alarming finding was the storage of local administrator (admin) account credentials in plaintext within batch scripts. These accounts had non-unique passwords and were shared across many workstations, creating a significant risk for widespread unauthorized access and lateral movement. As the advisory notes, a threat actor with access to one of these scripts could easily obtain the passwords and use Remote Desktop Protocol (RDP) to move freely across the network.
Insufficient network segmentation (IT/OT): The report found that the operational technology (OT) environment was not properly configured. Standard user accounts on the IT network could directly access the supervisory control and data acquisition (SCADA) virtual local area network (VLAN). The advisory points out that "compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality." The lack of a secure "bastion host" or "jump server" for accessing these systems was a major weakness.
Inadequate logging: The CISA team's ability to conduct a thorough hunt was hindered by insufficient logging. The organization's security information and event management (SIEM) system did not receive Windows event logs from workstations, and verbose command-line auditing was not enabled. This gap meant that CISA couldn't perform a full analysis to detect "living-off-the-land" techniques or unauthorized access via local administrator credentials.
Server misconfigurations: The advisory also details two specific server misconfigurations. A production server had sslFlags="0", which disabled modern certificate management features and could expose it to man-in-the-middle and protocol downgrade attacks. Additionally, a weak minimum password length in a production server's configuration file made it vulnerable to brute-force and credential stuffing attacks.
The advisory isn't just a list of problems; it's a blueprint for improvement. The recommended mitigations align with the CISA and NIST Cross-Sector Cybersecurity Performance Goals (CPGs) and are a playbook for strengthening an organization's overall cybersecurity posture.
Prioritize credential security: The advisory's first recommendation is to "not store passwords or credentials in plaintext." Instead, organizations should use secure credential management solutions like encrypted password vaults. For administrator accounts, the advisory strongly recommends using unique, complex passwords for each account, leveraging tools like Microsoft's Local Administrator Password Solution (LAPS) to automate management and rotation.
Strengthen network segmentation: CISA and the USCG advise organizations to "assess the existing network architecture to ensure effective segmentation between the IT and OT networks." The report suggests implementing VLANs with strict inter-VLAN access controls and using a DMZ with firewalls to create a secure intermediary between the two environments.
Enhance logging and monitoring: To improve visibility, organizations should implement comprehensive and detailed logging across all systems, ensuring logs capture crucial information like authentication attempts and command-line executions. These logs should be retained for an appropriate period and aggregated in a centralized SIEM to prevent tampering and enable efficient analysis.
Secure server and application configurations: Organizations must address server misconfigurations by configuring SSL/TLS settings properly and enforcing strong password policies (the advisory recommends a minimum of 15 characters). The report also suggests avoiding centralized database connections that can create a single point of failure.
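An added example, not from the advisory or the article, that ties this recommendation back to the server-misconfiguration finding above: a small Python audit of a constructed web.config fragment for an sslFlags="0" setting and a password minimum below the 15 characters the advisory recommends. It assumes an IIS/ASP.NET layout (`system.webServer/security/access` for sslFlags and an ASP.NET membership provider's `minRequiredPasswordLength`), which the article does not state.

```python
import xml.etree.ElementTree as ET
MIN_PASSWORD_LENGTH = 15  # the minimum the advisory recommends

# Constructed web.config fragment (assumed IIS/ASP.NET layout) reproducing the
# two weak settings: sslFlags="0" and a short membership password minimum.
WEAK_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" minRequiredPasswordLength="7" />
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <security>
      <access sslFlags="0" />
    </security>
  </system.webServer>
</configuration>"""

# The same fragment with both settings corrected, for comparison.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace('sslFlags="0"', 'sslFlags="Ssl, SslNegotiateCert"')
                   .replace('minRequiredPasswordLength="7"', 'minRequiredPasswordLength="15"'))

def audit_config(xml_text):
    """Return (setting, value, problem) tuples for each weak setting found."""
    root = ET.fromstring(xml_text)
    findings = []
    for access in root.iter("access"):
        raw = access.get("sslFlags", "None").strip()
        names = {f.strip() for f in raw.split(",")}
        # "0"/"None" means no SSL requirement at all; a named flag set must include Ssl.
        if raw in ("0", "None", ""):
            findings.append(("sslFlags", raw, "SSL/TLS not required for this site"))
        elif not raw.isdigit() and "Ssl" not in names:
            findings.append(("sslFlags", raw, "Ssl flag missing"))
    for provider in root.iter("add"):
        if "MembershipProvider" not in provider.get("type", ""):
            continue
        length = provider.get("minRequiredPasswordLength")
        if length is None:
            findings.append(("minRequiredPasswordLength", None, "not set; provider default applies"))
        elif int(length) < MIN_PASSWORD_LENGTH:
            findings.append(("minRequiredPasswordLength", length,
                             f"below the {MIN_PASSWORD_LENGTH}-character minimum"))
    return findings

for setting, value, problem in audit_config(WEAK_CONFIG):
    print(f"{setting}={value!r}: {problem}")
```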
The joint advisory is a powerful and practical reminder that attackers often succeed by exploiting basic, preventable misconfigurations. It provides cybersecurity professionals with a roadmap to identify and close these gaps before a proactive hunt becomes a post-breach investigation.
For more insights on this topic, attend the SecureWorld Critical Infrastructure virtual conference on August 28, 2025. See the agenda and register here.