By Devon Warren-Kachelein
Mon | Sep 27, 2021 | 9:40 AM PDT

Port Houston is one of the largest ports in the world. With that title, it helps drive the economy in the U.S., employing more than 1 million people in Texas and 3.2 million people in the nation. Each year, it brings in nearly $1 trillion in revenue.

What would happen if critical infrastructure as integral as this busy port were hit by a malicious cyberattack? Fortunately, Port Houston was prepared and avoided disruption when an incident very nearly played out.

On September 23rd, Port Houston released a statement explaining that it had been targeted by threat actors working with an adversarial government to spy on operations. A key factor in averting the attack was early discovery, followed by isolating the affected server to cut off the unauthorized access.

Port officials said they protected against the attack by following a security plan the port already had in place:

"Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result," reads the statement.

Hacker found weak link in port's password management software

In coverage by CNN, it was reported that the hackers were able to breach the web server by exploiting a vulnerability in ManageEngine ADSelfService Plus, a password management product.

"In the case of the Port of Houston, the unidentified hackers broke into a web server somewhere at the complex using a previously unidentified vulnerability in password management software at 2:38 p.m. UTC on August 19, according to the Coast Guard report. The intruders then planted malicious code on the server, which allowed further access to the IT system.

Beginning about 90 minutes after the initial breach, the hackers stole all of the log-in credentials for a type of Microsoft software that organizations use to manage passwords and access to their networks, according to the report. Minutes later, cybersecurity staff at the port isolated the hacked server, 'cutting off unauthorized access to the network.'" 

On September 16th, CISA, the FBI, and United States Coast Guard Cyber Command (CGCYBER) released a joint advisory warning about the vulnerability in the software. The advisory rated the vulnerability "critical" and said APT actors were actively exploiting it against critical infrastructure.

"The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files," reads the advisory.
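The advisory above describes the pattern a defender has to catch early: a webshell dropped on the web server, followed by credential theft and lateral movement. The Python script below is an added example, not code from Port Houston, the Coast Guard, or the advisory's authors. It shows one server-side check that surfaces such a drop quickly: diff the web root against a known-good manifest recorded at the last deploy, then correlate any new or altered script files with the web server's access log so the first request that reached the file, and its source address, are on record. All paths, hash values and log lines are constructed, and the timestamps only mirror the time of day reported in the article.

```python
import re
from datetime import datetime

# Server-side script extensions that should not appear or change outside a deploy.
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".asp", ".aspx", ".php")

# Constructed known-good manifest recorded at the last deploy: path -> content hash.
# The hash values are placeholders, not real digests.
BASELINE_MANIFEST = {
    "/webroot/index.html": "hash-index-v1",
    "/webroot/app/login.jsp": "hash-login-v1",
    "/webroot/app/logo.png": "hash-logo-v1",
}

# Constructed listing of the same web root taken during the investigation:
# one script file is new and one shipped script no longer matches its hash.
CURRENT_FILES = {
    "/webroot/index.html": "hash-index-v1",
    "/webroot/app/login.jsp": "hash-login-TAMPERED",
    "/webroot/app/logo.png": "hash-logo-v1",
    "/webroot/app/help/x.jsp": "hash-unknown",
}

# Constructed access-log lines in Common Log Format; none of this is real traffic.
# The last line is deliberately malformed to show that unparseable lines are skipped.
ACCESS_LOG = [
    '203.0.113.5 - - [19/Aug/2021:14:38:02 +0000] "POST /app/login.jsp HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Aug/2021:14:39:10 +0000] "POST /app/help/x.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [19/Aug/2021:15:01:44 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "this line is not in log format and is skipped",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)


def diff_webroot(baseline, current):
    """Return (new_scripts, modified): script files absent from the baseline,
    and any baseline file whose recorded hash no longer matches."""
    new_scripts = sorted(
        p for p in current
        if p not in baseline and p.lower().endswith(SCRIPT_EXTENSIONS)
    )
    modified = sorted(
        p for p, h in current.items() if p in baseline and baseline[p] != h
    )
    return new_scripts, modified


def parse_log_line(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def correlate_hits(suspect_files, log_lines, webroot="/webroot"):
    """Return every request whose URL path maps onto a suspect file on disk."""
    by_url = {p[len(webroot):]: p for p in suspect_files if p.startswith(webroot)}
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        url_path = rec["path"].split("?", 1)[0]  # ignore any query string
        if url_path in by_url:
            hits.append({
                "file": by_url[url_path],
                "src": rec["ip"],
                "when": rec["ts"].isoformat(),
                "method": rec["method"],
                "status": rec["status"],
            })
    return hits


def scan(baseline=BASELINE_MANIFEST, current=CURRENT_FILES, log_lines=ACCESS_LOG):
    """Run the integrity diff and the log correlation; return all findings."""
    new_scripts, modified = diff_webroot(baseline, current)
    hits = correlate_hits(new_scripts + modified, log_lines)
    return {"new_scripts": new_scripts, "modified": modified, "hits": hits}


if __name__ == "__main__":
    findings = scan()
    for key in ("new_scripts", "modified"):
        for path in findings[key]:
            print(f"[{key}] {path}")
    for hit in findings["hits"]:
        print(f"[hit] {hit['src']} {hit['method']} -> {hit['file']} at {hit['when']}")
```

In a real deployment the manifest would come from the build pipeline and the hashes from a proper digest such as SHA-256. Pairing the file diff with log correlation is the useful part: a new file alone might be a forgotten deploy, but a new script file plus a POST to it from an unfamiliar address is the kind of evidence that justifies isolating the host as quickly as the port's staff did.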

News outlets have been increasing their coverage of maritime cybersecurity, because an attack on a port could be devastating, both for the business operations that depend on it and because of the sensitive information ports hold.

"Our adversaries know, probably better than most Americans, that our nation's economy runs through our ports," Sean Plankey, a former White House senior cybersecurity official, told CNN.

CISA director discusses port threat at Senate committee hearing

In a Senate committee hearing last Thursday, CISA Director Jen Easterly said:

"We are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable."

To date, the nation-state allegedly behind the attack has not been publicly identified, though Easterly said she believes this was a targeted attack by a foreign government.

SecureWorld will continue to update the details around this cyberattack when more information becomes available.

[RESPONSE: Incident Response planning is one of the most important ways your organization can prepare. Tune in for SecureWorld's Remote Sessions webcast, You've Been Breached. Now What?, and learn about strategies posed by CISOs Rick Peters and Roberto Gutierrez to help protect your business.]
