The US Cybersecurity and Infrastructure Security Agency (CISA) says a red team exercise at a certain unnamed federal agency in 2023 revealed a series of security flaws that exposed its most critical assets.
CISA does NOT use Memory Safe Code #cisa #infosecnews #podcastclips #code #opensource #projects
CISA calls these SILENTSHIELD assessments. The agency's dedicated Red Teams select a Federal Civilian Executive Branch (FCEB) to investigate and do so without warning—while attempting to simulate the maneuvers of a long-term enemy nation-state threat group.
According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 – 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise.
It is worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug with a near-maximum 9.8 CVSS score, was added to CISA's catalog of known exploited vulnerabilities (KEV) in February 2023. The first the breach by the CISA red team was made on January 25, 2023.
