Using Flaws in Pentagon Systems, Hackers Can Make It Look As If Cyberattacks Originated from the US
Security researchers have warned that several misconfigured servers run by the US Department of Defense offer hackers easy access to internal systems. These vulnerable systems allow hackers, including foreign threat groups, to launch cyberattacks through the Pentagon's easily exploitable systems. The flaws are especially attractive since foreign criminal hackers could make it look as though these attacks originated from inside the US.
Pentagon dismissed the bug report, saying it was "out of scope"
"It's very likely that these servers are being exploited in the wild," Dan Tentler, founder of cybersecurity firm Phobos Group said while speaking to ZDNet. He added that the flaws are so easy to discover that he believes hackers may have already found them.
There were hosts that were discovered that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country, who could want to implicate the US as culprits in hacking attacks if they so desire.
The security expert claimed that the Pentagon is already aware of these vulnerable servers; however, it has yet to implement any fixes. Over eight months have passed since the department was made aware of these flaws. The department runs a bug bounty program, allowing white hat hackers to discover and report flaws in its systems. However, the extent of this bug bounty program is limited, with only a few sites open to research. The researcher said he was told that the vulnerable servers aren't part of the scope of this bug bounty program. However, that definitely doesn't justify the negligence that the Pentagon has shown in this particular case.
Tentler hasn't shared any specifics, since the bug bounty prohibits hackers from disclosing "any details of the vulnerability... except upon receiving explicit written authorization" from the Pentagon.
"China, Russia could be scanning these networks"
Tentler appeared frustrated with how the government departments are dealing with cybersecurity. He said the government is more interested in appeasing lawmakers and auditors, and less in making their systems more secure. Tentler argued that following best-practice checklists and satisfying auditors amounts to only the bare minimum effort, not an aggressive response to quickly evolving cybersecurity issues.
"The Pentagon has created a circumstance where the good guys can't find the problems because we're not allowed to scan, or go out of scope, or find things on our own," Tentler said. "But the bad guys can scan whatever they want, for as long as they want, and exploit whatever they feel like."
Well, Russia and China don't care. You can bet they're scanning those networks.
The Trump administration had announced its plan to review all federal systems for security issues and vulnerabilities over a 60-day period. Tentler says those plans are "just not feasible". The way these problems have been dealt with by the previous government and the current administration further confirms that 60 days cannot be enough to review "all" systems.
"It's laughable that an order like this was drafted in the first place because it demonstrates a complete lack of understanding what the existing problems are," Tentler added. "The order will effectively demand a vulnerability assessment on the entire government, and they want it in 60 days? Just that one vulnerability finding from me... it's been months -- and they still haven't fixed it."