CISA roasts unnamed critical national infrastructure body for shoddy security hygiene

Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org

[Connor Jones](/Author/Connor-Jones) Sat 2 Aug 2025 // 08:24 UTC

CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong.

The US cybersecurity agency, along with experts from the US Coast Guard (USCG), identified myriad weaknesses in the mystery organization's approach to security, including storing credentials in plaintext.

Threat hunters did not find any signs of foul play, nor any malicious activity on the network, but published an [extensive report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-212a) of their findings on Thursday, highlighting risks such as:

* Insufficient logging
* Insecurely stored credentials
* Shared local admin credentials across many workstations
* Unrestricted remote access for local admin accounts
* Insufficient network segmentation configuration between IT and operational technology assets
* Device misconfigurations

CISA's report did not explicitly state that the critical infrastructure organization in question operated in the marine industry. However, the fact that it collaborated with the USCG, and that many of its findings overlapped with those of Coast Guard Cyber Command's 2024 trends, suggests the subject of the report was of interest to both authorities.

This organization's most serious offense was sharing local admin accounts, which were protected by non-unique [passwords](https://www.theregister.com/2025/05/04/security_news_in_brief/) that were stored in plaintext, according to CISA, which ranked the risks in order of severity.

The agency said "a few" of these accounts were found — only on workstations, not servers or devices — and they were shared among many hosts. Their credentials were stored in plaintext batch scripts used to create admin accounts with identical, non-expiring passwords.

"The storage of local admin credentials in plaintext scripts across numerous hosts increases the risk of widespread unauthorized access, and the usage of non-unique passwords facilitates lateral movement throughout the network," CISA wrote in its report. "Malicious actors with access to workstations with either of these batch scripts could obtain the passwords for these local admin accounts by searching the file system for strings like `net user /add`, identifying scripts containing usernames and passwords, and accessing these accounts to move laterally."

If an attacker gained remote, local admin access to the network of this organization, they could feasibly create new accounts, install software to maintain persistent access, disable security features, or inject malicious code.
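The two findings CISA ranked most severe, passwords embedded in account-creation batch scripts and the same password reused across hosts, are straightforward to audit for from the defender's side. The script below is an added example written for this article, not code from CISA's advisory or from The Register: it parses `net user ... /add` lines out of batch scripts gathered from a fleet, reports each embedded password only as a short hash fingerprint (so the audit output does not become another plaintext credential store), and correlates fingerprints across hosts to surface reuse. The hostnames, paths and script contents are constructed for the demo; it also handles the `*` prompt form and switch-first argument order, which the article does not discuss.

```python
"""Hygiene audit for plaintext local-admin credentials in deployment scripts.

Added example for this article; not code from CISA's advisory or The Register.
Scans Windows batch scripts collected from workstations for ``net user ... /add``
lines that embed a password, reports them with the password masked, and flags
passwords reused across hosts. Sample scripts below are constructed.
"""
import hashlib
import re
from collections import defaultdict

# "net user <name> <password> /add [/y] [/expires:never]". Switches may come
# before the positional arguments; a password of "*" makes net.exe prompt,
# so nothing is stored in the file.
NET_USER_RE = re.compile(r"^\s*net\s+user\s+(?P<args>\S.*?)\s*$", re.IGNORECASE)
NET_LOCALGROUP_RE = re.compile(
    r'^\s*net\s+localgroup\s+administrators\s+"?(?P<name>[^"\s]+)"?\s+/add',
    re.IGNORECASE,
)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

SAMPLE_SCRIPTS = {  # constructed: (hostname, path) -> script text
    ("ws-01", r"C:\deploy\mkadmin.bat"): (
        "@echo off\n"
        'net user svc_admin "Winter2024!" /add /y /expires:never\n'
        "net localgroup administrators svc_admin /add\n"
    ),
    ("ws-02", r"C:\deploy\mkadmin.bat"): (
        "net user svc_admin Winter2024! /add\n"
        "net localgroup administrators svc_admin /add\n"
    ),
    ("ws-03", r"C:\tools\helpdesk.cmd"): (
        "net user helpdesk * /add\n"         # prompts for the password: not plaintext
        "net user /add tempuser Tmp-9b2c\n"  # switch first, still plaintext
    ),
}


def fingerprint(password):
    """Short SHA-256 prefix so a report can correlate reuse without re-storing the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def parse_net_user_add(line):
    """Return (username, password) for a line that creates a local account, else None.

    password is None when the script prompts ("*") or supplies no password.
    """
    m = NET_USER_RE.match(line)
    if not m:
        return None
    tokens = [t.strip('"') for t in TOKEN_RE.findall(m.group("args"))]
    switches = [t.lower() for t in tokens if t.startswith("/")]
    positional = [t for t in tokens if not t.startswith("/")]
    if "/add" not in switches or not positional:
        return None
    password = positional[1] if len(positional) > 1 else None
    if password == "*":
        password = None
    return positional[0], password


def audit_scripts(scripts):
    """Audit {(host, path): text}. Returns masked findings, never the passwords."""
    creds = []                 # (host, path, user, password)
    admins = defaultdict(set)  # host -> accounts the script adds to Administrators
    for (host, path), text in scripts.items():
        for line in text.splitlines():
            parsed = parse_net_user_add(line)
            if parsed and parsed[1] is not None:
                creds.append((host, path, parsed[0], parsed[1]))
            lg = NET_LOCALGROUP_RE.match(line)
            if lg:
                admins[host].add(lg.group("name").lower())
    hosts_by_password = defaultdict(set)
    for host, _, _, pw in creds:
        hosts_by_password[pw].add(host)
    return {
        "plaintext": [(h, p, u, fingerprint(pw)) for h, p, u, pw in creds],
        "plaintext_admin": [(h, p, u, fingerprint(pw)) for h, p, u, pw in creds
                            if u.lower() in admins[h]],
        "reused": {fingerprint(pw): sorted(hs)
                   for pw, hs in hosts_by_password.items() if len(hs) > 1},
    }


if __name__ == "__main__":
    report = audit_scripts(SAMPLE_SCRIPTS)
    for host, path, user, fp in report["plaintext"]:
        admin = " (local admin)" if (host, path, user, fp) in report["plaintext_admin"] else ""
        print(f"{host}: {path} creates {user!r} with an embedded password [{fp}]{admin}")
    for fp, hosts in report["reused"].items():
        print(f"password {fp} reused on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real script collections, the `reused` map is the item to act on first: every host sharing a fingerprint is reachable with one password, which is exactly the lateral-movement condition CISA describes. The usual fix is a managed per-host local admin password (LAPS-style rotation) and removing the scripts from disk.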
The organization also improperly segmented its operational technology (OT) environment, which allowed standard user accounts to access the Supervisory Control and Data Acquisition (SCADA) VLAN. Having someone gain unauthorized access to these systems would create real-world safety concerns, CISA warned.

Within critical national infrastructure, SCADA systems monitor various pieces of OT equipment, such as sensors and valves, communications tech like radio and fiber-optic cables, and [programmable logic controllers](https://www.theregister.com/2023/08/11/microsoft_codesys_bugs/). If an attacker could control temperature or pressure gauges, or flow rates, for example, they could theoretically create real-world hazards for workers.

CISA said its investigators found some issues concerning the facility's HVAC systems, noting improperly configured and insufficiently secured bastion hosts. When set up properly, these systems prevent unauthorized access and lateral movement.

"Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality," the report reads.

CISA also said it was unable to carry out as comprehensive a hunt for threats as it would have liked because of the organization's lack of workstation logs. Such logs are useful in determining an organization's ability to detect unauthorized access and lateral movement when attackers deploy techniques that evade typical defenses, such as using valid accounts and circumventing [EDR](https://www.theregister.com/2025/03/31/ransomware_crews_edr_killers/) alerts.

"Insufficient logging can prevent the detection of malicious activity by hindering investigations, which makes detection of threat actors more challenging and leaves the network susceptible to undetected threats," CISA said.

The report includes a list of general recommendations for defenders to implement following the probe of the organization, which was carried out with its knowledge.

CISA is also known to break into federal agencies unannounced as part of red team exercises, or SILENTSHIELD assessments. This different kind of test simulates a long-term compromise campaign using tactics that US adversaries and their state-sponsored cyber crews deploy.

One example came a year ago, again with an unspecified federal agency, and saw CISA make its way onto the network, [remaining there undetected for five months](https://www.theregister.com/2024/07/12/cisa_broke_into_fed_agency/). The red teamers gained initial access to the agency's network using an unpatched critical vulnerability (CVE-2022-21587 — 9.8) affecting its Oracle Solaris enclave. This led to a full compromise and, yes, the flaw was added to CISA's [Known Exploited Vulnerability (KEV) catalog](https://www.theregister.com/2025/02/28/cisa_kev_list_ransomware/), but that occurred a week after CISA used it to gain access. ®
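The logging gap CISA complains about above is what made the hunt inconclusive: without workstation logon events there is nothing to correlate. The sketch below is an added example for this article, not code from CISA or The Register, showing the two checks a defender would run once workstation logs are being forwarded: which inventoried hosts have sent nothing at all (the blind spot), and which local, non-domain accounts have logged on over the network to several hosts from several sources, the footprint of a shared local admin account being used for lateral movement. The event records are constructed and simplified from the fields of Windows event 4624; the domain name `CORP`, the hostnames and the addresses are assumptions for the demo.

```python
"""Detection sketch: logging gaps and shared-local-account network logons.

Added example for this article; not code from CISA's advisory or The Register.
Input is a list of simplified Windows 4624 (successful logon) events already
collected from workstations, plus an inventory of hosts expected to forward logs.
All events, hostnames and addresses are constructed for the demo.
"""
from collections import defaultdict

AD_DOMAIN = "CORP"             # assumed directory domain for the demo
NETWORK_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP)

INVENTORY = ["ws-01", "ws-02", "ws-03", "ws-04"]  # constructed: hosts that should log

EVENTS = [  # constructed 4624 events: recording host, account, account domain, type, source
    {"host": "ws-01", "user": "svc_admin", "domain": "ws-01", "logon_type": 3, "src_ip": "10.0.5.20"},
    {"host": "ws-02", "user": "svc_admin", "domain": "ws-02", "logon_type": 10, "src_ip": "10.0.5.20"},
    {"host": "ws-03", "user": "svc_admin", "domain": "ws-03", "logon_type": 3, "src_ip": "10.0.5.21"},
    {"host": "ws-01", "user": "alice", "domain": "CORP", "logon_type": 2, "src_ip": "-"},
    {"host": "ws-02", "user": "alice", "domain": "CORP", "logon_type": 3, "src_ip": "10.0.5.30"},
    {"host": "ws-02", "user": "helpdesk", "domain": "ws-02", "logon_type": 3, "src_ip": "10.0.5.40"},
]


def is_local_account(event):
    """A local account's 4624 carries the workstation name, not the AD domain, as its domain."""
    return event["domain"].upper() != AD_DOMAIN.upper()


def logging_gaps(events, inventory):
    """Inventoried hosts that produced no events at all: the blind spot CISA hit."""
    seen = {e["host"] for e in events}
    return sorted(h for h in inventory if h not in seen)


def shared_local_logons(events, min_hosts=2):
    """Local accounts that logged on over the network to at least min_hosts distinct hosts.

    Domain accounts are excluded: a domain user reaching several hosts is normal,
    a *local* account doing so means the same account (and usually the same
    password) exists on every one of them.
    """
    targets = defaultdict(set)
    sources = defaultdict(set)
    for e in events:
        if e["logon_type"] in NETWORK_LOGON_TYPES and is_local_account(e):
            user = e["user"].lower()
            targets[user].add(e["host"])
            sources[user].add(e["src_ip"])
    return {
        user: {"hosts": sorted(hosts), "sources": sorted(sources[user])}
        for user, hosts in targets.items() if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for host in logging_gaps(EVENTS, INVENTORY):
        print(f"no events from {host}: logging gap")
    for user, info in shared_local_logons(EVENTS).items():
        print(f"local account {user!r} logged on to {info['hosts']} from {info['sources']}")
```

In production the inventory comes from the asset database and the events from the SIEM; the useful tuning knob is `min_hosts`, since a local account appearing on two workstations is already worth a ticket in an environment that is supposed to have unique per-host admin passwords.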
