FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization

U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a “Defense Industrial Base (DIB) Sector organization’s enterprise network” as part of a cyber espionage campaign.

“[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data,” the authorities said.

The joint advisory, which was authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), said the adversaries likely had long-term access to the compromised environment.

The findings are the result of CISA’s incident response efforts, conducted in collaboration with a trusted third-party security firm from November 2021 through January 2022. The advisory did not attribute the intrusion to a known threat actor or group.

The initial infection vector used to breach the network is also unknown, although some of the APT actors are said to have obtained a digital beachhead on the target’s Microsoft Exchange Server as early as mid-January 2021.

Subsequent post-exploitation activity in February entailed a mix of reconnaissance and data collection, the latter of which resulted in the exfiltration of sensitive contract-related information. Impacket was also deployed during this phase to establish persistence and facilitate lateral movement.

A month later, the APT actors exploited ProxyLogon flaws in Microsoft Exchange Server to install 17 China Chopper web shells and HyperBro, a backdoor exclusively used by a Chinese threat group called Lucky Mouse (aka APT27, Bronze Union, Budworm, or Emissary Panda).

From late July through mid-October 2021, the intruders further employed a bespoke malware strain called CovalentStealer against the unnamed entity to siphon documents stored on file shares and upload them to a Microsoft OneDrive cloud folder.

Organizations are recommended to monitor logs for connections from unusual VPNs, suspicious account use, anomalous and known malicious command-line usage, and unauthorized changes to user accounts.
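The “known malicious command-line usage” item above is concrete for Impacket: its default wmiexec.py and smbexec.py helpers run a command on the target through cmd.exe and redirect its output to a file on a loopback administrative share (for example \\127.0.0.1\ADMIN$\__<timestamp>), which shows up verbatim in process-creation telemetry. The script below is an added example, not code from the advisory, the article or the Impacket project; it scans constructed process-creation events (a reduced Sysmon Event ID 1 shape with host, user, parent and cmdline fields, sample data made up for this example) for those default patterns plus a generic rule for any output redirect into a loopback admin share. The regexes encode Impacket's shipped defaults, so an operator who changes the share, file name or launcher will evade the two specific rules; the generic rule is the one to keep.

```python
import json
import re

# Constructed sample events (not from the advisory). Field names mirror a
# reduced Sysmon Event ID 1 record; hostnames and users are made up.
SAMPLE_EVENTS = [
    {  # wmiexec.py default: cmd spawned by WmiPrvSE, stdout to ADMIN$\__<epoch>
        "host": "fs01", "user": "CORP\\svc_backup",
        "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1664893312.42 2>&1",
    },
    {  # benign interactive use
        "host": "ws07", "user": "CORP\\alice",
        "parent": "C:\\Windows\\explorer.exe",
        "cmdline": "cmd.exe /c dir C:\\Users\\alice\\Documents",
    },
    {  # smbexec.py default: batch file in %TEMP%, output to C$\__output via a service
        "host": "ex01", "user": "NT AUTHORITY\\SYSTEM",
        "parent": "C:\\Windows\\System32\\services.exe",
        "cmdline": ("C:\\Windows\\System32\\cmd.exe /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                    "> %TEMP%\\execute.bat & C:\\Windows\\System32\\cmd.exe /Q /c %TEMP%\\execute.bat "
                    "& del %TEMP%\\execute.bat"),
    },
    {  # benign: redirect to a local log file, not to a loopback admin share
        "host": "ws07", "user": "CORP\\alice",
        "parent": "C:\\Windows\\explorer.exe",
        "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1 1> C:\\logs\\backup.log 2>&1",
    },
]

# The JSON-lines form a SIEM export would hand you; built here from the list above.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)

# Rule names are local to this example. The first two match Impacket's default
# command construction; the third catches the underlying technique regardless
# of the exact file name.
RULES = [
    ("impacket_wmiexec_default",
     re.compile(r"(?i)cmd(?:\.exe)?\s+/Q\s+/c\s+.+?\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d")),
    ("impacket_smbexec_default",
     re.compile(r"(?i)\\\\127\.0\.0\.1\\[A-Z]\$\\__output.*%TEMP%\\execute\.bat")),
    ("admin_share_redirect_generic",
     re.compile(r"(?i)[12]?>\s*\\\\127\.0\.0\.1\\[A-Z]+\$\\")),
]


def parse_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_impacket_artifacts(events):
    """Return [(host, user, [matched rule names])] for every event that trips a rule."""
    hits = []
    for ev in events:
        matched = [name for name, rx in RULES if rx.search(ev.get("cmdline", ""))]
        if matched:
            hits.append((ev["host"], ev["user"], matched))
    return hits


if __name__ == "__main__":
    for host, user, rules in find_impacket_artifacts(parse_jsonl(SAMPLE_LOG)):
        print(f"{host}\t{user}\t{', '.join(rules)}")
```

Run against a real export, the parent process is the corroborating field: wmiexec's cmd.exe is a child of WmiPrvSE.exe and smbexec's runs under services.exe, both unusual parents for an interactive shell, so a hit on the generic rule with one of those parents deserves a ticket even when the specific rules are silent.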
