US cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers infiltrated a likely US military contractor and maintained “persistent, long-term” access to their system. The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a detailed, joint advisory containing the notification, explaining that in November 2021 CISA responded to a report of malicious activity on an anonymous “Defense Industrial Base (DIB) Sector organization’s enterprise network.”
CISA uncovered a likely compromise and said that some of the intruders had “long-term access to the environment.” After breaking in, officials reported, hackers leveraged an open-source toolkit known as Impacket to “programmatically” construct and manipulate network protocols.[1]
Impacket is a collection of Python libraries that “plug into applications like vulnerability scanners, allowing them to work with Windows network protocols,” the director of threat intelligence at Red Canary said via email. Hackers favor Impacket because it helps them retrieve credentials, issue commands and deliver malware onto systems, she said.
The digital intruders in this case also used a custom data exfiltration tool, CovalentStealer, to steal sensitive data and exploited a Microsoft Exchange vulnerability on the defense organization’s server to gain access remotely, officials said. From there, the hackers used the compromised company accounts to further infiltrate the targeted organization. Red Canary said hackers could have gained access by exploiting vulnerabilities in Exchange, but there is “no evidence to support this right now, nor is there evidence that adversaries knew about the ProxyNotShell vulnerabilities,” a reference to a new Exchange Server zero-day vulnerability.
There have been several Exchange vulnerabilities reported over a span of years, researchers said. Given how difficult it can be to patch on-premises Exchange servers, she said, many of these vulnerabilities go unfixed and become vectors for attack.
The advisory includes details on indicators of compromise found by CISA and a third-party incident response organization. CISA, the FBI and the NSA recommend that defense industrial base and other critical infrastructure organizations implement the mitigations detailed in the advisory.
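As an added illustration of the detection side of the Impacket activity described above (this is example code written for this article, not code from the advisory or from Red Canary), the script below scans constructed Windows process-creation (event 4688 style) records for the hallmarks that Impacket's default remote-execution tools leave behind: cmd.exe launched with "/Q /c" by the WMI provider host or the service control manager, with its output redirected to a loopback admin share. The log format, the sample lines and the specific command-line patterns are assumptions based on the tools' publicly documented default behaviour, not details this article states.

```python
import re
from dataclasses import dataclass

# Hallmarks of default Impacket wmiexec.py / smbexec.py execution (assumption based on
# the tools' public default behaviour; the article itself names none of these):
#   - parent is WmiPrvSE.exe (WMI) or services.exe (service-based), child is cmd.exe
#   - cmd.exe runs with "/Q /c" and redirects output to a loopback admin share,
#     e.g. \\127.0.0.1\ADMIN$\__<timestamp> or \\127.0.0.1\C$\__output
IMPACKET_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\__", re.IGNORECASE)
QUIET_CMD = re.compile(r"cmd(\.exe)?\s+/Q\s+/c", re.IGNORECASE)
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "services.exe"}

@dataclass
class Finding:
    host: str
    parent: str
    command: str
    reasons: list

def parse_4688(line):
    """Parse one constructed, pipe-delimited record: host|parent_image|new_process|command_line."""
    host, parent, image, cmdline = line.split("|", 3)
    return host.strip(), parent.strip(), image.strip(), cmdline.strip()

def detect_impacket_exec(lines):
    """Return a Finding for each record matching the Impacket hallmarks; benign lines yield none."""
    findings = []
    for line in lines:
        host, parent, _image, cmdline = parse_4688(line)
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        reasons = []
        if IMPACKET_REDIRECT.search(cmdline):
            reasons.append("output redirected to loopback admin share")
        if QUIET_CMD.search(cmdline) and parent_name in SUSPICIOUS_PARENTS:
            reasons.append("cmd.exe /Q /c spawned by " + parent_name)
        if reasons:
            findings.append(Finding(host, parent, cmdline, reasons))
    return findings

# Constructed sample records: two Impacket-style executions and one ordinary interactive shell.
SAMPLE_4688 = [
    r"HOST1|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|"
    r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1664898812.37 2>&1",
    r"HOST1|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users",
    r"HOST2|C:\Windows\System32\services.exe|C:\Windows\System32\cmd.exe|"
    r"cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat",
]

if __name__ == "__main__":
    for f in detect_impacket_exec(SAMPLE_4688):
        print(f.host, "|", "; ".join(f.reasons), "|", f.command)
```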
Advisory: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.[2]
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.cyberscoop.com/feds-release-advisory-apts/
[2] https://media.defense.gov/2022/Oct/04/2003090705/-1/-1/0/CSA_IMPACKET_AND_EXFIL_TOOL_STEAL_SENSITIVE_INFO_FROM_DEFENSE_INDUSTRIAL_BASE.PDF