APT compromised defense contractor with Impacket tools – TechTarget

The Cybersecurity and Infrastructure Security Agency has warned companies about an attack by advanced persistent threat actors on a defense contractor that it observed last year.

In an alert on Tuesday, CISA revealed that it conducted an incident response from November 2021 through last January on the network of an organization in the Defense Industrial Base (DIB) sector. While the initial access vector remains unknown, CISA found that APT actors had used Impacket, an open-source Python toolkit, to move laterally between systems and had installed China Chopper web shells to serve as backdoors.

Although the attackers managed to compromise the DIB network and steal sensitive data using a custom exfiltration tool called CovalentStealer, the techniques did not appear elaborate and could pose a risk to other businesses as well. Impacket, for example, is a legitimate open-source toolkit, and there is no indication that zero-day vulnerabilities were exploited.

Katie Nickels, director of intelligence at security provider Red Canary, said adversaries prefer Impacket because it allows them to retrieve credentials, issue commands, move laterally and deliver malware.

“Impacket consistently makes the list of the top 10 threats seen in Red Canary customer environments. In September, it was the fourth most prevalent threat we observed,” Nickels said in an email to TechTarget Editorial. “While Impacket is fairly easy to detect, it can be difficult to determine whether the activity is malicious or benign without additional context.”

Nickels added that about a third of Impacket detections in 2021 came from confirmed tests.

CISA said it was “likely” that multiple APT groups compromised the anonymous defense contractor beginning in January 2021, when threat actors gained access to the DIB’s Microsoft Exchange server. Although the initial access vector is unclear, the APT actors used a compromised administrator account and Windows command shells to maintain control of the mail server, and eventually used the Impacket tools wmiexec.py and smbexec.py to move laterally within the DIB’s environment.
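Nickels’ point that Impacket is easy to spot but hard to triage, and the advisory’s mention of wmiexec.py and smbexec.py, can be illustrated with a small detection. The following is an added example, not code from CISA, Red Canary or TechTarget: it scans constructed process-creation records for the default command-line shapes those two scripts leave on the target host. The patterns (output redirected to an admin share on 127.0.0.1), the record field names and the sample log lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Assumed default command-line shapes produced on the target host by Impacket's
# wmiexec.py and smbexec.py (from the scripts' well-known behaviour, not from the
# advisory): both redirect command output to an admin share on 127.0.0.1.
PATTERNS = {
    "wmiexec.py": re.compile(
        r"cmd\.exe\s+/Q\s+/c\s+.*\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1",
        re.IGNORECASE),
    "smbexec.py": re.compile(
        r"%COMSPEC%\s+/Q\s+/c\s+echo\s+.*\^>\s*\\\\127\.0\.0\.1\\C\$\\__output",
        re.IGNORECASE),
}

@dataclass
class Finding:
    host: str
    user: str
    parent: str        # parent process: context needed to separate a test from an intrusion
    tool: str
    command_line: str

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def detect_impacket(log_lines):
    """Return a Finding for every record whose command line matches a known Impacket shape."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for tool, pattern in PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"),
                                        ev.get("ParentImage", "?"), tool, cmd))
                break
    return findings

# Constructed sample records: one wmiexec-style, one smbexec-style, one benign redirect.
SAMPLE_LOG = [
    r"Computer=MAIL01|User=CORP\admin|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1663000000.12 2>&1",
    r"Computer=FS02|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Windows\System32\services.exe|CommandLine=%COMSPEC% /Q /c echo dir c:\ ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    r"Computer=WS17|User=CORP\jdoe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir 1> C:\Temp\out.txt 2>&1",
]

if __name__ == "__main__":
    for f in detect_impacket(SAMPLE_LOG):
        print(f"{f.host} {f.user} via {f.parent}: {f.tool}")
```

A match only says the tool ran; the user, parent process and whether that host was in an authorized test window decide whether it is the third of detections Red Canary attributes to testing or an intrusion like the one CISA describes.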

Another familiar tactic CISA noted was the use of VPNs to “disguise interaction with victim networks.” In this case, APT actors used M247 and SurfShark to remotely access Microsoft Exchange Server, an attack surface that has been widely abused over the past year.

Microsoft Exchange connection

Microsoft Exchange servers have been under attack lately, most recently last week when researchers found two zero-day vulnerabilities being exploited in the wild. This was reminiscent of emergency patches released in early March 2021 after a set of four zero-day vulnerabilities, dubbed ProxyLogon, were also exploited before being disclosed and patched.

Around the same time, APT actors exploited ProxyLogon vulnerabilities on the DIB’s Exchange server, although it’s unclear if these actors were the same group that compromised the mail server in January 2021.

“In early March 2021, APT actors exploited CVE-2021-26844, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper web shells on the Exchange server. Later in March, the APT actors installed HyperBro on the Exchange server and two other systems,” CISA wrote in the advisory.

The anonymous defense contractor’s breach overlaps with ProxyLogon exploitation activity in early 2021. Multiple security vendors detected China Chopper web shells, which were also used in the DIB attack, on organizations that were compromised using ProxyLogon exploits. The government ultimately attributed the initial ProxyLogon activity to Hafnium, a Chinese nation-state APT group, though other threat groups also exploited the flaws in later attacks.

It is unclear which APT groups were involved in the DIB attack. TechTarget Editorial contacted CISA for further comment on the events, but the agency declined.

In response to the attackers’ continued presence on the DIB network, which lasted until mid-January 2022, CISA urged other defense contractors and critical infrastructure organizations to implement detection, mitigation and remediation measures. Monitoring network connections for VPNs and suspicious account activity plays an important role in cutting short such long-running intrusions, the agency said, while network segmentation can prevent threat actors from moving laterally.

CISA also recommended limiting the number of remote access tools used and what those tools can access. For vulnerabilities, the alert reminded organizations to prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow remote code execution.
