U.S. military contractor’s enterprise network compromised, data stolen
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA have issued a joint report describing an intrusion into the network of a U.S. military contractor that stole sensitive data.
It remains unknown how the hackers broke into the defense organization’s Microsoft Exchange Server. The warning said that the threat actors spent hours searching mailboxes and using a compromised admin account to query Exchange through its EWS API.
Other malicious activities the hackers carried out on the military contractor’s network include executing Windows commands to learn more about the IT setup, collecting files into archives using WinRAR, and using the open source Impacket network toolkit to remotely control machines and move laterally across the network.
The attackers then used a custom data exfiltration tool called CovalentStealer to siphon sensitive data, including contract-related information from shared drives.
The attackers’ activities were only discovered after someone realized something was wrong. During the investigation conducted by CISA and a “trusted third-party” security firm, officials investigated malicious network activity and discovered that unnamed crews had gained initial access to the organization’s Exchange Server as early as mid-January 2021.
The researchers’ findings showed that the attackers exploited several Microsoft bugs in 2021, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, to install 17 China Chopper webshells on the Exchange Server.
In some of the observed threat activity, the attackers used Impacket, which can be used for legitimate and malicious purposes. According to Katie Nickels, Head of Intelligence at Red Canary, the attackers used Impacket’s wmiexec.py and smbexec.py Python scripts as soon as they were on the network to remotely control machines on the victim’s networks.
“Adversaries favor Impacket because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems,” Nickels said.
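A defender-side illustration of the Impacket activity described above, added here as an example that is not from the article, the advisory or the Impacket project: it scans constructed process-creation events for the well-known default command-line patterns left by wmiexec.py (a command under WmiPrvSE.exe whose output is redirected to \\127.0.0.1\ADMIN$\__&lt;timestamp&gt;) and smbexec.py (a service command that writes to \\127.0.0.1\C$\__output through a temporary execute.bat). The event field names and sample entries are assumptions; operators can change these defaults, so a match is a lead for investigation rather than proof.

```python
import re

# Constructed sample process-creation events (Sysmon / Security 4688 style);
# the field names are an assumption, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmd": 'cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1642512345.67 2>&1'},
    {"host": "FILESRV01", "parent": "C:\\Windows\\System32\\services.exe",
     "cmd": '%COMSPEC% /Q /c echo dir C:\\shares ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 '
            '> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat'},
    {"host": "WS042", "parent": "C:\\Windows\\explorer.exe",
     "cmd": 'cmd.exe /c dir C:\\Users\\alice\\Documents'},
]

# wmiexec.py default: the command is spawned via WMI (parent WmiPrvSE.exe) and its
# output is redirected to the loopback admin share \\127.0.0.1\ADMIN$\__<epoch time>
WMIEXEC_RE = re.compile(r'1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1', re.I)

# smbexec.py default: a temporary service (parent services.exe) runs a batch file
# whose output is echoed to \\127.0.0.1\C$\__output via %TEMP%\execute.bat
SMBEXEC_RE = re.compile(r'\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat', re.I)


def classify(event):
    """Return a label for the Impacket tool whose default artifacts the event matches, else None."""
    cmd = event["cmd"]
    parent = event["parent"].lower()
    if WMIEXEC_RE.search(cmd) and parent.endswith("wmiprvse.exe"):
        return "impacket-wmiexec"
    if SMBEXEC_RE.search(cmd) and parent.endswith("services.exe"):
        return "impacket-smbexec"
    return None


def scan(events):
    """Return (host, label) pairs for every event that matches an Impacket pattern."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((event["host"], label))
    return hits


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```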
The sources for this piece include an article in TheRegister.