
U.S. military contractor’s enterprise network compromised, data stolen

Obanla Opeyemi

October 19, 2022 - TuxCare expert team

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA have issued a joint report describing an intrusion into the network of a U.S. military contractor that stole sensitive data.

It remains unknown how the hackers broke into the defense organization’s Microsoft Exchange Server. The warning said that the threat actors spent hours searching mailboxes and using a compromised admin account to query Exchange through its EWS API.

Other malicious activities the hackers carried out on the military contractor's network included running Windows commands to learn more about the IT environment, collecting files into archives with WinRAR, and using the Impacket open source network toolkit to remotely control machines and move laterally across the network.

The attackers then used a custom data exfiltration tool called CovalentStealer to siphon sensitive data, including contract-related information from shared drives.

The attackers' activities were only discovered after someone realized something was wrong. During the investigation conducted by CISA and a "trusted third-party" security firm, officials investigated malicious network activity and discovered that some unnamed crews had gained initial access to the organization's Exchange Server as early as mid-January 2021.

The researchers’ findings showed that the attackers exploited several Microsoft bugs in 2021, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, to install 17 China Chopper webshells on the Exchange Server.

In some of the observed threat activity, the attackers used Impacket, which can serve both legitimate and malicious purposes. According to Katie Nickels, Head of Intelligence at Red Canary, attackers run Impacket's wmiexec.py and smbexec.py Python scripts as soon as they are on the network to remotely control machines on the victim's network.

“Adversaries favor Impacket because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems,” Nickels said.
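Because wmiexec.py and smbexec.py leave recognizable process-creation artifacts on the target host, defenders can hunt for them in Sysmon or Windows 4688 logs. The following is an added example, not code from the advisory or from TuxCare; it assumes the scripts' default command-line shapes (a `cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` child of WmiPrvSE.exe for wmiexec, and a services.exe-spawned batch file writing to `\\127.0.0.1\C$\__output` for smbexec), and the event records are constructed for the demonstration.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style),
# reduced to the three fields the detection needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1665432100.123456 2>&1"},
    {"host": "ws02", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                "> C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c "
                "C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat"},
    # Benign: an interactive user redirecting output to a local file.
    {"host": "ws03", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir 1> C:\\Users\\alice\\out.txt 2>&1"},
]

# wmiexec.py default: output redirected to an ADMIN$ share file named __<unix timestamp>,
# via the loopback address, with the WMI provider host as the parent process.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1", re.I)

# smbexec.py default: a temporary service runs a batch file that echoes the command
# output to \\127.0.0.1\C$\__output, then the batch file is executed and deleted.
SMBEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.I)


def classify(event):
    """Return a verdict label for one process-creation event, or None if benign."""
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    if parent.endswith("wmiprvse.exe") and WMIEXEC_RE.search(cmd):
        return "impacket-wmiexec"
    if parent.endswith("services.exe") and SMBEXEC_RE.search(cmd):
        return "impacket-smbexec"
    return None


def detect(events):
    """Return (host, verdict) pairs for every event that matches an Impacket pattern."""
    return [(e["host"], v) for e in events if (v := classify(e)) is not None]


if __name__ == "__main__":
    for host, verdict in detect(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```

Both patterns key on the loopback UNC path plus the parent process, so a renamed cmd.exe or a changed output share would need an additional rule.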

The sources for this piece include an article in TheRegister.
