Jump to content
  • FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization

    aum

    • 302 views
    • 2 minutes
     Share


    • 302 views
    • 2 minutes

    U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a "Defense Industrial Base (DIB) Sector organization's enterprise network" as part of a cyber espionage campaign.

     

    "[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data," the authorities said.

     

    The joint advisory, which was authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), said the adversaries likely had long-term access to the compromised environment.

     

    The findings are the result of CISA's incident response efforts in collaboration with a trusted third-party security firm from November 2021 through January 2022. It did not attribute the intrusion to a known threat actor or group.

     

    The initial infection vector used to breach the network is also unknown, although some of the APT actors are said to have obtained a digital beachhead to the target's Microsoft Exchange Server as early as mid-January 2021.

     

    Subsequent post-exploitation activities in February entailed a mix of reconnaissance and data collection efforts, the latter of which resulted in the exfiltration of sensitive contract-related information. Also deployed during this phase was the Impacket tool to establish persistence and facilitate lateral movement.

     

    A month later, the APT actors exploited ProxyLogon flaws in Microsoft Exchange Server to install 17 China Chopper web shells and HyperBro, a backdoor exclusively used by a Chinese threat group called Lucky Mouse (aka APT27, Bronze Union, Budworm, or Emissary Panda).

     

    The intruders, from late July through mid-October 2021, further employed a bespoke malware strain called CovalentStealer against the unnamed entity to siphon documents stored on file shares and upload them to a Microsoft OneDrive cloud folder.

     

    Organizations are recommended to monitor logs for connections from unusual VPNs, suspicious account use, anomalous and known malicious command-line usage, and unauthorized changes to user accounts.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...