Multiple advanced persistent threat groups compromised the network of an unnamed organization in the defense industrial base (DIB) sector in order to steal sensitive contract-related data and credentials, according to a new joint security alert from multiple U.S. government agencies.
Threat groups gained initial access as early as mid-January 2021 and used compromised credentials in order to stay hidden on the network for the next year (until January 2022). The initial access vector couldn’t be determined, but attackers did use a number of exploits and tools to further compromise the network and conduct follow-up malicious activity, including a legitimate open-source toolkit, Impacket, and a custom data exfiltration tool, CovalentStealer.
“From November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization’s enterprise network,” according to CISA, the FBI, and the NSA in a joint security advisory that provided Indicators of Compromise (IoC) for the attack, as well as threat groups’ TTPs. “During incident response activities, CISA and the trusted third-party identified APT activity on the victim’s network.”
Four hours after gaining initial access to the organization’s Microsoft Exchange server, actors gathered more data about the Exchange environment, performed mailbox searches and used a compromised administrator account to access the Exchange Web Services API. In the following weeks, threat actors used a Windows command shell to learn more about the organization’s environment and collect sensitive data, including contract-related data. CISA said that in March, APT actors exploited a number of Microsoft Exchange remote code execution flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26868 and CVE-2021-27065) in order to install 17 China Chopper webshells on the Exchange server. And from late July through mid-October 2021, the threat actors used the CovalentStealer custom tool to steal files and store them on a Microsoft OneDrive cloud folder.
APT actors also utilized Impacket, a legitimate Python toolkit that is used by both legitimate tools and by threat groups, and is leveraged for constructing network protocols. Specifically, they relied on two Impacket tools (wmiexec.py and smbexec.py) that use the Windows Management Instrumentation and Server Block Message protocols in order to create semi-interactive shells with target devices. Impacket allows users to run commands on remote devices using the Windows management protocols required to support an enterprise network, according to CISA.
“The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization's multifunctional devices,” said CISA. “The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses.”
The actors then assigned the Application Impersonation role to the service account with a command that then gave the service account the ability to access other users’ mailboxes, according to CISA. Impacket has previously been used for lateral movement by threat groups, including in activity observed from DEV-0270 and the Lazarus APT.
Katie Nickels, director of Intelligence at Red Canary, said that in September, Impacket was the fourth most prevalent threat observed by Red Canary in customer environments. Impacket is a favorite for threat actors because the tool enables them to retrieve credentials, issue commands and deliver additional malware to systems, in addition to lateral movement, said Nickels.
"Many types of threat actors use Impacket, ranging from state-sponsored actors to criminally-motivated actors," said Nickels. "As noted in this advisory, it has been used by state-sponsored actors. We have observed Impacket used in ransomware intrusions such as those conducted by Vice Society and Yanluowang."
Organizations in the DIB sector house particularly sensitive data, with more than 220,000 companies contributing to the web of research, development and production behind the U.S. Department of Defense’s (DoD) military weapons systems. The government classifies this industry as a critical infrastructure sector, which it has been pushing to better secure over the past year after the Colonial Pipeline ransomware attack. Earlier this year, Deputy Defense Secretary Kathleen Hicks said that cybersecurity across the DIB sector will be an “expanding priority” as the sector is “now facing increasingly sophisticated and well-resourced cyber-attacks that must be stopped.” As part of this increased prioritization of security, the DoD required all companies in the sector to complete a cybersecurity maturity model certification that aligns with the NIST 800-171 security requirements. CISA, the NSA and the FBI in their security advisory this week encouraged organizations to take a variety of security measures, including enforcing multi-factor authentication (MFA) on user accounts, implementing network segmentation, keeping software up-to-date and auditing account usage.