The US National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI have released a joint security advisory detailing malicious activity by state-sponsored hacker groups that used custom malware to pilfer sensitive data from a US organization in the Defense Industrial Base (DIB) sector.
An investigation into the intrusion revealed that the organization’s network was compromised by multiple threat actors and that some APTs maintained long-term access to the environment. The threat actors leveraged an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.
The compromise lasted for about ten months, with some of the APT actors gaining access to the victim’s Microsoft Exchange Server as early as mid-January 2021.
“Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (‘Admin 1’) to access the EWS Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access EWS API again. In both instances, the actors used a virtual private network (VPN),” the alert says.
During that period, the hackers planted the Impacket framework on the victim’s system to move laterally through the network.
The threat actors were also observed exploiting the ProxyLogon bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange to install 17 China Chopper webshells on the Exchange Server. The attackers then planted a remote access trojan called HyperBro on the Exchange Server and two other systems.
According to CISA, the threat actor used Impacket with the compromised credentials to obtain a service account with higher privileges, which allowed them to establish remote access from multiple external IP addresses to the organization’s Exchange server via Outlook Web Access (OWA). The cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. To steal sensitive information from the victim, the attackers used the custom CovalentStealer malware.
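The pattern the advisory describes in the quoted log analysis and in the paragraph above, a privileged account reaching the EWS API and OWA from several external (VPN/VPS) addresses inside a short window, is something a defender can hunt for in Exchange front-end IIS logs. The following Python script is an added example written for this article; it is not code from the advisory, from CISA or from the article's author. The log lines are constructed for illustration, the field layout is a simplified version of the usual IIS W3C default, and the watchlist, internal address ranges and four-hour window are assumptions a team would replace with its own values.

```python
"""Flag privileged-account EWS/OWA access from multiple external addresses.

Added example (not from the advisory or the article). It scans IIS-style
Exchange front-end log lines for requests to the EWS and OWA endpoints made
by accounts on a watchlist and reports any account that was seen from two or
more distinct external source addresses inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (simplified IIS W3C layout):
# date time cs-method cs-uri-stem cs-username c-ip sc-status
# The addresses are documentation ranges (RFC 5737) and RFC 1918 space.
SAMPLE_LOG = """\
2021-01-15 02:10:04 POST /ews/exchange.asmx CORP\\admin1 203.0.113.10 200
2021-01-15 02:22:41 POST /ews/exchange.asmx CORP\\admin1 203.0.113.10 200
2021-01-15 03:05:12 GET /owa/ CORP\\admin1 198.51.100.7 200
2021-01-15 03:40:55 POST /ews/exchange.asmx CORP\\admin1 198.51.100.7 200
2021-01-15 09:00:01 GET /owa/ CORP\\jsmith 10.20.30.40 200
2021-01-16 08:15:30 POST /ews/exchange.asmx CORP\\admin1 10.20.30.41 200
"""

# Assumed internal space; RFC 1918 is used here because ipaddress.is_private
# would also classify the documentation ranges in the sample as non-global.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
WATCHED_PATHS = ("/ews/", "/owa/")


def parse_line(line):
    """Split one simplified log line into a record with a datetime stamp."""
    date, time, method, path, user, client_ip, status = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "method": method,
        "path": path,
        "user": user.lower(),
        "ip": client_ip,
        "status": int(status),
    }


def is_external(ip_text):
    """True when the client address is outside the assumed internal ranges."""
    ip = ip_address(ip_text)
    return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)


def find_multi_source_access(log_text, watched_accounts, window_hours=4.0,
                             min_sources=2):
    """Return one finding per watched account seen from >= min_sources
    distinct external addresses within any window_hours-long window."""
    watched = {u.lower() for u in watched_accounts}
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["user"] not in watched:
            continue
        if not rec["path"].lower().startswith(WATCHED_PATHS):
            continue
        if not is_external(rec["ip"]):
            continue
        events[rec["user"]].append((rec["ts"], rec["ip"]))

    findings = []
    for user, evs in events.items():
        evs.sort()
        for i, (ts, _ip) in enumerate(evs):
            # Distinct source addresses seen from this event onward, in-window.
            in_window = {
                ip for ts2, ip in evs[i:]
                if (ts2 - ts).total_seconds() <= window_hours * 3600
            }
            if len(in_window) >= min_sources:
                findings.append({
                    "user": user,
                    "window_start": ts.isoformat(sep=" "),
                    "sources": sorted(in_window),
                })
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_multi_source_access(SAMPLE_LOG, {"CORP\\admin1"}):
        print(f"{f['user']} from {len(f['sources'])} external sources "
              f"starting {f['window_start']}: {', '.join(f['sources'])}")
```

Run against the constructed sample, the script reports `admin1` reaching EWS and OWA from two external addresses within about an hour on 15 January, while the later request from RFC 1918 space and the unprivileged user's traffic are ignored. In practice the watchlist would hold the accounts that should never use OWA or EWS interactively, and the "external" check would be replaced or supplemented by an enrichment step that tags the VPN and VPS provider ranges the advisory names.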
Besides additional technical details and IoCs, the joint alert provides mitigations to help organizations prevent such attacks.