CISA did not reveal the name of the targeted Federal agency.
In cybersecurity, stolen credentials alone can be used by an attacker to do a range of harmful things. A recent report revealed that 15 billion credentials from 100,000 data breaches are being sold on the dark web.
One such new case emerged recently, as reported by the Cybersecurity and Infrastructure Security Agency (CISA), which sheds light on how attackers penetrated a Federal agency’s computer network by gaining access to Microsoft Office 365 login credentials and domain administrator accounts.
How they obtained those credentials remains unknown, although there is speculation that CVE-2019-11510, a vulnerability found in Pulse Secure VPN servers, may have been exploited, as it has been in numerous previous federal agency attacks. This is despite a patch being available for it, as the VPN servers may not yet have been updated.
Long story short, the attackers went on to download emails containing “Intranet access” and “VPN passwords” in the subject line; change a registry key; and enumerate the account directory, the group policy key, and the entire compromised network and system using Microsoft command-line tools such as ping and netstat.
Yet this was only the surface. A range of other things was also done, one of which the researchers explain in their Analysis Report:
The cyber threat actor established Persistence [TA0003] and Command and Control [TA0011] on the victim network by (1) creating a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy, (2) running inetinfo.exe (a unique, multi-stage malware used to drop files), and (3) setting up a locally mounted remote share on IP address 78.27.70[.]237 (Proxy [T1090]). The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis.
The infographic below shows the tactics and techniques used by the threat actor:
Nonetheless, you may be wondering: was the anti-malware system taking a nap while all of this was happening? The truth is, it was forced to. Apparently the threat actors had this in mind, and for this reason they found the anti-malware software’s license key, using which they “visited a directory used by the product for temporary file analysis.”
Within this directory, the malware file named inetinfo.exe was run, with the subsequent havoc illustrated in the graphic below:
To conclude, such an intrusion could inflict significant damage on any organization in the form of data and privacy theft. To protect against such attacks, it is recommended to close all unused ports, monitor for suspicious IP addresses, keep everything updated, and use 2FA plus access-based controls.
Furthermore, keep track of the type of data being transmitted over your network. For example, if large files, unusual for your agency’s work, are being sent, there may be something wrong.
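As an added illustration of the two monitoring recommendations above (watching for file shares mounted from external addresses, as in the CISA excerpt, and for outbound transfers that are unusually large for a host), here is a small detection routine over constructed flow records. It is example code written for this article, not part of the CISA report; the host names, the flow records and the 203.0.113.0/24 documentation range are constructed, and the 20x-baseline threshold is an assumed tuning value.

```python
import ipaddress
import statistics
from dataclasses import dataclass

# Constructed flow records: (timestamp, source host, destination IP, destination port, bytes sent).
# None of these values come from the CISA report; 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_FLOWS = [
    ("2020-09-10T09:00:00", "ws-017", "10.0.0.5", 443, 12_000),
    ("2020-09-10T09:05:00", "ws-017", "10.0.0.5", 443, 9_500),
    ("2020-09-10T09:10:00", "ws-017", "10.0.0.8", 443, 14_000),
    ("2020-09-10T09:15:00", "ws-017", "10.0.0.5", 443, 11_000),
    ("2020-09-10T23:40:00", "ws-017", "203.0.113.10", 445, 5_000),       # SMB session to an external host
    ("2020-09-10T23:45:00", "ws-017", "203.0.113.10", 22, 850_000_000),  # ~850 MB pushed out over SSH
]

# Internal address space (RFC 1918); anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Alert:
    timestamp: str
    host: str
    dst_ip: str
    reason: str

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def baseline_bytes(flows, host):
    """Median bytes per flow for a host, computed from its flows to internal destinations only."""
    vals = [b for _, h, ip, _, b in flows if h == host and not is_external(ip)]
    return statistics.median(vals) if vals else 0

def detect(flows, volume_factor=20, smb_ports=(445,)):
    """Flag SMB sessions to external addresses and outbound flows far above the host's baseline."""
    alerts = []
    baselines = {h: baseline_bytes(flows, h) for h in {f[1] for f in flows}}
    for ts, host, dst, port, nbytes in flows:
        if not is_external(dst):
            continue
        if port in smb_ports:
            alerts.append(Alert(ts, host, dst, f"SMB session to external address on port {port}"))
        if baselines[host] and nbytes > volume_factor * baselines[host]:
            alerts.append(Alert(ts, host, dst, f"outbound volume {nbytes} B exceeds {volume_factor}x baseline {baselines[host]:.0f} B"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

On the constructed records the routine raises two alerts for ws-017: the SMB session to 203.0.113.10 and the 850 MB transfer, which is far above the host's 11,500-byte median flow to internal destinations.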