An intruder breached a federal agency’s internal network and accessed data files using compromised credentials and custom malware, the Cybersecurity and Infrastructure Security Agency said in an Analysis Report.

The attacker relied on multiple users’ Microsoft Office 365 accounts and domain administrator accounts to get the initial foothold into the agency network, according to CISA’s Analysis Report. The attack also utilized compromised credentials for domain administrator accounts and the Pulse Secure VPN server. CISA said EINSTEIN, its intrusion detection system that monitors federal civilian networks, flagged the malicious activity. CISA’s incident response report did not include the name of the federal agency, or offer any details about the attacker (or adversary group) or when the attack happened and was detected. The report contains technical details of the multi-stage attack such as the threat actor’s tactics, techniques, procedures, and indicators of compromise.

The attacker’s first foray into the network began by remotely logging into an agency computer and browsing a SharePoint site using an employee’s Microsoft Office 365 credential. CISA’s investigation could not definitively say how the credentials were compromised, but one of the ways may have involved exploiting a known vulnerability in the agency’s Pulse Secure VPN server (CVE-2019-11510). The attacker also connected multiple times to the VPN server. A security update has been available since April 2019, but the Department of Homeland Security had previously warned that attack groups may have compromised Active Directory accounts before the patches were deployed. In those cases, the attackers were already in the network. “It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability, CVE-2019-11510, in Pulse Secure,” CISA said in the report. The vulnerability allows “remote, unauthenticated retrieval of files, including passwords.”

Network Reconnaissance

The attacker explored the network by logging into an Office 365 email account to view and download help-desk messages with the phrases “Intranet access” and “VPN passwords” in the subject lines. None of the help-desk messages contained actual passwords, CISA noted in the report. The attacker was able to enumerate the Active Directory and Group Policy key, and was also able to change a registry key for the Group Policy. Considering the attacker already had privileged access in the network, the attacker was likely looking for more areas to target. The actor used “common Microsoft Windows command line processes (conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe) to enumerate the compromised system and network,” CISA said. The attacker connected to a virtual private server (VPS) through a Windows Server Message Block (SMB) client. Once done, the attacker was able to connect to a command-and-control server and install custom malware, which turned out to be a dropper for additional malware. The custom malware “was able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped quarantine,” CISA said.

The attacker also created a backdoor to the network by installing an SSH tunnel and reverse SOCKS proxy. The proxy used port 8100, a normally closed port which was opened by the malware. The attacker “gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall,” CISA said. Setting up a hard drive to the agency’s network as a locally mounted remote share “allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA said. Having assured its ability to remain in the network, and to get back in when necessary, the attacker created a local account on the network.
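The enumeration commands and the plink.exe tunnel named in the report above are a detectable pattern in process-creation logs. The following is an added example, not code from the article or from CISA: it scans constructed sample log lines (format, host names and thresholds are assumptions) and alerts on a burst of distinct recon commands from one host, and on any execution of plink.exe.

```python
# Added detection example for the activity described in the CISA report.
# Log format, window size and threshold are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the report; conhost.exe is omitted because every console
# program spawns it, so it would only add noise to the burst count.
RECON_IMAGES = {"ipconfig.exe", "net.exe", "query.exe", "netstat.exe",
                "ping.exe", "whoami.exe"}
TUNNEL_IMAGES = {"plink.exe"}

# Constructed sample log: "<ISO timestamp>|<host>|<user>|<image path>"
SAMPLE_LOG = """\
2020-09-14T09:00:01|WS-17|corp\\jdoe|C:\\Windows\\System32\\whoami.exe
2020-09-14T09:00:04|WS-17|corp\\jdoe|C:\\Windows\\System32\\ipconfig.exe
2020-09-14T09:00:09|WS-17|corp\\jdoe|C:\\Windows\\System32\\net.exe
2020-09-14T09:00:15|WS-17|corp\\jdoe|C:\\Windows\\System32\\netstat.exe
2020-09-14T09:01:30|WS-17|corp\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\plink.exe
2020-09-14T11:20:00|WS-42|corp\\asmith|C:\\Windows\\System32\\ping.exe
2020-09-14T15:45:00|WS-42|corp\\asmith|C:\\Windows\\System32\\ipconfig.exe
"""

def parse(log_text):
    """Parse log lines into (timestamp, host, user, image basename) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, user, image = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user,
                       image.rsplit("\\", 1)[-1].lower()))
    return events

def detect(events, window=timedelta(minutes=5), min_distinct=4):
    """Return a sorted list of (host, reason) alerts, one per host per reason."""
    alerts = set()
    by_host = defaultdict(list)
    for ts, host, user, image in sorted(events):
        if image in TUNNEL_IMAGES:
            alerts.add((host, f"tunneling tool executed: {image}"))
        if image in RECON_IMAGES:
            by_host[host].append((ts, image))
    for host, seen in by_host.items():
        # Sliding window over this host's recon executions (already time-ordered).
        for i, (start, _) in enumerate(seen):
            distinct = {img for ts, img in seen[i:] if ts - start <= window}
            if len(distinct) >= min_distinct:
                alerts.add((host, f"{len(distinct)} distinct recon commands within {window}"))
                break
    return sorted(alerts)
```

Running `detect(parse(SAMPLE_LOG))` flags WS-17 twice (recon burst and plink.exe) and stays silent on WS-42, whose two commands are hours apart.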