
CISA Says Threat Actor Breached Federal Agency’s Network

A threat actor was able to compromise the network of a federal agency and create a reverse proxy and install malware, the Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday.


The attack, CISA explains, relied on compromised credentials for initial access, and resulted in multi-stage malware being installed on the affected agency’s systems, without triggering in-place anti-malware protections.

Credentials for multiple Microsoft Office 365 (O365) and domain administrator accounts were employed in the attack, CISA says. Using the Transmission Control Protocol (TCP), the attackers were able to connect multiple times to the victim organization’s virtual private network (VPN) server.

CISA could not determine how the adversary obtained the credentials, but says that they might have gotten them from an unpatched VPN server by exploiting a known vulnerability in Pulse Secure, namely CVE-2019-11510, which was patched in April 2019.

“CISA has observed wide exploitation of CVE-2019-11510 across the federal government,” the agency notes.

Following initial access, the threat actor started gathering information of interest from email accounts, enumerated the Active Directory and Group Policy key, modified a registry key for the Group Policy, and enumerated compromised systems.

The attackers connected to the compromised network using various methods, including Remote Desktop Protocol (RDP), a Windows Server Message Block (SMB) client, and plink.exe, the command-line version of PuTTY.

Furthermore, the adversary achieved persistence through a Secure Shell (SSH) tunnel/reverse SOCKS proxy, maintained by two Scheduled Tasks created for that purpose, and executed a unique, multi-stage malware to drop files. Additionally, they created a locally mounted remote share.


The threat actor also created a local account to browse directories on a file server, copy a file to the locally mounted remote share, interact with other files on users’ home directories (although CISA could not confirm whether exfiltration occurred), create a reverse SMB SOCKS proxy, interact with a PowerShell module, steal data from an account directory and file server directory, and create ZIP archives containing files and directories (CISA could not confirm that the ZIP files were exfiltrated).

To overcome the agency’s anti-malware protection, the threat actor accessed the “anti-malware product’s software license key and installation guide and then visited a directory used by the product for temporary file analysis,” after which they were able to run their malware executable.

CISA, which has provided indicators of compromise (IoCs) associated with the attack, recommends that all federal agencies monitor network traffic to identify unusual activity such as unusual open ports, large outbound files, and unexpected and unapproved protocols.

The agency also recommends that organizations deploy an enterprise firewall, that they identify and block all ports that are not necessary, implement multi-factor authentication, separate administrative accounts on administrative workstations and apply the principle of least privilege, secure RDP, and ensure that anti-malware software and operating systems are up to date.
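The monitoring recommendation above (unusual ports, large outbound transfers, unexpected protocols) can be turned into a simple rule set over flow records. This is an added illustration, not code from CISA or from the article; the CSV layout, the approved port/protocol sets, the size threshold and the sample flows are all constructed assumptions.

```python
"""Detection sketch for the network-monitoring recommendation above.

Constructed example: flow records are assumed to be CSV lines of
  timestamp,src_ip,dst_ip,proto,dst_port,bytes_out
as a firewall or NetFlow exporter might emit. The approved port/protocol
sets and the size threshold are illustrative assumptions.
"""
import csv
from io import StringIO

# Assumed policy for outbound traffic from the internal network.
APPROVED_OUTBOUND_PORTS = {80, 443, 53}
APPROVED_PROTOCOLS = {"tcp", "udp"}
LARGE_OUTBOUND_BYTES = 50_000_000  # 50 MB, illustrative threshold
INTERNAL_PREFIX = "10."

# Constructed sample flows: normal web traffic, a large outbound transfer
# to an external host, an unusual outbound port and a non-approved protocol.
SAMPLE_FLOWS = """\
2020-09-24T10:00:01Z,10.0.0.5,93.184.216.34,tcp,443,1200
2020-09-24T10:02:13Z,10.0.0.5,198.51.100.7,tcp,443,120000000
2020-09-24T10:05:40Z,10.0.0.9,203.0.113.8,tcp,2222,4800
2020-09-24T10:06:02Z,10.0.0.9,203.0.113.8,gre,0,900
2020-09-24T10:07:55Z,10.0.0.5,10.0.0.20,tcp,445,30000
"""


def analyse_flows(text):
    """Return a list of (timestamp, src_ip, dst_ip, reason) alerts."""
    alerts = []
    reader = csv.reader(StringIO(text))
    for ts, src, dst, proto, port, nbytes in reader:
        # Only outbound flows (internal source, external destination) are scored.
        if not src.startswith(INTERNAL_PREFIX) or dst.startswith(INTERNAL_PREFIX):
            continue
        port, nbytes, proto = int(port), int(nbytes), proto.lower()
        if proto not in APPROVED_PROTOCOLS:
            alerts.append((ts, src, dst, f"unexpected protocol {proto}"))
        elif port not in APPROVED_OUTBOUND_PORTS:
            alerts.append((ts, src, dst, f"unapproved outbound port {port}"))
        if nbytes >= LARGE_OUTBOUND_BYTES:
            alerts.append((ts, src, dst, f"large outbound transfer ({nbytes} bytes)"))
    return alerts


if __name__ == "__main__":
    for alert in analyse_flows(SAMPLE_FLOWS):
        print(*alert)
```

Internal-to-internal flows are deliberately skipped here; lateral SMB/RDP activity of the kind described in the article needs host-side telemetry rather than outbound-flow thresholds.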


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
