The Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity wing of the U.S. Department of Homeland Security (DHS), has published a notice about a cybersecurity incident that targeted an unnamed federal agency. According to CISA, the attackers implanted malware, “including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.”
Describing the threat actor’s activity, CISA stated that the actor had valid credentials for several users’ Microsoft Office 365 accounts as well as domain administrator accounts. The actor used these accounts to browse a SharePoint site from IP address 91.219.236[.]166 and downloaded a file (Data from Information Repositories: SharePoint [T1213.002]). The actor also connected multiple times over Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server.
“After initial access, the threat actor performed Discovery [TA0007] by logging into an agency O365 email account from 91.219.236[.]166 and viewing and downloading help desk email attachments with ‘Intranet access’ and ‘VPN passwords’ in the subject line, despite already having privileged access (Email Collection [T1114], Unsecured Credentials: Credentials In Files [T1552.001]). (Note: these emails did not contain any passwords.) The actor logged into the same email account via Remote Desktop Protocol (RDP) from IP address 207.220.1[.]3 (External Remote Services [T1133]). The actor enumerated the Active Directory and Group Policy key and changed a registry key for the Group Policy (Account Manipulation [T1098]). Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping, and whoami, plink.exe—to enumerate the compromised system and network (Command and Scripting Interpreter [T1059], System Network Configuration Discovery [T1016]),” CISA stated.
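The activity CISA describes leaves three kinds of traces a defender can hunt for: authentications from the indicator IP addresses the notice lists, a burst of distinct Windows discovery commands from one user on one host, and the execution of a tunnelling tool such as plink.exe on a workstation. The following script is an added example, not CISA's or the agency's own detection content; the log formats, the host and user names, and the timestamps are constructed for illustration, and only the IP addresses and command names come from the notice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator IPs quoted in the CISA notice above (it defangs them as 91.219.236[.]166 etc.).
IOC_IPS = {"91.219.236.166", "185.86.151.223", "207.220.1.3"}

# Windows built-ins the notice lists as run in quick succession to enumerate the host.
DISCOVERY_CMDS = {"conhost", "ipconfig", "net", "query", "netstat", "ping", "whoami"}

# Tunnelling tool named in the notice; its execution on a user workstation deserves a ticket.
TUNNEL_TOOLS = {"plink.exe"}

# Constructed log formats (assumed for this example, not any real product's telemetry).
NET_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+)$")
PROC_LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")

# Constructed sample telemetry: authentication events and process-creation events.
NET_LOGS = """\
2020-09-01T08:02:11Z o365 src=91.219.236.166 user=alice
2020-09-01T08:05:40Z vpn src=185.86.151.223 user=svc_backup
2020-09-01T09:15:02Z o365 src=10.0.12.7 user=bob
2020-09-01T11:41:19Z rdp src=207.220.1.3 user=alice
"""

PROC_LOGS = r"""
2020-09-01T11:42:00Z host=WS-117 user=alice cmd=whoami
2020-09-01T11:42:05Z host=WS-117 user=alice cmd=ipconfig /all
2020-09-01T11:42:09Z host=WS-117 user=alice cmd=net user
2020-09-01T11:42:15Z host=WS-117 user=alice cmd=netstat -ano
2020-09-01T11:42:30Z host=WS-117 user=alice cmd=C:\Users\alice\Downloads\plink.exe
2020-09-01T14:10:00Z host=WS-042 user=bob cmd=ping fileserver01
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def defang(ip):
    """Write an IP the way the notice does, so it is not clicked or resolved by accident."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def _cmd_name(cmd):
    """Executable name of a command line: first token, Windows or POSIX path stripped, lower-cased."""
    first = cmd.split()[0].strip('"')
    return re.split(r"[\\/]", first)[-1].lower()


def find_ioc_logins(log_text):
    """Authentication events whose source address is one of the listed indicators."""
    hits = []
    for line in log_text.splitlines():
        m = NET_LOG_RE.match(line)
        if m and m["src"] in IOC_IPS:
            hits.append((m["ts"], m["service"], defang(m["src"]), m["user"]))
    return hits


def find_discovery_bursts(log_text, window=timedelta(minutes=5), min_distinct=4):
    """One alert per (host, user) running >= min_distinct distinct discovery commands within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = PROC_LOG_RE.match(line)
        if not m:
            continue
        name = _cmd_name(m["cmd"])
        stem = name[:-4] if name.endswith(".exe") else name
        if stem in DISCOVERY_CMDS:
            events[(m["host"], m["user"])].append((_ts(m["ts"]), m["ts"], stem))
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (start, start_raw, _) in enumerate(evs):
            seen = {stem for t, _, stem in evs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, user, start_raw, sorted(seen)))
                break  # one alert per host/user pair is enough for triage
    return alerts


def find_tunnel_tools(log_text):
    """Process-creation events that launch a known tunnelling binary."""
    hits = []
    for line in log_text.splitlines():
        m = PROC_LOG_RE.match(line)
        if m and _cmd_name(m["cmd"]) in TUNNEL_TOOLS:
            hits.append((m["ts"], m["host"], m["user"], _cmd_name(m["cmd"])))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_logins(NET_LOGS):
        print("IOC login:", hit)
    for alert in find_discovery_bursts(PROC_LOGS):
        print("Discovery burst:", alert)
    for hit in find_tunnel_tools(PROC_LOGS):
        print("Tunnel tool:", hit)
```

The burst rule deliberately keys on distinct command names within a short window rather than on any single command, since `ping` or `ipconfig` alone is everyday administrator noise; the window and threshold are tunable arguments so the same function can be fitted to an environment's own baseline.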
After accessing the local Active Directory, the attackers modified its settings and, to move more easily through the federal body’s network, also mounted a file share and installed custom malware. “The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA added.
CISA also stated that the hackers were able to bypass the agency’s anti-malware protection. It is still unclear how the hackers obtained valid credentials; there has been speculation that the credentials were leaked through the exploitation of vulnerabilities, which has been rampant across government networks for some time.
CISA also recommended that the affected organization deploy an enterprise firewall and block unused ports. Additionally, it recommended the following best practices:
- Implement multi-factor authentication, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Implement the principle of least privilege on data access.
- Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
- Deploy and maintain endpoint defense tools on all endpoints.
- Keep software up to date.