An intruder breached a federal agency’s internal network and accessed data files using compromised credentials and custom malware, the Cybersecurity and Infrastructure Security Agency said in an Analysis Report.
The attacker relied on multiple users’ Microsoft Office 365 accounts and domain administrator accounts to get the initial foothold into the agency network, according to CISA’s Analysis Report. The attack also utilized compromised credentials for domain administrator accounts and the Pulse Secure VPN server.
CISA said EINSTEIN, its intrusion detection system that monitors federal civilian networks, flagged the malicious activity. CISA’s incident response report did not include the name of the federal agency, or offer any details about the attacker (or adversary group) or when the attack happened and was detected. The report contains technical details of the multi-stage attack such as the threat actor’s tactics, techniques, procedures, and indicators of compromise.
The attacker’s first foray into the network began by remotely logging into an agency computer and browsing a SharePoint site using an employee’s Microsoft Office 365 credential. The attacker also connected multiple times to the VPN server.
CISA’s investigation could not definitely say how the credentials were compromised, but one of the ways may have involved exploiting a known vulnerability in the agency’s Pulse Secure VPN server (CVE-2019-11510). A security update has been available since April 2019, but the Department of Homeland Security had previously warned that attack groups may have compromised Active Directory accounts before the patches were deployed. In those cases, the attackers were already in the network.
“It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure,” CISA said in the report. The vulnerability allows “remote, unauthenticated retrieval of files, including passwords.”
The attacker explored the network by logging into an Office 365 email account to view and download help-desk messages with the phrases “Intranet access” and “VPN passwords” in the subject lines. None of the help-desk messages contained actual passwords, CISA noted in the report. The attacker was able to enumerate the Active Directory and Group Policy key, and was also able to change a registry key for the Group Policy. Considering the attacker already had privileged access in the network, the attacker was likely looking for more areas to target.
The actor used “common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” CISA said.
The attacker connected to a virtual private server (VPS) through a Windows Server Message Block (SMB) client. Once done, the attacker was able to connect to a command-and-control server and install custom malware, which turned out to be a dropper for additional malware.
The custom malware "was able to overcome the agency's anti-malware protection, and inetinfo.exe [the malware] escaped quarantine," CISA said.
The attacker also created a backdoor to the network by installing an SSH tunnel and reverse SOCKS proxy. The proxy used port 8100, a normally closed port which was opened by the malware.
The attacker “gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall,” CISA said.
Setting up a hard drive to the agency’s network as a locally mounted remote share “allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA said.
With the ability to remain in the network—and to get back in when necessary—assured, the attacker created a local account on the network. That local account was used to browse through file servers, copy files from users’ home directories to the previously mounted remote share, execute PowerShell commands, and create ZIP archives. The attacker also created a reverse SMB SOCK proxy to connect an attacker-controlled VPS and the network’s file server.
There were signs the attacker copied files and moved them around. In at least one instance, some data was exfiltrated from the network using Microsoft Windows Terminal Services. However, the attacker masked many of their activities so CISA’s investigators were unable to determine if all the files they accessed were exfiltrated, or just some.
CISA used MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to describe each of the attacker behaviors. Since the ATT&CK framework provides a common language for adversary behavior associated with each phase of the attack lifecycle, it is easier for security teams to understand how the techniques were used during the attack.
The report also outlined some recommendations on preventing a similar attack, such as implementing multifactor authentication on user accounts and setting up separate administrative accounts on separate administration workstations. CISA also recommended security teams monitor network traffic for unusual open ports, unexpected protocols, and signs large files are leaving the network. The attack used quite a few protocols to connect to the Internet, such as SSH, SMB, and RDP (Remote Desktop Protocol), and the malware opened port 8100, when it was supposed to be closed. Organizations should have an enterprise firewall to control what is allowed in and out of the network, and ports that aren't needed should be blocked.
"If network defenders note any of the above activity, they should investigate," CISA said.