U.S. cybersecurity and intelligence agencies have disclosed that the enterprise network of a U.S. Defense Industrial Base (DIB) Sector organization was targeted for cyber espionage by several hacking groups with ties to foreign nation-states.
The FBI and NSA said that, having compromised the environment, the adversaries maintained long-term access to it.
The findings come from CISA's incident response engagement, which ran from November 2021 through January 2022. A trusted third party that took part in the response did not attribute the intrusion to a known threat actor or group.
How the attackers first gained entry is not known, but their earliest foothold was the organization's Microsoft Exchange Server.
Once inside, the actors carried out post-exploitation activity: reconnaissance and data collection that led to the exfiltration of sensitive contract-related information, and the use of Impacket for persistence and lateral movement.
The attackers exploited a vulnerability in Microsoft Exchange Server to install 17 China Chopper web shells and HyperBro, a backdoor used exclusively by the threat group Lucky Mouse (also tracked as APT27, Bronze Union, Budworm, and Emissary Panda).
The intruders used a bespoke malware strain called CovalentStealer to steal documents that were stored on file shares.
Organizations are advised to monitor their logs for unusual VPN connections, suspicious account use, unauthorized changes to user accounts, and suspicious commands, since these were the traces the intruders left while moving through the network.
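The "suspicious commands" the advice refers to are easiest to spot when you know what a tool leaves behind. The script below is an added example, not code from the advisory or from the incident responders: it scans process-creation records for the command-line templates that Impacket's wmiexec.py and smbexec.py produce (the `1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` redirection and the `%TEMP%\execute.bat` service stub), then lists the accounts involved for the account-use review. The log lines, the `account|parent|command_line` layout, and the account and host names are all constructed for the example; on a real network you would feed it Windows Security event 4688 or Sysmon event 1 data exported in the same shape.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like Windows Security event 4688
# (process creation), flattened to "account|parent_process|command_line".
# These lines were written for this example; they are not logs from the incident.
SAMPLE_LOG = r"""
CORP\svc-backup|WmiPrvSE.exe|cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1664895642.13 2>&1
CORP\jdoe|explorer.exe|notepad.exe C:\Users\jdoe\notes.txt
CORP\svc-backup|services.exe|%COMSPEC% /Q /c echo net user ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
CORP\jdoe|cmd.exe|ipconfig /all
CORP\svc-backup|WmiPrvSE.exe|cmd.exe /Q /c dir C:\Shares\Contracts 1> \\127.0.0.1\ADMIN$\__1664895700.02 2>&1
"""

# Command-line artifacts of two Impacket lateral-movement tools.
# wmiexec.py runs each command over WMI as
#   cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# smbexec.py installs a short-lived service whose binary path is
#   %COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & ...
IMPACKET_SIGNATURES = {
    "impacket.wmiexec": re.compile(
        r"cmd\.exe /Q /c .* 1> \\\\127\.0\.0\.1\\(ADMIN|C)\$\\__\d+(\.\d+)? 2>&1", re.I
    ),
    "impacket.smbexec": re.compile(
        r"/Q /c echo .*\^> \\\\127\.0\.0\.1\\C\$\\__output 2\^>&1 > .*execute\.bat", re.I
    ),
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one flattened record into its three fields (command line may contain '|')."""
    account, parent, cmdline = line.split("|", 2)
    return {"account": account, "parent": parent, "command_line": cmdline}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per record whose command line matches an Impacket signature."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for name, pattern in IMPACKET_SIGNATURES.items():
            if pattern.search(rec["command_line"]):
                hits.append({**rec, "rule": name})
                break  # one rule per record is enough for triage
    return hits


def accounts_to_review(hits: List[Dict[str, str]]) -> List[str]:
    """Accounts seen running Impacket-shaped commands, for the account-use review."""
    return sorted({h["account"] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h['rule']}] {h['account']} via {h['parent']}: {h['command_line'][:60]}")
    print("accounts to review:", accounts_to_review(found))
```

A service account spawning `cmd.exe` under `WmiPrvSE.exe` with output redirected to a local admin share is almost never legitimate, which is why the wmiexec pattern is a high-confidence signal; the smbexec pattern additionally coincides with service-installation events (Security 4697 or System 7045) that are worth correlating with the same account.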