US Agencies Warn of Tools Used to Access DIB Entity’s Sensitive Data
U.S. government agencies have released a joint advisory to inform the defense industrial base about the recent tactics, techniques and procedures that advanced persistent threat groups use to obtain critical information from a DIB organization. The cybersecurity advisory from the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency revealed that several APT groups used an open-source Python toolkit called Impacket to access the organization’s network and the CovalentStealer custom data exfiltration tool to steal sensitive data. CISA and a third-party incident response entity found the malicious activities during their investigation of the incident, NSA said.
The probe, performed from November 2021 through January 2022, determined that some APT actors gained access to the DIB organization's accounts and employee data by exploiting a vulnerability on the company's Microsoft Exchange server. Using a compromised administrator account and a virtual private network, the threat actors accessed the Exchange Web Services application programming interface. The APT groups then installed two Impacket tools, which programmatically construct and manipulate network protocols, and used them to gain access to another system.
To detect if threat actors have penetrated enterprise environments, the agencies recommended monitoring suspicious account use and logs for connections from unexpected ranges, particularly from machines hosted by SurfShark and M247. All organizations that have compromised networks are advised to report the incident, reset all login accounts, audit accounts and permissions and enforce multi-factor authentication, among other actions.
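The detection guidance above boils down to comparing the source address of each successful logon against the address ranges an organization expects its users to come from. The following Python script is an added illustration of that check and is not code from the advisory or from any of the agencies; the log format, the expected corporate ranges and the "watchlist" provider range are all constructed placeholders that an analyst would replace with their own VPN/EWS log schema and their own threat-intelligence ranges for providers such as the ones the advisory names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the advisory): timestamp, account,
# source IP, target application and authentication result.
SAMPLE_LOGS = """\
2022-01-10T02:14:07Z user=svc_backup src=203.0.113.45 target=EWS/Exchange.asmx result=success
2022-01-10T09:05:31Z user=jdoe src=10.20.4.17 target=EWS/Exchange.asmx result=success
2022-01-10T09:06:02Z user=jdoe src=10.20.4.17 target=OWA result=success
2022-01-10T23:41:19Z user=admin_ops src=198.51.100.200 target=EWS/Exchange.asmx result=success
2022-01-11T03:12:44Z user=admin_ops src=198.51.100.201 target=EWS/Exchange.asmx result=success
2022-01-11T10:00:00Z user=asmith src=10.20.5.9 target=OWA result=failure
"""

# Ranges this hypothetical organization expects logons from (corporate LAN and its own
# VPN pool). These are private/documentation ranges, not any real victim's ranges.
EXPECTED_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Placeholder watchlist of hosting/VPN provider ranges. The advisory points at specific
# providers; the range below is a constructed stand-in, not a real provider allocation.
WATCHLIST_RANGES = {
    "hosting-provider-A (placeholder)": ipaddress.ip_network("198.51.100.0/24"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])  # reject malformed source fields early
    except ValueError:
        return None
    return rec


def classify_source(src):
    """Classify a source IP string as 'expected', 'watchlist' (with label) or 'unexpected'."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in EXPECTED_RANGES):
        return "expected", None
    for label, net in WATCHLIST_RANGES.items():
        if ip in net:
            return "watchlist", label
    return "unexpected", None


def find_suspicious_logons(log_text):
    """Return one alert per successful logon whose source is outside the expected ranges."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Failed attempts are noise for this particular check; only successes matter.
        if rec is None or rec["result"] != "success":
            continue
        kind, label = classify_source(rec["src"])
        if kind == "expected":
            continue
        reason = f"logon from {kind} range" + (f" ({label})" if label else "")
        alerts.append({
            "ts": rec["ts"], "user": rec["user"], "src": rec["src"],
            "target": rec["target"], "reason": reason,
        })
    return alerts


def accounts_with_multiple_flagged_sources(alerts):
    """Accounts seen authenticating from more than one flagged source address.

    An account hopping between several unexpected addresses is a stronger signal of
    credential misuse than a single stray logon, so it is worth surfacing separately.
    """
    sources = defaultdict(set)
    for a in alerts:
        sources[a["user"]].add(a["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    found = find_suspicious_logons(SAMPLE_LOGS)
    for a in found:
        print(f"{a['ts']} {a['user']} from {a['src']} -> {a['target']}: {a['reason']}")
    for user, srcs in accounts_with_multiple_flagged_sources(found).items():
        print(f"REVIEW {user}: flagged logons from {len(srcs)} distinct addresses {srcs}")
```

On the constructed sample the script flags the service account logging in from an address outside every known range and the administrator account authenticating twice from the placeholder provider range, while the ordinary user on the corporate LAN and the failed attempt are ignored. In practice the expected ranges should be taken from the VPN concentrator and office egress configuration rather than hard-coded, and the watchlist should be refreshed from current intelligence on the providers the advisory names.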
The agencies also provided mitigation recommendations, including implementing network segmentation, updating software and using cybersecurity visibility and analytics tools.