An unspecified US government agency was hacked by a miscreant who appears to have made off with archives of information.
This is according to Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA), which on Thursday went into technical detail on how an intruder: broke into staffers' Office 365 accounts; gained access to the agency's internal network via its VPN; and installed malware and exfiltrated data.
"CISA became aware – via EINSTEIN, CISA's intrusion detection system that monitors federal civilian networks – of a potential compromise of a federal agency's network," the team wrote. "In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity."
We're told the hacker possessed valid login credentials for a bunch of the hacked agency's Microsoft Office 365 accounts as well as domain administrator accounts. CISA suggested these details were obtained by someone exploiting the CVE-2019-11510 vulnerability in Pulse Secure products present in government networks, a hole that can be abused to fetch files and passwords from a vulnerable machine. CISA said it had "observed wide exploitation of CVE-2019-11510 across the federal government," worryingly enough.
Armed with those stolen Office 365 credentials, the attacker logged into one of the agency's O365 accounts, made a beeline for a SharePoint server, and browsed its pages and downloaded a file. Shortly after, the intruder connected to the unnamed agency's VPN, presumably using information gleaned so far from snooping around.
After that, once in the network, the miscreant returned to rifling through one of the Office 365 accounts, "viewing and downloading help desk email attachments with 'Intranet access' and 'VPN passwords' in the subject line, despite already having privileged access," CISA noted. "These emails did not contain any passwords." Nice try but no cigar, then.
Next, the miscreant enumerated the network using standard Windows command-line tools, connected to an external virtual server via SMB, and then, using their administrator credentials, sought to gain a persistent presence on the network by, according to CISA:
- Creating a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy
- Running inetinfo.exe (a unique, multi-stage malware used to drop files)
- Setting up a locally mounted remote share ... the mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis.
They then created a local account that allowed them to steal files thus:
- Browse directories on a victim file server
- Copy a file from a user's home directory to their locally mounted remote share. CISA analysts detected the cyber threat actor interacting with other files on users' home directories but could not confirm whether they were exfiltrated.
- Create a reverse SMB SOCKS proxy that allowed connection between a cyber threat actor-controlled VPS and the victim organization's file server
- Interact with PowerShell module Invoke-TmpDavFS.psm
- Exfiltrate data from an account directory and file server directory using tsclient (tsclient is a Microsoft Windows Terminal Services client)
- Create two compressed Zip files with several files and directories on them; it is likely that the cyber threat actor exfiltrated these Zip files, but this cannot be confirmed because the actor masked their activity.
The malware used was non-trivial – it injected decrypted code into itself to fetch and run a payload from a remote server – and was able to avoid detection by hoodwinking the system's antivirus. "The cyber threat actor was able to overcome the agency's anti-malware protection, and inetinfo.exe escaped quarantine," CISA said. Its analysts "determined that the cyber threat actor accessed the anti-malware product's software license key and installation guide and then visited a directory used by the product for temporary file analysis. After accessing this directory, the cyber threat actor was able to run inetinfo.exe."
As we don't know the name of the agency nor what info was stolen, it's hard to say just what the damage was here, though obviously it was important enough for a smart attacker to go through a number of steps to infiltrate and get persistence on the victim network.
As for prevention, CISA recommended organizations follow the usual best practices: monitor for and shut down unusual open ports, e.g. port 8100; watch out for large outbound file transfers; and prevent unexpected protocol use, such as SSH, SMB, and RDP. Folks should "deploy an enterprise firewall to control what is allowed in and out of their network" and "conduct a survey of the traffic in and out of their enterprise to determine the ports needed for organizational functions. They should then configure their firewall to block unnecessary ports."
It also published a list of IP addresses, used by the hacker, to look for in logs as a sign of compromise, and to block in case they are reused. CISA declined to comment further. ®
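To make the above recommendations concrete, here is an added example (not CISA's code, nor anything from the article) that runs the three checks CISA describes, plus an IoC address match, over a few constructed firewall/flow log lines. The log format, the approved egress port list, the 100 MiB "large transfer" threshold, and the block-list addresses (drawn from RFC 5737 documentation ranges, not CISA's published list) are all assumptions made for the example.

```python
"""Triage outbound flows for the warning signs CISA lists: unusual ports
such as 8100, large outbound transfers, unexpected SSH/SMB/RDP egress,
and destinations on a block list. Added example with constructed data."""
import ipaddress
import re
from dataclasses import dataclass

# Ports the (hypothetical) organisation surveyed and approved for egress.
APPROVED_EGRESS_PORTS = {53, 80, 443}
# Protocols CISA singled out as unexpected when seen leaving the enterprise.
UNEXPECTED_PROTOCOL_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}
# Single-flow byte count above which we call it a large transfer (assumption).
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024
# Placeholder block list standing in for CISA's published addresses.
IOC_ADDRESSES = {
    ipaddress.ip_address("203.0.113.7"),
    ipaddress.ip_address("198.51.100.23"),
}
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed line format: "<ts> <src>:<sport> -> <dst>:<dport> out=<bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+out=(?P<out>\d+)$"
)


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line; raise on anything unexpected."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), int(m["out"]))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(flow: Flow) -> list:
    """Return the list of findings for one flow (empty when it looks benign)."""
    findings = []
    if is_internal(flow.dst):
        return findings  # internal-to-internal copies are out of scope here
    if ipaddress.ip_address(flow.dst) in IOC_ADDRESSES:
        findings.append(f"destination {flow.dst} is on the IoC block list")
    if flow.dport in UNEXPECTED_PROTOCOL_PORTS:
        proto = UNEXPECTED_PROTOCOL_PORTS[flow.dport]
        findings.append(f"unexpected {proto} egress on port {flow.dport}")
    elif flow.dport not in APPROVED_EGRESS_PORTS:
        findings.append(f"egress to unapproved port {flow.dport}")
    if flow.bytes_out >= LARGE_TRANSFER_BYTES:
        findings.append(f"large outbound transfer ({flow.bytes_out} bytes)")
    return findings


def triage_log(text: str) -> list:
    """Run triage over every line; return one record per flow with findings."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        hits = triage(flow)
        if hits:
            report.append({"ts": flow.ts, "src": flow.src,
                           "dst": flow.dst, "dport": flow.dport,
                           "findings": hits})
    return report


# Constructed sample log: two block-listed peers, an SMB session pushing
# 150 MiB out, a normal HTTPS flow, and an internal file copy.
SAMPLE_LOG = """\
2020-09-24T10:01:02Z 10.1.4.22:51234 -> 203.0.113.7:8100 out=512
2020-09-24T10:03:15Z 10.1.4.22:51240 -> 198.51.100.23:22 out=4096
2020-09-24T10:05:40Z 10.1.7.9:51300 -> 203.0.113.99:445 out=157286400
2020-09-24T10:06:00Z 10.1.7.9:51301 -> 192.0.2.10:443 out=2048
2020-09-24T10:07:10Z 10.1.4.22:51302 -> 10.1.9.5:445 out=734003200
"""

if __name__ == "__main__":
    for record in triage_log(SAMPLE_LOG):
        print(record["ts"], record["src"], "->", record["dst"], record["dport"])
        for finding in record["findings"]:
            print("   ", finding)
```

The script deliberately treats a connection to an unapproved port and a connection on an expected-but-unexpected protocol (SSH, SMB, RDP) as separate findings, because CISA's advice covers both: survey which ports the organisation really needs, then block the rest at the firewall, and watch separately for tunnelling protocols that should never leave the network.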