APT groups likely maintained long-term access to Defense Industrial Base organization


US law enforcement and national security officials, including the FBI, disclosed in a joint advisory that multiple advanced persistent threat (APT) groups likely infiltrated a Defense Industrial Base organization to steal sensitive information.

APT is the label typically given to state-sponsored hacking groups, which operate out of a variety of nations, including the US, Iran, Russia, Pakistan, Vietnam, China, and North Korea.

From November 2021 through January 2022, unusual cyber activity was recorded on a Defense Industrial Base (DIB) Sector organization’s enterprise network. The subsequent investigation found it likely that multiple APT actors had compromised the network, with some of them maintaining “long-term access to the environment.”


The threat actors used the open-source toolkit Impacket to gain a foothold and further compromise the network, and later deployed a custom data exfiltration tool, CovalentStealer, to steal sensitive data.

“One of these tools is Impacket, which is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. Impacket is a “dual use” tool in that it is used by legitimate tools as well as by adversaries during intrusions. Adversaries favor Impacket because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems,” Katie Nickels, Director of Intelligence at Red Canary, commented.

Nickels also notes that Impacket regularly makes the Red Canary “top 10” list of threats observed in customer environments, being the fourth most prevalent threat in September.

Impacket activity is fairly easy to detect, but there is a caveat: without additional context it is hard to tell whether a given instance is malicious or benign, because the same tooling is used in authorised testing.

“Approximately one third of the Impacket detections we saw in 2021 were from confirmed testing. Red Canary recommends that all organizations have a clear understanding of authorized use of Impacket in their environments, and consider any activity outside of that to be malicious until proven otherwise. If an organization’s infosec team detects a malicious instance of Impacket, they should consider isolating the endpoint because there may be an active adversary in their environment. By detecting the use of Impacket early in an intrusion, defenders have a good chance at stopping that intrusion and preventing exfiltration of sensitive data,” Nickels explains.
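The approach Nickels describes, detecting Impacket early and then deciding from context whether it is authorised, can be expressed as a small triage script. The following is an added example, not code from the advisory or from Red Canary. It parses constructed process-creation events (Sysmon Event ID 1 style, one JSON object per line; the field names are this example's own), flags command lines matching the default remote-execution templates of Impacket's wmiexec.py, smbexec.py and atexec.py scripts, uses the parent process to rate confidence, and applies a hypothetical allowlist of red-team accounts and hosts so that everything outside it is treated as malicious until proven otherwise, with endpoint isolation as the suggested action. The regex patterns and expected parent processes are assumptions drawn from those scripts' default behaviour.

```python
import json
import re

# Default remote-execution command templates used by Impacket's example
# scripts (wmiexec.py, smbexec.py, atexec.py). The patterns and expected
# parent processes below are this example's assumptions about those
# artifacts, not detection rules taken from the advisory.
IMPACKET_SIGNATURES = {
    "wmiexec": {
        "parent": "wmiprvse.exe",   # WMI provider host spawns the command
        "cmdline": re.compile(
            r"cmd\.exe /Q /c .+ 1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)? 2>&1", re.I),
    },
    "smbexec": {
        "parent": "services.exe",   # command runs through a transient service
        "cmdline": re.compile(
            r"%COMSPEC% /Q /c echo .+ \^> \\\\127\.0\.0\.1\\\w+\$\\__\w+", re.I),
    },
    "atexec": {
        "parent": "svchost.exe",    # Task Scheduler service hosts the task
        "cmdline": re.compile(
            r"cmd\.exe /C .+ > (?:%windir%|C:\\Windows)\\Temp\\[A-Za-z]{8}\.tmp 2>&1", re.I),
    },
}

# Hypothetical allowlist of authorised Impacket use (the internal red team's
# service account and lab host). Anything outside it is malicious until
# proven otherwise, as the quoted recommendation puts it.
ALLOWLIST = {
    "accounts": {"corp\\pentest-svc"},
    "hosts": {"lab-dc01"},
}

# Constructed process-creation events, one JSON object per line. Not real
# telemetry; hostnames, accounts and timestamps are made up for the example.
SAMPLE_EVENTS = r'''
{"ts": "2022-01-12T03:14:07Z", "host": "FILESRV01", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "command_line": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1641957247.12 2>&1"}
{"ts": "2022-01-12T03:20:41Z", "host": "LAB-DC01", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"}
{"ts": "2022-01-12T03:31:05Z", "host": "HR-WS12", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe", "command_line": "cmd.exe /C net user > C:\\Windows\\Temp\\QxTzWbHk.tmp 2>&1"}
{"ts": "2022-01-12T08:02:19Z", "host": "HR-WS12", "user": "CORP\\asmith", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cmd.exe /c dir"}
{"ts": "2022-01-12T09:45:33Z", "host": "FILESRV01", "user": "CORP\\pentest-svc", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "command_line": "cmd.exe /Q /c net user /domain 1> \\\\127.0.0.1\\ADMIN$\\__1641980733.5 2>&1"}
'''


def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def classify(event, allowlist=ALLOWLIST):
    """Return a finding dict if the event matches an Impacket artifact, else None."""
    cmdline = event.get("command_line", "")
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    for tool, sig in IMPACKET_SIGNATURES.items():
        if not sig["cmdline"].search(cmdline):
            continue
        # The parent process corroborates the execution method; the command
        # line alone could be a copy-paste or a different tool.
        confidence = "high" if parent == sig["parent"] else "medium"
        authorised = (event.get("user", "").lower() in allowlist["accounts"]
                      or event.get("host", "").lower() in allowlist["hosts"])
        return {
            "host": event.get("host"),
            "user": event.get("user"),
            "tool": "impacket-" + tool,
            "confidence": confidence,
            "verdict": "authorised-testing" if authorised else "malicious-until-proven-otherwise",
            "action": "none" if authorised else "isolate-endpoint",
        }
    return None


def triage(raw=SAMPLE_EVENTS, allowlist=ALLOWLIST):
    """Classify a batch of events and return only the findings."""
    findings = [classify(e, allowlist) for e in parse_events(raw)]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage():
        print(f"{f['host']:<10} {f['user']:<22} {f['tool']:<17} "
              f"{f['confidence']:<6} {f['verdict']} -> {f['action']}")
```

Run as-is, the script reports the FILESRV01 and HR-WS12 activity as malicious with endpoint isolation recommended, while the LAB-DC01 and pentest-svc events are recognised as authorised testing; the ordinary `cmd.exe /c dir` produces no finding at all. In a real deployment the allowlist would be the organisation's documented record of who may run Impacket where, and the "medium" confidence branch is where a human should look at the parent process before isolating anything.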

According to the advisory, the initial access vector remains unknown; what is documented is that the threat actors exploited known Microsoft Exchange Server vulnerabilities on the organization's server to extend their access. Nickels also addressed the then-recent Exchange Server zero-day vulnerabilities known as ProxyNotShell, but cautions that it is hard to state conclusively what served as the initial access vector.

“It is possible that adversaries could have gained access by exploiting vulnerabilities in Exchange, but there is no evidence to support this right now, nor is there evidence that adversaries knew about the ProxyNotShell vulnerabilities. The advisory notes that actors did exploit multiple known vulnerabilities from 2021 to install webshells on the Exchange server later in the intrusion. There have been multiple Exchange vulnerabilities over a span of years, and given the challenges of patching on-premise Exchange servers, many of these vulnerabilities remain unpatched and give adversaries an opportunity to compromise a network.”

The joint Cybersecurity Advisory (CSA) provides indicators of compromise and mitigation strategies to help organizations detect and prevent related APT activity. These include managing vulnerabilities and configurations, searching for anomalous behaviour, securing the use of remote admin tools, and implementing a mandatory access control model, among others.
