Feds Hit with Successful Cyber attack, Data Stolen

The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit.
A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

- Advertisement -

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA. “First, the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server.”

Feds Hit with Successful Cyber attack, Data Stolen
Feds Hit with Successful Cyber attack, Data Stolen cyber

As for how the attackers managed to get their hands on the credentials in the first place, CISA’s investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said it has been rampant across government networks.

“It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure,” according to the alert. “CVE-2019-11510…allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government
The patch was issued in April of 2019. Still, the Department of Homeland Security (DHS) in April of this year noted that before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw. So, even those who have patched for the bug could still be compromised and are vulnerable to attack.

- Advertisement -

After initial access, the group set about carrying out reconnaissance on the network. First, they logged into an agency O365 email account to view and download help-desk email attachments with “Intranet access” and “VPN passwords” in the subject lines – and it uncovered Active Directory and Group Policy key, changing a registry key for the Group Policy.


“Immediately afterwards, the threat actor used common Microsoft Windows command line processes—cohost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” according to CISA.


The next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it; then, they executed plink.exe, a remote administration utility.
After that, they connected to command-and-control (C2), and installed a custom malware with the file name “inetinfo.exe.” The attackers also set up a locally mounted remote share, which “allowed the actor to freely move during its operations while leaving fewer artefacts for forensic analysis,” CISA noted.


The cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.
“inetinfo.exe is a unique, multistage malware used to drop files,” explained CISA. “It dropped system.dll and 363691858 files and the second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.”

It added, “The cyber-threat actor was able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped quarantine.”
CISA didn’t specify what the secondary payload was – Threatpost has reached out for additional information.
The threat group meanwhile also established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy.

- Advertisement -

“The proxy allowed connections between an attacker-controlled remote server and one of the victim organization’s file servers,” according to CISA. “The reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker’s malware opened it.”
A local account was then created, which was used for data collection and exfiltration. From the account, the cybercriminals browsed directories on victim file servers; copied files from users’ home directories; connected an attacker-controlled VPS with the agency’s file server (via a reverse SMB SOCKS proxy), and exfiltrated all the data using the Microsoft Windows Terminal Services client.

The attack has been remediated – and it’s unclear when it took place. CISA said that its intrusion-detection system was thankfully able to flag the activity, however eventually.
“CISA became aware—via EINSTEIN, CISA’s intrusion-detection system that monitors federal civilian networks—of a potential compromise of a federal agency’s network,” according to the alert. “In coordination with the affected agency, CISA conducted an incident response engagement, confirming the malicious activity.”

Also Read:

YOU MIGHT LIKE

Oppo Reno 5 Pro 5G could Come with Quad Camera Specifications

There is a lot of buzz around Oppo’s next flagship smartphone series, oppo Reno 5. Already, the smartphone series has appeared in multiple leaks...

2FA bypass discovered in web hosting software cPanel

Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The...

YouTube 8K Streaming Support Reportedly Rolling Out to Select Android TV Users

YouTube is reportedly rolling out 8K streaming support for select Android TV users as part of the company’s plans to possibly bring the feature to all users everywhere. According...

Indian Government Bans 43 More Chinese Apps Including Ali Express

The Indian Government has today banned another 43 apps of Chinese origin under section 69A of the Information Technology Act. The news was released...

PUBG Mobile India was Recently Registered as a Company and Launch Soon

PUBG Mobile is one of the leading mobile battle royale titles. The game has amassed a massive fan base worldwide and holds a special place...

Leave A Reply

Please enter your comment!
Please enter your name here