[BreachExchange] Feds Hit with Successful Cyberattack, Data Stolen

Destry Winant destry at riskbasedsecurity.com
Fri Sep 25 10:23:52 EDT 2020


https://threatpost.com/feds-cyberattack-data-stolen/159541/

The attack featured a unique, multistage malware and a likely
PulseSecure VPN exploit.

A federal agency has suffered a successful espionage-related
cyberattack that led to a backdoor and multistage malware being
dropped on its network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
issued an alert on Thursday, not naming the agency but providing
technical details of the attack. Hackers, it said, gained initial
access by using employees’ legitimate Microsoft Office 365 log-in
credentials to sign onto an agency computer remotely.

“The cyber-threat actor had valid access credentials for multiple
users’ Microsoft Office 365 (O365) accounts and domain administrator
accounts,” according to CISA. “First, the threat actor logged into a
user’s O365 account from Internet Protocol (IP) address
91.219.236[.]166 and then browsed pages on a SharePoint site and
downloaded a file. The cyber-threat actor connected multiple times by
Transmission Control Protocol (TCP) from IP address 185.86.151[.]223
to the victim organization’s virtual private network (VPN) server.”

As for how the attackers managed to get their hands on the credentials
in the first place, CISA’s investigation turned up no definitive
answer – however, it speculated that it could have been a result of a
vulnerability exploit that it said has been rampant across government
networks.

“It is possible the cyber-actor obtained the credentials from an
unpatched agency VPN server by exploiting a known
vulnerability—CVE-2019-11510—in Pulse Secure,” according to the alert.
“CVE-2019-11510…allows the remote, unauthenticated retrieval of files,
including passwords. CISA has observed wide exploitation of
CVE-2019-11510 across the federal government.”

The patch was issued in April of 2019, but the Department of Homeland
Security (DHS) in April of this year noted that before the patches
were deployed, bad actors were able to compromise Active Directory
accounts via the flaw – so even agencies that have since patched may
already have been compromised and remain at risk.

After initial access, the group set about carrying out reconnaissance
on the network. First they logged into an agency O365 email account to
view and download help-desk email attachments with “Intranet access”
and “VPN passwords” in the subject lines, and uncovered Active
Directory and Group Policy keys, changing a registry key for the Group
Policy.

“Immediately afterward, the threat actor used common Microsoft Windows
command line processes—conhost, ipconfig, net, query, netstat, ping
and whoami, plink.exe—to enumerate the compromised system and
network,” according to CISA.

The next step was to connect to a virtual private server (VPS) through
a Windows Server Message Block (SMB) client, using an alias secure
identifier (SID) account that the group had previously created to log
in; then they executed plink.exe, a remote administration utility.

After that, they connected to command-and-control (C2), and installed
a custom malware with the file name “inetinfo.exe.” The attackers also
set up a locally mounted remote share, which “allowed the actor to
freely move during its operations while leaving fewer artifacts for
forensic analysis,” CISA noted.

The cybercriminals, while logged in as an admin, created a scheduled
task to run the malware, which turned out to be a dropper for
additional payloads.
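The steps above (a burst of enumeration commands, plink.exe, and a scheduled task running a binary named inetinfo.exe from outside the IIS directory) are all visible in process-creation telemetry. The following detector is an added example, not code from the CISA alert or Threatpost; the log format and every sample event are constructed, and the IIS path is the one where the legitimate inetinfo.exe lives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the CISA alert):
# timestamp, user, image path, command line.
SAMPLE_LOG = r"""
2020-09-01T10:00:01 user=AGENCY\jdoe image=C:\Windows\System32\whoami.exe cmd="whoami"
2020-09-01T10:00:09 user=AGENCY\jdoe image=C:\Windows\System32\ipconfig.exe cmd="ipconfig /all"
2020-09-01T10:00:31 user=AGENCY\jdoe image=C:\Windows\System32\net.exe cmd="net user /domain"
2020-09-01T10:01:12 user=AGENCY\jdoe image=C:\Windows\System32\NETSTAT.EXE cmd="netstat -ano"
2020-09-01T10:03:40 user=AGENCY\jdoe image=C:\Users\jdoe\plink.exe cmd="plink.exe [args omitted]"
2020-09-01T10:05:02 user=AGENCY\jdoe image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /tn Updater /tr C:\ProgramData\inetinfo.exe"
2020-09-01T10:05:30 user=AGENCY\jdoe image=C:\ProgramData\inetinfo.exe cmd="inetinfo.exe"
2020-09-01T11:30:00 user=AGENCY\svc_iis image=C:\Windows\System32\inetsrv\inetinfo.exe cmd="inetinfo.exe"
"""

LINE_RE = re.compile(r'^(\S+) user=(\S+) image=(\S+) cmd="(.*)"$')
RECON_TOOLS = {"ipconfig.exe", "net.exe", "query.exe", "netstat.exe", "ping.exe", "whoami.exe"}
IIS_INETINFO = r"c:\windows\system32\inetsrv\inetinfo.exe"  # where the real IIS binary lives

def parse(log):
    # Returns (timestamp, user, image, cmd); user and image are lower-cased for matching.
    events = []
    for m in (LINE_RE.match(line) for line in log.strip().splitlines()):
        if m:
            ts, user, image, cmd = m.groups()
            events.append((datetime.fromisoformat(ts), user.lower(), image.lower(), cmd))
    return events

def detect(log, window=timedelta(minutes=5), min_tools=4):
    """Flag plink.exe, a misplaced inetinfo.exe, a task scheduled for it, and recon bursts."""
    findings, recon = [], defaultdict(list)
    for ts, user, image, cmd in parse(log):
        exe = image.rsplit("\\", 1)[-1]
        if exe in RECON_TOOLS:
            recon[user].append((ts, exe))
        elif exe == "plink.exe":
            findings.append(f"{user}: plink.exe executed from {image}")
        elif exe == "inetinfo.exe" and image != IIS_INETINFO:
            findings.append(f"{user}: inetinfo.exe outside IIS directory ({image})")
        elif exe == "schtasks.exe" and "/create" in cmd.lower() and "inetinfo.exe" in cmd.lower():
            findings.append(f"{user}: scheduled task created to run inetinfo.exe")
    # Several distinct enumeration tools run by one user inside a short window.
    for user, evs in recon.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            tools = {exe for ts, exe in evs[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                findings.append(f"{user}: {len(tools)} enumeration tools within {window}")
                break
    return findings
```

Running `detect(SAMPLE_LOG)` yields four findings; the legitimate IIS instance of inetinfo.exe is not flagged.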

“inetinfo.exe is a unique, multi-stage malware used to drop files,”
explained CISA. “It dropped system.dll and 363691858 files and a
second instance of inetinfo.exe. The system.dll from the second
instance of inetinfo.exe decrypted 363691858 as binary from the first
instance of inetinfo.exe. The decrypted 363691858 binary was injected
into the second instance of inetinfo.exe to create and connect to a
locally named tunnel. The injected binary then executed shellcode in
memory that connected to IP address 185.142.236[.]198, which resulted
in download and execution of a payload.”

It added, “The cyber-threat actor was able to overcome the agency’s
anti-malware protection, and inetinfo.exe escaped quarantine.”

CISA didn’t specify what the secondary payload was – Threatpost has
reached out for additional information.

The threat group meanwhile also established a backdoor in the form of
a persistent Secure Shell (SSH) tunnel/reverse SOCKS proxy.

“The proxy allowed connections between an attacker-controlled remote
server and one of the victim organization’s file servers,” according
to CISA. “The reverse SOCKS proxy communicated through port 8100. This
port is normally closed, but the attacker’s malware opened it.”

A local account was then created, which was used for data collection
and exfiltration. From the account, the cybercriminals browsed
directories on victim file servers; copied files from users’ home
directories; connected an attacker-controlled VPS with the agency’s
file server (via a reverse SMB SOCKS proxy); and exfiltrated all the
data using the Microsoft Windows Terminal Services client.

The attack has been remediated, and it’s unclear when it took place.
CISA said that its intrusion-detection system was thankfully able to
eventually flag the activity, however.

“CISA became aware—via EINSTEIN, CISA’s intrusion-detection system
that monitors federal civilian networks—of a potential compromise of a
federal agency’s network,” according to the alert. “In coordination
with the affected agency, CISA conducted an incident response
engagement, confirming malicious activity.”
