FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization


U.S. cybersecurity and intelligence agencies on Tuesday
disclosed that multiple nation-state hacking groups potentially
targeted a “Defense Industrial Base (DIB) Sector organization’s
enterprise network” as part of a cyber espionage campaign.

“[Advanced persistent threat] actors used an open-source toolkit
called Impacket[1]
to gain their foothold within the environment and further
compromise the network, and also used a custom data exfiltration
tool, CovalentStealer, to steal the victim’s sensitive data,” the
authorities said[2].


The joint advisory[3], which was authored by
the Cybersecurity and Infrastructure Security Agency (CISA), the
Federal Bureau of Investigation (FBI), and the National Security
Agency (NSA), said the adversaries likely had long-term access to
the compromised environment.

The findings are the result of CISA’s incident response efforts
in collaboration with a trusted third-party security firm from
November 2021 through January 2022. It did not attribute the
intrusion to a known threat actor or group.

The initial infection vector used to breach the network is also
unknown, although some of the APT actors are said to have obtained
a digital beachhead to the target’s Microsoft Exchange Server as
early as mid-January 2021.

Subsequent post-exploitation activities in February entailed a
mix of reconnaissance and data collection efforts, the latter of
which resulted in the exfiltration of sensitive contract-related
information. Also deployed during this phase was the Impacket tool
to establish persistence and facilitate lateral movement.


A month later, the APT actors exploited ProxyLogon flaws[4]
in Microsoft Exchange Server to install 17 China Chopper web shells
and HyperBro[5], a backdoor[6]
exclusively used by a Chinese threat group called Lucky Mouse[7]
(aka APT27, Bronze Union, Budworm, or Emissary Panda).

The intruders, from late July through mid-October 2021, further
employed a bespoke malware strain called CovalentStealer[8]
against the unnamed entity to siphon documents stored on file
shares and upload them to a Microsoft OneDrive cloud folder.

The agencies recommend that organizations monitor logs for
connections from unusual VPNs, suspicious account use, anomalous
and known malicious command-line usage, and unauthorized changes to
user accounts.
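The four monitoring recommendations above map naturally onto a small log-review script. The following is an added example, not code from the advisory or from the agencies: it runs over a handful of constructed JSON log lines (one event per line; the field names, the VPN country baseline, the approved-administrator list and the host threshold are all assumptions an analyst would replace with their own). The command-line check looks for the output-redirection pattern that Impacket's remote-execution scripts are publicly documented to leave behind (a `cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp>` command line), the account-change check uses the standard Windows security event IDs for account and group changes, and the account-use check flags one account logging on to many distinct hosts.

```python
import json
import re
from collections import defaultdict

# Environment baselines (constructed for this example; tune to your own estate).
APPROVED_VPN_COUNTRIES = {"US"}
APPROVED_ACCOUNT_ADMINS = {"CORP\\helpdesk-svc"}
LATERAL_HOST_THRESHOLD = 3  # distinct hosts one account logs on to before we flag it

# Standard Windows security event IDs for account/group changes.
ACCOUNT_CHANGE_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4728: "member added to global group",
    4732: "member added to local group",
}

# Impacket wmiexec/smbexec-style execution redirects command output into a
# file named "__<timestamp>" on the ADMIN$ share of the loopback address.
IMPACKET_EXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE
)

# Constructed sample events (not from the advisory), one JSON object per line.
SAMPLE_LOG = r"""
{"ts":"2021-02-03T08:12:01Z","type":"vpn_login","user":"jdoe","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2021-02-03T08:15:44Z","type":"vpn_login","user":"jdoe","src_ip":"198.51.100.9","geo":"XX"}
{"ts":"2021-02-03T08:20:10Z","type":"process","host":"FS01","user":"CORP\\jdoe","cmd":"cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1612340000.12 2>&1"}
{"ts":"2021-02-03T08:21:30Z","type":"process","host":"WS05","user":"CORP\\asmith","cmd":"cmd.exe /c dir C:\\Users"}
{"ts":"2021-02-03T08:25:00Z","type":"account_change","event_id":4720,"actor":"CORP\\helpdesk-svc","target":"CORP\\newhire"}
{"ts":"2021-02-03T08:26:12Z","type":"account_change","event_id":4732,"actor":"CORP\\jdoe","target":"Administrators"}
{"ts":"2021-02-03T08:30:00Z","type":"logon","user":"CORP\\jdoe","host":"FS01"}
{"ts":"2021-02-03T08:31:00Z","type":"logon","user":"CORP\\jdoe","host":"FS02"}
{"ts":"2021-02-03T08:32:00Z","type":"logon","user":"CORP\\jdoe","host":"EX01"}
{"ts":"2021-02-03T08:33:00Z","type":"logon","user":"CORP\\jdoe","host":"DC01"}
{"ts":"2021-02-03T08:34:00Z","type":"logon","user":"CORP\\svc-backup","host":"FS01"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (category, subject, detail) findings for the four monitoring areas."""
    findings = []
    hosts_by_user = defaultdict(set)

    for ev in events:
        kind = ev.get("type")
        if kind == "vpn_login" and ev.get("geo") not in APPROVED_VPN_COUNTRIES:
            # Connection from a VPN egress/geo outside the approved baseline.
            findings.append(("unusual_vpn", ev["user"], f"{ev['src_ip']} ({ev['geo']})"))
        elif kind == "process" and IMPACKET_EXEC_RE.search(ev.get("cmd", "")):
            # Known-malicious command-line shape (Impacket-style remote execution).
            findings.append(("impacket_style_exec", ev["host"], ev["cmd"]))
        elif kind == "account_change":
            eid = ev.get("event_id")
            if eid in ACCOUNT_CHANGE_EVENTS and ev.get("actor") not in APPROVED_ACCOUNT_ADMINS:
                # Account/group change performed by a non-approved principal.
                detail = f"{ACCOUNT_CHANGE_EVENTS[eid]}: {ev['target']}"
                findings.append(("unauthorized_account_change", ev["actor"], detail))
        elif kind == "logon":
            hosts_by_user[ev["user"]].add(ev["host"])

    # Suspicious account use: one account touching many hosts in the window.
    for user, hosts in sorted(hosts_by_user.items()):
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            findings.append(("account_used_across_hosts", user, ", ".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for category, subject, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{category}] {subject}: {detail}")
```

Against the sample, the script reports one finding in each of the four categories: the VPN login from an unapproved geo, the Impacket-shaped command line on FS01, the local-group change made by a non-approved account, and one account logging on to four different hosts. In a real deployment the baselines would come from your identity provider and VPN concentrator rather than from constants, and the host threshold would be evaluated over a sliding time window.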

References

  1. Impacket (github.com)
  2. said (www.cisa.gov)
  3. joint advisory (www.cisa.gov)
  4. ProxyLogon flaws (thehackernews.com)
  5. HyperBro (www.cisa.gov)
  6. backdoor (thehackernews.com)
  7. Lucky Mouse (thehackernews.com)
  8. CovalentStealer (www.cisa.gov)
