Hackers maintained deep access to military organization’s network, US officials reveal

Written by Suzanne Smalley

US cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers had infiltrated a likely US military contractor and maintained “persistent and long-term” access to its network.

The National Security Agency, Cybersecurity and Infrastructure Security Agency, and the FBI issued a detailed joint advisory containing the notification, explaining that in November 2021, CISA responded to a report of malicious activity on a “Defense Industrial Base (DIB) Sector organization’s enterprise network.”

CISA found a likely compromise and said some of the intruders had “long-term access to the environment.” After breaking in, officials said, the hackers leveraged an open-source toolkit known as Impacket to “programmatically” construct and manipulate network protocols.

Impacket is a collection of Python libraries that “plug into applications like vulnerability scanners, allowing them to work with Windows network protocols,” said Katie Nickels, director of threat intelligence at Red Canary, via email. Hackers prefer Impacket because it helps them retrieve credentials, issue commands and deliver malware to systems, she said.
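Because Impacket's remote-execution scripts build their commands programmatically, they leave a recognisable command-line shape in Windows process-creation logs, which is what defenders hunt for. The check below is an added example, not code from the article or the advisory: it runs over constructed Sysmon-style events (not real telemetry) and flags the command shapes that wmiexec.py and smbexec.py produce with their default options, so treat a match as one signal to investigate rather than proof.

```python
import re
from typing import Dict, List, Optional

# Command shape produced by Impacket's wmiexec.py with default options: quiet cmd.exe,
# output redirected to a file named "__<epoch>" on the target's own ADMIN$ share.
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.+?\s+1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)
# Command shape produced by smbexec.py with default options: a batch file written via
# %COMSPEC% whose output is echoed into "__output" on the C$ share.
SMBEXEC_RE = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s+.+?\^>\s*\\\\127\.0\.0\.1\\C\$\\__output",
    re.IGNORECASE,
)

# Constructed process-creation events (Sysmon Event ID 1 fields, simplified); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c dir"},
    {"host": "srv02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1637000000.1234567 2>&1"},
    {"host": "ws03", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /Q /c ipconfig 1> C:\Temp\out.txt 2>&1"},  # local redirect, benign
    {"host": "srv04", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                    r"C:\Windows\TEMP\execute.bat & %COMSPEC% /Q /c C:\Windows\TEMP\execute.bat"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the Impacket script whose default command shape this event matches, or None."""
    cmd = event.get("CommandLine", "")
    if WMIEXEC_RE.search(cmd):
        return "wmiexec"
    if SMBEXEC_RE.search(cmd):
        return "smbexec"
    return None


def find_impacket_activity(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag matching events and record whether the parent process also fits: wmiexec
    spawns cmd.exe under WmiPrvSE.exe, smbexec runs its batch file as a service."""
    expected_parent = {"wmiexec": "wmiprvse.exe", "smbexec": "services.exe"}
    hits: List[Dict[str, object]] = []
    for ev in events:
        technique = classify(ev)
        if technique:
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            hits.append({"host": ev["host"], "technique": technique,
                         "parent_matches": parent == expected_parent[technique]})
    return hits


if __name__ == "__main__":
    for hit in find_impacket_activity(SAMPLE_EVENTS):
        print(hit)
```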

The digital intruders in this case also used a custom data exfiltration tool, CovalentStealer, to steal sensitive data and exploited a Microsoft Exchange vulnerability on the defense organization’s server to access it remotely, officials said. From there, the hackers used the company’s compromised accounts to further infiltrate the targeted organization.

Nickels said the hackers could have gained access by exploiting Exchange vulnerabilities, but there’s “no supporting evidence at this time, nor any evidence that adversaries knew about ProxyNotShell,” a reference to a new Exchange Server zero-day vulnerability.

A number of Exchange vulnerabilities have been reported over the years, Nickels said. Given how difficult it can be to patch on-premises Exchange servers, she said, many of these vulnerabilities go unpatched and become attack vectors.

The advisory includes details of indicators of compromise found by CISA and a third-party incident response organization. CISA, the FBI, and the NSA recommend that the Defense Industrial Base and other critical infrastructure organizations implement the mitigations detailed in the advisory.

Read the full advisory here.