CISA: Multiple APT groups infiltrate defense organization
Multiple advanced persistent threat (APT) groups gained access to the network of a US-based defense organization in January 2021, extensively compromising the company’s computers, network, and data for nearly a year, three government agencies stated in a joint advisory on Oct. 4.
The attackers had access to the organization’s Microsoft Exchange Server and used a compromised administrator account to collect information and move laterally in the IT environment as early as mid-January 2021, according to the advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).
The attackers gained access to email messages and defense contract information, collected credentials to elevate user privileges, and deployed a custom exfiltration tool, CovalentStealer, to move the data to an external server.
Most of the techniques used software already on the system or widely available open source tools, Katie Nickels, director of intelligence at Red Canary, a managed detection and response (MDR) firm, said in a statement sent to Dark Reading.
“While many people think that state-sponsored actors always use advanced techniques, this report demonstrates that many of the tools and techniques these actors use are known to defenders and can be detected,” she stated.
For instance, a new Exchange vulnerability could have been used for initial access, but there are plenty of Exchange vulnerabilities that remain unpatched in corporate networks, Nickels said.
“The advisory notes that actors did exploit multiple known vulnerabilities from 2021 to install webshells on the Exchange server later in the intrusion,” she said. “There have been multiple Exchange vulnerabilities over a span of years, and given the challenges of patching on-premise Exchange servers, many of these vulnerabilities remain unpatched and give adversaries an opportunity to compromise a network.”
To read the complete article, visit Dark Reading.