Maine Critical Infrastructure Partners:
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) with details on advanced persistent threat (APT) actors using an open-source toolkit and custom data exfiltration tool to steal sensitive data from a defense industrial base (DIB) sector organization’s enterprise network.
APT actors used the open-source toolkit, Impacket, to gain their foothold within the environment and further compromise the network and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data. The analysis of available data showed APT actors were active in the victim’s enterprise network at least as early as January 2021 and gained access to the organization’s share drives, Microsoft Exchange server, and Exchange Web Services (EWS). The actors used the account of a former employee to access the EWS, which enables access to mailbox items such as email messages, meetings, and contacts.
In March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26868, and CVE-2021-27065 to install China Chopper webshells and HyperBro on the victim’s systems. The CSA links to malware analysis reports on the webshells and on HyperBro with additional technical details for network defenders, including indicators of compromise (IOCs) and detection signatures.
APT actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from share drives, for eventual exfiltration. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network. Some threat actors likely maintained persistent access for several months by relying on legitimate credentials.
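As an added illustration (not part of the CSA or this message), the Python sketch below shows how a defender might flag Impacket-style remote command execution in Windows process-creation logs: Impacket's wmiexec and smbexec examples launch `cmd.exe /Q /c` and redirect command output to a file whose name begins with `__` on a loopback administrative share (`\\127.0.0.1\ADMIN$` or `\\127.0.0.1\C$`). The sample events, host names and account names are constructed for the example.

```python
import re

# Constructed sample process-creation records (fields as you would pull from
# Windows Event ID 4688 or Sysmon Event ID 1). Not real logs from the advisory.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c dir \\\\FS01\\contracts 1> \\\\127.0.0.1\\ADMIN$\\__1635000000.12 2>&1"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"host": "EXCH01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\services.exe",
     "cmdline": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
]

# Output redirected to a "__"-prefixed file on a loopback admin share: the
# artifact wmiexec.py (ADMIN$\__<timestamp>) and smbexec.py (C$\__output) leave.
LOOPBACK_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.IGNORECASE)
# Quiet, non-interactive shell as launched by those tools.
QUIET_SHELL = re.compile(r"(cmd\.exe|%COMSPEC%)\s+/Q\s+/c", re.IGNORECASE)


def score_event(ev):
    """Return the list of Impacket-style indicators present in one event."""
    reasons = []
    if LOOPBACK_SHARE_REDIRECT.search(ev["cmdline"]):
        reasons.append("output redirected to loopback admin share")
    # A quiet cmd.exe whose parent is the WMI provider host is how wmiexec runs.
    if QUIET_SHELL.search(ev["cmdline"]) and ev["parent"].lower().endswith("wmiprvse.exe"):
        reasons.append("quiet cmd.exe spawned by WMI provider host")
    return reasons


def find_suspicious(events):
    """Return (host, user, reasons) for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["host"], ev["user"], reasons))
    return hits


def hosts_per_account(events):
    """Map each account to the set of hosts where it ran flagged commands.
    Supports the 'audit account usage' recommendation: one account executing
    remotely on many hosts deserves review."""
    seen = {}
    for host, user, _ in find_suspicious(events):
        seen.setdefault(user, set()).add(host)
    return seen


if __name__ == "__main__":
    for host, user, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{host} {user}: {'; '.join(reasons)}")
```

Matching on `1> \\127.0.0.1\ADMIN$\__` alone is the simplest rule to port into a SIEM query; the parent-process check lowers false positives from administrators who legitimately use `cmd.exe /Q /c`.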
Some of the actions that can help protect against APT cyber activity include:
- Enforce multi-factor authentication (MFA) on all user accounts;
- Implement network segmentation to separate network segments based on role and functionality;
- Update software, including operating systems, applications, and firmware, on network assets; and
- Audit account usage.
The Defense Industrial Base sector and other critical infrastructure organizations are encouraged to implement effective, mature cybersecurity programs, such as the recommended actions in the CSA, to ensure they are managing and mitigating the impact of APT threats to their networks. Organizations are also encouraged to validate or test their existing security controls to assess how they perform against the adversarial behavior (i.e., the MITRE ATT&CK techniques) described in this advisory.
Your support to amplify this CSA through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.
Thomas “T.J.” Swenson Jr., LP.D.
Protective Security Advisor (PSA) – Maine
Cybersecurity and Infrastructure Security Agency (CISA)
U.S. Department of Homeland Security (DHS)
(U) Email: Thomas.Swenson@cisa.dhs.gov
(S) Email: Thomas.J.Swenson@dhs.sgov.gov