The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released its investigation into a recent malware attack by a threat actor on the enterprise network of a federal organization.
The threat actor used compromised credentials to install sophisticated malware, including multi-stage malware that evaded the affected organization's anti-malware protection, and obtained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited vulnerabilities in the organization's firewall. The reverse SOCKS proxy communicated over port 8100, a non-standard port that is normally closed; the attacker's malware opened it. This and the other information in this article is taken entirely from CISA's incident response report, which covers the threat actor's tactics, techniques, and procedures as well as the indicators of compromise identified during the engagement.
CISA discovered the attack through EINSTEIN, an intrusion detection system that monitors federal civilian networks for signs of possible compromise. CISA then carried out its incident response process and confirmed the malicious activity. According to CISA, the threat actor possessed valid credentials for several Microsoft Office 365 accounts as well as domain administrator accounts; however, it is unclear how the attackers obtained the usernames and passwords.
Investigators found that the threat actor logged remotely into the Office 365 account of a customer, browsed pages on a SharePoint site, and downloaded a file. The threat actor then connected several times over Transmission Control Protocol (TCP) to the target organization's virtual private network (VPN) server.
“Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping, whoami, and plink.exe—to enumerate the compromised system and network,” stated CISA.
Using a Microsoft Windows Terminal Services client, the attacker copied files and exfiltrated the data. The intruder also created a backdoor, setting up further attacks.
CISA investigators were unable to determine how the threat actor originally obtained the credentials used in the attack, although they put forward a theory involving Pulse Secure.
“It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure,” stated CISA, adding that it “has observed wide exploitation of CVE-2019-11510 across the federal government.”
The vulnerability allows remote, unauthenticated retrieval of files, including files containing passwords. Pulse Secure published patches for multiple critical vulnerabilities, including CVE-2019-11510, in April 2019.
CISA analysts identified the following IP addresses as involved in the various stages of the attack described above:
- 185.86.151[.]223 – Command and Control (C2)
- 91.219.236[.]166 – C2
- 207.220.1[.]3 – C2
- 78.27.70[.]237 – Data Exfiltration
- 185.193.127[.]18 – Persistence
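A practical use of the indicator list above is to match it against egress firewall or proxy logs, together with the port 8100 detail mentioned earlier. The following script is an added example, not code from CISA's report or from this article: it refangs the published `[.]`-style addresses, parses a constructed firewall log format (the log lines and the non-indicator addresses in them are invented for illustration), and flags any connection to a listed address or any allowed outbound connection to port 8100.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators as published in the article (defanged form).
DEFANGED_IOCS = {
    "185.86.151[.]223": "C2",
    "91.219.236[.]166": "C2",
    "207.220.1[.]3": "C2",
    "78.27.70[.]237": "Data exfiltration",
    "185.193.127[.]18": "Persistence",
}

# Non-standard port used by the reverse SOCKS proxy in the reported incident.
SUSPECT_PORTS = {8100}


def refang(ioc: str) -> str:
    """Turn a defanged address such as 1.2.3[.]4 back into a real IP string."""
    return ioc.replace("[.]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


@dataclass
class Hit:
    line_no: int
    dst_ip: str
    dst_port: int
    reason: str


# Constructed sample log (hypothetical format): "<timestamp> <ALLOW|DENY> <src>:<port> -> <dst>:<port>".
# Addresses other than the published indicators are documentation/test ranges, not real hosts.
SAMPLE_LOG = """\
2020-09-24T10:01:02Z ALLOW 10.0.4.21:51022 -> 52.96.0.10:443
2020-09-24T10:01:05Z ALLOW 10.0.4.21:51031 -> 185.86.151.223:443
2020-09-24T10:02:11Z ALLOW 10.0.4.21:51044 -> 203.0.113.9:8100
2020-09-24T10:03:00Z DENY 10.0.4.22:51050 -> 78.27.70.237:22
2020-09-24T10:04:00Z ALLOW 10.0.4.23:51060 -> 192.0.2.5:80
"""

LINE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per log line that touches a known indicator or a suspect port."""
    hits: list[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, action, _src, _sport, dst, dport = m.groups()
        dport = int(dport)
        try:
            ipaddress.ip_address(dst)  # reject malformed destination fields
        except ValueError:
            continue
        if dst in IOCS:
            # A DENY to a known indicator is still worth seeing: it shows an attempt.
            hits.append(Hit(line_no, dst, dport, f"known IoC ({IOCS[dst]})"))
        if dport in SUSPECT_PORTS and action == "ALLOW":
            hits.append(Hit(line_no, dst, dport, f"allowed outbound to non-standard port {dport}"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.dst_ip}:{hit.dst_port} - {hit.reason}")
```

Matching on destination only is deliberate: indicator addresses age quickly, so the port-based rule is the part of the check that keeps value after the listed hosts change.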
CISA encourages organizations to adopt the following best practices:
- Implement multi-factor authentication for privileged accounts.
- Use distinct administrative accounts on separate workstations for administration.
- Apply the principle of least privilege to data access.
- Use jump boxes for secure RDP and other remote access solutions.
- Deploy and maintain defensive tooling on all endpoints.
- Block unused ports such as SMB, SSH, FTP, and RDP (with exceptions only by approval).
- Monitor network traffic for unusual activity.
- Deploy an enterprise firewall.
- Keep software up to date.
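The "block unused ports" and "monitor for unusual activity" recommendations can be checked on a host by comparing its listening sockets against an approved list. The following is an added example, not from CISA or this article: it parses a constructed sample of Windows `netstat -ano` output (the sample, the allowlist and the approved-exception set are hypothetical), ignores loopback-only listeners, and reports every network-reachable listener that is neither expected for the host role nor covered by an approved exception.

```python
import re

# Constructed sample of `netstat -ano` output for one workstation (not from the advisory).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:8100           0.0.0.0:0              LISTENING       5120
  TCP    10.0.4.21:51044        203.0.113.9:8100       ESTABLISHED     5120
  TCP    127.0.0.1:49664        0.0.0.0:0              LISTENING       640
"""

# Hypothetical baseline: ports expected to listen on a standard workstation.
WORKSTATION_ALLOWED = frozenset({135})
# Hypothetical per-host exceptions granted through an approval process (e.g. RDP for this host).
APPROVED_EXCEPTIONS = frozenset({3389})

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def unexpected_listeners(netstat_text: str, allowed: frozenset, approved: frozenset = frozenset()) -> list[tuple[int, int]]:
    """Return (port, pid) for every TCP listener reachable from the network that is not allowed or approved."""
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header, UDP and non-listening sockets are ignored
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if addr.startswith("127."):
            continue  # loopback-only listener: not reachable from other hosts
        if port in allowed or port in approved:
            continue
        findings.append((port, pid))
    return findings


if __name__ == "__main__":
    for port, pid in unexpected_listeners(SAMPLE_NETSTAT, WORKSTATION_ALLOWED, APPROVED_EXCEPTIONS):
        print(f"unexpected listener on port {port} (PID {pid})")
```

Reporting the PID alongside the port lets the responder pivot straight to the owning process; the same output also shows the established connection that process holds, which is the traffic the "monitor network traffic" recommendation is about.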