After a cyberattack on a federal agency, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday. CISA is not naming the agency but is providing technical details of the attack. Hackers gained initial access by using employees’ legitimate Microsoft Office 365 login credentials.
According to CISA, “the cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts”. They further stated that, “First, the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server.”
CISA’s investigation has no definitive answer as to how the hackers managed to get their hands on the credentials in the first place. However, it considers it possible that they were obtained by exploiting a known vulnerability.
According to the alert, it is possible that the hackers obtained credentials from an unpatched VPN server by using a known vulnerability, CVE-2019-11510, in Pulse Secure. This vulnerability allows the remote, unauthenticated retrieval of files, including passwords. CISA has noted wide use of this vulnerability across the federal government.
The patch for this vulnerability was issued in April of 2019, but the DHS (Department of Homeland Security) noticed that hackers had completed their work before the patches were installed.
Before the patches were applied, hackers were able to compromise Active Directory accounts. As a result, organizations that have patched this bug could still have some vulnerabilities in their systems and could be attacked by cyber-actors.
After initial access, they started making changes on the network. They first logged into an Office 365 email account and downloaded help desk email attachments with “Intranet access” and “VPN passwords”. In this way, they were able to uncover the Active Directory and Group Policy key.
After that, they immediately used common Microsoft Windows command-line processes (conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe) to identify the compromised system and network.
In the next step, they made a connection to a virtual private server through Windows Server Message Block (SMB). For this, they used an alias secure identifier account, which they had created, to log into it, and then they executed plink.exe.
After that, they installed custom malware with the file name “inetinfo.exe”. CISA noted that they also set up a locally mounted share, which let them move freely during their operations while leaving fewer artifacts for forensic analysis.
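The command sequence described above can be hunted for in process-creation telemetry. The following Python code is an added example, not code from CISA or from this article; the event tuple format, the five-minute window, the threshold of four distinct commands, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the alert summary above. conhost.exe is also
# named, but it accompanies every console program, so it is not counted here.
DISCOVERY = {"ipconfig.exe", "net.exe", "query.exe",
             "netstat.exe", "ping.exe", "whoami.exe"}
TUNNEL_TOOLS = {"plink.exe"}

SAMPLE = [  # constructed events: (timestamp, host, user, image path)
    ("2020-01-01T10:00:00", "FS01", "svc-alias", r"C:\Windows\System32\whoami.exe"),
    ("2020-01-01T10:00:20", "FS01", "svc-alias", r"C:\Windows\System32\ipconfig.exe"),
    ("2020-01-01T10:01:05", "FS01", "svc-alias", r"C:\Windows\System32\net.exe"),
    ("2020-01-01T10:02:10", "FS01", "svc-alias", r"C:\Windows\System32\netstat.exe"),
    ("2020-01-01T10:03:00", "FS01", "svc-alias", r"C:\Users\Public\plink.exe"),
    ("2020-01-01T09:00:00", "WS07", "alice", r"C:\Windows\System32\ping.exe"),
    ("2020-01-01T13:00:00", "WS07", "alice", r"C:\Windows\System32\ipconfig.exe"),
]

def hunt(events, window=timedelta(minutes=5), min_distinct=4):
    """Flag tunnelling tools and bursts of distinct discovery commands
    run by the same user on the same host within `window`."""
    alerts = []
    by_session = defaultdict(list)
    for ts, host, user, image in events:
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in TUNNEL_TOOLS:
            alerts.append(("tunnel_tool", host, user, name))
        elif name in DISCOVERY:
            by_session[(host, user)].append((datetime.fromisoformat(ts), name))
    for (host, user), seen in by_session.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            distinct = {n for _, n in seen[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts.append(("discovery_burst", host, user,
                               tuple(sorted(distinct))))
                break  # one alert per (host, user) is enough
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE):
        print(alert)
```

Administrators run the same commands, so the window and threshold need tuning against each environment's normal activity before this is used for alerting.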
CISA explained that “inetinfo.exe is a unique, multi-stage malware used to drop files”. They further added, “It dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.”
The attackers were able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped quarantine.
Meanwhile, they established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy. According to CISA, “the proxy allowed a connection between the target organization’s file server and an attacker controlled server. The reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker’s malware opened it.”
Then, a local account was created for data collection and exfiltration. From this account, they copied data from users’ home directories.
Everything is under control now, but it’s still unclear when this attack took place.