U.S. cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers infiltrated what is likely a U.S. military contractor and maintained “persistent, long-term” access to its systems.
The National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI released a detailed, joint advisory containing the notification, explaining that in November 2021 CISA responded to a report of malicious activity on an anonymous “Defense Industrial Base (DIB) Sector organization’s enterprise network.”
CISA uncovered a likely compromise, and said that some of the intruders had “long-term access to the environment.” After breaking in, officials said, hackers leveraged an open-source toolkit known as Impacket to “programmatically” construct and manipulate network protocols.
Impacket is a collection of Python libraries that “plug into applications like vulnerability scanners, allowing them to work with Windows network protocols,” Katie Nickels, director of threat intelligence at Red Canary, said via email. Hackers favor Impacket because it helps them retrieve credentials, issue commands and deliver malware onto systems, she said.
The digital intruders in this case also used a custom data exfiltration tool, CovalentStealer, to steal sensitive data and exploited a Microsoft Exchange vulnerability on the defense organization’s server to gain access remotely, officials said. From there, the hackers used the compromised company accounts to further infiltrate the targeted organization.
Nickels said hackers could have gained access by exploiting vulnerabilities in Exchange, but there is “no evidence to support this right now, nor is there evidence that adversaries knew about the ProxyNotShell vulnerabilities,” a reference to a new Exchange Server zero-day vulnerability.
There have been a number of Exchange vulnerabilities reported over a span of years, Nickels said. Given how difficult it can be to patch on-premises Exchange servers, she said, many of these vulnerabilities go unfixed and become vectors for attack.
The advisory includes details on indicators of compromise found by CISA and a third-party incident response organization. CISA, the FBI and the NSA recommend that defense industrial base and other critical infrastructure organizations implement the mitigations detailed in the advisory.
Clarified Oct. 5, 2022: This story has been clarified by adding the word “vulnerabilities” after a reference to ProxyNotShell in a quote from Katie Nickels of Red Canary.