Heimdal
article featured image

Contents:

On 4 October 2022 U.S. Government announced a data breach at a U.S. organization in the Defense Industrial Base (DIB) sector.

The infection lasted approximately ten months before being identified, with the initial access taking place in January 2021.

The origin of the attackers is unknown at the moment, but several advanced persistent threat groups (APT) were probably involved in the attack using the victim’s Microsoft Exchange Server.

DIB organizations provide military weapons system studies, innovation, design, manufacturing, distribution, and maintenance, as well as all necessary components and parts.

Details About the Malware

The Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint report containing details from the incident response activity that took place between November 2021 and January 2022.

“The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples”, according to BleepingComputer.

Hackers Use Customized Malware to Steal U.S. Defense Data

Source

Cybercriminals also targeted the ProxyLogon collection of four Microsoft Exchange Server vulnerabilities. This happened around the time Microsoft issued an emergency security update to address them.

In a separate report, CISA provides technical analysis for CovalentStealer noting that the malware relies on code from two publicly available utilities, ClientUploader and the PowerShell script Export-MFT, to upload compressed files and to extract the Master File Table (MFT) of a local storage volume.

CovalentStealer also contains resources for encrypting and decrypting the uploaded data, and configuration files, and to secure communications.

Source

Another CISA report contains details about HyperBro RAT. A trojan that can upload/download files to/from the infected system, do logging keystrokes, execute commands on the infected device, and bypass User Account Control to function with full admin privileges.

The Timeline of the Attack

The breach happened in mid-January 2021, with the hackers gaining access to the Exchange Server of the targeted company. Four hours later they used an admin account to access the Exchange Web Services (EWS) API, gaining visibility to client application messages.

In February 2021 attackers accessed the network once more using the same admin account through a VPN. This time they used Windows Command Shell to carry out recognition activities

The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory.

Source

In March 2021 ProxyLogon vulnerabilities were used to install 17 China Chopper webshells on the Exchange Server. And in April 2022 the hackers began the lateral movement on the network using Impacket to temper with network protocols.

Impacket allowed them to compromise an account with larger privileges, gaining remote access from multiple external IP addresses to the Exchange server through Outlook Web Access (OWA).

Between July and October 2022 cybercriminals uploaded data to a Microsoft OneDrive location using a custom-built CovalentStealer implanted deep in the infected network.

How to Detect Data Breach

The joint report from CISA, FBI, and NSA contains also a set of recommendations so organizations will detect “persistent, long-term access in compromised enterprise environments”:

  • monitor logs to identify connections from unusual VPSs and VPNs
  • monitor for suspicious account use such as inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts
  • monitor for the installation of unauthorized software
  • monitor for suspicious and known malicious command-line use
  • investigate unauthorized changes to user accounts

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo