CISA Advisory Details How Hackers Targeted Defense Industrial Base Organization
The Cybersecurity and Infrastructure Security Agency (CISA) published on Tuesday an advisory highlighting advanced persistent threat (APT) activity observed on a Defense Industrial Base (DIB) Sector organization’s enterprise network.
The joint Cybersecurity Advisory (CSA) was released in collaboration with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
It details how APT actors deployed the open-source toolkit Impacket to gain their foothold in the environment and then used the custom data exfiltration tool CovalentStealer to steal the victim’s sensitive data.
According to the advisory, CISA observed the attacks between November 2021 and January 2022.
“During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment.”
Some APT actors spotted by the security agency reportedly gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021.
A month later, according to the advisory, they returned and used a command shell to learn about the organization’s environment and to collect sensitive data before implanting two Impacket tools: wmiexec.py and smbexec.py.
In both cases, the threat actors were observed using VPNs while performing the attacks. Further, in early March 2021, the APT actors reportedly exploited several vulnerabilities to install 17 China Chopper web shells on the Exchange Server. Later in March, they installed HyperBro on the Exchange Server and two other systems.
“In April 2021, APT actors used Impacket for network exploitation activities,” the advisory reads. “From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files.”
To limit the impact of such attacks, CISA recommended that organizations monitor logs for connections from unusual VPNs and for suspicious account use. The agency also advised watching for abnormal and known malicious command-line usage and for unauthorized changes to user accounts.
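The command-line monitoring CISA recommends can be put into practice for the two Impacket tools named above. The following is an added example, not code from the advisory or from Impacket: it scans constructed process-creation records (Security 4688 / Sysmon Event ID 1 style fields) for the publicly documented default command-line artifacts of wmiexec.py (output redirected to `\\127.0.0.1\ADMIN$\__<timestamp>`) and smbexec.py (a service-launched batch file writing to `\\127.0.0.1\C$\__output`), and raises confidence when the parent process matches the tool's execution path (WmiPrvSE.exe for WMI, services.exe for a service). The hostnames, paths and events are constructed sample data.

```python
import re

# Constructed sample process-creation events (not real logs). The first two
# mirror the default command lines produced by Impacket's wmiexec.py and
# smbexec.py; the third is benign interactive use for contrast.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1634567890.12 2>&1"},
    {"host": "EXCH01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r"C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 "
                 r"> C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c "
                 r"C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat")},
    {"host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\alice\Documents"},
]

# (rule name, command-line pattern, parent image expected for that tool)
RULES = [
    ("impacket-wmiexec",
     re.compile(r"/Q /c .* 1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.IGNORECASE),
     "WmiPrvSE.exe"),
    ("impacket-smbexec",
     re.compile(r"echo .*\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.IGNORECASE),
     "services.exe"),
]


def classify(event):
    """Return (rule, confidence) for a matching event, or None.

    Confidence is 'high' when the parent process is the one the tool's
    execution path implies, 'medium' when only the command line matches.
    """
    for name, pattern, expected_parent in RULES:
        if pattern.search(event["cmdline"]):
            parent_ok = event["parent"].lower().endswith(expected_parent.lower())
            return name, "high" if parent_ok else "medium"
    return None


def scan(events):
    """Return (host, rule, confidence) for every event that matches a rule."""
    hits = []
    for event in events:
        result = classify(event)
        if result:
            hits.append((event["host"], result[0], result[1]))
    return hits


if __name__ == "__main__":
    for host, rule, confidence in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({confidence})")
```

Feed it your own exported 4688 or Sysmon events as dictionaries with the same keys; the parent-process check is what separates these patterns from ordinary administrative use of cmd.exe.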
The attacks against the unnamed DIB organization are not the first Impacket-based intrusions spotted by security researchers this year.
Last month, Microsoft reported multiple ransomware campaigns attributed to DEV-0270, a group linked with the Iranian government, that used Impacket’s WMIExec to maintain persistence on a system after gaining an initial foothold.