Despite improvements in cybersecurity, hackers stay a step ahead exploiting any vulnerability they could find. However, it's not general consumers or enterprises, more often than not, government agencies fall victim to their sophisticated attacks.
In a recent cyber attack, a hacker managed to infiltrate an unnamed federal agency using valid access credentials and managed to steal data, the Cybersecurity & Infrastructure Security Agency (CISA) revealed on September 24.
Sophisticated Malware
To begin with, the hacker planted a custom malware (inetinfo.exe) in the agency's network that went undetected. Once in the system, the hacker used compromised Microsoft Office 365 credentials to log into accounts.
While CISA didn't clarify how the hacker gained access to the agency's network, it said it was possible that the attacker exploited a vulnerability in Pulse Secure VPN (virtual private network) that was noticed in April 2019.
The vulnerability allows an attacker to retrieve credentials, files including passwords remotely. Pulse had released a fix in April 2019 but the agency hadn't installed the patch. The hacker could also retrieve domain administrator passwords and logged in and searched for email attachments with "Intranet Access" and "VPN passwords" in the email subject line. As per CISA, the attacker also searched for local Active Directory and modified settings to evaluate the agency's internal network structure.
The hacker also installed an SSH tunnel and SOCKS proxy using the custom malware that could drop files in different stages and allowed a way back to the network. The threat actor then connected a hard drive to the agency's network and mounted it as a local remote share.
EINSTEIN Helped in Detection
The CISA was finally able to notice the breach thanks to EINSTEIN, its intrusion detection system that monitors all federal civilian networks. Through the system, CISA found that the hacker created a local account to browse server directories, copy files to the locally mounted drive and run Windows PowerShell commands.
While the investigators couldn't say for sure if the hacker was able to steal data but since the file or files were compressed and copied to the locally mounted hard drive, it was possible that the attacker could exfiltrate data.
The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis," CISA said in its report. "It is likely that the cyber threat actor exfiltrated these Zip files, but this cannot be confirmed because the actor masked their activity."
Last week, CISA, the cybersecurity wing of the U.S. Homeland Security also warned of a critical Windows vulnerability that allowed hackers one-click access to servers. The Zerologon vulnerability was detected in the Windows server edition and could be exploited to steal data from compromised systems or networks.
