A threat actor was able to compromise the network of a federal agency and create a reverse proxy and install malware, the Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday.
The attack, CISA explains, relied on compromised credentials for initial access, and resulted in multi-stage malware being installed on the affected agency’s systems, without triggering in-place anti-malware protections.
Credentials for multiple Microsoft Office 365 (O365) and domain administrator accounts were employed in the attack, CISA says. Using the Transmission Control Protocol (TCP), the attackers were able to connect multiple times to the victim organization’s virtual private network (VPN) server.
CISA could not determine how the adversary obtained the credentials, but says that they might have gotten them from an unpatched VPN server by exploiting a known vulnerability in Pulse Secure, namely CVE-2019-11510, which was patched in April 2019.
“CISA has observed wide exploitation of CVE-2019-11510 across the federal government,” the agency notes.
Following initial access, the threat actor started gathering information of interest from email accounts, enumerated the Active Directory and Group Policy key, modified a registry key for the Group Policy, and enumerated compromised systems.
The attackers connected to the compromised network using various methods, including Remote Desktop Protocol (RDP), a Windows Server Message Block (SMB) client, and through plink.exe, a command-line version of PuTTy.
Furthermore, the adversary achieved persistence through a Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy (two Scheduled Tasks were created for them), and executed a unique, multi-stage malware to drop files. Additionally, they created a locally mounted remote share.
The threat actor also created a local account to browse directories on a file server, copy a file to the locally mounted remote share, interact with other files on users’ home directories (although CISA could not confirm whether exfiltration occurred), create a reverse SMB SOCKS proxy, interact with a PowerShell module, steal data from an account directory and file server directory, and create ZIP archives containing files and directories (CISA could not confirm that the ZIP files were exfiltrated).
To overcome the agency’s anti-malware protection, the threat actor accessed the “anti-malware product’s software license key and installation guide and then visited a directory used by the product for temporary file analysis,” after which they were able to run their malware executable.
CISA, which has provided indicators of compromise (IoC) associated with the attack, recommends that all federal agencies monitor network traffic to identify unusual activity such as unusual open ports, large outbound files, and unexpected and unapproved protocols.
The agency also recommends that organizations deploy an enterprise firewall, that they identify and block all ports that are not necessary, implement multi-factor authentication, separate administrative accounts on administrative workstations and apply the principle of least privilege, secure RDP, and ensure that anti-malware software and operating systems are up to date.Ionut Arghire is an international correspondent for SecurityWeek.