Hackers used Impacket, Exfiltration tool to steal data from DIB organization, US cybersecurity advisory says

A joint Cybersecurity Advisory (CSA) released by U.S. cybersecurity agencies disclosed the use of the Impacket toolkit and a custom exfiltration tool to steal sensitive information from a defense industrial base (DIB) organization. From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on the DIB sector organization's enterprise network. The advisory does not explain why the information was released only several months after that response concluded.

The advisory also revealed that the targeted organization engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted third party identified APT activity on the victim's network. The advisory provides recommended actions, remediations and mitigations, together with technical details and indicators of compromise (IOCs) in three malware analysis reports (MARs) that organizations can use to detect this activity and reduce their risk.

“During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment,” the CSA, released on Tuesday by CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), disclosed. “APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.”

The advisory details the tactics, techniques and procedures (TTPs) that multiple APT groups likely used to steal sensitive information from the DIB organization, and the IOCs identified during the incident response activities by CISA and the third-party incident response organization. It also includes detection and mitigation actions to help organizations detect and prevent related APT activity, and recommends that DIB sector and other critical infrastructure organizations implement the mitigations in the CSA to manage and reduce the impact of cyber threats to their networks.

The advisory revealed that some APT actors gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021. “The initial access vector is unknown. Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (Admin 1) to access the EWS Application Programming Interface (API),” it added. 

In early February 2021, the actors returned to the network and again used Admin 1 to access the EWS API; in both instances they connected through a virtual private network (VPN), the advisory said. “Four days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim’s network. The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server,” it added. 

During the same period, the APT actors implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system and used it to attempt lateral movement to a further system. 

In March 2021, the APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (the Exchange Server vulnerabilities collectively known as ProxyLogon) to install 17 China Chopper webshells on the Exchange Server. Later that month, the actors installed HyperBro on the Exchange Server and two other systems. 

In April 2021, APT hackers used Impacket for network exploitation activities, the advisory said. “From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.”

CISA discovered activity indicating the use of two Impacket tools, wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and the Server Message Block (SMB) protocol, respectively, to create a semi-interactive shell on the target device. Through that shell, an Impacket user holding valid credentials can run commands on the remote device over the same Windows management protocols an enterprise network must already permit, which is why the activity blends in with routine administration.
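Because both tools ride on legitimate management protocols, network-level blocking is rarely an option; the practical detection is host-side, on the artifacts the tools leave by default. The following is an added example (not code from the advisory and not part of Impacket) that scans process-creation and service-install events for two such artifacts: wmiexec.py spawns cmd.exe under WmiPrvSE.exe and redirects output to \\127.0.0.1\ADMIN$\__<timestamp>, while smbexec.py installs a service (named BTOBTO by default) whose command echoes the operator's command into %TEMP%\execute.bat and writes output to \\127.0.0.1\C$\__output. The pipe-delimited key=value event format, the sample events and the Finding record are constructed for this example; adapt the parser to your own Sysmon or EDR export.

```python
import re
from dataclasses import dataclass

# Default artifacts of the two Impacket examples (documented tool behaviour,
# not taken from the advisory text above):
#  - wmiexec.py: WmiPrvSE.exe -> cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
#  - smbexec.py: service whose command runs
#        %COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat ...
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.I)
SMBEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output|%TEMP%\\execute\.bat", re.I)


@dataclass
class Finding:
    line_no: int
    tool: str
    confidence: str
    command: str


# Constructed sample events in a simple key=value|key=value layout
# (EventID 1 = process creation, EventID 7045 = new service installed).
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1627386500.1234 2>&1",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir 1> C:\Temp\out.txt 2>&1",
    r"EventID=7045|ServiceName=BTOBTO|ImagePath=%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=powershell.exe -File C:\Scripts\inventory.ps1",
]


def parse_event(line):
    """Parse one 'key=value|key=value' event line into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(fields):
    """Return (tool, confidence) for an event that matches an Impacket artifact, else None."""
    command = fields.get("CommandLine") or fields.get("ImagePath", "")
    parent = fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if WMIEXEC_RE.search(command):
        # Win32_Process.Create runs the child under WmiPrvSE.exe; any other parent
        # still carries the loopback ADMIN$ redirect, so keep it as a medium hit.
        return "wmiexec.py", "high" if parent == "wmiprvse.exe" else "medium"
    if SMBEXEC_RE.search(command):
        # Either the 7045 service-install record or the services.exe child process.
        service_install = fields.get("EventID") == "7045"
        return "smbexec.py", "high" if service_install or parent == "services.exe" else "medium"
    return None


def detect_impacket(lines):
    """Scan event lines and return one Finding per matching event, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = parse_event(line)
        hit = classify(fields)
        if hit:
            tool, confidence = hit
            command = fields.get("CommandLine") or fields.get("ImagePath", "")
            findings.append(Finding(n, tool, confidence, command))
    return findings


if __name__ == "__main__":
    for f in detect_impacket(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.tool} ({f.confidence}): {f.command}")
```

The second and fourth sample events are there to show what does not fire: a normal cmd.exe redirect to a local path, and a legitimate WmiPrvSE.exe child such as an inventory script. Operators can rename the output file and service with command-line options, so treat these patterns as the cheap first pass and pair them with the advisory's broader guidance on anomalous account use and unusual command-line activity.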

The APT actors used existing, compromised credentials with Impacket to access a higher-privileged service account used by the organization’s multifunctional devices, the CSA disclosed. The adversaries first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterward, they assigned the ApplicationImpersonation role to the service account by running an Exchange management PowerShell command, giving the account the ability to access other users’ mailboxes. 

The APT actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, to remotely access the Microsoft Exchange server. Routing through such hosting providers, which conceals the actors' true origin when interacting with victim networks, is common for these groups. 

According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access EWS. “EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247,” the advisory said.
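The two preceding observations, a service account reaching OWA from several external addresses and a former employee's account reaching EWS from a VPS provider, are both visible in the Exchange server's IIS logs, which record the authenticated user and client address for every OWA and EWS request. The following is an added example (not code from the advisory) that parses IIS W3C extended log text and applies those two checks. The log lines, the documentation-range addresses standing in for the corporate and VPS address space, and the former-employee list are constructed for this example; in practice the VPS ranges would come from a hosting-provider ASN list and the account list from the directory's disabled accounts.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in IIS W3C extended format. 10.0.0.0/8 stands in for the
# corporate/VPN space, 198.51.100.0/24 for a VPS provider, 203.0.113.0/24 for
# other Internet space; none of these are the advisory's real addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-02-03 09:12:44 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\admin1 198.51.100.23 Mozilla/5.0 200
2021-02-03 09:13:01 10.0.0.5 GET /owa/ - 443 CORP\\jdoe 198.51.100.23 Mozilla/5.0 200
2021-02-03 09:15:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\asmith 10.20.30.40 Microsoft+Office/16.0 200
2021-02-03 09:16:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2021-02-03 11:40:09 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\admin1 198.51.100.77 Mozilla/5.0 200
"""

VPS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed hosting-provider space
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8")]      # assumed corporate/VPN space
FORMER_EMPLOYEES = {"corp\\jdoe"}                        # assumed disabled/former accounts


def parse_iis(text):
    """Parse W3C extended log text using its #Fields header; returns a list of dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def _is_mail_access(record):
    stem = record["cs-uri-stem"].lower()
    return stem.startswith("/ews/") or stem.startswith("/owa/")


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def flag_exchange_access(records, vps_ranges, corp_ranges, former_employees):
    """Flag authenticated OWA/EWS requests from VPS or other external space, or by former employees."""
    alerts = []
    for r in records:
        if not _is_mail_access(r) or r["cs-username"] == "-":
            continue  # skip non-mail URIs and unauthenticated requests such as the logon page
        ip = ipaddress.ip_address(r["c-ip"])
        reasons = []
        if _in_any(ip, vps_ranges):
            reasons.append("vps_source")
        elif not _in_any(ip, corp_ranges):
            reasons.append("external_source")
        if r["cs-username"].lower() in former_employees:
            reasons.append("former_employee")
        if reasons:
            alerts.append({"time": f"{r['date']} {r['time']}", "user": r["cs-username"],
                           "ip": str(ip), "uri": r["cs-uri-stem"], "reasons": reasons})
    return alerts


def accounts_with_multiple_external_ips(records, corp_ranges, minimum=2):
    """Accounts that reached OWA/EWS from at least `minimum` distinct non-corporate addresses."""
    seen = defaultdict(set)
    for r in records:
        if not _is_mail_access(r) or r["cs-username"] == "-":
            continue
        ip = ipaddress.ip_address(r["c-ip"])
        if not _in_any(ip, corp_ranges):
            seen[r["cs-username"].lower()].add(str(ip))
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) >= minimum}


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    for alert in flag_exchange_access(recs, VPS_RANGES, CORP_RANGES, FORMER_EMPLOYEES):
        print(alert)
    print(accounts_with_multiple_external_ips(recs, CORP_RANGES))
```

The per-request check surfaces the former employee's EWS session from the VPS range immediately; the per-account aggregation is what catches the service-account pattern, where each individual request may look unremarkable but the same account appears from several external addresses within a short window. Both checks depend on the cs-username field being logged, so confirm that field is enabled in the IIS logging configuration before relying on this.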

The actors also employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files. The tool is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. “CovalentStealer includes two configurations that specifically target the victim’s documents using predetermined file paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times, and uses a 256-bit AES key for encryption,” the CSA revealed.

Given the actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to monitor logs for connections from unusual VPSs and VPNs, keep track of suspicious account use, keep tabs on the installation of unauthorized software, observe for anomalous and known malicious command-line use, and track unauthorized changes to user accounts. 

The CSA called upon organizations to enforce multi-factor authentication (MFA) on all user accounts and implement network segmentation to separate network segments based on role and functionality. It also recommended updating software, including operating systems, applications, and firmware, on network assets, searching for anomalous behavior, implementing a mandatory access control model, and auditing account usage.

In addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating the organization’s security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. For example, the agencies recommend testing the existing inventory of security controls to assess their performance against the ATT&CK techniques. Furthermore, the agencies suggest continually testing the security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.
