CISA Alert AA22-277A - Impacket and CovalentStealer Used to Steal Sensitive Data

Keep up to date with latest blog posts

On October 4, 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) on multiple APT actors that exfiltrated sensitive data from a defense contractor using Impacket and CovalentStealer [1]. The investigation of the security incident shows that threat actors were able to maintain their access for a whole year and exfiltrate sensitive information.

Picus Labs updated the Picus Threat Library with new attack simulations for techniques and malware used by the APT actors. In this blog, we gave a detailed explanation of how these threat actors were able to compromise a Defense Industrial Base (DIB) organization.

Simulate Advanced Persistent Threats with 14-Day Free Trial of Picus Platform

Data Exfiltration Attack Against US Critical Infrastructure

Organizations in Defense Industrial Base (DIB) contribute to the research, development, and production of military weapons systems, and the US government classified this industry as critical infrastructure. According to CISA, multiple Advanced Persistent Threat (APT) actors breached an unnamed organization in DIB and maintained their access between January 2021 and January 2022. The initial access of adversaries originated from the organization's Microsoft Exchange Server. After initial access, the threat actors gathered information about the compromised network and exfiltrated data over the victim's compromised Microsoft Exchange server. Then, adversaries used an open-source toolkit named Impacket to move laterally in the victim’s network and used a custom tool called CovalentStealer to exfiltrate remaining sensitive data.

During the course of their attack, the APT actors used virtual private networks (VPN) to hide their identity and location. CISA has not attributed this attack to any threat group or nation-state yet.

Validate Security Controls

CISA, FBI, and NSA recommend organizations continuously validate their security controls against threat behavior mapped to the MITRE ATT&CK framework. The recommended methodology is as follows:

  1. Select an ATT&CK technique

  2. Align your security technologies against the technique

  3. Test your technologies against the technique

  4. Analyze your detection and prevention technologies’ performance

  5. Repeat the process for all security technologies

  6. Tune your security program

  7. Repeat the whole process for other ATT&CK techniques

For more detailed information, please visit our blog post “How to Validate Your Security Controls Against APT Actors at Scale”.

Tools and TTPs Used in Cyber Espionage & Data Exfiltration

The APT actors responsible for the cyber espionage and data exfiltration attack against the unnamed Defense Industrial BAS organization used the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:

1. Tactic: Initial Access & Persistence & Privilege Escalation

1.1. T1078 Valid Accounts

The threat actors gain access to Exchange Web Services (EWS) API using compromised administrator credentials.

2. Tactic: Execution      

2.1. T1047 Windows Management Instrumentation

The APT actors use Windows Management Instrumentation (WMI) via the Impacket wmiexec.py script.

2.2. T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries used the following PowerShell commands and scripts in their malicious activities.

powershell add-pssnapin *exchange*;New-ManagementRoleAssignment - name:"Journaling-Logs" -Role:ApplicationImpersonation -User:<account>

Example 1: Assigning the Application Impersonation role to the service account

powershell dir -recurse -path e:\<redacted>|select fullname,length|export-csv c:\windows\temp\temp.txt

Example 2: Listing and saving map of folders and directories

2.3. T1059.001 Command and Scripting Interpreter: Windows Command Shell

The threat actors used the commands below to discover assets in the victim’s network and check the internet connectivity of the compromised hosts.

certutil

net share

taskkill

route print

dir

netstat

tasklist

set

ipconfig

ntfsinfo

ping

systeminfo

3. Tactic: Defense Evasion

3.1. T1036.005 Masquerading: Match Legitimate Name or Location

The APT actors changed the name of the archive tool “WinRAR.exe” to “VMware.exe” to avoid detection.

3.2. T1070.004 Indicator Removal on Host: File Deletion

Adversaries deleted the archive files that are to be exfiltrated from the victim’s network using “del.exe” command and “*.rar” wildcard.

3.3. T1497.001 Virtualization/Sandbox Evasion: System Checks

The threat actors use the systeminfo command to check whether the compromised host is a virtual machine.

4. Tactic: Discovery

4.1. T1016 System Network Configuration Discovery

The APT actors use the “route print” command to list entries in the local IP table.

4.2. T1016.001 System Network Configuration Discovery: Internet Connection Discovery

Adversaries use the following commands to check whether the compromised host has internet access.

certutil -urlcache -split -f https://microsoft.com temp.html
ping -n 2 apple.com
ping -n 2 amazon.com

Example 3: Commands used to test internet connectivity

4.3. T1049 System Network Connections Discovery

The threat actors use the “netstat” command to display active TCP connections in the victim’s machine.

4.4. T1057 Process Discovery

The APT actors use the “tasklist” command to list the running processes in the compromised host.

4.5. T1082 System Information Discovery & T1497.001 Virtualization/Sandbox Evasion: System Checks

Adversaries use the “systeminfo” and “ipconfig” commands to get detailed information about the compromised host and check whether it is a virtual machine.

4.6. T1083 File and Directory Discovery

The threat actors use the command given in Example 2 to list files and directories in the compromised host or a network share.

5. Tactic: Lateral Movement

5.1. T1021.002 Remote Services: SMB/Windows Admin Shares

The APT actors execute commands on the remote system via the Impacket smbexec.py script.

6. Tactic: Collection

6.1. T1560.001 Archive Collected Data: Archive via Utility & T1074.002 Data Staged: Remote Data Staging

Adversaries use archive utility “WinRAR“and PowerShell “Compress-Archive“ cmdlet to compress data into 3MB chunks prior to exfiltration.

7. Tactic: Command and Control

7.1. T1105 Ingress Tool Transfer

The threat actors transfer “CovalentStealer data exfiltration tool”, “China Chopper webshell”, and “HyperBro remote access trojan (RAT)” to compromised hosts.

7.2. T1090 Proxy

The APT actors use “M247” and “SurfShark” VPN/VPS services to access the victim’s network to hide their identity and location.

8. Tactic: Exfiltration

8.1. T1029 Schedule Transfer

Adversaries exfiltrate sensitive data only at certain times to blend with normal network traffic.

8.2. T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

CovalentStealer exfiltrates stolen sensitive data to a Microsoft OneDrive cloud folder.

How Picus Helps Simulate Advanced Persistent Threats?

We also strongly suggest simulating Advanced Persistent Threats to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Control Validation Platform. You can test your defenses against infamous APT actors such as Lazarus, HAFNIUM, and DEV-0586 within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for APT actors targeting Defense Industrial Base Organization

Threat ID

Action Name

Attack Module

57719

CISA Critical Infrastructure Vulnerabilities Campaign

Web Application

56467

WebShell Web Attack Campaign

  • China Chopper Webshell (2 variants)

Web Application

24723

Microsoft Exchange Web Attack Campaign

  • CVE-2021-26855 (Unauthorized SSRF)

Web Application

90739

CovalentStealer Malware Dropper Email Threat

Email Infiltration (Phishing)

67940

CovalentStealer Malware Dropper Download Threat

Network Infiltration

50835

HyperBro Backdoor Email Threat 

Email Infiltration (Phishing)

60455

HyperBro Backdoor Download Threat

Network Infiltration

67725

HyperBro RAT Dropper Email Threat

Email Infiltration (Phishing)

99073

HyperBro RAT Dropper Download Threat

Network Infiltration

83795

Generic Reverse Shell Web Attack Campaign

Web Application

89406

Server-Side Request Forgery Web Attack Campaign

Web Application

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus Complete Security Control Validation Platform.

References

[1] “Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

Subscribe

Keep up to date with latest blog posts