On October 4, 2022, CISA, the FBI, and the NSA issued a joint advisory detailing how multiple APT actors used Impacket and CovalentStealer to exfiltrate sensitive data from a Defense Industrial Base (DIB) organization [1]. Investigators found that the attackers maintained access for an entire year and removed sensitive information throughout that period.
Picus Labs updated the Picus Threat Library with new attack simulations for the techniques and malware used by the APT actors. In this blog, we give a detailed explanation of how these threat actors compromised the DIB organization.
Organizations in Defense Industrial Base (DIB) contribute to the research, development, and production of military weapons systems, and the US government classified this industry as critical infrastructure. According to CISA, multiple Advanced Persistent Threat (APT) actors breached an unnamed organization in DIB and maintained their access between January 2021 and January 2022. The initial access of adversaries originated from the organization's Microsoft Exchange Server. After initial access, the threat actors gathered information about the compromised network and exfiltrated data over the victim's compromised Microsoft Exchange server. Then, adversaries used an open-source toolkit named Impacket to move laterally in the victim’s network and used a custom tool called CovalentStealer to exfiltrate remaining sensitive data.
During the course of their attack, the APT actors used virtual private networks (VPN) to hide their identity and location. CISA has not attributed this attack to any threat group or nation-state yet.
CISA, FBI, and NSA recommend organizations continuously validate their security controls against threat behavior mapped to the MITRE ATT&CK framework. The recommended methodology is as follows:
Select an ATT&CK technique
Align your security technologies against the technique
Test your technologies against the technique
Analyze your detection and prevention technologies’ performance
Repeat the process for all security technologies
Tune your security program
Repeat the whole process for other ATT&CK techniques
For more detailed information, please visit our blog post “How to Validate Your Security Controls Against APT Actors at Scale”.
The APT actors responsible for the cyber espionage and data exfiltration attack against the unnamed Defense Industrial Base (DIB) organization used the following tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework:
The threat actors gain access to Exchange Web Services (EWS) API using compromised administrator credentials.
The APT actors use Windows Management Instrumentation (WMI) via the Impacket wmiexec.py script.
Adversaries used the following PowerShell commands and scripts in their malicious activities.
powershell add-pssnapin *exchange*;New-ManagementRoleAssignment -Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:<account>
Example 1: Assigning the ApplicationImpersonation role to the service account. This Exchange role lets the account act on behalf of any mailbox owner through EWS, so a single service account can read every user's mail.
powershell dir -recurse -path e:\<redacted>|select fullname,length|export-csv c:\windows\temp\temp.txt
Example 2: Listing the full path and size of every file under a share and saving the map of folders and directories to a CSV file in the Windows temp folder
The threat actors used the following built-in Windows commands to discover assets in the victim's network, check the internet connectivity of compromised hosts, and clean up after themselves:
certutil, net share, taskkill, route print, dir, netstat, tasklist, set, ipconfig, ntfsinfo, ping, systeminfo
The APT actors changed the name of the archive tool “WinRAR.exe” to “VMware.exe” to avoid detection.
Adversaries deleted the archive files they had staged for exfiltration using the cmd.exe "del" command with a "*.rar" wildcard.
The threat actors use the systeminfo command to check whether the compromised host is a virtual machine.
The APT actors use the "route print" command to list the entries in the local IP routing table.
Adversaries use the following command to check whether the compromised host has internet access; certutil fetches the URL into its cache and writes the response to temp.html.
certutil -urlcache -split -f https://microsoft.com temp.html
Example 3: Command used to test internet connectivity
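The command-line TTPs above (the Impacket wmiexec.py execution pattern, the ApplicationImpersonation grant in Example 1, the WinRAR-to-VMware.exe rename, the .rar cleanup, and the certutil check in Example 3) all surface in process-creation telemetry. The following Python rule set is an added example written for this post; it is not code from the advisory or from Picus. It runs over constructed Sysmon Event ID 1-style records, and the paths, account name, and timestamp in the sample events are placeholders, not indicators from the incident.

```python
"""Process-creation detections for the AA22-277A command-line TTPs (added example)."""
import re
from pathlib import PureWindowsPath


def _base(path):
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def is_wmiexec_child(ev):
    r"""Impacket wmiexec.py default behaviour: WmiPrvSE.exe spawns
    'cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1' so the operator
    can read the output back over SMB. The ADMIN$\__ redirect is the strong signal;
    a WmiPrvSE.exe parent alone is common in legitimate WMI use."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["ParentImage"]) == "wmiprvse.exe"
            and _base(ev["Image"]) == "cmd.exe"
            and r"\127.0.0.1\admin$\__" in cl)


def is_impersonation_grant(ev):
    """Example 1: granting ApplicationImpersonation. Matching on the cmdlet and role
    name only tolerates '-Role:X', '-Role X' and mixed casing."""
    cl = ev["CommandLine"].lower()
    return "new-managementroleassignment" in cl and "applicationimpersonation" in cl


def is_masquerade(ev, allowlist=frozenset()):
    """Renamed tool (WinRAR.exe -> VMware.exe): the PE version resource, which Sysmon
    records as OriginalFileName, still says WinRAR.exe. Sysmon logs '-' when the
    binary has none. Tune `allowlist` with (image_name, original_name) pairs that
    legitimately differ in your estate."""
    orig = ev.get("OriginalFileName", "-")
    if orig in ("", "-"):
        return False
    pair = (_base(ev["Image"]), orig.lower())
    return pair[0] != pair[1] and pair not in allowlist


def is_certutil_urlcache(ev):
    """Example 3: certutil -urlcache fetching a URL (connectivity check or download)."""
    return _base(ev["Image"]) == "certutil.exe" and "-urlcache" in ev["CommandLine"].lower()


ARCHIVE_CLEANUP = re.compile(r"\bdel\b[^&|]*\*\.(rar|zip|7z)\b", re.IGNORECASE)


def is_archive_cleanup(ev):
    """del with an archive wildcard, as used to remove the staged .rar files."""
    return _base(ev["Image"]) == "cmd.exe" and ARCHIVE_CLEANUP.search(ev["CommandLine"]) is not None


RULES = {
    "impacket_wmiexec": is_wmiexec_child,
    "exchange_impersonation_grant": is_impersonation_grant,
    "masquerading_original_filename": is_masquerade,
    "certutil_urlcache": is_certutil_urlcache,
    "archive_cleanup": is_archive_cleanup,
}


def evaluate(events):
    """Return {rule_name: [indexes of matching events]} for a list of event dicts."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, check in RULES.items():
            if check(ev):
                hits[name].append(i)
    return hits


# Constructed Sysmon Event ID 1-style records (fields trimmed); not telemetry from
# the incident. Paths, the account name and the timestamp are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1661234567.89 2>&1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell add-pssnapin *exchange*;New-ManagementRoleAssignment '
                    '-Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:svc_journal'},
    {"Image": r"C:\ProgramData\VMware.exe", "OriginalFileName": "WinRAR.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"VMware.exe a -v3m C:\ProgramData\out.rar E:\share\docs"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f https://microsoft.com temp.html"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\ProgramData\*.rar"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",   # benign
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"cmd.exe /c dir C:\Users"},
]

if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

Two caveats when moving this beyond the sample: wmiexec.py's `-nooutput` option and modified forks drop the ADMIN$\__ redirect, so pair the first rule with SMB share-access events for `__`-prefixed files on ADMIN$; and the masquerading rule needs Sysmon's OriginalFileName field (Windows 4688 events do not carry it), plus an allowlist for the handful of legitimate binaries whose on-disk name differs from their version resource.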
The threat actors use the “netstat” command to display active TCP connections in the victim’s machine.
The APT actors use the “tasklist” command to list the running processes in the compromised host.
Adversaries use the “systeminfo” and “ipconfig” commands to get detailed information about the compromised host and check whether it is a virtual machine.
The threat actors use the command given in Example 2 to list files and directories in the compromised host or a network share.
Adversaries use the archive utility "WinRAR" and the PowerShell "Compress-Archive" cmdlet to compress data into 3MB chunks prior to exfiltration.
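Chunking data into fixed 3MB archives leaves a distinctive footprint on disk: a directory holding many archive volumes of almost exactly the same size, with only the last one smaller. The following Python hunt is an added example written for this post, not code from the advisory or from Picus; it runs over a constructed file listing, and the directory names and sizes are invented, not indicators from the incident.

```python
"""Hunt for exfiltration staging: directories of equal-size archive chunks (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

CHUNK_BYTES = 3 * 1024 * 1024  # the ~3MB chunk size reported in AA22-277A
# WinRAR volumes end in .rar (new style) or .rXX (old style); Compress-Archive writes .zip.
ARCHIVE_RE = re.compile(r"\.(rar|zip|7z|r\d\d)$", re.IGNORECASE)


def is_archive(path):
    return ARCHIVE_RE.search(path) is not None


def find_chunked_staging(listing, chunk=CHUNK_BYTES, min_parts=4, tolerance=0.02):
    """listing: iterable of (windows_path, size_bytes), e.g. from a dir /s export.

    Flags each directory holding at least `min_parts` archive files whose size is
    within `tolerance` of `chunk`. The final volume of a split archive is normally
    smaller, so it is counted in `parts` and `total_bytes` but need not match."""
    by_dir = defaultdict(list)
    for path, size in listing:
        if is_archive(path):
            by_dir[str(PureWindowsPath(path).parent).lower()].append(size)
    flagged = {}
    for directory, sizes in by_dir.items():
        full = [s for s in sizes if abs(s - chunk) <= chunk * tolerance]
        if len(full) >= min_parts:
            flagged[directory] = {"parts": len(sizes), "total_bytes": sum(sizes)}
    return flagged


# Constructed listing (not from the advisory): one staging folder of split volumes,
# two benign single archives elsewhere, and a non-archive file that must be ignored.
SAMPLE_LISTING = [
    (r"C:\ProgramData\VMware\docs.part01.rar", CHUNK_BYTES),
    (r"C:\ProgramData\VMware\docs.part02.rar", CHUNK_BYTES),
    (r"C:\ProgramData\VMware\docs.part03.rar", CHUNK_BYTES - 512),  # within tolerance
    (r"C:\ProgramData\VMware\docs.part04.rar", CHUNK_BYTES),
    (r"C:\ProgramData\VMware\docs.part05.rar", 1_048_576),          # trailing, smaller volume
    (r"C:\Users\alice\Documents\q3-report.zip", 2_301_900),
    (r"D:\backups\server-full.rar", 950_000_000),
    (r"C:\ProgramData\VMware\notes.txt", 4_000),
]

if __name__ == "__main__":
    for directory, info in find_chunked_staging(SAMPLE_LISTING).items():
        print(f"{directory}: {info['parts']} archive parts, {info['total_bytes']} bytes")
```

Feed it the output of a recursive directory walk of temp folders, ProgramData, user profiles, and any share the Example 2 listing touched; the `chunk` parameter is worth sweeping over a few common sizes, since an actor who reads this advisory will pick a different one.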
The threat actors transfer “CovalentStealer data exfiltration tool”, “China Chopper webshell”, and “HyperBro remote access trojan (RAT)” to compromised hosts.
The APT actors use “M247” and “SurfShark” VPN/VPS services to access the victim’s network to hide their identity and location.
Adversaries exfiltrate sensitive data only at certain times to blend with normal network traffic.
CovalentStealer exfiltrates stolen sensitive data to a Microsoft OneDrive cloud folder.
How Does Picus Help Simulate Advanced Persistent Threats?
We also strongly suggest simulating Advanced Persistent Threats to test the effectiveness of your security controls against APT attacks using the Picus Complete Security Control Validation Platform. You can test your defenses against infamous APT actors such as Lazarus, HAFNIUM, and DEV-0586 within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the APT actors targeting the Defense Industrial Base organization:

| Threat ID | Action Name | Attack Module |
|---|---|---|
| 57719 | CISA Critical Infrastructure Vulnerabilities Campaign | Web Application |
| 56467 | WebShell Web Attack Campaign | Web Application |
| 24723 | Microsoft Exchange Web Attack Campaign | Web Application |
| 90739 | CovalentStealer Malware Dropper Email Threat | Email Infiltration (Phishing) |
| 67940 | CovalentStealer Malware Dropper Download Threat | Network Infiltration |
| 50835 | HyperBro Backdoor Email Threat | Email Infiltration (Phishing) |
| 60455 | HyperBro Backdoor Download Threat | Network Infiltration |
| 67725 | HyperBro RAT Dropper Email Threat | Email Infiltration (Phishing) |
| 99073 | HyperBro RAT Dropper Download Threat | Network Infiltration |
| 83795 | Generic Reverse Shell Web Attack Campaign | Web Application |
| 89406 | Server-Side Request Forgery Web Attack Campaign | Web Application |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Complete Security Control Validation Platform.
[1] CISA, FBI, and NSA, "Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization," Alert AA22-277A, October 4, 2022. [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-277a