A joint report from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) details the tactics, techniques, and procedures (TTPs) used to breach an unnamed United States organization in the defense industrial base sector between January 2021 and January 2022. Entities in the defense industrial base provide the products and services that support and deploy military operations, including the research, design, production, delivery, and maintenance of military weapons systems. While the report gives no attribution for the threat actors involved, CISA found that it was likely multiple APT groups that compromised the organization.
While the initial access vector itself is unknown, the advisory indicates that the actors first gained access to the organization's Exchange Server. Shortly after, the actors searched users' mailboxes and used credentials belonging to a former employee to access the Exchange Web Services (EWS) API. About a month later, the actors used the same credentials to connect to the network over the VPN, where they performed reconnaissance from a command shell and archived sensitive data stored on shared drives, including contract-related information. The actors went on to exploit the ProxyLogon vulnerability in Exchange (CVE-2021-26855 and related CVEs) to install at least 17 China Chopper webshells, and deployed additional tooling including the custom CovalentStealer exfiltration tool and the HyperBro remote access trojan.
The joint report included several recommendations for detecting this activity, including:
- Monitor logs for connections from unusual VPSs and VPNs
- Examine connections from unexpected IP ranges
- Check in particular for connections from machines hosted by SurfShark or M247, the VPN and VPS providers observed in this intrusion
- Monitor for suspicious account use, such as inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts
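The network-side recommendations above are straightforward to turn into a repeatable hunt over VPN authentication logs. The script below is an added example written for this post, not code from the advisory or from CISA. It assumes a hypothetical `key=value` VPN login log format, uses RFC 5737 documentation ranges as placeholder "expected" and "VPS/VPN provider" address space (these are not the real ranges of SurfShark, M247, or any other provider), and uses made-up account names for the former-employee and service-account lists.

```python
"""Triage VPN authentication logs for the anomalies the advisory recommends
hunting for: logins from VPS/VPN hosting ranges or from unexpected IP ranges,
and use of accounts that should never authenticate interactively (former
employees, service accounts). Example code; log format and reference data are
assumptions, not taken from the advisory."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample log lines in a generic key=value syslog style. They are
# illustrative data, not records from the incident described in the advisory.
SAMPLE_VPN_LOG = """\
2021-02-03T08:12:44Z vpn-gw1 login user=jsmith src=203.0.113.17 result=success
2021-02-03T08:40:02Z vpn-gw1 login user=svc_backup src=203.0.113.9 result=success
2021-02-03T09:05:19Z vpn-gw1 login user=bwayne src=192.0.2.77 result=success
2021-02-03T09:06:01Z vpn-gw1 login user=bwayne src=192.0.2.77 result=success
2021-02-04T02:30:55Z vpn-gw1 login user=jdoe src=198.51.100.250 result=success
2021-02-04T02:31:10Z vpn-gw1 login user=jdoe src=198.51.100.250 result=failure
this line is not a login record
"""

# Hypothetical reference data an analyst would maintain. The CIDRs are RFC 5737
# documentation ranges, not the real address space of any provider.
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # ranges users normally connect from
VPS_VPN_PROVIDERS = {ipaddress.ip_network("192.0.2.0/24"): "ExampleVPS"}
FORMER_EMPLOYEES = {"bwayne"}      # accounts that should have been disabled at offboarding
SERVICE_ACCOUNTS = {"svc_backup"}  # accounts that should never authenticate to the VPN

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    result: str
    reasons: list = field(default_factory=list)


def classify_source(src: str):
    """Return (in_expected_range, provider_name_or_None) for a source address."""
    addr = ipaddress.ip_address(src)
    expected = any(addr in net for net in EXPECTED_RANGES)
    provider = next((name for net, name in VPS_VPN_PROVIDERS.items() if addr in net), None)
    return expected, provider


def analyze_vpn_log(text: str):
    """Parse each login record and attach every reason it looks suspicious.
    Failed logins are kept too: a failure on a former employee's account is
    still worth seeing next to the successes around it."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-login lines are skipped, not treated as errors
        rec = m.groupdict()
        reasons = []
        expected, provider = classify_source(rec["src"])
        if provider:
            reasons.append(f"source hosted by VPS/VPN provider {provider}")
        elif not expected:
            reasons.append("source outside expected IP ranges")
        if rec["user"] in FORMER_EMPLOYEES:
            reasons.append("account belongs to a former employee")
        if rec["user"] in SERVICE_ACCOUNTS:
            reasons.append("service account used for interactive VPN login")
        if reasons:
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], rec["result"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_vpn_log(SAMPLE_VPN_LOG):
        print(f"{f.ts} user={f.user} src={f.src} result={f.result}: " + "; ".join(f.reasons))
```

In production the provider list would come from ASN or GeoIP enrichment on the VPN gateway or from a maintained VPS/VPN range feed rather than a hard-coded dictionary, and the former-employee check is better expressed as an alert on any authentication by an account whose HR offboarding date has passed, which also catches the case this advisory describes: an account that should have been disabled but was not.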
One would like to believe that organizations supporting the United States Government, especially those in the defense industrial base sector, are secure. Unfortunately, a perimeter-only security strategy no longer holds up in the modern threat environment: given the proliferation of social engineering, zero-day, and N-day attacks, it is inevitable that initial access and exploitation will occur. This highlights the importance of maintaining a detection repository that covers a wide range of TTPs, as well as performing proactive threat hunting to identify malicious activity that existing detections do not cover. In this case, the report identified numerous recommendations to aid in detecting the TTPs used in this campaign. Those recommendations primarily cover suspicious account use and suspicious network traffic; on top of them, it is also advisable to have detections for post-exploitation TTPs based on behavioral indicators such as suspicious command execution and attempts to bypass User Account Control (UAC).
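To illustrate the behavioral detections suggested above, here is an added Python example written for this post (not code from the advisory) that runs simple rules over constructed process-creation events in the shape of Sysmon Event ID 1 or Windows 4688 records: a web server worker process spawning a shell, which is the kind of parent/child relationship a China Chopper webshell produces; a cluster of discovery commands on one host, matching the command-shell reconnaissance described earlier; an archiver reading from a network share, matching the archiving of shared-drive data; and a registry write matching a common UAC bypass pattern. The hostnames, paths and command lines are constructed, and the UAC bypass rule is an illustrative example of that technique class, not an indicator reported for this campaign.

```python
"""Behavioral detections over process-creation telemetry for the post-exploitation
TTPs discussed in this post. Example code; the events, hostnames and paths are
constructed, and the rules are illustrative rather than taken from the advisory."""
import re
from collections import defaultdict

# Constructed sample events: (host, parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c "whoami"'),
    ("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c "net user /domain"'),
    ("WS042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net view /domain"),
    ("WS042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("WS042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("WS042", r"C:\Windows\System32\cmd.exe", r"C:\Program Files\WinRAR\rar.exe",
     r"rar.exe a -r C:\Users\Public\contracts.rar \\fileserver\contracts\2021\*"),
    ("WS042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r'reg add HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ /d "" /f'),
    ("WS007", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("WS007", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
]

WEB_SERVER_IMAGES = {"w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "makecab.exe"}
RECON_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
                "quser.exe", "nltest.exe", "tasklist.exe"}
UNC_PATH_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")  # \\server\share
# Registry keys whose modification from a user hive is a well-known UAC bypass
# pattern (auto-elevating binaries such as fodhelper/eventvwr reading HKCU).
# Illustrative rule; not an indicator attributed to this campaign.
UAC_BYPASS_KEYS = (
    r"HKCU\Software\Classes\ms-settings\shell\open\command",
    r"HKCU\Software\Classes\mscfile\shell\open\command",
)
RECON_THRESHOLD = 3  # distinct discovery commands on one host before alerting


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, severity, description, command_line) alerts for the events."""
    alerts = []
    recon_by_host = defaultdict(set)
    for host, parent, image, cmdline in events:
        p, i, cl = basename(parent), basename(image), cmdline.lower()
        if p in WEB_SERVER_IMAGES and i in SHELL_IMAGES:
            alerts.append((host, "HIGH", "web server process spawned a shell (webshell behavior)", cmdline))
        if i in RECON_IMAGES:
            recon_by_host[host].add(i)  # aggregated below rather than alerted per command
        if i in ARCHIVERS and UNC_PATH_RE.search(cmdline):
            alerts.append((host, "MEDIUM", "archive created from a network share (staging for exfiltration)", cmdline))
        if i == "reg.exe" and any(k.lower() in cl for k in UAC_BYPASS_KEYS):
            alerts.append((host, "HIGH", "registry write matching a UAC bypass pattern", cmdline))
    for host, cmds in recon_by_host.items():
        if len(cmds) >= RECON_THRESHOLD:
            alerts.append((host, "MEDIUM",
                           f"{len(cmds)} distinct discovery commands on one host: {', '.join(sorted(cmds))}", ""))
    return alerts


if __name__ == "__main__":
    for host, sev, desc, cmd in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {desc}" + (f" <- {cmd}" if cmd else ""))
```

Aggregating discovery commands per host instead of alerting on each one is what keeps a rule like this usable: a single `ipconfig` from a help-desk session is noise, while `net`, `ipconfig` and `systeminfo` in quick succession from one workstation is the reconnaissance pattern the advisory describes. In a real deployment the same rules would be expressed in the SIEM or EDR query language, with the parent/child and command-line fields taken from the telemetry source rather than from tuples.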