A joint report from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) details the tactics, techniques, and procedures (TTPs) used to breach an unnamed United States organization in the defense industrial base sector between January 2021 and January 2022. Entities in the defense industrial base provide the products and services that support and enable the deployment of military operations, such as the research, design, production, delivery, and maintenance of military weapons systems. While no indication of the threat actors' origin was released, CISA found that the organization was likely compromised by multiple APT groups.
While the initial access vector itself is unknown, the advisory indicates that the actors first gained access to the organization's Exchange Server. Shortly after initial access, the actors searched user mailboxes and found credentials belonging to a former employee, which they used to access the Exchange Web Services API. A month later, the actors were seen using the same password to access the network through a VPN, where they performed reconnaissance using the command shell and archived sensitive data stored on shared drives, such as contract-related information. Following this, the actors used numerous tools, such as CovalentStealer and the HyperBro remote access trojan, and also exploited the ProxyLogon vulnerability to install at least 17 different ChinaChopper webshell samples.
The joint report includes several recommendations for detecting this activity, such as:
- Monitor logs for connections from unusual VPSs and VPNs
- Examine connections from unexpected IP ranges
- Check for machines hosted by SurfShark or M247
- Monitor for suspicious account use, such as inappropriate or unauthorized use of administrator, service, or third-party accounts
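One way to turn these recommendations into a check over VPN logon records, as an added example that is not part of the advisory or of this report: the IP ranges, the hosting-provider name, the account names and the log lines are all constructed placeholders standing in for an organization's real egress ranges, a VPS/VPN provider list, and its account inventory.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation addresses), not values from the advisory.
EXPECTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # known corporate egress
VPS_RANGES = {"placeholder-vps-provider": ipaddress.ip_network("203.0.113.0/24")}
INACTIVE_ACCOUNTS = {"former.employee"}   # accounts that should never log on again
SERVICE_ACCOUNTS = {"admin-svc"}          # accounts never expected on the VPN

# Constructed VPN logon records in a simple key=value format.
SAMPLE_LOG = """\
2021-02-10T08:01:12Z user=jsmith src=198.51.100.23 result=success
2021-02-10T08:03:40Z user=former.employee src=203.0.113.77 result=success
2021-02-10T08:05:02Z user=admin-svc src=192.0.2.9 result=success
2021-02-10T08:06:15Z user=alee src=198.51.100.88 result=failure
"""

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["timestamp"] = ts
    return rec

def classify(rec):
    """Return the list of advisory-derived reasons a successful logon is suspicious."""
    reasons = []
    ip = ipaddress.ip_address(rec["src"])
    if rec["user"] in INACTIVE_ACCOUNTS:
        reasons.append("inactive-account")
    if rec["user"] in SERVICE_ACCOUNTS:
        reasons.append("service-account-on-vpn")
    if not any(ip in net for net in EXPECTED_RANGES):
        reasons.append("unexpected-range")
    for name, net in VPS_RANGES.items():
        if ip in net:
            reasons.append(f"vps:{name}")
    return reasons

def find_suspicious(log_text):
    """Return (timestamp, user, src, reasons) for every flagged successful logon."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue  # failed attempts are handled by other controls
        reasons = classify(rec)
        if reasons:
            findings.append((rec["timestamp"], rec["user"], rec["src"], reasons))
    return findings
```

Running `find_suspicious(SAMPLE_LOG)` flags the former employee's logon from the placeholder VPS range and the service account's logon from an unexpected range, while the two logons from the corporate range pass.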