The Cybersecurity and Infrastructure Security Agency (CISA) published on Tuesday an advisory highlighting advanced persistent threat (APT) activity observed on a Defense Industrial Base (DIB) Sector organization’s enterprise network.
The joint Cybersecurity Advisory (CSA) was released in collaboration with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
It details how APT actors deployed the open-source toolkit Impacket to gain initial access and then the data exfiltration tool CovalentStealer to steal the victim’s sensitive data.
According to the advisory, CISA observed the attacks between November 2021 and January 2022.
“During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment.”
Some APT actors spotted by the security agency reportedly gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021.
A month later, they reportedly returned and used Command Shell to learn about the organization’s environment and to collect sensitive data before deploying two Impacket tools: wmiexec.py and smbexec.py.
In both cases, the threat actors were observed using VPNs while performing the attacks. Further, in early March 2021, the APT actors reportedly exploited several vulnerabilities to install 17 China Chopper web shells on the Exchange Server. Later in March, they installed HyperBro on the Exchange Server and two other systems.
“In April 2021, APT actors used Impacket for network exploitation activities,” the advisory reads. “From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files.”
To limit the impact of such attacks, CISA recommended that organizations monitor logs for connections from unusual VPNs and for suspicious account use. The agency also advised watching for abnormal and known-malicious command-line usage and for unauthorized changes to user accounts.
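As an added illustration of the command-line monitoring CISA recommends (example code written for this article, not taken from the advisory), the snippet below scans constructed process-creation events for the command-line shapes that the default, unmodified Impacket wmiexec.py and smbexec.py scripts produce; the article itself does not quote those shapes, so the patterns are an assumption about stock Impacket behaviour, and a renamed output file or customised script would require adjusted rules.

```python
import re

# Constructed sample process-creation events (the "CommandLine" field of a
# Sysmon Event ID 1 or Windows 4688 record), invented for this walkthrough.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "user": "CORP\\svc_backup",
     "cmd": r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1645000000.123456 2>&1'},
    {"host": "FS02", "user": "CORP\\jdoe",
     "cmd": r'C:\Windows\system32\cmd.exe /Q /c echo dir C:\ ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    {"host": "WS17", "user": "CORP\\alice",
     "cmd": r'cmd.exe /c dir C:\Users'},
]

# Assumption: stock Impacket scripts. wmiexec.py redirects output to
# \\127.0.0.1\ADMIN$\__<epoch timestamp>; smbexec.py writes a batch file via
# a service and redirects output to \\127.0.0.1\C$\__output.
SIGNATURES = {
    "impacket_wmiexec": re.compile(
        r'cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1',
        re.IGNORECASE),
    "impacket_smbexec": re.compile(
        r'cmd\.exe\s+/Q\s+/c\s+echo\s+.*\^>\s*\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat',
        re.IGNORECASE),
}


def detect_impacket(events):
    """Return a (rule_name, host, user) tuple for every event whose command
    line matches one of the Impacket signatures, in event order."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["cmd"]):
                hits.append((name, ev["host"], ev["user"]))
    return hits


if __name__ == "__main__":
    for rule, host, user in detect_impacket(SAMPLE_EVENTS):
        print(f"{rule}: host={host} user={user}")
```

Pair a hit with the source IP and VPN assignment from the logon record to pick out the "unusual VPN" connections the advisory also flags.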
The attacks against the unnamed DIB organization are not the first spotted by security researchers this year to rely on Impacket.
Last month, Microsoft spotted multiple ransomware campaigns attributed to DEV-0270 and linked with the Iranian government that used Impacket’s WMIExec to maintain persistence on a system after gaining an initial foothold.