Feds Hit with Successful Cyberattack, Data Stolen
Security News, September 2020
A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.
"The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 accounts and domain administrator accounts," according to CISA. "First, the threat actor logged into a user's O365 account from Internet Protocol address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol from IP address 185.86.151[.]223 to the victim organization's virtual private network server."
"Inetinfo.exe is a unique, multi-stage malware used to drop files," explained CISA. "It dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload."
From the account, the cybercriminals browsed directories on victim file servers; copied files from users' home directories; connected an attacker-controlled VPS with the agency's file server; and exfiltrated all the data using the Microsoft Windows Terminal Services client.
"CISA became aware, via EINSTEIN, CISA's intrusion-detection system that monitors federal civilian networks, of a potential compromise of a federal agency's network," according to the alert.
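A defender-side check built from the three addresses the article quotes from the alert (the O365 login source, the VPN connection source and the address the payload was fetched from), added here as an example and not taken from the article or from CISA: it refangs the bracketed indicators and scans a set of constructed sample events, invented for this example, matching on either the source address or a destination field so that both inbound logins and outbound payload fetches surface.

```python
import ipaddress

# Defanged indicators quoted in the article from the CISA alert, labelled with
# the stage of the intrusion each one was reported in.
DEFANGED_INDICATORS = {
    "91.219.236[.]166": "o365_login",     # logged into a user's O365 account
    "185.86.151[.]223": "vpn_connect",    # repeated TCP connections to the VPN server
    "185.142.236[.]198": "payload_c2",    # shellcode connected here to fetch a payload
}

def refang(ioc: str) -> str:
    """Turn the '[.]' defanging convention back into a real dotted address."""
    return ioc.replace("[.]", ".")

INDICATORS = {ipaddress.ip_address(refang(k)): v for k, v in DEFANGED_INDICATORS.items()}

# Constructed sample events (not real logs): (timestamp, source_ip, event, detail).
SAMPLE_EVENTS = [
    ("2020-06-01T10:02:11Z", "91.219.236.166", "o365_login", "user=alice"),
    ("2020-06-01T10:03:40Z", "91.219.236.166", "sharepoint_download", "file=plan.docx"),
    ("2020-06-01T10:15:02Z", "185.86.151.223", "vpn_connect", "tcp"),
    ("2020-06-01T10:15:09Z", "185.86.151.223", "vpn_connect", "tcp"),
    ("2020-06-01T11:40:55Z", "10.0.4.17", "outbound_connect", "dst=185.142.236.198:443"),
    ("2020-06-01T12:00:00Z", "203.0.113.9", "o365_login", "user=bob"),
]

def addresses_in(src: str, detail: str):
    """Yield every IP address carried by an event: the source, plus any 'dst=' field."""
    yield src
    if detail.startswith("dst="):
        yield detail[4:].rsplit(":", 1)[0]   # strip the port

def match_events(events):
    """Return (timestamp, indicator, stage, event) for each event touching an indicator."""
    hits = []
    for ts, src, event, detail in events:
        for addr in addresses_in(src, detail):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue                     # not an address (hostname, malformed field)
            if ip in INDICATORS:
                hits.append((ts, str(ip), INDICATORS[ip], event))
    return hits

def stages_observed(events):
    """Which stages of the reported chain have been seen, for triage."""
    return sorted({stage for _, _, stage, _ in match_events(events)})
```

Matching on bare indicator addresses only finds this particular intrusion; the alert's more durable signal is the pattern itself, a cloud login followed by repeated VPN connections and an outbound fetch from an internal host, which is what the stage labels are there to surface.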