
Hackers stole data from US defense org using Impacket, CovalentStealer
2022-10-04 23:08

The U.S. government today released a joint CISA, FBI, and NSA alert about state-backed hackers using custom CovalentStealer malware and the open-source Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base sector.

The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes for working with network protocols, the HyperBro remote access trojan, and well over a dozen China Chopper webshell samples.

CVE-2021-26855, the first link in the ProxyLogon exploit chain, is a server-side request forgery vulnerability in Exchange that lets an unauthenticated attacker send arbitrary HTTP requests to the server and authenticate as the Exchange server itself.

While the initial access vector is unknown, the advisory notes that the hackers gained access to the organization's Exchange Server in mid-January 2021.

At the beginning of March 2021, the hackers exploited the ProxyLogon vulnerabilities to install no fewer than 17 China Chopper webshells on the Exchange Server. The joint report from CISA, FBI, and NSA describes how the stolen data was staged on that same server before exfiltration: "These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2hedebug directory."
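A split archive leaves a recognizable footprint: a directory holding several files of identical size, with at most one shorter trailing piece. The hunting script below is an added example, not code from the advisory or the article; it flags any directory containing a run of equally sized large files, and the 3 MB figure from the report is only one instance of the pattern it catches. The directory listing, the chunk count threshold, and the minimum size are constructed assumptions for illustration, not indicators from the report.

```python
"""Hunt for exfiltration staging: runs of equally sized file chunks.

Added example (not from the CISA/FBI/NSA report). Groups files by
(directory, exact size) and reports groups large enough to look like a
split archive. The thresholds below are assumptions, not report IOCs.
"""
import os
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

CHUNK_BYTES = 3 * 1024 * 1024   # ~3 MB as in the report; exact size is assumed
TOLERANCE = 0.05                # assumed: within 5% still counts as "about 3 MB"
MIN_CHUNKS = 4                  # assumed: fewer equal-sized files is noise
MIN_SIZE = 1024 * 1024          # assumed: ignore small files (logs, configs)


def _split(path: str) -> Tuple[str, str]:
    """Return (directory, normalized path) for Windows or POSIX paths."""
    norm = path.replace("\\", "/")
    return norm.rsplit("/", 1)[0], norm


def is_chunk_sized(size: int, chunk: int = CHUNK_BYTES,
                   tol: float = TOLERANCE) -> bool:
    """True when size is within tol of the expected chunk size."""
    return abs(size - chunk) <= chunk * tol


def find_split_archives(entries: Iterable[Tuple[str, int]],
                        min_chunks: int = MIN_CHUNKS,
                        min_size: int = MIN_SIZE) -> Dict[str, Tuple[int, List[str]]]:
    """Return {directory: (chunk_size, sorted paths)} for every directory
    holding at least min_chunks files of the same size >= min_size."""
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for path, size in entries:
        if size < min_size:
            continue
        directory, norm = _split(path)
        groups[(directory, size)].append(norm)
    hits: Dict[str, Tuple[int, List[str]]] = {}
    for (directory, size), paths in groups.items():
        # Keep the largest qualifying run per directory.
        if len(paths) >= min_chunks and (
                directory not in hits or len(paths) > len(hits[directory][1])):
            hits[directory] = (size, sorted(paths))
    return hits


def walk_sizes(root: str) -> Iterable[Tuple[str, int]]:
    """Yield (path, size) for every regular file under root (real filesystem)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getsize(full)
            except OSError:
                continue


# Constructed listing: five equal 3 MB pieces plus a short final piece in a
# staging directory, next to ordinary files. Names are illustrative only.
SAMPLE_LISTING = [
    (r"C:\Exchange\CU2hedebug\part01.dat", 3_145_728),
    (r"C:\Exchange\CU2hedebug\part02.dat", 3_145_728),
    (r"C:\Exchange\CU2hedebug\part03.dat", 3_145_728),
    (r"C:\Exchange\CU2hedebug\part04.dat", 3_145_728),
    (r"C:\Exchange\CU2hedebug\part05.dat", 3_145_728),
    (r"C:\Exchange\CU2hedebug\part06.dat", 1_042_553),   # trailing partial chunk
    (r"C:\Exchange\Logging\HttpProxy\log1.log", 3_000_000),
    (r"C:\Exchange\FrontEnd\HttpProxy\owa\auth\x.aspx", 1_024),
]


def report(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Render findings as one line per suspicious directory."""
    lines = []
    for directory, (size, paths) in sorted(find_split_archives(entries).items()):
        tag = " (~3 MB chunks, as in the advisory)" if is_chunk_sized(size) else ""
        lines.append(f"{directory}: {len(paths)} files of {size} bytes{tag}")
    return lines


if __name__ == "__main__":
    # With a path argument, scan the live filesystem; otherwise use the sample.
    source = walk_sizes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    print("\n".join(report(source)) or "no split-archive runs found")
```

Run it against an Exchange install as `python hunt_chunks.py "C:\Program Files\Microsoft\Exchange Server"` and review every hit by hand: Exchange and its backup tooling can legitimately produce equal-sized files, so a match is a lead, not a verdict. Matching on exact equal sizes rather than "about 3 MB" is deliberate; attackers pick the chunk size, and the equal-size run is what survives that choice.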

Burrowed deep in the victim network, the hackers relied on the custom-built CovalentStealer to upload additional sensitive files to a Microsoft OneDrive location between late July and mid-October 2021. Sending data to a legitimate cloud storage service lets the exfiltration blend into ordinary outbound HTTPS traffic.


News URL

https://www.bleepingcomputer.com/news/security/hackers-stole-data-from-us-defense-org-using-impacket-covalentstealer/

Related Vulnerability

Date: 2021-03-03
CVE: CVE-2021-26855
Title: Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability)
Vendor: Microsoft
Weakness: CWE-918 (Server-Side Request Forgery)
Attack vector: network, low complexity
Risk: critical (CVSS 9.1)