Cyber-snoops broke into US military contractor, stole data, hid for months
2022-10-05 19:27

Spies hid for months inside a US military contractor's enterprise network and stole sensitive data, according to a joint alert from the US government's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA. The intruders broke into the defense org's Microsoft Exchange Server (the Feds still aren't sure how), rummaged through mailboxes for hours, and used a compromised admin account to query Exchange via its EWS API. The snoops also ran Windows commands to learn more about the IT setup and bundled files into archives using WinRAR. Interestingly, the attackers also used the open source network toolkit Impacket to remote-control machines on the network and move laterally.

It seems someone eventually realized something was up, because from November 2021 to January 2022 CISA and a "trusted third-party" security company were called in to examine the contractor's enterprise network as part of an incident response.

The investigators also found that the intruders, after snooping around the network for a couple of months, exploited a handful of Microsoft bugs in March 2021 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to install 17 China Chopper webshells on the Exchange Server.

According to the cyber and law-enforcement agencies, the intruders, described as usual as advanced persistent threats, maintained access to the military contractor's network through mid-January 2022, "likely" by relying on staff credentials the miscreants had obtained.

Once inside the network, the miscreants used Python scripts to remotely control machines on the victim's network.

While Impacket is relatively easy to detect with endpoint and network visibility, "It can be challenging to determine if the activity is malicious or benign without additional context and understanding of what is normal in an environment," she said.
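Impacket's remote-execution scripts leave a recognisable footprint in process-creation telemetry, which is the "easy to detect" half of the quote above; the "needs context" half is the harder part. The script below is an added example, not code from the article or from the agencies' alert. It scans process-creation records for the command-line shape that Impacket's wmiexec.py produces in its default configuration (an assumption drawn from the tool's public source, not something the article states), rates each hit by its parent process, and applies an expected-admin-account list so that legitimate administrative use is routed to manual review rather than silently dropped. The pipe-delimited log format and the four sample records are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Command-line shape produced by Impacket's wmiexec.py by default (assumption based on
# the tool's public source code, not on the article):
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-timestamp> 2>&1
# The loopback UNC path and the "__<timestamp>" output file are the distinctive parts.
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*"
    r"\\\\127\.0\.0\.1\\(?:ADMIN\$|C\$)\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# Constructed sample records in a hypothetical pipe-delimited format:
#   host|parent_image|user|command_line
SAMPLE_LOG = [
    "fs01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|CORP\\svc_backup|"
    "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1633449600.123 2>&1",
    # Ordinary local redirection, not a wmiexec pattern: must not be flagged.
    "ws22|C:\\Windows\\explorer.exe|CORP\\jdoe|"
    "cmd.exe /Q /c ipconfig /all 1> C:\\temp\\out.txt 2>&1",
    "dc01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|CORP\\itadmin|"
    "cmd.exe /Q /c net user 1> \\\\127.0.0.1\\ADMIN$\\__1633449700.5 2>&1",
    # Same redirection shape but an unexpected parent and the C$ share.
    "ws07|C:\\Windows\\System32\\services.exe|CORP\\svc_backup|"
    "cmd.exe /Q /c dir C:\\Users 1> \\\\127.0.0.1\\C$\\__1633449800 2>&1",
]


@dataclass
class Finding:
    host: str
    user: str
    command: str
    severity: str  # "high", "medium" or "review"
    reason: str


def parse_record(line: str) -> dict | None:
    """Split one constructed record; malformed lines are skipped rather than raising."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    host, parent, user, cmdline = parts
    return {"host": host, "parent": parent, "user": user, "cmdline": cmdline}


def analyse(lines: Iterable[str], expected_admin_users: Iterable[str]) -> list[Finding]:
    """Flag wmiexec-style command lines and attach the context a triager needs."""
    expected = {u.lower() for u in expected_admin_users}
    findings: list[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        match = WMIEXEC_RE.search(rec["cmdline"])
        if not match:
            continue
        # wmiexec executes through WMI, so the WMI provider host is the expected parent;
        # any other parent is still suspicious but less specific to this tool.
        if rec["parent"].lower().endswith("wmiprvse.exe"):
            severity, reason = "high", "wmiexec-style command line spawned by the WMI provider host"
        else:
            severity, reason = "medium", "wmiexec-style command line with an unexpected parent process"
        # Context check: some admin teams use Impacket legitimately, so a known account
        # downgrades the finding to manual review instead of suppressing it.
        if rec["user"].lower() in expected:
            severity, reason = "review", reason + " (account is on the expected-admin list)"
        findings.append(Finding(rec["host"], rec["user"], match.group("cmd"), severity, reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, {"CORP\\itadmin"}):
        print(f"[{f.severity:6}] {f.host} {f.user}: {f.command!r} -- {f.reason}")
```

The expected-admin list never suppresses a hit, only changes its severity, because the stolen-credential scenario in the article is exactly the case where a known account is the one running the tooling; the decision to close a "review" finding belongs to an analyst who knows what normal looks like in that environment, which is the point of the quote above.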


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/05/military_contractor_hack/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                                           RISK
2021-03-03  CVE-2021-26855  Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019   network, low complexity, microsoft, CWE-918, critical, 9.1
                            (Microsoft Exchange Server Remote Code Execution Vulnerability)
2021-03-03  CVE-2021-26857  Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server                   local, low complexity, microsoft, CWE-502, 7.8
                            (Microsoft Exchange Server Remote Code Execution Vulnerability)
2021-03-03  CVE-2021-26858  Unspecified vulnerability in Microsoft Exchange Server                                         local, low complexity, microsoft, 7.8
                            (Microsoft Exchange Server Remote Code Execution Vulnerability)
2021-03-03  CVE-2021-27065  Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019                       local, low complexity, microsoft, CWE-22, 7.8
                            (Microsoft Exchange Server Remote Code Execution Vulnerability)