Cyber-snoops broke into US military contractor, stole data, hid for months
Spies hid for months inside a US military contractor's enterprise network and stole sensitive data, according to a joint alert from the US government's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA. The intruders broke into the defense org's Microsoft Exchange Server (the Feds still aren't sure how), rummaged through mailboxes for hours, and used a compromised admin account to query Exchange via its EWS API. The snoops also ran Windows commands to learn more about the IT setup and gathered files into archives using WinRAR. Interestingly, the cyberattackers also used the open source network toolkit Impacket to remote-control machines on the network and move laterally.
It seems someone eventually realized something was up: from November 2021 to January 2022, CISA and a "trusted third-party" security company were called in to check over the contractor's enterprise network in an incident response.
The investigators also found that the intruders, after snooping around the network for a couple of months, in March 2021 exploited a handful of Microsoft bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to install 17 China Chopper webshells on the Exchange Server.
According to the cyber and law-enforcement agencies, the intruders (described, as usual, as advanced persistent threats) maintained access to the military contractor's network through mid-January 2022, "likely" by relying on staff credentials obtained by the miscreants.
Once inside the network, the miscreants used Impacket's Python scripts to remotely control machines on the victim's network.
While Impacket is relatively easy to detect with endpoint and network visibility, "it can be challenging to determine if the activity is malicious or benign without additional context and understanding of what is normal in an environment," she said.
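The point above, that Impacket's remote-execution scripts leave recognisable endpoint artifacts but that telling an intruder apart from a sysadmin needs a baseline of what is normal, can be shown with a small detector. The following is an added example, not code from The Register article or from the CISA/FBI/NSA alert: it runs over constructed process-creation events (assumed to be pre-joined by a SIEM with the source IP of the network logon that spawned them), matches the loopback admin-share output redirect that Impacket's wmiexec.py and smbexec.py are publicly documented to produce, and then downgrades a hit to "review" only when both the source host and the account are in a hypothetical baseline of sanctioned management hosts and admin accounts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Impacket's wmiexec.py and smbexec.py run commands through WMI or a
# service and redirect output to a file named "__<something>" on an admin
# share over loopback. The parent process differs: WmiPrvSE.exe for
# wmiexec, services.exe for smbexec. Both artifacts are well documented in
# public detection content; the regex and mapping here are this example's own.
LOOPBACK_SHARE_REDIRECT = re.compile(
    r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__\S*", re.IGNORECASE
)
TOOL_BY_PARENT = {"wmiprvse.exe": "wmiexec", "services.exe": "smbexec"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (e.g. Sysmon event 1 / Security 4688),
    pre-joined with the source IP of the network logon that triggered it
    (assumed to be done by the SIEM; not part of the raw event)."""
    host: str
    user: str
    parent: str
    cmdline: str
    source_ip: str


@dataclass(frozen=True)
class Baseline:
    """What is 'normal' here: sanctioned management hosts and the accounts
    permitted to run remote administration from them (hypothetical values)."""
    admin_sources: frozenset
    admin_accounts: frozenset


def classify(ev: ProcEvent, base: Baseline) -> Optional[dict]:
    """Return None if the event does not look like Impacket, else a dict with
    the suspected tool and a verdict: 'review' when the source host and
    account are both in the baseline, 'alert' otherwise."""
    tool = TOOL_BY_PARENT.get(ev.parent.lower())
    if tool is None or not LOOPBACK_SHARE_REDIRECT.search(ev.cmdline):
        return None
    expected = (ev.source_ip in base.admin_sources
                and ev.user.lower() in base.admin_accounts)
    return {"host": ev.host, "tool": tool,
            "verdict": "review" if expected else "alert"}


def scan(events, base: Baseline) -> list:
    """Run the classifier over a batch and keep only the hits."""
    return [hit for ev in events if (hit := classify(ev, base)) is not None]


# Constructed sample data: one sanctioned jump host and one admin account.
BASELINE = Baseline(admin_sources=frozenset({"10.0.1.10"}),
                    admin_accounts=frozenset({"itadmin"}))

SAMPLE_EVENTS = [
    # wmiexec from an unknown source with a service account: alert
    ProcEvent("DC01", "svc_backup", "WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1664967843.37 2>&1",
              "10.0.5.23"),
    # same technique, but from the jump host by the sanctioned admin: review
    ProcEvent("FS02", "itadmin", "WmiPrvSE.exe",
              r"cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\__1664967901.12 2>&1",
              "10.0.1.10"),
    # ordinary interactive archiving, not an Impacket artifact: ignored
    ProcEvent("WS17", "jdoe", "explorer.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" a reports.rar C:\Users\jdoe\Documents',
              "10.0.9.4"),
    # smbexec-style service command from an unknown source: alert
    ProcEvent("FS02", "svc_backup", "services.exe",
              r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat",
              "10.0.5.23"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, BASELINE):
        print(hit)
```

The baseline is the part that matters: without it, the second event (the sanctioned admin working from the jump host) would page the on-call analyst exactly like the first, which is the noise problem the quoted analyst describes. In practice the baseline would be built from weeks of observed remote-admin activity rather than hand-written, and the "review" verdict still deserves a look when a service account such as the one in the first and fourth events starts driving remote execution.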
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/05/military_contractor_hack/
Related Vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-03-03 | CVE-2021-26855 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |
| 2021-03-03 | CVE-2021-26857 | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |
| 2021-03-03 | CVE-2021-26858 | Unspecified vulnerability in Microsoft Exchange Server (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |
| 2021-03-03 | CVE-2021-27065 | Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |