An unnamed threat actor launched a multi-stage cyber attack on an unnamed federal agency’s enterprise network by leveraging confidential credentials, exploiting a known vulnerability, planting malware and taking advantage of a poorly configured firewall, the Department of Homeland Security’s cyber wing said in an incident response report.
The Cybersecurity and Infrastructure Security Agency’s (CISA) recounting is unusual in that it offers a schematic of the hacker’s movements and tactics yet stops short of providing the date of the event, or clues to the intruder’s identity (a lone bad actor or nation state-backed hackers?), location and associated industry. It also does not provide any information as to whether the perpetrator(s) have been apprehended.
CISA officials said the agency’s intrusion detection system for monitoring federal civilian networks raised red flags of a potential infiltration, “confirming malicious activity.” The subsequent report, entitled Federal Agency Compromised by Malicious Cyber Actor, is a detailed use case of the fallout that can occur from an agency’s inadequate, or possibly neglected, cyber hygiene profile.
Here’s step-by-step what happened:
- The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts, which they leveraged to gain entry into the agency’s network. The credentials may have been obtained by exploiting a known vulnerability in an unpatched agency VPN server.
- After initial access, the threat actor performed Discovery by logging into an agency O365 email account, viewing and downloading certain help desk email attachments looking for passwords.
- The cyber threat actor then attempted multiple times to connect to a virtual private server through a Windows Server Message Block client, ultimately succeeding.
- They then created a local account for data collection, exfiltration, persistence and command and control, and used it to:
  - Browse directories on a victim file server.
  - Copy a file from a user’s home directory to their locally mounted remote share.
  - Create a reverse SMB SOCKS proxy that allowed connection between a cyber threat actor-controlled VPS and the victim organization’s file server.
  - Exfiltrate data from an account directory and file server directory.
  - Create two compressed Zip files containing several files and directories, which they may have exfiltrated.
CISA recommended actions agencies can take to protect against the activity described in the report, including the following:
- Deploy an enterprise firewall to control what is allowed in and out of the network. If the organization chooses not to deploy an enterprise firewall, work with its internet service provider to ensure that firewall is configured properly.
- Survey traffic in and out of the enterprise to determine the ports needed for organizational functions, then configure the firewall to block unnecessary ports. Organizations should develop change-control processes for those rules. Of special note, unused SMB, SSH, and FTP ports should be blocked.
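One way to carry out the survey-then-block step above, as an added example that is not from the CISA report or this article: a Python script that counts perimeter flows per port in a constructed firewall log, flags SMB/SSH/FTP flows crossing the perimeter (the outbound SMB connection to an external VPS in the report is exactly that pattern), and emits nftables-style drop rules for risky ports absent from a reviewed allowlist. The log format, the `inet filter` table and chain names, and the allowlist are assumptions.

```python
from collections import Counter

# Constructed sample perimeter-firewall log (not data from the CISA report).
# Fields: timestamp direction src_ip dst_ip dst_port
SAMPLE_LOG = """\
2020-01-01T10:00:01Z out 10.1.2.15 203.0.113.10 443
2020-01-01T10:00:05Z in  198.51.100.5 10.1.1.10 443
2020-01-01T10:01:12Z out 10.1.5.20 198.51.100.77 445
2020-01-01T10:02:30Z in  198.51.100.77 10.1.5.20 445
2020-01-01T10:03:44Z in  203.0.113.9 10.1.1.10 21
2020-01-01T10:04:02Z out 10.1.2.15 203.0.113.10 22
"""

# Ports the report singles out for blocking when they are not required.
RISKY_PORTS = {21: "FTP", 22: "SSH", 139: "SMB", 445: "SMB"}

def parse(log):
    """Turn the assumed log format into (timestamp, direction, src, dst, port) tuples."""
    rows = []
    for line in log.splitlines():
        ts, direction, src, dst, port = line.split()
        rows.append((ts, direction, src, dst, int(port)))
    return rows

def survey_ports(rows):
    """Survey step: how many perimeter flows were seen per (direction, port)."""
    return Counter((d, p) for _, d, _, _, p in rows)

def flag_risky(rows):
    """SMB/SSH/FTP flows that crossed the perimeter. An outbound SMB session to an
    external host is the pattern behind the reverse SMB proxy in the report."""
    return [(ts, d, src, dst, p, RISKY_PORTS[p])
            for ts, d, src, dst, p in rows if p in RISKY_PORTS]

def block_rules(required):
    """Block step: nft drop rules for every risky port in each direction that a
    human review did not place on the allowlist of required (direction, port) pairs."""
    rules = []
    for port, name in sorted(RISKY_PORTS.items()):
        for chain, direction in (("input", "in"), ("output", "out")):
            if (direction, port) not in required:
                rules.append(f"add rule inet filter {chain} tcp dport {port} drop  # {name}")
    return rules

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(survey_ports(rows))
    for f in flag_risky(rows):
        print("REVIEW:", f)
    print("\n".join(block_rules(required={("out", 443), ("in", 443), ("out", 22)})))
```

The flagged list is the input to the human review that decides the allowlist; the survey alone cannot tell a sanctioned SMB flow from the attacker's.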
In addition, CISA recommends these best practices:
- Implement multi-factor authentication, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Implement the principle of least privilege on data access.
- Secure RDP and other remote access solutions using multifactor authentication and jump boxes for access.
- Deploy and maintain endpoint defense tools on all endpoints.
- Keep software up to date.