The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor’s cyberattack on a federal agency’s enterprise network. By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.
For a downloadable copy of IOCs, see: AA20-268A.stix.
Description
CISA became aware—via EINSTEIN, CISA’s intrusion detection system that monitors federal civilian networks—of a potential compromise of a federal agency’s network. In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity. The following information is derived exclusively from the incident response engagement and provides the threat actor’s tactics, techniques, and procedures as well as indicators of compromise that CISA observed as part of the engagement.
Threat Actor Activity
The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts, which they leveraged for Initial Access [TA0001] to the agency’s network (Valid Accounts [T1078]). First the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file (Data from Information Repositories: SharePoint [T1213.002]). The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server (Exploit Public-Facing Application [T1190]).
CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials. It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure (Exploitation for Credential Access [T1212]). In April 2019, Pulse Secure released patches for several critical vulnerabilities—including CVE-2019-11510, which allows the remote, unauthenticated retrieval of files, including passwords.[1] CISA has observed wide exploitation of CVE-2019-11510 across the federal government.[2]
After initial access, the threat actor performed Discovery [TA0007] by logging into an agency O365 email account from 91.219.236[.]166 and viewing and downloading help desk email attachments with “Intranet access” and “VPN passwords” in the subject line, despite already having privileged access (Email Collection [T1114], Unsecured Credentials: Credentials In Files [T1552.001]). (Note: these emails did not contain any passwords.) The actor logged into the same email account via Remote Desktop Protocol (RDP) from IP address 207.220.1[.]3 (External Remote Services [T1133]). The actor enumerated the Active Directory and Group Policy key and changed a registry key for the Group Policy (Account Manipulation [T1098]). Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping, and whoami, plink.exe—to enumerate the compromised system and network (Command and Scripting Interpreter [T1059], System Network Configuration Discovery [T1016]).
The cyber threat actor then attempted multiple times to connect to virtual private server (VPS) IP 185.86.151[.]223 through a Windows Server Message Block (SMB) client. Although they connected and disconnected multiple times, the connections were ultimately successful. During the same period, the actor used an alias secure identifier account they had previously created to log into VPS 185.86.151[.]223 via an SMB share. The attacker then executed plink.exe on a victim file server (Command and Scripting Interpreter [T1059]). (plink.exe is a command-line version of PuTTy that is used for remote administration.)
The cyber threat actor established Persistence [TA0003] and Command and Control [TA0011] on the victim network by (1) creating a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy, (2) running inetinfo.exe (a unique, multi-stage malware used to drop files), and (3) setting up a locally mounted remote share on IP address 78.27.70[.]237 (Proxy [T1090]). The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis. Refer to Threat Actor Malware section for more information about the SSH Tunnel/reverse SOCKS proxy and inetinfo.exe.
The cyber threat actor created a local account, which they used for data Collection [TA0009], Exfiltration [TA0010], Persistence [TA0003], and Command and Control [TA0011] (Create Account [T1136]). The cyber threat actor used the local account to:
- Browse directories on a victim file server (Data from Shared Network Drive [T1039]).
- Copy a file from a user’s home directory to their locally mounted remote share (Data Staged [T1074]).
- CISA analysts detected the cyber threat actor interacting with other files on users’ home directories but could not confirm whether they were exfiltrated.
- Create a reverse SMB SOCKS proxy that allowed connection between an cyber threat actor-controlled VPS and the victim organization’s file server (refer to Threat Actor Malware section for more information) (Proxy [T1090]).
- Interact with PowerShell module
Invoke-TmpDavFS.psm(refer to Threat Actor Malware section for more information). - Exfiltrate data from an account directory and file server directory using
tsclient(tsclientis a Microsoft Windows Terminal Services client) (Data from Local System [T1005], Data from Network Shared Drive [T1039]). - Create two compressed Zip files with several files and directories on them (Archive Collected Data [T1560]); it is likely that the cyber threat actor exfiltrated these Zip files, but this cannot be confirmed because the actor masked their activity.
