Serviceteam IT Security News

A warning has been issued by America’s Cybersecurity and Infrastructure Security Agency (CISA) after a malicious cyber-actor compromised a United States federal agency. 

The attacker used valid login credentials for multiple users’ Microsoft Office 365 accounts and domain administrator accounts to gain access to the agency’s enterprise network. Once inside, the bad actor infected the network with sophisticated malware.

“By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall,” said CISA in a statement released yesterday.

CISA was alerted to a potential compromise of a federal agency’s network via EINSTEIN, an intrusion detection system that monitors federal civilian networks.

Malicious activity was confirmed during an investigation launched by CISA in conjunction with the affected agency.

Investigators found the threat actor logged into a user’s Office 365 account remotely, then browsed pages on a SharePoint site and downloaded a file. The threat actor then connected multiple times by Transmission Control Protocol to the victim organization’s virtual private network (VPN) server.

“Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” stated CISA.

The cyber-criminal copied files and exfiltrated the data via a Microsoft Windows Terminal Services client. The intruder also created a backdoor, indicating that further attacks were planned. 
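The activity CISA describes in the two preceding paragraphs (a burst of built-in discovery commands from one account, followed by plink.exe being used for the reverse SOCKS tunnels) is something a defender can look for in process-creation telemetry. The following is an added example, not CISA's or the agency's tooling; the event format and the sample events are constructed, and the placeholder host in the plink command line is not a real indicator.

```python
"""Triage constructed Windows process-creation events for the enumeration
burst and plink.exe use described in the CISA statement."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named by CISA (plink.exe is handled separately below).
DISCOVERY = {"ipconfig.exe", "net.exe", "query.exe", "netstat.exe",
             "ping.exe", "whoami.exe"}

# Constructed sample events: timestamp host user image command-line
SAMPLE_LOG = """\
2020-01-01T09:00:01 WS01 alice C:\\Windows\\System32\\notepad.exe notepad.exe
2020-01-01T10:15:02 WS07 jdoe C:\\Windows\\System32\\whoami.exe whoami
2020-01-01T10:15:05 WS07 jdoe C:\\Windows\\System32\\ipconfig.exe ipconfig /all
2020-01-01T10:15:09 WS07 jdoe C:\\Windows\\System32\\net.exe net user /domain
2020-01-01T10:15:14 WS07 jdoe C:\\Windows\\System32\\netstat.exe netstat -ano
2020-01-01T10:16:30 WS07 jdoe C:\\Users\\jdoe\\plink.exe plink.exe -R 1080:127.0.0.1:1080 -N PLACEHOLDER_HOST
2020-01-01T11:00:00 WS02 bob C:\\Windows\\System32\\ipconfig.exe ipconfig
"""


def parse(line):
    """Split one constructed event into fields; image is the bare lowercase file name."""
    ts, host, user, image, cmd = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}


def triage(log_text, window=timedelta(minutes=5), threshold=3):
    """Return (alert_type, host, user) tuples: any plink.exe execution, and any
    host/user pair running >= threshold distinct discovery tools inside window."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    seen = defaultdict(list)  # (host, user) -> [(timestamp, tool), ...]
    for e in events:
        if e["image"] == "plink.exe":  # any plink use is worth a look on a workstation
            alerts.append(("plink", e["host"], e["user"]))
        if e["image"] in DISCOVERY:
            seen[(e["host"], e["user"])].append((e["ts"], e["image"]))
    for (host, user), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window from each hit
            tools = {img for t, img in hits[i:] if t - t0 <= window}
            if len(tools) >= threshold:
                alerts.append(("discovery_burst", host, user))
                break
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The threshold counts distinct tools rather than raw events, so a single user repeatedly running ping does not trip it, while the whoami/ipconfig/net/netstat sequence from one session does.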

CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials used in the attack; however, they did come up with a theory involving Pulse Secure.

“It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure,” stated CISA, adding that it “has observed wide exploitation of CVE-2019-11510 across the federal government.”

The vulnerability allows the remote, unauthenticated retrieval of files, including passwords. Patches were released by Pulse Secure in April 2019 for several critical vulnerabilities, including CVE-2019-11510.

No details of when the attack took place or which agency was compromised have been released. 

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!