US-CERT- AA22-277A: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

Started by Netwörkheäd, October 05, 2022, 12:22:00 PM


Netwörkheäd

AA22-277A: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

Original release date: October 4, 2022 | Last revised: October 5, 2022

Summary

Actions to Help Protect Against APT Cyber Activity:



• Enforce multifactor authentication (MFA) on all user accounts.

• Implement network segmentation to separate network segments based on role and functionality.

• Update software, including operating systems, applications, and firmware, on network assets.

• Audit account usage.



From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.



This joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.



Download the PDF version of this report: https://us-cert.cisa.gov/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf (PDF, 692 KB)



For a downloadable copy of IOCs, see the following files:




Technical Details

Threat Actor Activity



Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11 (https://attack.mitre.org/versions/v11/matrices/enterprise/). See the MITRE ATT&CK Tactics and Techniques section for a table of the APT cyber activity mapped to the MITRE ATT&CK for Enterprise framework.



From November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization's enterprise network. The victim organization also engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted third party identified APT activity on the victim's network.



Some APT actors gained initial access to the organization's Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the Exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account ("Admin 1") to access the Exchange Web Services (EWS) Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access the EWS API again. In both instances, the actors used a virtual private network (VPN).



Four days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim's network. The actors used Command Shell to learn about the organization's environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool WinRAR. These files were split into approximately 3 MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.



During the same period, APT actors implanted Impacket (https://attack.mitre.org/versions/v11/software/S0357/), a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.



In early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems. For more information on the HyperBro and webshell samples, see CISA MAR-10365227-2 (https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b) and MAR-10365227-3 (https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277c).



In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.



APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.



Use of Impacket



CISA discovered activity indicating the use of two Impacket tools: wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively, for creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.



The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization's multifunctional devices. The threat actors first used the service account to remotely access the organization's Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:



powershell add-pssnapin *exchange*;New-ManagementRoleAssignment -Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:<account>



This command gave the service account the ability to access other users' mailboxes.
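The two Impacket tools named above and the role-assignment command quoted above all leave traces in process-creation telemetry. The following is an added example written for this page, not code from the advisory or from the Impacket project: it scans constructed Windows 4688 / Sysmon Event ID 1-style records for (a) the default command templates of the public wmiexec.py and smbexec.py examples (an assumption about defaults; a modified copy can change them) and (b) any grant of the ApplicationImpersonation role, and extracts which account received that role. Field names, hosts, timestamps and the account name svc-mfp-example are invented.

```python
import re

# Constructed process-creation records in the shape of Windows Security 4688 /
# Sysmon Event ID 1 data. Hosts, timestamps and the account name are invented.
SAMPLE_EVENTS = [
    {"ts": "2021-04-12T03:14:07", "host": "FS01",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1618197247.12 2>&1"},
    {"ts": "2021-04-12T03:15:30", "host": "FS01",
     "parent": "C:\\Windows\\System32\\services.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                "> C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat"},
    {"ts": "2021-04-12T03:20:01", "host": "EXCH01",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'powershell add-pssnapin *exchange*;New-ManagementRoleAssignment -Name:"Journaling-Logs" '
                "-Role:ApplicationImpersonation -User:svc-mfp-example"},
    {"ts": "2021-04-12T08:00:00", "host": "WS22",          # benign admin activity, should not fire
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c dir C:\\Users\\alice\\Documents > C:\\Users\\alice\\out.txt"},
]

# Detection rules. The first two encode the default command templates of the public
# wmiexec.py / smbexec.py examples (assumption: a modified copy may differ): wmiexec
# redirects output to \\127.0.0.1\ADMIN$\__<unix-time>, smbexec writes an execute.bat
# via a service and echoes output to \\127.0.0.1\<share>\__output. The third rule
# matches the Exchange role grant quoted in the advisory.
RULES = [
    ("impacket-wmiexec",
     re.compile(r"cmd\.exe\s+/Q\s+/c\s+.+\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.I)),
    ("impacket-smbexec",
     re.compile(r"/Q\s+/c\s+echo\s+.+\^>\s*\\\\127\.0\.0\.1\\[A-Z]+\$\\__output.+execute\.bat", re.I)),
    ("exchange-impersonation-grant",
     re.compile(r"New-ManagementRoleAssignment\b.*-Role:?\s*ApplicationImpersonation\b", re.I)),
]


def scan_events(events):
    """Return one hit per (event, rule) match, carrying the rule name and event context."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"rule": name, "host": ev["host"], "ts": ev["ts"], "cmdline": ev["cmdline"]})
    return hits


def impacket_hosts(hits):
    """Hosts showing Impacket execution artifacts: the lateral-movement targets to triage first."""
    return sorted({h["host"] for h in hits if h["rule"].startswith("impacket-")})


def impersonation_target(cmdline):
    """Pull the -User value out of a New-ManagementRoleAssignment command line, or None."""
    m = re.search(r"-User:?\s*\"?([^\s\"']+)", cmdline, re.I)
    return m.group(1) if m else None


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']} {h['rule']}: {h['cmdline'][:80]}")
        if h["rule"] == "exchange-impersonation-grant":
            print("   ApplicationImpersonation granted to:", impersonation_target(h["cmdline"]))
```

The wmiexec rule keys on the loopback UNC output path rather than on the parent process, because WmiPrvSE.exe also spawns legitimate administrative commands; the role-grant rule is worth running retroactively over PowerShell and Exchange admin audit logs, since an impersonation grant survives any later cleanup of the shell history.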



The APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, is common for these threat actors. According to CISA's analysis of the victim's Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections was mostly from the VPS hosting provider, M247.
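The IIS analysis described above can be reproduced against any Exchange front-end log. The example below is added for this page and is not the advisory's or CISA's code: it parses constructed W3C-format IIS log lines and flags the three patterns the advisory reports, namely EWS requests by an account that should be gone (a former employee), OWA logons by a device service account, and one account arriving from several external addresses. The account names, the internal address ranges and every log line are invented; the "-" username on pre-authentication requests is skipped, a detail that otherwise produces noise.

```python
import ipaddress
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (not real data). Usernames, IPs and
# timestamps are invented; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-01-15 02:10:59 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2021-01-15 02:11:08 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\jdoe 198.51.100.23 Mozilla/5.0 200
2021-01-15 02:12:40 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\jdoe 198.51.100.23 Mozilla/5.0 200
2021-01-15 09:30:01 10.0.0.5 GET /owa/ - 443 CORP\svc-mfp 203.0.113.7 Mozilla/5.0 200
2021-01-15 09:31:15 10.0.0.5 GET /owa/ - 443 CORP\svc-mfp 203.0.113.9 Mozilla/5.0 200
2021-01-15 10:02:33 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\asmith 10.0.12.44 Outlook/16.0 200
"""

# Assumed environment facts (invented for the example): the org's internal ranges,
# accounts that have left, and service accounts that should never open OWA interactively.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
DEPARTED_ACCOUNTS = {"corp\\jdoe"}       # former employee whose account was never disabled
SERVICE_ACCOUNTS = {"corp\\svc-mfp"}     # multifunction-device (printer/scanner) service account


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields: line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_external(ip):
    """True when the client address lies outside the internal ranges (unparseable -> external)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def review_exchange_access(rows):
    """Return sorted, de-duplicated findings as (rule, account, detail) tuples."""
    findings = set()
    external_ips = defaultdict(set)
    for r in rows:
        user = r["cs-username"].lower()
        uri = r["cs-uri-stem"].lower()
        if user == "-":                       # anonymous pre-auth request: nothing to attribute
            continue
        if uri.startswith("/ews") and user in DEPARTED_ACCOUNTS:
            findings.add(("departed-account-ews", user, r["c-ip"]))
        if uri.startswith("/owa") and user in SERVICE_ACCOUNTS:
            findings.add(("service-account-owa", user, r["c-ip"]))
        if is_external(r["c-ip"]):
            external_ips[user].add(r["c-ip"])
    for user, ips in external_ips.items():
        if len(ips) > 1:                      # one identity, several external sources
            findings.add(("multiple-external-ips", user, ",".join(sorted(ips))))
    return sorted(findings)


if __name__ == "__main__":
    for rule, account, detail in review_exchange_access(parse_iis(IIS_LOG)):
        print(f"{rule:24} {account:16} {detail}")
```

The departed-account list is the piece most teams lack; joining the log's cs-username column against HR leaver data (or against accounts with a stale last-logon in AD) turns this from a point check into a standing control.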



Use of Custom Exfiltration Tool: CovalentStealer



The threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.



CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim's documents using predetermined file paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times, and uses a 256-bit AES key for encryption. See CISA MAR-10365227-1 (https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a) for additional technical details, including IOCs and detection signatures.



MITRE ATT&CK Tactics and Techniques



MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.



Table 1: Identified APT Enterprise ATT&CK Tactics and Techniques

Initial Access

Technique Title | ID | Use
Valid Accounts | T1078 (https://attack.mitre.org/versions/v11/techniques/T1078/) | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization's multifunctional device domain account used to access the organization's Microsoft Exchange server via OWA.

Execution

Technique Title | ID | Use
Windows Management Instrumentation | T1047 (https://attack.mitre.org/versions/v11/techniques/T1047/) | Actors used Impacket tools wmiexec.py and smbexec.py to leverage Windows Management Instrumentation and execute malicious commands.
Command and Scripting Interpreter | T1059 (https://attack.mitre.org/versions/v11/techniques/T1059/003/) | Actors abused command and script interpreters to execute commands.
Command and Scripting Interpreter: PowerShell | T1059.001 (https://attack.mitre.org/techniques/T1059/001) | Actors abused PowerShell commands and scripts to map shared drives by specifying a path to one location and retrieving the items from another. See Appendix: Windows Command Shell Activity for additional information.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 (https://attack.mitre.org/versions/v11/techniques/T1059/003/) | Actors abused the Windows Command Shell to learn about the organization's environment and to collect sensitive data. See Appendix: Windows Command Shell Activity for additional information, including specific commands used. The actors used Impacket tools, which enable a user with credentials to run commands on the remote device through the Command Shell.
Command and Scripting Interpreter: Python | T1059.006 (https://attack.mitre.org/versions/v11/techniques/T1059/006/) | The actors used two Impacket tools: wmiexec.py and smbexec.py.
Shared Modules | T1129 (https://attack.mitre.org/techniques/T1129) | Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths.
System Services | T1569 (https://attack.mitre.org/versions/v11/techniques/T1569/) | Actors abused system services to execute commands or programs on the victim's network.

Persistence

Technique Title | ID | Use
Valid Accounts | T1078 (https://attack.mitre.org/versions/v11/techniques/T1078/) | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Create or Modify System Process | T1543 (https://attack.mitre.org/versions/v11/techniques/T1543/) | Actors were observed creating or modifying system processes.

Privilege Escalation

Technique Title | ID | Use
Valid Accounts | T1078 (https://attack.mitre.org/versions/v11/techniques/T1078/) | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization's multifunctional device domain account used to access the organization's Microsoft Exchange server via OWA.

Defense Evasion

Technique Title | ID | Use
Masquerading: Match Legitimate Name or Location | T1036.005 (https://attack.mitre.org/versions/v11/techniques/T1036/005) | Actors masqueraded the archive utility WinRAR.exe by renaming it VMware.exe to evade defenses and observation.
Indicator Removal on Host | T1070 (https://attack.mitre.org/versions/v11/techniques/T1070/004/) | Actors deleted or modified artifacts generated on a host system to remove evidence of their presence or hinder defenses.
Indicator Removal on Host: File Deletion | T1070.004 (https://attack.mitre.org/versions/v11/techniques/T1070/004/) | Actors used the del.exe command with the /f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards.
Valid Accounts | T1078 (https://attack.mitre.org/versions/v11/techniques/T1078/) | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization's multifunctional device domain account used to access the organization's Microsoft Exchange server via OWA.
Virtualization/Sandbox Evasion: System Checks | T1497.001 (https://attack.mitre.org/techniques/T1497/001) | Actors used Windows command shell commands to detect and avoid virtualization and analysis environments. See Appendix: Windows Command Shell Activity for additional information.
Impair Defenses: Disable or Modify Tools | T1562.001 (https://attack.mitre.org/techniques/T1562/001) | Actors used the taskkill command, probably to disable security features. CISA was unable to determine which application was associated with the Process ID.
Hijack Execution Flow | T1574 (https://attack.mitre.org/versions/v11/techniques/T1574/) | Actors were observed hijacking execution flow.

Discovery

Technique Title | ID | Use
System Network Configuration Discovery | T1016 (https://attack.mitre.org/techniques/T1016) | Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine. The threat actor used route print to display the entries in the local IP routing table.
System Network Configuration Discovery: Internet Connection Discovery | T1016.001 (https://attack.mitre.org/techniques/T1016/001) | Actors checked for internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways.
System Owner/User Discovery | T1033 (https://attack.mitre.org/techniques/T1033) | Actors attempted to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system.
System Network Connections Discovery | T1049 (https://attack.mitre.org/techniques/T1049) | Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP.
Process Discovery | T1057 (https://attack.mitre.org/techniques/T1057) | Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine. The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running on the computer matching the string "powers."
System Information Discovery | T1082 (https://attack.mitre.org/techniques/T1082) | Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine.
File and Directory Discovery | T1083 (https://attack.mitre.org/techniques/T1083) | Actors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system.
Virtualization/Sandbox Evasion: System Checks | T1497.001 (https://attack.mitre.org/techniques/T1497/001) | Actors used Windows command shell commands to detect and avoid virtualization and analysis environments.

Lateral Movement

Technique Title | ID
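Three rows of Table 1 describe host behaviour that endpoint telemetry can catch directly: the archiver renamed to VMware.exe (T1036.005), the run of systeminfo, route print, netstat, tasklist and ipconfig on one host (Discovery), and the forced deletion of *.rar staging files (T1070.004). The example below is added for this page and is not the advisory's code. It works over constructed Sysmon Event ID 1-style records (our own field names) and uses the OriginalFileName value, which Sysmon reads from the PE version resource, to catch a renamed binary; the allowlist of expected name mismatches (systeminfo.exe reports itself as sysinfo.exe) is the caveat that keeps this rule usable, and the discovery rule counts distinct tools in a time window rather than matching any single command, since each of these commands is routine on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1-style records (invented hosts, paths and timestamps).
# "orig" stands in for Sysmon's OriginalFileName field.
SAMPLE = [
    {"ts": "2021-02-10T01:00:05", "host": "EXCH01", "image": "C:\\Windows\\System32\\systeminfo.exe", "orig": "sysinfo.exe", "cmdline": "systeminfo"},
    {"ts": "2021-02-10T01:00:20", "host": "EXCH01", "image": "C:\\Windows\\System32\\ROUTE.EXE", "orig": "route.exe", "cmdline": "route print"},
    {"ts": "2021-02-10T01:00:41", "host": "EXCH01", "image": "C:\\Windows\\System32\\NETSTAT.EXE", "orig": "netstat.exe", "cmdline": "netstat -ano -p tcp"},
    {"ts": "2021-02-10T01:01:02", "host": "EXCH01", "image": "C:\\Windows\\System32\\tasklist.exe", "orig": "tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2021-02-10T01:01:10", "host": "EXCH01", "image": "C:\\Windows\\System32\\ipconfig.exe", "orig": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2021-02-10T02:30:00", "host": "EXCH01", "image": "C:\\ProgramData\\VMware.exe", "orig": "WinRAR.exe", "cmdline": "VMware.exe a -v3m C:\\ProgramData\\tempg C:\\Shares\\Contracts"},
    {"ts": "2021-02-12T04:00:00", "host": "EXCH01", "image": "C:\\Windows\\System32\\cmd.exe", "orig": "Cmd.Exe", "cmdline": "cmd /c del /f C:\\ProgramData\\tempg*.rar"},
    {"ts": "2021-02-10T09:00:00", "host": "WS07", "image": "C:\\Windows\\System32\\ipconfig.exe", "orig": "ipconfig.exe", "cmdline": "ipconfig"},  # lone helpdesk check
]

# Lower-cased base names of the discovery commands listed in Table 1 (systeminfo's
# OriginalFileName is sysinfo), plus whoami, which belongs to the same reconnaissance set.
DISCOVERY_TOOLS = {"sysinfo", "route", "netstat", "tasklist", "ipconfig", "whoami"}
# Known-benign (image name, OriginalFileName) pairs; extend from your own baseline.
EXPECTED_MISMATCH = {("systeminfo", "sysinfo")}
# Forced deletion of .rar archives, as in the T1070.004 row.
RAR_CLEANUP = re.compile(r"\bdel\b[^&|]*\s/f\b[^&|]*\.rar\b", re.I)


def base(name):
    """Lower-cased file name without directory or extension, for either path separator."""
    return name.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()


def masquerades(events):
    """Image name disagrees with the PE's own OriginalFileName and is not a known-benign pair."""
    out = []
    for ev in events:
        img, orig = base(ev["image"]), base(ev["orig"])
        if img != orig and (img, orig) not in EXPECTED_MISMATCH:
            out.append(("masquerade", ev["host"], f"{img}.exe reports OriginalFileName {ev['orig']}"))
    return out


def discovery_bursts(events, window=timedelta(minutes=10), threshold=4):
    """At least `threshold` distinct discovery tools on one host inside `window`; one finding per host."""
    by_host = defaultdict(list)
    for ev in events:
        tool = base(ev["orig"])
        if tool in DISCOVERY_TOOLS:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tool))
    out = []
    for host, seq in sorted(by_host.items()):
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            tools = {tool for t, tool in seq[i:] if t - t0 <= window}
            if len(tools) >= threshold:
                minutes = int(window.total_seconds() // 60)
                out.append(("discovery-burst", host, f"{len(tools)} distinct discovery commands within {minutes} min from {t0.isoformat()}"))
                break
    return out


def rar_cleanups(events):
    """Command lines that force-delete .rar files, the staging clean-up seen in the advisory."""
    return [("rar-cleanup", ev["host"], ev["cmdline"]) for ev in events if RAR_CLEANUP.search(ev["cmdline"])]


def analyze(events):
    return masquerades(events) + discovery_bursts(events) + rar_cleanups(events)


if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE):
        print(f"{rule:16} {host:8} {detail}")
```

The window and threshold are deliberately parameters: a server build or a monitoring agent can legitimately run several of these tools in sequence, so tune them against a week of your own telemetry before alerting on the result rather than just reporting it.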
Let's not argue. Let's network!