HACKERS USED IMPACKET, COVALENTSTEALER FOR THEIR PURPOSE
A joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) has revealed that multiple threat actors gained access to sensitive data belonging to a defense contractor.
The state-backed hackers used the Python-based open-source Impacket framework and the custom malware CovalentStealer, alongside the HyperBro remote access Trojan (RAT) and over a dozen China Chopper webshell samples, to steal critical data from a defense industrial base (DIB) organization.
Organizations in the Defense Industrial Base sector provide products and services that support and sustain military operations; their work spans the research, development, design, production, delivery and maintenance of military weapons systems.
CISA responded to persistent threat activity from November last year to January this year. No explanation was given for why news of the breach was withheld, or why it was released only after a lapse of several months.
Investigators believe the hackers gained access to the Exchange Server sometime in January 2021. Within hours, after extensive searching, the threat actors were using a compromised administrator account belonging to a former employee. Within a month they were conducting reconnaissance that gave them access to manually archived sensitive data, at which point they were ready for exfiltration.
About a month later, the hackers exploited the ProxyLogon vulnerabilities to install nearly 17 China Chopper webshells on the Exchange Server. China Chopper packs a lot of destructive power into a package of merely 4 kilobytes; its small size and broad capabilities contributed to its popularity, and a number of hackers and hacker groups adopted these webshells for their operations.
CISA, the FBI and the NSA, which investigated the breach, recommend continuously validating security controls against observed threat behavior. The suggested methodology consists of the following key actions:
- Select an ATT&CK technique
- Align security technologies against the technique
- Test the technologies against the technique
- Analyze the performance of your detection and prevention technologies
- Repeat the process for all security technologies
- Tune your security program
- Repeat the whole process for other ATT&CK techniques
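The loop above is easiest to understand as a small harness: pick a technique, map detection rules to it, replay known-good and known-bad events through those rules, score the result, and tune. The following Python is an added example written for this article; it is not code from the advisory or from any vendor product. The log lines, the allowlist, the rule logic and the "v1 versus v2" tuning step are all constructed for illustration. The two technique IDs are the real ATT&CK identifiers for Web Shell (T1505.003) and Archive via Utility (T1560.001), chosen because the article describes both webshells and manual archiving of data.

```python
"""Control-validation harness modelled on the advisory's loop:
select technique -> align detections -> test -> analyze -> tune -> repeat.
Everything below (events, allowlist, rules) is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    technique: str   # ATT&CK technique ID the event exercises
    event: str       # one constructed log line
    malicious: bool  # ground truth: should a detection fire on it?


# Constructed events (not from the advisory). Two simplified formats:
#   "web <client-ip> <method> <uri> <status>"   (web server access log)
#   "proc <user> <command line>"                (process creation log)
CASES = [
    # T1505.003 Server Software Component: Web Shell
    TestCase("T1505.003", "web 203.0.113.9 POST /owa/auth/test.aspx 200", True),
    TestCase("T1505.003", "web 203.0.113.9 POST /ecp/upload.aspx 200", True),
    TestCase("T1505.003", "web 10.0.0.21 POST /owa/auth/logon.aspx 302", False),  # normal login
    TestCase("T1505.003", "web 10.0.0.21 GET /owa/auth/logon.aspx 200", False),
    # T1560.001 Archive Collected Data: Archive via Utility
    TestCase("T1560.001", r'proc svc_backup "C:\Program Files\WinRAR\rar.exe" a -r C:\Share\contracts.rar C:\Share\Contracts', True),
    TestCase("T1560.001", r"proc jdoe 7z.exe a -mhe=on -p D:\out\q1.7z D:\Finance\*", True),
    TestCase("T1560.001", r"proc jdoe notepad.exe C:\Users\jdoe\notes.txt", False),
]

# Constructed allowlist of pages that legitimately receive POSTs.
KNOWN_POST_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx"}

WEB_RE = re.compile(r"^web (\S+) (GET|POST) (\S+) (\d{3})$")
PROC_RE = re.compile(r"^proc (\S+) (.*)$")
ARCHIVERS = ("rar.exe", "7z.exe", "winrar.exe")


def detect_webshell_v1(event: str) -> bool:
    """First draft rule: any POST to an .aspx page. Fires on the shells, but also on logon.aspx."""
    m = WEB_RE.match(event)
    return bool(m) and m.group(2) == "POST" and m.group(3).lower().endswith(".aspx")


def detect_webshell_v2(event: str) -> bool:
    """Tuned rule: same idea, but endpoints on the allowlist are ignored."""
    m = WEB_RE.match(event)
    if not m or m.group(2) != "POST":
        return False
    uri = m.group(3).lower()
    return uri.endswith(".aspx") and uri not in KNOWN_POST_PAGES


def detect_archive_utility(event: str) -> bool:
    """Archiver invoked with the 'a' (add-to-archive) verb used by rar and 7z."""
    m = PROC_RE.match(event)
    if not m:
        return False
    cmd = m.group(2).lower()
    return any(tool in cmd for tool in ARCHIVERS) and " a " in cmd


# Step 2: align detections with techniques.
RULES = {
    "T1505.003": [detect_webshell_v2],
    "T1560.001": [detect_archive_utility],
}


def evaluate(rules, cases):
    """Steps 3-4: replay every case through the rules mapped to its technique and tally the outcome."""
    scores = {}
    for case in cases:
        s = scores.setdefault(case.technique, {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
        fired = any(rule(case.event) for rule in rules.get(case.technique, []))
        if case.malicious:
            s["tp" if fired else "fn"] += 1
        else:
            s["fp" if fired else "tn"] += 1
    return scores


def coverage_report(scores):
    """Per-technique detection rate and false-positive count, the numbers that drive the tuning step."""
    return {
        t: {"detection_rate": s["tp"] / (s["tp"] + s["fn"]), "false_positives": s["fp"]}
        for t, s in scores.items()
    }


if __name__ == "__main__":
    print("before tuning:", coverage_report(evaluate({"T1505.003": [detect_webshell_v1]}, CASES)))
    print("after tuning: ", coverage_report(evaluate(RULES, CASES)))
```

Running the harness with the first-draft rule shows full detection for T1505.003 but one false positive on the ordinary logon POST; swapping in the tuned rule removes the false positive without losing a detection, which is exactly the analyze-then-tune step of the advisory's loop. Adding a new technique means adding test cases and rules to `CASES` and `RULES` and re-running.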
If these recommendations are followed, a sound defensive mechanism will be in place and threats can be dealt with effectively.