The U.S. Government released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector.
The compromise lasted for about ten months, and it is likely that multiple advanced persistent threat (APT) groups compromised the organization, some of them gaining initial access through the victim’s Microsoft Exchange Server in January last year.
Entities in the Defense Industrial Base Sector provide products and services that enable support and deployment of military operations.
They are engaged in the research, development, design, production, delivery, and maintenance of military weapons systems, including all necessary components and parts.
A joint report from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) provides technical details collected during incident response activity that lasted between November 2021 and January 2022.
The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples.
They also exploited the ProxyLogon collection of four vulnerabilities for Exchange Server around the time Microsoft released an emergency security update to fix them.
At the time, Microsoft had detected the ProxyLogon exploit chain when the vulnerabilities were zero days (unknown to the vendor), in attacks attributed to a Chinese state-sponsored hacking group they call Hafnium.
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows sending arbitrary HTTP requests and authenticating as the Exchange server
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Hafnium used it to run code as SYSTEM on the Exchange server
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. It could be exploited after compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange
While the initial access vector is unknown, the current advisory notes that the hackers gained access to the organization’s Exchange Server in mid-January 2021.
Within four hours, the threat actor started mailbox searches and used a compromised administrator account belonging to a former employee to access the Exchange Web Services (EWS) API, which is used for sending and receiving web service messages from client applications.
Less than a month later, in early February 2021, the attackers accessed the network again using the same admin credentials through a virtual private network (VPN) connection.
After four days, the hackers engaged in reconnaissance activity using a command shell. They learned about the victim’s environment and manually archived sensitive data with WinRAR, e.g. contract-related information stored on shared drives, preparing it for exfiltration.
At the beginning of March, the hackers exploited the ProxyLogon vulnerabilities to install no fewer than 17 China Chopper webshells on the Exchange Server.
China Chopper carries powerful capabilities in a very small package (just 4 kilobytes). It was initially used by Chinese threat actors but it became so popular that other groups adopted it.
Activity to establish persistence on the network and to move laterally started in April 2021 and was possible through Impacket, which allows working with network protocols.
CISA says that the attacker used Impacket with the compromised credentials to obtain a service account with higher privileges, which enabled remote access from multiple external IP addresses to the organization’s Exchange server through Outlook Web Access (OWA).
Accessing the remote Exchange Server was done through services from two VPN and virtual private server providers, M247 and SurfShark, a common tactic to hide the interaction with the victim network.
Burrowed deeply in the victim network, the hackers relied on the custom-built CovalentStealer to upload additional sensitive files to a Microsoft OneDrive location between late July and mid-October 2022.
In a separate report, CISA provides technical analysis for CovalentStealer noting that the malware relies on code from two publicly available utilities, ClientUploader and the PowerShell script Export-MFT, to upload compressed files and to extract the Master File Table (MFT) of a local storage volume.
CovalentStealer also contains resources for encrypting and decrypting the uploaded data and configuration files, and for securing communications.
CISA shares technical details for the HyperBro RAT in a distinct report, saying that the capabilities of the malware include uploading and downloading files to and from the system, logging keystrokes, executing commands on the infected host, and bypassing User Account Control protection to run with full admin privileges.
A set of recommendations is available in the joint report for detecting persistent, long-term access threat activity, one of them being to monitor logs for connections from unusual VPSs and VPNs.
Defenders should also examine connections from unexpected ranges and, for this particular attacker, check for machines hosted by SurfShark and M247.
Monitoring for suspicious account use, such as inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts, is also on the list.
The use of compromised credentials with a VPS may also indicate a potential breach that could be uncovered by:
- Searching for unusual activity in typically dormant accounts
Source: CISA
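One way to implement the two log checks described above (logons from VPS/VPN ranges and activity on typically dormant accounts), as an added example that is not taken from the CISA report or this article. The log format, account names, 90-day dormancy threshold and IP ranges (RFC 5737 documentation prefixes used as placeholders) are all assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source IP, service.
# These are illustrative records, not data from the advisory.
SAMPLE_LOG = """\
2021-01-04T09:12:00,jsmith,10.20.1.15,OWA
2021-01-05T08:47:00,jsmith,10.20.1.15,OWA
2020-06-30T17:02:00,former.admin,10.20.1.44,EWS
2021-01-14T02:31:00,former.admin,198.51.100.23,EWS
2021-01-15T09:05:00,jsmith,203.0.113.77,VPN
2021-02-02T03:10:00,former.admin,198.51.100.23,VPN
"""

# Assumption: placeholder prefixes standing in for the hosting/VPN provider
# ranges a defender would load from their own ASN or IP-intelligence feed.
HOSTING_RANGES = [ipaddress.ip_network(n)
                  for n in ("198.51.100.0/24", "203.0.113.0/24")]
DORMANT_AFTER = timedelta(days=90)  # assumed threshold; tune per environment


def analyze(log_text, dormant_after=DORMANT_AFTER, hosting=HOSTING_RANGES):
    """Return (timestamp, account, ip, service, reasons) for suspicious logons."""
    rows = [(datetime.fromisoformat(r[0]), r[1], ipaddress.ip_address(r[2]), r[3])
            for r in csv.reader(io.StringIO(log_text)) if r]
    rows.sort(key=lambda r: r[0])  # logs are often out of order across sources

    last_seen, alerts = {}, []
    for ts, account, ip, service in rows:
        reasons = []
        previous = last_seen.get(account)
        # An account that was silent for a long time and suddenly logs on.
        if previous is not None and ts - previous > dormant_after:
            reasons.append("dormant_account")
        # A logon whose source address sits in a VPS/VPN provider range.
        if any(ip in net for net in hosting):
            reasons.append("hosting_range")
        if reasons:
            alerts.append((ts.isoformat(), account, str(ip), service, reasons))
        last_seen[account] = ts
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A logon that trips both checks at once, as the first `former.admin` record from the hosting range does here, is the strongest signal and should be triaged first.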