US military contractor hacked through Microsoft Exchange vulnerabilities, custom exfiltration tools

A digital render of a blue padlock fragmenting into a cloud of data
(Image credit: Getty Images)

The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory, admitting that numerous threat actors maintained long-term access to a military industrial facility's IT environment.

The October 4 advisory described advanced persistent threat (APT) activity on a “Defense Industrial Base (DIB) Sector organisation’s enterprise network". CISA first responded to the threat in November 2021, but the earliest activity by the APT actors is believed to have started in January 2021.

RELATED RESOURCE

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

FREE DOWNLOAD

APT groups are typically, but not always, linked to nation-states or state-sponsored hackers. They are characterised as threat actors that use sophisticated methods to continuously and surreptitiously gain access to systems, usually for long periods of time.

Attackers used a number of widely exploited and known vulnerabilities in Microsoft Exchange, such as CVE-2021-27065 and CVE-2021-26858, to install malicious China Chopper web shells on the company’s Exchange server. This established backdoor access to the server without the need to connect it to any command and control (C2) infrastructure.

China Chopper has seen a surge in popularity having been spotted in numerous attacks throughout the year. Microsoft reported in July that it was being used in conjunction with internet information services (IIS) modules to establish backdoors in organisations.

After the initial access to the system had been established, APT actors used the Windows command shell to explore the firm’s network environment and manually exfiltrate files. They also installed a Python toolkit called Impacket, used to establish and alter network protocols, in order to obtain access to another system on the network.

Through Impacket, users with access to administrator credentials can run commands remotely using Windows enterprise network management. The APT actors used Impacket to gain control of a service account used across devices on the DIB’s network.

Activity of the APT actors within the network is especially notable due to the time they went undetected, as well as for the use of a custom exfiltration tool known as CovalentStealer.

The tool is tailor-made to categorise sensitive files and upload them to a remote OneDrive cloud folder, encrypted using a 256-bit AES key.

The initial access vector remains a mystery, according to the advisory, and attackers used virtual private networks (VPNs) to obscure their origin at all times.

Authorities also said the APT actors abused access to escalate attacks. A device domain account used for managing the firm’s Microsoft Exchange server was used, alongside a compromised account of a former employee to access the Microsoft Exchange Web Services (EWS) for the organisation.

CISA, FBI and NSA have warned organisations to carefully monitor logs for unusual VPN activity, carefully observe administrator account use, and make sure that the command line is not being used for suspicious activity.

Any affected companies are urged to contact the relevant authorities, reset all accounts in anticipation of stolen credentials, and police strict multi-factor authentication (MFA) for all user accounts.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.