
US military contractor hacked through Microsoft Exchange vulnerabilities, custom exfiltration tools

In a joint advisory, US security groups have warned the prolonged campaign showed new strategies in play, with the vector still unknown

The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory reporting that multiple threat actors maintained long-term access to a military industrial facility's IT environment.

The October 4 advisory described advanced persistent threat (APT) activity on a “Defense Industrial Base (DIB) Sector organisation’s enterprise network". CISA first responded to the threat in November 2021, but the earliest activity by the APT actors is believed to have started in January 2021.


APT groups are typically, but not always, linked to nation-states or state-sponsored hackers. They are characterised as threat actors that use sophisticated methods to continuously and surreptitiously gain access to systems, usually for long periods of time.

During the intrusion, attackers exploited widely known and widely exploited Microsoft Exchange vulnerabilities, such as CVE-2021-27065 and CVE-2021-26858, to install China Chopper web shells on the company's Exchange server. A web shell of this kind gives the operator backdoor access over ordinary HTTP requests to the server itself, so the compromised host never has to beacon out to separate command and control (C2) infrastructure.

China Chopper has seen a surge in popularity having been spotted in numerous attacks throughout the year. Microsoft reported in July that it was being used in conjunction with internet information services (IIS) modules to establish backdoors in organisations. 

After initial access had been established, the APT actors used the Windows command shell to explore the firm's network environment and manually exfiltrate files. They also installed Impacket, an open-source Python toolkit for working with Windows network protocols such as SMB and MSRPC, and used it to move laterally to another system on the network.

Impacket's tooling lets anyone holding administrator credentials run commands on remote hosts through Windows Management Instrumentation (WMI) and SMB. The APT actors used it to gain control of a service account used across devices on the DIB organisation's network.

Activity of the APT actors within the network is especially notable due to the time they went undetected, as well as for the use of a custom exfiltration tool known as CovalentStealer.

The tool is tailor-made to categorise sensitive files and upload them to a remote OneDrive cloud folder, encrypted using a 256-bit AES key.

The initial access vector remains unknown, according to the advisory, and the attackers used commercial virtual private network (VPN) services to obscure their origin throughout the campaign.

Authorities also said the APT actors abused legitimate accounts to extend the intrusion. A domain account used to manage the firm's Microsoft Exchange server, together with the compromised account of a former employee, was used to reach the organisation's Exchange Web Services (EWS) interface.

CISA, FBI and NSA have urged organisations to monitor VPN logs for unusual activity, watch administrator account use closely, and look for command-line activity that does not fit normal operations, such as shells launched by server processes that should never spawn them.
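The command-line monitoring the agencies recommend can be turned into concrete rules for the two techniques described above: a China Chopper web shell, which shows up as the IIS worker process (w3wp.exe) spawning a shell, and Impacket's wmiexec.py, which runs each command from WmiPrvSE.exe as cmd.exe with output redirected to a file under the ADMIN$ share. The following is an added example written for this page, not code from the advisory or from any vendor; the tab-separated record format and the sample records are constructed, and the wmiexec command-line pattern is the tool's default behaviour rather than anything taken from the incident.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the subset of fields the rules need)."""
    parent_image: str
    image: str
    user: str
    command_line: str


# Interactive shells and script hosts that a web server or WMI provider host
# should not normally be launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Impacket's wmiexec.py, by default, runs each command as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-timestamp> 2>&1
# and then reads the output file back over SMB. The "ADMIN$\__<digits>"
# redirect is the durable artefact; the host part may be 127.0.0.1 or the
# target's own name or address.
WMIEXEC_RE = re.compile(r"1>\s*\\\\[^\\\s]+\\ADMIN\$\\__\d+(?:\.\d+)?", re.IGNORECASE)


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed tab-separated record: parent_image, image, user, command_line."""
    parent, image, user, cmdline = line.rstrip("\n").split("\t", 3)
    return ProcEvent(parent, image, user, cmdline)


def _base(path: str) -> str:
    """Case-folded file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: list[str] = []
    parent, child = _base(ev.parent_image), _base(ev.image)
    # Rule 1: IIS worker process spawning a shell -> web shell on the IIS/Exchange host.
    if parent == "w3wp.exe" and child in SHELLS:
        hits.append("webshell-spawn")
    # Rule 2: WMI provider host spawning a shell -> remote command execution over WMI.
    if parent == "wmiprvse.exe" and child in SHELLS:
        hits.append("wmi-remote-exec")
        # Rule 3: the specific output-redirect signature left by Impacket wmiexec.py.
        if WMIEXEC_RE.search(ev.command_line):
            hits.append("impacket-wmiexec")
    return hits


def scan(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (user, child image, matched rules) for every record that triggers a rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            findings.append((ev.user, _base(ev.image), hits))
    return findings


# Constructed sample records; not telemetry from the incident in the advisory.
SAMPLE_LOG = [
    "C:\\Windows\\System32\\inetsrv\\w3wp.exe\tC:\\Windows\\System32\\cmd.exe"
    "\tIIS APPPOOL\\MSExchangeOWAAppPool\tcmd.exe /c whoami",
    "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\tC:\\Windows\\System32\\cmd.exe"
    "\tCORP\\svc-exchange\tcmd.exe /Q /c net user 1> \\\\127.0.0.1\\ADMIN$\\__1663694115.29 2>&1",
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe\tCORP\\alice\tcmd.exe",
    "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCORP\\svc-exchange\tpowershell.exe -c Get-Service",
]

if __name__ == "__main__":
    for user, image, hits in scan(SAMPLE_LOG):
        print(f"{user:35} {image:16} {', '.join(hits)}")
```

In practice the records would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the parent/child pairing is what matters, since a web shell or WMI execution chain uses only built-in binaries and looks benign if each process is examined on its own. The "wmi-remote-exec" rule fires on legitimate administration tooling as well, so it is a lower-confidence signal than the wmiexec redirect pattern and is best correlated with the account in use, as the advisory's guidance on watching administrator and service accounts suggests.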

Any affected organisations are urged to contact the relevant authorities, reset all account credentials on the assumption that they have been stolen, and enforce multi-factor authentication (MFA) for all user accounts.
