APT Group Targets Industrial Base with Impacket

Category: Critical Infrastructure Security | Industry: Industrial | Level: Tactical | Source: CISA

The latest alert from the Cybersecurity and Infrastructure Security Agency (CISA) provided investigation details of an intrusion against a defense industrial base (DIB) by advanced persistent threat (APT) actors. A specific APT group was not identified, as many groups appear to be involved in the intrusion. CISA was engaged for incident response from November 2021, through January 2022. All initial access vectors were not fully clear, only exploits of Exchange and abusing compromised credentials were observed. Threat actors-initiated system reconnaissance for the first three days studying the victim's environment with the Exchange environment of additional interest. Most notably was the use of Impacket tools wmiexec.py and smbexec.py. "The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization's multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses." Using a former employee's account, the threat actors were observed accessing Exchange resources with Exchange web services (EWS). CovalentStealer, a custom exfiltration tool was also discovered. "CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim's documents using predetermined files paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times."

Anvilogic Use Cases:

• Impacket SMBexec
• Impacket/Empire's WMIExec
• China Chopper Web Shell

‍