"Abuse of Privilege Enabled Long-Term DIB Organization Hack"

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization's network between November 2021 and January 2022. Advanced Persistent Threat (APT) adversaries had breached the environment and moved through the organization's network using Impacket, an open-source Python toolkit for building and manipulating network protocols programmatically. According to CISA, more than one APT group may have been present in the organization's network. Breaches of this kind are almost always the result of compromised endpoints and privileged credentials, and in this incident the abuse of user and administrator privileges was critical to the attack's success. The intrusion demonstrates why privileged accounts must be monitored and protected.

The intrusion began well before CISA's engagement: APT actors had access to the organization's Microsoft Exchange Server as early as mid-January 2021. The initial access vector is still unknown. Within four hours of the initial breach, the threat actors had collected information about the Exchange environment and searched mailboxes. Four days later, they used the Windows Command Shell to explore the organization's environment and begin collecting data; the data exfiltrated from shared drives included sensitive contract-related information. On another system, the actors installed Impacket and used it to move laterally within the network. Throughout, they obtained and misused existing account credentials for initial access, persistence, privilege escalation, and defense evasion.

The actors' demonstrated ability to maintain persistent, long-term access in compromised enterprise environments prompted CISA, the FBI, and the National Security Agency (NSA) to urge organizations to monitor logs for connections from unusual Virtual Private Server (VPS) and Virtual Private Network (VPN) providers, which includes examining connection logs for access from unexpected IP ranges. Organizations should also monitor for unusual account activity, such as inappropriate or unauthorized use of administrator, service, or third-party accounts. This article continues to discuss the advanced cyberattack faced by a DIB organization's network.
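Detection logic of the kind this guidance calls for, as an added example that is not part of the original article or of the CISA advisory it summarizes: a small Python pass over remote-access and logon log lines that flags connections from source addresses outside the organization's expected ranges and flags administrator, service, and third-party accounts used on hosts their policy does not allow. The log line format, the account and host names, the network ranges, and the sample log lines are all constructed assumptions for the example, not data from the incident.

```python
"""Added example: flag connections from unexpected ranges and misuse of
privileged, service, and third-party accounts in remote-access/logon logs.
The log format, accounts, hosts, and ranges below are constructed assumptions,
not data from the incident described in the article."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: address ranges from which VPN and interactive logons are expected
# (a corporate VPN pool and a known office egress block; both constructed).
EXPECTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Assumption: privileged, service and third-party accounts and the only hosts
# each is permitted to log on to (a constructed policy).
ACCOUNT_POLICY = {
    "svc-backup":        {"kind": "service",     "allowed_hosts": {"BACKUP01"}},
    "admin.jdoe":        {"kind": "admin",       "allowed_hosts": {"JUMP01"}},
    "vendor-mspsupport": {"kind": "third-party", "allowed_hosts": {"VENDOR-GW"}},
}

# Assumed log line layout: "<timestamp> <VPN_CONNECT|LOGON> user=<u> src=<ip> host=<h>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>VPN_CONNECT|LOGON) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unexpected_range(ip):
    """True when the source address lies outside every expected range.
    A source that is not a valid IP address is treated as unexpected too."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in EXPECTED_RANGES)


def analyse(lines):
    """Run both checks over every parseable line; returns a list of Findings."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as benign
        if unexpected_range(rec["src"]):
            findings.append(Finding(rec["ts"], rec["user"],
                                    f"{rec['event']} from unexpected range {rec['src']}"))
        policy = ACCOUNT_POLICY.get(rec["user"])
        if policy and rec["host"] not in policy["allowed_hosts"]:
            findings.append(Finding(rec["ts"], rec["user"],
                                    f"{policy['kind']} account used on unexpected host {rec['host']}"))
    return findings


def summarise(findings):
    """Count findings per account so the noisiest account surfaces first."""
    return dict(Counter(f.user for f in findings).most_common())


# Constructed sample log lines (not from the incident).
SAMPLE_LOGS = [
    "2022-03-01T03:12:44Z VPN_CONNECT user=jdoe src=10.20.30.40 host=VPN-GW",
    "2022-03-01T03:40:02Z VPN_CONNECT user=jdoe src=203.0.113.77 host=VPN-GW",
    "2022-03-05T11:05:19Z LOGON user=svc-backup src=10.1.1.5 host=EXCH01",
    "2022-03-05T11:07:51Z LOGON user=admin.jdoe src=10.1.1.5 host=JUMP01",
    "2022-03-06T22:48:03Z LOGON user=vendor-mspsupport src=192.0.2.9 host=FILESRV02",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f"{f.ts} {f.user}: {f.reason}")
    print(summarise(analyse(SAMPLE_LOGS)))
```

Run as a script it prints one finding per anomaly and a per-account count. The two checks are deliberately independent: a third-party account logging on from an unexpected range to an unexpected host produces two findings, which is the combination of signals the advisory's guidance is meant to surface.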

Security Intelligence reports "Abuse of Privilege Enabled Long-Term DIB Organization Hack"
