At a glance.
- Data stolen from US "Defense Industrial Base organization."
- Major sideloading cryptojacking campaign in progress.
- US Cyber Command describes assistance missions in Ukraine.
- Investigation into Nord Stream sabotage continues.
- CISA has released five Industrial Control System Advisories.
Data stolen from US "Defense Industrial Base organization."
The Cybersecurity and Infrastructure Security Agency (CISA) released a report yesterday detailing alert AA22-277A. From November 2021 through January 2022, CISA uncovered activity from likely multiple advanced persistent threat (APT) groups on a Defense Industrial Base (DIB) Sector organization’s enterprise network. The organization affected isn't named in the report. The APTs used Impacket, an open-source toolkit, to gain access, and then used the custom data exfiltration tool CovalentStealer to steal sensitive data. In this case, as BleepingComputer notes, CISA did not indicate who was behind the APTs. “During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment,” CISA says in the report.
The agency reports that some APTs may have gained access to the victim’s Microsoft Exchange Server as early as mid-January 2021. Bleeping Computer reports that they used “the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples,” on the organization’s network, as well as exploiting the ProxyLogon collection of Microsoft Exchange Server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. CISA has published, separately, a detailed analysis of both CovalentStealer and HyperBro, the tools that figured prominently in the exploitation. For more information on the incident, see CyberWire Pro.