The CISA report lists a number of apparently successful efforts to steal data from the compromised environment. The goal of the attack appears to have been data exfiltration. Subsequent to those events "the cyber threat actor was able to run inetinfo.exe in the agency's environment.
#Inetinfo exploit license key
While the exact methodology used for doing so is unclear, CISA analysts observed the cyber threat actor accessing the anti-malware product’s software license key and installation guide, followed by a visit to a directory used by the product for temporary file analysis. Despite the presence of host-based anti-malware protections, attackers were able to escape quarantine. Still, despite the highly suspicious port traffic, the compromise went undetected.Īccording to CISA's write up, the attackers deployed a range of info stealing malware and remote access tools including ShellExperienceHost.exe and the dropper malware inetinfo.exe. Port forwarding was used to establish connections from the remote server port 39999 to the victim file server through port 8100 on a daily basis. With access to the agency's network, the attacker ran through the APT playbook: obtaining local administrator permissions on compromised systems and establishing a Secure Shell (SSH) tunnel and reverse SOCKS proxy to connect to a remote server under the attacker's control.
#Inetinfo exploit windows
Subsequent to that, the attacker used Microsoft Windows command line processes to enumerate the compromised system and do network discovery. The attacker also engaged in account manipulation to maintain persistence: enumerating the Active Directory and Group Policy key and changing a registry key for the Group Policy. Tripping the Office FantasticĪfter initial access, CISA's analysis found that the threat actor used their access to the agency's Office 365 deployment to conduct reconnaissance within the compromised environment: logging into an O365 account remotely and viewing and downloading help desk email attachments with terms like “Intranet access” and “VPN passwords” in the subject line. Still, CISA has observed wide exploitation of the flaw, CVE-2019-11510, across the federal government according to the report.
#Inetinfo exploit update
That flaw was patched in April 2019 and DHS warned federal agencies to change their Pulse Secure VPN account passwords and update Pulse VPN servers at the time. But the report said that exploitation of an unpatched agency Pulse Secure VPN server may be the cause. Root Cause: A 16 Month Old Vulnerability?ĬISA said it was not able to determine the means by which the threat actor initially gained credentials needed to access the agency's network.
In the detailed report based on its investigation of the intrusion, CISA provides a detailed account of the tactics and procedures used by the malicious actors, who were able to obtain credentials for multiple agency users' Microsoft Office 365 accounts in the course of the breach. The attack on the unnamed agency caught the attention of CISA after an alert received from EINSTEIN, an intrusion detection system that monitors federal civilian networks. The attack on the agency gave criminal hackers access to a wide range of systems and may have resulted in the theft of data from the federal government, according to an analysis by the Cybersecurity and Infrastructure Security Agency (CISA), which was published on Thursday.
A report by the US Government’s lead cybersecurity agency finds plenty of unlocked doors following the compromise of an unnamed federal agency.Īn analysis of a hack of an unnamed federal agency suggests that a recent hack of a government agency may have started with the exploitation of a known flaw in the Pulse VPN server.
0 kommentar(er)
