NSA, CISA, FBI issue alert on custom exfiltration tools being used against DIB
On October 4, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI released a Cybersecurity Advisory that details the tactics, techniques and procedures (TTPs) that multiple advanced persistent threat (APT) groups likely used recently to steal sensitive information from a Defense Industrial Base organization. The advisory, “Impacket, Custom Exfiltration Tools Used to Steal Sensitive Information from Defense Industrial Base Organization,” provides indicators of compromise and TTPs used by the groups and shares guidance to detect and prevent related activity.
During a hunt on the organization’s network, CISA and a third-party incident response organization discovered the following malicious activity:
- Once on the network, APT actors leveraged Impacket, a toolkit for programmatically constructing and manipulating network protocols, in their attack
- The actors used a custom exfiltration tool called CovalentStealer to steal the victim’s data
- The actors exploited a Microsoft Exchange vulnerability on the organization’s server to gain access remotely and compromised legitimate company accounts to access the accounts of other employees
The agencies recommend that Defense Industrial Base sector and other critical infrastructure organizations implement the mitigations in the advisory to ensure they are managing and reducing threats to their networks.
Stay in the know with breaking news from across the IC and IC contracting landscape by becoming a paid subscriber to IC News. Your support makes our work possible.