From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network.

During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network.

Data breaches such as these are almost always the result of compromised endpoints and privileged credentials. In this case, the abuse of user and admin privilege played a major role in the success of this attack. The APT group’s attack further proves that monitoring and protecting privileged accounts are crucial for strong security.

Evolution of the Attack

In the first stages of the attack, APT actors gained access to the organization’s Microsoft Exchange Server as early as mid-January 2021. The initial access vector remains unknown. Based on log analysis, the actors collected information about the exchange environment and searched mailboxes — all within four hours after the initial breach.

Four days later, the APT actors used Windows Command Shell to study the organization’s environment and begin harvesting data. That exfiltrated data included sensitive contract-related information from shared drives.

At the same time, APT actors implanted Impacket in another system. Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. By using this toolkit, the actors were also able to attempt to move laterally within the network.

Preventing Abuse of Privilege

One of the hallmarks of this attack was the abuse of privilege. Actors obtained and abused credentials of existing accounts as a means of executing Initial Access, Persistence, Privilege Escalation or Defense Evasion.

Given the actors’ proven capability to maintain persistent, long-term access in compromised enterprise environments, the CISA, FBI and NSA are encouraging organizations to monitor logs for connections from unusual VPSs and VPNs. This includes examining connection logs for access from unexpected ranges.

Organizations should also monitor for suspicious account use, such as inappropriate or unauthorized use of administrator accounts, service accounts or third-party accounts.

According to CISA, suspicious account use can appear as:

  • “Impossible logins” with changing usernames, user agent strings and IP address combinations or logins where IP addresses do not align with the expected user’s geographic location
  • Suspicious privileged account use after resetting passwords or applying user account mitigations
  • Unusual activity in typically dormant accounts
  • Unusual user agent strings, such as strings not typically associated with normal user activity, may indicate bot activity.

Privileged Access Management Offers a Solution

Successfully mitigating this type of APT attack is far more effective with privileged access management (PAM) solutions. By establishing least-privilege access on endpoints, unusual user activity can be detected faster. For example, if users access files that aren’t part of their usual work activity, least privilege methods can detect this, or, if a dormant account suddenly becomes active, PAM solutions can trigger an alert.

As illustrated by this DIB organization incident, local administrator rights are prime targets for cyber criminals. To thoroughly protect sensitive data, controls need to be in place that keep both endpoints and privileged credentials secure.

More from News

HHS Releases Hospital Cyber Resiliency Landscape Analysis

4 min read - On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness. The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct…

4 min read

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read

Google’s Bug Bounty Hits $12 Million: What About the Risks?

4 min read - Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase. Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security…

4 min read

Swiss Army Knife Malware Slices Through Systems In so Many Ways

4 min read - What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022. Picus' findings also highlighted the growing prevalence of "Swiss Army knife malware". This type of malicious software is capable of executing a range of…

4 min read