The incident came to light in a US government advisory which stated that the attackers used custom CovalentStealer malware and Impacket, an open-source collection of Python classes for working with network protocols, to steal sensitive data from a US Defense Industrial Base (DIB) sector organization.
The joint CISA, FBI and NSA advisory provides the technical details collected during the incident response that followed the attack.
The attacker's arsenal looked like this:
- Custom malware CovalentStealer;
- Impacket, an open-source collection of Python classes for working with network protocols;
- The HyperBro remote access trojan (RAT);
- Over a dozen China Chopper web shell samples;
- Four vulnerabilities in Microsoft Exchange Server.
List of exploited vulnerabilities:
- CVE-2021-26855 - a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 - an insecure deserialization vulnerability in the Unified Messaging service that gives the attacker code execution as SYSTEM on the Exchange server.
- CVE-2021-26858 - a post-authentication arbitrary file write; an attacker could use it to write arbitrary files to the server.
- CVE-2021-27065 - also a post-authentication arbitrary file write; chained with CVE-2021-26855 it gives access to the Exchange admin center (EAC/ECP) interface and, from there, remote code execution.
While the initial access vector is unknown, the advisory states that the attackers gained access to the organization's Exchange server in mid-January 2021. Over a four-hour window they searched mailboxes and used a compromised administrator account belonging to a former employee to access the Exchange Web Services (EWS) API.
Less than a month later, in early February 2021, the attackers re-entered the network over the VPN using the same account.
Four days later, the attackers conducted reconnaissance from a command shell. They learned about the victim's environment and manually archived (with WinRAR) sensitive data stored on shared drives, preparing it for exfiltration. The archives were split into fragments of about 3 MB and placed on the Microsoft Exchange server in the CU2\he\debug directory.
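The staging pattern described above (many archive fragments of nearly identical size dropped into an unexpected directory on the Exchange server) is something a responder can hunt for directly. The script below is an added example written for this article, not code from the advisory or from the organization's own tooling: it walks a directory tree and flags any directory holding several files whose size sits close to a target (3 MB by default, matching the fragment size reported here). The sample tree it builds, including the CU2\he\debug path and the archive part names, is constructed for the demonstration; the size tolerance and minimum count are assumptions to tune against a clean baseline.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

MB = 1024 * 1024


def find_staged_fragments(root, target_size=3 * MB, tolerance=0.15, min_count=3):
    """Return {directory: [paths]} for every directory under root that holds at
    least min_count files whose size is within +/- tolerance of target_size.
    Split archives produce exactly this signature: N chunks of the same size."""
    lo, hi = target_size * (1 - tolerance), target_size * (1 + tolerance)
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:  # file vanished or is locked; skip, do not abort the hunt
                continue
            if lo <= size <= hi:
                hits[os.path.normpath(dirpath)].append(path)
    return {d: sorted(fs) for d, fs in hits.items() if len(fs) >= min_count}


def build_sample_tree(base):
    """Constructed sample data (not from the advisory): a staging directory that
    mimics CU2\\he\\debug with five ~3 MB chunks, plus a benign directory whose
    two files have unrelated sizes. Files are created sparse via truncate()."""
    staging = Path(base, "CU2", "he", "debug")
    staging.mkdir(parents=True)
    for i in range(1, 6):
        with open(staging / f"archive.part{i:02d}.rar", "wb") as f:
            f.truncate(3 * MB + i * 1024)  # chunks differ by a few KB, like real split archives
    benign = Path(base, "Logging", "Diagnostics")
    benign.mkdir(parents=True)
    for name, size in (("trace.log", 120 * 1024), ("big.etl", 9 * MB)):
        with open(benign / name, "wb") as f:
            f.truncate(size)
    return os.path.normpath(str(staging))


def demo():
    """Build the sample tree, run the hunt, and report
    (staging dir flagged?, number of flagged dirs, fragments in staging dir)."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = build_sample_tree(tmp)
        found = find_staged_fragments(tmp)
        return staging in found, len(found), len(found.get(staging, []))


if __name__ == "__main__":
    flagged, ndirs, nfrags = demo()
    print(f"staging dir flagged: {flagged}, directories flagged: {ndirs}, fragments: {nfrags}")
```

On a live Exchange host, point find_staged_fragments at the Exchange installation root and the IIS directories rather than a temp tree, and compare the flagged directories against a known-good inventory; legitimate content-indexing and log directories can also contain uniform-size files, so treat the result as a lead rather than a verdict.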
In early March 2021, the attackers used the Exchange vulnerabilities listed above to install at least 17 China Chopper web shells on the Exchange server.
With preparations complete, in April 2021 the attackers established persistence and began moving laterally through the network. They also used Impacket with compromised credentials and gained remote access to the organization's Exchange server via Outlook Web Access (OWA) from multiple external IP addresses.
Having reached the data they wanted, the attackers exfiltrated the collected files with CovalentStealer. This stage of the attack ran from late July to mid-October 2021.
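Two of the behaviours described above leave traces in the Exchange server's IIS logs: China Chopper web shells are driven by POST requests to an .aspx page that Exchange itself never serves as a form, and OWA logons by one account arriving from several external addresses. The following script is an added example for this article, not code from the advisory; the IIS log excerpt is constructed, the web shell file names and client IPs in it are invented for the demonstration, and the allowlist of legitimate POST targets is a hypothetical starting point that a real deployment would derive from a clean baseline.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the advisory). The field order is the
# default IIS layout, which the parser reads from the '#Fields:' header line.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-04-02 08:13:44 10.1.2.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2021-04-02 08:14:02 10.1.2.5 GET /owa/ - 443 jdoe 198.51.100.7 Mozilla/5.0 - 200 0 0 20
2021-04-02 09:20:11 10.1.2.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 12
2021-04-02 09:20:15 10.1.2.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 9
2021-04-03 22:41:50 10.1.2.5 POST /owa/auth/Current/themes/resources/lang.aspx - 443 - 192.0.2.44 Mozilla/5.0 - 200 0 0 15
2021-04-03 22:43:10 10.1.2.5 GET /owa/ - 443 jdoe 192.0.2.44 Mozilla/5.0 - 200 0 0 18
2021-04-03 22:44:05 10.1.2.5 GET /owa/ - 443 asmith 10.1.3.20 Mozilla/5.0 - 200 0 0 18
"""

# Exchange virtual directories where web shells were typically dropped after the
# 2021 Exchange exploitation, and a hypothetical allowlist of pages that legitimately
# receive POSTs (extend it from a clean server's logs before relying on it).
EXCHANGE_WEB_PATHS = ("/owa/auth/", "/ecp/", "/aspnet_client/")
KNOWN_POST_TARGETS = {"/owa/auth/logon.aspx"}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # truncated or malformed line: skip it
            continue
        yield dict(zip(fields, parts))


def suspicious_aspx_posts(records):
    """Map each unexpected .aspx page under an Exchange web path that received a
    POST to the sorted list of client IPs that posted to it (web shell candidates)."""
    hits = defaultdict(set)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not stem.endswith(".aspx"):
            continue
        if not stem.startswith(EXCHANGE_WEB_PATHS) or stem in KNOWN_POST_TARGETS:
            continue
        hits[stem].add(r["c-ip"])
    return {page: sorted(ips) for page, ips in hits.items()}


def multi_ip_owa_users(records):
    """Map each authenticated OWA user seen from two or more distinct client IPs
    to the sorted list of those IPs (the pattern reported for the compromised account)."""
    seen = defaultdict(set)
    for r in records:
        if r["cs-uri-stem"].lower().startswith("/owa") and r["cs-username"] != "-":
            seen[r["cs-username"]].add(r["c-ip"])
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) >= 2}


if __name__ == "__main__":
    print("web shell candidates:", suspicious_aspx_posts(parse_iis_log(SAMPLE_LOG)))
    print("OWA users from multiple IPs:", multi_ip_owa_users(parse_iis_log(SAMPLE_LOG)))
```

Both checks are deliberately simple so that they run over raw log files without an indexing platform; in practice, confirm each candidate page by hashing the file on disk against a known-good Exchange installation, and enrich the OWA source addresses with geolocation or VPN egress data before concluding that the account is shared with an attacker.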
CISA has also published a technical analysis of CovalentStealer. It found that the malware reuses code from two publicly available utilities: ClientUploader, used to upload compressed files, and the Export-MFT PowerShell script, used to extract the master file table (MFT) from a local volume.