Unknown adversaries breached the security of a federal agency and downloaded files that could give them knowledge on how to further infiltrate and control government systems, according to the Cybersecurity and Infrastructure Security Agency.
The malicious actors, using valid credentials, kept trying to collect more network credentials and downloaded a file that could have included schematics; CISA did not name the affected agency.
CISA detected the intrusion through its EINSTEIN program, which monitors federal networks for anomalies, and after responding, released an analysis of the incident Thursday.
It’s not entirely clear how the intruder acquired the credentials used for initial access, but the analysis says it may have been by exploiting a known vulnerability in Pulse Secure virtual private network (VPN) appliances.
The tactics, techniques and procedures involved in the intrusion are associated with high-profile foreign adversaries as well as financially motivated cyber actors, according to descriptions in MITRE ATT&CK, the knowledge base of adversary tactics and techniques maintained by the MITRE Corporation.
Last October, CISA and the National Security Agency warned that the vulnerability, CVE-2019-11510, an arbitrary file read flaw in Pulse Connect Secure that can expose cached credentials, was a prime target for advanced persistent threat actors. Though Pulse Secure released a fix in April 2019, CISA’s analysis Thursday notes the agency “has observed wide exploitation of CVE-2019-11510 across the federal government.”
After gaining initial access, the threat actor logged into a Microsoft Office 365 account and viewed and downloaded attachments in help desk emails with subject lines “Intranet access” and “VPN passwords,” despite already having privileged access.
CISA said those emails did not contain any passwords, but the intruder w ..
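The mailbox activity described above, an account that had already logged in with valid credentials pulling help-desk messages titled “VPN passwords” and “Intranet access” and downloading their attachments, is the kind of behaviour a mail-audit detection can surface. The following is an added example, not code from CISA’s analysis or from the affected agency; it assumes a simplified, constructed event schema (one JSON object per line with `user`, `client_ip`, `operation`, `subject` and `attachment` fields, which is not the real Office 365 Unified Audit Log format) and an assumed internal address space, and flags sessions from off-network addresses that touch credential-themed subjects or download attachments from them.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample events in a simplified schema (assumption: NOT the real
# Office 365 Unified Audit Log format). One JSON object per line.
SAMPLE_LOG = """
{"ts": "2020-04-01T10:02:11Z", "user": "helpdesk@agency.example", "client_ip": "10.20.30.40", "operation": "MailItemAccessed", "subject": "Printer on floor 3", "attachment": null}
{"ts": "2020-04-01T10:05:43Z", "user": "helpdesk@agency.example", "client_ip": "10.20.30.40", "operation": "MailItemAccessed", "subject": "VPN passwords", "attachment": null}
{"ts": "2020-04-01T23:14:02Z", "user": "helpdesk@agency.example", "client_ip": "198.51.100.23", "operation": "MailItemAccessed", "subject": "Intranet access", "attachment": null}
{"ts": "2020-04-01T23:14:30Z", "user": "helpdesk@agency.example", "client_ip": "198.51.100.23", "operation": "AttachmentDownloaded", "subject": "Intranet access", "attachment": "intranet-howto.docx"}
{"ts": "2020-04-01T23:15:10Z", "user": "helpdesk@agency.example", "client_ip": "198.51.100.23", "operation": "AttachmentDownloaded", "subject": "VPN passwords", "attachment": "vpn-setup.pdf"}
{"ts": "2020-04-01T23:16:00Z", "user": "helpdesk@agency.example", "client_ip": "198.51.100.23", "operation": "MailItemAccessed", "subject": "Lunch menu", "attachment": null}
"""

# Assumed internal address space; anything outside it is treated as off-network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Subject words an intruder hunting for access material tends to look for.
CREDENTIAL_PATTERN = re.compile(
    r"\b(vpn|password|passwd|credential|intranet|token|mfa)\b", re.I)


def is_internal(ip):
    """True if the client address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def credential_hunting_sessions(events, threshold=2):
    """Group events by (user, client_ip); flag off-network sessions that read
    at least `threshold` credential-themed messages or downloaded an
    attachment from one. Internal sessions are ignored to keep help-desk
    staff doing their normal work out of the alert stream."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["user"], ev["client_ip"])].append(ev)

    alerts = []
    for (user, ip), evs in sessions.items():
        if is_internal(ip):
            continue
        hits = [e for e in evs if CREDENTIAL_PATTERN.search(e.get("subject") or "")]
        downloads = [e["attachment"] for e in hits
                     if e["operation"] == "AttachmentDownloaded"]
        if len(hits) >= threshold or downloads:
            alerts.append({
                "user": user,
                "client_ip": ip,
                "hits": len(hits),
                "downloads": downloads,
                "first_seen": min(e["ts"] for e in evs),
            })
    return alerts


if __name__ == "__main__":
    for alert in credential_hunting_sessions(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

In the constructed sample the daytime internal session that opened one “VPN passwords” message is ignored, while the late-night session from 198.51.100.23 is reported with three credential-themed hits and two attachment downloads. With valid credentials in play, the off-network source and the subject pattern are the signal; a real deployment would add the mailbox owner’s usual client IPs and user agents as the baseline instead of a fixed internal range.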