Russian State-Sponsored Hackers Breached US Think Tank Thrice in a Row



An advanced hacking group believed to be working for the Russian government has compromised the internal network of a think tank in the U.S. three times.


Incident responders from cybersecurity company Volexity, who investigated the attacks between late 2019 and July 2020, named the threat actor Dark Halo, a versatile adversary capable of quickly switching to different tactics and techniques to carry out long-term, stealthy operations.


In one attack, Dark Halo leveraged a newly disclosed vulnerability for the Microsoft Exchange server that allowed them to bypass multi-factor authentication (MFA) defenses against unauthorized email access.


In another, the actor used a trojanized update for SolarWinds’ network and application monitoring platform Orion, the same supply-chain compromise that enabled the breach of cybersecurity company FireEye and several U.S. government networks.


Bypassing Duo’s authentication challenge


When investigating the first incident, Volexity discovered that the attacker used “multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years.”


Dark Halo primarily used living-off-the-land utilities in weekly operations, aiming to extract emails from select individuals (executives, policy experts, IT staff). The attacker deployed malware and tools only when they had no choice.



“Dark Halo did use malware and red-teaming tools but largely only for specific one-time tasks as a fallback mechanism when other avenues of access were cut off” - Volexity



After being kicked out of the victim's network the first time, Dark Halo found their way back by exploiting a remote code execution vulnerability in the on-premises Microsoft Exchange server.


The flaw, tracked as CVE-2020-0688, had rec ..
