SafeBreach Coverage for US-CERT Alert (AA22-277A) – Use of Impacket and CovalentStealer to Steal Sensitive Data

Oct 5, 2022


Author: Kaustubh Jagtap, Product Marketing Director, SafeBreach

On October 4, 2022, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on malicious cyber activity by unknown advanced persistent threat (APT) actors against the enterprise network of a Defense Industrial Base (DIB) organization. According to the information available, the intrusion began in 2021, when the APT actors got past the network defenses and gained access to the network, and they retained that access until mid-January 2022. Additional details about these threat actors and their associated tactics, techniques, and procedures (TTPs) are available in US-CERT Alert (AA22-277A), Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Additional Technical Details

According to the advisory, the threat actors used Impacket, an open-source collection of Python classes and scripts for working with Windows network protocols such as SMB and MSRPC, to gain an initial foothold within the DIB's enterprise network and to compromise it further. They also used a custom data exfiltration tool called CovalentStealer to steal sensitive information from the DIB's network. Below are additional details about the compromise and data theft:

  • Some threat actors gained initial access to the DIB's Microsoft Exchange Server as early as January 2021. During this initial reconnaissance, they gathered information about the Exchange environment and performed mailbox searches to locate sensitive data.

  • In January and February 2021, they used a previously compromised administrator account, “Admin 1,” to access the Exchange Web Services (EWS) API.

  • During the same period, they used Windows Command Shell to interact with the DIB’s network. This ..
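The page does not say which Impacket scripts the actors ran, but one of the toolkit's remote-execution scripts, wmiexec.py, leaves a distinctive process-creation footprint: it launches cmd.exe with /Q /c under the WMI provider host (WmiPrvSE.exe) and redirects the command's output to a file named __<unix time> on an admin share (ADMIN$ by default, changeable with -share), which it then reads back over SMB. The following detector is an added example for defenders triaging this advisory; it is not SafeBreach's, CISA's, or Impacket's code. The log lines are constructed, not from the incident, and use a simplified key=value rendering of a Sysmon Event ID 1 (process creation) record; the hostnames, account names and field names are assumptions.

```python
"""Hunt process-creation events for Impacket wmiexec-style command execution.

Added illustrative example; not code from the page, SafeBreach, CISA or
Impacket. Sample events are constructed and use a simplified key=value
form of a Sysmon Event ID 1 record (field names are assumptions).
"""
import re
from dataclasses import dataclass


# wmiexec.py runs each command through cmd.exe, redirects stdout and stderr to
# a file named "__<unix time>" on an admin share (ADMIN$ unless -share is used)
# and reads it back over SMB, so the command line looks like:
#   cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1642000000.45 2>&1
SHARE_REDIRECT = re.compile(
    r"1>\s*\\\\[\w.-]+\\\w+\$\\__\d+(\.\d+)?\s+2>&1", re.IGNORECASE
)
# "/Q /c" (echo off, run one command and exit) is the switch pair wmiexec passes.
QUIET_SWITCHES = re.compile(r"cmd(\.exe)?\s+/Q\s+/c\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    command_line: str
    reasons: tuple


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (constructed log format)."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def assess(event):
    """Return the reasons an event looks like wmiexec; empty list if benign."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    reasons = []
    if SHARE_REDIRECT.search(cmd):
        reasons.append("output redirected to <share>\\__<timestamp> (wmiexec output file)")
    if QUIET_SWITCHES.search(cmd) and parent.endswith("\\wbem\\wmiprvse.exe"):
        reasons.append("cmd.exe /Q /c spawned by WmiPrvSE.exe (remote WMI execution)")
    return reasons


def hunt(lines):
    """Run assess() over raw log lines and collect the suspicious ones."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append(Finding(
                host=event.get("Computer", "?"),
                user=event.get("User", "?"),
                parent=event.get("ParentImage", "?"),
                command_line=event.get("CommandLine", ""),
                reasons=tuple(reasons),
            ))
    return findings


# Constructed sample events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    # Benign: a user opens a shell from Explorer.
    "Computer=WS01|User=CORP\\jsmith|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe",
    # Benign: WMI provider host runs an inventory query; no /Q and no share redirect.
    "Computer=SRV02|User=NT AUTHORITY\\SYSTEM"
    "|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c wmic os get caption",
    # Suspicious: the classic wmiexec shape under WmiPrvSE.exe (two indicators).
    "Computer=EXCH01|User=CORP\\svc-admin"
    "|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1642000000.45 2>&1",
    # Suspicious: same output-file redirect via -share C$, different parent (one indicator).
    "Computer=FS03|User=CORP\\svc-backup"
    "|ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /Q /c dir C:\\Users 1> \\\\127.0.0.1\\C$\\__1642000100.01 2>&1",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.command_line}")
        for r in f.reasons:
            print("   -", r)
```

Two caveats for anyone turning this into a production rule: the share name and the shell are operator-configurable and Impacket is trivially modified, so the command-line match is one signal rather than proof, and it is worth pairing it with a file-create or SMB-write alert for `__<digits>` files on administrative shares. The second benign sample is there to show why the WmiPrvSE.exe parent alone is not enough: legitimate WMI-driven scripts also spawn cmd.exe from that host process.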
