Oct 5, 2022
SafeBreach Coverage for US-CERT Alert (AA22-277A) – Use of Impacket and CovalentStealer to Steal Sensitive Data
Author: Kaustubh Jagtap, Product Marketing Director, SafeBreach
On October 4, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory highlighting malicious cyber activity by unknown advanced persistent threat (APT) actors against a Defense Industrial Base (DIB) organization’s enterprise network. According to the information available, the intrusion began in 2021, when the APT actors breached the organization’s network defenses and gained access to its network, and they retained that access until mid-January 2022. Additional details about these threat actors and their associated tactics, techniques, and procedures (TTPs) are available in US-CERT Alert (AA22-277A) Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.
Additional Technical Details
According to the advisory, the threat actors used the open-source Impacket toolkit to gain an initial foothold within the DIB organization’s enterprise network and to compromise it further. They also leveraged a custom data exfiltration tool called CovalentStealer to steal sensitive information from the DIB networks. Below are additional details about the compromise and data theft:
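Impacket is a library, not a single binary, so the foothold activity the advisory describes is most reliably spotted through the command-line artefacts its example scripts leave on the target. The detection below is an added example written for this post; it is not SafeBreach code and not part of the advisory. It keys on the launch template that Impacket’s wmiexec.py uses by default: the command is started by the WMI provider host (WmiPrvSE.exe) as `cmd.exe /Q /c <command>` with output redirected to a file named `__<timestamp>` under the `ADMIN$` share of 127.0.0.1, which the operator then reads back over SMB. The loopback address and share name are wmiexec.py defaults and an operator can change the share, so treat a match as a strong indicator rather than proof. The process-creation events, field names and host names are constructed for the example.

```python
"""Flag process-creation events that match Impacket wmiexec.py's default
launch template. Added example, not code from SafeBreach or the advisory.

wmiexec.py executes each command on the remote host through WMI's
Win32_Process.Create as

    cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-timestamp> 2>&1

so the parent process is WmiPrvSE.exe and the command line carries a
redirect to __<digits> on the loopback ADMIN$ share. Both details are
Impacket defaults, not something a legitimate WMI-launched job produces.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Redirect of stdout and stderr to \\127.0.0.1\ADMIN$\__<time.time()>.
# time.time() is a float, hence the optional fractional part.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# Quiet (/Q) one-shot (/c) cmd.exe invocation used by wmiexec.py.
WMIEXEC_SHELL = re.compile(r"cmd\.exe\s+/Q\s+/c\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal view of a Windows process-creation event (e.g. 4688)."""
    host: str
    parent_image: str
    command_line: str


def is_wmiexec_pattern(event: ProcessEvent) -> bool:
    """True when the event matches the wmiexec.py launch template."""
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    cmd = event.command_line
    return (
        parent == "wmiprvse.exe"
        and WMIEXEC_SHELL.search(cmd) is not None
        and WMIEXEC_REDIRECT.search(cmd) is not None
    )


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (host, command_line) for every event that matches."""
    return [(e.host, e.command_line) for e in events if is_wmiexec_pattern(e)]


# Constructed sample events (hypothetical hosts, not from the advisory).
SAMPLE_EVENTS = [
    # wmiexec.py running "whoami": WMI provider host parent plus the
    # loopback ADMIN$ redirect.
    ProcessEvent(
        host="WS01",
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        command_line=r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1664899215.0823135 2>&1",
    ),
    # Interactive user running a quiet cmd: right switches, wrong parent,
    # no redirect.
    ProcessEvent(
        host="WS02",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"cmd.exe /Q /c ipconfig /all",
    ),
    # Legitimate WMI-launched job: right parent, but no wmiexec redirect.
    ProcessEvent(
        host="WS03",
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        command_line=r'C:\Windows\system32\cmd.exe /c "dir C:\"',
    ),
]

if __name__ == "__main__":
    for host, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: possible Impacket wmiexec.py activity: {cmd}")
```

Run against real telemetry, feed `scan` the parent image and command line from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled); the `__<timestamp>` file itself also appears briefly in `C:\Windows` and can be hunted for on disk or in file-creation telemetry.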