US Federal Agency Compromised by Cyber-Actor
A warning has been issued by America's Cybersecurity and Infrastructure Security Agency (CISA) after a malicious cyber-actor compromised a United States federal agency.
The attacker used valid log-in credentials for multiple users’ Microsoft Office 365 accounts and domain administrator accounts to gain access to the agency's enterprise network. Once inside, the bad actor infected the network with sophisticated malware.
"By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall," said CISA in a statement released yesterday.
CISA was alerted to a potential compromise of a federal agency's network via EINSTEIN, an intrusion detection system that monitors federal civilian networks.
Malicious activity was confirmed during an investigation launched by CISA in conjunction with the affected agency.
Investigators found the threat actor logged into a user's Office 365 account remotely, then browsed pages on a SharePoint site and downloaded a file. The threat actor then connected multiple times by Transmission Control Protocol to the victim organization’s virtual private network (VPN) server.
“Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” stated CISA.
The cyber-criminal copied files and exfiltrated the data via a Microsoft Windows Terminal Services client. The intruder also created a backdoor, indicating that further attacks were planned.
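As an added defender-side illustration (not part of the CISA statement or this article), the following Python check flags a burst of the enumeration tools named in the quoted statement when several distinct ones run from the same host and user within a short window. The log line format and the sample events are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance binaries named in the CISA statement quoted above.
RECON_TOOLS = {"conhost.exe", "ipconfig.exe", "net.exe", "query.exe",
               "netstat.exe", "ping.exe", "whoami.exe", "plink.exe"}

# Constructed sample process-creation events (not real agency logs):
# "<ISO timestamp> <host> <user> <image path>"
SAMPLE_EVENTS = """\
2020-09-24T10:02:11 WS01 corp\\jdoe C:\\Windows\\System32\\whoami.exe
2020-09-24T10:02:13 WS01 corp\\jdoe C:\\Windows\\System32\\ipconfig.exe
2020-09-24T10:02:20 WS01 corp\\jdoe C:\\Windows\\System32\\net.exe
2020-09-24T10:02:31 WS01 corp\\jdoe C:\\Windows\\System32\\netstat.exe
2020-09-24T10:03:05 WS01 corp\\jdoe C:\\Users\\jdoe\\Downloads\\plink.exe
2020-09-24T10:15:00 WS02 corp\\asmith C:\\Windows\\System32\\ping.exe
2020-09-24T11:40:00 WS02 corp\\asmith C:\\Windows\\System32\\ipconfig.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_events(text):
    """Parse the constructed log format into (timestamp, host, user, image name) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole scan
        ts, host, user, image = m.groups()
        name = image.rsplit("\\", 1)[-1].lower()  # keep only the executable name
        events.append((datetime.fromisoformat(ts), host, user, name))
    return events

def find_enumeration_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Return {(host, user): [tools]} for actors that ran >= min_distinct different
    recon tools within `window`; isolated single commands are not flagged."""
    by_actor = defaultdict(list)
    for ts, host, user, name in sorted(events):
        if name in RECON_TOOLS:
            by_actor[(host, user)].append((ts, name))
    hits = {}
    for actor, runs in by_actor.items():
        for i, (start, _) in enumerate(runs):  # slide the window over each start point
            seen = {name for ts, name in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits[actor] = sorted(seen)
                break
    return hits
```

On the sample data only the WS01/jdoe sequence is flagged; the two commands on WS02 are more than an hour apart and stay below the threshold.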
CISA analysts were not able to determin ..