APTs compromised defense contractor with Impacket tools

A CISA alert warned that APT actors compromised a defense contractor's Microsoft Exchange server and used Impacket, an open source Python toolkit, to move laterally in the network.

The Cybersecurity and Infrastructure Security Agency warned enterprises of an attack it observed from advanced persistent threat actors against a defense contractor beginning last year.

In an alert Tuesday, CISA revealed it conducted incident response from November 2021 through last January on a defense industrial base (DIB) sector organization's network. While the initial access vector remains unknown, CISA discovered APT actors used Impacket, an open source Python toolkit, to move laterally across systems and installed China Chopper web shells to act as backdoors.

Though the attackers successfully compromised the DIB network and stole sensitive data using a custom exfiltration tool called CovalentStealer, the techniques didn't appear to be elaborate and could pose a potential risk to other enterprises. Impacket is a legitimate open source toolkit, for example, and there is no indication that any zero-day vulnerabilities were exploited.

Katie Nickels, director of intelligence at security vendor Red Canary, said adversaries favor Impacket because it allows them to retrieve credentials, issue commands, move laterally and deliver malware.

"Impacket regularly makes the Red Canary 'top 10' list of threats observed in customer environments -- in September, it was fourth most prevalent threat we observed," Nickels said in an email to TechTarget Editorial. "While Impacket is fairly easy to detect, it can be challenging to determine if the activity is malicious or benign without additional context."

Nickels added that approximately one third of the Impacket detections in 2021 were from confirmed testing.

CISA said it's "likely" that multiple APT groups compromised the unnamed defense contractor beginning in January 2021 when threat actors gained access to the DIB's Microsoft Exchange server. While the initial access vector is unclear, the APT actors used a compromised admin account and Windows command shells to shore up their control of the email server and eventually used Impacket tools, wmiexec.py and smbexec.py, to move laterally within the DIB's environment.

Another familiar tactic CISA noted was the use of VPNs to "conceal interaction with victim networks." In this case, the APT actors used M247 and SurfShark to remotely access the Microsoft Exchange Server, an attack surface that was widely abused last year.

Microsoft Exchange connection

Microsoft Exchange servers have been under attack lately, most recently last week when researchers discovered two zero-day vulnerabilities were being exploited in the wild. It was reminiscent of the emergency patches released in early March 2021 after a set of four zero-day vulnerabilities, dubbed ProxyLogon, were also exploited before being disclosed and patched.

Around the same time, APT actors exploited the ProxyLogon vulnerabilities on the DIB's Exchange server, though it's unclear if these actors were the same group that compromised the email server in January 2021.

"In early March 2021, APT actors exploited CVE-2021-26844, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 to install 17 China Chopper web shells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems," CISA wrote in the advisory.

The breach of the unnamed defense contractor overlaps with exploitation activity of ProxyLogon in early 2021. Several security vendors detected China Chopper web shells, which were also used in the DIB attack, on organizations that were compromised using ProxyLogon exploits. The government eventually attributed the initial ProxyLogon activity to Hafnium, a Chinese nation-state APT group, though other threat groups also exploited the flaws for later attacks.

It's unclear what APT groups were involved in the DIB attack. TechTarget Editorial contacted CISA for further comment on the events, but the agency declined.

In response to the attacker's persistent presence on the DIB network, which lasted through mid-January 2022, CISA urged other defense contractors and critical infrastructure organizations to implement detection, mitigation and remediation steps. Monitoring network connections for VPNs and suspicious account activity plays a large role in preventing those prolonged dwell times, the agency said, while implementing network segmentation can stop the threat actors from moving laterally.

CISA also recommended limiting the number of remote access tools in use and what those tools can access. For vulnerabilities, the alert reminded organizations to prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution.

Dig Deeper on Network security