CyberWire Daily - CISA Alert AA22-277A – Impacket and exfiltration tool used to steal sensitive information from defense industrial base organization.
Episode Date: October 4, 2022From November 2021 through January 2022, the CISA responded to APT activity against a Defense Industrial Base organization’s enterprise network. During incident response activities, CISA discovered ...that multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data. AA22-277A Alert, Technical Details, and Mitigations CISA Cyber Hygiene Services Malware Analysis Report (MAR)-10365227-1.stix MAR-10365227-2.stix MAR-10365227-3.stix CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
This is a CISA cybersecurity alert.
ID number Alpha Alpha two two tech two seven seven Alpha.
Original release date, October 4th, 2022.
Alpha. Original release date, October 4th, 2022.
From November 2021 through January 2022, CISA responded to APT activity against a defense industrial-based organization's enterprise network. During incident response activities,
CISA discovered that multiple APT groups compromised the organization's network,
and some APT actors had long-term access to the environment.
APT actors used an open-source toolkit called Impacket
to gain their foothold within the environment and further compromise the network,
and also used a custom data exfiltration tool, Covalent Stealer,
to steal the victim's sensitive data.
Impacket uses Windows Management Instrumentation and Server Message Block protocol to create
a semi-interactive shell within the target device.
Through the command shell, an Impacket user with credentials can run commands on the remote
device using the Windows Management protocols required to support an enterprise network.
Covalent Stealer is designed to identify file shares on a system, categorize the files,
and upload the files to a remote server.
Covalent Stealer includes two configurations that target the victim's documents using
predetermined file paths and user credentials.
Covalent Stealer stores the collected files on a Microsoft OneDrive Cloud folder.
The alert documentation listed in the show notes provides the APT actor's tactics,
techniques, and procedures and IOCs for the threat activity.
The alert documentation also includes detection and mitigation actions to help organizations prevent this APT activity.
CISA, FBI and NSA recommend defense industrial-based organizations implement the mitigations listed in this alert to ensure they are managing and reducing the impact of cyber threats to their networks.
CISA, FBI and NSA acknowledge Mandiant for its contributions to this alert.
To report incidents in anomalous activity or to request incident response resources or technical assistance,
contact CISA at report at cisa.gov or call 888-282-0870 or report incidents to your local FBI field office.
This report was written by CISA,
the United States Cybersecurity and Infrastructure Security Agency,
and edited and adapted for audio by the Cyber Wire as a public service.
Please visit www.cisa.gov to read the full report,
which may include additional details, links, and illustrations.
A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.