US military contractor hacked through Microsoft Exchange vulnerabilities, custom exfiltration tools

The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory, admitting that numerous threat actors maintained long-term access to a military industrial facility's IT environment.

The October 4 advisory described advanced persistent threat (APT) activity on a “Defense Industrial Base (DIB) Sector organisation’s enterprise network". CISA first responded to the threat in November 2021, but the earliest activity by the APT actors is believed to have started in January 2021.

APT groups are typically, but not always, linked to nation-states or state-sponsored hackers. They are characterised as threat actors that use sophisticated methods to continuously and surreptitiously gain access to systems, usually for long periods of time.

Attackers used a number of widely exploited and known vulnerabilities in Microsoft Exchange, such as CVE-2021-27065 and CVE-2021-26858, to install malicious China Chopper web shells on the company’s Exchange server. This established backdoor access to the server without the need to connect it to any command and control (C2) infrastructure.

China Chopper has seen a surge in popularity having been spotted in numerous attacks throughout the year. Microsoft reported in July that it was being used in conjunction with internet information services (IIS) modules to establish backdoors in organisations.

After the initial access to the system had been established, APT actors used the Windows command shell to explore the firm’s network environment and manually exfiltrate files. They also installed a Python toolkit called Impacket, used to establish and alter network protocols, in order to obtain access to another system on the network.

Through Impacket, users with access to administrator credentials can run commands remotely using Windows enterprise network management. The APT actors used Impacket to gain control of a service account used across devices on the DIB’s network.

Activity of the APT actors within the network is especially notable due to the time they went undetected, as well as for the use of a custom exfiltration tool known as CovalentStealer.

The tool is tailor-made to categorise sensitive files and upload them to a remote OneDrive cloud folder, encrypted using a 256-bit AES key.

The initial access vector remains a mystery, according to the advisory, and attackers used virtual private networks (VPNs) to obscure their origin at all times.

Authorities also said the APT actors abused access to escalate attacks. A device domain account used for managing the firm’s Microsoft Exchange server was used, alongside a compromised account of a former employee to access the Microsoft Exchange Web Services (EWS) for the organisation.

CISA, FBI and NSA have warned organisations to carefully monitor logs for unusual VPN activity, carefully observe administrator account use, and make sure that the command line is not being used for suspicious activity.

Any affected companies are urged to contact the relevant authorities, reset all accounts in anticipation of stolen credentials, and police strict multi-factor authentication (MFA) for all user accounts.