Feds share methods, mitigations – MeriTalk

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have issued an advisory this week detailing how multiple nation-state hacking groups potentially targeted the corporate network of a Defense Industrial Base (DIB) sector organization as part of a cyber espionage campaign.

The joint advisory explains that the hacking groups used the open source toolkit, Impacket, to gain a foothold in the environment, and the data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

CISA observed the attacks between November 2021 and January 2022. They did not identify the victim organization.

“During incident response activities, CISA discovered that several [advanced persistent threat (APT)] groups have compromised the organization’s network and some APT players have had long-term access to the environment,” the notice read.

Some APT actors reportedly gained initial access to the organization’s Microsoft Exchange server as early as mid-January 2021. Later, they returned and used a command shell to learn more about the organization’s environment and to collect sensitive data before deploying two Impacket tools.

“In April 2021, APT actors used Impacket for network exploitation activities,” the notice reads. “From late July to mid-October 2021, APT actors used a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files.”

Security agencies have recommended that organizations monitor logs for connections from unusual virtual private networks, use of suspicious accounts, anomalous and known malicious command line use, and unauthorized changes to user accounts.
