A report by the US Government’s lead cybersecurity agency finds plenty of unlocked doors following the compromise of an unnamed federal agency.
An analysis of a recent hack of an unnamed federal agency suggests that the intrusion may have started with the exploitation of a known flaw in the Pulse VPN server.
The attack on the agency gave criminal hackers access to a wide range of systems and may have resulted in the theft of data from the federal government, according to an analysis by the Cybersecurity and Infrastructure Security Agency (CISA), which was published on Thursday.
[Want to learn more about how QOMPLX can help your company spot lateral movement and avoid damaging attacks? Contact our Sales team.]
The attack on the unnamed agency caught CISA's attention after an alert from EINSTEIN, an intrusion detection system that monitors federal civilian networks. In the report based on its investigation of the intrusion, CISA provides a detailed account of the tactics and procedures used by the malicious actors, who were able to obtain credentials for multiple agency users' Microsoft Office 365 accounts in the course of the breach.
Root Cause: A 16 Month Old Vulnerability?
CISA said it was not able to determine how the threat actor initially gained the credentials needed to access the agency's network. But the report said that exploitation of an unpatched agency Pulse Secure VPN server may be the cause. That flaw was patched in April 2019, and DHS warned federal agencies at the time to change their Pulse Secure VPN account passwords and update Pulse VPN servers. Still, CISA has observed wide exploitation of the flaw, CVE-2019-11510, across the federal government, according to the report.
Tripping the Office Fantastic
After initial access, CISA's analysis found that the threat actor used their access to the agency's Office 365 deployment to conduct reconnaissance within the compromised environment: logging into an O365 account remotely and viewing and downloading help desk email attachments with terms like “Intranet access” and “VPN passwords” in the subject line.
The attacker also engaged in account manipulation to maintain persistence: enumerating the Active Directory and Group Policy key and changing a registry key for the Group Policy. Subsequent to that, the attacker used Microsoft Windows command line processes to enumerate the compromised system and do network discovery.
Anti-Malware Defeated, Malware Deployed
With access to the agency's network, the attacker ran through the APT playbook: obtaining local administrator permissions on compromised systems and establishing a Secure Shell (SSH) tunnel and reverse SOCKS proxy to connect to a remote server under the attacker's control. Port forwarding was used to establish connections from the remote server port 39999 to the victim file server through port 8100 on a daily basis. Still, despite the highly suspicious port traffic, the compromise went undetected.
According to CISA's write-up, the attackers deployed a range of info-stealing malware and remote access tools, including ShellExperienceHost.exe and the dropper malware inetinfo.exe. Despite the presence of host-based anti-malware protections, attackers were able to escape quarantine. While the exact methodology used for doing so is unclear, CISA analysts observed the cyber threat actor accessing the anti-malware product’s software license key and installation guide, followed by a visit to a directory used by the product for temporary file analysis. Subsequent to those events "the cyber threat actor was able to run inetinfo.exe in the agency's environment."
Data Theft a Goal
The goal of the attack appears to have been data exfiltration. The CISA report lists a number of apparently successful efforts to steal data from the compromised environment. Among other things, the attackers were observed copying files from a compromised user’s home directory to a locally mounted remote share they used as a staging site.
CISA analysts also observed the cyber threat actor steal data from an account directory and file server directory using tsclient, a Microsoft Windows Terminal Services client.
Finally, two compressed Zip files were created with several files and directories on them. These were likely exfiltrated as well, though CISA could not confirm that from their post mortem.
Low Hanging Fruit
While attacks on U.S. federal agencies like this are often chalked up to so-called "Advanced Persistent Threat" (APT) and sophisticated nation-state hackers, there is nothing sophisticated about the incident CISA describes. Rather, the attackers appear to have taken advantage of favorable conditions and picked mostly low hanging fruit.
That would start with exploitation of a critical, 15-month-old vulnerability in the Pulse Secure VPN server that allowed remote, unauthenticated file retrieval from vulnerable VPN servers, assuming CISA's guess is correct that the hole played a role in the initial compromise.
The agency in question also missed a wide range of warning lights and red flags that might have tipped them off to an intrusion. Those include unusual open ports like port 8100; large, periodic outbound file transfers; and unexpected outbound traffic using protocols like SSH, SMB and RDP.
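The red flags listed above, together with the daily port-forwarding pattern described earlier, can be expressed as a simple review of network flow records. The following is an added example, not code from CISA or QOMPLX; the flow record layout, the 10.0.0.0/8 internal range, the port allowlist, the size threshold and every sample record are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
EXPECTED_PORTS = {25, 53, 80, 443}              # assumed boundary allowlist
REMOTE_ADMIN = {22: "SSH", 445: "SMB", 3389: "RDP"}
LARGE_BYTES = 100 * 1024 * 1024                 # assumed "large transfer" threshold
MIN_DAYS = 3                                    # distinct days that count as periodic

# Constructed sample flows: time,src,dst,dst_port,bytes_sent_by_src
SAMPLE_FLOWS = """\
2020-07-01T02:00:04,10.0.5.20,203.0.113.7,22,48211
2020-07-02T02:00:06,10.0.5.20,203.0.113.7,22,51877
2020-07-03T02:00:03,10.0.5.20,203.0.113.7,22,262144000
2020-07-01T02:01:10,203.0.113.7,10.0.5.20,8100,9120
2020-07-02T02:01:12,203.0.113.7,10.0.5.20,8100,8844
2020-07-03T02:01:09,203.0.113.7,10.0.5.20,8100,9302
2020-07-02T09:15:40,10.0.7.31,198.51.100.24,443,73400
2020-07-02T11:02:17,10.0.7.31,10.0.5.20,445,150000000
"""

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def review_flows(text):
    """Map (src, dst, port) to the sorted list of red flags it raised."""
    reasons, days = defaultdict(set), defaultdict(set)
    for ts, src, dst, port, nbytes in csv.reader(io.StringIO(text)):
        port, nbytes = int(port), int(nbytes)
        outbound, dst_in = is_internal(src), is_internal(dst)
        if outbound == dst_in:
            continue                      # only flows that cross the boundary
        key = (src, dst, port)
        days[key].add(ts[:10])            # calendar day, for periodicity
        if outbound and port in REMOTE_ADMIN:
            reasons[key].add(f"outbound {REMOTE_ADMIN[port]}")
        elif port not in EXPECTED_PORTS:
            reasons[key].add("unusual port")
        if outbound and nbytes >= LARGE_BYTES:
            reasons[key].add("large outbound transfer")
    for key in reasons:
        if len(days[key]) >= MIN_DAYS:
            reasons[key].add("recurs daily")
    return {k: sorted(v) for k, v in reasons.items()}

if __name__ == "__main__":
    for flow, flags in review_flows(SAMPLE_FLOWS).items():
        print(flow, flags)
```

The internal range is checked explicitly because Python's is_private also returns True for documentation ranges such as 203.0.113.0/24, which would hide the external endpoint in this sample.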
Basic protections and security hygiene may have also blunted the attack. Those include the use of multi-factor authentication to secure administrator and other privileged accounts, additional controls for remote access through RDP, and implementation of user "least privilege" for data access. The impact from the initial breach could certainly have been minimized if the victim agency had better detections in place for lateral movement through credential abuse.