DecryptedTech

Friday, 19 August 2022

Joint Advisory from the NSA, FBI and CISA Warns of Long-Term Attack by State Actors with Little Detail.



Life would not be the same without news popping up that one state-level threat actor or another was attacking and compromising US defense contractors or other businesses linked to US national security and defense. The countries of origin for these actors become a blur over time, although you do see some highlighted depending on current political trends. The two most often bandied about are Russia and China, with North Korea getting an honorable mention.

The latest in the “seems about right” news is that apparent state-sponsored threat actors that have been attributed to Russia have been targeting US cleared defense contractors (CDCs) since around the start of the pandemic in January 2020. This is according to a joint advisory from the FBI, NSA and CISA. The trio say that the threat actors in question targeted CDCs that cover a wide breadth of critical systems for US defense. The advisory is a bit vague on which actors they think are behind these well documented attacks (vague as in not listing anyone).

According to the advisory, the attackers used common methods to gain entry and abused several well-known vulnerabilities that were present on unpatched systems. The vulnerabilities included ones present in on-prem devices as well as in cloud infrastructure with Microsoft’s Exchange seeming to be heavily targeted. The campaigns harvested credentials (as usual) so that they could access sensitive data as well as collect emails. According to the advisory the threat actors also changed tactics as vulnerabilities were patched (once they had a foothold) to ensure their continued presence in the targeted systems.

Really the advisory describes just about any attack campaign with little to no details on actual TTPs other than generic stuff such as MITRE ATT&CK mapping. Even the procedures are not overly specific.

Brute force techniques to identify valid account credentials for domain and M365 accounts, then using those credentials to gain initial access to networks.
Spearphishing emails with links to malicious domains, including methods and techniques meant to bypass virus and spam scanning tools.
Using harvested credentials in conjunction with known vulnerabilities to escalate privileges and gain remote code execution on exposed applications.
Mapping Active Directory and connecting to domain controllers, which would enable credentials to be exfiltrated.
Maintaining persistent access, in multiple instances for at least six months, which is likely because the threat actors relied on possession of legitimate credentials enabling them to pivot to other accounts.
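A defender's view of the first item in that list, as an added example that is not from the advisory or the original article: it flags a successful sign-in from a source that has just failed against several different accounts. The record layout, thresholds, account names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (time, source IP, account, result); not real log data.
SAMPLE_EVENTS = [
    ("2022-08-19T00:00:00", "192.0.2.9", "alice", "FAILURE"),
    ("2022-08-19T00:00:20", "192.0.2.9", "bob", "FAILURE"),
    ("2022-08-19T00:00:40", "192.0.2.9", "carol", "FAILURE"),
    ("2022-08-19T00:01:00", "192.0.2.9", "dave", "FAILURE"),
    ("2022-08-19T02:00:05", "198.51.100.7", "alice", "FAILURE"),
    ("2022-08-19T02:00:40", "198.51.100.7", "bob", "FAILURE"),
    ("2022-08-19T02:01:10", "198.51.100.7", "carol", "FAILURE"),
    ("2022-08-19T02:01:45", "198.51.100.7", "dave", "FAILURE"),
    ("2022-08-19T02:05:00", "203.0.113.20", "erin", "FAILURE"),
    ("2022-08-19T02:05:30", "203.0.113.20", "erin", "FAILURE"),
    ("2022-08-19T02:06:00", "203.0.113.20", "erin", "SUCCESS"),
    ("2022-08-19T02:10:00", "198.51.100.7", "carol", "SUCCESS"),
    ("2022-08-19T03:00:00", "192.0.2.9", "dave", "SUCCESS"),
]


def find_spray_then_success(events, min_accounts=4, window=timedelta(minutes=30)):
    """Return (source, account, time) for every successful sign-in preceded,
    within `window`, by failures against at least `min_accounts` distinct
    accounts from the same source."""
    failures = defaultdict(list)  # source -> [(time, account)]
    hits = []
    # ISO-8601 timestamps sort chronologically as plain strings.
    for ts, src, account, result in sorted(events):
        now = datetime.fromisoformat(ts)
        if result == "FAILURE":
            failures[src].append((now, account))
            continue
        # Distinct accounts this source failed against inside the window.
        recent = {a for t, a in failures[src] if now - t <= window}
        if len(recent) >= min_accounts:
            hits.append((src, account, ts))
    return hits


if __name__ == "__main__":
    for src, account, ts in find_spray_then_success(SAMPLE_EVENTS):
        print(f"{ts} {src} signed in as {account} after failing against many accounts")
```

A user who mistypes their own password (203.0.113.20) is not flagged, and a success long after the failures (192.0.2.9) only appears if the window is widened.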

If organizations with the level of clearance and access that these groups should have are still vulnerable to these types of attacks, or do not have proper controls in place to stop them, we have a much bigger issue in terms of national security. The recommendation from this advisory is pretty much a list of things that should already be in place anyway. I can sum up the advisory for you:

Ensure you are using proper security controls. Threat actors, including state-sponsored ones, are always trying to get into your environment. If you are not already exceeding best practices and working on an active security culture in your environment, do it by yesterday.
