The cyber threat actor then attempted multiple times to connect to virtual private server (VPS) IP 123 through a Windows Server Message Block (SMB) client. Immediately afterward, the threat actor used common Microsoft Windows command line processes- conhost, ipconfig, net, query, netstat, ping, and whoami, plink.exe-to enumerate the compromised system and network ( Command and Scripting Interpreter, System Network Configuration Discovery ). The actor enumerated the Active Directory and Group Policy key and changed a registry key for the Group Policy ( Account Manipulation ). (Note: these emails did not contain any passwords.) The actor logged into the same email account via Remote Desktop Protocol (RDP) from IP address 207.220.13 ( External Remote Services ). CISA has observed wide exploitation of CVE-2019-11510 across the federal government.Īfter initial access, the threat actor performed Discovery by logging into an agency O365 email account from 91.219.236166 and viewing and downloading help desk email attachments with “Intranet access” and “VPN passwords” in the subject line, despite already having privileged access (Email Collection, Unsecured Credentials: Credentials In Files ). In April 2019, Pulse Secure released patches for several critical vulnerabilities-including CVE-2019-11510, which allows the remote, unauthenticated retrieval of files, including passwords. It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability-CVE-2019-11510-in Pulse Secure ( Exploitation for Credential Access ). The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 123 to the victim organization’s virtual private network (VPN) server ( Exploit Public-Facing Application ).ĬISA analysts were not able to determine how the cyber threat actor initially obtained the credentials. First the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236166 and then browsed pages on a SharePoint site and downloaded a file ( Data from Information Repositories: SharePoint ). The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts, which they leveraged for Initial Access to the agency's network ( Valid Accounts ). The following information is derived exclusively from the incident response engagement and provides the threat actor’s tactics, techniques, and procedures as well as indicators of compromise that CISA observed as part of the engagement. In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity. This vulnerability was initially described in BID 7728 and is now being assigned its own BID.CISA became aware-via EINSTEIN, CISA’s intrusion detection system that monitors federal civilian networks-of a potential compromise of a federal agency’s network. This will cause the IIS server to stop serving requests until the service is manually restarted. ** It has been reported that if a WebDAV request with a certain number of bytes is received, the Inetinfo service will remain alive but cease serving requests. IIS will automatically restart and normal service will resume. All current web, FTP, and email sessions will be terminated. When WebDAV receives excessively long requests to the 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. Microsoft Internet Information Services has been reported vulnerable to a denial of service. Attackers can send malicious "PROPFIND" requests to the server to crash it. This signature detects attempts to exploit a known vulnerability in Microsoft IIS 5.0.
0 Comments
Leave a Reply. |