Initial access to the agency’s system was possibly due to failure to fix a known VPN vulnerability, a patch for which was released in April 2019.
Unknown adversaries breached the security of a federal agency and downloaded files that could give them knowledge on how to further infiltrate and control government systems, according to the Cybersecurity and Infrastructure Security Agency.
The malicious actors, using valid credentials, continued trying to collect more network credentials and downloaded a file that could have included schematics from the agency, which CISA did not identify.
CISA detected the intrusion through its EINSTEIN program, which monitors federal networks for anomalies, and after responding, released an analysis of the incident Thursday.
It’s not entirely clear how the intruder acquired the credentials to gain initial access, but it’s possible it was by exploiting a known vulnerability in Pulse Secure Virtual Private Networks, according to the analysis.
The tactics, techniques and procedures involved in the intrusion are associated with high-profile foreign adversaries as well as cyber actors motivated by financial gain, according to descriptions in an encyclopedia of adversarial methods maintained by the MITRE corporation.
Last October, CISA and the National Security Agency warned that the vulnerability—Common Vulnerability and Exposure-2019-11510—was a prime target for advanced persistent threat actors. Though Pulse Secure released a fix in April 2019, CISA’s analysis Thursday notes the agency “has observed wide exploitation of CVE-2019-11510 across the federal government.”
After gaining initial access, the threat actor logged into a Microsoft Office 365 account and viewed and downloaded attachments in help desk emails with subject lines “Intranet access” and “VPN passwords,” despite already having privileged access.
CISA said those emails did not contain any passwords, but the intruder went on to browse files on a user’s home directory and copied one from a SharePoint repository.
“SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems,” according to the MITRE framework. Examples of the type of information often contained in these repositories include system architecture and logical/physical network diagrams; testing and development credentials; policies, procedures and standards; technical system documentation; work and project schedules; source code snippets; and links to other internal resources and network shares.
The threat actor also likely made off with two compressed .zip files containing several other files and directories, CISA said, although analysts couldn’t confirm this because the adversary covered their tracks.
CISA issued several recommendations including that agencies update software and implement multi-factor authentication, especially for privileged accounts. Agencies should also deploy an enterprise firewall or work with their internet service provider to ensure one is properly configured and monitor network traffic for unusual open ports and large outbound files.