Inetinfo exploit

8/1/2023

A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack.

Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA. “First, the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 123 to the victim organization’s virtual private network (VPN) server.”

As for how the attackers managed to get their hands on the credentials in the first place, CISA’s investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.

“It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability – CVE-2019-11510 – in Pulse Secure,” according to the alert. “CVE-2019-11510…allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.”

The patch was issued in April of 2019, but the Department of Homeland Security (DHS) in April of this year noted that before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw – so, even those who have patched for the bug could still be compromised and are vulnerable to attack.

After initial access, the group set about carrying out reconnaissance on the network.

First they logged into an agency O365 email account to view and download help-desk email attachments with “Intranet access” and “VPN passwords” in the subject lines – and it uncovered the Active Directory and Group Policy key, changing a registry key for the Group Policy.

“Immediately afterward, the threat actor used common Microsoft Windows command line processes – conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe – to enumerate the compromised system and network,” according to CISA.

The attackers also set up a locally mounted remote share, which “allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA noted.

The next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it. Then they executed plink.exe, a remote administration utility.

After that, they connected to command-and-control (C2), and installed a custom malware with the file name “inetinfo.exe.”

The cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.

“inetinfo.exe is a unique, multi-stage malware used to drop files,” explained CISA. “It dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236198, which resulted in download and execution of a payload.”
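The post-compromise behaviour CISA describes (a burst of discovery commands, plink.exe, a scheduled task that launches the dropper, and a first inetinfo.exe spawning a second) is the kind of sequence a defender can hunt for in process-creation telemetry. The script below is an added example, not code from CISA or from the article: it runs a few simple detections over constructed process-creation records. The record layout, the logon IDs, timestamps and command lines are all assumptions made up for the sample; only the tool names come from the alert.

```python
"""
Added detection example (not CISA's code). Flags, per logon session:
  * a burst of distinct discovery utilities in a short window,
  * execution of plink.exe,
  * scheduled-task creation,
  * inetinfo.exe spawned by another inetinfo.exe (the "second instance").
Record format is an assumption: timestamp|logon_id|parent|image|command_line
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named in the alert. Any one of them is routine; several
# distinct ones from one logon session within minutes is what stands out.
DISCOVERY_TOOLS = {"ipconfig.exe", "net.exe", "query.exe", "netstat.exe",
                   "ping.exe", "whoami.exe"}
REMOTE_ADMIN_TOOLS = {"plink.exe"}
BURST_THRESHOLD = 4            # distinct discovery tools needed to alert
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (not real agency data). Session 0xa1b2 mirrors
# the described sequence; 0x3e7 and 0xc3d4 are benign background activity.
SAMPLE_LOG = """\
2020-09-24T10:00:01|0x3e7|services.exe|svchost.exe|svchost.exe -k netsvcs
2020-09-24T10:02:10|0xa1b2|cmd.exe|ipconfig.exe|ipconfig /all
2020-09-24T10:02:14|0xa1b2|cmd.exe|net.exe|net user /domain
2020-09-24T10:02:20|0xa1b2|cmd.exe|netstat.exe|netstat -ano
2020-09-24T10:02:31|0xa1b2|cmd.exe|whoami.exe|whoami /all
2020-09-24T10:02:40|0xa1b2|cmd.exe|query.exe|query user
2020-09-24T10:05:02|0xa1b2|cmd.exe|plink.exe|plink.exe
2020-09-24T10:09:00|0xa1b2|cmd.exe|schtasks.exe|schtasks /create /tn update /tr inetinfo.exe
2020-09-24T10:10:00|0xa1b2|svchost.exe|inetinfo.exe|inetinfo.exe
2020-09-24T10:10:05|0xa1b2|inetinfo.exe|inetinfo.exe|inetinfo.exe
2020-09-24T11:00:00|0xc3d4|cmd.exe|ipconfig.exe|ipconfig
"""


def parse_events(text):
    """Parse the pipe-delimited sample into dicts; names are lower-cased."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, logon, parent, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "logon": logon,
                       "parent": parent.lower(), "image": image.lower(),
                       "cmd": cmd})
    return events


def detect(events):
    """Return (finding_kind, logon_id, detail) tuples, grouped by session."""
    findings = []
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["logon"]].append(ev)

    for logon, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])

        # Sliding window over discovery tools: alert once per session when at
        # least BURST_THRESHOLD distinct tools run within BURST_WINDOW.
        disc = [e for e in evs if e["image"] in DISCOVERY_TOOLS]
        for i, first in enumerate(disc):
            window = [e for e in disc[i:]
                      if e["ts"] - first["ts"] <= BURST_WINDOW]
            distinct = {e["image"] for e in window}
            if len(distinct) >= BURST_THRESHOLD:
                findings.append(("discovery_burst", logon, sorted(distinct)))
                break

        for e in evs:
            if e["image"] in REMOTE_ADMIN_TOOLS:
                findings.append(("remote_admin_tool", logon, e["image"]))
            if e["image"] == "schtasks.exe" and "/create" in e["cmd"].lower():
                findings.append(("scheduled_task_created", logon, e["cmd"]))
            # inetinfo.exe is also the name of the legitimate IIS worker, so
            # the name alone proves nothing; an inetinfo.exe whose parent is
            # another inetinfo.exe matches the "second instance" CISA describes.
            if e["image"] == "inetinfo.exe" and e["parent"] == "inetinfo.exe":
                findings.append(("inetinfo_spawned_inetinfo", logon, e["cmd"]))
    return findings


def run_sample():
    """Run the detections over the constructed sample."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, logon, detail in run_sample():
        print(f"{kind:28s} session={logon} {detail}")
```

The single ipconfig in session 0xc3d4 produces nothing, which is the point of counting distinct tools per session rather than alerting on each command; the same logic ports directly to Security event 4688 or Sysmon event 1 fields (LogonId, ParentImage, Image, CommandLine).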