CISA announced yesterday that a hacker had gained access to the network of a U.S. federal agency and exfiltrated data. The name of the affected agency, the date of the attack and any details about the hacker are not currently known.
CISA officials revealed the breach by publishing a detailed incident response (IR) report that walks through every step the hacker took. The report, analyzed by ZDNet, reveals how the hacker gained access to the agency's internal networks by exploiting compromised credentials for Microsoft Office 365 accounts, domain administrator accounts and the agency's Pulse Secure VPN server.
According to CISA, the hacker logged into Office 365 accounts to view and download help desk email attachments with "Intranet access" and "VPN passwords" in the subject line. The hacker went looking for these files even though he had already gained privileged access to the agency's network, most likely to find other parts of the network that he could attack.
The hacker also had access to the on-premises Active Directory, where he modified settings and studied the structure of the agency's internal network. In addition, the hacker set up an SSH tunnel and a reverse SOCKS proxy, installed custom malware, and connected a hard drive under his control to the agency's network.
According to CISA analysts, the hacker was able to move freely during the operation while leaving little evidence for forensic analysis. The hacker also created his own local account on the network. Analyzing the forensic evidence, CISA noted that the hacker used this account to browse the local network, run PowerShell commands and collect files of interest into ZIP archives. CISA said it could not confirm whether the hacker exfiltrated the ZIP files, although this probably happened in the end. CISA also reported that the malware (inetinfo.exe) the hacker installed on the agency's network was able to bypass the agency's anti-malware protection.
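The three behaviours just described (a freshly created local account, PowerShell used to bundle files into ZIP archives, and a malicious binary carrying the name of a legitimate Windows component) all leave traces in account and process audit logs. The script below is an added illustration written for this page, not code from the ZDNet article or the CISA report: it runs three simple hunts over a handful of constructed Windows-style event records (4720 account creation and 4688 process creation) in a simplified `key=value` line format assumed here. The hostnames, account names, field names and the assumption that the only legitimate inetinfo.exe is the IIS binary in C:\Windows\System32\inetsrv are mine, not facts from the report.

```python
import re
import ntpath

# Constructed sample events, not real agency logs. Format assumed for this example:
# "<timestamp> <host> <event_id> key=value key="quoted value" ..."
SAMPLE_LOGS = r"""
2020-09-01T10:02:11 FS01 4720 subject=CORP\helpdesk-admin target=FS01\svc_backup
2020-09-01T10:05:40 FS01 4688 user=FS01\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -c Compress-Archive -Path C:\Shares\Finance -DestinationPath C:\Users\Public\f.zip"
2020-09-01T10:07:02 FS01 4688 user=FS01\svc_backup image=C:\Users\Public\inetinfo.exe cmdline="inetinfo.exe"
2020-09-01T10:09:13 WEB02 4688 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\inetsrv\inetinfo.exe cmdline="inetinfo.exe"
2020-09-01T11:00:00 FS01 4688 user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-Date"
"""

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: the IIS worker is the only legitimate inetinfo.exe on these hosts.
LEGIT_INETINFO_DIR = r"c:\windows\system32\inetsrv"

# PowerShell idioms for building ZIP files (cmdlet and the .NET class behind it).
ZIP_IN_POWERSHELL = re.compile(r"compress-archive|\[io\.compression", re.IGNORECASE)


def parse_line(line):
    """Split one record into a dict: ts, host, event_id (int) plus its key=value fields."""
    ts, host, event_id, rest = line.split(" ", 3)
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(rest)}
    return {"ts": ts, "host": host, "event_id": int(event_id), **fields}


def detect(log_text):
    """Run three hunts over the records and return findings in log order."""
    findings = []
    new_accounts = set()  # accounts created during the window, tracked across later events

    for line in log_text.strip().splitlines():
        ev = parse_line(line)

        # Hunt 1: local account creation (4720). The report notes the intruder
        # created his own account and used it for the rest of the operation.
        if ev["event_id"] == 4720:
            new_accounts.add(ev["target"].lower())
            findings.append({"rule": "new_local_account", "host": ev["host"],
                             "detail": ev["target"], "severity": "medium"})
            continue

        if ev["event_id"] != 4688:
            continue

        image = ev.get("image", "")
        base = ntpath.basename(image).lower()
        user = ev.get("user", "")
        cmdline = ev.get("cmdline", "")

        # Hunt 2: PowerShell building ZIP archives (collection/staging).
        # Raise severity when the actor is an account created in this window.
        if base == "powershell.exe" and ZIP_IN_POWERSHELL.search(cmdline):
            severity = "high" if user.lower() in new_accounts else "medium"
            findings.append({"rule": "powershell_archive_staging", "host": ev["host"],
                             "detail": user, "severity": severity})

        # Hunt 3: a binary named like a Windows component running from the
        # wrong directory (masquerading), e.g. inetinfo.exe outside the IIS path.
        if base == "inetinfo.exe" and ntpath.dirname(image).lower() != LEGIT_INETINFO_DIR:
            findings.append({"rule": "inetinfo_masquerade", "host": ev["host"],
                             "detail": image, "severity": "high"})

    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(f"[{finding['severity']}] {finding['rule']} on {finding['host']}: {finding['detail']}")
```

On the constructed sample this flags the account creation on FS01, the archive staging by that new account (escalated to high because the account is minutes old) and the inetinfo.exe launched from C:\Users\Public, while the genuine IIS process on WEB02 and the harmless PowerShell run by another user pass. Path-based checks like hunt 3 are cheap but only catch the lazy case; a sample copied over the real binary would need hash or signature verification instead.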
However, the researchers said they had detected the intrusion through EINSTEIN, CISA's intrusion detection system that monitors federal civilian networks, which is how the attack was caught even though the hacker's malware had bypassed the agency's anti-malware protection.