Feds Hit with Successful Cyberattack, Data Stolen
A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees' legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
"The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 (O365) accounts and domain administrator accounts," according to CISA. "First, the threat actor logged into a user's O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization's virtual private network (VPN) server."
As for how the attackers managed to get their hands on the credentials in the first place, CISA's investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.
"It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," according to the alert. "CVE-2019-11510...allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government."
Check out the rest of the story for additional details on the attack.
(Score: 2, Interesting) by RandomFactor on Saturday September 26 2020, @02:23PM (5 children)
This is the raison d'etre for multi-factor authentication.
Mass O365 credential phishing and compromise of single factor authenticating tenant accounts became a major thing a few years ago and hasn't stopped.
Any major organization on O365 that hasn't told their users to get over it and deal with multi-factor by this point is basically being professionally negligent.
For many (most?) organizations this is an existential requirement (oh your accounts keep sending me malware and phishing and spam...yeah, we're done I'll be at your competitor's website, kthxbai)
(admittedly this doesn't apply to federal organizations...sigh...I concede that point before someone makes it...)
Nor does being 'too small to bother with' work. Most attacks are highly automated and done in bulk. For any significant organization running single-factor O365, it is really just a matter of time.
There is no news in Pravda, and no truth in Izvestia
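The activity CISA describes in the story above (valid credentials used from an outside address, several accounts involved, then repeated connections to the agency VPN from another outside address) and the single-factor point in the comment above both come down to what a tenant's sign-in and VPN logs can show. The following is an added example, not code from the CISA alert or from anyone in this thread: it runs over constructed O365 sign-in records and VPN connection records (simplified field names rather than the real audit schema, documentation-range IP addresses, and an assumed corporate egress range) and flags successful single-factor sign-ins from unknown addresses, outside addresses that authenticated as more than one account, and follow-on VPN connections from the same address within a time window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate egress range for the example (documentation prefix, not a real agency range).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed O365 sign-in records. Field names are simplified for the example;
# the real sign-in log has different keys and far more of them.
SIGNIN_LOG = [
    {"time": "2020-09-24T01:12:03Z", "user": "alice@agency.example", "ip": "203.0.113.7",   "mfa": True,  "result": "Success"},
    {"time": "2020-09-24T02:45:10Z", "user": "bob@agency.example",   "ip": "198.51.100.23", "mfa": False, "result": "Success"},
    {"time": "2020-09-24T02:50:00Z", "user": "carol@agency.example", "ip": "198.51.100.23", "mfa": False, "result": "Success"},
    {"time": "2020-09-24T03:00:00Z", "user": "dave@agency.example",  "ip": "192.0.2.9",     "mfa": False, "result": "Failure"},
]

# Constructed VPN connection records (who connected, from where, when).
VPN_LOG = [
    {"time": "2020-09-24T03:10:00Z", "ip": "198.51.100.23", "user": "bob@agency.example"},
    {"time": "2020-09-24T03:11:00Z", "ip": "198.51.100.23", "user": "bob@agency.example"},
    {"time": "2020-09-24T09:00:00Z", "ip": "203.0.113.7",   "user": "alice@agency.example"},
]


def parse_time(ts):
    """Parse the UTC 'Z' timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip, ranges=CORPORATE_RANGES):
    """True if the address falls inside a known corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_risky_signins(records, ranges=CORPORATE_RANGES):
    """Successful sign-ins that were single-factor and came from outside known ranges.

    Failed attempts are left out here: the point is accounts an outsider actually
    got into with valid credentials, which is the scenario the alert describes.
    """
    return [
        r for r in records
        if r["result"] == "Success" and not r["mfa"] and not is_corporate(r["ip"], ranges)
    ]


def shared_source_ips(risky, min_users=2):
    """Outside addresses that authenticated successfully as several distinct accounts.

    An actor holding valid credentials for multiple users shows up in the logs as
    one external address succeeding as many accounts in a short span.
    """
    users_by_ip = defaultdict(set)
    for r in risky:
        users_by_ip[r["ip"]].add(r["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


def correlate_with_vpn(risky, vpn_records, window=timedelta(hours=24)):
    """Count VPN connections from each risky sign-in address within `window`
    after that address's first risky sign-in. Counted per address, not per
    sign-in, so several compromised accounts from one address are not double counted."""
    first_seen = {}
    for r in risky:
        t = parse_time(r["time"])
        first_seen[r["ip"]] = min(t, first_seen.get(r["ip"], t))
    hits = {}
    for ip, start in first_seen.items():
        n = sum(
            1 for v in vpn_records
            if v["ip"] == ip and start <= parse_time(v["time"]) <= start + window
        )
        if n:
            hits[ip] = n
    return hits


def build_findings(signins=SIGNIN_LOG, vpn=VPN_LOG):
    """Return human-readable findings for the three checks above."""
    risky = find_risky_signins(signins)
    findings = [f"single-factor sign-in from outside address: {r['user']} via {r['ip']}" for r in risky]
    for ip, users in shared_source_ips(risky).items():
        findings.append(f"address {ip} used for {len(users)} accounts: {', '.join(sorted(users))}")
    for ip, n in correlate_with_vpn(risky, vpn).items():
        findings.append(f"address {ip} made {n} VPN connections after a risky sign-in")
    return findings


if __name__ == "__main__":
    for line in build_findings():
        print(line)
```

The same three checks map directly onto the mitigations the comment argues for: with MFA enforced tenant-wide the first list is empty by construction, and the remaining two become high-signal because any single-factor success is itself anomalous.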
(Score: 5, Insightful) by Thexalon on Saturday September 26 2020, @06:22PM
Also:
1. Why is the FBI running Office365? You know, a widely attacked platform? You'd think they'd have something a bit more sophisticated and secretive than that.
2. If they still can't figure out how risky this is, remember that all the OMG-Hillary-and-the-Democrats-were-hacked-by-the-Russians business from 4 years ago was due to a lack of MFA combined with some basic spear-phishing.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Saturday September 26 2020, @07:42PM
This is the fun/sad part. US Federal employees are required to use CAC (military) or PIV (civilian agencies) cards to login to computers, email, vpn, etc...
So either MFA was broken, someone's card/pin was stolen, or MFA was not actually required for specific individuals (e.g. Hillary style), agencies, or bureaus.
Wish they would say what agency. There is a big difference in concern depending on if it was: a Forest Service intern _OR_ a virologist at the CDC __OR__ a big cheese at the SEC __OR__ anybody at the Federal Election Commission.
(Score: 2) by corey on Saturday September 26 2020, @11:54PM (1 child)
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @04:57PM
oh please. The problem is we have a whole nation/world of retarded whores who suck up to power and do everything they can to fund the enemies of their own offspring as often as they can if it gets them a pat on the head. Fuck them. They are complicit.
(Score: 2) by fakefuck39 on Sunday September 27 2020, @07:26AM
It's cool, nothing to see here. This will all be fixed when like the government wants, all encryption has a backdoor. No need for credentials, since every country and every hacker in the world will work on breaking that government decryption key.