Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

Feds Hit with Successful Cyberattack, Data Stolen

posted by martyb on Saturday September 26 2020, @01:27PM   Printer-friendly
from the who-is-next? dept.

Fnord666 writes:

Feds Hit with Successful Cyberattack, Data Stolen:

A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees' legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

"The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 (O365) accounts and domain administrator accounts," according to CISA. "First, the threat actor logged into a user's O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization's virtual private network (VPN) server."

As for how the attackers managed to get their hands on the credentials in the first place, CISA's investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.

"It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," according to the alert. "CVE-2019-11510...allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government."

Check out the rest of the story for additional details on the attack.

CVE-2019-11510

Original Submission

 
This discussion has been archived. No new comments can be posted.
Feds Hit with Successful Cyberattack, Data Stolen | Log In/Create an Account | Top | 21 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Interesting) by RandomFactor on Saturday September 26 2020, @02:23PM (5 children)

    by RandomFactor (3682) Subscriber Badge on Saturday September 26 2020, @02:23PM (#1057251) Journal

    "The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 (O365) accounts and domain administrator accounts,"

    This is the raison d'etre for multi-factor authentication.
     
    Mass O365 credential phishing and compromise of single factor authenticating tenant accounts became a major thing a few years ago and hasn't stopped.
     
    Any major organization on O365 that hasn't told their user's to get over it and deal with multi-factor by this point is basically being professionally negligent.
    For many (most?) organizations this is an existential requirement (oh your accounts keep sending me malware and phishing and spam...yeah, we're done I'll be at your competitor's website, kthxbai)
     
    (admittedly this doesn't apply to federal organizations...sigh...I concede that point before someone makes it...)
     
    Nor does being 'too small to bother with' work. Most attacks are highly automated and done in bulk. For any significant organization running single-factor O365, it is really just a matter of time.

    --
    В «Правде» нет известий, в «Известиях» нет правды
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Total Score:   2  

  • (Score: 5, Insightful) by Thexalon on Saturday September 26 2020, @06:22PM

    by Thexalon (636) on Saturday September 26 2020, @06:22PM (#1057332)

    Also:
    1. Why is the FBI doing running Office365? You know, a widely attacked platform? You'd think they'd have something a bit more sophisticated and secretive than that.
    2. If they still can't figure out how risky this is, remember that all the OMG-Hillary-and-the-Democrats-were-hacked-by-the-Russians business from 4 years ago was due to a lack of MFA combined with some basic spear-phishing.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.

  • (Score: 0) by Anonymous Coward on Saturday September 26 2020, @07:42PM

    by Anonymous Coward on Saturday September 26 2020, @07:42PM (#1057350)

    This is the fun/sad part. US Federal employees are required to use CAC (military) or PIV (civilian agencies) cards to login to computers, email, vpn, etc...

    So either MFA was broken, someone's card/pin was stolen, or MFA was not actually required for specific individuals (EG Hillary style), agencies, or bureaus.

    Wish they would say what agency. There is a big difference in concern depending on if it was: a Forest Service intern _OR_ a virologist at the CDC __OR__ a big cheese at the SEC __OR__ anybody at the Federal Election Commission.

  • (Score: 2) by corey on Saturday September 26 2020, @11:54PM (1 child)

    by corey (2202) on Saturday September 26 2020, @11:54PM (#1057432)
    I part blame Microsoft for pushing this cloud shit onto everyone. Every Tom, Dick and his dog are jumping over each other to get their businesses onto O365, because Microsoft are making it The Next Big Thing. But because corporate (and government) data is now in the cloud, it’s way easier to get, as opposed to internal (often Linux/Unix) networks separated from the internet with a DMZ. I predict in a few years time, The Next Big Thing will be going back to the old ways with self run hardware and software, probably where the management will be done by Microsoft. And it’ll cost an arm and a leg.

    • (Score: 0) by Anonymous Coward on Sunday September 27 2020, @04:57PM

      by Anonymous Coward on Sunday September 27 2020, @04:57PM (#1057675)

      oh please. The problem is we have a whole nation/world of retarded whores who suck up to power and do everything they can to fund the enemies of their own offspring as often as they can if it gets them a pat on the head. Fuck them. They are complicit.

  • (Score: 2) by fakefuck39 on Sunday September 27 2020, @07:26AM

    by fakefuck39 (6620) on Sunday September 27 2020, @07:26AM (#1057557)

    It's cool, nothing to see here. This will all be fixed when like the government wants, all encryption has a backdoor. No need for credentials, since every country and every hacker in the world will work on breaking that government decryption key.