SoylentNews

Fnord666 [soylentnews.org] writes:

Feds Hit with Successful Cyberattack, Data Stolen [threatpost.com]:

A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert [cisa.gov] on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees' legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

"The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 (O365) accounts and domain administrator accounts," according to CISA. "First, the threat actor logged into a user's O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization's virtual private network (VPN) server."

As for how the attackers managed to get their hands on the credentials in the first place, CISA's investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.

"It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," according to the alert. "CVE-2019-11510...allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government."

Check out the rest of the story for additional details on the attack.

CVE-2019-11510 [mitre.org]

Original Submission