
Decrypting A Cyber Breach


By Sunil Sharma, Director Cyber Defense


The Help AG Incident Response team responded to multiple breaches in 2021. One of the most notable breaches was attempted by an Iran-linked threat actor.

In November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert highlighting ongoing malicious activity by an advanced persistent threat (APT) group associated with the government of Iran. The alert mentioned initial access leveraging Fortinet FortiOS and Microsoft Exchange ProxyShell vulnerabilities.

A client engaged Help AG to respond to a security breach. An administrator at the client site noticed suspicious admin account usage and unauthorized access to user mailboxes. Help AG consultants identified exploitation of multiple Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

  1. After exploiting the vulnerabilities, the attacker uploaded various web shells to the Exchange server to stay connected to the environment, maintain persistence, and perform command and control functions.
  2. The attacker then uploaded a reverse proxy tool to establish a secure tunnel to the environment.
  3. Using the Remote Desktop Protocol (RDP), the attacker managed to connect to the Exchange server via the secure tunnel.
  4. The attacker then created a local Administrator account on the Exchange server, followed by attempts at lateral movement and profiling the systems in the environment.

The attacker:
  • Used RDP for connectivity and the PsExec tool to perform remote command execution
  • Used the PsExec tool to create services to maintain persistence in the environment
  • Installed an SSH application on one of the systems to perform data exfiltration
  • Downloaded PsTools, a legitimate Microsoft toolset, and used it for further lateral movement
  • Used the Mimikatz credential dumping tool and the “pass-the-hash” technique to obtain access to the Domain Controller
  • Created various user accounts and added these accounts to the “Domain Admin” group
  • Installed another backdoor on multiple systems to control them remotely
  • Used the SSH application server to exfiltrate dumped credentials and other data to their command-and-control server
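Several of the steps above leave standard Windows event log traces: a new account (Security event 4720), a member added to a privileged group (4728), and the service PsExec installs on a target (System event 7045, service name PSEXESVC). The following detector is an added example, not Help AG's code or tooling; the host names, account names and event records are constructed, while the event IDs, field names and the PSEXESVC service name are the real ones.

```python
# Added example (not Help AG's code): flag the account-creation, privileged-group and PsExec
# service events described above. Event IDs and PSEXESVC are real; the records are constructed.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "EXCH01", "SubjectUserName": "Administrator",
     "TargetUserName": "svc_backup2"},
    {"EventID": 4624, "Computer": "EXCH01", "TargetUserName": "jdoe", "LogonType": 10},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "svc_backup2",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=local"},
    {"EventID": 7045, "Computer": "FILE01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def classify(event):
    """Map one event record to the ATT&CK technique from the write-up, or None if it is noise."""
    eid = event.get("EventID")
    if eid == 4720:  # Security: a user account was created (T1136 Create Account)
        return "T1136", f"account '{event['TargetUserName']}' created by '{event['SubjectUserName']}'"
    if eid == 4728 and event.get("TargetUserName") in PRIVILEGED_GROUPS:  # T1098 Account Manipulation
        return "T1098", f"{event['MemberName']} added to '{event['TargetUserName']}'"
    if eid == 7045 and event.get("ServiceName", "").upper().startswith("PSEXESVC"):  # T1021 via PsExec
        return "T1021", f"PsExec service '{event['ServiceName']}' installed from {event['ImagePath']}"
    return None

def detect(events):
    """Return one finding per event matching the attacker behaviours; other events are ignored."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            technique, detail = hit
            findings.append({"technique": technique, "computer": ev["Computer"], "detail": detail})
    return findings

def created_then_escalated(events):
    """Accounts that were created (4720) and also added to a privileged group (4728), as in this breach."""
    created = {e["TargetUserName"] for e in events if e.get("EventID") == 4720}
    escalated = set()
    for e in events:
        if e.get("EventID") == 4728 and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            member = e["MemberName"].split(",")[0].removeprefix("CN=")  # first RDN of the DN
            if member in created:
                escalated.add(member)
    return sorted(escalated)

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['technique']} on {f['computer']}: {f['detail']}")
    print("created then escalated:", created_then_escalated(SAMPLE_EVENTS))
```

The same checks apply unchanged to real records exported from the Security and System logs, provided the field names are mapped as above.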
Analysis and Response

Help AG observed significant sophistication in the attack. Our consultant identified the source of infection and the initial access techniques within the first 2 hours of the engagement. We assisted the client in patching the vulnerable systems, blocking relevant IoCs on perimeter and endpoint devices, rapidly resetting the compromised credentials, and rebuilding systems to a “known good” state. In addition, we installed an Endpoint Detection and Response (EDR) solution to monitor the client environment and ensure that the rebuilt systems were, and remained, free of compromise.

The attacker's Tactics, Techniques, and Procedures (TTPs) mapped to MITRE ATT&CK

Reconnaissance

  • T1595 – Active Scanning
  • T1592 – Gather Victim Host Information

Execution

  • T1059 – Command and Scripting Interpreter
  • T1203 – Exploitation for Client Execution

Privilege Escalation

  • T1068 – Exploitation for Privilege Escalation
  • T1078 – Valid Accounts

Credential Access

  • T1003 – OS Credential Dumping

Lateral Movement

  • T1210 – Exploitation of Remote Services
  • T1570 – Lateral Tool Transfer
  • T1021 – Remote Services

Command and Control

  • T1071 – Application Layer Protocol
  • T1105 – Ingress Tool Transfer
  • T1572 – Protocol Tunneling
  • T1090 – Proxy

Initial Access

  • T1190 – Exploit Public-Facing Application

Persistence

  • T1098 – Account Manipulation
  • T1136 – Create Account
  • T1133 – External Remote Services
  • T1078 – Valid Accounts

Defense Evasion

  • T1548 – Abuse Elevation Control Mechanism
  • T1036 – Masquerading
  • T1027 – Obfuscated Files or Information
  • T1078 – Valid Accounts

Discovery

  • T1087 – Account Discovery
  • T1069 – Permission Groups Discovery

Collection

  • T1560 – Archive Collected Data
  • T1005 – Data from Local System
  • T1074 – Data Staged

Exfiltration

  • T1048 – Exfiltration Over Alternative Protocol
