Week in Security: Open source tool used to steal data from defense firm

This week: APT groups targeted a defense industrial base sector organization, why SBOMs are a great “first step,” and more.

This week’s top story

CISA: Open source tool used to steal data from defense firm

Advanced Persistent Threat (APT) groups compromised a defense firm and lurked on its network for months, according to a new U.S. Cybersecurity and Infrastructure Security Agency (CISA) Alert (AA22-277A). The groups compromised an administrator account used to manage the organization’s Microsoft Exchange Server and used an open-source toolkit called Impacket to expand their foothold in the network and compromise it, CISA said.

The known activity took place from November 2021 to January 2022, and was tracked by CISA with the help of a trusted third-party organization. They have not yet determined how these groups gained access to the network.

Once granted access, the APT groups used a compromised administrator account, allowing them to access the network’s EWS Application Programming Interface (API) twice, while connected to a VPN. After accessing the EWS API, the threat actors used Window Command Shell over a 3-day period, allowing them to interact with the organization’s network, including the collection of sensitive data. It was in this same period that the APT groups utilized Impacket to move laterally across systems. The Alert defines Impacket as a “Python toolkit for programmatically constructing and manipulating network protocols on another system.”

The response effort believes that the APT groups were able to maintain access to the network until January 2022 with the use of legitimate login credentials.

CISA’s Alert lists tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IoCs) related to this incident. CISA, along with the FBI and NSA, advise that any DIB sector or critical infrastructure organization take the necessary precautions listed in the Alert in order to manage this cyber threat.

News roundup

Here are the stories we’re paying attention to this week…

SBOM: A first step in software supply chain security
(Kuppingercole Analysts)

"Having a Bill of Materials is nothing new in the traditional Supply Chain Management (SCM) process, and it shouldn’t be any surprise and makes perfect sense to apply this same concept to software."

Complying with the Egypt Financial Cybersecurity Framework: What you should know
(The State of Security)

The Egypt Financial Cybersecurity Framework uses the most common, and well-respected frameworks into one unified source. Rather than attempting to cross-reference all the frameworks to each other, the CBE choses the best practices from each, creating a new document for use in the financial sector.

FBI and CISA publish a PSA on malicious cyber activity against election infrastructure
(CISA)

The Federal Bureau of Investigation (FBI) and CISA have published a joint public service announcement. It assesses that malicious cyber activity aiming to compromise election infrastructure is unlikely to result in large-scale disruptions or prevent voting.

Researchers report supply chain vulnerability in Packagist PHP Repo
(The Hacker News)

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.

How scanning GitHub can help secure the open-source supply chain
(Venture Beat)

SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help enterprises secure their GitHub implementations. The solution will enable security and devops teams to scan GitHub configurations at scale and ensure the integrity of open-source software.