On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory highlighting a threat targeting a Defense Industrial Base sector organization's enterprise network. The advanced persistent threat group is leveraging the open-source toolkit Impacket to gain initial access to target systems. After Impacket is successfully deployed, it launches the data exfiltration tool CovalentStealer. The advisory was released in collaboration with the Federal Bureau of Investigation and the National Security Agency.
The advisory states that CISA observed these attacks between November 2021 and January 2022 during incident response activities. In some instances, CISA believes that the threat actors had long-term access to the environment. Additionally, the threat actors used Microsoft Exchange to breach target systems and returned later to use Command Shell to collect sensitive data before launching the Impacket tools. In the observed instances, the threat actors used VPNs to conduct the attacks.