Malware Attack Leverages Stolen Admin Credentials

Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging campaign, occurring since at least May 2016, that uses multiple malware implants to compromise IT systems and access data. Among the victims of this attack are organizations in the Information Technology, Energy, Healthcare, Communications, and Manufacturing sectors.

According to the NCCIC’s preliminary analysis, the attack appears to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. The hacker makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

Get the entire NCCIC Incident Report

Some of the campaign’s victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mechanisms in place, the hacker could possibly gain full access to networks and data in a way that appears legitimate to existing security monitoring tools.

Among the mitigations recommended by the NCCIC is the fine-tuning of account controls, specifically…

  • Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege.
  • Limit the ability of a local administrator account to log in from a local interactive session (e.g., “Deny access to this computer from the network”) and prevent access via a Remote Desktop Protocol session.
  • Remove unnecessary accounts and groups, and restrict root access.
  • Control and limit local administration.
  • Make use of the Protected Users Active Directory group in Windows Domains to further secure privileged user accounts against pass-the-hash compromises.
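The list above describes controls but not how to check that they are actually in place. The following PowerShell audit script is an added example, not part of the NCCIC report or DataLink's material. It reports, without changing anything, three things on a domain-joined Windows host: who holds local administration, whether the “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services” rights cover local Administrators members (via the built-in SID S-1-5-114, present on Windows 8.1 / Server 2012 R2 and later), and whether every Domain Admins account is also in Protected Users. It assumes an elevated PowerShell 5.1+ session and, for the domain check, the RSAT ActiveDirectory module; the temporary file name and the output layout are the example's own choices.

```powershell
# Added audit example (not from the NCCIC alert or DataLink): reports on the
# account-control mitigations listed above. Read-only; it changes no settings.
# Assumes: elevated PowerShell 5.1+, RSAT ActiveDirectory module for the domain check.

$findings = @()

# 1. Control and limit local administration: list the local Administrators members.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $findings += [pscustomobject]@{ Check = 'LocalAdminMember'; Subject = $m.Name; Detail = $m.ObjectClass }
}

# 2. Deny network and RDP logon for local admin accounts: export the user-rights
#    section of the local security policy and inspect the two deny rights.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # temporary file name chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -Force

function Get-AssignedPrincipals([string]$right) {
    # Exported lines look like: SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-32-546
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) { return @() }
    return (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

# S-1-5-114 = "NT AUTHORITY\Local account and member of Administrators group"
$localAdminSid = 'S-1-5-114'
foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $assigned = Get-AssignedPrincipals $right
    $status = if ($assigned -contains $localAdminSid) { 'OK' } else { 'MISSING' }
    $findings += [pscustomobject]@{ Check = $right; Subject = $localAdminSid; Detail = $status }
}

# 3. Protected Users: each Domain Admins user should also be a Protected Users member,
#    which removes NTLM, weak Kerberos ciphers and credential caching for that account.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($da in $domainAdmins) {
        $status = if ($protected -contains $da.SamAccountName) { 'OK' } else { 'NOT-PROTECTED' }
        $findings += [pscustomobject]@{ Check = 'ProtectedUsers'; Subject = $da.SamAccountName; Detail = $status }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt on a representative workstation and on a server; any `MISSING` or `NOT-PROTECTED` row is a gap against the list above. Before moving an account into Protected Users, confirm it is not used by a service or scheduled task that still relies on NTLM or cached logon, since those will stop working for members; the group is only present once the domain has a Windows Server 2012 R2 or later domain controller.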

This activity is still under investigation by the NCCIC. If an intrusion is suspected, please reach out to DataLink’s Cyber Security team for help. Contact us today: 410.729.0440 or