You're listening to the CyberWire Network, powered by N2K.

This is a SISA Cybersecurity Alert.

ID number Alpha Alpha 22 TAC-277

Alpha. Original release date, October 4, 2022.

From November 2021 through January 2022,

CISA responded to APT activity against a defense industrial-based

organization's enterprise network. During incident response activities,

CISA discovered that multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment.

APT actors used an open source toolkit called Impactet to gain their foothold within the environment and further compromise the network

and also used a custom data exfiltration tool, co-valence dealer, to steal the victim's sensitive data.

Impactit uses Windows Management Instrumentation and Server Message Block Protocol to create a semi-interactive shell within the target device.

Through the command shell, an impact user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.

Covalence Steeler is designed to identify file shares on a system, categorize the files, and upload the

files to a remote server.

Covalent Steeler includes two configurations that target the victim's documents using

predetermined file paths and user credentials.

CoVaillet Steeler stores the collected files on a Microsoft OneDrive Cloud folder.

The alert documentation also includes detection and

techniques and procedures and IOCs for the threat activity.

The alert documentation also includes detection and mitigation actions

to help organizations prevent this APT activity.

CISA, FBI, and NSA recommend defense industrial-based organizations implement the

...