Msiexec Impersonation – Exploit Leads to Data Exfiltration

The intrusion began with the exploitation of an internet-facing instance of ManageEngine SupportCenter Plus via the CVE-2021-44077 vulnerability.
The threat actor successfully exploited the RCE vulnerability in SupportCenter Plus, which allowed them to drop a web shell in an internet accessible directory.
The exploit that was witnessed looks very similar to a publicly available POC exploit on GitHub.

The threat actor then performed some generic enumeration of the system and enabled WDigest authentication on the server using the web shell.
Enumeration on the system included querying network configuration, a list of domain joined computers, user and OS information, and current user sessions on the beachhead.

Periodically over several days, the threat actor returned and checked what users were logged into the beachhead server using the webshell.
Finally, on the seventh day, the threat actors performed an LSASS dump on the system, which captured the credentials of an administrative user that had recently logged into the system.
In this case, the threat actor had access to the user’s plaintext credentials as a result of WDigest authentication being previously enabled.

The following day the threat actor downloaded ekern.exe, which was a renamed version of Plink, and deployed a script to establish a reverse SSH connection to the RDP port of the beachhead server.
An interactive RDP session was successfully established to the beachhead server by the threat actor where they began enumerating other computers on the network.

From the beachhead, lateral movement was conducted to three other servers via RDP, including a domain controller, a file server, and another server.
Confidential files were exfiltrated from the network throughout this intrusion using a mixture of web shell access and hands-on keyboard access via RDP.

These files, were critical to the business and it’s partner.
The documents were selectively chosen as if the attackers were looking for specific material.
When it came time to exfiltrate certain files or folders, one folder of the utmost importance was exfiltrated while passing on other partner folders and files.

Besides the files and folders mentioned, internal machine certs were reviewed and later exfiltrated.
The exfiltrated information has not been found in any public dumps or sales to date.

The threat actors were evicted from the network soon after stealing this information.