Cyber Web Spider Blog – News

Microsoft Warns of Attacks via HPE Operations Agent

Posted on May 15, 2026 By CWS

Microsoft has issued a warning regarding a sophisticated attack campaign. The campaign, recently uncovered by security experts, involves the misuse of a legitimate enterprise tool, the HPE Operations Agent, to carry out malware-free intrusions.

The attackers gained entry through a compromised third-party IT services provider, then navigated the victim’s system using pre-approved tools. This method allowed them to bypass conventional malware detection, as no traditional malware was executed during the attack.

Exploiting Trusted Tools for Stealthy Intrusions

According to Microsoft Incident Response investigators, the attackers used HPE Operations Agent (OA) as a primary delivery mechanism. The tool, commonly used for enterprise monitoring, was not inherently flawed; the attackers abused its trusted status within the target’s IT environment.

The campaign persisted for over 100 days and relied on an HPE Operations Manager (HPOM) instance managed by a third-party provider. During this period, the attackers harvested credentials, accessed critical systems, and maintained undetected access through covert tunnels established with ngrok.

Credential Harvesting and Network Mapping

Throughout the intrusion, the attackers focused on credential theft and network reconnaissance. They deployed VBScripts, such as abc003.vbs, to collect system data and map the network. These scripts ran undetected because they were executed through a trusted management platform.

The attackers also implanted web shells on internet-facing servers, creating persistent backdoors. These included files like Errors.aspx and modified Signoff.aspx, which remained active even when other tools were removed.

Recommendations for Enhanced Security

Microsoft advises organizations to enhance their security frameworks by deploying endpoint detection and response (EDR) tools and adopting a default-deny model for outbound traffic. This strategy helps block unauthorized connections and detect unusual activities within the network.
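As an added illustration (not code from Microsoft or from this article), the sketch below evaluates outbound connection records under a default-deny policy, so a tunnel endpoint is flagged because it is not approved rather than because it is recognized. The allowlist, host names, process names and log format are all constructed assumptions.

```python
# Constructed allowlist: the only destinations this server tier may reach.
ALLOWED_SUFFIXES = ("update.example-corp.test", "monitoring.example-msp.test")
ALLOWED_PORTS = {443}

# Constructed records: "timestamp source process destination port".
# The third line stands in for a tunnelling endpoint such as the ngrok
# tunnels described in the article.
SAMPLE_LOG = """\
2026-01-10T02:14:07Z web01 w3wp.exe update.example-corp.test 443
2026-01-10T02:15:31Z web01 agent.exe eu.monitoring.example-msp.test 443
2026-01-10T02:16:02Z web01 tunnel.exe abc123.tunnel-provider.test 443
2026-01-10T02:16:40Z app02 cscript.exe notmonitoring.example-msp.test 443
2026-01-10T02:17:12Z app02 agent.exe monitoring.example-msp.test 8080
"""


def host_allowed(host):
    """Match on DNS label boundaries so 'notmonitoring...' cannot pass as 'monitoring...'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def evaluate(log_text):
    """Split records into (allowed, denied); anything not explicitly approved is denied."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            # Default-deny also applies to records that cannot be parsed.
            denied.append({"raw": line, "reason": "unparsable record"})
            continue
        ts, src, proc, dest, port = parts
        rec = {"ts": ts, "src": src, "process": proc, "dest": dest, "port": int(port)}
        if not host_allowed(dest):
            rec["reason"] = "destination not on allowlist"
        elif rec["port"] not in ALLOWED_PORTS:
            rec["reason"] = "port not approved"
        (denied if "reason" in rec else allowed).append(rec)
    return allowed, denied


if __name__ == "__main__":
    for rec in evaluate(SAMPLE_LOG)[1]:
        print(rec)
```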

Furthermore, enabling detailed server logging and actively monitoring authentication configurations can help identify stealthy abuses. Removing unnecessary tools that could be exploited and monitoring for unexpected changes are crucial steps in securing IT environments.
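One way to monitor for the unexpected changes mentioned above, and for the web shell cases described earlier (a new page such as Errors.aspx and an altered Signoff.aspx), is a hash baseline of the web root. This is an added example, not tooling from Microsoft or the article; the directory layout, file contents and watched-extension list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed watch list: file types IIS/ASP.NET executes or that change handler behaviour.
WATCHED = {".aspx", ".ashx", ".asmx", ".asp", ".config"}


def snapshot(web_root):
    """Map each watched file's path (relative to the web root) to its SHA-256."""
    root = Path(web_root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED:
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def compare(baseline, current):
    """Return the files added, modified or removed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed web root: take a baseline, then add one page and edit another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "account").mkdir()
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>home')
        (root / "account" / "Signoff.aspx").write_text('<%@ Page Language="C#" %>bye')
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a watched type
        baseline = snapshot(root)  # in practice, taken from a known-good deployment

        # Constructed drift matching the two cases the article names.
        (root / "Errors.aspx").write_text('<%@ Page Language="C#" %>unexpected')
        with (root / "account" / "Signoff.aspx").open("a") as fh:
            fh.write("<!-- appended content -->")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored where the web server's own account cannot rewrite it; otherwise whoever changes the pages can change the baseline too.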

The sophistication of this attack highlights a shift in tactics, emphasizing the importance of maintaining vigilance and employing comprehensive security measures to protect against similar threats in the future.
