Microsoft has issued a warning regarding a sophisticated attack campaign. The campaign, recently uncovered by security experts, involves the misuse of a legitimate enterprise tool, the HPE Operations Agent, to carry out malware-free intrusions.
The attackers gained entry through a compromised third-party IT services provider, then moved through the victim's environment using tools that were already approved there. Because no traditional malware was executed during the attack, the activity slipped past conventional malware detection.
Exploiting Trusted Tools for Stealthy Intrusions
According to Microsoft Incident Response investigators, the attackers utilized HPE Operations Agent (OA) as a primary delivery mechanism. This tool, commonly used for enterprise monitoring, was not inherently flawed but was repurposed to exploit its trusted status within the target’s IT environment.
The attack campaign persisted for over 100 days, utilizing the HPE Operations Manager (HPOM) managed by a third-party provider. During this period, attackers harvested credentials, accessed critical systems, and maintained undetected access through covert tunnels established with ngrok.
Credential Harvesting and Network Mapping
Throughout the intrusion, attackers focused on credential theft and network reconnaissance. They deployed VBScripts, such as abc003.vbs, to collect system data and map the network. These scripts ran undetected due to their execution through a trusted management platform.
The attackers also implanted web shells on internet-facing servers, creating persistent backdoors. These included files like Errors.aspx and modified Signoff.aspx, which remained active even when other tools were removed.
Recommendations for Enhanced Security
Microsoft advises organizations to enhance their security frameworks by deploying endpoint detection and response (EDR) tools and adopting a default-deny model for outbound traffic. This strategy helps block unauthorized connections and detect unusual activities within the network.
Furthermore, enabling detailed server logging and actively monitoring authentication configurations can help identify stealthy abuse of legitimate tools. Removing unnecessary tools that could be exploited and monitoring for unexpected changes, such as new or altered files on internet-facing servers, are crucial steps in securing IT environments.
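The web-shell findings above (a new Errors.aspx and a modified Signoff.aspx on internet-facing servers) and the recommendation to enable server logging and watch for unexpected changes can be turned into a concrete check. The following is an added example, not code from Microsoft, HPE, or the article: it baselines a web root by file hash, reports files that were added or modified since the baseline, and then correlates those paths against IIS W3C log lines to surface POST requests that reached the changed pages. The web root layout, file contents, IP addresses and log lines are constructed for the example; the column layout follows the `#Fields:` header that IIS writes, and the field names used here are the standard W3C ones.

```python
"""Added example (not Microsoft's or HPE's code): baseline a web root, report
unexpected .aspx additions/modifications, then correlate those files against
constructed IIS W3C log lines to surface POST requests reaching them."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baselines(before, after):
    """Compare two snapshots. Any of these on an internet-facing web root
    outside an approved change window deserves a look."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def parse_iis_w3c(lines):
    """Yield one dict per record, taking column names from the '#Fields:' header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("log record encountered before a #Fields header")
        yield dict(zip(fields, line.split()))


def flag_requests(lines, changed_paths):
    """Return POST records whose URI stem maps to a file that changed on disk.
    GETs are ignored here to keep the output focused on pages receiving input."""
    watch = {p.lower() for p in changed_paths}
    hits = []
    for rec in parse_iis_w3c(lines):
        target = rec["cs-uri-stem"].lstrip("/").lower()
        if rec["cs-method"] == "POST" and target in watch:
            hits.append(rec)
    return hits


# Constructed sample log: the 203.0.113.7 client hits both changed pages with POSTs;
# the 198.51.100.20 POST goes to an unchanged page and must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-15 03:12:44 10.0.0.5 GET /app/Signoff.aspx - 443 - 203.0.113.7 200
2024-01-15 03:12:51 10.0.0.5 POST /app/Signoff.aspx - 443 - 203.0.113.7 200
2024-01-15 03:13:02 10.0.0.5 POST /app/Errors.aspx - 443 - 203.0.113.7 200
2024-01-15 08:01:10 10.0.0.5 POST /app/Logon.aspx - 443 - 198.51.100.20 302
""".splitlines()


def demo():
    """Build a constructed web root, take a baseline, simulate the changes the
    article describes, and return (changes, flagged_requests)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "app"
        webroot.mkdir()
        (webroot / "Signoff.aspx").write_text("<%@ Page %> sign-off page")
        (webroot / "Logon.aspx").write_text("<%@ Page %> logon page")
        before = hash_tree(tmp)
        # A new Errors.aspx appears and the existing Signoff.aspx is altered.
        (webroot / "Errors.aspx").write_text("<%@ Page %> unexpected new page")
        (webroot / "Signoff.aspx").write_text("<%@ Page %> sign-off page plus extra code")
        after = hash_tree(tmp)
    changes = diff_baselines(before, after)
    suspicious = changes["added"] + changes["modified"]
    return changes, flag_requests(SAMPLE_LOG, suspicious)


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    for h in hits:
        print(f"{h['date']} {h['time']} {h['c-ip']} POST {h['cs-uri-stem']} -> {h['sc-status']}")
```

In practice the baseline would be taken at deployment time and stored off the server, and the diff run on a schedule; the point of joining it with the access log is that a file that changed outside a release and is also receiving POSTs from a single external address is a much stronger signal than either observation alone.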
The sophistication of this attack highlights a shift in tactics, emphasizing the importance of maintaining vigilance and employing comprehensive security measures to protect against similar threats in the future.
