The article by Alon Gal highlights a significant national security threat posed by Infostealer malware infections among U.S. defense contractors and military personnel. Employees from companies like Lockheed Martin, Boeing, and Honeywell have unwittingly downloaded malware, resulting in the theft of sensitive credentials and exposing classified information. This issue raises serious concerns about the integrity of national security infrastructures.
Affected: Lockheed Martin, Boeing, Honeywell, U.S. Army, U.S. Navy, FBI, Government Accountability Office (GAO)
Key points:
- Employees at major defense contractors have been infected by Infostealer malware, compromising sensitive data.
- Stolen credentials from military personnel expose VPN access and classified systems.
- Infostealer malware infects systems through human error, particularly via downloaded files.
- Cybercriminals can purchase stolen data from employees for as low as per log.
- Infostealers capture various credentials, including email and multi-factor authentication session cookies.
- The problem extends beyond infected employees, impacting entire supply chains and partnerships.
- Notable cases of compromise include Honeywell and the U.S. Navy, with significant data breaches reported.
- No firm is immune to these threats; if major companies are vulnerable, smaller companies also face risks.
- Strong cybersecurity measures are essential to prevent initial infections and secure sensitive networks.
MITRE Techniques:
- T1071 – Application Layer Protocol: Infostealers exfiltrate stolen data via application layer protocols.
- T1081 – Credential Dumping: Infostealers capture and exfiltrate user credentials from infected systems.
- T1552.001 – Credentials in Files: Sensitive login credentials for internal systems are stored in files that are later exfiltrated.
- T1075 – Pass the Ticket: Session cookies stolen from browsers allow attackers to leverage existing authenticated sessions.
Indicators of Compromise:
- [URL] http://intranet.honeywell.com
- [URL] http://access.dev1.honeywell.com
- [URL] http://globalapps.honeywell.com
- [URL] https://adfs1.honeywell.com/adfs/ls
- [URL] https://itim.honeywell.com/idm/controller