Microsoft has recently disclosed a sophisticated intrusion campaign in which attackers evaded traditional security controls by operating through trusted enterprise tools. The case illustrates a broader shift in the threat landscape: rather than dropping recognizable malware, adversaries increasingly rely on legitimate software and existing trust relationships to move through networks unnoticed.
The cyber attack did not exploit any vulnerabilities within HPE Operations Agent (OA), a trusted IT management tool. Instead, it began with a compromised third-party IT services provider tasked with managing the organization’s infrastructure. By accessing systems through a trusted vendor, the threat actors were able to manipulate their way into the organization’s networks without raising alarms. This tactic enabled them to blend seamlessly into standard administrative tasks, making their malicious activities appear as routine system operations. As a result, detection and subsequent response efforts were significantly delayed.
This operation is notably aligned with the MITRE ATT&CK framework’s technique T1199, known simply as the “Trusted Relationship” technique. In this scenario, the trust associated with the external service provider effectively broadened the attack surface, allowing adversaries to exploit pre-existing business and operational trust paths. By extending their reach beyond the internal networks, these attackers demonstrated a clever exploitation of the systems that enterprises rely on for daily operations.
According to a report shared by Microsoft with cyber threat intelligence sources, the attackers utilized HPE OA to execute a series of destructive and malicious actions across the targeted environments. Specifically, on the organization’s domain controllers, they deployed a rogue network provider named “mslogon.” This malicious component enabled the interception of user credentials during login activities and password modifications, allowing the attackers to gather sensitive information without detection.
The breadth of this intrusion campaign was revealed through Microsoft’s detailed analysis, outlining that the operation unfolded over several months. Following their initial access, the attackers implemented VBScript payloads through the HPE Operations Manager (HPOM), which allowed them to conduct extensive network reconnaissance and map out Active Directory structures. This phase of the attack was crucial, as it led to the escalation into credential harvesting and further penetration into critical systems.
Furthermore, the malicious network provider DLL was designed to capture usernames and passwords in cleartext and store them locally. The attackers then reused these credentials for lateral movement across the organization’s networks.
As the campaign deepened, the intruders employed a second credential-capture mechanism: a password filter DLL known as “passms.dll.” This component was registered with the Windows Local Security Authority (LSA), which lets it see new passwords whenever users change them. Unlike the network provider, this one did not leave its output in cleartext: the captured data was double-encoded, first with Base64 and then with a custom encoding routine embedded in the DLL, making recovery of the stolen material harder for defenders to recognize.
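Both components described above (the “mslogon” network provider and the “passms.dll” password filter) have to be registered in well-known registry locations to receive credentials, which makes those locations a natural audit point. The following PowerShell script is an added example, not code from Microsoft’s report; the baseline lists of known providers and notification packages are this example’s assumptions and should be adjusted to each host.

```powershell
# Added example: audit the two credential-capture registration points on a
# Windows host or domain controller. Run from an elevated PowerShell session.
# The baseline arrays are assumptions for illustration; tune them per host.

$knownProviders = @('RDPNP', 'LanmanWorkstation', 'webclient')   # assumed baseline
$knownPackages  = @('scecli', 'rassfm')                            # assumed baseline

function Test-ImageTrust {
    param([string]$Path)
    # Flag a DLL that is missing, lives outside System32, or lacks a valid
    # Authenticode signature (an attacker can drop a DLL into System32 too,
    # so the signature check matters more than the location check).
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path $full)) { return "MISSING ($full)" }
    $sig = Get-AuthenticodeSignature -FilePath $full
    $inSys32 = $full -like "$env:SystemRoot\System32\*"
    if ($sig.Status -ne 'Valid' -or -not $inSys32) {
        return "SUSPICIOUS ($full, signature=$($sig.Status))"
    }
    return "ok ($full)"
}

# 1. Network providers: ProviderOrder lists the names that receive logon
#    credentials; each name's DLL is under Services\<name>\NetworkProvider.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order = (Get-ItemProperty $orderKey).ProviderOrder -split ','
foreach ($name in $order) {
    $np = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider" `
          -ErrorAction SilentlyContinue
    $flag = if ($knownProviders -notcontains $name) { 'UNEXPECTED' } else { 'known' }
    $img  = if ($np) { Test-ImageTrust $np.ProviderPath } else { 'no NetworkProvider key' }
    "[NetworkProvider] $name : $flag : $img"
}

# 2. LSA password filters: 'Notification Packages' holds DLL base names that
#    LSA loads from System32 and calls on every password change.
$lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($pkg in $lsa.'Notification Packages') {
    $flag = if ($knownPackages -notcontains $pkg) { 'UNEXPECTED' } else { 'known' }
    "[NotificationPackage] $pkg : $flag : $(Test-ImageTrust "$env:SystemRoot\System32\$pkg.dll")"
}
```

Any entry reported as UNEXPECTED or SUSPICIOUS warrants the same review as a new service or driver, and changes to these two keys are worth alerting on centrally since a legitimate change to them is rare.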
In addition to this, web shells were established on internet-facing servers, utilizing modified application files, such as “Signoff.aspx.” These web shells facilitated remote command execution and file uploads without raising suspicion, as they mimicked the behavior of legitimate applications.
The attackers also deployed tools like ngrok to maintain covert remote access. By setting up encrypted tunnels, they could establish Remote Desktop Protocol (RDP) connections without leaving ports exposed, effectively circumventing perimeter defenses and enabling lateral movements across critical systems, including SQL servers and domain controllers. This process was facilitated further by using Windows Management Instrumentation (WMI)-based remote execution to deploy and launch ngrok on various devices.
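Because the report describes ngrok being launched through WMI-based remote execution, process-creation telemetry on the receiving host shows the tunnel binary as a child of the WMI provider host. The following PowerShell hunt is an added example, not code from Microsoft’s report; it assumes Security event 4688 auditing with command-line logging is enabled, and the ngrok-related strings it matches are this example’s assumptions rather than indicators from the report.

```powershell
# Added example: hunt Security 4688 (process creation) events for children of
# WmiPrvSE.exe that look like a tunneling client. Assumes process-creation
# auditing with command line is enabled; the match strings are assumptions.

$suspectImages = @('ngrok')                 # assumed: binary is often renamed, so also check arguments
$suspectArgs   = @('ngrok', 'tcp 3389')     # assumed CLI fragments worth a second look

function Get-WmiSpawnedTunnels {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the event XML so fields are addressed by name, not by index.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $parent = [string]$d['ParentProcessName']
        if ($parent -notlike '*\WmiPrvSE.exe') { continue }   # only WMI-spawned processes

        $image = [string]$d['NewProcessName']
        $cmd   = [string]$d['CommandLine']
        $imgHit = $suspectImages | Where-Object { $image -like "*$_*" }
        $argHit = $suspectArgs   | Where-Object { $cmd   -like "*$_*" }
        if ($imgHit -or $argHit) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Image       = $image
                CommandLine = $cmd
                Parent      = $parent
            }
        }
    }
}

Get-WmiSpawnedTunnels -Days 7 | Format-Table -AutoSize
```

Any process under WmiPrvSE.exe on a domain controller or SQL server deserves a look even without a string match, so the same function with the match removed is a useful weekly baseline report.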
Despite the multiple layers and stages of compromise, the attack largely remained undetected due to its reliance on already trusted tools, valid credentials, and established system processes. Even after suspicions were raised, the threat actors managed to reestablish their persistence by utilizing previously compromised access points.
In light of these developments, Microsoft has underscored a wider trend in contemporary cyber operations that favor stealth over noise. Rather than relying solely on the deployment of discernible malware that triggers security alerts, attackers seem to prioritize living off the land—leveraging built-in tools and pre-existing trust relationships for long-term access to networks.
To mitigate these sophisticated threats, Microsoft recommends that organizations deploy endpoint detection and response (EDR) across all systems, enforce strict outbound traffic controls, and maintain comprehensive logging on servers. A zero-trust approach is also advised, especially toward third-party service providers, together with continuous validation of the behavior of trusted tools within the environment. This proactive stance may prove crucial in reducing the risk posed by stealthy intrusion campaigns of this kind.