In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information.
As an example, the threat actors downloaded a small photo from a publically accessible human resources page.
Forensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering information posted on company-controlled websites.
It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks.
DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.
As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file.
(Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password.
Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.