A significant cyberattack disrupted Nevada’s state government network on August 24, forcing all state office branches to shut down operations for 48 hours.
The intrusion began with the exploitation of an unpatched VPN gateway, allowing the threat actor to gain an initial foothold on the internal network.
Within hours, the attackers deployed a custom malware payload designed to escalate privileges, move laterally across critical servers, and exfiltrate sensitive data.
This event marks one of the most severe disruptions of state IT services in recent history, affecting email, public records access, and internal communication channels.
Governor Lombardo Press Office analysts noted that the malware leveraged a multi-stage attack vector: a lightweight dropper written in PowerShell, which in turn fetched a second-stage binary from a compromised web server.
This binary contained encrypted configuration files, indicating the attackers’ intent to remain undetected while mapping the network topology.
As state technicians worked to isolate infected endpoints, normal user authentication services were rerouted to offline backups, further complicating the recovery process.
Initial forensic analysis revealed that the dropper script used the following pattern to establish persistence on reboot (the script path had its backslashes stripped in earlier reporting; it is restored here):
# Launch the dropped script with a hidden window and without loading the user profile
$TaskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -File C:\Windows\Temp\svc_update.ps1'
# Fire on every system start
$Trigger = New-ScheduledTaskTrigger -AtStartup
# Register under a name and description that imitate a Windows component
Register-ScheduledTask -TaskName 'WindowsUpdateSvc' -Action $TaskAction -Trigger $Trigger -Description 'System Update Service'
This technique allowed the malware to relaunch silently, even after endpoint patches were applied.
Governor Lombardo Press Office researchers identified the dropper’s code similarities to known APT toolkits, suggesting that the perpetrators possess advanced capabilities and extensive reconnaissance data on state infrastructure.
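Defenders can hunt for this persistence pattern in the TaskContent field of Windows Security event 4698 (scheduled task created), which carries the registered task as Task Scheduler XML. The triage script below is an added example, not code from the article or from the investigators; the event bodies it parses are constructed to mirror the Register-ScheduledTask call above, and the indicator list and the flagging threshold are the author's assumptions rather than anything reported about this incident.

```python
"""Triage scheduled-task registrations (Security event 4698 TaskContent) for
a script host launched hidden at boot from a user-writable directory under a
name that imitates a Windows component."""
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML, which is what a 4698 event's TaskContent carries.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# (regex over the Exec arguments, indicator label); assumed indicator set.
ARG_INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\\(?:temp|appdata|programdata|users\\public)\\", "script in user-writable path"),
]

# Constructed TaskContent for the attacker's registration above (not real telemetry).
MALICIOUS_TASK = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>System Update Service</Description>
    <URI>\WindowsUpdateSvc</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -File C:\Windows\Temp\svc_update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task for comparison: a vendor binary on a calendar trigger.
BENIGN_TASK = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MyCorp\NightlyBackup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\MyCorp\backup.exe</Command>
      <Arguments>--quiet</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def analyze_task_content(task_xml: str) -> dict:
    """Return the task name, its command line and the persistence indicators found."""
    root = ET.fromstring(task_xml.strip())
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    indicators = []

    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        indicators.append(f"script host: {exe}")
        # Genuine Windows Update tasks use COM-handler actions, not a powershell.exe Exec.
        if re.search(r"(windows|microsoft|update|defender|svc|service)", uri, re.I):
            indicators.append("system-like name runs a script host")

    for pattern, label in ARG_INDICATORS:
        if re.search(pattern, args, re.I):
            indicators.append(label)

    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for kind in ("BootTrigger", "LogonTrigger"):
            if triggers.find(f"t:{kind}", NS) is not None:
                indicators.append(f"{kind.lower()} (runs at startup/logon)")

    return {"name": uri, "command": f"{command} {args}".strip(),
            "indicators": indicators, "score": len(indicators)}


def triage(task_xmls, threshold: int = 3) -> list:
    """Names of tasks whose indicator count reaches the (assumed) alert threshold."""
    return [r["name"] for r in map(analyze_task_content, task_xmls) if r["score"] >= threshold]


if __name__ == "__main__":
    for xml in (MALICIOUS_TASK, BENIGN_TASK):
        print(analyze_task_content(xml))
    print("flagged:", triage([MALICIOUS_TASK, BENIGN_TASK]))
```

Feed the script the TaskContent strings pulled from 4698 events (for example via the EventData of each record) and review anything at or above the threshold; the same checks also apply to the on-disk task XML under C:\Windows\System32\Tasks, which is the place to look when audit logging was not enabled at the time of registration.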
Infection Mechanism
Delving deeper into the infection mechanism, the second-stage binary employs a custom communications protocol over HTTPS, masquerading its traffic as benign REST API calls to evade intrusion detection systems.
Upon execution, the binary loads a DLL into the Windows Management Instrumentation (WMI) host process (wmiprvse.exe), effectively concealing its operations within a legitimate system process.
The DLL decrypts embedded payloads in memory, deploying modules that scan for domain controllers and file shares.
Once targets are identified, encrypted archives of critical files are staged for exfiltration using chunked uploads to a remote C2 server.
The malware transitions from initial code execution to data exfiltration without triggering standard network security alarms.
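Traffic that imitates REST API calls will not be caught by signatures, but chunked uploads leave a statistical trace: one client sending a run of POSTs of near-identical size, at a steady cadence, to a single external host. The detection below is an added example, not code from the article or from the investigators; it runs over constructed proxy log lines (timestamp, client, method, host, path, status, bytes sent), and the thresholds, the allowlist and the tolerance for the smaller final chunk are the author's assumptions, not details reported about this campaign.

```python
"""Flag clients that send many near-uniform POST bodies to one external host:
the shape of a chunked upload masquerading as API traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: time client method host path status bytes_out
SAMPLE_LOG = """\
2025-08-24T03:12:05Z 10.20.5.17 GET www.example.com /index.html 200 412
2025-08-24T03:12:08Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=1 200 1048576
2025-08-24T03:12:41Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=2 200 1048590
2025-08-24T03:13:14Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=3 200 1048576
2025-08-24T03:13:47Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=4 200 1048601
2025-08-24T03:14:20Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=5 200 1048576
2025-08-24T03:14:52Z 10.20.5.17 POST sso.corp.example /oauth2/token 200 1320
2025-08-24T03:14:53Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=6 200 1048588
2025-08-24T03:15:26Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=7 200 1048576
2025-08-24T03:15:59Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=8 200 1048576
2025-08-24T03:16:32Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=9 200 1048593
2025-08-24T03:17:05Z 10.20.5.17 POST api.cdn-metrics.example /v1/metrics/upload?seq=10 200 311204
2025-08-24T03:17:30Z 10.20.5.44 POST mail.corp.example /api/send 200 2310
2025-08-24T03:18:02Z 10.20.5.44 POST mail.corp.example /api/send 200 18880
2025-08-24T03:19:45Z 10.20.5.44 POST mail.corp.example /api/send 200 905
"""

# Assumed allowlist of hosts that legitimately receive bulk POSTs from clients.
ALLOWLIST = {"sso.corp.example"}


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    ts, client, method, host, path, status, size = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host, "path": path,
            "status": int(status), "bytes_out": int(size)}


def find_chunked_uploads(lines, min_posts=8, size_tolerance=0.05,
                         uniform_fraction=0.8, allowlist=ALLOWLIST) -> list:
    """Group POSTs by (client, host) and flag runs of near-uniform body sizes.

    The last chunk of an upload is normally smaller, so the check asks that a
    fraction of requests, not all of them, sit within the tolerance of the median.
    """
    groups = defaultdict(list)
    for rec in (parse_line(l) for l in lines if l.strip()):
        if rec["method"] == "POST" and rec["host"] not in allowlist:
            groups[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in groups.items():
        if len(recs) < min_posts:
            continue
        recs.sort(key=lambda r: r["ts"])
        sizes = [r["bytes_out"] for r in recs]
        typical = median(sizes)
        close = sum(abs(s - typical) <= size_tolerance * typical for s in sizes)
        if close / len(sizes) < uniform_fraction:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        findings.append({"client": client, "host": host, "posts": len(recs),
                         "typical_bytes": typical, "total_bytes": sum(sizes),
                         "span_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
                         "median_interval_s": median(gaps)})
    return findings


if __name__ == "__main__":
    for f in find_chunked_uploads(SAMPLE_LOG.splitlines()):
        print(f)
```

The interesting fields for an analyst are the steady interval and the uniform chunk size, since both come from the uploader's loop rather than from anything a user does; a legitimate API client that batches records rarely produces a dozen megabyte-sized bodies at a fixed cadence to one host.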