Published on May 15, 2026

Microsoft Warns of Attackers Using Trusted HPE Operations Agent for Malware-Free Intrusions


Severity

Medium

Detail

Security researchers uncovered a stealthy cyberattack where threat actors abused a legitimate enterprise management tool to stay hidden inside a company’s network for more than 100 days. Instead of deploying obvious malware, the attackers relied on trusted administrative software already approved within the environment, allowing them to move quietly across critical systems without triggering major security alerts.

The campaign was investigated by Microsoft Incident Response, which found that the attackers exploited trusted access provided through a third-party IT services provider. The attack specifically abused the HPE Operations Agent platform, though no vulnerability in the software itself was involved.

How?

After compromising a third-party IT provider, the attackers used the trusted HPE Operations Agent platform to distribute malicious VBScript files across web servers and domain controllers. These scripts collected system information, mapped the internal network, and identified valuable systems while appearing as legitimate administrative activity.

To maintain long-term access, the attackers deployed web shells such as Errors.aspx and a modified Signoff.aspx on internet-facing servers. They also focused heavily on credential theft by installing malicious DLLs like mslogon.dll and passms.dll on domain controllers. These components intercepted usernames and passwords during Windows authentication events and quietly stored the stolen data for later retrieval.

The attackers later used the harvested credentials to move laterally across sensitive systems, including SQL servers and domain controllers. To avoid detection, they established encrypted remote access tunnels using ngrok, allowing covert Remote Desktop Protocol (RDP) sessions without exposing suspicious firewall ports or relying on obvious malware activity.

Conclusion

The incident highlights how modern threat actors increasingly rely on trusted tools and legitimate administrative channels instead of noisy malware. By abusing existing enterprise software and third-party access relationships, attackers can remain hidden for long periods while harvesting credentials and moving through sensitive environments.

Researchers recommend organizations strengthen monitoring of administrative tools, enable endpoint detection and response (EDR) solutions across all systems, restrict unnecessary outbound connections, and closely monitor authentication-related configurations for unusual changes. The campaign also reinforces the growing risks associated with third-party service providers and the importance of maintaining visibility into all trusted remote access pathways.
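One concrete form of the "monitor authentication-related configurations" recommendation is to diff the LSA package registrations on domain controllers against a recorded baseline. This is an added example, not code from the advisory or from Microsoft; the advisory does not state how mslogon.dll and passms.dll hooked authentication, so the constructed `reg query` output below simply assumes the LSA Authentication/Notification Packages route as an illustration, and the baseline sets are assumptions to be replaced with values captured from a known-good host.

```python
import re

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output.
# reg.exe shows REG_MULTI_SZ entries separated by a literal "\0". The two
# extra names match the DLLs the advisory reports (Windows lists LSA packages
# without the .dll suffix); everything else here is sample data.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0\0mslogon
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0passms
"""

# Assumed per-environment baseline of expected package names. Record these
# from a known-good domain controller rather than trusting this sample.
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli", "rassfm"},
}

MONITORED = tuple(BASELINE)

def parse_reg_query(text):
    """Return {value_name: [entries]} for the monitored REG_MULTI_SZ values."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s{2,}REG_MULTI_SZ\s+(.*)$", line)
        if not m or m.group(1) not in MONITORED:
            continue
        raw = m.group(2).strip()
        # Split on the literal backslash-zero separator reg.exe prints.
        entries = [e.strip().lower() for e in raw.split(r"\0") if e.strip()]
        values[m.group(1)] = entries
    return values

def find_unexpected_packages(text, baseline=BASELINE):
    """Return sorted (value_name, entry) pairs that are not in the baseline."""
    findings = []
    for name, entries in parse_reg_query(text).items():
        allowed = {a.lower() for a in baseline.get(name, set())}
        findings.extend((name, e) for e in entries if e not in allowed)
    return sorted(findings)

if __name__ == "__main__":
    for name, entry in find_unexpected_packages(SAMPLE_REG_QUERY):
        print(f"ALERT: unexpected entry '{entry}' in LSA '{name}'")
```

Run the same comparison on a schedule and alert on any new entry; a legitimate change to these values is rare enough that each hit deserves a ticket.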

Source

https://cybersecuritynews.com/microsoft-warns-of-attackers-using-trusted-hpe-operations-agent/