WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans.
The post North Korea IT Worker Scam Brings Malware and Funds Nukes appeared first on Security Boulevard.
Financial terms were not released but the price tag is expected to be hefty with Exabeamβs most recent valuation pegged at $2.5 billion.
The post Thoma Bravo-Owned LogRhythm Announces Merger With Rival ExabeamΒ appeared first on SecurityWeek.
Phish Ahoy! Hacker took advantage of Dellβs lack of anti-scraping defense.
The post Dell Hell Redux β More Personal Info Stolen by βMenelikβ appeared first on Security Boulevard.
In the realm of cybersecurity, vigilance is paramount. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a critical vulnerability in GitLab, a popular platform for collaborative software development. This GitLab password exploit tracked as CVE-2023-7028, has been actively exploited in the wild, posing significant risks to organizations utilizing GitLab for their development workflows. [β¦]
The post CISA Alert: GitLab Password Exploit β Act Now For Protection appeared first on TuxCare.
The post CISA Alert: GitLab Password Exploit β Act Now For Protection appeared first on Security Boulevard.
Source: news.sophos.com β Author: Sally Adam PRODUCTS & SERVICES I am delighted to announce that the Sophos Incident Response service has been awarded U.K.βs National Cyber Security Centre (NCSC) Cyber Incident Response (CIR) Level 2 status by CREST. This assurance confirms that amid the sophisticated cybersecurity threat landscape, Sophos has the experience and capabilities to [β¦]
La entrada Sophos Incident Response achieves NCSC Certified Incident Response (CIR) Level 2 status β Source: news.sophos.com se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The Biden Administration is moving to cybersecurity standards for hospitals, but the AHA is pushing back, saying voluntary models are enough.
The post UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security appeared first on Security Boulevard.
Source: securelist.com β Author: Kaspersky GERT, Kaspersky Security Services SOC, TI and IR posts SOC, TI and IR posts 14 May 2024 minute read Incident response analyst report 2023 As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, [β¦]
La entrada Incident response analyst report 2023 β Source: securelist.com se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
ΠΡΠ΄Π΅Ρ! Russian ransomware rascals riled a Roman Catholic healthcare organization.
The post FBI/CISA Warning: βBlack Bastaβ Ransomware Gang vs. Ascension Health appeared first on Security Boulevard.
Source: securityboulevard.com β Author: Richi Jennings Dark web sale of leaked data exposes Dell users to phishing phraud. Dell customer data from the past six or more years has been stolen. It looks like scrotes unknown broke into the company support portal and sold scads of personal information to the highest bidder. Again? In todayβs [β¦]
La entrada Dell Hell: 49 Million Customersβ Information Leaked β Source: securityboulevard.com se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securityboulevard.com β Author: Jeffrey Burt Dell is sending emails to as many as 49 million people about a data breach that exposed their names, physical addresses, and product order information. According to the brief message, bad actors breached a Dell portal that contains a database βwith limited types of customer information related to purchases [β¦]
La entrada Dell Data Breach Could Affect 49 Million Customers β Source: securityboulevard.com se publicΓ³ primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The tech giant says the information stolen doesn't represent a significant risk to users, but cybersecurity experts disagree.
The post Dell Data Breach Could Affect 49 Million Customers appeared first on Security Boulevard.
DUDE! Youβre Getting Phished.
Dell customer data from the past six (or more?) years was stolen. It looks like someone sold scads of personal information to the highest bidder.
The post Dell Hell: 49 Million Customersβ Information Leaked appeared first on Security Boulevard.
Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann
Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The incident involves a threat actor overwhelming a user's email with junk and calling the user, offering assistance. The threat actor prompts impacted users to download remote monitoring and management software like AnyDesk or utilize Microsoft's built-in Quick Assist feature in order to establish a remote connection. Once a remote connection has been established, the threat actor moves to download payloads from their infrastructure in order to harvest the impacted users credentials and maintain persistence on the impacted users asset.
In one incident, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other assets within the compromised network. While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT and other incident response engagements handled by Rapid7.
Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the userβs inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.
With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organizationβs IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.
In the event the threat actorβs social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.
Once the threat actor successfully gains access to a userβs computer, they begin executing a series of batch scripts, presented to the user as updates, likely in an attempt to appear more legitimate and evade suspicion. The first batch script executed by the threat actor typically verifies connectivity to their command and control (C2) server and then downloads a zip archive containing a legitimate copy of OpenSSH for Windows (ultimately renamed to ***RuntimeBroker.exe***), along with its dependencies, several RSA keys, and other Secure Shell (SSH) configuration files. SSH is a protocol used to securely send commands to remote computers over the internet. While there are hard-coded C2 servers in many of the batch scripts, some are written so the C2 server and listening port can be specified on the command line as an override.
The script then establishes persistence via run key entries Β in the Windows registry. The run keys created by the batch script point to additional batch scripts that are created at run time. Each batch script pointed to by the run keys executes SSH via PowerShell in an infinite loop to attempt to establish a reverse shell connection to the specified C2 server using the downloaded RSA private key. Rapid7 observed several different variations of the batch scripts used by the threat actor, some of which also conditionally establish persistence using other remote monitoring and management solutions, including NetSupport and ScreenConnect.
In all observed cases, Rapid7 has identified the usage of a batch script to harvest the victimβs credentials from the command line using PowerShell. The credentials are gathered under the false context of the βupdateβ requiring the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actorβs server via a Secure Copy command (SCP). In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.
In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.
In one incident, Rapid7 observed the threat actor attempting to deploy additional remote monitoring and management tools including ScreenConnect and the NetSupport remote access trojan (RAT). Rapid7 acquired the Client32.ini file, which holds the configuration data for the NetSupport RAT, including domains for the connection. Rapid7 observed the NetSupport RAT attempt communication with the following domains:
After successfully gaining access to the compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, disguised as a legitimate Dynamic Link Library (DLL) named 7z.DLL, to other assets within the same network as the compromised asset using the Impacket toolset.
In our analysis of 7z.DLL, Rapid7 observed the DLL was altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.
The threat actor would attempt to deploy the Cobalt Strike beacon by executing the legitimate binary 7zG.exe and passing a command line argument of `b`, i.e. `C:\Users\Public\7zG.exe b`. By doing so, the legitimate binary 7zG.exe side-loads 7z.DLL, which in turn executes the embedded Cobalt Strike beacon. This technique is known as DLL side-loading, a method Rapid7 previously discussed in a blog post on the IDAT Loader.
Upon successful execution, Rapid7 observed the beacon inject a newly created process, choice.exe.
Rapid7 recommends baselining your environment for all installed remote monitoring and management solutions and utilizing application allowlisting solutions, such as AppLocker or ββMicrosoft Defender Application Control, to block all unapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can be blocked from execution via AppLocker. Β As an additional precaution, Rapid7 recommends blocking domains associated with all unapproved RMM solutions. A public GitHub repo containing a catalog of RMM solutions, their binary names, and associated domains can be found here.
Rapid7 recommends ensuring users are aware of established IT channels and communication methods to identify and prevent common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone calls and texts purporting to be from internal IT staff.
| Tactic | Technique | Procedure |
|---|---|---|
| Denial of Service | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam. |
| Initial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organizationβs IT team to gain remote access. |
| Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell | The threat actor executes batch script after establishing remote access to a userβs asset. |
| Execution | T1059.001: Command and Scripting Interpreter: PowerShell | Batch scripts used by the threat actor execute certain commands via PowerShell. |
| Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH. |
| Defense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The threat actor uses cacls.exe via batch script to modify file permissions. |
| Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypted several zip archive payloads with the password βqaz123β. |
| Credential Access | T1056.001: Input Capture: Keylogging | The threat actor runs a batch script that records the userβs password via command line input. |
| Discovery | T1033: System Owner/User Discovery | The threat actor uses whoami.exe to evaluate if the impacted user is an administrator or not. |
| Lateral Movement | T1570: Lateral Tool Transfer | Impacket was used to move payloads between compromised systems. |
| Command and Control | T1572: Protocol Tunneling | An SSH reverse tunnel is used to provide the threat actor with persistent remote access. |
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:
| Detections |
|---|
| Attacker Technique - Renamed SSH For Windows |
| Persistence - Run Key Added by Reg.exe |
| Suspicious Process - Non Approved Application |
| Suspicious Process - 7zip Executed From Users Directory (*InsightIDR product only customers should evaluate and determine if they would like to activate this detection within the InsightIDR detection library; this detection is currently active for MDR/MTC customers) |
| Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command |
| Network Discovery - Domain Controllers via Net.exe |
| Domain/IPv4 Address | Notes |
|---|---|
| upd7[.]com | Batch script and remote access tool host. |
| upd7a[.]com | Batch script and remote access tool host. |
| 195.123.233[.]55 | C2 server contained within batch scripts. |
| 38.180.142[.]249 | C2 server contained within batch scripts. |
| 5.161.245[.]155 | C2 server contained within batch scripts. |
| 20.115.96[.]90 | C2 server contained within batch scripts. |
| 91.90.195[.]52 | C2 server contained within batch scripts. |
| 195.123.233[.]42 | C2 server contained within batch scripts. |
| 15.235.218[.]150 | AnyDesk server used by the threat actor. |
| greekpool[.]com | Primary NetSupport RAT gateway. |
| rewilivak13[.]com | Secondary NetSupport RAT gateway. |
| 77.246.101[.]135 | C2 address used to connect via AnyDesk. |
| limitedtoday[.]com | Cobalt Strike C2 domain. |
| thetrailbig[.]net | Cobalt Strike C2 domain. |
| File | SHA256 | Notes |
|---|---|---|
| s.zip | C18E7709866F8B1A271A54407973152BE1036AD3B57423101D7C3DA98664D108 | Payload containing SSH config files used by the threat actor. |
| id_rsa | 59F1C5FE47C1733B84360A72E419A07315FBAE895DD23C1E32F1392E67313859 | Private RSA key that is downloaded to impacted assets. |
| id_rsa_client | 2EC12F4EE375087C921BE72F3BD87E6E12A2394E8E747998676754C9E3E9798E | Private RSA key that is downloaded to impacted assets. |
| authorized_keys | 35456F84BC88854F16E316290104D71A1F350E84B479EEBD6FBB2F77D36BCA8A | Authorized key downloaded to impacted assets by the threat actor. |
| RuntimeBroker.exe | 6F31CF7A11189C683D8455180B4EE6A60781D2E3F3AADF3ECC86F578D480CFA9 | Renamed copy of the legitimate OpenSSH for Windows utility. |
| a.zip | A47718693DC12F061692212A354AFBA8CA61590D8C25511C50CFECF73534C750 | Payload that contains a batch script and the legitimate ScreenConnect setup executable. |
| a3.zip | 76F959205D0A0C40F3200E174DB6BB030A1FDE39B0A190B6188D9C10A0CA07C8 | Contains a credential harvesting batch script. |
Tech giant notifies millions of customers that full names and physical mailing addresses were stolen during a security incident.
The post Dell Says Customer Names, Addresses Stolen in Database Breach appeared first on SecurityWeek.
War of the words: Fancy Bear actions are βintolerable and unacceptable,β complains German foreign minister Annalena Baerbock.
The post Germany Warns Russia: Hacking Will Have Consequences appeared first on Security Boulevard.
Google rolls out new threat-intel and security operations products and looks to the magic of AI to tap into the booming cybersecurity market.
The post Google Debuts New Security Products, Hyping AI and Mandiant Expertise appeared first on SecurityWeek.
UnitedHealth CEO Andrew Witty said in a U.S. Senate hearing that his company is still trying to understand why the server did not have the additional protection.
The post Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says appeared first on SecurityWeek.
UnitedHealth Groupβs CEO Andrew Witty shares details on the damaging cyberattack in testimony before a US Congress committee set for May 1, 2024.
The post UnitedHealth CEO Says Hackers Lurked in Network for Nine Days Before Ransomware Strike appeared first on SecurityWeek.
Palo Alto Networks has shared remediation instructions for organizations whose firewalls have been hacked via CVE-2024-3400.
The post Palo Alto Networks Shares Remediation Advice for Hacked Firewalls appeared first on SecurityWeek.
Irish startup Tines raises $50 million in new venture capital funding as investors make big bets on automation and orchestration startups.
The post Tines Bags $50 Million Funding for Security Workflow Automation appeared first on SecurityWeek.
UnitedHealth confirms that personal and health information was stolen in a ransomware attack that could cost the company up to $1.6 billion.
The post UnitedHealth Says Patient Data Exposed in Change Healthcare Cyberattack appeared first on SecurityWeek.
Investors make an early-stage $6.5 million bet on BreachRx, a startup promising to shield cybersecurity executives from personal liability.
The post BreachRx Raises $6.5M to Revamp Incident Response Reporting Systems appeared first on SecurityWeek.
*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, itβs also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected leading to further compromise.
Rapid7 consistently monitors emergent threats to identify areas for new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation available for all IDR customers to detect the usage of the text-inline.vm consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7βs blog on CVE-2023-22527.
Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.
Evidence showed multiple instances of exploitation of this CVE, however, evidence of an embedded command would not be available within the standard header information logged within access logs. Packet Capture (PCAP) was not available to be reviewed to identify embedded commands, but the identified POST requests are consistent with the exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:
| Access.log Entry |
|---|
| POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 |
| POST /template/aui/text-inline.vm HTTP/1.0 200 70ms 7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 |
| POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 |
Evidence showed the execution of a curl command post-exploitation of the CVE resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
As a result of the executed curl command, file w.sh was written to the /tmp/ directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executed the wget command to download javs.tar.gz from the IP address 38.6.173[.]11 over port 80. This file was identified to be the XMRigCC cryptomining malware which caused a spike in system resource utilization consistent with cryptomining activity. Service javasgs_miner.service was created on the system and set to run as root to ensure persistence.
The following is a snippet of code contained within w.sh defining communication parameters for the downloading and execution of the XMRigCC binary.
Rapid7 found additional log evidence within Catalina.log that references the download of the above file inside of an HTTP response header. This response registered as βinvalidβ as it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the above Catalina log may prove useful for analysts to identify additional proof of attempted or successful exploitation.
| Catalina Log Entry |
|---|
| WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz... ] has been removed from the response because it is invalid |
Rapid7 then shifted focus to begin a review of system network connections on both servers. Evidence showed an active connection with known-abused IP address 193.29.13[.]179 communicating over port 8888 from both servers. netstat command output showed that the network connectionβs source program was called X-org and was located within the systemβs /tmp directory. According to firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamps of the identified X-org file creation. Rapid7 identified another malicious file residing on the secondary server named X0 Both files shared the same SHA256 hash, indicating that they are the same binary. The hash for these files has been provided below in the IOCs section.
A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available Indicators of Compromise (IOCs). Within the Sliver payload, Rapid7 confirmed the following IP address 193.29.13[.]179 would communicate over port 8888 using the mTLS authentication protocol.
After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read etc/passwd and etc/machine-id and then communicated back with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and any account on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.
The Sliver C2 connection was later used to execute wget commands used to download Kerbrute, Traitor, and Fscan to the servers. Kerbute was executed from dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentications. The Traitor binary was executed from the var/tmp directory which contains the functionality to leverage Pwnkit and Dirty Pipe as seen within evidence on the system. Fscan was executed from the var/tmp directory with the file name f and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.
To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:
Ensure that unnecessary ports and services are disabled on publicly-facing servers.
All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.
Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.
Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.
Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.
| Tactics | Techniques | Details |
|---|---|---|
| Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection |
| Discovery | Domain Account Discovery (T1087) | Kerbrute enumeration of Active Directory |
| Reconnaissance | Active Scanning (T1595) | Fscan enumeration |
| Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation |
| Execution | Unix Shell (T1059.004) | The Sliver payload and follow-on command executions |
| Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute force component |
| Credential Access | OS Credential Dumping (T1003.008) | Extracting the contents of /etc/passwd file |
| Impact | Resource Hijacking (T1496) | Execution of cryptomining software |
| Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline abuse within Confluence logs |
| Attribute | Value | Description |
|---|---|---|
| Filename and Path | /dev/shm/traitor-amd64 | Privilege escalation binary |
| SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash for Traitor binary |
| Filename and Path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory |
| SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash for Kerbrute binary |
| Filename and Path | /var/tmp/f | Fscan enumeration |
| SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash for Fscan binary |
| Filename and Path | /tmp/X0 | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash for Sliver binary |
| Filename and Path | /tmp/X-org | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash for Sliver binary |
| IP Address | 193.29.13.179 | Sliver C2 IP address |
| Filename and Path | /tmp/w.sh | Bash script for XMrigCC cryptominer |
| SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash for bash script |
| Filename and Path | /tmp/javs.tar.gz | Compressed crypto installation files |
| SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash for crypto installation files |
| Log-Based IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by GET request containing curl | Exploit behavior within Confluence access.log |
| IP Address | 195.80.148.18 | IP address associated with exploit behavior of text-inline followed by curl |
| IP Address | 103.159.133.23 | IP address associated with exploit behavior of text-inline followed by curl |
Login