“Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,” Palo Alto explained.“The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,” it added.The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT.The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect.EarthwormandReverseSocks5have predominantly been used by Chinese APT groups, includingVolt TyphoonandAPT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors.Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
“The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary,” it added.The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT.The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect.EarthwormandReverseSocks5have predominantly been used by Chinese APT groups, includingVolt TyphoonandAPT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors.Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
The attackers deployed the open source Earthworm and ReverseSocks5 tools. The former is a network tunneling tool that enables attackers to establish a covert communications channel, while the latter allows them to bypass firewalls and NAT.The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect.EarthwormandReverseSocks5have predominantly been used by Chinese APT groups, includingVolt TyphoonandAPT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors.Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
The cybersecurity firm has stopped short of attributing the attacks to a specific country, but the evidence it has presented points to China as the main suspect.EarthwormandReverseSocks5have predominantly been used by Chinese APT groups, includingVolt TyphoonandAPT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors.Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
EarthwormandReverseSocks5have predominantly been used by Chinese APT groups, includingVolt TyphoonandAPT41. Log destruction has also often been observed during attacks attributed to Chinese threat actors.Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
Active Directory targeting is also a hallmark of Chinese groups, though other nation-state hackers and cybercriminals use this technique as well.“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration,” Palo Alto noted. “This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.”Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
Related:Critical cPanel & WHM Vulnerability Exploited as Zero-Day for MonthsRelated:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
Related:Microsoft Patches Exploited SharePoint Zero-Day and 160 Other VulnerabilitiesRelated:Adobe Patches Reader Zero-Day Exploited for Months
Related:Adobe Patches Reader Zero-Day Exploited for Months
Source: SecurityWeek
