Analyzing Initial Web Shell and VPN Threats: An MXDR Perspective

Trend Micro MXDR analyzes two incidents involving web shells and VPN compromises, detailing attack chains, tools used, and security recommendations. It emphasizes behavioral analysis and layered defenses to detect and disrupt early-stage intrusions. #WebShell #VPNCompromise #AnyDesk #Impacket #SECRETSDUMP #Zerologon

Keypoints

  • Cyberattacks using web shells and VPN compromises remain common.
  • Attackers deploy multiple tools to maintain access, employing a layered fallback strategy.
  • Web shells allow attackers to interact with compromised servers and adapt tactics quickly.
  • Compromised VPN accounts help attackers blend into networks, avoiding detection.
  • Behavioral analysis and anomaly detection are crucial for early threat detection.
  • Two case studies illustrate the attack chains and methods used in web shell and VPN compromise incidents.
  • Recommendations include implementing layered security, regular audits, and strong authentication measures.

MITRE Techniques

  • [T1193] Web Shell – Attackers upload web shell files to compromised servers to execute commands.
  • [T1219] Remote Access Software – Attackers use tools like AnyDesk to maintain access and control over compromised systems.
  • [T1003] Credential Dumping – Utilization of tools like Impacket’s SECRETSDUMP to harvest password hashes.
  • [T1021] Lateral Movement – Using compromised accounts to move laterally within the network via RDP.
  • [T1071] Command and Control – Establishing C&C through compromised hosts using remote access tools.
  • [T1068] Privilege Escalation – Creating local admin accounts to gain higher privileges within the environment.

Indicators of Compromise

  • [IP Address] – 45.154.12.246, 111.223.247.193
  • [File name] – lcx5qm.jpg, zxin.jpg
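The following is an added example, not code from Trend Micro or from the report: it runs the two published indicators (the IP addresses and the web shell file names above) plus two generic behavioural checks over a small constructed event log. The event format (pipe-delimited `http` and `process` records), the web-server worker and shell process names, and the treatment of AnyDesk as "review-worthy remote access software" are assumptions chosen for the illustration; a real deployment would map them onto its own web server and EDR telemetry.

```python
"""Added example (not the report's own tooling): triage constructed web-server and
process events against the report's IoCs and two generic web-shell heuristics."""
from dataclasses import dataclass

# Indicators taken verbatim from the report summary.
IOC_IPS = {"45.154.12.246", "111.223.247.193"}
IOC_FILES = {"lcx5qm.jpg", "zxin.jpg"}

# Assumed, generic heuristics (not from the report): a shell spawned by a web-server
# worker is a classic web-shell signal, and a remote access tool such as AnyDesk
# appearing on a server deserves review unless it is known to be authorised there.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}

# Constructed sample log in an assumed format:
#   http|<client_ip>|<request_path>
#   process|<parent_image>|<child_image>
SAMPLE_LOG = """\
http|45.154.12.246|/uploads/lcx5qm.jpg
http|10.0.0.5|/index.html
process|w3wp.exe|cmd.exe
process|explorer.exe|cmd.exe
http|10.0.0.9|/images/zxin.jpg
process|services.exe|anydesk.exe
"""


@dataclass
class Finding:
    rule: str      # which check fired
    line_no: int   # 1-based line in the input
    detail: str    # the matched value


def parse_line(line: str) -> dict:
    """Parse one record of the constructed format; raise on anything else."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        raise ValueError(f"unrecognised event: {line!r}")
    kind, first, second = parts
    if kind == "http":
        return {"kind": kind, "src_ip": first, "path": second}
    if kind == "process":
        return {"kind": kind, "parent": first.lower(), "child": second.lower()}
    raise ValueError(f"unknown event kind: {kind!r}")


def triage(lines):
    """Return Findings for every IoC hit or behavioural match, in input order."""
    findings = []
    for n, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["kind"] == "http":
            if ev["src_ip"] in IOC_IPS:
                findings.append(Finding("ioc-ip", n, ev["src_ip"]))
            # Match on the file name only, wherever the web shell was dropped.
            name = ev["path"].rsplit("/", 1)[-1].lower()
            if name in IOC_FILES:
                findings.append(Finding("ioc-file", n, name))
        else:
            if ev["parent"] in WEB_WORKERS and ev["child"] in SHELLS:
                findings.append(Finding("webshell-spawn", n, f"{ev['parent']} -> {ev['child']}"))
            if ev["child"] in REMOTE_ACCESS_TOOLS:
                findings.append(Finding("remote-access-tool", n, ev["child"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

The IoC matches are exact and brittle by design; the two behavioural rules are what keep detection working once the attacker rotates file names and infrastructure, which is why the report stresses behavioural analysis over indicator matching alone. Note that `process|explorer.exe|cmd.exe` is deliberately not flagged: an interactive user opening a shell is normal, a web-server worker doing so is not.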

Read more: https://www.trendmicro.com/en_us/research/24/j/understanding-the-initial-stages-of-web-shell-and-vpn-threats-an.html