Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

TrendAI™ Research identified SHADOW-AETHER-040 and SHADOW-AETHER-064 as two emerging campaigns that used agentic AI to carry out intrusion operations against government and financial organizations in Latin America. Both groups relied on AI-generated scripts, SOCKS5 tunneling, and shared tradecraft to move from initial access through lateral movement and data exfiltration. #SHADOW-AETHER-040 #SHADOW-AETHER-064 #Mexico #Brazil #Claude #Chisel #Neo-reGeorg #CrackMapExec #Impacket

Key points

  • TrendAI™ Research tracked two separate but highly similar AI-assisted intrusion campaigns: SHADOW-AETHER-040 and SHADOW-AETHER-064.
  • SHADOW-AETHER-040 targeted government entities in Mexico and other organizations in Latin America, including financial, aviation, and retail sectors.
  • SHADOW-AETHER-064 targeted financial organizations in Brazil and focused on stealing financial-related data.
  • Both campaigns used agentic AI to generate commands, scripts, and custom tooling on demand, reducing dependence on prebuilt hacking tools.
  • Attackers established SOCKS5 tunnels with tools such as Chisel, ProxyChains, SSH, and custom proxy/backdoor tooling to access internal networks.
  • SHADOW-AETHER-040 used an AI agent to assist with tasks such as scanning, persistence, credential discovery, privilege escalation, and exfiltration.
  • The campaigns showed evidence of language separation—Spanish for SHADOW-AETHER-040 and Portuguese for SHADOW-AETHER-064—suggesting distinct operators.

MITRE Techniques

  • [T1588.007] Obtain Capabilities: Artificial Intelligence – The actors used AI services and agentic CLI tools to generate offensive commands and scripts. (‘used agentic AI capabilities to drive attack operations’)
  • [T1590] Gather Victim Network Information – The campaign collected internal network details and attack surface information from targeted environments. (‘identify the attack surface of the targeted organizations’)
  • [T1595] Active Scanning – SHADOW-AETHER-064 scanned exposed services on ports 443 and 8443 to find vulnerable systems. (‘Scanned port 443 and 8443 across the target’s network ranges’)
  • [T1190] Exploit Public-Facing Application – The actors exploited vulnerable JBoss AS servers and web-facing systems to gain access. (‘vulnerable JBoss AS servers, successfully compromised them’)
  • [T1059] Command and Scripting Interpreter – AI agents generated shell scripts and commands to perform scanning, credential theft, and other tasks. (‘Generated a shell script to conduct scanning across an internal network’)
  • [T1203] Exploitation for Client Execution – The campaign deployed webshells to execute commands on compromised servers. Note that the quoted evidence is webshell deployment, which ATT&CK catalogs under T1505.003 (Server Software Component: Web Shell) rather than client-side exploitation. (‘deploy webshells, such as Neo-reGeorg’)
  • [T1053] Scheduled Task/Job – Persistence was maintained through cron jobs. The .bashrc modification in the same quote is shell-startup persistence, which ATT&CK maps to T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification). (‘Created a cron job or modified the .bashrc configuration’)
  • [T1068] Exploitation for Privilege Escalation – The actors attempted privilege escalation through vulnerabilities such as Dirty COW and PwnKit. (‘Attempted to exploit vulnerabilities such as Dirty COW and PwnKit’)
  • [T1036] Masquerading – The backdoor binary was renamed to resemble a legitimate PostgreSQL worker process. (‘Renamed the backdoor binary as pg_stat_worker’)
  • [T1003] OS Credential Dumping – The actor searched victim systems for private keys and passwords. The quoted evidence, reading .bash_history for leaked passwords, is unsecured-credential collection (T1552.003, Unsecured Credentials: Bash History) rather than dumping of an OS credential store. (‘inspected .bash_history to discover leaked passwords’)
  • [T1187] Forced Authentication – SHADOW-AETHER-040 used SMB Relay with PetitPotam to force authentication. (‘Performed an SMB Relay attack using PetitPotam’)
  • [T1552.001] Unsecured Credentials: Credentials In Files – The actors searched configuration files, logs, and history files for embedded secrets. (‘extract any internal network information or embedded credentials’)
  • [T1110.003] Brute Force: Password Spraying – Both campaigns used collected credentials for password spraying against internal targets. (‘Utilized previously collected credentials to conduct password spraying attacks’)
  • [T1087] Account Discovery – The AI agent examined systems and directories for accounts and related access material. The quoted search for private key files is itself T1552.004 (Unsecured Credentials: Private Keys). (‘search for private key files matching filename patterns’)
  • [T1482] Domain Trust Discovery – The campaign investigated directory and domain relationships during internal operations. (‘domain trust discovery’ listed in MITRE mapping)
  • [T1654] Log Enumeration – The actor inspected shell history and logs to identify useful information and leaked secrets. (‘Inspected .bash_history’)
  • [T1046] Network Service Discovery – The campaign scanned internal and exposed services to map reachable hosts. (‘perform connection scanning across the internal network’)
  • [T1018] Remote System Discovery – The AI agent queried and scanned remote internal systems to identify live hosts. (‘operate other servers inside the internal network’)
  • [T1057] Process Discovery – The actors checked running processes to detect EDR or antivirus tools. (‘Executed ps -fade command to list all running processes’)
  • [T1082] System Information Discovery – The actor reviewed server configuration files and code to extract system and environment information. (‘inspect server configuration files and application code’)
  • [T1210] Exploitation of Remote Services – The actors moved from the initial foothold to other internal servers. The quoted action, planting a backdoor SSH key, is persistence via T1098.004 (Account Manipulation: SSH Authorized Keys) rather than exploitation of a remote service. (‘deploy backdoor SSH key’)
  • [T1021.004] Remote Services: SSH – SSH was used through ProxyChains and within custom tooling for lateral movement and remote command execution. (‘use ProxyChains to create SSH connections’)
  • [T1213] Data from Information Repositories – The actors queried databases and repositories to locate and extract sensitive data. (‘Explored databases using SQL queries’)
  • [T1090] Proxy – SOCKS5 proxies, ProxyChains, Chisel, and custom tools were used to relay traffic and hide source connections. (‘establish a SOCKS5 tunnel’)
  • [T1572] Protocol Tunneling – Traffic was tunneled through SOCKS5, WebSocket, HTTP POST, and SSH-based relays. (‘encapsulating the malicious traffic within HTTP POST requests and responses’)
  • [T1071] Application Layer Protocol – The backdoor communicated over HTTP and used WebSocket for C2 and traffic relay. (‘This backdoor utilizes HTTP protocol for C&C communication’)
  • [T1020] Automated Exfiltration – The actors automated data theft and bulk download of backups and files. (‘downloaded the backup files with the scp command’)
  • [T1041] Exfiltration Over C2 Channel – Data was exfiltrated through the command-and-control infrastructure. (‘facilitate the exfiltration of large files over the C&C channel’)
  • [T1136.001] Create Account: Local Account – SHADOW-AETHER-064 created unauthorized service accounts on victim servers. (‘Created unauthorized service accounts, specifically identified as svcbackup or svcmon’)
  • [T1136.002] Create Account: Domain Account – The campaign created or leveraged accounts within Active Directory environments. (‘within both victim servers and the Active Directory environment’)
  • [T1484.001] Domain or Tenant Policy Modification: Group Policy Modification – The attackers modified Group Policy Preferences (GPP) in the victim Active Directory environment. (‘Modified Group Policy Preferences (GPP)’)
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – The campaign used stolen NTLM hashes to move laterally and deploy backdoors. (‘Used stolen NTLM hashes to perform Pass-the-Hash over SMB’)
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – The attackers used SMB and admin shares for lateral movement and backdoor deployment. (‘Pass-the-Hash over SMB’)
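The proxy and tunneling entries above (T1090, T1572, T1071) describe SOCKS traffic relayed through a webshell inside HTTP POST requests and responses. That traffic has a recognisable shape in ordinary web server logs: one client, one script, almost nothing but POSTs, no Referer, and response sizes that swing with whatever TCP chunk came back from the internal host. The following Python is an added example for this summary, not code from the report or from Trend Micro. It parses combined-format access log lines, groups them by client and path, and flags pairs matching that signature. The log lines, the client addresses (RFC 5737 documentation ranges) and the script path /uploads/tunnel.jsp are constructed for the example.

```python
"""Flag reGeorg-style HTTP tunnels in web server access logs.

Added example for this summary, not code from the report. The log lines,
client IPs (RFC 5737 ranges) and the script path /uploads/tunnel.jsp are
constructed; only the traffic shape being looked for comes from the report.
"""
import re
from collections import defaultdict
from statistics import pstdev

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def score_endpoints(lines, min_requests=20, post_ratio=0.9, min_size_stdev=100.0):
    """Group requests by (client IP, path) and return tunnel-like pairs.

    A webshell relaying SOCKS traffic inside HTTP POST bodies shows up as one
    client hammering one script with (almost) only POSTs, no Referer, and
    response sizes that vary far more than a static page's. Each signal alone
    is weak; the combination is what gets flagged.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[(rec["ip"], rec["path"])].append(rec)

    flagged = {}
    for key, recs in buckets.items():
        if len(recs) < min_requests:
            continue
        posts = sum(1 for r in recs if r["method"] == "POST")
        no_referer = sum(1 for r in recs if r["referer"] in ("", "-"))
        size_stdev = pstdev([r["size"] for r in recs])
        if (posts / len(recs) >= post_ratio
                and no_referer == len(recs)
                and size_stdev >= min_size_stdev):
            flagged[key] = (f"{len(recs)} requests, {posts} POST, "
                            f"no Referer, size stdev {size_stdev:.0f}")
    return flagged


def build_sample_log():
    """Constructed log lines: one tunnel plus one normal browsing session."""
    lines = []
    # 40 POSTs from one client to one JSP, response sizes all over the place.
    for i in range(40):
        size = (i * 137) % 3000 + 20
        lines.append(
            f'203.0.113.7 - - [01/May/2026:10:{i // 60:02d}:{i % 60:02d} +0000] '
            f'"POST /uploads/tunnel.jsp HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'
        )
    # 25 ordinary GETs with a Referer and a fixed page size.
    for i in range(25):
        lines.append(
            f'198.51.100.20 - - [01/May/2026:10:01:{i % 60:02d} +0000] '
            f'"GET /index.html HTTP/1.1" 200 4096 "https://example.org/" "Mozilla/5.0"'
        )
    return lines


SAMPLE_LOG = build_sample_log()
FLAGGED = score_endpoints(SAMPLE_LOG)

if __name__ == "__main__":
    for (ip, path), reason in FLAGGED.items():
        print(f"{ip} -> {path}: {reason}")
```

The thresholds are starting points: a busy JSON API can legitimately be POST-only and Referer-less, so on such hosts raise min_requests, restrict the rule to paths under upload or static directories, or add a per-minute rate check. Chisel over WebSocket, also named in the report, looks different in the same logs (a long-lived request answered with a 101 upgrade) and needs its own rule.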

Indicators of Compromise

  • [IP addresses] C&C communications for SHADOW-AETHER-040 and SHADOW-AETHER-064 – 165.22.184.26, 159.65.202.204, and six other items
  • [IP addresses] Additional SHADOW-AETHER-064 infrastructure used in hunting queries – 209.99.185.221, 209.99.185.223, and 167.148.195.53
  • [Domains] C&C domain communications for SHADOW-AETHER-064 – cloudservbr.com, infra-telemetry.com
  • [File names / tool names] Custom tooling and backdoors observed in the campaigns – implante_http, SOCKTZ, and POW
  • [File names] Attack artifacts – the dropped backdoor binary pg_stat_worker and the modified startup and authentication files .bashrc and authorized_keys
  • [File paths] Persistence and credential-hunting locations on compromised hosts – ~/.pgsql/logs/, ~/.ssh/authorized_keys, and .bash_history
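The host-side artifacts listed above (cron or .bashrc entries launching a binary renamed pg_stat_worker under ~/.pgsql/logs/, a backdoor key in ~/.ssh/authorized_keys, and svcbackup/svcmon service accounts) can be checked on a Linux host with a few file and process inspections. The following Python is an added example for this summary, not tooling from the report or from Trend Micro. It goes slightly beyond the listed names: the account check also flags any svc* account that has an interactive shell, since real service accounts normally get nologin. Every input it reads is a constructed excerpt embedded in the script; the user name app, the PIDs and the key blobs are hypothetical.

```python
"""Hunt for the Linux persistence artifacts named in the IOC list.

Added example for this summary, not tooling from the report. Inputs are constructed
excerpts: pg_stat_worker, ~/.pgsql/logs/ and svcbackup are from the IOC and MITRE
sections; the user 'app', the PIDs and the key blobs are made up.
"""

BACKDOOR_TOKENS = ("pg_stat_worker", ".pgsql/logs")
ROGUE_ACCOUNTS = ("svcbackup", "svcmon")
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def hunt_startup_files(crontab, bashrc):
    """Cron or .bashrc lines that launch the renamed backdoor."""
    hits = []
    for src, text in (("crontab", crontab), (".bashrc", bashrc)):
        for n, line in enumerate(text.splitlines(), 1):
            s = line.strip()
            if s and not s.startswith("#") and any(t in s for t in BACKDOOR_TOKENS):
                hits.append((src, n, s))
    return hits


def hunt_authorized_keys(authorized_keys, trusted_blobs):
    """Key lines whose base64 blob is not on the allowlist (the comment field is
    attacker-controlled, so compare key material; leading options are skipped)."""
    rogue = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_PREFIXES)), None)
        if idx is not None and idx + 1 < len(parts) and parts[idx + 1] not in trusted_blobs:
            rogue.append(line)
    return rogue


def hunt_accounts(passwd):
    """Named rogue accounts, plus any svc* account with an interactive shell."""
    hits = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7 and (f[0] in ROGUE_ACCOUNTS or
                            (f[0].startswith("svc") and f[6] not in NOLOGIN_SHELLS)):
            hits.append((f[0], int(f[2]), f[6]))
    return hits


def hunt_processes(ps_output):
    """pg_stat_worker processes in `ps -eo pid,ppid,user,comm,args` output. A genuine
    PostgreSQL worker is a child of the postmaster with an argv starting 'postgres:'."""
    rows = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)
        if len(parts) == 5:
            rows.append(dict(zip(("pid", "ppid", "user", "comm", "args"), parts)))
    by_pid = {r["pid"]: r for r in rows}
    hits = []
    for r in rows:
        if "pg_stat_worker" in r["comm"] and not r["args"].startswith("postgres:"):
            parent = by_pid.get(r["ppid"])
            r["parent_comm"] = parent["comm"] if parent else "?"
            hits.append(r)
    return hits


SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /home/app/.pgsql/logs/pg_stat_worker >/dev/null 2>&1
"""
SAMPLE_BASHRC = """\
export PATH=$PATH:$HOME/bin
nohup ~/.pgsql/logs/pg_stat_worker >/dev/null 2>&1 &
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleTrustedBlob admin@jumphost
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQHypotheticalRogueBlob
"""
TRUSTED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleTrustedBlob"}
SAMPLE_PASSWD = """\
postgres:x:113:120:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
svcbackup:x:1004:1004::/home/svcbackup:/bin/bash
svc-monitoring:x:998:998::/var/lib/mon:/usr/sbin/nologin
"""
SAMPLE_PS = """\
  PID  PPID USER     COMMAND         COMMAND
    1     0 root     systemd         /sbin/init
  812     1 postgres postgres        /usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main
 2231     1 app      pg_stat_worker  /home/app/.pgsql/logs/pg_stat_worker
"""


def run_hunt():
    """Run every check over the constructed inputs and return the findings."""
    return {
        "startup": hunt_startup_files(SAMPLE_CRONTAB, SAMPLE_BASHRC),
        "ssh_keys": hunt_authorized_keys(SAMPLE_AUTHORIZED_KEYS, TRUSTED_KEY_BLOBS),
        "accounts": hunt_accounts(SAMPLE_PASSWD),
        "processes": hunt_processes(SAMPLE_PS),
    }
```

To use it on a real host, replace the SAMPLE_ constants with the output of `crontab -l` for each user, each user's ~/.bashrc and ~/.ssh/authorized_keys, /etc/passwd, and `ps -eo pid,ppid,user,comm,args`, and feed the allowlist from whatever system manages SSH keys. The process check is the most robust of the four: a binary renamed to look like a PostgreSQL worker still runs from a user's home directory with a non-postgres parent, which no legitimate PostgreSQL background process does.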


Read more: https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html