  • BlueDolphin

Hack the Box - Incident Response - Meerkat

Updated: Mar 31

Attacker's workflow mapped

Attacker's Summary

This summary will cover the attacker's workflow as discovered from my point of view. I believe the attack first started with port scanning, based on the high volume of SYN packets to various ports. While looking through web request logs I discovered HTTP POST and GET requests. From here, there was a credential stuffing attempt against the target that eventually led to a successful authentication. The attacker took advantage of CVE-2022-25237 to conduct a command injection attack, where they passed a bash command to curl an SSH key from a pastebin into the authorized keys folder.

Triaging Summary

We are provided with a pcap file and Suricata alerts in a JSON file which you can import into Brimcap (Brim Security) with the Suricata Module.


Sherlock Questions

1. We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

For this question, I felt I could quickly and accurately narrow down our surface area by filtering the packet capture by protocol. It was likely that the Business Management Platform was a cloud app communicating with clients over HTTP. I also observed the Bonita soft string when analyzing the pcap from within DynamiteLab, a free online pcap analysis tool.

2. We believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out?

3. Does the vulnerability exploited have a CVE assigned - and if so, which one?

4. Which string was appended to the API URL path to bypass the authorization filter by the attacker's exploit?

5. How many combinations of usernames and passwords were used in the credential stuffing attack?

6. Which username and password combination was successful?

7. If any, which text sharing site did the attacker utilise?

8. Please provide the filename of the public key used by the attacker to gain persistence on our host.

9. Can you confirm the file modified by the attacker to gain persistence?

10. Can you confirm the MITRE technique ID of this type of persistence mechanism?
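
Questions 5 and 6 come down to counting unique username/password pairs posted to the login endpoint and finding the pair that drew a success response. The sketch below is an added example, not part of the original write-up or the challenge data, showing that triage over HTTP records exported from a pcap. The record fields, the `/login` path, the `username`/`password` form field names, the 2xx/3xx success rule and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample rows (not from the challenge pcap): src IP, method, URI,
# POST body, response status, as exported from a pcap HTTP log.
ROWS = [
    ("203.0.113.7", "GET", "/login", "", 200),
    ("203.0.113.7", "POST", "/login", "username=alice%40example.test&password=Winter2022", 401),
    ("203.0.113.7", "POST", "/login", "username=bob%40example.test&password=hunter2", 401),
    ("203.0.113.7", "POST", "/login", "username=bob%40example.test&password=hunter2", 401),
    ("203.0.113.7", "POST", "/login", "username=carol%40example.test&password=qwerty1", 401),
    ("203.0.113.7", "POST", "/login", "username=dave%40example.test&password=Spring2021", 204),
    ("198.51.100.20", "POST", "/login", "username=erin%40example.test&password=correct-horse", 204),
]
FIELDS = ("src", "method", "uri", "body", "status")
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]


def summarize_logins(records, login_path="/login"):
    """Per source IP: login attempts, unique credential pairs, pairs that worked."""
    per_src = defaultdict(lambda: {"attempts": 0, "pairs": set(), "success": set()})
    for r in records:
        if r["method"] != "POST" or r["uri"].split("?")[0] != login_path:
            continue  # only form submissions to the login endpoint count
        form = parse_qs(r["body"], keep_blank_values=True)
        pair = (form.get("username", [""])[0], form.get("password", [""])[0])
        stats = per_src[r["src"]]
        stats["attempts"] += 1
        stats["pairs"].add(pair)  # a replayed pair is counted once
        if 200 <= r["status"] < 400:  # assumed success rule: 2xx/3xx response
            stats["success"].add(pair)
    return dict(per_src)


def looks_like_stuffing(stats, min_users=3):
    """Stuffing: many distinct usernames, each tried with roughly one password."""
    users = {user for user, _ in stats["pairs"]}
    return len(users) >= min_users and len(stats["pairs"]) <= 2 * len(users)


if __name__ == "__main__":
    for src, stats in summarize_logins(SAMPLE).items():
        print(src, stats["attempts"], len(stats["pairs"]),
              sorted(stats["success"]), looks_like_stuffing(stats))
```

Counting unique pairs rather than raw POSTs matters because stuffing tools often replay a pair, so the request count overstates the number of combinations.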
