1. Initial Entry and Exploitation
In the first stage of this attack, the adversary stood up a command-and-control infrastructure (C2-1 in Figure 1) from which to launch their operation. They targeted a Linux Tomcat server, exploiting a known, unpatched vulnerability to gain root access. Once inside, they conducted reconnaissance with standard tooling such as ldapsearch to enumerate the directory and identify additional hosts and shares to pivot to. This reconnaissance yielded further credentials, which enabled lateral movement across the environment. The phase highlights the risk of leaving critical vulnerabilities exposed on internet-facing servers that run essential services: a single known flaw is all the adversary needed to get in.
2. Lateral Movement and Identity Exploitation
After gaining initial access, the adversary moved laterally through the network using the compromised credentials. They pivoted from the Linux Tomcat server to a Windows system, expanding their reach. To keep their communication covert, they generated SSH key pairs and used them to build SSH tunnels. They also targeted the System Security Services Daemon (SSSD) on Linux to harvest additional cached credentials and to gather information about the organization's cloud infrastructure, enabling deeper access. CrowdStrike Falcon® Identity Protection detected these actions even though the adversary was operating from unmanaged hosts.
3. Privileges and Administrator Access
The adversary compromised accounts with elevated privileges to gain administrative access. The permissions attached to these accounts let them escalate the attack while avoiding detection, since activity by an administrator rarely looks abnormal on its own. This phase illustrates the difficulty of catching privileged account abuse, where legitimate admin access is used to maintain and expand footholds in compromised networks.
4. Second Stage and Cloud Targeting
To avoid being traced back to their original infrastructure, the adversary stood up a second command-and-control infrastructure (C2-2) to target the victim's cloud environment. If one C2 infrastructure was detected, the other remained functional. Using the cloud provider's Systems Manager (SSM) service, they focused on cloud instances from the control plane rather than from the endpoints, querying sensitive data directly. Instead of attacking Windows or Linux instances that had endpoint detection and response (EDR) agents installed, the adversary used the control plane to issue commands against cloud hosts without ever logging into them. Commands delivered this way execute under the SSM agent, a legitimate management process, so they blend in with routine administration and are recorded primarily in the cloud audit log rather than as suspicious endpoint behaviour. By exploiting this cloud security blind spot, the adversary was able to extract sensitive data, including intellectual property, without triggering endpoint detection alerts.
5. Persistence and Further Expansion
To ensure persistence, the adversary created additional accounts via SSM and launched a new Windows instance in the cloud environment. This instance acted as a "break glass" mechanism, providing a fallback in case existing access was lost. The tactic is particularly insidious, because a single instance running quietly in the background often goes unnoticed unless it affects performance or cost. By blending into normal cloud activity, the adversary maintained long-term access without detection.
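The control-plane activity described in the last two sections (Run Command used to act on instances without logging in, account creation through SSM, and a fallback instance launched for persistence) leaves a trail in the cloud audit log even when no EDR alert fires. The following hunt is an added example written for this article, not CrowdStrike's code or the customer's telemetry. It assumes the provider is AWS, so the records follow the general CloudTrail shape (eventName, userIdentity, sourceIPAddress, requestParameters); the sample records, baselines and principal names are constructed, and whether a Run Command payload appears under requestParameters in your own trail should be verified before relying on that rule.

```python
"""Hunt CloudTrail-style records for SSM control-plane abuse.

Added example. All records, baselines and names below are constructed.
"""
import ipaddress
import json

# Constructed CloudTrail-style records, one JSON object per line. The field
# layout follows CloudTrail's general schema; the values are invented.
SAMPLE_LOG = """
{"eventID":"e1","eventTime":"2024-05-01T09:12:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ops-patching"},"sourceIPAddress":"10.20.0.15","requestParameters":{"documentName":"AWS-RunShellScript","instanceIds":["i-0a1"],"parameters":{"commands":["yum -y update"]}}}
{"eventID":"e2","eventTime":"2024-05-01T23:41:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","userIdentity":{"arn":"arn:aws:iam::111122223333:user/svc-backup"},"sourceIPAddress":"203.0.113.77","requestParameters":{"documentName":"AWS-RunPowerShellScript","instanceIds":["i-0b2"],"parameters":{"commands":["net user support2 P@ss /add","net localgroup administrators support2 /add"]}}}
{"eventID":"e3","eventTime":"2024-05-01T23:49:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/svc-backup"},"sourceIPAddress":"203.0.113.77","requestParameters":{"instancesSet":{"items":[{"imageId":"ami-windows2019"}]}}}
{"eventID":"e4","eventTime":"2024-05-02T08:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ops-patching"},"sourceIPAddress":"10.20.0.15","requestParameters":{"target":"i-0a1"}}
"""

# Hypothetical baselines: who normally drives SSM, who normally launches
# instances, and which networks administrators connect from.
BASELINE_SSM_PRINCIPALS = {"arn:aws:iam::111122223333:role/ops-patching"}
BASELINE_LAUNCH_PRINCIPALS = {"arn:aws:iam::111122223333:role/ci-deploy"}
CORP_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Fragments that indicate a local account is being created or promoted,
# for both Linux (AWS-RunShellScript) and Windows (AWS-RunPowerShellScript).
ACCOUNT_CREATION_MARKERS = (
    "useradd", "adduser", "net user ", "net localgroup",
    "new-localuser", "add-localgroupmember",
)

SSM_ACTIONS = {"SendCommand", "StartSession"}


def parse_events(raw):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def command_text(event):
    """Return the Run Command payload joined into one string ('' if absent)."""
    params = event.get("requestParameters") or {}
    commands = (params.get("parameters") or {}).get("commands") or []
    return "\n".join(commands)


def from_corporate_network(source):
    """True if the caller came from a baselined network.

    CloudTrail may record a service hostname instead of an IP for calls made
    on the caller's behalf by AWS; those are not treated as external here.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in CORP_NETWORKS)


def hunt(events):
    """Return one finding per suspicious record, with the rules it matched."""
    findings = []
    for ev in events:
        principal = ev.get("userIdentity", {}).get("arn", "")
        name = ev.get("eventName")
        reasons = []
        if ev.get("eventSource") == "ssm.amazonaws.com" and name in SSM_ACTIONS:
            if principal not in BASELINE_SSM_PRINCIPALS:
                reasons.append("ssm_from_unbaselined_principal")
            if not from_corporate_network(ev.get("sourceIPAddress", "")):
                reasons.append("ssm_from_external_ip")
            text = command_text(ev).lower()
            if any(marker in text for marker in ACCOUNT_CREATION_MARKERS):
                reasons.append("run_command_creates_account")
        elif name == "RunInstances" and principal not in BASELINE_LAUNCH_PRINCIPALS:
            reasons.append("instance_launch_by_unbaselined_principal")
        if reasons:
            findings.append({"eventID": ev["eventID"], "eventName": name,
                             "principal": principal, "reasons": reasons})
    return findings


def correlate(findings):
    """Map principals that both abused SSM and launched an instance.

    That pairing is the 'break glass' pattern: act through the control plane,
    then stand up a fallback host under the same identity.
    """
    by_principal = {}
    for f in findings:
        by_principal.setdefault(f["principal"], set()).update(f["reasons"])
    return {
        p: sorted(r) for p, r in by_principal.items()
        if "instance_launch_by_unbaselined_principal" in r
        and any(x.startswith(("ssm_", "run_command")) for x in r)
    }


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["eventID"], f["eventName"], f["principal"], ", ".join(f["reasons"]))
    print("fallback-instance candidates:", correlate(found))
```

The per-event rules are deliberately simple; the value is in the correlation step, which ties an identity's Run Command activity to its instance launches. In a real environment the baselines would come from weeks of CloudTrail history rather than hard-coded sets, and the external-IP rule should also be run against the C2 infrastructure observed in the intrusion.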
While monitoring the environment, CrowdStrike OverWatch threat hunters observed this suspicious activity in real time. Once there was enough evidence to confirm an intrusion, CrowdStrike alerted the customer immediately and advised on countermeasures to stop the adversary. CrowdStrike connected the dots across domains, showing how the adversary obtained credentials, moved between endpoints and the cloud, and abused the control plane. Continuous hunting and cross-domain correlation of the malicious activity were key to understanding the adversary's full scope and stopping the breach.
Turning Insight into Action with Intelligence-Led Defense
Threat hunting and threat intelligence are critical for staying ahead of modern cross-domain attacks such as the one described here. Real-time intelligence provides the insight needed to uncover hidden threats early, while proactive threat hunting, such as CrowdStrike Falcon® Adversary OverWatch, delivers 24/7 monitoring that analyzes telemetry, identifies abnormal patterns, and applies knowledge of adversary tradecraft to detect and stop threats.
By integrating advanced threat intelligence with proactive hunting in a unified security platform, organizations can detect and disrupt attacks faster, reduce response times, and prevent widespread damage. As demonstrated in this case study, this unified, intelligence-driven approach is the key to staying one step ahead of even the most sophisticated adversaries.