A sophisticated state-sponsored threat actor, assessed as likely China-nexus, maintained access to a large organization's network for about three years. The attackers turned legacy, internet-facing F5 BIG-IP appliances into internal command-and-control infrastructure and kept their persistence by establishing multiple footholds across the environment.
Their ability to switch quickly to other footholds after being discovered shows why strong defenses against state-sponsored threats matter.
A holistic approach that combines continuous monitoring, threat hunting, strict traffic controls, and hardening of both legacy and public-facing devices is essential to deter and counter such persistent actors.
The attackers used DLL search-order hijacking to make a legitimate application load a malicious DLL, which then injected code into svchost.exe processes. By analyzing memory dumps of the injected processes, investigators identified stolen credentials and internal network scanning activity.
They also used Impacket to move laterally and tampered with EDR products; the investigation further uncovered a PlugX C&C server and a local firewall rule created by the malware.
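The search-order hijack described above leaves a distinctive trace in image-load telemetry: a DLL whose name belongs in the Windows system directories is loaded from an application's own directory instead. The following hunt, an added example and not code from Sygnia or the original article, runs that rule over a handful of constructed Sysmon-style events; the field names, paths and DLL list are this example's own assumptions, not indicators from the investigation.

```python
"""
Hunt for DLL search-order hijacking in image-load telemetry.
The events below are constructed, Sysmon-like records; the field names
(pid, image, loaded, signed) are assumptions made for this example.
"""
from pathlib import PureWindowsPath

# Directories where the listed DLLs legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that are normally resolved from the system directories; a copy
# loaded from an application directory is the classic hijack pattern.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll"}

# Constructed sample events (hypothetical paths, not from the investigation).
EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Vendor\Tool.exe",
     "loaded": r"C:\Program Files\Vendor\VERSION.dll", "signed": False},
    {"pid": 4120, "image": r"C:\Program Files\Vendor\Tool.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"pid": 5200, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\cryptbase.dll", "signed": False},
]


def find_hijack_candidates(events):
    """Return image loads of system DLL names from outside the system directories."""
    hits = []
    for ev in events:
        dll = PureWindowsPath(ev["loaded"])
        name = dll.name.lower()
        parent = str(dll.parent).lower()
        if name in SYSTEM_DLLS and parent not in SYSTEM_DIRS:
            # A copy sitting next to the executable is the strongest signal,
            # because that is the first place the loader looks.
            process_dir = str(PureWindowsPath(ev["image"]).parent).lower()
            hits.append({
                "pid": ev["pid"],
                "process": ev["image"],
                "dll": ev["loaded"],
                "in_process_dir": parent == process_dir,
                "signed": ev["signed"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_hijack_candidates(EVENTS):
        print(hit)
```

The rule is intentionally narrow: an unsigned system-named DLL loaded from the process's own directory is worth a memory dump of that process, which is exactly where the injected code and harvested credentials were found in this case. Extend `SYSTEM_DLLS` from a clean reference host rather than from memory.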
The attackers compromised F5 BIG-IP appliances that were directly exposed to the internet. By exploiting vulnerabilities in the appliances' outdated operating system they gained remote access, established a reverse SSH tunnel to a C&C server, and then used the appliances as a pivot to infect an internal file server with PlugX malware.
PlugX on the file server acted as an internal C&C server, from which the attackers moved laterally by enumerating active connections, listing directories, and transferring additional PlugX variants using WmiExec over SMB.
Because this internal traffic was unencrypted, the captured SMB communications exposed the attackers' tactics, techniques, and procedures (TTPs).
Sygnia's forensic analysis of the F5 appliances revealed four malicious binaries. VELVETSTING connected to the attackers' C&C server every hour to fetch commands, which were encoded with a passphrase and executed via csh.
VELVETTAP captured network packets on the management interface; both tools were added to /etc/rc.local for persistence. SAMRID, an open-source SOCKS proxy known to be used by Chinese threat actors, was present but not running, and ESRDE, a bash-based tool similar to VELVETSTING, was also found inactive.
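Two of the artifacts above are cheap to hunt for on any appliance that still has a shell: entries in /etc/rc.local that are not in a known-good baseline, and outbound connections from the management interface that recur at a fixed interval. The script below is an added example, not code from Sygnia or the original article; the rc.local contents, the binary paths and the connection log are constructed, the baseline is an assumption for a generic Linux host rather than F5's actual default file, and the one-hour period is taken from the description of VELVETSTING.

```python
"""
Hunt for the two F5 artefacts described above: unexpected /etc/rc.local
entries and fixed-interval (hourly) beaconing from the management interface.
All inputs are constructed samples; nothing is read from a live device.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Assumed known-good, non-comment lines of rc.local. On a real appliance,
# build this baseline from a clean device of the same software version.
RC_LOCAL_BASELINE = {
    "touch /var/lock/subsys/local",
    "exit 0",
}

# Constructed rc.local as it might look after tampering (hypothetical paths,
# not the real file names from the investigation).
RC_LOCAL_SAMPLE = """#!/bin/sh
# This script will be executed *after* all the other init scripts.
touch /var/lock/subsys/local
/shared/tmp/.sys/vst &
/shared/tmp/.sys/vtap -i mgmt &
exit 0
"""


def audit_rc_local(text, baseline=RC_LOCAL_BASELINE):
    """Return rc.local lines that are neither blank, comments, nor in the baseline."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line not in baseline:
            unexpected.append(line)
    return unexpected


# Constructed outbound connection log from the management IP:
# "<ISO timestamp> <src> -> <dst:port>". Destinations use documentation ranges.
CONN_LOG = """\
2024-03-04T08:00:02 10.10.1.5 -> 203.0.113.7:443
2024-03-04T08:17:40 10.10.1.5 -> 198.51.100.20:443
2024-03-04T09:00:05 10.10.1.5 -> 203.0.113.7:443
2024-03-04T10:00:01 10.10.1.5 -> 203.0.113.7:443
2024-03-04T10:42:13 10.10.1.5 -> 198.51.100.20:443
2024-03-04T11:00:04 10.10.1.5 -> 203.0.113.7:443
2024-03-04T12:00:03 10.10.1.5 -> 203.0.113.7:443
2024-03-04T12:05:58 10.10.1.5 -> 198.51.100.20:443
2024-03-04T13:00:02 10.10.1.5 -> 203.0.113.7:443
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def find_periodic_beacons(log, period=3600, tolerance=0.05, min_conns=4):
    """Return {(src, dst): median_gap_seconds} for flows whose inter-connection
    gaps cluster tightly around `period` (default one hour, as VELVETSTING did)."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        stamps[(src, dst)].append(datetime.fromisoformat(ts))

    hits = {}
    for flow, times in stamps.items():
        if len(times) < min_conns:
            continue  # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        slack = period * tolerance
        # Median near the expected period and low spread: a scheduled beacon,
        # not a human who happens to connect roughly once an hour.
        if abs(median(gaps) - period) <= slack and pstdev(gaps) <= slack:
            hits[flow] = median(gaps)
    return hits


if __name__ == "__main__":
    print("unexpected rc.local entries:", audit_rc_local(RC_LOCAL_SAMPLE))
    print("periodic beacons:", find_periodic_beacons(CONN_LOG))
```

The periodicity check is what distinguishes VELVETSTING-style polling from ordinary traffic: three irregular connections to 198.51.100.20 are ignored, while the hourly flow to 203.0.113.7 is flagged. The rc.local audit is only as good as its baseline, so take that baseline from a device you trust, not from the one under investigation.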