A recent discovery has highlighted a critical vulnerability in the Sliver Command and Control (C2) framework, a tool commonly used by threat actors for post-exploitation activities.
This flaw can potentially enable TCP/IP hijacking, allowing attackers to intercept and manipulate network traffic.
Sliver, originally designed as a legitimate penetration testing tool, has been increasingly adopted by malicious actors due to its versatility and scalability.
Exploitation of Sliver C2 Framework
Threat actors have been leveraging vulnerabilities in various software to deploy the Sliver C2 framework.
For instance, known flaws in Sunlogin remote desktop software have been exploited to install Sliver, alongside other malware like BYOVD and Gh0st RAT.
This exploitation chain often begins with remote code execution vulnerabilities, followed by the deployment of Sliver or other malicious payloads.
The use of Sliver allows threat actors to maintain persistence on compromised networks and execute further malicious activities, such as internal network reconnaissance and credential theft.
The Sliver framework’s ability to communicate over specific ports, such as TCP port 8888, using the mTLS authentication protocol, makes it challenging to detect without proper network monitoring tools.
Once deployed, Sliver can facilitate the execution of various commands, including reading system files like /etc/passwd and communicating back with the C2 server.
This level of access can lead to significant network exposure, especially if combined with techniques like TCP/IP hijacking.
TCP/IP Hijacking Risks
TCP/IP hijacking is a sophisticated attack where an attacker intercepts and alters data packets between two communicating systems, exploiting the trust model inherent in TCP/IP protocols.
According to the researchers, this attack can lead to unauthorized access to sensitive data, disruption of communication sessions, or even control of targeted systems.
The combination of Sliver’s capabilities with TCP/IP hijacking techniques could amplify the severity of network breaches, allowing attackers to manipulate network traffic and remain undetected for extended periods.
To mitigate these risks, organizations must implement robust network monitoring and security measures, including encryption and multi-factor authentication.
Regular updates to software and protocols, along with vigilant monitoring of network traffic, are crucial in preventing such attacks.
As threat actors continue to evolve their tactics, staying ahead of these vulnerabilities is essential for maintaining network security.
 framework, a tool commonly used by threat actors for post-exploitation activities.){kind=link}