Ssh Rd Rev Jar ☠



The Cortex XDR threat prevention service inspects a wide variety of data from these files to detect and block known threat samples (such as LDAP, SQL injection, VNC, etc.) as well as those that are not historically known. Several attacks are detected by Cortex XDR, such as:

  • The ssh -i command line option
  • The enable parameter
  • The pass parameter
  • The -c command line option

We observed an increasing number of SSH executions on our network from the fourth quarter of 2018 to the first quarter of 2019. These events seemed to be associated with the internal deployment of a vulnerability in a specific version of the AWS SDK. A scan of the Docker containers on the RPi showed the following files were created/updated during this period:

Kali Linux 2018.2 is based on the Debian “Buster” distribution. A vulnerability in the Cortex Threat Prevention service was disclosed on April 10, 2019. The attack surface for this vulnerability can be described as follows:

These detection points are complemented by network flow and protocol analysis, resulting in elevated IOCs for network traffic anomalies, such as outbound SSH or VNC requests, as well as inbound port-forward requests from the RPi.

The lack of a publicly available post-exploit version makes it more difficult to identify. We tried to determine if any version of a container could be used against the Cortex XDR service. We determined that if we could build a Docker container from an image that contained the ssh binary that triggered the Cortex XDR service, we could then instantiate that container and gain a foothold on the affected device. So we scoped out the specific techniques to build the Docker containers. We looked for the enable parameter and checked if there were any other ways to trigger Cortex XDR.

From the folder created by the webshell, the actor then executes the webshell as a plain-text script, copying a PowerShell or PoshC2 script from a USB memory device. The copied script then downloads an executable from one of the publicly available proof-of-concept tool sites, most of which are publicly available command-and-control servers. The intent of this methodology is to avoid having to use command-and-control servers on a computer that is targeted due to the location of a highly sensitive computer resource being compromised. The compromised computer resource in this case is the endpoint of a threat insertion process, which allows the actor to quickly execute code and leave behind evidence that is logged on the endpoint.
We have logged open source alerts and other standard remediation actions in our s2b repository to ensure you have a complete audit log of the work we have done on your behalf. The more directly we can guide you to remediation, the less likely you are to be blindsided by a threat. Not all attackers stick to the open source scanning and cleanup approach. We always recommend attackers clean up as much evidence as possible, but some of them prefer to hide and be sneaky.
At this point, the actor may attempt to communicate with the C&C server for additional instructions. The communication with the C&C server may be encrypted, as the actor may use a publicly available encryption toolkit to encrypt the data. This could be done with something such as Tiny Encryption Algorithm, which is an open source implementation of the TEA block cipher and stream cipher. This toolkit provides an easy and secure way to encrypt and decrypt data on the fly and can be used inside of a webshell. It might also be encrypted to avoid any chance of capturing its communications.
