Analysis of Attack Case Installing VPN on Korean ERP Server

June 17, 2024, 11:37 a.m.

Description

This analysis examines an attack in which a threat actor compromised a Korean company's ERP server, gaining initial access through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and finally installed SoftEther VPN on the server, most likely to fold it into command-and-control infrastructure. The indicator file names below (a vmtoolsd.exe downloaded alongside vpn_server.config and hamcore.se2, both SoftEther VPN Server files) are consistent with the VPN server binary being renamed after VMware Tools' vmtoolsd.exe to blend in. Proper password management and restricting external access to the database service could have prevented the incident.
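The following is an added detection example, not code from the original report or from AhnLab: it hunts for this page's indicator hosts and URLs in proxy logs and flags a service binary that looks like a renamed SoftEther VPN Server. The proxy log format, the service records and all sample lines are constructed for illustration; the only external assumption is the default VMware Tools install directory used to judge whether a vmtoolsd.exe is in its expected location.

```python
"""Added example: hunt this page's indicators in proxy logs and flag a
SoftEther VPN server masquerading as VMware's vmtoolsd.exe.
All log lines and service records below are constructed, not from the incident."""
import re
from urllib.parse import urlsplit

# Indicator URLs copied from the Indicators section of this page.
INDICATOR_URLS = [
    "https://bashupload.com/-nsU2/1.txt",
    "http://45.77.44.127/vmtoolsd.exe",
    "http://167.99.75.170/vmtoolsd.exe",
    "http://167.99.75.170/tun02/vpn_server.config",
    "http://167.99.75.170/tun02.bat",
    "http://167.99.75.170/dns003/sqlwritel.exe",
    "http://167.99.75.170/dns003/hamcore.se2",
    "http://116.202.251.4/vmtoolsd.exe",
]


def build_indicator_sets(urls):
    """Return (hosts, exact): indicator hostnames/IPs, and (host, path) pairs, lower-cased."""
    hosts, exact = set(), set()
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()
        hosts.add(host)
        exact.add((host, parts.path.lower()))
    return hosts, exact


# Constructed proxy log, assumed format: "<timestamp> <source-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-06-10T03:12:07Z 10.20.1.15 GET http://167.99.75.170/vmtoolsd.exe 200
2024-06-10T03:12:09Z 10.20.1.15 GET http://167.99.75.170/tun02/VPN_SERVER.CONFIG 200
2024-06-10T03:12:11Z 10.20.1.15 GET http://167.99.75.170/other/payload.bin 200
2024-06-10T03:13:40Z 10.20.1.22 GET https://www.microsoft.com/en-us/ 200
2024-06-10T03:15:02Z 10.20.1.15 POST https://bashupload.com/-nsU2/1.txt 200
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def hunt_proxy_log(text, urls=INDICATOR_URLS):
    """One hit per log line whose URL host is an indicator host.
    'exact' is True when host and path both match a listed URL; host-only hits
    are still reported because the same servers hosted several tools."""
    hosts, exact = build_indicator_sets(urls)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line: skip, never crash the hunt
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host not in hosts:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"],
                     "exact": (host, parts.path.lower()) in exact})
    return hits


# Assumption: the default VMware Tools install directory on 64-bit Windows.
VMWARE_TOOLS_DIR = r"c:\program files\vmware\vmware tools"
# Files that ship with SoftEther VPN Server and appear in the indicator list above.
SOFTETHER_FILES = {"hamcore.se2", "vpn_server.config"}


def softether_masquerade_findings(image_path, sibling_files):
    """Reasons a service binary looks like a renamed SoftEther VPN Server.
    image_path is a service ImagePath (quotes and arguments tolerated, first .exe taken);
    sibling_files are file names in the binary's directory. Empty list means clean."""
    m = re.match(r'\s*"?(?P<exe>[^"]*?\.exe)', image_path, re.IGNORECASE)
    if not m:
        return []
    directory, _, name = m["exe"].lower().rpartition("\\")
    reasons = []
    if name == "vmtoolsd.exe" and directory != VMWARE_TOOLS_DIR:
        reasons.append(f"vmtoolsd.exe running from {directory!r}, not the VMware Tools directory")
    found = SOFTETHER_FILES & {f.lower() for f in sibling_files}
    if found:
        reasons.append("SoftEther VPN Server files beside the binary: " + ", ".join(sorted(found)))
    return reasons


# Constructed service records: a legitimate VMware Tools service and the pattern this page describes.
SAMPLE_SERVICES = [
    {"name": "VMTools", "image": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"',
     "siblings": ["vmtoolsd.exe", "vmtools.dll"]},
    {"name": "VMTools", "image": r"C:\Windows\Temp\tun02\vmtoolsd.exe",
     "siblings": ["vmtoolsd.exe", "hamcore.se2", "vpn_server.config"]},
]


def scan_services(services):
    """Return [(image_path, reasons)] for every service that raised at least one finding."""
    flagged = []
    for s in services:
        reasons = softether_masquerade_findings(s["image"], s["siblings"])
        if reasons:
            flagged.append((s["image"], reasons))
    return flagged


if __name__ == "__main__":
    for h in hunt_proxy_log(SAMPLE_LOG):
        print("proxy hit", h)
    for image, reasons in scan_services(SAMPLE_SERVICES):
        print("service finding", image, reasons)
```

On a live host the service records would come from the registry (HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath) and a directory listing of each binary's folder; the host-level match is deliberately broader than the exact URL list so that a previously unseen file pulled from the same download server is still surfaced for triage.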

Date

Published: June 17, 2024, 11:19 a.m.

Created: June 17, 2024, 11:19 a.m.

Modified: June 17, 2024, 11:37 a.m.

Indicators

https://bashupload.com/-nsU2/1.txt

http://45.77.44.127/vmtoolsd.exe

http://167.99.75.170/vmtoolsd.exe

http://167.99.75.170/tun02/vpn_server.config

http://167.99.75.170/tun02.bat

http://167.99.75.170/dns003/sqlwritel.exe

http://167.99.75.170/dns003/hamcore.se2

http://116.202.251.4/vmtoolsd.exe

Attack Patterns

SoftEther VPN

T1587.002 Develop Capabilities: Code Signing Certificates

T1550.002 Use Alternate Authentication Material: Pass the Hash

T1003.001 OS Credential Dumping: LSASS Memory

T1543.003 Create or Modify System Process: Windows Service

T1059.001 Command and Scripting Interpreter: PowerShell

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1485 Data Destruction

Additional Information

Manufacturing

Korea, Democratic People's Republic of

Korea, Republic of