Analysis of Attack Case Installing VPN on Korean ERP Server

June 17, 2024, 11:37 a.m.

Description

This analysis examines an attack where a threat actor compromised a Korean company's ERP server, initially accessing it through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of a command-and-control infrastructure. Proper password management and restricting external access could have prevented this incident.

Date

  • Created: June 17, 2024, 11:19 a.m.
  • Published: June 17, 2024, 11:19 a.m.
  • Modified: June 17, 2024, 11:37 a.m.

Indicators


Attack Patterns

Additional Information

  • Manufacturing
  • Korea, Democratic People's Republic of
  • Korea, Republic of