This is an analysis of a recent attack observed on a on a large enterprise network. The attackers compromised multiple servers via JBOSS JMX console vulnerabilities. With this access they were able to install tools for remote access and transmit data from the enterprise network to their C&C systems. The attack, while not sophisticated, demonstrates some of the techniques used by the hackers and burns their IP addresses that were used. We will discuss the attack and our methodology for the detection and response.
From this timeline it can be seen that the attackers went after the load balancer virtual IP address and not the service directly. This meant that they would be sent to one of the two servers depending on the server load and algorithm used. Because server two was never fully compromised, we suspect that the attacker didn’t know they were dealing with two different servers and not just one.
In any case, the attackers were able to get server one, deploy a rogue URL, push a remote shell and then drop Zmeu. Server two had its URL configuration updated, but because of complications getting files/executing commands, it appeared to keep trying to get the WAR/JAR from the remote server with no luck.
- 126.96.36.199 (Romania) – Main attacker address
- 188.8.131.52 (Netherlands) – Attacker callback
- 184.108.40.206 (Sweden) – Public IRC
- 220.127.116.11 (Hungary) – Public IRC
- 18.104.22.168 (Florida) – Public IRC
- 22.214.171.124 (Spain) – Compromised server used to hold WAR/JAR files?
- 126.96.36.199 (Spain) – Backup compromised server?
- rocarp.com – Compromised server used to hold remote shell script