ITSEC Newsletter 2024-02-22

As a company specializing in realistic defensive training, we are highly interested in the inner workings of Command and Control (C2) frameworks. Empire is a modernized, open-source framework equipped with a wide array of capabilities. Examining its inner workings offers two opportunities: first, to improve adversary simulation, and second, to develop novel defensive techniques. While scrutinizing the staging and tasking processes, we pinpointed several vulnerabilities that an attacker could exploit to gain root access to a C2 server.

Sometimes, the shared data contains secrets, or information that should not have been published. There are ways to delete them, but they are not intuitive at all. During a recent security evaluation, we had a repo with deleted commits, and identified a GitHub flaw that isn’t well known. It allows access to commits not listed in the project’s history, including commits that have been removed using a forced push. We have created github-secrets to search for and find such commits on any public repository so that users can determine whether supposedly deleted commits are currently publicly visible in their repository.

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it’s also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected leading to further compromise.