Type: Incident
Actors: (not recorded)
Pub. date: June 5, 2023
Initial access: Web vulnerability
Impact: Unknown
Observed techniques: (not recorded)
Observed tools: (not recorded)
Targeted technologies: (not recorded)
Status: Finalized
Last edited: Jun 2, 2024 11:54 AM
According to CrowdStrike research, an unknown actor compromised a target organization's cloud environment by exploiting a remote code execution (RCE) vulnerability in PHP applications running on multiple Linux machines. The actor enumerated the environment and attempted to query the instance metadata service (IMDS) to retrieve cloud credentials (the report does not state whether this succeeded). For persistence, the actor created a cron job that downloaded and ran Sliver, and also executed Python remote shells.