Type: Incident
Actors: Unknown
Pub. date: June 5, 2023
Initial access: Web vulnerability
Impact: Unknown
Observed techniques: IMDS abuse, Cron persistence
Observed tools: Sliver
Targeted technologies: PHP
References: https://www.crowdstrike.com/cloud-risk-report/
Status: Finalized
Last edited: Jun 2, 2024 11:54 AM
According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting an RCE vulnerability affecting PHP applications on multiple Linux machines. The actor enumerated the environment and attempted to query the IMDS to retrieve cloud credentials (the report does not say whether this succeeded). For persistence, they created a cron job that downloaded and ran Sliver, and they also executed Python remote shells.