Type
Incident
Actors
Unknown
Pub. date
June 5, 2023
Initial access
1-day vulnerability
Impact
Unknown
Observed techniques
IMDS abuse
Observed tools
Chisel
References
https://www.crowdstrike.com/cloud-risk-report/
Status
Finalized
Last edited
Jun 2, 2024 11:54 AM
According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting a vulnerability affecting an Internet-facing web app and gaining command shell access. The actor used Chisel for C2 purposes (specifically, a version of the tool already in use in the target organization's environment), and queried the IMDS via PowerShell. Through their Chisel tunnel, they attempted to move laterally via SSH, RDP, MSSQL and MySQL.