From web app exploitation to Chisel tunneling

According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting a vulnerability affecting an Internet-facing web app and gaining command shell access. The actor used Chisel for C2 purposes (specifically, a version of the tool already in use in the target organization's environment), and queried the IMDS via PowerShell. Through their Chisel tunnel, they attempted to move laterally via SSH, RDP, MSSQL and MySQL.