Type
Incident
Actors
Unknown
Pub. date
June 5, 2023
Initial access
1-day vulnerability
Impact
Unknown
Observed techniques
Timestomping
Observed tools
fscanGodzilla
Targeted technologies
WSO2
References
https://www.crowdstrike.com/cloud-risk-report/
Status
Stub
Last edited
Jun 2, 2024 8:02 AM
According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting a WSO2 RCE vulnerability (CVE-2022-29464) affecting Linux machines. The actor downloaded several tools including cryptominers and webshells, which they hid using timestomping. They also conducted a local network scan for discovery purposes, and searched for cloud credentials in /etc/shadow and bash history. The actor also attempted to move laterally to other machines in the local network via SSH.