From WSO2 RCE to SSH lateral movement

According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting a WSO2 RCE vulnerability (CVE-2022-29464) affecting Linux machines. The actor downloaded several tools including cryptominers and webshells, which they hid using timestomping. They also conducted a local network scan for discovery purposes, and searched for cloud credentials in /etc/shadow and bash history. The actor also attempted to move laterally to other machines in the local network via SSH.