Pivot techniques: In addition to the payloads themselves, the investigation also revealed new techniques. For example, the legitimate shell script convert_hosts.sh that exists on these appliances has been modified to include the path of the backdoors to achieve persistence.

The SLAYSTYLE web shell, which is designed to receive commands over HTTP and execute them on the system, was used to set up proxy rules via the Linux iptables utility. Namely, incoming traffic on port 443 (HTTPS) that contained a particular HEX string was silently redirected to port 10443 for the next 5 minutes.

Another novel technique was the creation of temporary network ports on existing virtual machines on VMware ESXi servers to access other services inside the environments. Charles Carmakal, CTO at Mandiant, described the technique on LinkedIn as deploying "ghost NICs on virtual machines to evade defenders" because it left investigators chasing network activity from IP addresses that no longer existed and were never documented.

Network-edge appliances have become a common entry point into enterprise networks for sophisticated attackers. These appliances are not typically covered by logging solutions and lack endpoint malware detection, yet they contain troves of credentials and provide great pivot points to internal services.

Dell recommends that RecoverPoint for VMs be deployed inside a trusted, access-controlled network behind appropriate firewalls and segmentation, not on public-facing infrastructure. Meanwhile, the Mandiant blog post includes indicators of compromise and YARA detection rules for the new GRIMBOLT and SLAYSTYLE payloads.
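One defender-side check for the iptables redirect pattern described above, written here as an added example and not taken from the Mandiant or CSO reporting: it parses `iptables-save` output (a constructed sample is embedded) and flags NAT rules that pair a REDIRECT/DNAT target with payload string matching (`-m string`) or a `recent`-module time window, which is the shape of the 443-to-10443 rule the article describes. The rule text, the placeholder trigger bytes and the `trigger` list name are assumptions, not the real indicator.

```python
import re

# Constructed sample of `iptables-save` output: one ordinary NAT rule plus two
# rules mirroring the article's pattern (string-triggered, time-limited redirect).
# The hex bytes are a placeholder, not the real trigger string.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -p tcp --dport 443 -m string --algo bm --hex-string "|00 00 00 00|" -m recent --name trigger --set -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp --dport 443 -m recent --name trigger --rcheck --seconds 300 -j REDIRECT --to-ports 10443
COMMIT
"""


def find_suspicious_nat_rules(iptables_save_text):
    """Return [(line_no, [reasons])] for NAT rules that combine a redirect
    target with payload matching (-m string) or time-windowed state (-m recent).
    Ordinary port redirects without either module are not reported."""
    findings = []
    in_nat = False
    for n, line in enumerate(iptables_save_text.splitlines(), 1):
        if line.startswith("*"):                  # table header, e.g. *nat
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.startswith("-A "):
            continue
        if not re.search(r"-j (REDIRECT|DNAT)\b", line):
            continue
        reasons = []
        if "-m string" in line:
            reasons.append("payload string match on redirect rule")
        if "-m recent" in line:
            win = re.search(r"--seconds (\d+)", line)
            reasons.append("time-windowed state" + (f" ({win.group(1)}s)" if win else ""))
        if reasons and re.search(r"--dport (443|80)\b", line):
            reasons.append("public service port rewritten")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in find_suspicious_nat_rules(SAMPLE_IPTABLES_SAVE):
        print(f"line {n}: {'; '.join(reasons)}")
```

On a live appliance, feed it the output of `iptables-save -t nat` and treat any hit on an externally reachable port as something to reconcile against the appliance's documented configuration.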
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4134158/chinese-hackers-exploited-zero-day-dell-recoverpoint-flaw-for-1-5-years.html