Cyberattackers Exploit HPE Operations Agent for Stealthy Intrusions
In a recent cybersecurity incident, attackers leveraged the legitimate HPE Operations Agent (OA) to infiltrate enterprise systems without deploying traditional malware. This sophisticated approach allowed them to evade detection by blending malicious activities with routine administrative tasks.
Initial Compromise and Stealthy Movement
The breach began when the attackers gained access through a compromised third-party IT services provider. Utilizing the trusted HPE OA, they executed VBScripts across multiple servers, including web servers and domain controllers. These scripts collected system information and mapped the network, all under the guise of legitimate administrative operations.
Establishing Persistence
To maintain long-term access, the attackers deployed web shells named Errors.aspx and a modified Signoff.aspx on internet-facing servers. These backdoors ensured continued control over the compromised systems, even if other malicious tools were discovered and removed.
Credential Theft and Lateral Movement
The attackers registered a malicious network provider DLL called mslogon.dll on domain controllers. This allowed them to intercept Windows authentication processes, facilitating credential theft and enabling further lateral movement within the network.
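A defender-side check for the technique just described, added here as an example and not part of the original report: Windows loads its network providers from the ProviderOrder registry value and each provider's DLL from the matching Services\<name>\NetworkProvider key, so a script can enumerate that list, resolve every DLL and flag entries that are missing, unsigned, signed by someone other than Microsoft, absent from an allow-list, or named like the reported mslogon.dll. The built-in provider allow-list is an assumption and should be tuned to the estate being checked.

```powershell
# Enumerate registered Windows network providers and flag suspicious DLLs.
# Assumption (not from the report): these are the providers normally present on a
# default Windows Server; extend the list for products you knowingly install.
$knownProviders = @('LanmanWorkstation', 'RDPNP', 'webclient')

$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order    = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$findings = @()

foreach ($name in ($order -split ',')) {
    $name = $name.Trim()
    if (-not $name) { continue }

    # Each provider declares its DLL under its service key; ProviderPath is
    # usually REG_EXPAND_SZ, so expand %SystemRoot% and friends before use.
    $npKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $props   = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    $dllPath = if ($props.ProviderPath) {
        [Environment]::ExpandEnvironmentVariables($props.ProviderPath)
    } else { $null }

    $reasons = @()
    if ($knownProviders -notcontains $name) { $reasons += 'provider not in allow-list' }

    if (-not $dllPath) {
        $reasons += 'no ProviderPath value'
    } else {
        # File name reported for the malicious provider in this intrusion.
        if ([IO.Path]::GetFileName($dllPath) -ieq 'mslogon.dll') { $reasons += 'matches reported DLL name' }

        if (-not (Test-Path -LiteralPath $dllPath)) {
            $reasons += 'DLL missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += 'signed, but not by Microsoft'
            }
        }
    }

    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{ Provider = $name; Path = $dllPath; Reason = ($reasons -join '; ') }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious network providers found.' }
```

Run it with administrative rights on each domain controller; any provider that is not in the allow-list, is unsigned, or points at a DLL outside the Windows system directory deserves triage before it is trusted.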
Implications and Recommendations
This incident underscores the evolving tactics of cybercriminals who exploit trusted tools to conduct stealthy operations. Organizations are advised to monitor the use of legitimate administrative tools closely and implement robust security measures to detect and prevent such abuses.