Hackers Exploit Velociraptor, Cloudflare Tunnels, and Zoho Assist for Stealthy Network Persistence

In a recent cybersecurity investigation, researchers uncovered a complex intrusion where two distinct threat actors simultaneously compromised the same network environment. This discovery highlights the increasing sophistication of cyberattacks, where adversaries employ legitimate tools to maintain stealthy and persistent access.

The primary focus of the attack was on on-premises SharePoint servers, which have been frequent targets due to their critical role in organizational infrastructure. The attackers, identified as Storm-2603, exploited known vulnerabilities within these servers to gain initial access. Their reconnaissance efforts included requests for sensitive configuration files, indicating a search for further exploitable weaknesses.

Utilization of Legitimate Tools for Malicious Purposes

Once inside the network, Storm-2603 leveraged several legitimate tools to establish and maintain their foothold:

  • Velociraptor: This open-source digital forensics and incident response (DFIR) tool was deployed with SYSTEM-level privileges. Its legitimate use in security operations allowed the attackers to conduct reconnaissance and data collection without raising suspicion.
  • Cloudflare Tunnels: By configuring these tunnels, the attackers created secure outbound connections that bypassed traditional network monitoring, facilitating covert communication channels.
  • Zoho Assist: This remote management tool provided the attackers with persistent, unattended access to the compromised systems, enabling continuous control over the environment.
  • Visual Studio Code SSH: SSH connections established through Visual Studio Code offered another layer of remote access, further diversifying the attackers’ methods to maintain their presence.

The strategic use of these tools allowed the attackers to blend their activities with normal administrative operations, significantly reducing the likelihood of detection.
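One practical response to the tool list above is to treat every remote-access and tunnelling binary as policy-controlled: allowed only on named hosts, from a known install path, and flagged everywhere else. The following hunt over process-creation telemetry is an added example, not code from the original report or from the researchers it summarises. The image-name, command-line and parent-process patterns, the approved-host map and the sample events are all assumptions constructed for the example; the event fields mirror what Sysmon Event ID 1 or Windows Security 4688 provide.

```python
"""Hunt process-creation telemetry for remote-access and tunnelling tools
running where the organisation never approved them.

Sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the started executable
    cmdline: str
    parent_image: str


# Tool signatures. The image / command-line / parent patterns are assumptions
# made for this example, not vendor-published indicators; tune them on your data.
SIGNATURES = {
    "Velociraptor":      {"image": r"velociraptor(\.exe)?$"},
    "Cloudflare Tunnel": {"image": r"cloudflared(\.exe)?$", "cmdline": r"\btunnel\b"},
    "Zoho Assist":       {"image": r"zohoassist|za_(access|connect)"},
    "VS Code tunnel":    {"image": r"(^|\\)code(\.exe)?$", "cmdline": r"\btunnel\b|--remote"},
    "VS Code SSH":       {"image": r"(^|\\)ssh(\.exe)?$", "parent": r"(^|\\)code(\.exe)?$"},
}

# Where each tool may run and from which install directory (assumed values).
# Tools absent from this map are never expected on a server.
APPROVED = {
    "Velociraptor": {"hosts": {"soc-jump01"},
                     "path_prefix": "c:\\program files\\velociraptor\\"},
}


def _match(pattern, value):
    """A missing pattern matches anything; otherwise a case-insensitive search."""
    return pattern is None or re.search(pattern, value, re.IGNORECASE) is not None


def classify(ev):
    """Return the name of the tool an event looks like, or None."""
    for tool, sig in SIGNATURES.items():
        if (_match(sig.get("image"), ev.image)
                and _match(sig.get("cmdline"), ev.cmdline)
                and _match(sig.get("parent"), ev.parent_image)):
            return tool
    return None


def hunt(events, approved=APPROVED):
    """Return one finding per event whose tool runs outside policy."""
    findings = []
    for ev in events:
        tool = classify(ev)
        if tool is None:
            continue
        policy = approved.get(tool)
        reasons = []
        if policy is None or ev.host not in policy["hosts"]:
            reasons.append("tool not approved on this host")
        if policy and not ev.image.lower().startswith(policy["path_prefix"]):
            reasons.append("unexpected install path")
        if reasons:
            findings.append({"host": ev.host, "user": ev.user, "tool": tool,
                             "image": ev.image, "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not from the incident
    ProcessEvent("sp-web01", "NT AUTHORITY\\SYSTEM",
                 "C:\\ProgramData\\vr\\velociraptor.exe",
                 "velociraptor.exe --config client.config.yaml client",
                 "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("sp-web01", "CORP\\svc_admin",
                 "C:\\Users\\Public\\cloudflared.exe",
                 "cloudflared.exe tunnel run --token <redacted>",
                 "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("sp-web01", "NT AUTHORITY\\SYSTEM",
                 "C:\\Program Files (x86)\\ZohoAssist\\ZA_Access.exe",
                 "ZA_Access.exe -service",
                 "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("sp-web01", "CORP\\svc_admin",
                 "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
                 "ssh.exe -T -D 55123 -o ConnectTimeout=15 ops@203.0.113.10",
                 "C:\\Users\\svc_admin\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"),
    ProcessEvent("soc-jump01", "NT AUTHORITY\\SYSTEM",          # sanctioned deployment
                 "C:\\Program Files\\Velociraptor\\velociraptor.exe",
                 "velociraptor.exe --config client.config.yaml client",
                 "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("sp-web01", "IIS APPPOOL\\SharePoint",          # ordinary SharePoint worker
                 "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
                 "w3wp.exe -ap \"SharePoint\"",
                 "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['tool']} as {f['user']} ({'; '.join(f['reasons'])})")
```

Running the block prints four findings, all on the SharePoint host, while the sanctioned Velociraptor agent on the SOC jump host and the IIS worker process stay silent. The design point is that none of these tools is malicious in itself, so the detection keys on deviation from an explicit deployment baseline (host and install path) rather than on the binary alone.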

Privilege Escalation and Defense Evasion

Beyond establishing access, the attackers took steps to escalate their privileges and disable security measures:

  • Creation of Administrator Accounts: New local and domain administrator accounts were created, granting the attackers elevated privileges and control over the network.
  • Exploitation of Vulnerable Drivers: By exploiting known vulnerabilities in certain drivers, the attackers were able to tamper with system memory, effectively disabling security protections and further concealing their activities.

These actions ensured that the attackers could maintain long-term control over the compromised environment while evading detection by traditional security tools.
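The administrator-account creation described above leaves a clear trail in the Windows Security log, and a short correlation over those events catches it regardless of which tool the attacker used afterwards. The following is an added example, not code from the original report; it correlates event 4720 (user account created) with 4732 and 4728 (member added to a security-enabled local or global group) and raises an alert when a just-created account lands in BUILTIN\Administrators (SID S-1-5-32-544) or Domain Admins (domain SID with RID 512). The approved provisioning account, the one-hour promotion window, the account names and the sample events are assumptions constructed for the example.

```python
"""Correlate Windows Security events to surface freshly created accounts that
are promoted into an administrators group. Sample events are constructed.
"""
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"      # BUILTIN\Administrators
DOMAIN_ADMINS_RID = "512"              # Domain Admins: <domain SID>-512
APPROVED_PROVISIONERS = {"svc_iam"}    # assumption: only account allowed to create users
PROMOTION_WINDOW = timedelta(hours=1)  # assumption: creation-to-promotion gap worth flagging


def is_admin_group(sid):
    """True for the local Administrators group or any domain's Domain Admins."""
    return sid == LOCAL_ADMINS_SID or sid.rsplit("-", 1)[-1] == DOMAIN_ADMINS_RID


def correlate(events):
    """Return alerts in time order. Each event is a dict shaped like the samples."""
    created = {}      # target SID -> its 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["target_sid"]] = ev
            if ev["subject"] not in APPROVED_PROVISIONERS:
                alerts.append({"type": "account-created-by-unapproved-subject",
                               "subject": ev["subject"], "account": ev["target"],
                               "time": ev["time"]})
        elif ev["id"] in (4728, 4732) and is_admin_group(ev["group_sid"]):
            alert = {"type": "admin-group-add", "subject": ev["subject"],
                     "account": ev["member"], "group_sid": ev["group_sid"],
                     "time": ev["time"]}
            origin = created.get(ev["member_sid"])
            if origin and ev["time"] - origin["time"] <= PROMOTION_WINDOW:
                # account was created moments earlier: escalate the alert
                alert["type"] = "new-account-promoted-to-admin"
                alert["created_by"] = origin["subject"]
            alerts.append(alert)
    return alerts


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
SAMPLE_EVENTS = [  # constructed, not taken from the incident
    {"id": 4720, "time": datetime(2024, 1, 15, 2, 14), "subject": "sp_farm",
     "target": "svcbackup", "target_sid": DOMAIN + "-1105"},
    {"id": 4732, "time": datetime(2024, 1, 15, 2, 15), "subject": "sp_farm",
     "member": "svcbackup", "member_sid": DOMAIN + "-1105",
     "group_sid": LOCAL_ADMINS_SID},
    {"id": 4728, "time": datetime(2024, 1, 15, 2, 16), "subject": "sp_farm",
     "member": "svcbackup", "member_sid": DOMAIN + "-1105",
     "group_sid": DOMAIN + "-512"},
    {"id": 4720, "time": datetime(2024, 1, 15, 9, 0), "subject": "svc_iam",
     "target": "jdoe", "target_sid": DOMAIN + "-1106"},
    {"id": 4732, "time": datetime(2024, 1, 15, 9, 1), "subject": "svc_iam",
     "member": "jdoe", "member_sid": DOMAIN + "-1106",
     "group_sid": "S-1-5-32-545"},          # BUILTIN\Users: not an admin group
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['time']:%H:%M} {a['type']}: {a['account']} by {a['subject']}")
```

Against the sample, the routine raises three alerts for the 02:14 sequence (an unapproved subject creating an account, then that account being added to both the local Administrators and Domain Admins groups within the window) and nothing for the routine onboarding at 09:00. Keying the join on SIDs rather than account names avoids being fooled by an account that is renamed between creation and promotion.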

Complication Due to Multiple Threat Actors

Adding to the complexity of the situation, a second, unrelated threat actor was discovered operating within the same network environment. This group employed different techniques, such as malicious DLL sideloading and custom backdoors, to achieve their objectives. The simultaneous presence of multiple threat actors not only complicates attribution but also underscores the challenges organizations face in detecting and responding to sophisticated cyber intrusions.

The use of legitimate tools like Velociraptor, Cloudflare Tunnels, and Zoho Assist by malicious actors highlights a concerning trend in cybersecurity. Organizations must enhance their monitoring capabilities to detect the misuse of such tools and implement robust security measures to prevent unauthorized access. This incident serves as a stark reminder of the evolving tactics employed by cybercriminals and the need for continuous vigilance in protecting network environments.