Full Report
According to CrowdStrike research, in a certain incident an unknown actor compromised a target organization’s cloud environment by exploiting a WSO2 RCE vulnerability (CVE-2022-29464) affecting Linux machines. The actor downloaded several tools including cryptominers and websh...
Analysis Summary
# Incident Report: Cloud Compromise via WSO2 RCE
## Executive Summary
An unknown threat actor successfully compromised a target organization's cloud environment by exploiting a known WSO2 Remote Code Execution (RCE) vulnerability (CVE-2022-29464) on underlying Linux machines. Following access, the actor deployed cryptominers and webshells, utilized timestomping for evasion, conducted internal network discovery, and attempted lateral movement via SSH. The full impact and scope of the compromise remain partially unknown based on the provided data.
## Incident Details
- Discovery Date: Not explicitly stated (Reported June 5, 2023)
- Incident Date: Not explicitly stated
- Affected Organization: Not disclosed
- Sector: Not disclosed (the victim is described only as operating a cloud environment)
- Geography: Not disclosed
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated
- Vector: Exploitation of a publicly known vulnerability.
- Details: Actor exploited CVE-2022-29464 on the Linux machines hosting the WSO2 service. The flaw is an unauthenticated arbitrary file upload in several WSO2 products that lets an attacker write a JSP webshell into the web root and run commands as the WSO2 service account.
### Lateral Movement
- Date/Time: Post-initial compromise
- Vector: Internal network scanning followed by SSH connections to the hosts discovered.
- Details: Actor conducted a local network scan (using `fscan`) and attempted to move laterally to other machines in the local network via SSH.
### Data Exfiltration/Impact
- Date/Time: Post-initial access
- Vector: Deployment of attacker-controlled tooling (cryptominers and webshells).
- Details: Actor downloaded and deployed cryptominers and webshells. They also read sensitive files (`/etc/shadow` and shell history files) looking for cloud credentials. No data exfiltration is documented in the source.
### Detection & Response
- Date/Time: Post-compromise activity observed by CrowdStrike research.
- Vector: Behavioral monitoring/Endpoint Detection and Response (EDR).
- Details: The source does not describe the response; the actions listed under Response Actions below are inferred from the activity reported, not stated by CrowdStrike.
## Attack Methodology
- Initial Access: Exploitation of WSO2 RCE vulnerability (CVE-2022-29464).
- Persistence: Deployment of webshells (implied).
- Privilege Escalation: Not explicitly detailed. The webshell runs with the privileges of the WSO2 service account; since `/etc/shadow` is normally readable only by root (or the `shadow` group), either the service ran with elevated privileges or an escalation step the source does not mention occurred.
- Defense Evasion: Use of **Timestomping** to hide deployed tools/files.
- Credential Access: Searching `/etc/shadow` and bash history for cloud credentials.
- Discovery: Local network scanning using tools like **`fscan`**.
- Lateral Movement: Attempted movement via **SSH** to adjacent machines.
- Collection: Searching system files for credentials.
- Exfiltration: Not explicitly documented, but cryptomining activity is the primary objective mentioned.
- Impact: Installation of cryptominers consuming CPU and cloud compute resources.
## Impact Assessment
- Financial: Potentially high due to unauthorized compute resource usage (cryptomining).
- Data Breach: Potential exposure of cloud configuration/service credentials found in system files.
- Operational: Potential degradation of cloud service performance due to cryptomining activity.
- Reputational: Dependent on public disclosure, but compromise involving known vulnerabilities is damaging.
## Indicators of Compromise
- Network indicators: None provided in the source.
- File indicators: Cryptominers, Webshells. **Tool:** `fscan`.
- Behavioral indicators: **Timestomping** of dropped files, SSH lateral movement attempts following an internal scan, reads of `/etc/shadow` and shell history files.
## Response Actions
- Containment measures: Inferred removal/isolation of compromised Linux machines.
- Eradication steps: Deletion of downloaded cryptominers and webshells.
- Recovery actions: Remediation of the WSO2 RCE vulnerability (patching).
## Lessons Learned
- Reliance on legacy or unpatched software (WSO2 RCE vulnerability) remains a primary entry vector into cloud environments.
- Cloud environments are vulnerable to traditional Linux-based exploitation chains.
- Adversaries actively search for credentials within common configuration paths (`/etc/shadow`, shell history).
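The credential hunting described above (reading shell history for cloud secrets) is easy to reproduce defensively. The following is an added example, not code from CrowdStrike or from the original report: it scans shell history text for a hypothetical set of cloud-credential patterns (AWS access key IDs, exported secrets, `aws configure set` calls, GCP service-account paths, Azure client secrets, bearer tokens) and reports hits with the secret redacted, so the audit output does not itself become a credential leak. The sample history is constructed; the AWS values in it are AWS's published placeholder keys, not real credentials.

```python
import glob
import os
import re
from typing import Dict, List, Tuple

# Patterns that betray cloud credentials typed or exported at a shell prompt.
# Hypothetical set chosen for this example; extend to match your environment.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_in_env": re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S+"),
    "aws_cli_secret": re.compile(r"aws\s+configure\s+set\s+aws_secret_access_key\s+\S+"),
    "gcp_service_account_file": re.compile(r"GOOGLE_APPLICATION_CREDENTIALS\s*=\s*\S+\.json"),
    "azure_client_secret": re.compile(r"AZURE_CLIENT_SECRET\s*=\s*\S+"),
    "bearer_token_header": re.compile(r"Authorization:\s*Bearer\s+\S+", re.IGNORECASE),
}

Finding = Tuple[int, str, str]  # (line number, pattern name, redacted line)


def scan_history(text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit, with the matched secret
    replaced by a marker so the report does not leak what it found."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                redacted = pattern.sub(f"<{kind} redacted>", line)
                findings.append((lineno, kind, redacted))
    return findings


def history_files() -> List[str]:
    """Shell history files for root and every home directory: the same places
    an intruder with root greps first."""
    candidates = ["/root/.bash_history", "/root/.zsh_history"]
    candidates += glob.glob("/home/*/.bash_history") + glob.glob("/home/*/.zsh_history")
    return [p for p in candidates if os.path.isfile(p)]


# Constructed sample history for the demo. AKIAIOSFODNN7EXAMPLE and the secret
# on the next line are AWS's documented placeholder values, not real keys.
SAMPLE_HISTORY = """\
ls -la /opt/wso2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 ls
curl -H 'Authorization: Bearer eyJhbGciOi.example.token' https://api.example.internal/v1/
sudo systemctl restart wso2am
"""


if __name__ == "__main__":
    for path in history_files():
        try:
            with open(path, errors="replace") as fh:
                for lineno, kind, line in scan_history(fh.read()):
                    print(f"{path}:{lineno} [{kind}] {line}")
        except OSError as exc:
            print(f"{path}: skipped ({exc})")
    for lineno, kind, line in scan_history(SAMPLE_HISTORY):
        print(f"<sample>:{lineno} [{kind}] {line}")
```

Run it as root during triage of a compromised host, or periodically as a hygiene check; any hit means the credential should be treated as exposed and rotated, because the history file was readable to whoever held the webshell.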
## Recommendations
- Immediately patch or update all instances of WSO2 application servers to eliminate CVE-2022-29464 across the environment.
- Implement strict egress filtering so compromised hosts cannot reach mining pools, tool-staging servers, or command-and-control infrastructure.
- Run WSO2 and other internet-facing services under a dedicated unprivileged account so a webshell cannot read `/etc/shadow`, and keep cloud credentials out of shell history: prefer instance roles or a secrets manager over exported keys, and set `HISTCONTROL`/`HISTIGNORE` or disable history for service accounts.
- Ensure EDR or file integrity monitoring can detect timestomping, for example by comparing a file's mtime against its ctime, which user-space tools cannot backdate.
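The timestomping noted under Defense Evasion and the detection recommendation above rest on one Linux fact: `utime()`/`touch -t`/`touch -r` can set a file's atime and mtime to any value, but the kernel stamps ctime (inode change time) with the current clock on every change, so a freshly dropped file with a backdated mtime shows a large ctime-minus-mtime gap. The following is an added example, not CrowdStrike's code or anything from the original report: a hunting script that walks a directory and flags files whose mtime is at least an hour older than their ctime. The threshold and the `demo()` scenario (one legitimately written file beside a binary backdated two years) are constructed for illustration.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    skew_seconds: float


def find_backdated_files(root: str, min_skew_seconds: float = 3600.0) -> List[Finding]:
    """Walk `root` and return files whose mtime is at least `min_skew_seconds`
    older than their ctime, most suspicious first.

    Metadata-only operations (chmod, chown, rename, `cp -p`) also leave
    ctime newer than mtime, so treat hits as triage leads, not proof of
    tampering; cross-check against package manifests and deploy logs.
    """
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect symlinks themselves, do not follow
            except OSError:
                continue
            skew = st.st_ctime - st.st_mtime
            if skew >= min_skew_seconds:
                findings.append(Finding(path, st.st_mtime, st.st_ctime, skew))
    return sorted(findings, key=lambda f: f.skew_seconds, reverse=True)


def demo() -> List[str]:
    """Constructed scenario, not from the incident: write two files, then
    backdate one of them by two years the way `touch -t` would (atime and
    mtime only; ctime stays at 'now'). Returns the flagged basenames."""
    with tempfile.TemporaryDirectory() as root:
        legit = os.path.join(root, "app.conf")
        dropped = os.path.join(root, "dropped_tool")
        for p in (legit, dropped):
            with open(p, "wb") as fh:
                fh.write(b"placeholder contents\n")
        two_years_ago = time.time() - 2 * 365 * 86400
        os.utime(dropped, (two_years_ago, two_years_ago))
        return [os.path.basename(f.path) for f in find_backdated_files(root)]


if __name__ == "__main__":
    print("demo flagged:", demo())
    # Hypothetical webroot path; point this at the WSO2 deployment directory.
    for hit in find_backdated_files("/opt/wso2"):
        print(f"{hit.path}: mtime {time.ctime(hit.mtime)} ctime {time.ctime(hit.ctime)} "
              f"skew {hit.skew_seconds / 86400:.1f} days")
```

An attacker with root can defeat this check only by changing the system clock or writing the inode directly, both of which are noisier than `touch`, which is why the mtime/ctime comparison is a cheap first pass before a full filesystem timeline.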