The Nsocks botnet exploits vulnerabilities in specific Internet-facing applications, such as VMware Horizon servers affected by a known critical vulnerability (CVE-2021-21972). Once a host is compromised, the attacker uses a custom protocol over TCP for command and control (C2) communication. This protocol carries various commands to manage the botnet, including downloading and executing files, launching DDoS attacks, and stealing credentials.
Tag: T1190
Inside Water Barghest's Rapid Exploit
Water Barghest actively scans the internet for vulnerable IoT devices, particularly those with known vulnerabilities or default credentials. Upon identifying a vulnerable device, the group exploits it to gain initial access. This may involve exploiting vulnerabilities in web interfaces, using default or weak credentials, or leveraging unpatched software flaws.
COLDRIVER – SPICA malware
The APT group COLDRIVER uses spearphishing to deliver malware, using PDFs as lure documents.
Volt Typhoon Engagement
Volt Typhoon actors rely on valid accounts for persistence. They first gain initial access to a network by exploiting vulnerabilities in public-facing applications. They then obtain administrator credentials and maintain persistence on the network. They are known to use compromised credentials for follow-on activities, such as logging into the victim's network via VPN.
Tropic Trooper – Exploit Web Facing App
Tropic Trooper exploits vulnerabilities in public-facing web servers, such as Microsoft Exchange Server, to gain initial access to target networks. The group leverages known vulnerabilities (such as CVE-2023-26360) to establish a foothold and deploys web shells like "ByPassGodzilla" for further malicious activity.