APT Attack Compromises Reverse Gateway Infrastructure Through Kernel and NFS Server Malware

By

ogurechny

20d ago · 15 min read · en · Insight

Summary

A detailed incident response blog post describing an Advanced Persistent Threat (APT) intrusion discovered during a routine security assessment. The attacker compromised an organization's reverse gateway infrastructure through a multi-stage attack: (1) a modified Linux kernel that altered NFS client behavior to mark file handles, (2) a malicious NFS-ganesha server module that exfiltrated data through covert channels, (3) kernel-level hooks injected into a Go application to intercept decrypted HTTPS traffic containing PII, and (4) a command-and-control system built on pseudo-files. The entry point was a weak link in the CI/CD pipeline: the production kernel was built manually on a developer's laptop rather than by the pipeline. The investigation uncovered multiple malware components, covert channels, self-destruct mechanisms, and exfiltration of PII harvested from HTTPS traffic.
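The pipeline weakness named in the summary, a production kernel built by hand on a developer's laptop, is exactly what a build-provenance check is meant to catch. The script below is an added example, not code from the original post or from the investigation it describes: it parses a /proc/version-style build banner, rejects any builder identity outside an assumed CI allowlist, and compares the kernel image hash against a hypothetical manifest written by CI. The allowlist entry, the manifest, the image bytes, and both banners are constructed for illustration.

```python
"""Added example: flag a running kernel whose build banner or image hash does
not match the organisation's CI build. The allowlist, manifest and sample
banners below are constructed, not taken from the original post."""
import hashlib
import re
from dataclasses import dataclass

# /proc/version has the form:
#   Linux version <release> (<user>@<host>) (<compiler info>) #<build> <flags> <date>
# The compiler field itself contains parentheses, so it is matched non-greedily
# up to the ") #<build>" that always follows it.
BANNER_RE = re.compile(
    r"^Linux version (?P<release>\S+) \((?P<user>[^@\s]+)@(?P<host>[^)\s]+)\) "
    r"\((?P<compiler>.*?)\) #(?P<build>\d+)"
)


@dataclass(frozen=True)
class KernelBuild:
    release: str
    user: str
    host: str
    compiler: str
    build: int


def parse_banner(banner: str) -> KernelBuild:
    """Extract release, builder identity, compiler and build number from a banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised kernel banner: {banner!r}")
    return KernelBuild(m["release"], m["user"], m["host"], m["compiler"], int(m["build"]))


# Hypothetical allowlist: the only identity that should ever appear in a
# production kernel's banner is the CI service account on the build farm.
TRUSTED_BUILDERS = {("ci-kernel", "build-farm-01.corp.example")}


def builder_is_trusted(kb: KernelBuild) -> bool:
    return (kb.user, kb.host) in TRUSTED_BUILDERS


def image_matches_manifest(image: bytes, manifest: dict, release: str) -> bool:
    """Compare the sha256 of the on-disk kernel image with the hash CI recorded."""
    expected = manifest.get(release)
    return expected is not None and hashlib.sha256(image).hexdigest() == expected


def audit_kernel(banner: str, image: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means the kernel passed both checks."""
    findings = []
    kb = parse_banner(banner)
    if not builder_is_trusted(kb):
        findings.append(f"kernel {kb.release} built by {kb.user}@{kb.host}, not by CI")
    if not image_matches_manifest(image, manifest, kb.release):
        findings.append(f"kernel image hash for {kb.release} does not match CI manifest")
    return findings


# Constructed sample data standing in for /boot/vmlinuz-* contents and the
# manifest the CI job would publish alongside each build.
CI_IMAGE = b"vmlinuz bytes produced by the CI pipeline"
LAPTOP_IMAGE = b"vmlinuz bytes produced on a developer laptop"
MANIFEST = {"6.6.30-corp": hashlib.sha256(CI_IMAGE).hexdigest()}

GOOD_BANNER = (
    "Linux version 6.6.30-corp (ci-kernel@build-farm-01.corp.example) "
    "(gcc (GCC) 13.2.0, GNU ld 2.41) #1 SMP PREEMPT_DYNAMIC Mon Apr 1 12:00:00 UTC 2024"
)
BAD_BANNER = (
    "Linux version 6.6.30-corp (alice@alice-laptop) "
    "(gcc (GCC) 13.2.0, GNU ld 2.41) #7 SMP PREEMPT_DYNAMIC Fri Apr 5 23:41:10 UTC 2024"
)

if __name__ == "__main__":
    for banner, image in ((GOOD_BANNER, CI_IMAGE), (BAD_BANNER, LAPTOP_IMAGE)):
        print(audit_kernel(banner, image, MANIFEST) or ["ok"])
```

On a real host the banner comes from reading /proc/version and the image from the vmlinuz file the bootloader actually loaded; the two checks are deliberately independent, since a kernel with a clean banner can still be a substituted image, and a hash that matches the manifest is only as trustworthy as the pipeline that produced the manifest.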

Source

Hacker News · APT Attack Compromises Reverse Gateway Infrastructure Through Kernel and NFS Server Malware · igor-blue.github.io

Key quotes (5 pulled)
I think my setup is sh*t, can anyone resend me the config files?
To quote the client 'I don't care who else they are attacking. I just want them off my lawn!', and he thinks publishing will prevent them from returning to THIS network.
Before this case I did not think there was any nice way to hook random GO binaries, this technique is pretty cool.
Reversing malware you always find some feeble attempt to obfuscate strings using XOR or RC4, or just scrambling the letter ordering. In this case I pretty quickly found a function I called get_obfuscated_string(buffer, string_id). The difference however, was that this one was just horrendous, practically irreversible.
This investigation started scary but turned out to be quite fun, and I hope reading it will be informative to you too.
Snippet from the RSS feed
A few weeks ago an ordinary security assessment turned into an incident response whirlwind. It was definitely a first for me, and I was kindly granted permission to outline the events in this blog post. This investigation started scary but turned out to be q
