APT Attack Compromises Reverse Gateway Infrastructure Through Kernel and NFS Server Malware
By ogurechny
Summary
A detailed incident response blog post describing a sophisticated Advanced Persistent Threat (APT) attack discovered during a routine security assessment. The attacker compromised an organization's reverse gateway infrastructure through a multi-stage attack involving: (1) a modified Linux kernel that altered NFS client behavior to mark file handles, (2) a malicious NFS-ganesha server module that exfiltrated data through covert channels, (3) kernel-level hooks injected into a Go application to intercept decrypted HTTPS traffic containing PII, and (4) a complex command-and-control system using pseudo-files. The attacker exploited a weak point in the CI/CD pipeline where the kernel was manually built on a developer's laptop. The investigation uncovered multiple malware components, covert channels, self-destruct mechanisms, and data exfiltration of PII from HTTPS traffic.
Key quotes
I think my setup is sh*t, can anyone resend me the config files?
To quote the client 'I don't care who else they are attacking. I just want them off my lawn!', and he thinks publishing will prevent them from returning to THIS network.
Before this case I did not think there was any nice way to hook random GO binaries, this technique is pretty cool.
Reversing malware you always find some feeble attempt to obfuscate strings using XOR or RC4, or just scrambling the letter ordering. In this case I pretty quickly found a function I called get_obfuscated_string(buffer, string_id). The difference however, was that this one was just horrendous, practically irreversible.
This investigation started scary but turned out to be quite fun, and I hope reading it will be informative to you too.