Junior Hacker Leveraged Tailscale and OpenSSH to Maintain Access After C2 Outage

Cyber Intrusion at French Automotive Firm: A Case Study of Persistent Threats

Recently, a French-speaking cybercriminal infiltrated a small automotive business in France, deploying a keylogger to capture sensitive banking and email credentials. The breach, characterized by conventional tactics, took an unexpected turn with a strategic decision made towards the end of the operation.

Prior to the shutdown of the attacker’s command-and-control (C2) server, the intruder installed OpenSSH and Tailscale on the compromised machine, creating a persistent access path that did not require the C2 server at all. When the Havoc C2 server went dark, the attacker kept his access. Eighteen days later, when the C2 came back, the malicious agents automatically reconnected, allowing the intruder to continue exploiting the compromised environment.

The operation was meticulously documented by Cato Networks, which tracked 339 command executions over 33 days after the attacker inadvertently left SSH keys and an operational playbook in an unsecured storage location. The detailed analysis, authored by Cato CTRL researcher Vitaly Simonovich, offers a rare glimpse into the attack from the criminal’s perspective, rather than just the aftermath.

It is imperative to note that simply taking down a C2 server does not mitigate the threat if an alternate access route has been established. The infiltrator, identified by the handle “Poisson,” does not belong to a sophisticated advanced persistent threat (APT) group. Instead, he is characterized as a junior operator, active predominantly after 3 p.m. CET, utilizing low-cost tools and services like DuckDNS and Backblaze B2.

Throughout the intrusion, Poisson repeatedly exposed his own environment. He mismanaged his operational security by leaking directory paths and naming storage buckets after his online handle. Despite this, he managed to compromise four machines, achieving his objectives without employing advanced techniques.

The malware used in this attack primarily operated in memory. Initially, a VBScript stager, designed to evade sandbox detection, decrypted a PowerShell loader that subsequently fetched a .NET loader to execute Havoc’s Demon agent without writing malicious files to disk. While attempting privilege escalation with PowerShell’s Start-Process -Verb RunAs, the attacker had to contend with User Account Control (UAC) consent prompts, often requiring multiple attempts.

Once established, the intruder set up a scheduled task with the highest privileges, injected shellcode into the Windows Explorer process, and created a custom RustDesk version as a backup access channel. The Python-based keylogger captured keystrokes without any beaconing or exfiltration servers. Poisson manually retrieved files, keeping systems awake to facilitate ongoing data collection.

Significantly, during a concentrated effort on April 7, the attacker installed OpenSSH Server and Tailscale, integrating the victim’s system into his private Tailscale network, which provided access via an encrypted channel with no visible ports exposed. When the C2 infrastructure went offline the next day, the access was unaffected due to this alternate route.

When the C2 returned on April 26, the attacker resumed operations seamlessly, executing an additional 145 commands over the following days and probing for security tokens and certificates. The limited scope of Poisson’s objectives became evident: he focused solely on gathering login information for the banking and government services the small business relied on, and left no trace of exfiltrated documents.

The techniques themselves are not novel: the use of Tailscale for stealthy communications has previously been observed in operations by established APT groups. What Poisson’s campaign illustrates is a growing trend of repurposing legitimate software for malicious ends.

Cato Networks emphasizes the importance of vigilance in identifying potential threats. Monitoring for unexpected installations of OpenSSH or unusual VPN activity is essential, as is recognizing scheduled tasks set for the highest privileges. The overarching takeaway remains: even when a C2 is taken offline, the discovered persistence mechanisms necessitate thorough investigations to eliminate all potential access points left available to the attacker.
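The three signals Cato calls out (an unexpected OpenSSH Server install, an unexpected VPN service such as Tailscale, and a scheduled task registered with the highest run level) can be hunted directly in Windows event logs. The script below is an added example written for this article, not code from Cato’s report or from the intrusion itself. It runs over a handful of constructed event records shaped like System event 7045 (a service was installed) and Security event 4698 (a scheduled task was created, whose TaskContent field carries the task XML). The service names `sshd` and `Tailscale` are assumptions about how the Windows builds of those tools register themselves, and the hostnames, paths and task names are made up.

```python
"""Hunt for the persistence signals named above over constructed Windows event records.

Handles two event shapes: System 7045 (service installed) and Security 4698
(scheduled task created). Service names are assumed; sample data is constructed.
"""
import xml.etree.ElementTree as ET

# Services an admin would not expect on a workstation without a change record.
# The keys are substrings matched against ServiceName/DisplayName (assumed names).
UNEXPECTED_SERVICES = {
    "sshd": "OpenSSH Server installed",
    "tailscale": "Tailscale service installed",
}


def _local(tag):
    """Strip the XML namespace from an element tag ({ns}Name -> Name)."""
    return tag.split("}")[-1]


def check_service_install(event):
    """Event 7045: return a finding if the installed service is one we would not expect."""
    name = event.get("ServiceName", "").lower()
    display = event.get("DisplayName", "").lower()
    for needle, reason in UNEXPECTED_SERVICES.items():
        if needle in name or needle in display:
            return {"event_id": 7045, "host": event["Host"], "reason": reason,
                    "detail": event.get("ImagePath", "")}
    return None


def check_scheduled_task(event):
    """Event 4698: return a finding if the task XML asks for RunLevel HighestAvailable."""
    try:
        root = ET.fromstring(event.get("TaskContent", ""))
    except ET.ParseError:
        return None  # malformed task XML: nothing to evaluate
    # Task Scheduler XML lives in a default namespace, so compare local names only.
    run_level = next(((el.text or "").strip() for el in root.iter()
                      if _local(el.tag) == "RunLevel"), "")
    if run_level != "HighestAvailable":
        return None
    commands = [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "Command"]
    return {"event_id": 4698, "host": event["Host"],
            "reason": "scheduled task created with RunLevel HighestAvailable",
            "detail": f"{event.get('TaskName', '?')} runs {', '.join(commands) or '<no Exec action>'}"}


HANDLERS = {7045: check_service_install, 4698: check_scheduled_task}


def hunt(events):
    """Dispatch each event to the handler for its ID and collect findings in log order."""
    findings = []
    for event in events:
        handler = HANDLERS.get(event.get("EventID"))
        finding = handler(event) if handler else None
        if finding:
            findings.append(finding)
    return findings


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample events: two suspicious service installs, one benign install,
# one task asking for the highest run level, one ordinary task.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "WS-FIN-02", "ServiceName": "sshd",
     "DisplayName": "OpenSSH SSH Server",
     "ImagePath": r"C:\Windows\System32\OpenSSH\sshd.exe"},
    {"EventID": 7045, "Host": "WS-FIN-02", "ServiceName": "Tailscale",
     "DisplayName": "Tailscale",
     "ImagePath": r"C:\Program Files\Tailscale\tailscaled.exe"},
    {"EventID": 7045, "Host": "WS-FIN-02", "ServiceName": "ContosoBackupAgent",
     "DisplayName": "Contoso Backup Agent",
     "ImagePath": r"C:\Program Files\Contoso\agent.exe"},
    {"EventID": 4698, "Host": "WS-FIN-02", "TaskName": r"\Updater",
     "TaskContent": rf"""<Task version="1.2" xmlns="{TASK_NS}">
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Users\Public\svc.exe</Command></Exec></Actions>
</Task>"""},
    {"EventID": 4698, "Host": "WS-FIN-02", "TaskName": r"\Contoso\Sync",
     "TaskContent": rf"""<Task version="1.2" xmlns="{TASK_NS}">
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Program Files\Contoso\sync.exe</Command></Exec></Actions>
</Task>"""},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['event_id']}] {f['host']}: {f['reason']} ({f['detail']})")
```

On real data the same two handlers can be fed from `Get-WinEvent` output exported as JSON, or from a SIEM query on those event IDs; the point is that each of the three signals from the case is a single, cheap check, and that a task created with the highest run level right after a new service install is exactly the sequence worth alerting on even if the C2 is already gone.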

Viewed through the MITRE ATT&CK framework, the operation covers a familiar chain of tactics: initial access, persistence, privilege escalation and, eventually, credential access. The incident is a potent reminder that a compromise can be deeply rooted and multifaceted, and that mitigation requires a comprehensive, proactive approach rather than a single takedown.
