Analysis of Attack Case Installing VPN on Korean ERP Server
Essential information
- Published: 17/06/2024 11:19
- Modified: 17/06/2024 11:37
- Tags: 2024-06-17, credential-theft, erp, remote access, softether vpn, sql injection, vpn
- Related entities: 11 observables, 7 techniques (MITRE), 1 malware, 3 others
Description
This analysis examines an attack where a threat actor compromised a Korean company's ERP server, initially accessing it through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of a command-and-control infrastructure. Proper password management and restricting external access could have prevented this incident.