{
  "name": "Analysis of Attack Case Installing VPN on Korean ERP Server",
  "slug": "analysis-of-attack-case-installing-vpn-on-korean-erp-server",
  "description": "This analysis examines an attack in which a threat actor compromised a Korean company's ERP server, gaining initial access through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of its command-and-control infrastructure. Proper password management and restricting external access could have prevented this incident.",
  "published": "2024-06-17T09:19:25+00:00",
  "created_at": "2024-06-17T09:19:25+00:00",
  "modified_at": "2024-06-17T09:37:32+00:00",
  "created_at_opencti": "2024-06-17T09:19:25+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-17",
    "credential-theft",
    "erp",
    "remote access",
    "softether vpn",
    "sql injection",
    "vpn"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.76.53.110"
      },
      {
        "id": "",
        "name": "167.99.75.170"
      },
      {
        "id": "",
        "name": "https://bashupload.com/-nsU2/1.txt"
      },
      {
        "id": "",
        "name": "http://45.77.44.127/vmtoolsd.xn--exe-to0a"
      },
      {
        "id": "",
        "name": "http://45.77.44.127/vmtoolsd.exe"
      },
      {
        "id": "",
        "name": "http://167.99.75.170/vmtoolsd.exe"
      },
      {
        "id": "",
        "name": "http://167.99.75.170/tun02/vpn_server.config"
      },
      {
        "id": "",
        "name": "http://167.99.75.170/tun02.bat"
      },
      {
        "id": "",
        "name": "http://167.99.75.170/dns003/sqlwritel.exe"
      },
      {
        "id": "",
        "name": "http://167.99.75.170/dns003/hamcore.se2"
      },
      {
        "id": "",
        "name": "http://116.202.251.4/vmtoolsd.exe"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:43a699fbc99646bf",
        "name": "SoftEther VPN",
        "slug": "softether-vpn"
      }
    ],
    "attack_patterns": [
      {
        "id": "5ad57ae8-89d5-41e0-8ab6-ad9f99713232",
        "name": "T1587.002"
      },
      {
        "id": "f7bc1740-747c-458e-aca7-fd05c60f06f3",
        "name": "T1550.002"
      },
      {
        "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d",
        "name": "T1003.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c1e3fabe-9e8b-4e8f-a1f8-bf23e234e770",
        "name": "T1485"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Korea, Democratic People's Republic of"
      },
      {
        "id": "",
        "name": "Korea, Republic of"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/66843/",
    "https://otx.alienvault.com/pulse/66701bbd4c046c7375b72e00"
  ]
}