CheckMesh: Hidden Threats in Your FW
Essential information
- Published
- 05/08/2024 08:43
- Modified
- 05/08/2024 09:05
- Tags
- 2024-08-05 advanced persistent threat credential-theft encrypted communication firewall compromise lateral movement meshagent
- Related entities
- 9 observables, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware, 1 others
Description
This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.