Trusted Design

Digging for groundhogs: holes in your linux server

Summary

In July 2015, Check Point's Incident Response team was contacted by a customer after they noticed strange file system activity on one of their Linux-based DNS BIND servers. This strange behavior consisted of a large number of peculiar files being written into sensitive system directories. A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly revealed that the server was indeed compromised. The source of this compromise was traced to an SSH brute-force attack that took place earlier the same month. The attacking IP addresses originated from very distinctive network ranges mostly associated with Chinese Internet service providers. Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server. Once they obtained access to the server, the attackers infected the system with two malicious payloads.

Created: 2026-02-23

Indicators

Similar Pulses

Threat actors related to this Pulse (fact-based)

Magic Hound

Score: 11.29
Matched TTPs:
  • T1099 - Timestomp
  • T1578 - Modify Cloud Compute Infrastructure
  • T1547.002 - Authentication Package
  • T1547.008 - LSASS Driver

HEXANE

Score: 9.64
Matched TTPs:
  • T1099 - Timestomp
  • T1091 - Replication Through Removable Media
  • T1097 - Pass the Ticket
  • T1547.002 - Authentication Package

APT29

Score: 13.65
Matched TTPs:
  • T1099 - Timestomp
  • T1592.004 - Client Configurations
  • T1546.018 - Python Startup Hooks
  • T1547.008 - LSASS Driver

Gamaredon Group

Score: 17.15
Matched TTPs:
  • T1099 - Timestomp
  • T1091 - Replication Through Removable Media
  • T1562.010 - Downgrade Attack
  • T1542.004 - ROMMONkit
  • T1547.002 - Authentication Package
  • T1546.017 - Udev Rules

TA2541

Score: 7.87
Matched TTPs:
  • T1099 - Timestomp
  • T1091 - Replication Through Removable Media
  • T1546.017 - Udev Rules

FIN13

Score: 6.59
Matched TTPs:
  • T1099 - Timestomp
  • T1144 - Gatekeeper Bypass

Turla

Score: 10.50
Matched TTPs:
  • T1099 - Timestomp
  • T1097 - Pass the Ticket
  • T1547.002 - Authentication Package
  • T1546.016 - Installer Packages

Volt Typhoon

Score: 5.58
Matched TTPs:
  • T1099 - Timestomp
  • T1546.016 - Installer Packages

Ember Bear

Score: 6.14
Matched TTPs:
  • T1578 - Modify Cloud Compute Infrastructure
  • T1097 - Pass the Ticket

Silent Librarian

Score: 3.62
Matched TTPs:
  • T1578 - Modify Cloud Compute Infrastructure

Scattered Spider

Score: 12.00
Matched TTPs:
  • T1578 - Modify Cloud Compute Infrastructure
  • T1144 - Gatekeeper Bypass
  • T1027.002 - Software Packing

Sandworm Team

Score: 11.74
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1547.002 - Authentication Package
  • T1075 - Pass the Hash
  • T1546.016 - Installer Packages

Earth Lusca

Score: 4.81
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1546.016 - Installer Packages

Mustang Panda

Score: 10.64
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1169 - Sudo
  • T1055.005 - Thread Local Storage

Kimsuky

Score: 7.66
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1547.002 - Authentication Package
  • T1008 - Fallback Channels

Mustard Tempest

Score: 6.51
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1543.002 - Systemd Service

OilRig

Score: 7.02
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1097 - Pass the Ticket
  • T1547.008 - LSASS Driver

Threat Group-3390

Score: 5.12
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1546.017 - Udev Rules

BlackByte

Score: 8.22
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1562.010 - Downgrade Attack
  • T1027.007 - Dynamic API Resolution

APT32

Score: 8.22
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1592.004 - Client Configurations
  • T1027.007 - Dynamic API Resolution

Moonstone Sleet

Score: 6.89
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1027.007 - Dynamic API Resolution
  • T1547.008 - LSASS Driver

Contagious Interview

Score: 8.34
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1562.010 - Downgrade Attack
  • T1547.008 - LSASS Driver

FIN7

Score: 6.77
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1547.002 - Authentication Package
  • T1027.007 - Dynamic API Resolution

EXOTIC LILY

Score: 4.50
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1547.008 - LSASS Driver

Aquatic Panda

Score: 3.84
Matched TTPs:
  • T1144 - Gatekeeper Bypass

BRONZE BUTLER

Score: 10.16
Matched TTPs:
  • T1592.004 - Client Configurations
  • T1542.004 - ROMMONkit
  • T1008 - Fallback Channels

Fox Kitten

Score: 5.56
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1542.004 - ROMMONkit

APT41

Score: 8.21
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1027.007 - Dynamic API Resolution
  • T1008 - Fallback Channels

APT38

Score: 8.54
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1027.007 - Dynamic API Resolution
  • T1216 - System Script Proxy Execution

APT39

Score: 7.32
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1547.002 - Authentication Package
  • T1027.007 - Dynamic API Resolution

Dragonfly

Score: 5.36
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1546.016 - Installer Packages

Storm-0501

Score: 6.37
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1055.009 - Proc Memory

APT28

Score: 17.03
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1542.004 - ROMMONkit
  • T1547.002 - Authentication Package
  • T1146 - Clear Command History
  • T1546.007 - Netsh Helper DLL

RedCurl

Score: 6.88
Matched TTPs:
  • T1542.004 - ROMMONkit
  • T1055.009 - Proc Memory

Sowbug

Score: 3.03
Matched TTPs:
  • T1542.004 - ROMMONkit

Chimera

Score: 5.43
Matched TTPs:
  • T1542.004 - ROMMONkit
  • T1027.007 - Dynamic API Resolution

menuPass

Score: 3.03
Matched TTPs:
  • T1542.004 - ROMMONkit

APT37

Score: 6.02
Matched TTPs:
  • T1547.002 - Authentication Package
  • T1216 - System Script Proxy Execution

Lazarus Group

Score: 15.51
Matched TTPs:
  • T1547.002 - Authentication Package
  • T1546.016 - Installer Packages
  • T1055.005 - Thread Local Storage
  • T1547.008 - LSASS Driver
  • T1216 - System Script Proxy Execution

INC Ransom

Score: 6.24
Matched TTPs:
  • T1055.009 - Proc Memory
  • T1027.007 - Dynamic API Resolution

Equation

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate

Strider

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate

Leviathan

Score: 5.98
Matched TTPs:
  • T1546.016 - Installer Packages
  • T1546.017 - Udev Rules

Medusa Group

Score: 10.56
Matched TTPs:
  • T1027.007 - Dynamic API Resolution
  • T1216 - System Script Proxy Execution
  • T1094 - Custom Command and Control Protocol

FIN6

Score: 4.92
Matched TTPs:
  • T1027.007 - Dynamic API Resolution
  • T1547.008 - LSASS Driver

PLATINUM

Score: 4.54
Matched TTPs:
  • T1686 - Disable or Modify System Firewall

Rocke

Score: 3.29
Matched TTPs:
  • T1008 - Fallback Channels

RTM

Score: 3.29
Matched TTPs:
  • T1008 - Fallback Channels

Patchwork

Score: 3.29
Matched TTPs:
  • T1008 - Fallback Channels

Molerats

Score: 3.15
Matched TTPs:
  • T1546.017 - Udev Rules

Higaisa

Score: 3.15
Matched TTPs:
  • T1546.017 - Udev Rules

Mofang

Score: 3.15
Matched TTPs:
  • T1546.017 - Udev Rules

Threat actors related to this Pulse (inference-based)

APT28

Score: 0.83
Matched TTPs:
  • T1542.004 - ROMMONkit
  • T1097 - Pass the Ticket
  • T1146 - Clear Command History
  • T1547.002 - Authentication Package
  • T1546.007 - Netsh Helper DLL

Gamaredon Group

Score: 0.80
Matched TTPs:
  • T1542.004 - ROMMONkit
  • T1091 - Replication Through Removable Media
  • T1099 - Timestomp
  • T1562.010 - Downgrade Attack
  • T1547.002 - Authentication Package
  • T1546.017 - Udev Rules

Lazarus Group

Score: 0.72
Matched TTPs:
  • T1547.008 - LSASS Driver
  • T1055.005 - Thread Local Storage
  • T1216 - System Script Proxy Execution
  • T1547.002 - Authentication Package
  • T1546.016 - Installer Packages

APT29

Score: 0.67
Matched TTPs:
  • T1592.004 - Client Configurations
  • T1099 - Timestomp
  • T1547.008 - LSASS Driver
  • T1546.018 - Python Startup Hooks

Sandworm Team

Score: 0.60
Matched TTPs:
  • T1547.002 - Authentication Package
  • T1546.016 - Installer Packages
  • T1091 - Replication Through Removable Media
  • T1075 - Pass the Hash

Scattered Spider

Score: 0.59
Matched TTPs:
  • T1144 - Gatekeeper Bypass
  • T1027.002 - Software Packing
  • T1578 - Modify Cloud Compute Infrastructure

Magic Hound

Score: 0.56
Matched TTPs:
  • T1547.008 - LSASS Driver
  • T1099 - Timestomp
  • T1547.002 - Authentication Package
  • T1578 - Modify Cloud Compute Infrastructure

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph

