Hackers often attack ERP servers, as these servers contain crucial information about a company’s activities and operations, its customers, and various business processes in the organization.
Compromising an ERP server can enable a threat actor to access sensitive and valuable information, facilitate fraud, and disrupt business operations, making it a high-value target for threat actors.
Recently, the AhnLab Security Intelligence Center (ASEC) revealed an attack in which a hacker hacked into a Korean company’s enterprise resource planning server and set up a SoftEther VPN server.
Hackers Attacking ERP Server
At first, the attacker directed his or her efforts towards MS-SQL service, establishing control over it and then introducing a web shell for future use before finally installing SoftEther VPN service to turn the infected host into a VPN server.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
Threat actors often employ proxy tools such as HTran and FRP alongside malware like SystemBC or Bunitu to access internal networks.
Sometimes, VPN services have been installed, though proxy tools and malware are usually involved.
Occasionally, GALLIUM, ToddyCat, and UNC3500, among other threat actors, exploit SoftEther VPN, intending to infiltrate target systems via its implemented VPN servers since it is an open-source program.
The attacker launched a strike on the Korean company’s ERP server, which had been connected to a very weak MS-SQL server. The attacker used these commands to survey networks and test payload downloads.
An effort was made to install “vmtoolsd1.exe” along with a genuine MS VisualStudio Code download.
After trying this, the attacker then challenged through a web shell from “bashupload.com” and stole people’s passwords via commands. They also enabled credential caching and saved the SAM registry hive.
Here below, we have mentioned all the commands used:-
- ping -n 10 127.0.0.1
- whoami
- ipconfig
- hostname
- tasklist
- query user
- netstat -ano -p tcp
The “sqlwrite1.exe” file was executed as a batch script, and the SoftEther VPN server using “hamcore.se2” and “vpn_server.config” files was installed in one go.
Command execution using the web shell (Source – ASEC).
The attacker seemingly aimed to use the compromised ERP server as part of the C&C infrastructure, not a standalone VPN server.
The configuration file sets up a “cascade connection” to another VPN server, enhancing security/privacy and hindering C&C tracking.
The initial infiltration vector was poorly secured MS-SQL database credentials.
Admins must use strong, regularly changed passwords and restrict external access to database servers via firewalls to prevent such breaches, allowing continuous malware infections.
IoCs
MD5s:-
- aac76af38bfd374e83aef1326a9ea8ad: Downloader Batch (tun02.bat)
- ef340716a83879736e486f331d84a7c6: SoftEther Config (vpn_server.config)
C&C Server:-
- 45.76.53[.]110:443: VPN server
Download URLs:-
- hxxp://45.77.44[.]127/vmtoolsd.exe
- hxxp://116.202.251[.]4/vmtoolsd.exe
- hxxp://167.99.75[.]170/vmtoolsd.exe
- hxxps://bashupload[.]com/-nsU2/1.txt
- hxxp://167.99.75[.]170/tun02.bat
- hxxp://167.99.75[.]170/dns003/hamcore.se2
- hxxp://167.99.75[.]170/dns003/sqlwritel.exe
- hxxp://167.99.75[.]170/tun02/vpn_server.config
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free