Moses Staff Campaigns Against Israeli Organizations
The initial infiltration was accomplished by leveraging the ProxyShell exploit chain against Microsoft Exchange servers, which allows an unauthenticated attacker to execute arbitrary commands on the server through its exposed HTTPS port. Using this access, the attackers deployed two web shells:
C:/inetpub/wwwroot/aspnet_client/system_web/iispool.aspx
C:/inetpub/wwwroot/aspnet_client/system_web/map.aspx
These two web shells are used in conjunction with one another, and some of their functionalities overlap.
On numerous occasions, map.aspx was used to validate the results of the commands executed through iispool.aspx. After the initial compromise, the attackers spent several days exfiltrating PST files and other sensitive data from the compromised server.
Next, they attempted to steal credentials by creating a memory dump of lsass.exe using a LOLBin (a living-off-the-land binary already present on the system).
Finally, the attackers dropped and installed the backdoor components.
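Both web shells sit under /aspnet_client/, a directory that normally serves only static helper files, so requests for any .aspx file there are worth flagging. The following detector is an added example, not code from the original report: it parses IIS W3C log lines (constructed sample, with RFC 5737 test addresses) and groups hits on the two reported web shell paths, or on any other .aspx under /aspnet_client/, by client IP.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines (not from the original report).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-10-12 08:01:13 10.0.0.5 GET /owa/auth/logon.aspx - 443 192.0.2.10 Mozilla/5.0 200
2021-10-12 08:02:44 10.0.0.5 POST /aspnet_client/system_web/iispool.aspx - 443 198.51.100.7 python-requests/2.25 200
2021-10-12 08:02:51 10.0.0.5 GET /aspnet_client/system_web/map.aspx - 443 198.51.100.7 python-requests/2.25 200
2021-10-12 08:03:02 10.0.0.5 GET /aspnet_client/system_web/ - 443 203.0.113.9 Mozilla/5.0 404
"""

# The two web shell paths reported in the campaign, as they appear in a request URI.
KNOWN_WEBSHELLS = {
    "/aspnet_client/system_web/iispool.aspx",
    "/aspnet_client/system_web/map.aspx",
}
# /aspnet_client/ should not serve server-side pages at all, so any .aspx under it is suspect.
SUSPECT_ASPX = re.compile(r"^/aspnet_client/.*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webshell_activity(text):
    """Return {client_ip: [(time, method, uri, status), ...]} for suspicious requests."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri in KNOWN_WEBSHELLS or SUSPECT_ASPX.match(uri):
            hits[rec["c-ip"]].append((rec["time"], rec["cs-method"], uri, rec["sc-status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_webshell_activity(SAMPLE_LOG).items():
        print(ip)
        for event in events:
            print("   ", *event)
```

Only the two web shell requests from 198.51.100.7 are reported; the legitimate OWA logon and the 404 on the bare directory are ignored.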