🔍 What

An attacker from 89.187.185.184 brute-forced SSH on host Clark (172.16.20.43), successfully authenticated as the analyst user after multiple failed attempts, and escalated privileges to root via sudo su. Following privilege escalation, the attacker ran user enumeration (getent passwd), base64-encoded the /etc/passwd file into /root/Documents/encoded.dat, and attempted to exfiltrate it via a curl POST to an external domain. No outbound firewall log was found to confirm whether the transfer succeeded, but the staged file was confirmed to contain /etc/passwd content.

🕐 When

• Aug 07, 2024, 08:21 AM — Successful SSH login for analyst from 89.187.185.184 following failed brute-force attempts
• Aug 07, 2024, 08:26 AM — Alert triggered on suspicious Base64 encoding command
• audit(1723019072.835:8470) — getent passwd executed (user recon)
• audit(1723019219.904:8535) — curl exfil attempt executed

📍 Where

• Hostname: Clark
• Internal IP: 172.16.20.43
• Attacker IP: 89.187.185.184
• Exfil target: http://ukr-net-files-loading-application.ru/upload
• Staged file: /root/Documents/encoded.dat

👤 Who

External attacker operating from 89.187.185.184, flagged on AbuseIPDB for repeated brute-force activity. The compromised account was analyst, which held sudo privileges. The attacker leveraged this to escalate to root.

❓ Why

The attacker brute-forced SSH access, used the analyst account’s sudo rights to reach root, encoded /etc/passwd to obfuscate exfiltrated content, and attempted to POST the file to an external server hosted on a .ru domain. The goal was likely credential harvesting — /etc/passwd exposes which accounts exist and have shell access, enabling follow-on attacks or lateral movement.

🎯 MITRE ATT&CK

📋 IOCs

🔬 Analysis Reports IPAbuseDB https://www.abuseipdb.com/check/89.187.185.184?page=5 🦠 VirusTotal https://www.virustotal.com/gui/url/c78d42195e5a114d333d70812fc29d36425921fbb27d794b20327fb9fcfff08b/details