{"id":8916,"date":"2025-12-04T04:03:34","date_gmt":"2025-12-04T04:03:34","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/04\/32536\/"},"modified":"2025-12-04T04:03:34","modified_gmt":"2025-12-04T04:03:34","slug":"32536","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/04\/32536\/","title":{"rendered":"Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th)"},"content":{"rendered":"\n<div>Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th)<\/div>\n<div>\n<p>[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu <a href=\"https:\/\/www.sans.edu\/cyber-security-programs\/bachelors-degree\/\">BACS<\/a> program]<\/p>\n<p>The ISC internship didn&#8217;t just teach me about security; it changed how I thought about threats entirely. There&#8217;s something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That&#8217;s where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!<\/p>\n<p><strong><span style=\"font-size:16px;\">The Beginning\u2026<\/span><\/strong><\/p>\n<p>On November 10, 2025, my honeypot captured activity that demonstrates how far modern threat actors have evolved. 
What initially appeared to be a simple but successful SSH brute force attempt quickly revealed itself as something far more concerning: the deployment of an advanced trojan designed for long-term persistence and evasion.<\/p>\n<p><span style=\"font-size:16px;\"><strong>What happened?<\/strong><\/span><\/p>\n<p>Suspicious activity was detected when the IP address 103[.]148[.]195[.]161 successfully SSH\u2019d into my honeypot using the username \u201croot\u201d and the password \u201clinux\u201d. The bad actor maintained access to the honeypot for 1 minute and 45 seconds but ultimately ran no commands. Instead, the attacker uploaded a single file, a trojan binary named \u201csshd\u201d designed to evade security detections by pretending to be the OpenSSH daemon. It was an Executable and Linkable Format (ELF) binary (<span style=\"font-family:Courier New,Courier,monospace;\">7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d<\/span>) that was classified as malicious by VirusTotal and Hybrid-Analysis.<\/p>\n<p>We won\u2019t be able to see what the trojan did on my honeypot at this time; however, I found the hash on Hybrid-Analysis and got a good idea of what the trojan does.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/Jackie_Nguyen_pic1.png?ssl=1\" style=\"width: 624px; height: 309px;\"><\/p>\n<p>A screenshot of the cowrie output using Jesse La Grew\u2019s cowrieprocessor [<a href=\"https:\/\/github.com\/jslagrew\/cowrieprocessor\">4<\/a>]<\/p>\n<p><span style=\"font-size:16px;\"><strong>Trojan File Analysis<\/strong><\/span><\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/Jackie_Nguyen_pic2.png?ssl=1\" style=\"width: 744px; height: 86px;\"><\/p>\n<p><span style=\"font-size:16px;\"><strong>MITRE ATT&amp;CK MAPPING<\/strong><\/span><\/p>\n<p>\u2022\u00a0 \u00a0 T1078 &#8211; Valid 
Accounts<br \/>\n\u2022\u00a0 \u00a0 T1110.001 &#8211; Brute Force<br \/>\n\u2022\u00a0 \u00a0 T1204.002 &#8211; User Execution<br \/>\n\u2022\u00a0 \u00a0 T1036.005 &#8211; Masquerading<br \/>\n\u2022\u00a0 \u00a0 T1554 &#8211; Compromise Client Software Binary<br \/>\n\u2022\u00a0 \u00a0 T1548.001 &#8211; Abuse Elevation Control Mechanism<br \/>\n\u2022\u00a0 \u00a0 T1027 &#8211; Obfuscated Files or Information<br \/>\n\u2022\u00a0 \u00a0 T1497 &#8211; Virtualization\/Sandbox Evasion<br \/>\n\u2022\u00a0 \u00a0 T1480 &#8211; Execution Guardrails<br \/>\n\u2022\u00a0 \u00a0 T1003.008 &#8211; OS Credential Dumping<\/p>\n<p><span style=\"font-size:16px;\"><strong>Prevent Similar Attacks<\/strong><\/span><\/p>\n<p>1.\u00a0 \u00a0 Disable Password Authentication and utilize SSH keys instead<br \/>\n2.\u00a0 \u00a0 IP Allowlisting<br \/>\n3.\u00a0 \u00a0 IDS\/IPS\/EDR<br \/>\n4.\u00a0 \u00a0 Threat Hunting<br \/>\n5.\u00a0 \u00a0 MFA<\/p>\n<p><span style=\"font-size:16px;\"><strong>What does this show?<\/strong><\/span><\/p>\n<p>This shows how much effort sophisticated attackers will put into long-term persistence and advanced evasion. Attacks from a government IP address don\u2019t always mean it\u2019s the government; more likely, that address was compromised. If you think about it logically, why would a nation-state threat actor use their actual government IP address to execute attacks?<\/p>\n<p><span style=\"font-size:16px;\"><strong>Importance?<\/strong><\/span><\/p>\n<p>It\u2019s important when working on a high-performing security team not to attribute attacks to the wrong threat actor. Politically, this may cause problems, especially if the company you\u2019re working for has a large media presence. Problems including wrongful retaliation and political tension could arise from making this mistake.<\/p>\n<p>This attack also shows how threat actors use legitimate processes to blend in with normal ones. 
We must remember that this attacker\u2019s goal is most likely long-term, so they will do everything they can to evade your defenses.<\/p>\n<p><span style=\"font-size:16px;\"><strong>Actionable Intelligence for Defenders<\/strong><\/span><\/p>\n<p>Threat hunting is a critical part of any security program, and concrete Indicators of Compromise (IOCs) like file hashes, malicious IP addresses, and more give teams actionable intelligence to use immediately. This observation also helps defenders understand what to look for: brief sessions without commands can be just as dangerous as those with suspicious activity.<\/p>\n<p><span style=\"font-size:16px;\"><strong>Key Takeaways<\/strong><\/span><\/p>\n<p>This attack shows how threat actors are getting more sophisticated. By uploading a legitimate-looking trojan instead of running commands, the attacker could have avoided the typical red flags most monitoring tools look for. The use of a government IP address also teaches an important lesson: don\u2019t jump to conclusions based solely on the IP block owner, since that block might have been compromised. 
For analysts out there, what seems to be a quiet session can sometimes be the most dangerous.<\/p>\n<p>[1] https:\/\/www.virustotal.com\/gui\/file\/7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d\/detection<br \/>\n[2] https:\/\/www.abuseipdb.com\/whois\/103.148.195.161<br \/>\n[3] https:\/\/hybridanalysis.com\/sample\/7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d\/6542c8b6abeb51c5ee0bbf2a<br \/>\n[4] https:\/\/github.com\/jslagrew\/cowrieprocessor<br \/>\n[5] https:\/\/www.sans.edu\/cyber-security-programs\/bachelors-degree\/<\/p>\n<p>&#8212;&#8212;&#8212;&#8211;<br \/>\nGuy Bruneau <a href=\"http:\/\/www.ipss.ca\/\">IPSS Inc.<\/a><br \/>\n<a href=\"https:\/\/github.com\/bruneaug\/\">My GitHub Page<\/a><br \/>\nTwitter: <a href=\"https:\/\/twitter.com\/guybruneau\">GuyBruneau<\/a><br \/>\ngbruneau at isc dot sans dot edu<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32536\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th) [This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program] The ISC internship didn&#8217;t just teach me about security, it changed how I thought about threats entirely. 
There&#8217;s something intriguing about watching live attacks materialize on your [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-8916","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8916"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8916"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8916\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}