Hackers Attacking ERP Servers to Deploy Proxy and VPN Services
Hackers often target ERP servers because these servers store crucial information about a company’s operations, customers, and various business processes. Compromising an ERP server can give attackers access to sensitive information, enabling fraud and disrupting business operations.
Recently, the AhnLab Security Intelligence Center (ASEC) uncovered an attack where a hacker infiltrated a Korean company’s enterprise resource planning server and set up a SoftEther VPN server.
How the Attack Unfolded
Initially, the attacker compromised the MS-SQL service on the ERP server. From there, they introduced a web shell to maintain future access and finally installed the SoftEther VPN service, converting the compromised server into a VPN server.
Threat actors often use proxy tools like HTran and FRP, along with malware such as SystemBC or Bunitu, to reach internal networks. In some cases they also install VPN services alongside those proxy tools and malware.
Notable Threat Actors Using SoftEther VPN
Groups such as GALLIUM, ToddyCat, and UNC3500 have abused SoftEther VPN, an open-source program, standing up its VPN servers to gain and keep access to target systems.
Steps the Attacker Took
The attacker launched an attack on the Korean company’s ERP server, which was linked to a weak MS-SQL server. Commands were executed to survey the network and test payload downloads, including efforts to install “vmtoolsd1.exe” alongside a genuine MS VisualStudio Code download.
Subsequently, the attacker used a web shell from “bashupload.com” to steal passwords through commands. Here are the commands used:
ping -n 10 127.0.0.1
whoami
ipconfig
hostname
tasklist
query user
netstat -ano -p tcp
Command execution using the web shell (Source – ASEC).
The attacker aimed to use the compromised ERP server as part of a Command & Control (C&C) infrastructure, not just as a standalone VPN server. The configuration set up a “cascade connection” to another VPN server, which improves the attacker's operational security and hinders C&C tracking.
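As an added defender-side example (not from the ASEC report), the script below runs the behaviour described above as a detection over constructed process-creation events: a service process (assumed here to be sqlservr.exe for MS-SQL or w3wp.exe for an IIS-hosted web shell) spawning the reconnaissance commands listed above, and any command line referencing the SoftEther artifacts named in the article. The pipe-delimited log format and all host names are assumptions for the example.

```python
import re
from collections import defaultdict

# Reconnaissance commands the article lists as run through the web shell.
RECON = ("whoami", "ipconfig", "hostname", "tasklist", "query user", "netstat", "ping")
# Service processes that should not normally spawn shells (assumed names).
SERVICE_PARENTS = {"sqlservr.exe", "w3wp.exe"}
# File names tied to the SoftEther VPN deployment in the article; hamcore.se2
# is the resource archive that ships with SoftEther.
VPN_ARTIFACTS = ("vpn_server.config", "hamcore.se2", "vpnserver", "tun02.bat")

# Constructed sample events (not real telemetry): ts|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
10:00:01|erp01|services.exe|sqlservr.exe|sqlservr.exe -sMSSQLSERVER
10:00:05|erp01|sqlservr.exe|cmd.exe|cmd.exe /c ping -n 10 127.0.0.1
10:00:07|erp01|sqlservr.exe|cmd.exe|cmd.exe /c whoami
10:00:08|erp01|sqlservr.exe|cmd.exe|cmd.exe /c ipconfig
10:00:09|erp01|sqlservr.exe|cmd.exe|cmd.exe /c tasklist
10:00:10|erp01|sqlservr.exe|cmd.exe|cmd.exe /c netstat -ano -p tcp
10:05:00|erp01|cmd.exe|cmd.exe|cmd.exe /c C:\\Windows\\Temp\\tun02.bat
10:05:30|erp01|cmd.exe|cmd.exe|cmd.exe /c copy vpn_server.config C:\\Windows\\Temp\\
10:30:00|ws07|explorer.exe|cmd.exe|cmd.exe /c ipconfig
"""

def parse_events(text):
    """Parse one event per line into dicts; image names are lower-cased for matching."""
    events = []
    for line in text.splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events

def recon_command(cmdline):
    """Return the reconnaissance command found as a whole word in the command line, else None."""
    low = cmdline.lower()
    for name in RECON:
        if re.search(r"(^|[\s/])" + re.escape(name) + r"(\s|$)", low):
            return name
    return None

def detect(events, min_recon=3):
    """Flag VPN artifacts and recon sequences launched from a service process."""
    findings = []
    recon_by_chain = defaultdict(set)  # (host, parent) -> distinct recon commands seen
    for ev in events:
        cmd = recon_command(ev["cmdline"])
        if cmd and ev["parent"] in SERVICE_PARENTS:
            recon_by_chain[(ev["host"], ev["parent"])].add(cmd)
        if any(a in ev["cmdline"].lower() for a in VPN_ARTIFACTS):
            findings.append(("vpn_artifact", ev["host"], ev["ts"], ev["cmdline"]))
    for (host, parent), cmds in recon_by_chain.items():
        if len(cmds) >= min_recon:  # several distinct recon commands from one service parent
            findings.append(("recon_from_service", host, parent, sorted(cmds)))
    return findings
```

The single ipconfig on ws07 is ignored because its parent is a user shell and it never reaches the recon threshold; the erp01 chain trips both rules.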
Main Security Breach
The initial infiltration vector was poorly secured MS-SQL database credentials. Admins should implement strong, regularly changed passwords and restrict external access to database servers through firewalls to prevent such breaches.
Indicators of Compromise (IoCs)
MD5s:
- aac76af38bfd374e83aef1326a9ea8ad: Downloader Batch (tun02.bat)
- ef340716a83879736e486f331d84a7c6: SoftEther Config (vpn_server.config)
C&C Server:
- 45.76.53[.]110:443: VPN server
Download URLs:
Preventive Measures
To avoid such breaches, it is essential to:
- Implement strong passwords.
- Regularly update these passwords.
- Restrict external access to crucial servers via firewalls.
By following these guidelines, companies can better protect their sensitive information and operational integrity.