Hackers Exploit ERP Server to Deploy Proxy and VPN Services

Lilu Anderson


Hackers often target ERP servers because these servers store crucial information about a company’s operations, customers, and various business processes. Compromising an ERP server can give attackers access to sensitive information, enabling fraud and disrupting business operations.

Recently, the AhnLab Security Intelligence Center (ASEC) uncovered an attack where a hacker infiltrated a Korean company’s enterprise resource planning server and set up a SoftEther VPN server.

How the Attack Unfolded

Initially, the attacker compromised the MS-SQL service on the ERP server. From there, they introduced a web shell to maintain future access and finally installed the SoftEther VPN service, converting the compromised server into a VPN server.

Threat actors often use proxy tools such as HTran and FRP, along with malware such as SystemBC or Bunitu, to reach internal networks. Sometimes they also install VPN services, usually in combination with the same proxy tools and malware.

Notable Threat Actors Using SoftEther VPN

Groups such as GALLIUM, ToddyCat, and UNC3500 have abused SoftEther VPN, which is an open-source program, setting up its VPN servers on compromised systems as a way into target networks.

Steps the Attacker Took

The attacker targeted the Korean company’s ERP server, which was backed by a poorly secured MS-SQL server. Commands were executed to survey the network and to test payload downloads, including attempts to install “vmtoolsd1.exe” alongside a genuine Microsoft Visual Studio Code download.

Subsequently, the attacker used a web shell downloaded from “bashupload.com” to run commands aimed at stealing passwords. The commands executed through the web shell were:

ping -n 10 127.0.0.1
whoami
ipconfig
hostname
tasklist
query user
netstat -ano -p tcp

Command execution using the web shell (Source – ASEC).
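The command sequence above is what a defender should be looking for: ordinary Windows reconnaissance binaries whose parent chain leads back to a service that should never be running them, such as sqlservr.exe (via xp_cmdshell) or an IIS worker process hosting a web shell. The following detection is an added example and is not code from the article or from ASEC; the process-creation events are constructed to resemble Sysmon Event ID 1 records, and the example assumes the ERP web front end runs under IIS (w3wp.exe). The SQL Server path is a typical default install location, not one taken from the report.

```python
"""Flag reconnaissance chains launched from MS-SQL or an IIS worker process."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Reconnaissance binaries matching the commands the article lists.
RECON_COMMANDS = {"ping", "whoami", "ipconfig", "hostname", "tasklist", "query", "netstat"}

# Service processes that should not normally be an ancestor of recon tooling:
# sqlservr.exe spawns cmd.exe when xp_cmdshell is abused; w3wp.exe is the IIS
# worker a web shell executes inside (IIS is an assumption of this example).
SERVICE_PARENTS = {"sqlservr.exe", "w3wp.exe"}


def _name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _service_ancestor(event, by_pid, max_depth=5):
    """Walk the parent chain and return the first service parent, if any."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if _name(parent["image"]) in SERVICE_PARENTS:
            return parent
        cur = parent
    return None


def detect_recon_chains(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per service process under which at least `threshold`
    distinct recon commands ran within `window`. PID reuse is ignored here."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)  # ancestor pid -> [(timestamp, command name)]
    for e in events:
        cmd = _name(e["image"]).removesuffix(".exe")
        if cmd not in RECON_COMMANDS:
            continue
        anc = _service_ancestor(e, by_pid)
        if anc is not None:
            hits[anc["pid"]].append((e["ts"], cmd))

    alerts = []
    for anc_pid, items in hits.items():
        items.sort()
        for i in range(len(items)):
            seen = set()
            for ts, cmd in items[i:]:
                if ts - items[i][0] > window:
                    break
                seen.add(cmd)
            if len(seen) >= threshold:
                alerts.append({
                    "ancestor": _name(by_pid[anc_pid]["image"]),
                    "ancestor_pid": anc_pid,
                    "commands": sorted(seen),
                    "first_seen": items[i][0],
                })
                break
    return alerts


def _ev(ts, pid, ppid, image, cmdline=""):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SYS = r"C:\Windows\System32"

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev("2024-05-01T02:10:00", 4000, 600, SQL),
    _ev("2024-05-01T02:11:05", 5000, 4000, SYS + r"\cmd.exe", "cmd.exe /c whoami"),
    _ev("2024-05-01T02:11:05", 5001, 5000, SYS + r"\whoami.exe", "whoami"),
    _ev("2024-05-01T02:11:20", 5010, 4000, SYS + r"\cmd.exe", "cmd.exe /c ipconfig"),
    _ev("2024-05-01T02:11:20", 5011, 5010, SYS + r"\ipconfig.exe", "ipconfig"),
    _ev("2024-05-01T02:12:01", 5020, 4000, SYS + r"\cmd.exe", "cmd.exe /c netstat -ano -p tcp"),
    _ev("2024-05-01T02:12:01", 5021, 5020, SYS + r"\netstat.exe", "netstat -ano -p tcp"),
    # Benign: an administrator running ipconfig from an interactive shell.
    _ev("2024-05-01T09:00:00", 7000, 900, SYS + r"\explorer.exe"),
    _ev("2024-05-01T09:00:10", 7001, 7000, SYS + r"\cmd.exe", "cmd.exe"),
    _ev("2024-05-01T09:00:15", 7002, 7001, SYS + r"\ipconfig.exe", "ipconfig"),
    # A single command under the IIS worker: below the threshold on its own.
    _ev("2024-05-01T10:00:00", 8000, 600, SYS + r"\inetsrv\w3wp.exe"),
    _ev("2024-05-01T10:00:30", 8001, 8000, SYS + r"\cmd.exe", "cmd.exe /c hostname"),
    _ev("2024-05-01T10:00:30", 8002, 8001, SYS + r"\hostname.exe", "hostname"),
]

if __name__ == "__main__":
    for a in detect_recon_chains(SAMPLE_EVENTS):
        print(f"{a['first_seen']} recon chain under {a['ancestor']} "
              f"(pid {a['ancestor_pid']}): {', '.join(a['commands'])}")
```

Walking the parent chain rather than matching only the immediate parent matters because a web shell or xp_cmdshell normally runs the tool through an intermediate cmd.exe; the threshold and window keep a single administrator running ipconfig from being reported.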

The attacker intended to use the compromised ERP server as part of a Command & Control (C&C) infrastructure rather than as a standalone VPN server. The configuration set up a “cascade connection” to another VPN server, which conceals the attacker’s upstream infrastructure and hinders tracking of the C&C channel.

Main Security Breach

The initial infiltration vector was poorly secured MS-SQL database credentials. Admins should implement strong, regularly changed passwords and restrict external access to database servers through firewalls to prevent such breaches.

Indicators of Compromise (IoCs)

MD5s:

  • aac76af38bfd374e83aef1326a9ea8ad: Downloader Batch (tun02.bat)
  • ef340716a83879736e486f331d84a7c6: SoftEther Config (vpn_server.config)

C&C Server:

  • 45.76.53[.]110:443: VPN server

Download URLs:

  • hxxp://45.77.44[.]127/vmtoolsd.exe
  • hxxp://116.202.251[.]4/vmtoolsd.exe
  • hxxp://167.99.75[.]170/vmtoolsd.exe
  • hxxps://bashupload[.]com/-nsU2/1.txt
  • hxxp://167.99.75[.]170/tun02.bat
  • hxxp://167.99.75[.]170/dns003/hamcore.se2
  • hxxp://167.99.75[.]170/dns003/sqlwritel.exe
  • hxxp://167.99.75[.]170/tun02/vpn_server.config
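The indicators above are published defanged (hxxp, [.]), so they have to be refanged before they can be compared against proxy logs, connection records, or file hashes. The script below is an added example, not code from the article or from ASEC: the URLs, C&C address, and MD5 values are the ones listed above, while the proxy log lines, connection records, and file inventory are constructed samples in a simplified format of my own choosing.

```python
"""Refang the published IoCs and match them against sample telemetry."""
import re
from urllib.parse import urlsplit

# IoCs exactly as the article lists them (defanged).
DEFANGED_URLS = [
    "hxxp://45.77.44[.]127/vmtoolsd.exe",
    "hxxp://116.202.251[.]4/vmtoolsd.exe",
    "hxxp://167.99.75[.]170/vmtoolsd.exe",
    "hxxps://bashupload[.]com/-nsU2/1.txt",
    "hxxp://167.99.75[.]170/tun02.bat",
    "hxxp://167.99.75[.]170/dns003/hamcore.se2",
    "hxxp://167.99.75[.]170/dns003/sqlwritel.exe",
    "hxxp://167.99.75[.]170/tun02/vpn_server.config",
]
DEFANGED_C2 = "45.76.53[.]110:443"
KNOWN_MD5 = {
    "aac76af38bfd374e83aef1326a9ea8ad": "Downloader batch (tun02.bat)",
    "ef340716a83879736e486f331d84a7c6": "SoftEther config (vpn_server.config)",
}


def refang(value: str) -> str:
    """Turn hxxp:// and [.] back into a usable URL or address."""
    return re.sub(r"^hxxp", "http", value).replace("[.]", ".")


IOC_URLS = {refang(u) for u in DEFANGED_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}
C2_HOST, _port = refang(DEFANGED_C2).rsplit(":", 1)
C2_PORT = int(_port)

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-05-01T02:13:00 10.0.0.25 GET http://167.99.75.170/tun02.bat 200
2024-05-01T02:13:04 10.0.0.25 GET http://167.99.75.170/dns003/other.bin 404
2024-05-01T02:15:10 10.0.0.40 GET https://update.example.com/patch.msi 200
2024-05-01T02:16:22 10.0.0.25 GET https://bashupload.com/-nsU2/1.txt 200
"""

# Constructed connection records: (source, destination, destination port)
SAMPLE_CONNECTIONS = [
    ("10.0.0.25", "45.76.53.110", 443),
    ("10.0.0.40", "93.184.216.34", 443),
]

# Constructed file inventory: path -> MD5 (the last entry is an unrelated file)
SAMPLE_FILES = {
    r"C:\Windows\Temp\tun02.bat": "aac76af38bfd374e83aef1326a9ea8ad",
    r"C:\ProgramData\tun02\vpn_server.config": "EF340716A83879736E486F331D84A7C6",
    r"C:\Windows\Temp\notes.txt": "d41d8cd98f00b204e9800998ecf8427e",
}


def scan_proxy_log(text: str):
    """Report exact IoC URL matches, and any other request to an IoC host
    (the same host serving a file not on the list is still worth a look)."""
    hits = []
    for line in text.splitlines():
        ts, client, _method, url, _status = line.split()
        if url in IOC_URLS:
            hits.append((ts, client, url, "exact URL"))
        elif urlsplit(url).hostname in IOC_HOSTS:
            hits.append((ts, client, url, "IoC host"))
    return hits


def scan_connections(conns):
    """Return connections to the published VPN C&C address and port."""
    return [(s, d, p) for s, d, p in conns if d == C2_HOST and p == C2_PORT]


def scan_files(inventory):
    """Return files whose MD5 matches a published hash (case-insensitive)."""
    return [(path, KNOWN_MD5[h.lower()])
            for path, h in inventory.items() if h.lower() in KNOWN_MD5]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy :", hit)
    for hit in scan_connections(SAMPLE_CONNECTIONS):
        print("c2    :", hit)
    for hit in scan_files(SAMPLE_FILES):
        print("file  :", hit)
```

Matching on the host as well as the full URL is deliberate: the same server is listed under several paths, so a download of a file that was not in the report from one of those hosts still deserves investigation.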

Preventive Measures

To avoid such breaches, it is essential to:

  • Implement strong passwords.
  • Regularly update these passwords.
  • Restrict external access to crucial servers via firewalls.

By following these guidelines, companies can better protect their sensitive information and operational integrity.
