A recent cybersecurity incident involving a junior hacker employing OpenSSH and Tailscale has raised concerns in the industry. This attacker, targeting a small French automotive company, initially managed to plant a keylogger and extract sensitive banking and email credentials. What seemed like an ordinary breach took an unexpected turn with the hacker’s strategic use of OpenSSH and Tailscale, allowing continued access even after the loss of a command-and-control (C2) server.
Hacker’s Innovative Approach
The attacker’s clever move came just before their C2 server went offline. By integrating OpenSSH and Tailscale into the compromised system, the hacker established a secure and independent access route. This move ensured that, even when the C2 infrastructure was deactivated, the attacker retained connectivity. After an 18-day hiatus, the C2 server was reactivated, and the hacker’s agents seamlessly reconnected, demonstrating the robustness of the alternative access pathway.
Researchers from Cato Networks documented this incident meticulously, capturing 339 commands over a span of 33 days. The operator, using the alias “Poisson,” inadvertently left behind crucial evidence such as SSH keys and operational instructions, providing a unique perspective into the hacker’s activities.
Analyzing the Hacker’s Operation
Despite being labeled as a junior operator, Poisson’s actions highlighted significant vulnerabilities. Operating primarily on free-tier services like DuckDNS and IONOS VPS, the hacker’s approach was marked by several missteps. Nevertheless, the attack compromised four machines, demonstrating the potential impact of even less sophisticated cybercriminals.
The attack chain was complex, involving malware that predominantly functioned in memory. Techniques included a VBScript stager to evade sandboxes, followed by a PowerShell loader to execute Havoc’s Demon agent. For privilege escalation, Poisson relied on a non-silent method, requiring user interaction to proceed, which took multiple attempts.
Security Implications and Recommendations
The case underlines crucial security lessons. As demonstrated, removing a C2 server is insufficient if alternative access routes like Tailscale exist. Security experts suggest monitoring for unusual installations such as OpenSSH on Windows workstations and vigilance for Tailscale or reverse SSH tunnels on systems without justified usage.
Additional recommendations include observing for specific script executions from user directories and high-privilege scheduled tasks. Changes in system settings that prevent machines from entering standby mode should also be flagged, alongside blocking services like DuckDNS which are often misused by attackers.
Ultimately, the incident emphasizes the need for comprehensive threat detection strategies that go beyond identifying malicious files to recognizing behavioral patterns indicative of persistent threats. While questions remain about the specifics of files like Thales.zip used in this breach, the broader lesson is clear: a C2 server takedown does not equate to complete remediation if alternative access points remain active.
