Incident Score: Analysis & Impact (REA1772713454)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (95%), supported by evidence indicating exploitation of CVE-2025-55182 (React2Shell, CVSS 10.0) and Phishing: Spearphishing Attachment (T1566.001) with lower confidence (30%), supported by evidence indicating no direct evidence, but common in DPRK crypto campaigns. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Python (T1059.004) with moderate to high confidence (80%), supported by evidence indicating python script reused Tron wallet keys for balance checks and Exploitation for Client Execution (T1203) with high confidence (90%), supported by evidence indicating arbitrary commands executed via React2Shell (CVE-2025-55182). Under the Persistence tactic, the analysis identified Account Manipulation (T1098) with moderate to high confidence (70%), supported by evidence indicating aWS access tokens abused for cloud infiltration and Server Software Component: Web Shell (T1505.003) with moderate confidence (60%), supported by evidence indicating vShell server (port 8082) used for C2. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating aWS access tokens validated via AWS STS and Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate confidence (50%), supported by evidence indicating kubernetes cluster access via `aws eks update-kubeconfig`. Under the Defense Evasion tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (90%), supported by evidence indicating aWS access tokens abused to blend with legitimate traffic, Impair Defenses: Disable or Modify System Firewall (T1562.004) with lower confidence (40%), supported by evidence indicating wAF-bypass techniques used for mass scanning, and Masquerading: Rename System Utilities (T1036.003) with moderate confidence (60%), supported by evidence indicating fast Reverse Proxy (FRP) on port 53 for covert tunneling. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with high confidence (90%), supported by evidence indicating private keys, AWS credentials, Kubernetes ConfigMaps extracted, Unsecured Credentials: Cloud Instance Metadata API (T1552.005) with moderate to high confidence (70%), supported by evidence indicating aWS Secrets Manager accessed for credentials, and Steal Application Access Token (T1528) with high confidence (90%), supported by evidence indicating aWS access tokens abused for cloud infiltration. Under the Discovery tactic, the analysis identified Account Discovery: Cloud Account (T1087.004) with high confidence (90%), supported by evidence indicating aWS IAM enumerated for high-value artifacts, Network Service Discovery (T1046) with moderate to high confidence (80%), supported by evidence indicating mass-scanning tools used to identify exposed crypto platforms, Cloud Storage Object Discovery (T1619) with high confidence (90%), supported by evidence indicating s3, RDS, EC2, Lambda, EKS enumerated for secrets, and Container and Resource Discovery (T1622) with high confidence (90%), supported by evidence indicating kubernetes pods listed across namespaces. Under the Collection tactic, the analysis identified Data from Cloud Storage (T1530) with high confidence (90%), supported by evidence indicating terraform state files, private Git repos cloned, Data from Code Repositories (T1213.003) with high confidence (90%), supported by evidence indicating private Git repositories cloned for backend visibility, and Unsecured Credentials: Container API (T1552.008) with moderate to high confidence (80%), supported by evidence indicating docker images pulled from private ECR registries. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating vShell server (port 8082) and FRP (port 53) used for C2, Proxy: External Proxy (T1090.002) with moderate to high confidence (70%), supported by evidence indicating vPN exit nodes used to obscure origins, and Encrypted Channel: Asymmetric Cryptography (T1573.002) with moderate confidence (60%), supported by evidence indicating c2 infrastructure consistent with DPRK-linked operations. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating backend source code, Docker images, Git repos exfiltrated and Transfer Data to Cloud Account (T1537) with moderate to high confidence (70%), supported by evidence indicating data likely staged in attacker-controlled cloud storage. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with moderate to high confidence (80%), supported by evidence indicating cryptocurrency theft via compromised wallet keys and Account Access Removal (T1531) with moderate confidence (50%), supported by evidence indicating potential future denial of service via infrastructure sabotage. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.