Introduction

In this lab, you assume the role of an incident responder investigating a sophisticated compromise of a Linux server within a financial services organization. The server, which was flagged for unusual SSH traffic, has been identified as running a vulnerable version of the XZ Utils software package. The vulnerability, tracked as CVE-2024-3094, was introduced through a supply chain attack that planted a malicious backdoor in liblzma, the library used by the XZ Utils compression tool. The incident highlights the growing threat of supply chain compromises, in which attackers manipulate trusted software to gain access to critical systems.

Your task is to uncover the tactics, techniques, and procedures (TTPs) the attacker used to infiltrate the server and maintain persistence on it. The investigation focuses on analyzing the injected web shell, identifying key artifacts, and tracing the attacker's activities through log analysis. You will also examine the attacker's fallback mechanisms and extract the indicators of compromise (IOCs) needed for a comprehensive incident response.

By working through this lab, you will gain hands-on experience with endpoint forensics, web shell analysis, and log correlation, key skills for detecting and mitigating real-world threats. The scenario covers the technical side of the attack and also underlines the proactive measures that reduce the risk of a similar breach: supply chain monitoring, robust logging, and strict access controls.
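A first triage step for the scenario above is confirming whether the host's XZ Utils build is one of the affected releases. The following script is an added example and is not part of the BlueYard lab material; it relies on one public advisory fact, that the backdoored upstream releases for CVE-2024-3094 were xz 5.6.0 and 5.6.1, and the sample version banners it feeds through the check are constructed.

```python
"""Flag xz / liblzma version strings that match the CVE-2024-3094 releases.

Added example for the lab introduction, not lab material. The only external
fact used is that upstream xz 5.6.0 and 5.6.1 shipped the malicious build
script (public advisory fact).
"""
import re
import subprocess
from typing import Optional

# Upstream release versions that carried the backdoor (public advisory fact).
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# First x.y.z token in an `xz --version` style banner.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")


def parse_xz_version(output: str) -> Optional[str]:
    """Extract the upstream x.y.z version from `xz --version` output.

    Returns None when the banner contains no version at all.
    """
    m = VERSION_RE.search(output)
    return m.group(1) if m else None


def is_backdoored_version(version: str) -> bool:
    """True when the upstream version is one of the backdoored releases.

    Only the x.y.z part is compared, so a distribution rebuild such as
    '5.6.1-1' is still flagged and left for manual confirmation rather than
    silently accepted as patched.
    """
    return version in BACKDOORED_VERSIONS


def assess(output: str) -> dict:
    """Summarize a banner as {'version': str|None, 'backdoored': bool}."""
    version = parse_xz_version(output)
    return {
        "version": version,
        "backdoored": version is not None and is_backdoored_version(version),
    }


def local_xz_version_output() -> str:
    """Run `xz --version` on this host; empty string if xz is unavailable."""
    try:
        proc = subprocess.run(
            ["xz", "--version"], capture_output=True, text=True, timeout=5
        )
        return proc.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


if __name__ == "__main__":
    # Constructed sample banners standing in for real `xz --version` output.
    samples = [
        "xz (XZ Utils) 5.6.1\nliblzma 5.6.1",
        "xz (XZ Utils) 5.4.6\nliblzma 5.4.6",
    ]
    for banner in samples:
        print(assess(banner))
    print("this host:", assess(local_xz_version_output()))
```

Run it on the host under investigation as an ordinary user; a `backdoored: True` result on a production server justifies the deeper artifact and log review the lab walks through, while a `False` result does not by itself clear the host, since a trojanized package could report any banner it likes.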


Analysis

Q1: In the midst of your analysis of the compromised Linux server running XZ Utils, we need to confirm specific
