009. Anti-Forensics and China-nexus

Hello everyone! Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. The vulnerability impacts Ivanti Connect Secure VPN appliances, and successful exploitation could result in unauthenticated remote code execution. This activity was attributed to a China-nexus cluster.

Despite the fact threat actors used a zero-day to gain initial access, there are lots of detection and hunting opportunities for post exploitation!

Let's focus on anti-forensics techniques:

  • The adversary used dmesg with the -C parameter to clear the kernel debug log: dmesg -C
  • Used sed with the -i parameter to delete selected entries from application log files in place: sed -i '/segfault/d' debuglog
  • Deleted state dumps and any core dumps using rm with the -rf parameters: rm -rf /data/var/statedumps/*
As you can see, threat actors can make forensic examination a tough task. At the same time, anti-forensic methods are often quite common and easy to detect if the appropriate logs are collected.
Have you seen any interesting anti-forensic techniques recently? Share them in the comments section!
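To show what "easy to detect if the appropriate logs are collected" looks like in practice, here is an added hunting example (my code, not from the original post or from Mandiant): it runs over a few constructed process-execution log lines and flags the three command patterns listed above, while leaving benign lookalikes (dmesg -T, rm -rf on a build directory, sed -i on a config file) alone. The log line format, the uid/pid values and the file paths other than the three commands quoted in the post are assumptions made up for the example.

```python
"""Hunt for the anti-forensic command patterns described in the post in a
process-execution log. Constructed example, not code from the original post."""
import re
import shlex
from os.path import basename

# Constructed sample log lines (timestamp, uid, pid, command line). The three
# flagged commands mirror the ones in the post; the rest are benign lookalikes.
LOG_LINES = [
    "2024-12-15T02:11:03Z uid=0 pid=4123 cmd=dmesg -C",
    "2024-12-15T02:11:09Z uid=0 pid=4130 cmd=sed -i '/segfault/d' debuglog",
    "2024-12-15T02:11:15Z uid=0 pid=4137 cmd=rm -rf /data/var/statedumps/*",
    "2024-12-15T02:12:00Z uid=1000 pid=4201 cmd=dmesg -T",
    "2024-12-15T02:12:30Z uid=1000 pid=4210 cmd=rm -rf /tmp/build",
    "2024-12-15T02:13:00Z uid=1000 pid=4222 cmd=sed -i 's/foo/bar/' config.ini",
]

# Assumed log line layout: "<ts> uid=<n> pid=<n> cmd=<command line>".
LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Split one log line into (ts, uid, pid, argv). shlex keeps a quoted
    sed script as a single token, the way the shell would."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], int(m["uid"]), int(m["pid"]), shlex.split(m["cmd"])


def short_flags(argv):
    """Collect single-dash option letters, e.g. ['-rf', '-v'] -> {'r','f','v'}."""
    return {c for a in argv[1:] if a.startswith("-") and not a.startswith("--") for c in a[1:]}


def classify(argv):
    """Return a technique label for an anti-forensic command line, else None."""
    if not argv:
        return None
    prog = basename(argv[0])
    args = argv[1:]
    flags = short_flags(argv)
    targets = [a for a in args if not a.startswith("-")]

    # dmesg -C / --clear empties the kernel ring buffer (the debug log).
    if prog == "dmesg" and ("C" in flags or "--clear" in args):
        return "dmesg_clear"

    # sed -i rewrites a file in place; flag it when the script deletes lines
    # or the file looks like a log, i.e. selective tampering rather than a wipe.
    if prog == "sed" and any(a.startswith("-i") or a == "--in-place" for a in args):
        script = targets[0] if targets else ""
        files = targets[1:]
        deletes = re.search(r"/d$", script) is not None
        touches_log = any("log" in basename(f).lower() for f in files)
        if deletes or touches_log:
            return "sed_inplace_log_edit"

    # rm with recursive + force against dump/core locations.
    recursive = bool(flags & {"r", "R"}) or "--recursive" in args
    force = "f" in flags or "--force" in args
    if prog == "rm" and recursive and force:
        if any("dump" in t.lower() or "core" in t.lower() for t in targets):
            return "rm_dump_wipe"
    return None


def hunt(lines):
    """Run classify() over every parseable line; return one finding per match."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, uid, pid, argv = parsed
        technique = classify(argv)
        if technique:
            findings.append({"ts": ts, "uid": uid, "pid": pid,
                             "technique": technique, "cmd": " ".join(argv)})
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f"{f['ts']} pid={f['pid']} uid={f['uid']} {f['technique']}: {f['cmd']}")
```

The point of the three rules is that none of them needs the log that was tampered with: they only need a process-execution source (auditd execve records, EDR telemetry or a shell audit) that is shipped off the appliance before the adversary can touch it. Each rule pairs the tool with its destructive option and the kind of target, which keeps ordinary dmesg reads, config edits and build-directory cleanups out of the results.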

See you tomorrow!
