{"id":7860,"date":"2026-02-22T19:39:46","date_gmt":"2026-02-22T17:39:46","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?post_type=docs&#038;p=7860"},"modified":"2026-02-22T19:39:47","modified_gmt":"2026-02-22T17:39:47","password":"","slug":"analysis-of-insight-nexus-breach","status":"publish","type":"docs","link":"https:\/\/scalemedia.co.za\/cybermedia\/docs\/analysis-of-insight-nexus-breach\/","title":{"rendered":"Analysis of Insight Nexus Breach"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Incident Scenario<\/h2>\n\n\n\n<p>The victim in this incident is&nbsp;<code>Insight Nexus<\/code>, a mid-sized market research and data analytics firm headquartered in Singapore. They provide competitive intelligence and consumer insights for global clients, including Fortune 500 companies in IT and finance. Their infrastructure includes many applications, servers, and hosts, but we&#8217;ll focus on the important ones, such as an internet-facing application stack for clients, a ManageEngine server for IT administration, and a PHP-based customer reporting portal. Because of the nature of their work, they became an attractive target for adversaries interested in client data theft.<\/p>\n\n\n\n<p>Let&#8217;s take a look at the incident to understand some challenges that incident handlers face. This incident shows an example of the patterns repeatedly observed in real-world incidents. The victim in this scenario is&nbsp;<code>Insight Nexus<\/code>, a global market research firm that handles sensitive competitive data for high-profile clients in the IT sector. The firm becomes a target of two distinct threat groups operating simultaneously within its environment. The first threat actor gained entry when system administrators forgot to change the default admin\/admin password on an internet-facing application, i.e.,&nbsp;<code>ManageEngine ADManager Plus<\/code>, after a product update. 
By leveraging this, the attackers logged in successfully, performed reconnaissance, mapped users and machines, and eventually created new privileged Active Directory accounts. Using one of the newly created accounts, the adversaries pivoted further into the environment, identifying an external RDP service exposed by misconfiguration. Exploiting that entry point, they escalated their control and eventually used Group Policy Objects (GPOs) to deploy spyware using an MSI package across multiple endpoints.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights.png\" alt=\"Network monitoring flow diagram. Left: Internet connects to two web consoles\u2014ManageEngine AD Manager and a Client Reports Portal (PHP)\u2014in front of a Firewall. Center: Internal network block containing a Domain Controller, multiple Windows machines, a Database server, and File servers. Event logs from AD Manager and the internal hosts go to a SIEM. Right: SIEM integrates with TheHive, which sends notifications to a SOC Analyst; analyst performs analysis resulting in Alerts and Cases.\"\/><\/figure>\n\n\n\n<p>For days, these activities went unnoticed. The incident was first discovered one day when an analyst from the SOC team investigated an alert on&nbsp;<code>TheHive<\/code>&nbsp;(Security Incident Response Platform) related to the creation of a suspicious file named&nbsp;<code>checkme.txt<\/code>&nbsp;in the root of a web server. Upon investigation, they discovered that it was deliberately placed there as a signature \u2014 &#8220;SilentJackal was here&#8221;. This unusual artifact triggered a deeper investigation. What made the situation more complex was that the SOC team then realized two different threat actor groups were active in the same environment. 
While the first group was still exploring and deploying persistence mechanisms, a second actor had already compromised a vulnerable PHP application, exfiltrated sensitive market research data, and significantly reduced their activity after achieving their objective, leaving only occasional connections to an external IP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Actors<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Crimson Fox<\/code>\u00a0(Primary threat actor): A suspected state-backed group with known links to attacks on the IT industry supply chain. They specialize in credential theft and long-term persistence for data exfiltration. It is a capable and persistent group known for several previous successful attacks related to supply-chain and corporate intelligence.<\/li>\n\n\n\n<li><code>Silent Jackal<\/code>\u00a0(Secondary actor): A loosely organized criminal group focused on opportunistic website defacements and proof-of-concept intrusions, not necessarily financially motivated but disruptive. The members of this group are low-skill web intruders.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Environment &amp; Important Assets<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Public Internet<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>External Web Application (<code>manage.insightnexus.com<\/code>): The web application\u00a0<code>ManageEngine ADManager Plus<\/code>\u00a0provides Active Directory management capabilities to the organization&#8217;s system administrators. 
HTTPS (port 443) was accessible from the Internet (management portal).<\/li>\n\n\n\n<li>Client Reports Portal (<code>portal.insightnexus.com<\/code>): A PHP-based client reporting portal (file upload enabled for reports).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Internal environment structure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Domain Controller<\/code>: DC01.insight.local<\/li>\n\n\n\n<li><code>File Server<\/code>: FS01.insight.local (file share: \\fs01\\projects)<\/li>\n\n\n\n<li><code>Database Server<\/code>: DB01.insight.local contains sensitive databases.<\/li>\n\n\n\n<li><code>Workstations<\/code>: This includes the developer fleet (ranging from DEV-001 to DEV-120), including some workstations with permissions to allow incoming RDP connections. A Windows machine with external RDP exposure was discovered during reconnaissance: DEV-021 (misconfigured).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Perimeter\u00a0<code>firewall<\/code>\u00a0with default logging (<strong>no integration with Threat Intelligence<\/strong>).<\/li>\n\n\n\n<li>Basic\u00a0<code>IDS<\/code>\u00a0with a high false-positive rate.<\/li>\n\n\n\n<li><code>Wazuh<\/code>\u00a0agents on most Windows hosts (partial coverage).<\/li>\n\n\n\n<li>Centralized\u00a0<code>SIEM<\/code>\u00a0(Wazuh) ingesting Windows Sysmon, Windows Security, web server logs, and firewall logs (limited retention).<\/li>\n\n\n\n<li><code>TheHive<\/code>\u00a0is used for case management, with Cortex available for enrichment.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Incident Analysis<\/h2>\n\n\n\n<p>A system administrator noticed unusual outbound connections from the ManageEngine server to an IP address in Eastern Europe while working on the server for scheduled maintenance. 
He called the SOC team and collaborated with them to investigate the alerts to find anything suspicious. One of the SOC analysts started investigating the alerts and found an alert mentioning a suspicious&nbsp;<code>checkme.txt<\/code>&nbsp;file on the same server.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><code>Detection Gap:&nbsp;<\/code>There were too many alerts about new files being created on the servers, and this alert was not escalated due to alert fatigue. They need to reduce some false positives and add more filters.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The SOC team started investigating this incident and found many reconnaissance attempts on the external web applications.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights1.png\" alt=\"Network monitoring diagram. From Internet, traffic reaches two web consoles: ManageEngine AD Manager and a PHP Client Reports Portal (noted: threat actors performing reconnaissance), both behind a Firewall. Internal network includes a Domain Controller, multiple Windows machines, a Database server, and File servers. Event logs from AD Manager and internal hosts flow to a SIEM. The SIEM integrates with TheHive, which sends notifications to a SOC Analyst; analyst performs analysis resulting in Alerts and Cases.\"\/><\/figure>\n\n\n\n<p>Upon further investigation, the responders found that on&nbsp;<code>2025-10-01 03:12:02<\/code>, the threat actor&nbsp;<code>Crimson Fox<\/code>&nbsp;obtained initial access via ManageEngine. Initially, they performed targeted login attempts against&nbsp;<code>manage.insightnexus.com<\/code>. 
They found that the default credentials (i.e.,&nbsp;<code>admin\/admin<\/code>) worked, which means either the system administrators forgot to change the default credentials after an update or they left the web application accessible to everyone on the public internet. The result was unfortunate for the organization, and the threat actors performed an interactive web login via HTTPS. The logon audit report shows this successful login activity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><code>Organizational oversight:&nbsp;<\/code>Despite vendor advisories, the default credentials were never changed. Multi-factor authentication was not enforced, and there was no&nbsp;<a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/glossary\/web-application-firewall-waf\/\" target=\"_blank\" rel=\"noreferrer noopener\">WAF<\/a>&nbsp;inspection on the endpoint. The logon events of the web application were not sent to a centralized SIEM.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights2.png\" alt=\"Network-SOC flow. From the Internet, an attacker logs in to ManageEngine AD Manager with default credentials; Internet also reaches a PHP Client Reports Portal behind a Firewall. Internal network includes a Domain Controller, multiple Windows machines, a Database server, and File servers. Event logs from AD Manager and internal hosts go to a SIEM. The SIEM integrates with TheHive, which sends notifications to a SOC analyst; the analyst performs analysis, producing alerts and cases.\"\/><\/figure>\n\n\n\n<p>There was a Java web vulnerability related to the ManageEngine ADManager Plus product where unauthenticated remote code execution was possible. The actor utilized this and established an outbound C2 over HTTPS to&nbsp;<code>103.112.60.117<\/code>&nbsp;(an attacker-controlled cloud host), impersonating update traffic. 
The following Sysmon Event ID 3 (Network Connection detected) was logged:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Event 3, Sysmon \n\nNetwork Connection detected:\nUtcTime: 2025-10-01 03:18:32.557\nImage: C:\\ManageEngine\\jre\\bin\\java.exe\nDestinationIp: 103.112.60.117\nDestinationPort: 443<\/code><\/pre>\n\n\n\n<p>On&nbsp;<code>2025-10-02 04:02:11<\/code>, attackers enumerated domain users and computers via queries from the ManageEngine console. Using the ManageEngine foothold, they also created a new Domain Administrator account. During Active Directory enumeration, they found that a Windows 10 machine (<code>DEV-021<\/code>) had a publicly exposed RDP port. Developers occasionally use this desktop machine for development and release tasks by connecting over RDP directly to its public IP while working from home. The attacker connected over RDP to this machine using the newly created Domain Administrator account.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights3.png\" alt=\"Network security flow diagram. 
From the Internet, an attacker establishes C2 and uses RDP to an internal host via a Firewall (no threat intel integration). Exposed web consoles: ManageEngine AD Manager and a PHP Client Reports Portal. Inside the network: a Domain Controller, multiple Windows machines (one labeled DEV-021), a Database server, and File servers. Event logs from AD Manager and internal hosts go to a SIEM. The SIEM integrates with TheHive, which sends notifications to a SOC Analyst; analyst performs analysis producing alerts and cases.\"\/><\/figure>\n\n\n\n<p>For this activity, the following event was recorded in the Windows Security event log with Event ID&nbsp;<code>4624<\/code> (An account was successfully logged on); Logon Type 10 is RemoteInteractive, i.e., an RDP session.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>An account was successfully logged on.\n\n Subject:\n    Security ID: SYSTEM\n    Account Name: DEV-021$\n    Account Domain: INSIGHT\n    Time: 2025-10-04T02:03:12Z\n\n Logon Information:\n    Logon Type: 10\n\n Network Information:\n    Workstation Name: DEV-021\n    Source Network Address: 103.112.60.117\n\n New Logon:\n    SubjectUserName: insight\\svc_deployer\n    SourceNetworkAddress: 103.112.60.117<\/code><\/pre>\n\n\n\n<p>After a successful logon, the attackers conducted some domain 
reconnaissance. They found some interesting file shares on the file server, which they attempted to access multiple times. On the file server, they located client project folders that contained draft reports, survey data, and market forecasts.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights0.png\" alt=\"Network attack and monitoring flow. From the Internet, an attacker establishes C2 and uses VPN\/RDP through a Firewall (no threat\u2011intel integration) to internal host DEV\u2011021. Exposed web consoles: ManageEngine AD Manager and a PHP Client Reports Portal. Internal network includes a Domain Controller, multiple Windows machines, a Database Server, and File Servers; sensitive data accessed on network shares. Event logs from AD Manager and internal hosts go to a SIEM, which integrates with TheHive to send notifications to a SOC Analyst, who performs analysis producing alerts and cases.\"\/><\/figure>\n\n\n\n<p>On the file server, multiple event logs were created, such as&nbsp;<code>5140(S, F): A network share object was accessed<\/code>. 
However, no detection rules existed to alert specifically on RDP logons from public IP addresses.<\/p>\n\n\n\n<p>RDP logons of this kind can be detected with the following&nbsp;<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules\/windows\/builtin\/security\/account_management\/win_security_successful_external_remote_rdp_login.yml\" target=\"_blank\" rel=\"noreferrer noopener\">Sigma rule<\/a>, which matches Event ID 4624 with Logon Type 10 and filters out loopback, private, and link-local source ranges:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>title: External Remote RDP Logon from Public IP\nid: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2\nrelated:\n    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc\n      type: derived\nstatus: test\ndescription: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.\nreferences:\n    - https:\/\/www.inversecos.com\/2020\/04\/successful-4624-anonymous-logons-to.html\n    - https:\/\/twitter.com\/Purp1eW0lf\/status\/1616144561965002752\nauthor: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)\ndate: 2023-01-19\nmodified: 2024-03-11\ntags:\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1133\n    - attack.t1078\n    - attack.t1110\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 10\n    filter_main_local_ranges:\n        IpAddress|cidr:\n            - &#039;::1\/128&#039;  # IPv6 loopback\n            - &#039;10.0.0.0\/8&#039;\n            - &#039;127.0.0.0\/8&#039;\n            - &#039;172.16.0.0\/12&#039;\n            - &#039;192.168.0.0\/16&#039;\n            - &#039;169.254.0.0\/16&#039;\n            - &#039;fc00::\/7&#039;  # IPv6 private addresses\n            - &#039;fe80::\/10&#039;  # IPv6 link-local addresses\n    filter_main_empty:\n        IpAddress: &#039;-&#039;\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.\nlevel: medium<\/code><\/pre>\n\n\n\n<p>After exploring and observing for a week, they started compressing and exfiltrating selected data. The attackers packaged stolen client materials into a file named&nbsp;<code>diagnostics_data.zip<\/code>, a filename chosen to resemble routine telemetry. 
The archive was then uploaded to the attacker-controlled host over HTTPS. Because the filename resembled legitimate diagnostics data and the upload used standard HTTPS, it did not immediately raise alarms. This tactic increases the attackers&#8217; chance of exfiltrating data before defenders escalate.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights6.png\" alt=\"Network attack and monitoring flow. From the Internet, an attacker establishes C2 and uses VPN\/RDP through a Firewall to internal host DEV\u2011021. Exposed web consoles: ManageEngine AD Manager and a PHP Client Reports Portal. Internal network contains a Domain Controller, multiple Windows machines, a Database server, and File servers where data is exfiltrated. Event logs from AD Manager and internal hosts go to a SIEM, which integrates with TheHive to notify a SOC analyst, who performs analysis producing alerts and cases.\"\/><\/figure>\n\n\n\n<p>Then, on&nbsp;<code>2025-10-04 02:10:45<\/code>, from&nbsp;<code>DEV-021<\/code>, they executed PowerShell scripts that used domain administrator credentials to create a Group Policy Object (GPO) that pushes an MSI package (<code>java-update.msi<\/code>) across the domain. 
This MSI package created a scheduled task to run a process that performs spying and data exfiltration on the machines.<\/p>\n\n\n\n<p>These events were also captured in the event logs, such as the creation of a new&nbsp;<code>.msi<\/code>&nbsp;file as Sysmon Event ID 11.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Sysmon Event 11: TargetFilename: C:\\Windows\\Temp\\java-update.msi\n<\/code><\/pre>\n\n\n\n<p>Also, Sysmon Event ID 1 captures the command line for the execution of the&nbsp;<code>.msi<\/code>&nbsp;file in the background.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Sysmon Event 1: Image: C:\\Windows\\System32\\msiexec.exe CommandLine: &quot;msiexec \/i C:\\Windows\\Temp\\java-update.msi \/quiet&quot;\n<\/code><\/pre>\n\n\n\n<p>This malware, with spying and data exfiltration capabilities, is deployed on all domain machines using GPO.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights4.png\" alt=\"Network attack and monitoring flow. From the Internet, an attacker establishes C2 and installs spyware via the exposed ManageEngine AD Manager web console; spyware is later pushed by GPO across the domain. A PHP Client Reports Portal is also exposed. Through the Firewall, VPN\/RDP reaches internal host DEV\u2011021 and the wider network: a Domain Controller, multiple Windows machines, a Database server, and File servers (data access\/exfil path shown). Event logs from AD Manager and internal hosts go to a SIEM, which integrates with TheHive to send notifications to a SOC Analyst, who performs analysis generating alerts and cases.\"\/><\/figure>\n\n\n\n<p>Around the same time, another threat actor,&nbsp;<code>Silent Jackal<\/code>, also performed some activities on a separate PHP-based reporting portal. This server had an unpatched file upload vulnerability, which was exploited by the threat actor to gain access to this server. Silent Jackal uploaded a file into the root directory of the web server. Their activities appeared limited to leaving the&nbsp;<code>checkme.txt<\/code>&nbsp;marker file. 
This created noise in the environment and provided defenders with the first clue of compromise.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/insights5.png\" alt=\"Diagram of an attack and monitoring flow. An attacker from the Internet abuses an exploited file\u2011upload vulnerability in a PHP Client Reports Portal (web console) and can reach the internal network through a Firewall. The internal network includes a Domain Controller, multiple Windows machines, a Database Server, and File Servers. ManageEngine AD Manager (web console) and internal hosts send event logs to a SIEM. The SIEM integrates with TheHive, which sends notifications to a SOC analyst, who performs analysis and generates alerts and cases.\"\/><\/figure>\n\n\n\n<p>However, the threat actor did not proceed beyond their initial access. This was likely a low-skill intrusion meant to signal presence rather than cause immediate damage.<\/p>\n\n\n\n<p><code>Organizational oversight:&nbsp;<\/code>No web application firewall monitoring and no regular vulnerability assessments of internet-facing portals.<\/p>\n\n\n\n<p>Crimson Fox reduced high-activity operations, with only occasional low-rate beacons to 103.112.60.117 to check for new instructions. Silent Jackal similarly reduced activity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Immediate Incident Response Actions<\/h2>\n\n\n\n<p>The first tangible discovery was&nbsp;<code>checkme.txt<\/code>&nbsp;by a SOC analyst. 
That file alone would normally be low priority, but the SOC analyst performing correlation saw that, in the same time window, the ManageEngine server showed unusual outbound traffic and multiple login events from an unfamiliar foreign IP.<\/p>\n\n\n\n<p>The analyst correlated the following events:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ManageEngine successful admin logins from foreign IPs.<\/li>\n\n\n\n<li>Sysmon process creation of\u00a0<code>msiexec<\/code>\u00a0installing an MSI across many hosts.<\/li>\n\n\n\n<li>LDAP enumeration logs and GPO changes.<\/li>\n\n\n\n<li>File server file compression and upload logs.<\/li>\n\n\n\n<li>Outbound HTTPS to an unusual IP address.<\/li>\n<\/ul>\n\n\n\n<p>After the correlation, the SOC analyst immediately escalated the incident to the incident response team and opened a case in&nbsp;<code>TheHive<\/code>. The following actions and findings completed the investigation and response:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><code>Case creation and triage<\/code>\n<ul class=\"wp-block-list\">\n<li>The SOC created a TheHive case titled \u201cInsight Nexus \u2014 ManageEngine Compromise,\u201d linked all related alerts (ManageEngine admin logins, Sysmon msiexec events, LDAP enumeration, file server uploads, and the portal\u00a0<code>checkme.txt<\/code>\u00a0event), and assigned roles: Triage Analyst, Forensics Lead, Containment Lead, and Communications Lead.<\/li>\n\n\n\n<li>Priority was set to Critical due to confirmed data exfiltration.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>Containment \u2014 network controls<\/code>\n<ul class=\"wp-block-list\">\n<li>Blocked outbound traffic to\u00a0<code>103.112.60.117<\/code>\u00a0at the perimeter firewall and on host-based firewalls. 
Added temporary egress block rules for the attacker IPs.<\/li>\n\n\n\n<li>Added an IDS signature to alert on connections to\u00a0<code>103.112.60.117<\/code>\u00a0and similar endpoints.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>Containment \u2014 credential &amp; account actions<\/code>\n<ul class=\"wp-block-list\">\n<li>Disabled the ManageEngine admin account and rotated all high-privilege credentials exposed in logs (service accounts, deployer accounts, and any account showing suspicious activity).<\/li>\n\n\n\n<li>Restricted the ManageEngine web console to be accessed only internally.<\/li>\n\n\n\n<li>Implemented forced password changes and immediate revocation of active sessions where possible.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>Host isolation<\/code>\n<ul class=\"wp-block-list\">\n<li>Isolated\u00a0<code>manage.insightnexus.com<\/code>,\u00a0<code>DEV-021<\/code>, and any machines that showed evidence of MSI installation from the production network for forensic collection (network access blocked, but preserved in a manner to allow analysis).<\/li>\n\n\n\n<li>Suspended scheduled tasks and disabled GPO-initiated deployments until confirmation of remediation.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>Collect forensic artifacts<\/code>\n<ul class=\"wp-block-list\">\n<li>On isolated hosts, collected volatile memory, process lists, registry hives, and disk images. 
Exported ManageEngine audit logs and the web server access logs with full timestamps.<\/li>\n\n\n\n<li>Preserved copies of the MSI file (<code>java-update.msi<\/code>), the compressed exfiltrated package (<code>diagnostics_data.zip<\/code>), and any web shell files found in management app directories.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Mapping to MITRE ATT&amp;CK<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Reconnaissance<\/code>: Scanning public assets; MITRE\u00a0<code>T1595<\/code>\u00a0(Active Scanning).<\/li>\n\n\n\n<li><code>Weaponization \/ Initial Access<\/code>: ManageEngine default credentials (<code>T1078.004<\/code>\u00a0&#8211; Valid Accounts), PHP upload exploitation (<code>T1190<\/code>\u00a0&#8211; Exploit Public-Facing Application).<\/li>\n\n\n\n<li><code>Delivery \/ Exploitation<\/code>: Web shell uploads, console command execution; (<code>T1505<\/code>\u00a0&#8211; Server Software Component).<\/li>\n\n\n\n<li><code>Installation \/ Persistence<\/code>: Scheduled tasks, services, GPO-deployed MSI (<code>T1547<\/code>,\u00a0<code>T1543<\/code>,\u00a0<code>T1069<\/code>).<\/li>\n\n\n\n<li><code>Command &amp; Control<\/code>: HTTPS to attacker-controlled IP (<code>T1071.001<\/code>\u00a0&#8211; Web Protocols).<\/li>\n\n\n\n<li><code>Action on Objective \/ Exfiltration<\/code>: Compress and upload project data (<code>T1560<\/code>\/<code>T1041<\/code>).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons Learned<\/h2>\n\n\n\n<p>The following lessons were learned:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Default credentials<\/code>\u00a0on Internet-facing applications remain one of the simplest but most damaging oversights.<\/li>\n\n\n\n<li><code>Multiple concurrent threat actors<\/code>\u00a0can be present in a single environment, with different motivations \u2014 one opportunistic, one highly targeted. 
This complicates response because defenders may underestimate the severity if they only see the \u201cloud\u201d intruder.<\/li>\n\n\n\n<li><code>Failure to correlate alerts<\/code>\u00a0across teams delays containment, giving advanced actors more time to achieve objectives.<\/li>\n\n\n\n<li><code>Post-incident monitoring<\/code>\u00a0must include scanning for persistence mechanisms, since deleting an attacker\u2019s marker file does not neutralize the root cause.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Incident Scenario The victim in this incident is&nbsp;Insight Nexus, a mid-sized market research and data analytics firm headquartered in Singapore. They provide competitive intelligence and consumer insights for global clients, including Fortune 500 companies in IT and finance. Their infrastructure includes many applications, servers, and hosts, but we&#8217;ll focus on the important ones, such as&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"doc_category":[44],"doc_tag":[],"class_list":["post-7860","docs","type-docs","status-publish","hentry","doc_category-incident-handling-process"],"year_month":"2026-04","word_count":2088,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"admin","author_nicename":"admin","author_url":"https:\/\/scalemedia.co.za\/cybermedia\/author\/admin\/"},"doc_category_info":[{"term_name":"Incident Handling 
Process","term_url":"https:\/\/scalemedia.co.za\/cybermedia\/docs-category\/incident-handling-process\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7860"}],"version-history":[{"count":1,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7860\/revisions"}],"predecessor-version":[{"id":7861,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7860\/revisions\/7861"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7860"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_category?post=7860"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_tag?post=7860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}