NSA-linked Bvp47 Linux backdoor widely undetected for 10 years
Pangu Lab's incident analysis involved three servers, one being the target of an external attack and two other internal machines - an email server and a business server.
According to the researchers, the threat actor established a connection between the external server and the email server via a TCP SYN packet with a 264-byte payload. "At almost the same time, the [email] server connects to the [business] server's SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing PowerShell scripts through scheduled tasks" - Pangu Lab.
Machine A connects to port 80 of the V1 server to send a knock request and start the backdoor program on the V1 server.
The V2 server connects to the backdoor web service opened on the V1 server, and obtains PowerShell execution from the V1 server.
The V1 server synchronizes its data exchange with machine A and acts as a data relay between machine A and the V2 server.
Based on the communication technique used between the three servers, as described above, the researchers assess that the backdoor is the creation of "An organization with strong technical capabilities."
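The knock described above rides in a TCP SYN segment that already carries data, which ordinary clients rarely send. As an added example (not code from Pangu Lab or the original article), the following Python check flags IPv4 SYN-without-ACK packets with a non-empty payload and notes whether a TCP Fast Open option (a legitimate source of SYN data) is present; the addresses, ports and filler payload in `build_packet` are constructed test input.

```python
import socket
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
TFO_KIND = 34  # TCP Fast Open option (RFC 7413): benign reason for data in a SYN

def has_option(options: bytes, kind: int) -> bool:
    """Walk the TCP option list and report whether `kind` is present."""
    i = 0
    while i < len(options):
        current = options[i]
        if current == 0:          # End of Option List
            break
        if current == 1:          # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                 # malformed option, stop parsing
        if current == kind:
            return True
        i += options[i + 1]
    return False

def inspect_syn(packet: bytes):
    """Return (payload_len, has_tfo) for an IPv4 TCP SYN carrying data, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None               # too short, not IPv4, or not TCP
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", packet, 2)
    if ihl < 20 or frag & 0x1FFF:  # bad header, or a non-first fragment
        return None
    tcp = packet[ihl:min(total_len, len(packet))]
    if len(tcp) < 20:
        return None
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not flags & TCP_SYN or flags & TCP_ACK or not 20 <= data_off <= len(tcp):
        return None               # only the initial SYN of a handshake is of interest
    payload_len = len(tcp) - data_off
    if payload_len == 0:
        return None               # ordinary SYN, no data
    return payload_len, has_option(tcp[20:data_off], TFO_KIND)

def build_packet(flags: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test input: IPv4/TCP packet, checksums zeroed (not validated above)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (20 + len(options)) // 4 << 4, flags, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return ip + tcp
```

A hit with `has_tfo` false on a server that does not use TCP Fast Open is the case worth alerting on; the payload length can then be compared against the 264 bytes the researchers reported.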