Infostealer Malware: How Attackers Gain Persistent Access #shorts

BSides Frankfurt · 1:49 · 14 views · Published 2026-03
About this talk
Discover how Infostealer malware infiltrates systems via Docker containers and cloud tunnels. Explore a 2-year investigation revealing persistent threat actors and overlooked access points. #Infostealer #Cybersecurity #Malware #ThreatActor #CloudSecurity
First of all, I wondered how the Infostealer malware got on the system in the first place. So the first question, that would be that it starts with the code execution to these Docker containers that have network access. And then there's some kind of tunnel from that on-premises server up to Google Cloud. So that's basically how they got there. So they had sufficient credentials for that, basically in the environment secrets and so on. So they were able to, yeah, connect up to that machine.

The other question was how long? It's also like, yeah, keep in mind it's different cases, but one of them is like 2 years something from the start to the end, and we were the third company that investigated it. So it's like the first team that investigated it, they are a really, really good team, but I think that the customer gave them a too narrow scope, where it was like "you need to look how this specific thing happened". And they just did that, kind of, which means that they missed the RATs and so on. So we see that, you know, after the investigation they reset a bunch of credentials, and then 2 days later the threat actor dumped the entire Jenkins machine again and they have all credentials, just as nothing happened. So for that reason, and that the threat actor didn't really stress.

They were more interested in keeping access, so installing a bunch of sneaky persistence and all of that, and focus on keeping the access more than "we need this access now", kind of. I mean, the investigation is usually quite fast. The attack is usually very long. I guess it's the short answer.