Here is the alert received on the SIEM
Firstly, what is CVE-2024-24919? Here is the description on the NIST website.
After some more research, CVE-2024-24919 is a path traversal attack, which explains the request being made to the '/etc/passwd' directory.
The /etc/passwd directory stores user account information, including the user's username, user ID (UID), group ID (GID), home directory, and login shell
This is enough for me to contain the server, and I'll investigate further for any more signs of compromise.
First, I'll start by checking the source IP on the threat intelligence feed. It has been flagged as malicious, specifically because of CVE-2024-24919
It has also been reported on AbuseIPDB and VirusTotal
Searching the logs for the source IP shows three events.
Two of the events correlate with what was seen on the SIEM alert.
Investigating the first log (No Event Time), it says the source address is 203.160.68.12 (the suspicious IP).
However, the raw log says that the IP is 203.160.68.13; this time, it's requesting the '/etc/shadow' directory. This directory stores the encrypted password hashes for user accounts on the system. Also, searching the logs for 203.160.68.13 shows no results, and it's not flagged in the threat intel feed or on AbuseIPDB/Talos/VirusTotal.
Checking the logs for the destination IP (172.16.20.146) shows the same logs seen above and another containing a list of IPs that accessed the server. Here, we see 203.160.68.12 did make three separate connections, and 203.160.68.13 made only one.
The destination address (172.16.20.146) is a server, and it made three connections with 203.160.68.12 and two with 203.160.68.13
