In this blog post, I will share insights about a recent detection miss we identified during our research and development efforts aimed at enhancing prevention and detection measures for widespread Linux distributions. This detection miss allowed us to gain full remote control over a Linux host protected by a top-tier SASE provider and an EDR sensor from a leading cybersecurity company, both configured according to the latest security best practices. The affected vendors have since addressed the issues; we remain committed to having such shortcomings fixed before full disclosure.
“Prevention is ideal, but detection is a must, and detection without response is of little value”
– well-known principle in the cyber defense domain
Following the emerging identity threats, paired with the growing abuse of legitimate standard tools and cloud services, we developed an assumed breach scenario in which a threat actor gains a foothold on a Linux host with nothing more than a standard user's identity, and where the host has filtered internet access and is protected by a machine learning- and behaviour analysis-based EDR.
The goal was to infect the Linux host with a Remote Access Trojan, circumvent network and host protections, and gain persistent remote access to the Linux host.
Scenario
The concept we selected is not new. It involves using an Amazon AWS S3 bucket as a Command & Control hub, where base64-encoded payloads containing execution commands are asynchronously exchanged with the remote victim.
Outcome
The R&D tasks resulted in a simple yet undetected Remote Access Trojan called "blake-shell.elf", which allowed us to stealthily remote-control the target host without being disrupted or detected during our command executions. The issue has since been addressed by the involved vendors to ensure proper detection and response to such behaviour.
The results once again highlight the ongoing cat-and-mouse game between defenders and attackers, where an effective cyber defense strategy must involve proactive threat hunting, periodic attack simulation trainings, and both active and passive defense measures to stop skilled hackers – rather than relying solely on multiple, yet similar, "Advanced Threat Protection" technologies.
Expectations
Even though the EDR sensor on the victim host was configured to be highly sensitive, we expected the custom .elf binary to evade static detection. However, the process should still have been terminated eventually due to its suspicious behaviour: spawning multiple Bash child processes using base64-encoded piped commands within a short time frame, originating from an unsigned and unknown parent that was making numerous external beaconing connections. At the very least, a low-severity detection should have been triggered.
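The host-level behaviour described above (an unknown parent spawning several Bash children that run base64-decoded piped commands within a short window, the same pattern the Scenario section attributes to the S3-based C2 exchange) can be written down as a simple detection rule. The following Python example is added here and is not code from the original post or from any of the vendors involved; the process-event format, the sample telemetry, the "trusted path" heuristic standing in for "unsigned and unknown parent" (there is no binary signing on a stock Linux host, so the executable's location is used as a coarse proxy), and the window and threshold values are all assumptions.

```python
"""Detect an untrusted parent that spawns several base64-decode-and-run
shell children within a short time window.

Example code added for illustration; event format, sample data and
thresholds are assumptions, not any vendor's telemetry or rule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data): one record per process start.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z pid=2001 ppid=1 exe=/usr/bin/cron cmd='cron -f'",
    "2024-05-01T10:00:02Z pid=2002 ppid=2001 exe=/usr/bin/bash cmd='bash -c \"echo dXB0aW1l | base64 -d | bash\"'",
    "2024-05-01T10:00:05Z pid=3001 ppid=1 exe=/tmp/blake-shell.elf cmd='/tmp/blake-shell.elf'",
    "2024-05-01T10:00:10Z pid=3002 ppid=3001 exe=/usr/bin/bash cmd='bash -c \"echo aWQ= | base64 -d | bash\"'",
    "2024-05-01T10:00:12Z pid=3003 ppid=3001 exe=/usr/bin/bash cmd='bash -c \"cat /tmp/f | base64 -d > /tmp/out\"'",
    "2024-05-01T10:00:25Z pid=3004 ppid=3001 exe=/usr/bin/bash cmd='bash -c \"echo d2hvYW1p | base64 --decode | sh\"'",
    "2024-05-01T10:00:40Z pid=3005 ppid=3001 exe=/usr/bin/bash cmd='bash -c \"echo dW5hbWUgLWE= | base64 -d | /bin/bash\"'",
    "2024-05-01T10:01:00Z pid=4001 ppid=1 exe=/usr/bin/sshd cmd='sshd: user'",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) exe=(?P<exe>\S+) cmd='(?P<cmd>.*)'$"
)
# "base64 -d|--decode ... | [path/]sh|bash": decoded bytes are fed straight into a shell.
DECODE_PIPE_RE = re.compile(
    r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:/bin/|/usr/bin/)?(?:ba)?sh\b"
)
# Assumption: binaries under package-managed paths are "known"; anything else
# (e.g. /tmp, /dev/shm, home directories) counts as unknown.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")


def parse_event(line):
    """Parse one constructed 'key=value' process-start record into a dict."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["pid"] = int(ev["pid"])
    ev["ppid"] = int(ev["ppid"])
    return ev


def is_decode_and_run(cmd):
    """True when the command line decodes base64 and pipes the result into a shell."""
    return bool(DECODE_PIPE_RE.search(cmd))


def find_suspicious_parents(lines, window_seconds=60, threshold=3):
    """Return one finding per untrusted parent that has at least `threshold`
    decode-and-run children starting within any `window_seconds` span."""
    events = [parse_event(line) for line in lines]
    exe_by_pid = {ev["pid"]: ev["exe"] for ev in events}
    child_times = defaultdict(list)
    for ev in events:
        if is_decode_and_run(ev["cmd"]):
            child_times[ev["ppid"]].append(ev["ts"])

    window = timedelta(seconds=window_seconds)
    findings = []
    for ppid, times in child_times.items():
        parent_exe = exe_by_pid.get(ppid, "<unknown>")
        if parent_exe.startswith(TRUSTED_PREFIXES):
            continue  # known system binary; left to other rules
        times.sort()
        # Sliding window: any `threshold` consecutive starts inside the window trips the rule.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({
                    "ppid": ppid,
                    "parent_exe": parent_exe,
                    "count": len(times),
                    "first": times[0].isoformat(),
                    "last": times[-1].isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_parents(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the rule flags only the parent started from /tmp: the cron-spawned decode child is ignored because its parent lives under a trusted path, and the child that merely decodes to a file is not counted because nothing is piped into a shell. Shrinking the window below the spacing of the three matching children (15 seconds apart in the sample) makes the finding disappear, which is the tuning trade-off a low-severity rule like the one the post asks for has to make.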
At the network level, we assumed that the intercepted Command and Control channel would have been blocked based on established security best practices.
The screenshot above shows the security best practices configured on the SASE provider's platform, intended to prevent unknown C2 communications.
What’s next?
To improve our detection sensors, we maintain close communication with vendors to address any missed detections. We are also conducting extensive testing and validation with other vendors and technology partners – at the NDR and SIEM levels, as well as across different operating systems – to gain an overview of current detection and response coverage.
Stay tuned for a full breakdown and demo of our investigation, aimed at strengthening the detection and response capabilities of leading cybersecurity providers.
Are you ready to face unknown cyber threats?
If not, connect with the experts at the AVANTEC Cyber Defense Center. We will help you craft a practical, winning strategy to stay protected.
The post Spoiler: Hackers aren't impressed by your Advanced Threat Protection technology – Here's why first appeared on Tec-Bite.