The login events observed by Arctic Wolf used spoofed source IP addresses such as the local loopback address 127.0.0.1 or the IP addresses of public DNS resolvers run by Google and Cloudflare: 1.1.1.1, 2.2.2.2, 8.8.8.8, and 8.8.4.4. Sometimes the attackers forgot to spoof their source addresses, revealing addresses associated with a virtual private server (VPS) provider.
This initial scan stage consisted of very short-lived login and logout events that appeared indiscriminate and targeted organizations across many sectors. The attackers then returned and began making configuration changes: first altering a setting that controls how output is displayed over multiple pages in the jsconsole, then adding new superadmin accounts whose names followed five- or six-character patterns.
These new accounts were then used to create up to six local users per device, named according to a similar scheme, and to add those users to existing user groups with SSL VPN access. In some cases the attackers instead hijacked existing accounts or reset the password of the guest account and added it to SSL VPN groups.
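As an added detection example (not code from Arctic Wolf or the article), the following Python script scans constructed admin-session log lines, in an assumed key=value layout rather than any vendor's real format, and flags the two signals described above: console logins whose source address is the loopback or one of the listed public resolvers (addresses that cannot be the true origin of a remote session) and login/logout pairs that close within seconds.

```python
import ipaddress
import re
from datetime import datetime

# Source addresses the article reports in spoofed login events: the loopback
# address plus public DNS resolver addresses. A genuine remote admin session
# cannot originate from any of them.
SPOOFED_SOURCES = {"127.0.0.1", "1.1.1.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Constructed sample log lines (key=value layout assumed for this example):
# two spoofed-source hit-and-run sessions, one long legitimate-looking admin
# session from a documentation-range address, and one ordinary user login.
SAMPLE_LOGS = """\
date=2025-01-14 time=02:11:03 action=login status=success user=admin srcip=127.0.0.1 ui=jsconsole
date=2025-01-14 time=02:11:05 action=logout user=admin srcip=127.0.0.1 ui=jsconsole
date=2025-01-14 time=02:15:40 action=login status=success user=admin srcip=8.8.8.8 ui=jsconsole
date=2025-01-14 time=02:15:41 action=logout user=admin srcip=8.8.8.8 ui=jsconsole
date=2025-01-14 time=03:02:10 action=login status=success user=admin srcip=203.0.113.77 ui=jsconsole
date=2025-01-14 time=03:40:22 action=logout user=admin srcip=203.0.113.77 ui=jsconsole
date=2025-01-14 time=09:00:00 action=login status=success user=jdoe srcip=198.51.100.5 ui=https
"""


def parse_line(line):
    """Split a key=value log line into a timestamp and a field dict."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, fields


def find_suspicious_logins(log_text, max_session_seconds=10):
    """Return (timestamp, (user, srcip, ui), reason) tuples worth triage."""
    open_sessions = {}  # (user, srcip, ui) -> login timestamp
    findings = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        key = (f.get("user"), f.get("srcip"), f.get("ui"))
        if f.get("action") == "login":
            open_sessions[key] = ts
            src = f.get("srcip", "")
            if src in SPOOFED_SOURCES or ipaddress.ip_address(src).is_loopback:
                findings.append((ts, key, "login from a source that cannot be a real remote origin"))
        elif f.get("action") == "logout" and key in open_sessions:
            duration = (ts - open_sessions.pop(key)).total_seconds()
            if duration <= max_session_seconds:
                findings.append((ts, key, f"session closed after only {duration:.0f}s"))
    return findings


if __name__ == "__main__":
    for ts, key, reason in find_suspicious_logins(SAMPLE_LOGS):
        print(ts, key, reason)
```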