AIX Server Exploit Reinforces Need for Enhanced Security on Legacy Systems
By Scott Shinn
(Are your AIX servers safe against advanced persistent threats? Boost AIX server security and block lateral movement into Windows and Linux environments—with Atomicorp.)
The AIX Server Hack in Review
AIX is a venerable operating system still used by an estimated tens of thousands of organizations worldwide, including many Fortune 500 companies. It remains popular and widely deployed because of its reliability, uptime, and scalability. However, AIX is not inherently a security platform, and it needs to be reinforced with modern endpoint detection and response (EDR) / extended detection and response (XDR) to mitigate the risk of well-executed attacks.
Case in point: between March and August of this year, intruders infiltrated and compromised three largely unmanaged AIX servers hosted by a U.S. organization. They then moved laterally onto web servers and into Windows Active Directory environments through a combination of reconnaissance, default and stolen credentials, and JSP shells. Once there, the attackers harvested data for a secondary exploitation and then attempted to spoof users before they were finally detected, after five months, and removed from the systems. Command-language artifacts collected by third-party forensic analysts pointed to the likely involvement of a China-nexus threat group.
Don’t let your legacy systems be the weak link that attackers use to pivot into your enterprise crown jewels. For versatile and affordable security for both modern and under-supported operating systems, visit Atomicorp.
Lessons Learned: Bolster AIX Security With More of a Zero Trust Approach
The AIX exploit is a reminder for IT security departments to renew their focus on crucial security measures, such as XDR and zero trust configuration practices and policies, which—in this case—appear to have been lacking on the exploited legacy servers. At the same time, AIX exploits aren’t widely reported or well analyzed, so the transparency and reported forensic details of this case are impressive and offer helpful insight into what happened. That also lets us discuss what should be done to prevent an easy recurrence.
In particular, be able to:
- Maintain visibility on older systems such as AIX and all their points of connection. Don’t forget about server and endpoint environments—and don’t stop monitoring them—just because they’re dev environments or due to a perception that they are undiscoverable or not a big threat. It’s just the opposite. These lower-profile systems represent an easy foothold for malware injection, intrusion and lateral movement to your more sensitive environments.
- Protect every endpoint and connection through monitoring and intrusion detection, including AV, anti-malware, behavioral tracking such as file integrity monitoring (FIM), and a robust vulnerability management program. A true zero trust model treats every endpoint as a potential threat that requires protection and verification. If a software provider’s “out of the box” security is not adequate against today’s multi-stage attack chains, organizations must reinforce it with EDR to mitigate risk and prevent damage to operations.
- Keep under-supported systems off the internet. Proper secure configuration of your AIX endpoints is a must, so you are not allowing unfettered access to and from web servers. If you’re not going to apply advanced protection on older systems, at least air-gap them from the web, because traditional internet firewalls can be bypassed and unmanaged vulnerabilities exploited—as was the case in this attack.
- Detect and protect against lateral movement. AIX is not inherently a security product and should be reinforced with on-device and/or hub-based data flow defense so connected systems and users do not become infected as well. This should include the ability to detect malicious activity spreading to Windows and other systems with a trust relationship.
- Don’t compound these security risks by abandoning zero trust principles. A zero trust approach never assumes a resource is trusted, and your zero trust architecture should extend to the informal trust relationships between internet-facing resources such as web servers and databases and old, largely neglected servers, so that trust verification is a two-way street.
How to Defend Against Lateral Movement in Windows With OSSEC
Be able to thwart malicious lateral movement into Windows applications. Atomicorp detection and response solutions protect cross-platform endpoint systems, software and cloud APIs, and the traversal paths into web server, application, and container environments.
Watch Atomicorp isolate malicious activity, capture artifacts, and thwart lateral movement in a Windows environment.
Endpoint Protection for Windows, Linux, AIX, Solaris, and Web Servers
Discover how you can easily and affordably apply advanced security and compliance controls across under-protected AIX systems, as well as current and end-of-life (EOL) Red Hat Enterprise Linux, Ubuntu, Windows, CentOS, Solaris, the Apache and IIS web servers, and more.
We support both modern and legacy system security requirements.