CheckMesh: Hidden Threats in Your FW

SUMMARY :

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.

OPENCTI LABELS :

lateral movement,credential theft,meshagent,encrypted communication,advanced persistent threat,firewall compromise


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


CheckMesh: Hidden Threats in Your FW