https://www.huntress.com/blog/nightmare-eclipse-intrusion

TL;DR: Huntress has observed the use of Nightmare-Eclipse tooling, including BlueHammer, RedSun, and UnDefend, during a real-world intrusion investigation. In the clearest case, the activity included suspicious binaries staged in user-writable directories, hands-on-keyboard reconnaissance, likely compromised FortiGate SSL VPN access, and follow-on tunneling behavior. Organizations should review VPN logs, investigate the artifacts and paths below, and treat any confirmed execution as high-priority incident activity.
The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing. Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions. Those findings are covered in more detail below.
The Russians are already using this exploit.