Attackers installing SIEM agents to evade!

Sandbox Breaker - DFIR (thread author)
Jan 6, 2022
From Santiago Bassett:

The article, written by a Kaspersky analyst (Alexander Kryazhev), explains how Wazuh is misused by attackers who already had full administrative privileges over the victim's system.

This scenario is similar to how attackers might abuse other legitimate tools, like SSH, once they control a system.

According to the article, attackers installed the Wazuh agent and enabled the "remote_commands" feature, which requires manual activation and admin-level access. This feature is useful for incident responders and digital forensics, and it is common in XDR (eXtended Detection and Response) products. The attackers misused it to run commands on the already compromised system.

In summary, Wazuh is not the attack vector. The system was already fully compromised. This is a common case of attackers abusing legitimate tools for malicious purposes after gaining admin access.

Wazuh itself is a defensive tool designed to protect systems, not to attack them.

I hope it helps.
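The quoted post says the abused feature has to be switched on by hand on the agent. As an added example (not from the article, the post, or the Wazuh project), here is a small audit that a defender could run to flag an agent whose internal options have remote command execution turned on. The two option names are the Wazuh agent internal options as I know them; the file path, the constructed sample config and the function names are assumptions of this example.

```python
"""Audit a Wazuh agent's local_internal_options.conf for enabled remote commands.

Added example; not code from the article, the forum post, or Wazuh itself.
Assumptions: the two keys below are the agent internal options that gate
remote command execution, and the default Linux path is used for the file.
"""
from pathlib import Path
from typing import Dict, List

# Internal options that enable remote command execution on the agent
# (assumed names, written from memory of the Wazuh documentation).
REMOTE_COMMAND_KEYS = (
    "wazuh_command.remote_commands",
    "logcollector.remote_commands",
)

# Assumed default location on a Linux agent.
DEFAULT_PATH = Path("/var/ossec/etc/local_internal_options.conf")


def parse_internal_options(text: str) -> Dict[str, str]:
    """Parse `key=value` lines, ignoring blanks and `#` comments."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def remote_commands_enabled(options: Dict[str, str]) -> List[str]:
    """Return the remote-command keys that are set to 1 (enabled)."""
    return [k for k in REMOTE_COMMAND_KEYS if options.get(k, "0") == "1"]


def audit_file(path: Path = DEFAULT_PATH) -> List[str]:
    """Audit a real file; a missing file means nothing was enabled there."""
    if not path.is_file():
        return []
    return remote_commands_enabled(parse_internal_options(path.read_text()))


# Constructed sample config (not taken from any real host) for an offline run.
SAMPLE_CONFIG = """\
# constructed sample, not from a real agent
agent.debug=0
wazuh_command.remote_commands=1   # turned on by an admin-level change
logcollector.remote_commands=0
"""

if __name__ == "__main__":
    hits = remote_commands_enabled(parse_internal_options(SAMPLE_CONFIG))
    if hits:
        print("remote command execution enabled via:", ", ".join(hits))
    else:
        print("no remote command options enabled")
```

On a real host, call `audit_file()` with the agent's own path; a non-empty result is worth correlating with who had administrative access at the time the file changed, since the quoted post notes that the setting cannot be flipped without that access.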
Umm. Ok. Thanks for the breakdown, GPT. Welcome to MT, and that was your first post. It's just a news post, but thanks for the interpretation.