Ransomware ate my network (III)

23 de July de 2021 Por
A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we left the investigation with the IP 10.11.2.14 as the source of the connections to the DC (and with connections to the C2 101.143.122.216 as well as the antivirus disabled prior to the generalized attack).

Since we are talking about connections and considering that we have the RAM memory, the first thing Angela does is to use the Volatility netscan plugin to remove the network connections (the memory profile is Win10x64_17134) and confirm the connections with the C2:

Netscan returns a few additional results:

A connection to a remote SSH?

What is this computer doing providing a service on port 443/TCP? Has it gone mad? Clearly we need to dig deeper into these connections to find out what is behind them.

Angela decides to check the Sysmon logs, which should show the network connections… but it seems that the FFP (remember, the Federation of Patron Festivities) did not correctly apply the standard MINAF Sysmon configuration, so no such data is being collected (grrrrrrr).

[Read more…]

Ransomware ate my network (II)

20 de July de 2021 Por
A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we saw how MINAF narrowly avoided a ransomware attack, but we still have a lot of questions to answer. First, finding out the identity of the ransomware group that had affected MINAF.

To do this, Angela converts the MFT of the DC with mftdump.exe and performs a quick search of the v2.exe and v2c.exe files, which seemed a priori those in charge of deploying the ransomware. She hits the spot because she finds the files in the c:\temp\scheduler folder:

Quickly calculates her hashes:

5994df288813a7d9588299c301a8de13479e3ffb630c49308335f20515ffdf57  v2c.exe

b2a304e508415d96f417ed50d26e0b987b7cbd9a77bb345ea48e803b5a7afb49  v2.exe

ffa8722a09829acd7ef8743688947f6ccb58d2ef  v2c.exe

7320b34c07206fcaf1319d6ce9bef2b29648a151  v2.exe

eddc0e293b0f0ee90bab106f073a41c9  v2c.exe

91438699bed008be9405995f0a158254  v2.exe

The next thing is to check if they are known. VirusTotal gives you a quick answer:

[Read more…]

Ransomware ate my network (I)

19 de July de 2021 Por
A brief explanation of this series with some clarifying notes can be read below.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

Note 1: This series of posts is a narration of a forensic analysis of a totally fictional incident response case study (but told, we hope, in a didactic and humorous way). If you want a version with the same technical dose but with less narrative, you can check the video of the talk that the author gave at the XIV CCN-CERT STIC Conference, or take a look at the slides of the presentation.

Note 2: These posts reveal a forensic analysis workshop encompassed within the incident response. There will be some things that could be done more efficiently and elegantly, but the idea was to make them simple so that they are easy to understand. And like any practical workshop, you can take advantage of it in several ways: you can download from LORETO the evidence  already worked to follow the case step by step, you can download the raw evidence to do your own investigation… or you can play the CTF DFIR that we have prepared and that will be unfolding the case as you respond to the various challenges.

There are few good months for cybersecurity in a Public Administration, and November is not one of them: projects must be closed, status reports must be made, and it is necessary to make sure that the entire budget is executed (and justified with the corresponding invoices).

Angela de la Guarda, CISO of the MINAF (Ministerio of Alegría y Felicidad, Joy and Happiness in English) has not had a particularly happy year: the pandemic forced the deployment of teleworking for a large part of the personnel, which caused a significant overload on all ICT personnel… and even more so on her and her team, responsible for ensuring the security of all systems.

To make things worse, in the usual restructuring with each change of government, the MINAF has been entrusted with the mission of “unifying all state agencies with skills on joy and happiness.” This has led to the absorption of several entities of different sizes, among which the FFP (Federation of Patron Festivities, in charge of managing all town festivals in Spain) stands out. The FFP has, so to speak… a rather relaxed view of cybersecurity, which made assimilation highly conflictive. In the end, the upper echelons have ruled, and the MINAF finally absorbed the FFP.

It’s 5:00 p.m., and Angela is checking emails to finish the first of a week full of reports and go home, when Salvador Bendito (MINAF security analyst) calls her on her mobile: “Boss, we have a very serious problem. One of the canaries has jumped: we are losing the goalkeepers. All of them”.

[Read more…]

The supply chain and the elephant in the room

8 de July de 2021 Por

A few days ago, in the wake of ransomware attacks “related” to the Kaseya remote IT management product, I posted on LinkedIn a short post in which I said the following:

Supply chain is the elephant in the room and we need to talk more about it.

Yes, let’s talk a little bit about prevention and leave detection and management for another time. As the saying goes, better safe than sorry. To develop it a bit further, I added that:

 

we should start thinking that third-party software and hardware are insecure by default and that an obligation should be imposed on software manufacturers to perform and publish, to some extent, serious, regular, in-depth pentesting for the critical applications they sell (and their updates). And even then, any third-party software or device should be considered insecure by default, unless proven otherwise.

 

In a comment, Andrew (David) Worley referred to SOC 2 reports, which should be able to minimally prevent these kinds of “problems”, and commented on a couple of initiatives I was unaware of: the Software Bill of Materials (SBoMs) and the Digital Bill of Materials (DBoMs).

I promise to talk about it in another post, but for now let’s move on.

[Read more…]

OSEP certificate (Offensive Security Experienced Penetration Tester)

2 de July de 2021 Por
La imagen tiene un atributo ALT vacío; su nombre de archivo es image-35.png
PEN-300 and the OSEP Certification | Offensive Security

In this post we are going to talk about one of the new certifications offered by Offensive Security, specifically OSEP (Offensive Security Experienced Penetration Tester).

This certification is part of the new OSCE along with the, also new, OSED (Offensive Security Exploit Developer) and OSWE (Offensive Security Web Expert).

Like all Offensive Security certifications, it is mandatory to take the course associated with the certification, called “Evasion techniques and breaching defenses” which we will talk about later as well.

As of today, the price of the course is $1299, which includes 2 months of lab access and the exam sitting (of 48 fantastic hours :P).

I guess, if you’re reading this post, you already knew all of the above, so let’s dig into what you probably don’t know!

[Read more…]

Do Math or Windows Dies! – customizing a .NET ransomware

21 de June de 2021 Por
NOTE: the content of this article is educational and informative. The goal is to learn how malware works and how can we identify its capabilities. The author is not responsible for any bad actions derived from the information of the post. The author does NOT ENCOURAGE to execute the sample OUTSIDE OF AN ISOLATED LABORATORY.

In this article we are going to analyze, gut and customize a little screen-locker (a member of ransomware family that locks the machine without encrypt the data). This is a clumsy but effective sample that we will alter to create our own ScreenLocker.

SSHBOT, the cr*ppy ScreenLocker

SSHBOT, also known as P4YME, is an old and unsophisticated malware from ransomware family.

We will use a public sample submited to VirusTotal, where is detected by 54 Anti-virus:

When executed, it restarts the machine and shows this message:

[Read more…]

GOTO XII: Security Certifications

7 de June de 2021 Por
Please bear in mind several things before going ahead. One: this post, even still very much alive today, was published back in June 2015 in the Spanish section of the blog. Two: this “GOTO” title thing makes reference to the controversial GOTO programming instructions. Three: even though this is the 12nd part of the GOTO series, they have not been translated, but they are not really connected but for their controversial nature… so just ignore that “XII” and move ahead. Enjoy!

There are few topics capable of generating as much debate in the field of IT security as certifications: they’re great, they’re useless, generalist, product specific… Proponents and detractors put forward quite valid arguments when it comes to defending and questioning the real value of security certifications.

Let’s imagine for a moment that we have a helmet that allows us, at the push of a button, to become either a fanboy of certifications or their staunchest enemy. Helmet in hand (well, head on, safety first) let’s go over some arguments for or against security certifications.

[Read more…]

Enterprise immortality?

4 de May de 2021 Por

Too long ago I spent about a year at the Georgia Institute of Technology in Atlanta, continuing my university studies. Shortly after arriving, the person who was in charge of campus security gave us a talk in which he congratulated us on the fact that Atlanta was no longer the most dangerous city in the USA, but the second most dangerous (we are talking about 1999). He also warned, with emphasis on the younger ones, to be careful with the illusions of immortality typical of teenagers, to avoid unnecessary risks and to adopt certain safety measures.

I have a feeling that this kind of illusion applies quite adequately to many companies. In general, the thinking that still prevails in many organizations is the familiar one: it can’t happen to us. The equivalent is the one who gets in the car thinking that accidents happen to everyone but him and ignores seat belts and any “reasonable” speed limit.

[Read more…]

European Cybersecurity Framework

26 de April de 2021 Por

In recent times, the European Union has been reinforcing the regulatory framework on cybersecurity to deal with the growing threat posed by cyberattacks. To this end, it is providing the Member States with a common framework especially focused on cybersecurity aimed at guaranteeing the cyber-resilience of the processes that support different essential services for society.

The NIS Directive or Directive (EU) 2016/1148 was the first cybersecurity law of the European Union and provided a common framework to improve the resilience of the Union’s networks and information systems against cybersecurity risks. It has proven to be a useful Directive, but over the years it has also shown its limitations in the face of increasing cyber threats and the growing reliance on digital solutions.

That is why, at the end of last year, the European Commission presented the new EU cybersecurity strategy based on three main pillars:

  • Resilience, technological sovereignty and leadership;
  • Operational ability to prevent, deter and respond;
  • Cooperation to promote a global, secure and open cyberspace.
[Read more…]

Threat hunting (VII): hunting without leaving home. Process creation

19 de January de 2021 Por
See previous entries: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks, VI: Creating our víctim

Good hunters, how’s the hunt going?

I hope you have had time to play with your lab and feel more and more comfortable consulting and analyzing the data.

As I said in the previous article, now it’s time to get down into the mud and start understanding what is happening in our laboratory. In this case we are going to talk about the creation of processes, what happens when a process is created, what ways there are to create them and the traces that creation leaves behind.

Understanding the environment

Windows is organized in layers as far as interaction with the system is concerned.

The upper layers are those with which the user or the programs that he launches interacts, the lower layers those used by the operating system itself to function.

For security reasons, the upper layers are well documented and Windows offers facilities to interact with them, but with the lower layers things change, they are not documented and due to the complexity of their operation, it is very difficult or directly not possible for security reasons.

[Read more…]