How they swindle $100,000 without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (IV)

26 de noviembre de 2020 Por
See the first part of this series, with some notes on the full series content, the second part and the third part

In the previous article, we saw how the attackers had been monitoring and manipulating the MINAF CEO’s email at will … and that they had done it through OWA (Outlook Web Access), the Exchange webmail.

To know how these logs work, we have to see how Exchange works. If we simplify it a lot, Exchange has two main components: CAS (Client Access Server) and DAG (Database Availability Group), which would be roughly equivalent to a web server and the database of a web application.

MORE

How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (III)

6 de noviembre de 2020 Por
See the first part of this series, with some notes on the full series content, and the second part.

In the previous article we verified that a series of emails had been sent from the MINAF CEO’s account to the CFO, and through social engineering a series of unauthorized transfers had been made. We are at a point in the investigation where we want to know more about those emails, and for this we have to go to the low-level database of Exchange: EventHistoryDB.

EventHistoryDB is a database that collects with minute detail the entire life cycle of an email in Exchange. Thanks to EventHistoryDB we can know such granular details as:

  • When an email was written.
  • When it was sent.
  • Whether or not it was read by the recipient, and when.
  • If the mail was moved to a folder.
  • If the email was answered.
  • If the mail was sent to the trash, or even if it was deleted from it.

Unfortunately, not everything is perfect in the EventHistoryDB. It is only accessible via Powershell (no nice graphical interfaces), and only the last 7 days are saved by default. However, in this case the MINAF has reacted very quickly and this has allowed us to enter comfortably within that time frame, so it is possible to fully recover the records for the two affected users.

[Read more…]

How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (II)

23 de octubre de 2020 Por
See the first part of this series, with some notes on the full series content.

We left the previous article with many gaps in the mail coverage from both the CEO and CFO of the MINAF. A first (and above all) quick solution is to use the MessageTracking logs. As we have already mentioned, MessageTracking is a high-level Exchange log that provides us with some basic data about the message (origin, destination, date and subject) along with some low-level identifiers (of which we will tell something in due course since they will be fundamental in our investigation).

To give you an idea, this is what a MessageTracking log (that we have minimally adapted) looks like:

If we open the log and take a quick look at it, we find a wave of messages (about 1000) quite worrisome:

(Remote data device deletion confirmation / abelardo.alcazar@minaf.es)

Apparently someone ordered the remote deletion of Abelardo Alcázar’s mobile device, something that can be done from Exchange if the terminal is configured correctly (very useful in case of theft or loss, since we do not require a remote management solution for mobile terminals or MDM).

This log agrees with Abelardo Alcazar’s statement, coinciding with the dates (remember that in Spain in summer we are at UTC + 2, so 18.47h UTC becomes 20.47h Spanish time).

[Read more…]

How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (I)

19 de octubre de 2020 Por

Note 0: This series of articles is a description (hopefully entertaining) of the case study (fictional, beware) that Maite Moreno and myself presented at the c1b3rwall digital security and cyber-intelligence conference, organized by the Spanish National Police. If you want more information on CEO scams you can check the (in Spanish) slides of our talk,full of data as well as a real case that we researched.

Note 1: We emphasize that this case is fictitious. However, the techniques and procedures used are identical to those used by the attackers, with the difference that we offer evidence to study them in detail. Note that he investigation could have been done more efficiently, but we wanted to show some interesting elements and techniques to deep into Exchange, hence the steps taken.

Note 2: Before starting the case study… you can play it! We have set up an open-access forensic CTF you can use to practice your technical skills. Try it before reading these articles (recommended), or later to reinforce concepts. If you only want the raw evidence, you can get them here. You can also download the step-by-step guide with all the tools and evidence needed for each step of the articles, perfecto to continue with the slides.

Those of us who work in incident response and forensics would love want attackers to warn us before doing their wrongdoing. We want it together with the Lamborghini, the yacht and the unicorn with a rainbow in the background, but we get the same response in almost all cases: no f****** way.

What a pain in the ass it is to have an incident at 14:55 on a Friday,” you would think. There are worse things: a call from your boss at 15h on a Saturday while you are taking a nap: “Grab your incident suitcase, ‘we’re going to party’».

The party consists of about 4 hours of travel from Madrid to Ponferrada, where the headquarters of the MINAF (Minerías Alcázar y Ferrán) is located. MINAF is a mining company that will not ring a bell, but which has a turnover of more than 40 million euros and operates in 12 countries.

[Read more…]