Ransomware ate my network (IV)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part



In the previous article we saw how Angela had deduced that the attackers had entered the computer used to connect to the DC from another computer, using the PsExec tool. Determined to find that PsExec, Angela begins by converting the MFT extracted by CyLR to .csv with mftdump.exe, and searching for activity around the time she saw the connection on the other computer (about 2:16 p.m. local time, i.e. 1:16 p.m. UTC, which is what the MFT shows us, since MFT timestamps are stored in UTC).

There is no obvious hit, but that stalin.exe Prefetch looks suspicious (remember that Prefetch files are created the first time a program is run, a few seconds after launch).
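The pivot search described above, as an added example that is not part of the original article: it converts the analyst's local pivot time to UTC (the MFT's time base), pulls every record created within a few minutes of it from an mftdump-style CSV, and reads the creation time of any Prefetch file in that window as an upper bound on the first execution of the binary. The CSV column names, record numbers, paths and Prefetch hash suffixes are constructed for this example; they are not taken from the case evidence.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("Europe/Madrid")
except Exception:  # no tz database on this host: fall back to fixed CET (UTC+1), valid for November
    LOCAL_TZ = timezone(timedelta(hours=1), "CET")

UTC = timezone.utc
MFT_TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample in the shape of an mftdump-style CSV export. The column names, record
# numbers, paths and Prefetch hash suffixes are assumptions made for this example only.
SAMPLE_MFT_CSV = """\
RecordNumber,FullPath,StdInfoCreationDate,StdInfoModifyDate,FileSize
1001,C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf,2020-11-10 09:02:11.120,2020-11-10 09:02:11.120,22110
1002,C:\\Users\\Public\\stalin.exe,2020-11-10 13:16:01.004,2020-11-10 13:16:01.004,233472
1003,C:\\Windows\\Prefetch\\STALIN.EXE-3A6B21C0.pf,2020-11-10 13:16:09.331,2020-11-10 13:16:09.331,14032
1004,C:\\Windows\\System32\\winevt\\Logs\\System.evtx,2020-11-10 13:40:57.010,2020-11-10 13:40:57.010,1118208
1005,C:\\Windows\\Prefetch\\CMD.EXE-8E75B5BB.pf,2020-11-09 18:00:00.000,2020-11-09 18:00:00.000,8800
"""


def local_to_utc(local_ts: str) -> datetime:
    """Convert an analyst's wall-clock time ('YYYY-MM-DD HH:MM', Spanish local time) to UTC.

    $STANDARD_INFORMATION timestamps in the MFT are stored in UTC, so the pivot seen on the
    other machine (2:16 p.m. local) must be shifted before searching (1:16 p.m. UTC in November).
    """
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=LOCAL_TZ).astimezone(UTC)


def parse_mft_csv(csv_text: str):
    """Yield (full_path, creation_time_utc) for every record in the CSV export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = datetime.strptime(row["StdInfoCreationDate"], MFT_TS_FORMAT).replace(tzinfo=UTC)
        yield row["FullPath"], created


def entries_near(csv_text: str, pivot_local: str, window_minutes: int = 5):
    """Records created within +/- window_minutes of a pivot given in local time, oldest first."""
    pivot = local_to_utc(pivot_local)
    window = timedelta(minutes=window_minutes)
    hits = [(path, created) for path, created in parse_mft_csv(csv_text)
            if abs(created - pivot) <= window]
    return sorted(hits, key=lambda hit: hit[1])


def prefetch_first_runs(entries):
    """Map executable name -> Prefetch creation time (UTC).

    A .pf file is written a few seconds after a binary runs for the first time, so its
    creation timestamp is a close upper bound on the first execution of that binary.
    """
    first_runs = {}
    for path, created in entries:
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(".pf") and "-" in name:
            first_runs[name.rsplit("-", 1)[0]] = created
    return first_runs


if __name__ == "__main__":
    window = entries_near(SAMPLE_MFT_CSV, "2020-11-10 14:16")
    for path, created in window:
        print(created.strftime("%Y-%m-%d %H:%M:%S UTC"), path)
    for exe, when in prefetch_first_runs(window).items():
        print("first run of %s no later than %s" % (exe, when.strftime("%H:%M:%S UTC")))
```

Widen `window_minutes` if nothing turns up: attackers rarely act on the minute the analyst expects, and $STANDARD_INFORMATION timestamps can be stomped, so a hit in $FILE_NAME (not exported in this sample) is worth a second pass.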


Ransomware ate my network (III)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we left the investigation with the IP 10.11.2.14 as the source of the connections to the DC (and with connections to the C2 101.143.122.216 as well as the antivirus disabled prior to the generalized attack).

Since we are talking about connections, and considering that we have the RAM image, the first thing Angela does is to use the Volatility netscan plugin to extract the network connections (the memory profile is Win10x64_17134) and confirm the connections with the C2:

Netscan returns a few additional results:

A connection to a remote SSH server?

What is this computer doing providing a service on port 443/TCP? Has it gone mad? Clearly we need to dig deeper into these connections to find out what is behind them.
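A triage pass over netscan output, as an added example that is not part of the original article: it parses the Volatility 2 netscan column layout (UDP rows have no State column, which shifts the fields), then flags connections to the known C2, established connections to hosts outside the internal ranges (calling out port 22 separately) and listeners on ports a workstation should not expose, such as 443/TCP. The sample rows, offsets, PIDs, process names, the 203.0.113.7 host, the internal ranges and the listener allowlist are constructed assumptions; only 10.11.2.14 and 101.143.122.216 come from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the column layout of Volatility 2 'netscan' output. Offsets, PIDs,
# process names and the 203.0.113.7 host are assumptions; 10.11.2.14 and 101.143.122.216
# are the addresses discussed in the article.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0xc40a6ef5b010     TCPv4    10.11.2.14:49712               101.143.122.216:443  ESTABLISHED      4120     svchost.exe    2020-11-10 13:12:03 UTC+0000
0xc40a6f1a2a70     TCPv4    10.11.2.14:49801               10.11.2.20:445       ESTABLISHED      4        System         2020-11-10 13:15:40 UTC+0000
0xc40a6f22c010     TCPv4    10.11.2.14:49830               203.0.113.7:22       ESTABLISHED      5216     tool.exe       2020-11-10 13:17:12 UTC+0000
0xc40a6ef0d3b0     TCPv4    0.0.0.0:443                    0.0.0.0:0            LISTENING        5216     tool.exe       2020-11-10 13:17:10 UTC+0000
0xc40a6ef0d010     TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         2020-11-10 08:01:02 UTC+0000
0xc40a6ee9c7a0     UDPv4    0.0.0.0:5353                   *:*                                   2104     svchost.exe    2020-11-10 08:01:10 UTC+0000
"""

# Assumptions about the environment: the organisation's internal ranges and what a workstation
# should legitimately expose. Adjust both to the network under investigation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXPECTED_LISTENERS = {135, 139, 445, 3389, 5353}
KNOWN_C2 = {"101.143.122.216"}


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str


def parse_netscan(text: str) -> List[Conn]:
    """Parse netscan lines. TCP rows carry a State column; UDP rows do not, which shifts the fields."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue  # header, blank or malformed line
        proto, local, foreign = parts[1], parts[2], parts[3]
        if proto.upper().startswith("TCP"):
            state, pid, owner = parts[4], parts[5], parts[6]
        else:
            state, pid, owner = "", parts[4], parts[5]
        conns.append(Conn(proto, local, foreign, state, int(pid), owner))
    return conns


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); '*:*' and other non-numeric ports become -1."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), (int(port) if port.isdigit() else -1)


def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' or an unparsable token: not an external peer
        return True
    return any(ip in net for net in INTERNAL_NETS)


def triage(conns: List[Conn]):
    """Return (pid, owner, reason) for every connection an analyst should look at."""
    findings = []
    for c in conns:
        fhost, fport = split_endpoint(c.foreign)
        _, lport = split_endpoint(c.local)
        if fhost in KNOWN_C2:
            findings.append((c.pid, c.owner, "known C2 %s:%d" % (fhost, fport)))
        elif c.state == "ESTABLISHED" and not is_internal(fhost):
            what = "outbound SSH" if fport == 22 else "outbound to external host"
            findings.append((c.pid, c.owner, "%s %s:%d" % (what, fhost, fport)))
        if c.state == "LISTENING" and lport not in EXPECTED_LISTENERS:
            findings.append((c.pid, c.owner, "unexpected listener on %d/%s" % (lport, c.proto)))
    return findings


if __name__ == "__main__":
    for pid, owner, reason in triage(parse_netscan(SAMPLE_NETSCAN)):
        print("pid %-6d %-14s %s" % (pid, owner, reason))
```

The PID is the pivot for the next step: the same process owning an outbound connection and an unexpected listener is exactly the kind of thing to hand to pslist, dlllist and procdump before trusting the Owner column, which netscan reads from a structure the attacker controls.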

Angela decides to check the Sysmon logs, which should show the network connections… but it seems that the FFP (remember, the Federation of Patron Festivities) did not correctly apply the standard MINAF Sysmon configuration, so no such data is being collected (grrrrrrr).


Ransomware ate my network (II)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we saw how MINAF narrowly avoided a ransomware attack, but we still have a lot of questions to answer. First, finding out the identity of the ransomware group that had affected MINAF.

To do this, Angela converts the MFT of the DC with mftdump.exe and performs a quick search for the v2.exe and v2c.exe files, which a priori seemed to be the ones in charge of deploying the ransomware. She hits the mark: she finds the files in the c:\temp\scheduler folder:

She quickly calculates their hashes:

SHA-256:
5994df288813a7d9588299c301a8de13479e3ffb630c49308335f20515ffdf57  v2c.exe
b2a304e508415d96f417ed50d26e0b987b7cbd9a77bb345ea48e803b5a7afb49  v2.exe

SHA-1:
ffa8722a09829acd7ef8743688947f6ccb58d2ef  v2c.exe
7320b34c07206fcaf1319d6ce9bef2b29648a151  v2.exe

MD5:
eddc0e293b0f0ee90bab106f073a41c9  v2c.exe
91438699bed008be9405995f0a158254  v2.exe

The next step is to check whether they are already known. VirusTotal gives a quick answer:


Ransomware ate my network (I)

A brief explanation of this series with some clarifying notes can be read below.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

Note 1: This series of posts is a narration of a forensic analysis of a totally fictional incident response case study (but told, we hope, in a didactic and humorous way). If you want a version with the same technical dose but with less narrative, you can check the video of the talk that the author gave at the XIV CCN-CERT STIC Conference, or take a look at the slides of the presentation.

Note 2: These posts describe a forensic analysis workshop carried out as part of the incident response. Some things could be done more efficiently and elegantly, but the idea was to keep them simple so that they are easy to understand. And like any practical workshop, you can take advantage of it in several ways: you can download from LORETO the already processed evidence to follow the case step by step, you can download the raw evidence to do your own investigation… or you can play the DFIR CTF that we have prepared, which unfolds the case as you solve the various challenges.


There are few good months for cybersecurity in a Public Administration, and November is not one of them: projects must be closed, status reports must be made, and it is necessary to make sure that the entire budget is executed (and justified with the corresponding invoices).

Angela de la Guarda, CISO of the MINAF (Ministerio of Alegría y Felicidad, Joy and Happiness in English) has not had a particularly happy year: the pandemic forced the deployment of teleworking for a large part of the personnel, which caused a significant overload on all ICT personnel… and even more so on her and her team, responsible for ensuring the security of all systems.

To make things worse, in the usual restructuring with each change of government, the MINAF has been entrusted with the mission of “unifying all state agencies with skills on joy and happiness.” This has led to the absorption of several entities of different sizes, among which the FFP (Federation of Patron Festivities, in charge of managing all town festivals in Spain) stands out. The FFP has, so to speak… a rather relaxed view of cybersecurity, which made assimilation highly conflictive. In the end, the upper echelons have ruled, and the MINAF finally absorbed the FFP.

It’s 5:00 p.m., and Angela is checking emails to finish the first of a week full of reports and go home, when Salvador Bendito (MINAF security analyst) calls her on her mobile: “Boss, we have a very serious problem. One of the canaries has tripped: we are losing the goalkeepers. All of them”.


GOTO XII: Security Certifications

Please bear in mind several things before going ahead. One: this post, although still very much relevant today, was published back in June 2015 in the Spanish section of the blog. Two: the “GOTO” in the title refers to the controversial GOTO programming instruction. Three: even though this is the 12th part of the GOTO series, the previous parts have not been translated, but they are not really connected except for their controversial nature… so just ignore that “XII” and move ahead. Enjoy!

There are few topics capable of generating as much debate in the field of IT security as certifications: they’re great, they’re useless, generalist, product specific… Proponents and detractors put forward quite valid arguments when it comes to defending and questioning the real value of security certifications.

Let’s imagine for a moment that we have a helmet that allows us, at the push of a button, to become either a fanboy of certifications or their staunchest enemy. Helmet in hand (well, head on, safety first) let’s go over some arguments for or against security certifications.


How they swindle $100,000 without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (IV)

See the first part of this series, with some notes on the full series content, the second part and the third part

In the previous article, we saw how the attackers had been monitoring and manipulating the MINAF CEO’s email at will … and that they had done it through OWA (Outlook Web Access), the Exchange webmail.

To understand how the OWA logs work, we have to see how Exchange works. Simplifying a lot, Exchange has two main components: the CAS (Client Access Server) role, which terminates the client connections, and the Mailbox servers that hold the mailbox databases (grouped for high availability into a DAG, Database Availability Group). These are roughly equivalent to the web server and the database of a web application.


How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (III)

See the first part of this series, with some notes on the full series content, and the second part.

In the previous article we verified that a series of emails had been sent from the MINAF CEO’s account to the CFO, and through social engineering a series of unauthorized transfers had been made. We are at a point in the investigation where we want to know more about those emails, and for this we have to go to the low-level database of Exchange: EventHistoryDB.

EventHistoryDB is a database that records in minute detail the entire life cycle of an email in Exchange. Thanks to EventHistoryDB we can learn details as granular as:

  • When an email was written.
  • When it was sent.
  • Whether or not it was read by the recipient, and when.
  • If the mail was moved to a folder.
  • If the email was answered.
  • If the mail was sent to the trash, or even if it was deleted from it.

Unfortunately, not everything is perfect in the EventHistoryDB. It is only accessible via PowerShell (no nice graphical interfaces), and only the last 7 days are kept by default. However, in this case the MINAF reacted very quickly, which puts us comfortably within that window, so it is possible to fully recover the records for the two affected users.


How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (II)

See the first part of this series, with some notes on the full series content.

We left the previous article with many gaps in the mail coverage for both the CEO and the CFO of the MINAF. A first (and, above all, quick) solution is to use the MessageTracking logs. As we have already mentioned, MessageTracking is a high-level Exchange log that provides some basic data about each message (origin, destination, date and subject) along with some low-level identifiers (of which we will say something in due course, since they will be fundamental in our investigation).

To give you an idea, this is what a MessageTracking log (that we have minimally adapted) looks like:

If we open the log and take a quick look at it, we find a rather worrying wave of messages (about 1,000):

(Remote data device deletion confirmation / abelardo.alcazar@minaf.es)

Apparently someone ordered the remote wipe of Abelardo Alcázar’s mobile device, something that can be done from Exchange if the device is configured correctly (very useful in case of theft or loss, since it does not require a separate mobile device management (MDM) solution).

The log is consistent with Abelardo Alcázar’s statement, and the dates match (remember that in summer Spain is at UTC+2, so 18:47 UTC becomes 20:47 Spanish time).
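The MessageTracking reading described above, as an added example that is not part of the original article: it parses the standard Exchange message tracking log layout (the `#Fields:` line gives the column names, the other `#` lines are metadata), counts subjects that appear in bursts so that a wave like the remote wipe confirmations stands out, converts the log's UTC timestamps to Spanish time, and builds a per-address timeline keyed on the message-id that later work will pivot on. The rows are constructed for this example: the server name, IPs, message ids, the CFO address and the sender used for the wipe confirmations are assumptions; the subject line and abelardo.alcazar@minaf.es come from the article.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("Europe/Madrid")
except Exception:  # no tz database on this host: fall back to fixed CEST (UTC+2), valid for July
    LOCAL_TZ = timezone(timedelta(hours=2), "CEST")

# The '#' header lines and the field list are the standard Exchange message tracking log layout.
# The rows are constructed for this example: server name, IPs, message ids, the CFO address and
# the sender used for the wipe confirmations are assumptions.
FIELDS = ("date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,"
          "source,event-id,internal-message-id,message-id,network-message-id,recipient-address,"
          "recipient-status,total-bytes,recipient-count,related-recipient-address,reference,"
          "message-subject,sender-address,return-path,message-info,directionality,tenant-id,"
          "original-client-ip,original-server-ip,custom-data")
_ROW = ("{dt},10.0.0.5,EXCH01,10.0.0.5,EXCH01,,,STOREDRIVER,{event},{imid},<{imid}@minaf.es>,"
        "{imid}-net,{rcpt},,4210,1,,,{subject},{sender},{sender},,Originating,,10.0.0.5,10.0.0.5,")
WIPE_SUBJECT = "Remote data device deletion confirmation / abelardo.alcazar@minaf.es"
_EVENTS = [
    ("2020-07-14T18:47:01.100Z", "RECEIVE", 1001, "abelardo.alcazar@minaf.es", "cfo@minaf.es", "Urgent transfer"),
    ("2020-07-14T18:47:01.300Z", "DELIVER", 1001, "abelardo.alcazar@minaf.es", "cfo@minaf.es", "Urgent transfer"),
] + [
    ("2020-07-14T18:47:%02d.512Z" % sec, "DELIVER", 2000 + sec,
     "exchange-system@minaf.es", "abelardo.alcazar@minaf.es", WIPE_SUBJECT)
    for sec in range(3, 9)
]
SAMPLE_TRACKING_LOG = "\n".join(
    ["#Software: Microsoft Exchange Server", "#Version: 15.0.0.0",
     "#Log-type: Message Tracking Log", "#Date: 2020-07-14T00:00:05.000Z", "#Fields: " + FIELDS]
    + [_ROW.format(dt=dt, event=ev, imid=imid, sender=snd, rcpt=rcpt, subject=subj)
       for dt, ev, imid, snd, rcpt, subj in _EVENTS]) + "\n"


def parse_tracking_log(text: str):
    """Parse a message tracking log: '#Fields:' names the columns, other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = next(csv.reader([line]))  # csv handles quoted subjects with commas
            rows.append(dict(zip(fields, values)))
    return rows


def to_local(date_time: str) -> datetime:
    """Tracking log timestamps are UTC ('Z' suffix); convert to Spanish wall-clock time."""
    utc = datetime.strptime(date_time, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(LOCAL_TZ)


def subject_bursts(rows, min_count: int = 5, event: str = "DELIVER"):
    """Subjects delivered at least min_count times: the 'wave' worth a closer look."""
    counts = Counter(r["message-subject"] for r in rows if r["event-id"] == event)
    return {subject: n for subject, n in counts.items() if n >= min_count}


def timeline_for(rows, address: str):
    """Events touching an address, oldest first: (local time, event, message-id, subject)."""
    address = address.lower()
    hits = [r for r in rows
            if address in (r["sender-address"].lower(), r["recipient-address"].lower())]
    hits.sort(key=lambda r: r["date-time"])  # ISO 8601 in UTC sorts lexically
    return [(to_local(r["date-time"]).strftime("%Y-%m-%d %H:%M:%S"),
             r["event-id"], r["message-id"], r["message-subject"]) for r in hits]


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_TRACKING_LOG)
    for subject, n in subject_bursts(rows).items():
        print("%4d x %s" % (n, subject))
    for when, event, mid, subject in timeline_for(rows, "abelardo.alcazar@minaf.es"):
        print(when, event, mid, subject)
```

Keep the message-id and network-message-id from these rows: they are the join keys into the lower-level Exchange data that the rest of the investigation depends on, and they survive folder moves and deletions that the subject and timestamps alone cannot tie together.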


How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (I)

Note 0: This series of articles is a description (hopefully entertaining) of the case study (fictional, beware) that Maite Moreno and I presented at the c1b3rwall digital security and cyber-intelligence conference, organized by the Spanish National Police. If you want more information on CEO scams you can check the slides of our talk (in Spanish), full of data as well as a real case that we investigated.

Note 1: We emphasize that this case is fictitious. However, the techniques and procedures used are identical to those used by the attackers, with the difference that we offer evidence to study them in detail. Note that the investigation could have been done more efficiently, but we wanted to show some interesting elements and techniques for digging into Exchange, hence the steps taken.

Note 2: Before starting the case study… you can play it! We have set up an open-access forensic CTF you can use to practice your technical skills. Try it before reading these articles (recommended), or later to reinforce concepts. If you only want the raw evidence, you can get it here. You can also download the step-by-step guide with all the tools and evidence needed for each step of the articles, perfect for following along with the slides.


Those of us who work in incident response and forensics would love attackers to warn us before doing their wrongdoing. We want it together with the Lamborghini, the yacht and the unicorn with a rainbow in the background, but we get the same response in almost all cases: no f****** way.

“What a pain in the ass it is to have an incident at 14:55 on a Friday,” you might think. There are worse things: a call from your boss at 15:00 on a Saturday while you are taking a nap: “Grab your incident suitcase, we’re going to party”.

The party consists of about 4 hours of travel from Madrid to Ponferrada, where the headquarters of the MINAF (Minerías Alcázar y Ferrán) is located. MINAF is a mining company that will not ring a bell, but which has a turnover of more than 40 million euros and operates in 12 countries.


I discovered a crime … and now what?

[Author’s note: The author of this article is a technician, not a lawyer. Although several jurists have been consulted to corroborate that no legal barbarity has been said, it is strongly recommended to consult with a trusted legal professional if necessary].
[Author’s note 2: I would like to thank the ideas and comments offered by the Forensic Computing Telegram group: https://t.me/forense, whose activity has fostered and promoted this article].

Let’s imagine that Mary is a forensic analyst who is working on a case of corporate espionage. While analyzing some compressed files with strange names, she discovers with horror that they are full of images of child pornography.

Imagine that Pete is a pentester whose objective is to take control of a mail server, having to submit as evidence a half dozen high-level emails. Once he has achieved his objective, he extracts several mails at random from the mail accounts, but verifies with indignation that they contain information about a civil servant being bribed for the granting of an important public contract.

Both Mary and Pete have signed a strict confidentiality agreement with the company in which they work, which clearly states that “all the information they have knowledge of during their working activity must be kept in the strictest secrecy.”