Ransomware ate my network (I)

A brief explanation of this series with some clarifying notes can be read below.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

Note 1: This series of posts is a narration of a forensic analysis of a totally fictional incident response case study (but told, we hope, in a didactic and humorous way). If you want a version with the same technical dose but with less narrative, you can check the video of the talk that the author gave at the XIV CCN-CERT STIC Conference, or take a look at the slides of the presentation.

Note 2: These posts reveal a forensic analysis workshop encompassed within the incident response. There will be some things that could be done more efficiently and elegantly, but the idea was to make them simple so that they are easy to understand. And like any practical workshop, you can take advantage of it in several ways: you can download from LORETO the evidence already worked to follow the case step by step, you can download the raw evidence to do your own investigation… or you can play the CTF DFIR that we have prepared and that will be unfolding the case as you respond to the various challenges.


There are few good months for cybersecurity in a Public Administration, and November is not one of them: projects must be closed, status reports must be made, and it is necessary to make sure that the entire budget is executed (and justified with the corresponding invoices).

Angela de la Guarda, CISO of the MINAF (Ministerio of Alegría y Felicidad, Joy and Happiness in English) has not had a particularly happy year: the pandemic forced the deployment of teleworking for a large part of the personnel, which caused a significant overload on all ICT personnel… and even more so on her and her team, responsible for ensuring the security of all systems.

To make things worse, in the usual restructuring with each change of government, the MINAF has been entrusted with the mission of “unifying all state agencies with skills on joy and happiness.” This has led to the absorption of several entities of different sizes, among which the FFP (Federation of Patron Festivities, in charge of managing all town festivals in Spain) stands out. The FFP has, so to speak… a rather relaxed view of cybersecurity, which made assimilation highly conflictive. In the end, the upper echelons have ruled, and the MINAF finally absorbed the FFP.

It’s 5:00 p.m., and Angela is checking emails to finish the first of a week full of reports and go home, when Salvador Bendito (MINAF security analyst) calls her on her mobile: “Boss, we have a very serious problem. One of the canaries has jumped: we are losing the goalkeepers. All of them”.

[Read more…]

The supply chain and the elephant in the room

A few days ago, in the wake of ransomware attacks “related” to the Kaseya remote IT management product, I posted on LinkedIn a short post in which I said the following:

Supply chain is the elephant in the room and we need to talk more about it.

Yes, let’s talk a little bit about prevention and leave detection and management for another time. As the saying goes, better safe than sorry. To develop it a bit further, I added that:

we should start thinking that third-party software and hardware are insecure by default and that an obligation should be imposed on software manufacturers to perform and publish, to some extent, serious, regular, in-depth pentesting for the critical applications they sell (and their updates). And even then, any third-party software or device should be considered insecure by default, unless proven otherwise.

In a comment, Andrew (David) Worley referred to SOC 2 reports, which should be able to minimally prevent these kinds of “problems”, and commented on a couple of initiatives I was unaware of: the Software Bill of Materials (SBoMs) and the Digital Bill of Materials (DBoMs).

I promise to talk about it in another post, but for now let’s move on.

[Read more…]

OSEP certificate (Offensive Security Experienced Penetration Tester)


In this post we are going to talk about one of the new certifications offered by Offensive Security, specifically OSEP (Offensive Security Experienced Penetration Tester).

This certification is part of the new OSCE, along with the also new OSED (Offensive Security Exploit Developer) and OSWE (Offensive Security Web Expert).

Like all Offensive Security certifications, it is mandatory to take the course associated with the certification, called “Evasion techniques and breaching defenses” which we will talk about later as well.

As of today, the price of the course is $1299, which includes 2 months of lab access and the exam sitting (of 48 fantastic hours :P).

I guess, if you’re reading this post, you already knew all of the above, so let’s dig into what you probably don’t know!

[Read more…]

Do Math or Windows Dies! – customizing a .NET ransomware

NOTE: the content of this article is educational and informative. The goal is to learn how malware works and how we can identify its capabilities. The author is not responsible for any bad actions derived from the information in the post. The author does NOT ENCOURAGE executing the sample OUTSIDE OF AN ISOLATED LABORATORY.

In this article we are going to analyze, gut and customize a little screen-locker (a member of the ransomware family that locks the machine without encrypting the data). This is a clumsy but effective sample that we will alter to create our own ScreenLocker.

SSHBOT, the cr*ppy ScreenLocker

SSHBOT, also known as P4YME, is an old and unsophisticated piece of malware from the ransomware family.

We will use a public sample submitted to VirusTotal, where it is detected by 54 antivirus engines:

When executed, it restarts the machine and shows this message:

[Read more…]

GOTO XII: Security Certifications

Please bear in mind several things before going ahead. One: this post, even though still very much alive today, was published back in June 2015 in the Spanish section of the blog. Two: this “GOTO” title thing makes reference to the controversial GOTO programming instruction. Three: even though this is the 12th part of the GOTO series, the others have not been translated, but they are not really connected except for their controversial nature… so just ignore that “XII” and move ahead. Enjoy!

There are few topics capable of generating as much debate in the field of IT security as certifications: they’re great, they’re useless, generalist, product specific… Proponents and detractors put forward quite valid arguments when it comes to defending and questioning the real value of security certifications.

Let’s imagine for a moment that we have a helmet that allows us, at the push of a button, to become either a fanboy of certifications or their staunchest enemy. Helmet in hand (well, head on, safety first) let’s go over some arguments for or against security certifications.

[Read more…]

Enterprise immortality?

Too long ago I spent about a year at the Georgia Institute of Technology in Atlanta, continuing my university studies. Shortly after arriving, the person who was in charge of campus security gave us a talk in which he congratulated us on the fact that Atlanta was no longer the most dangerous city in the USA, but the second most dangerous (we are talking about 1999). He also warned, with emphasis on the younger ones, to be careful with the illusions of immortality typical of teenagers, to avoid unnecessary risks and to adopt certain safety measures.

I have a feeling that this kind of illusion applies quite adequately to many companies. In general, the thinking that still prevails in many organizations is the familiar one: it can’t happen to us. The equivalent is the one who gets in the car thinking that accidents happen to everyone but him and ignores seat belts and any “reasonable” speed limit.

[Read more…]

European Cybersecurity Framework

In recent times, the European Union has been reinforcing the regulatory framework on cybersecurity to deal with the growing threat posed by cyberattacks. To this end, it is providing the Member States with a common framework especially focused on cybersecurity aimed at guaranteeing the cyber-resilience of the processes that support different essential services for society.

The NIS Directive or Directive (EU) 2016/1148 was the first cybersecurity law of the European Union and provided a common framework to improve the resilience of the Union’s networks and information systems against cybersecurity risks. It has proven to be a useful Directive, but over the years it has also shown its limitations in the face of increasing cyber threats and the growing reliance on digital solutions.

That is why, at the end of last year, the European Commission presented the new EU cybersecurity strategy based on three main pillars:

  • Resilience, technological sovereignty and leadership;
  • Operational ability to prevent, deter and respond;
  • Cooperation to promote a global, secure and open cyberspace.
[Read more…]

Threat hunting (VII): hunting without leaving home. Process creation

See previous entries: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks, VI: Creating our victim

Good hunters, how’s the hunt going?

I hope you have had time to play with your lab and feel more and more comfortable consulting and analyzing the data.

As I said in the previous article, now it’s time to get down into the mud and start understanding what is happening in our laboratory. In this case we are going to talk about the creation of processes, what happens when a process is created, what ways there are to create them and the traces that creation leaves behind.

Understanding the environment

Windows is organized in layers as far as interaction with the system is concerned.

The upper layers are those with which the user, or the programs the user launches, interact; the lower layers are those used by the operating system itself to function.

For security reasons, the upper layers are well documented and Windows offers facilities to interact with them, but with the lower layers things change: they are not documented and, because of the complexity of their operation and for security reasons, interacting with them directly is very difficult or simply not possible.

[Read more…]

Mr Natural, an iced meeting in traffic

The ISC crew has a monthly Traffic Analysis Quiz, and I want to practice some network forensics kung-fu, so allow me to introduce you to Mr Natural.

What we have

  • a packet capture (pcap) of infection traffic (let’s keep reading, don’t open it yet!)
  • an image of the alerts shown in Sguil (em ok)
  • a text file listing the alerts with a few more details (now this is yummy)
  • a PDF document with answers to the questions below. (SPOILERS!)

What do we know

  • LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255)
  • Domain: mrnatural.info
  • Domain controller: 10.12.1.2 – MrNatural-DC
  • LAN segment gateway: 10.12.1.1
  • LAN segment broadcast address: 10.12.1.255

What our b0$$ wants to know

  1. What is the IP address of the infected Windows host?
  2. What is the MAC address of the infected Windows host?
  3. What is the host name of the infected Windows host?
  4. What is the Windows user account name used on the infected Windows host?
  5. What is the date and time of this infection?
  6. What is the SHA256 hash of the EXE or DLL that was downloaded from 5.44.43.72?
  7. Which two IP addresses and associated domains have HTTPS traffic with “Internet Widgets Pty” as part of the certificate data?
  8. Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?
[Read more…]

What can Artificial Intelligence do for us? (Or against us)

AI is one of the technologies that will have the greatest social and economic impact in the coming years (we are already experiencing it). Some studies (PwC, Accenture) estimate this impact at a global scale up to 2030 to be around 16 trillion USD, led by China and the USA.

As expected, everyone is jumping on this bandwagon and the world of cybersecurity is no exception. But how realistic is the applicability of AI to cybersecurity? Let’s take a look at the possibilities from both sides of the battlefield: the attacker and the defender.

Machine Learning (ML) techniques can be applied to detect vulnerabilities in software using fuzzing tools. This is done by the attackers and can be done by the developers, preventing vulnerabilities from reaching live environments.

One of the most successful recent AI advances is the ability to automatically generate “credible” text that is hard to distinguish from text written by humans. This technique is being used to generate fake news content on news sites or to comment on social networks.

[Read more…]