Check yourself: can you protect the company from cyber attacks?
Recently, an international information security competition VolgaCTF was held in Samara. Vladimir Dryukov, director of Solar JSOC's cyber attack and monitoring center, told the competition participants about three real attacks and asked how they could be identified. Check if you can answer correctly.
Below is a transcript of Vladimir’s speech, but for those who want to see the uncensored and uncut version (including listeners ’answers), here’s a video:
So, a word to Vladimir:
')
I want to tell a few stories from our lives. Most of them, I will tell from the end - that is, starting with what it was for the incident. And you try to figure out how this attack could be seen at the start, what would you, as a defender of the company, have done so that the actions of the attackers hit your radar.
I hope this will help you in the future when you become professional pentesters and work at Positive Technologies, Digital Security or with us. You will know how the monitoring center sees such attacks, how it reacts to them, and - who knows - maybe this will help you bypass the defense, achieve your goal and show the customer that he is not as invulnerable as he thought. Here we go?
The story began with the fact that the head of the information security service of one company came to us and said:
“Guys, I have some kind of strange nonsense going on. There are four cars that start to reboot spontaneously, fall out of the blue screen - in general, some sort of nonsense happens. Let's ponder. "
When the guys from the Forsenziki group arrived at the site, it turned out that the security logs on all the machines were cleaned - there are so many activities that the security magazine rotates quickly (overwrites). The Master File Table also failed to find anything interesting - the fragmentation is strong, the data is quickly overwritten. Nevertheless, we managed to find something in the system journal: about four times a day, the it_helpdesk service appears on these four machines, does something unknown (there is no security log, as we remember) and disappears.
Our head fornziki appeared about the following expression:
Began to understand further, and it turned out that the service it_helpdesk - actually renamed PSExec.
After checking the system logs on other machines, we saw that not 4 workstations were involved, but 20, plus another 19 servers, including one critical server. We talked with IT specialists and found out that they have nothing to do with this, they have no such subsystem. They started digging the case further, and then a rather curious and rarely occurring thing was discovered - DNS-tunneling, which was used by the VPO module responsible for communication with the botnet control center.
The malicious code got into the organization through mail, spread across the infrastructure and interacted with the C & C server through the DNS tunnel. Therefore, the prohibitions on interaction with the Internet, which stood in the server segment, did not work.
On one of the critical servers was a keylogger, who automatically read passwords, and the malware tried to crawl further, receiving new user credentials, including dropping machines into the BSOD and reading the passwords of the administrators who were raising it.
What did it lead to? During that time, while the malware was living in the infrastructure, many records were compromised and, in addition, a large amount of other potentially sensitive data. During the investigation, we localized the scope of the attackers and ousted them from the network. The customer also received another four months of flour - it took to reload half of the machines and reissue all the passwords - from databases, records and so on. People with IT experience do not need to explain how difficult this story is. But, nevertheless, everything ended well.
So the question is: how was it possible to identify this attack and catch the cybercriminal’s hand?
Task number 2. Terrible tales
A large bank, a woman works in the financial service and has access to the AWP of the CBD.
This financial officer brought a flash drive with a file called Skazki_dlya_bolshih_i_malenkih.pdf.exe to work. She had a little daughter, and the woman wanted to print a children's book at work, which she downloaded from the Internet. The extension of the .pdf.exe file did not seem suspicious to her, and even then, when she launched the file, the usual pdf opened.
The woman opened the book and went home. But the .exe extension, of course, was not random. Behind him was the Remo Admin Tool, who sat down at the workstation and entrenched himself there in the system processes for more than a year.
How do such malware work? First of all, make screenshots of the screen about 15 times per minute. In a separate file, they add the data received from the keylogger - logins and passwords, correspondence in the mail, instant messengers and much more. Having connected the client, we quickly noticed the infected host and cleaned out the virus from the network.
Question: how was it possible to detect "invisible" malware, not detected by the antivirus?
Task number 3. "Bloody warez"
The system administrator had to compare and “glue” together a 2 .xml file. He went a simple way - typed in the search engine "download xml merger without registration and sms." The official site of the developer of this utility was in 3rd place in the issuance, and in the first two - file sharing. There the administrator and downloaded the program.
As you probably already guessed, a good, high-quality privilege elevation module was built into the “free” utility. He demolished the anti-virus agent on the machine and created a file with the same name instead. So the malware hung on the machine, periodically contacting the control center.
The worst thing was that the IT administrator is the king of the castle, he has access everywhere. From his machine, the virus can reach any host or server. The malware crawled over the network through domain sharepoint, trying to get to the car of the main financier. At that moment, she was caught by the tail, and the story was extinguished.
Question: how to detect such an attack on the machine privileged user?
Below is a transcript of Vladimir’s speech, but for those who want to see the uncensored and uncut version (including listeners ’answers), here’s a video:
So, a word to Vladimir:
')
I want to tell a few stories from our lives. Most of them, I will tell from the end - that is, starting with what it was for the incident. And you try to figure out how this attack could be seen at the start, what would you, as a defender of the company, have done so that the actions of the attackers hit your radar.
I hope this will help you in the future when you become professional pentesters and work at Positive Technologies, Digital Security or with us. You will know how the monitoring center sees such attacks, how it reacts to them, and - who knows - maybe this will help you bypass the defense, achieve your goal and show the customer that he is not as invulnerable as he thought. Here we go?
Task number 1. This service is both dangerous and difficult, and at first glance it seems not to be visible ...
The story began with the fact that the head of the information security service of one company came to us and said:
“Guys, I have some kind of strange nonsense going on. There are four cars that start to reboot spontaneously, fall out of the blue screen - in general, some sort of nonsense happens. Let's ponder. "
When the guys from the Forsenziki group arrived at the site, it turned out that the security logs on all the machines were cleaned - there are so many activities that the security magazine rotates quickly (overwrites). The Master File Table also failed to find anything interesting - the fragmentation is strong, the data is quickly overwritten. Nevertheless, we managed to find something in the system journal: about four times a day, the it_helpdesk service appears on these four machines, does something unknown (there is no security log, as we remember) and disappears.
Our head fornziki appeared about the following expression:
Began to understand further, and it turned out that the service it_helpdesk - actually renamed PSExec.
Utilities, such as Telnet, and remote management programs, such as Symantec’s PC Anywhere, can run on remote systems, but they are not as easy to install as you also need to install client software on remote systems that you need to install. access.
PsExec is a lightweight version of Telnet. It allows you to perform processes in remote systems, using all the capabilities of an interactive interface for console applications, and without the need to manually install client software. The main advantage of PsExec is the ability to invoke the command-line interface interactively on remote systems and launch tools such as IpConfig remotely. This is the only way to display local system information on the local computer.
technet.microsoft.com
After checking the system logs on other machines, we saw that not 4 workstations were involved, but 20, plus another 19 servers, including one critical server. We talked with IT specialists and found out that they have nothing to do with this, they have no such subsystem. They started digging the case further, and then a rather curious and rarely occurring thing was discovered - DNS-tunneling, which was used by the VPO module responsible for communication with the botnet control center.
DNS tunneling is a technique that allows you to send arbitrary traffic (in fact, raise the tunnel) on top of the DNS protocol. It can be used, for example, in order to get full access to the Internet from the point where DNS name resolution is allowed.
DNS tunneling cannot be denied by simple firewall rules, while allowing the rest of the DNS traffic. This is due to the fact that DNS tunnel traffic and legitimate DNS queries are indistinguishable. DNS tunneling can be detected by request rate (if the traffic through the tunnel is large), as well as by more sophisticated methods using intrusion detection systems.
xgu.ru
The malicious code got into the organization through mail, spread across the infrastructure and interacted with the C & C server through the DNS tunnel. Therefore, the prohibitions on interaction with the Internet, which stood in the server segment, did not work.
On one of the critical servers was a keylogger, who automatically read passwords, and the malware tried to crawl further, receiving new user credentials, including dropping machines into the BSOD and reading the passwords of the administrators who were raising it.
What did it lead to? During that time, while the malware was living in the infrastructure, many records were compromised and, in addition, a large amount of other potentially sensitive data. During the investigation, we localized the scope of the attackers and ousted them from the network. The customer also received another four months of flour - it took to reload half of the machines and reissue all the passwords - from databases, records and so on. People with IT experience do not need to explain how difficult this story is. But, nevertheless, everything ended well.
So the question is: how was it possible to identify this attack and catch the cybercriminal’s hand?
The answer to the first task
First, as you remember, the infection has affected a critical server. If a new, previously unknown service is started on such a host, this is an incident of a very high degree of criticality. This should not happen. If you at least monitor services that run on critical servers, this alone will help to identify such an attack at an early stage and prevent it from developing.
Secondly, we should not neglect the information from the most basic means of protection. PSExec is well detected by antivirus, but is marked not as malware, but as Remote Admin Tool or Hacking Tool. If you carefully look into the logs of the antivirus, you can see the response in time and take appropriate measures.
Secondly, we should not neglect the information from the most basic means of protection. PSExec is well detected by antivirus, but is marked not as malware, but as Remote Admin Tool or Hacking Tool. If you carefully look into the logs of the antivirus, you can see the response in time and take appropriate measures.
Task number 2. Terrible tales
A large bank, a woman works in the financial service and has access to the AWP of the CBD.
ARM KBR is an automated workplace for a client of the Bank of Russia. It is a software solution for secure information exchange with the Bank of Russia, including sending payment orders, bank flights, etc.
This financial officer brought a flash drive with a file called Skazki_dlya_bolshih_i_malenkih.pdf.exe to work. She had a little daughter, and the woman wanted to print a children's book at work, which she downloaded from the Internet. The extension of the .pdf.exe file did not seem suspicious to her, and even then, when she launched the file, the usual pdf opened.
The woman opened the book and went home. But the .exe extension, of course, was not random. Behind him was the Remo Admin Tool, who sat down at the workstation and entrenched himself there in the system processes for more than a year.
How do such malware work? First of all, make screenshots of the screen about 15 times per minute. In a separate file, they add the data received from the keylogger - logins and passwords, correspondence in the mail, instant messengers and much more. Having connected the client, we quickly noticed the infected host and cleaned out the virus from the network.
Question: how was it possible to detect "invisible" malware, not detected by the antivirus?
The answer to the second problem
First, malware, as a rule, does something in the file system, changes registry entries — in a word, it is somehow loaded into the system. This can be traced if you monitor the host at the level of the logs that the operating system itself writes - security logs, running processes, modifying the registry.
Secondly, it is important to remember that such a malware does not live autonomously, it will definitely knock somewhere. Often, workstations on the network access the Internet only through a proxy, so if the machine tries to knock somewhere directly, this is a serious incident that needs to be dealt with.
Secondly, it is important to remember that such a malware does not live autonomously, it will definitely knock somewhere. Often, workstations on the network access the Internet only through a proxy, so if the machine tries to knock somewhere directly, this is a serious incident that needs to be dealt with.
Task number 3. "Bloody warez"
The system administrator had to compare and “glue” together a 2 .xml file. He went a simple way - typed in the search engine "download xml merger without registration and sms." The official site of the developer of this utility was in 3rd place in the issuance, and in the first two - file sharing. There the administrator and downloaded the program.
As you probably already guessed, a good, high-quality privilege elevation module was built into the “free” utility. He demolished the anti-virus agent on the machine and created a file with the same name instead. So the malware hung on the machine, periodically contacting the control center.
The worst thing was that the IT administrator is the king of the castle, he has access everywhere. From his machine, the virus can reach any host or server. The malware crawled over the network through domain sharepoint, trying to get to the car of the main financier. At that moment, she was caught by the tail, and the story was extinguished.
Question: how to detect such an attack on the machine privileged user?
The answer to the third problem
Again, you can listen to traffic, trying to catch the malware "red-handed" - at the time of the request to the C & C server. However, if the company does not have NGFW, IDS, a network traffic analysis system or SIEM that catches anything valuable out of traffic, you can listen to it endlessly.
It is more efficient to look at the logs of the operating system, sending them to some external system. While the malware was removing the anti-virus agent, it could not clear the audit file, so the logs transmitted on the external system will accurately contain information about the removal of the anti-virus agent or at least about the very fact that the audit was cleared. After that, the logs on the machine will be empty, and no traces will be found.
It is more efficient to look at the logs of the operating system, sending them to some external system. While the malware was removing the anti-virus agent, it could not clear the audit file, so the logs transmitted on the external system will accurately contain information about the removal of the anti-virus agent or at least about the very fact that the audit was cleared. After that, the logs on the machine will be empty, and no traces will be found.
Source: https://habr.com/ru/post/425861/
All Articles