
Hello everyone, and thank you for being here after lunch. My story is a story about incident response. You have probably already heard some stories today, about some instruments and tools that are used to do forensic stuff and so on. My question for you: what is incident response for you? You are probably familiar with the narrative: company A has the incident, then they call the cybersecurity company, and then we have incident response. That is the usual picture, but I want to tell you a different story. I want to tell you the story where we were able to prevent the impact, so there was no incident yet, and that is the Christmas miracle, as I feel it inside me. So: how threat intelligence and attribution helped to identify the attack, what the incident response was, and a few words about proactive threat intelligence techniques.

Let's start with threat intelligence. What is threat intelligence? We as cybersecurity specialists always want to get indicators of compromise, to be sure that our systems are clean and we don't have those indicators inside our environment. But when do we get those indicators of compromise? Usually, nowadays, a victim in the wild was infected, they detected the attack, probably responded to that attack, and then the threat intelligence provider gets some indicators of compromise and sends them to us. It is like it used to be with antivirus solutions: first we see the sample on, I don't know, VirusTotal for example, then the companies provide the signature for the specific virus, and we have it in our databases in a day or two. But we want to do it differently. We want to get indicators of compromise at the very first step, when the adversary prepares the infrastructure. Does it sound strange to you?

To do that, to identify a command and control server before the attack has even started, we need a few things. We need information on the analyzed server, like open ports, the answers on those open ports, SSL certificates on these ports, domain registration information. You can get this information from RiskIQ, from Shodan, from urlscan. But of course you also need the specific guy who can reverse the malware, who can find the dependencies between all these things, a guy like this.

At one moment we found an advertisement on a dark web forum, and it said "we are selling the backconnect module". So we tried to find the module, we reverse engineered it, and we found a specific request from the backdoor to the potential command and control server. Here is the IP of this server. About the backdoor itself: it is called SystemBC. At the first launch it creates a hidden task, then it collects some information, encodes it and sends it back to the C&C. It can upload some payload and execute PowerShell scripts, batch files, executable files and so on, and it works as a proxy. So that tool is usually used at the moment of lateral movement.

Okay, going to the incident. We found the SystemBC sample, we reverse engineered it, we found the specific commands, and then we identified the IP address. With a little bit of magic and the help of law enforcement, we got inside the panel. So that is the admin panel of SystemBC, and you can see here a lot of data and a lot of countries, for example Italy, Hong Kong, Australia, United States, Portugal, Sri Lanka. These are all victims. So we chose one of the victims, and let's identify who it was. We have the domain name, we have the computer name, we have the username, and we have the country. It was a Belgian company. So we called the Belgian CERT and asked them: guys, could you please inform the company that they have been breached, and we don't know the state at the moment. And luckily, the employee of the CERT just walked out of the building, turned around the corner, and there was that company. So he knocks at the door: hello, I'm from the national CERT, and you have been breached, do you want incident response? They were like, yeah, okay, why not. That's how the incident response started.

For me, for an incident response guy, it is good luck to already have the information about what tools were used by the attackers. I already know that there was the SystemBC backdoor, I already know the functionality of the sample, and I already know at least one host that is infected. Here is the kill chain, and we are on the stage of lateral movement. For ransomware cases we usually start the incident here, when the impact was already made. So we have at least a few hours before encryption, and that is why I call it a Christmas miracle, because it was on the 24th of December; we started incident response on Christmas Eve. I told the company: probably you will be encrypted today, this evening, because in the morning you will get no help from anyone, not from the police, everyone will be celebrating Christmas. So we have a few hours.

The first findings were in the event logs. I saw a PowerShell script on the 21st of December, a PowerShell script for dumping LSASS, probably for further Mimikatz execution to get credentials. And before Mimikatz I see the NetScan; it is a very well-known tool, SoftPerfect Network Scanner. So it looks like the first steps of the intrusion: you do reconnaissance inside the network, then you go for credentials. So the initial step was probably a few minutes or hours before. Then I took a look at SoftPerfect Network Scanner itself. The first thing that grabbed my attention was the Russian interface, so it was easier for me. Inside the license file along with SoftPerfect Network Scanner, it is Russian, and even the username is also in Russian; it is "Sire" or something, like some lord, I don't know. But I was surprised that inside the config, inside the scan config, we already have a list of users and passwords. So I was thinking: we have a network scan, and after a few minutes we have Mimikatz. Where did they get those passwords? That was the first question.

And the second question popped up in my mind a few moments later. In the same System log I saw that someone cleared the whole System log, all the events, and I was like, why did someone clean the System log so early? You just started the intrusion, you are just doing the first things. And here is the answer to where they got the credentials: already on the 20th of December, in the night, the output of Mimikatz was found in the C:\Users\Administrator\Downloads\64 folder. Okay, and why clean all the logs so early? Because the first intruder tried to clear his traces.

After a few hours of recovering the data, I got some information about the actions that were made by the first intruder. The first trace was on the 17th of December; it was Friday evening, 11 p.m. on Friday evening, everyone is drunk already, so I believe it was a malicious action: the administrator runs the cmd tool on the server with an open RDP port, an extraordinarily open RDP port. Next, on Sunday at 5 in the morning, the administrator installed AnyDesk, the remote access tool, and later on Sunday in the evening we see a bunch of tools: Advanced Port Scanner, a batch script to delete backups, PsExec, Total Network Inventory, WebBrowserPassView, NetPass. So tools for obtaining passwords, tools for scanning, and so on. The next day, Monday morning, the actor created a new folder, C:\NL. I think because of the language he thought that it was the Netherlands, so he didn't know that it was Belgium. Then he runs WinPcap, probably to catch some traffic and see what is happening. Then we see Mimikatz, and then he surfed some folders. Through the day, through the working hours, he did nothing, and in the evening we see Advanced Port Scanner; we see that the threat actor tried to examine some folders and to delete some backups, but he faced a really good backup solution, and probably that is why he sold the access to the second threat actor.

Why am I so sure that there were two guys? Because the second threat actor used a different folder, the Music folder. They used the same tools with different names, for example Advanced Port Scanner and "Advanced C Port Scanner", WebBrowserPassView, the same tools, NetPass1 and just NetPass. And the second threat actor conducted a network scan, and we know that the first one already did that the day before, so it is nonsense. So we faced what we call the partner program, and the first guy was just a pentester, the affiliate. Okay, what did the second threat actor do? He changed the registry a little bit to allow Mimikatz to execute properly. Then he runs PowerRun; it is a tool to escalate privileges. Then he runs VMmanage setup; it is our SystemBC backdoor. Then Advanced Port Scanner to scan the network, and then a Visual Basic script for Mimikatz. And finally we see some connections from RDP, so we have some IPs. Okay, but as it always happens, it is VPN, probably Mullvad VPN, so no data from there. And more tools were uploaded on the 24th, when we started incident response. Why? The first tool is Defender Control; it is a tool that can disable Windows Defender. And the second, PC Hunter, is an analog of Process Hacker, so a tool that can show you all the processes running on the host and probably kill the process. But why do they need these tools? Because we started incident response and deployed an EDR solution, and Mimikatz stopped working. So I imagine the dialogue between me and the threat actors at that moment. "Why doesn't my Mimikatz want to start?" "Because we are working here." "Okay, so let me upload Defender Control, and probably it's Defender, I will stop it." "No, you will not, because we stop it; we stop Defender Control." "Okay, what's happening? I need to know, I need to check all the processes, I run PC Hunter. Oh yeah, there is Group-IB. Release the Kraken!" And the Kraken was Cobalt Strike, a well-known tool for pentesters and for attackers. But it was their mistake, because we identified the command and control server of Cobalt Strike, blocked it, and at the same moment we understood who was behind the attack. It was the Hitor group, and the second name for them is Balbas; it translates from Russian as "idiots". At that moment they used Cuba ransomware and MLock ransomware.

So the whole picture of the incident is like that: reconnaissance and initial access, probably it was scanning of the internet and brute force of open RDP on the server on Friday evening; delivery and execution, upload of Mimikatz, Advanced IP Scanner, Total Network Inventory and password stealing tools; then the access was sold; then discovery and lateral movement with Advanced IP Scanner, SoftPerfect NetScanner, SystemBC and Cobalt Strike; and actions on objectives: attempts to avoid defense, panic and sadness.

This incident happened at the end of 2021, almost two years ago, and you may ask why I am telling that story now, when it is two years already. At that moment it was a unique case for us, the first case when we were able to prevent the impact for the company. But since then it is already more than 100 companies, sometimes a little late, by a few days, by a few hours maybe. For example, the last incident happened this Wednesday, last Wednesday. We called the company in the evening: hello, you were breached, do you want incident response? And they were like, oh yeah, okay, let us check the infrastructure and we will get back to you in the morning. And in the morning they told us: we are encrypted already, the encryption was this morning, and we want incident response. So the main point here: it is always better to prevent the attack and prevent the threat than to investigate it, and here is where threat intelligence really shines. I think we should go further towards identification of infrastructure and preventing the attacks rather than investigating them. Yeah, that's all from me. Do I have more time? No, it's time for questions. [Applause]

Test, okay. Do we have any questions for Artem? No one fell asleep, and that is already good. Normally, as a teacher, you always wait 15 seconds, because somebody might have... usually it takes time to process. So I actually have a question. You talked about how you were able to do attribution; it was through Cobalt Strike, but I wasn't completely clear: how did you use Cobalt Strike to do the attribution?

So the main point: we identified the command and control IP address that was inside the Cobalt Strike beacon, and we already knew the group. The main task of the threat intelligence department itself is to track different groups and try to find the infrastructure and the tools they use, for example IP addresses of their Cobalt Strike and so on. So yeah, we were lucky enough.

I have a question back here. Thank you for the talk. How deep was the threat actor inside the network, like how many computers were compromised, and did they have domain administrator or similar?

As I remember, it was about 20 hosts compromised, but they were focused only on the server infrastructure and only on Windows infrastructure.

As a follow-up question: are you able to stop a threat actor when he has already fully compromised the network, or only in the early stages?

I can tell you a different story, a fresh one. A few months ago we were able to stop a threat actor who was inside a huge infrastructure, about 15K of different... and it was made possible by our knowledge of the attacks. The company, our company, was started as an investigation team and incident response. We collected a lot of info and then divided, created the separate department, and we invest a lot in those guys. But for now it is the most valuable product of our company, threat intelligence. So I think we earn more from our threat intelligence than we invest in it. Yeah, so go for it, invest in threat intelligence.

Okay, I think our time is about up, so thank you everyone, please give Artem a round of applause for our post-lunch story.