
Intelligence Driven Incident Response

BSides Zagreb · 2024 · 45:00 · 83 views · Published 2025-03
About this talk
A forensic investigation of a Ransom Hub attack against a multinational corporation, tracing the threat actor's infrastructure across Russia, China, and Cyprus. The talk demonstrates how threat intelligence pivots—starting from a single IP address—can map complex networks of offshore entities, front companies, and shared autonomous systems used to operate ransomware and exfiltration campaigns.
Original YouTube description
Presentation: This is a tale about a long operation conducted against a ransomware group, which is still operating through a huge infrastructure owned by a cybercrime actor. Speaker: Vito is a specialist in Digital Forensics, Incident Response, Vulnerability Management, Cyber Threat Intelligence, Threat Hunting, Security Awareness and Secure Network Design with 15+ years of experience in the field and tons of projects completed in different regions (Europe, APAC, US, MEA), investigating and responding to hundreds of security incidents, primarily related to APTs and cybercrime, in intergovernmental organizations, space and defense entities and in the banking sector. Recorded at BSidesZagreb (https://www.bsideszagreb.com/). #cybersecurity #bsides
Transcript [en]

Okay, hello everyone.

Um, so let me continue in English. My name is [unclear], I'm from Group-IB, and my colleague, uh, Vito Alano. Yes, sir. And looks like our pointer doesn't want to work. Oops, check it out. Looks nice. Yeah, now it's okay.

So the agenda for today is pretty simple. I will tell you a little bit about incident response. It's totally different from what Vladimir told you about a few minutes ago, but I'm happy that he highlighted that EDRs need to be in the infrastructure, and also he told that the SOC could be very slow. The presentation is brand new, it's a recent case, and I see it for the second time, so I made it and sent it to the organizers, and Vito sees this presentation for the first time, so he doesn't know about the small gifts that I put into the presentation. It's a surprise for him.

Okay, I will tell you about incident response and we will tell you the part about threat intel. How did it start? It was the 1st of September 2024. It's a huge international company with a lot of branches worldwide, and we were working for the branch in the Netherlands. So, good morning. Is it serious? And you already know the threat group, the threat actor: it's RansomHub. So yeah, this is serious. They stated it: probably all the machines are encrypted, and we as incident responders already know one of the techniques, Data Encrypted for Impact. Okay, it's already something. But we as a company have an external SOC 24/7, moreover our infrastructure is fully covered by their EDRs, so it should be fine. No, it's not. "Dear customer, this is your global SOC. The global SOC detected malicious behavior: the uninstall of our EDR sensors. We observed that multiple EDR sensors were uninstalled shortly after PCHunter64.exe was executed. You see the following command: the EDR .exe /uninstall." That's it. So you can have the EDRs, but the threat actor could just uninstall them. This is serious, and it was fun, and we have the new TTP: Impair Defenses: Disable or Modify Tools.

Okay, we are in, it's the 1st of September. Let's take a look at event logs. Probably that's the first thing that every incident responder will take a look at, the event logs. The logs are cleared: audit logs cleared, application, system, everything is clear. And we were lucky that PowerShell logs are still there, and we see a couple of commands. One of the commands is to stop the VMs and the second command is to clear shadow copies, yeah, to delete shadow copies. Who made it? The locker .exe. Okay, so the day before, in the evening, there was the ransomware itself, and we have the new technique: Clear Windows Event Logs.

Okay, let's go. Let's take a look at the ransomware itself, RansomHub. What do we know about RansomHub? Did you hear about LockBit? I think you all did. And RansomHub, we suppose that they are like the children of LockBit. Wait a second, wait, wait, wait, wait, it's too early. We noticed a few new features like allow fast encryption, skip virtual machines, and something else. Yeah, okay, but it's just a locker. Let's go.

Finally we found PCHunter. Have you heard about PCHunter, anyone? Yeah. So we see this tool for the second time, and it's supposed to help companies. It was designed to spot and remove malware, including rootkits. It's pretty funny, because what PCHunter did: it stopped the Microsoft Defender antivirus and then it stopped the EDRs. So the tool itself is beautiful, we like it. "I'm pretty light," yeah. And how was it delivered? Just in an archive.

What happened one step before? Do you have any idea? Before stopping the EDRs and before encryption, what did the ransomware group do? Anyone, the previous step? Exfiltration, yeah. So they used FileZilla. They searched through a lot of servers, extracted some data, and we got some C2s, we got the IP addresses of FileZilla servers and a couple of names, the "black eye" and the "fox", and the new technique: Exfiltration over C2. No way.

So what next? Those guys, they don't like backups. So while they were searching and surfing through the infrastructure, they used Veritas Backup, the solution used by the company, and they just turned off the backups. Let's see, pretty easy. And here somewhere we realized that they were moving; lateral movement was conducted through RDP, and then we're trying to reconstruct the picture and found out that the first was, uh, [unclear]. Remote Services, new technique: Remote Desktop Protocol. The step before: what did they use for privilege escalation? It was Zerologon, the critical vulnerability. It's not only Zerologon, we found a new thing, SAM account spoofing. I was seeing that for the first time. I have 17 years of experience in digital forensics, but this thing I've seen for the first time. Do you know what it is? It's pretty nice. The threat actor is adding a new computer to the domain and trying to rename it to impersonate the domain controller and get the right ticket. That's how it looks in the events. So the first event you need to pay attention to: a new computer was created. Okay. And the second one, take a look: the attempted account name doesn't have the dollar sign. So they tried to create, a couple of times, new names without the dollar sign to fool the domain controller and to get the ticket.

What goes before privilege escalation? What do you think, what is it? Come on, come on, we have incident responders here. I believe it's reconnaissance. So a lot of logs, and we don't know what the tool was exactly, but it looks like something, maybe Angry IP Scanner or nmap or something like this. So we have the reconnaissance, and everything goes back to Palo Alto. Looks like we are close to our entry point. Maybe there was the use of a CVE for Palo Alto, because it was affected by that CVE, and in our previous cases we saw a lot of issues with Palo Alto, so we were happy: yeah, again Palo Alto. But no, this time it was just a brute force, and the interesting thing here is that the brute force was tailored for the company. So somehow the threat actors got the understanding that you have only five attempts and then there is the pause for half an hour, so the attempts to brute force the specific user were made like every five minutes, every five minutes. Yeah, so it was not like the DoS brute force. Yeah, essentially it was an attempt per user: the attacker tried five attempts with a delay of a few minutes in order to avoid the user lockout, so it gave enough time to understand what was the best user to exploit, to access silently the perimeter. Yeah.

So okay, the whole attack took just, I think, less than 24 hours, and the company has the EDRs, the company has the 24/7 SOC, they have their own IT guys and security team. But let's reconstruct the whole picture: the tailored brute force, they got the credentials, then used Zerologon [Music] to escalate privileges, then internal scan, something like nmap, Angry IP Scanner, then exfiltration through FileZilla, then PCHunter to totally shut down the defense, and the locker .exe to encrypt. And yes, this is serious. What do we get from the incident response? We got a few IPs, so just three C2s, and at that moment Vito, my colleague, was like: okay, I think I have an idea. And the stage is yours.

Oh yeah, thank you. Who doesn't know who Edmond Locard is? Please raise your hand up. Who knows? No one, okay. Actually Locard is, let's say, the father of forensics, the forensic science, and his main principle was: the culprit, whenever he acts, always leaves a trace. And this is what we use to track down our threat. You know that tracing a threat actor is like playing a big game, following some clues left inside a huge and complex maze, and the incident responder has to reconstruct, to rebuild the right overview, to find the culprit. And this is what we have done essentially. We got into this huge maze starting with the analysis of the public IP addresses, in particular two of them, to understand who was behind the threat actor and what could have been the infrastructure used by the threat actor.

Anyone knows the Pyramid of Pain? Somebody raise your hand up. Okay, good. So essentially the Pyramid of Pain is considered a sort of model for threat intelligence to understand what is the real value of the IOCs, different kinds of IOCs, from hash values to TTPs. So usually those on the bottom part are the most, the more reliable, let's say, because anyway the attacker could always change tools, change the IP addresses, change the domain name and so on, but the main one is always the TTP, how the actor somehow acts during an attack. In our case the IP addresses were quite useful. Let's say that our best friend when we have to investigate an IP address is WHOIS. Usually it is a tool, a command, anyway a huge database that provides information about a specific IP address, and it provides information about who registered it, who is the owner and when it was registered, also some contacts. So let's say that it can reveal tons of breadcrumbs. In our case we considered just a few parts of the WHOIS result: the IP address space, the company name, the company address, the contacts, the phone number and the autonomous system.

So we started from the address space and the autonomous system where this address space is somehow stored. So, do you know what an autonomous system is? Many of you are, like, network, I guess. So let's say that the autonomous system is like a huge group of IP addresses, and the internet is composed of many autonomous systems that are interconnected among themselves via the so-called peering, routing. So they are like islands interconnected to each other through this exterior routing. So it's just the start of the journey.

Thank you, yeah. I didn't see the final presentation actually. So we found out that inside this autonomous system, the autonomous system name, there were three different autonomous systems with three different, not many different, address spaces. We were quite impressed because the infrastructure used by the attacker was quite huge, and just making a simple check we found tons of IOCs related to many IPs that somehow led to many kinds of malware, RATs, ransomware and so on. So we were quite curious to understand. Okay, let's go on. Let's just use the company name and the address, let's see if there is something else. Sometimes when you use WHOIS you just stop at the address space, maybe the company name, and then you look for these two indicators to understand if they have been somehow already seen, but maybe you don't notice the address or the phone number. And the address, interesting, it was in the Panama Papers, so an offshore company. Oh, that's good, actually in China. Okay.

Let's go on. Let's use now the company name and the email address. What would you use, what would be interesting for you, which part of the email address would be useful for you, anyone? Right, the domain. What will you do with the domain? Again, our best friend WHOIS. To understand what the WHOIS gave us: another trace, another contact, the domain name, the registrant name, the holder, when it was registered, the expiration, and also the name and surname of the person who registered it. And analyzing carefully all the subdomains registered, we found the SOA record assigned to a specific email. That's good, we have another couple of traces. So we just looked for this couple of mails in our threat intelligence platform and we found a huge cluster. So those two indicators were assigned and already identified somehow to a huge cluster of domains, files, hashes, IPs and so on, and those clusters essentially were composed of forums, Telegram channels, Jabber accounts, card markets, also malicious mail accounts, malicious domain users and files. So we just said okay, let's check carefully the second mail to understand, and both mails were associated to this part of the cluster, and mostly that mail recorded within the SOA record was assigned and directly linked to a specific domain name. And it is unbelievable, because this was an email assigned to a legit domain, and this one was a malicious domain. And it was even more interesting to see that the top-level domains were .hk and .ru, so China and Russia.

So let's check again. Let's use, oh, let me, sorry, let's use now another indicator, the phone number. Let's see if it is already known. Which tool can we use for checking a phone number? Let's say that Google is your best friend in this case. So the phone number was associated, linked, to another domain, another company, and another, let's say, owner. So different companies, same phone number, but different country. You could say: is it a trace, is it an indicator you can use? Actually in this case yes, because behind that phone number essentially there was like a huge collection of indicators. So again we used this WHOIS, registered in Cyprus; we extracted the abuse mailbox, so again the mail address, the domain name, IP addresses, and WHOIS again. We are in the middle. Thank you. So again the IP, the mail address, the domain name, and the IP address. The IP address was a part of an IP address space associated to the autonomous system that we found at the beginning. It was quite interesting: two different companies, two different countries, different domains, but the same autonomous system.

So okay, let's try to understand. So which are the indicators? Let's use the address, maybe we will find something, and in this case Yandex was our best friend. It returned another domain, another country, but an interesting control panel, and essentially this control panel had two logos, the Russian company and the Chinese one that we have seen, we observed at the beginning. And this was an offshore company, this was a Russian official company. So we said okay, maybe they are somehow in partnership, who knows. So we accessed this control panel and we observed, we analyzed the response in the header, in the packets, and we found the IP address again: same IP address, same autonomous system, different companies, different country, but this time .ru. Mostly it was interesting because, I didn't put this image, in the second part of the response there were essentially many packets, many responses generated by a hidden, let's say, web socket responding on a specific port. Indeed the OS was responding by that IP address but with another domain, .ru, and within the port 6001. Interesting, because essentially this web socket was responding with this malicious domain that we have seen previously. So that's quite interesting: same autonomous system, different companies, different countries, but all linked to the same malicious cluster.

So we just tried to find information and we found a document, interesting, where essentially this Russian company was saying: look, in Russia we are registered in St. Petersburg, in Cyprus we are registered with this name, and in China and Hong Kong we are registered with this name. And thanks to the government services in Russia, we thank our best friend, we obtained the information about the company, the Russian one. Now, the OOO in Russia is what in the UK or other European countries could be the limited company. So it was registered in 2019 in St. Petersburg, here there is the address, and there was a name, essentially who registered it, the owner, and we were quite interested in this kind of information. So three companies registered by the same person, but the one residing in Hong Kong and the one in Cyprus are well recognized and identified within the Panama Papers and Offshore Leaks papers, and we succeeded to get some other information about people who registered all these, let's say, Chinese boxes, and we arrived at a couple of names. So essentially we know. But it was interesting, because at the end, I had to make this long story shorter because it could require a long time to be explained, at the end one owner, but one admin of all these virtual companies and all those autonomous systems, and this huge infrastructure is actually currently managed by the same operator, who is well known, really famous in the dark web and also within the cybercrime landscape, and it is like, let's say, a trusted party for many ransomware groups.

There we are, almost ready. So this huge bulletproof infrastructure as a service is currently used by many threat actors, even I sometimes, and somehow it is linked to ransomware groups like Black Basta, Akira, LockBit, RansomHub and other minor ones, let's say, but is also well known for cybercrime actors like carders, fraudsters and so on. And all these addresses or these systems that are running inside this huge infrastructure are actually used for many scopes and by many people, but there is just one person who is managing everything. We could know the name, maybe, let's see.

So to finish, the cybercrime landscape is quite huge and complex, but there are many connections between the groups, different threat actors, and they always operate and act to build something reliable that could be somehow strong and accurate enough to resist against our law enforcement operations. And this is somehow our story, how we succeeded to track this threat actor and arrive at a couple of names. And we don't know if one day the law enforcement will do something, but as I said at the beginning, the threat actor always leaves a trace, and you can use these traces to find the culprit, and you have much information on the internet, and in our case WHOIS was the best source of information. If you want to know more, we are going to publish this investigation quite soon, I think in April, so you will know more details about it. So thank you for your attention.

Our marketing asked me to put the slide, so please check the QR codes, it's our annual report, like cybercrime trends, and that's the only pretty slide here in that presentation. Yeah. So what's the main point of the whole presentation? We highlighted that the SOC should be faster, the EDR is not like a silver bullet, and sometimes the small incident response, the easiest incident response, could lead to revealing such kind of infrastructure. The whole autonomous system is malicious and you can block the whole IP range and live happy. Yeah. And essentially it is a proof that threat actors are semi-interconnected to each other. There are no different, let's say, groups, maybe there are for sure, but they are somehow operating all together, interconnected through the same systems, the same infrastructure, and sometimes there is like just one actor behind everything. So this investigation was quite interesting because from a couple of IPs we discovered many other information, quite useful. Do you have any questions?

So you discovered so many AS numbers, and according to the slide they were RIPE-based AS numbers. So do you approach RIPE or the global IP to block those AS numbers from their routing tables, or do you approach law enforcement or some other agency and say: okay, we found this on those AS numbers, can you remove it from the net? Or how do you go forward from this information?

Well, the autonomous systems, as I said, were registered through different companies. Many of them were offshore companies, and our investigation revealed hundreds of limited companies behind those names, but all led to a couple of names in Cyprus, and they are well known, they are also within the Panama Papers. So yes, we will approach the law enforcement, so it will be up to them to decide what to do. Essentially those autonomous systems are in Russia, so the process should be: the law enforcement in Europe should [contact] the law enforcement in Russia through maybe Interpol or something like this, and they should understand what to do. But in Russia, if I remember, I don't remember, you need to like make a crime in Russia to be prosecuted somehow, and providing the bulletproof infrastructure, bulletproof servers, is not a crime basically. Oh, and I forgot one thing. RansomHub warned all its affiliates with one important rule that most of you already know: don't attack the ex-Soviet Union space. But in the last one year I think they also added China, so don't attack any system in Russia, don't attack any system in China. We've seen that one of the domains was registered in China, so all roads led to the same actor, and the problem is, if the actor does not breach any system in Russia, the law enforcement cannot do anything. There is a specific law in Russia that is essentially like the guideline for law enforcement to act in case of a cybercrime act.

But you can publish those AS numbers and some other ISPs can use them as an IOC and block on their BGP routers.

Yeah, we will publish and share all the indicators in our report. We will release it in April, we have a long pipeline, so in April you will know almost everything.

You've mentioned that this is a shorter version of the whole story. I was just wondering how long did it take from that single IP address that you discovered to get the whole information?

So, let's say, I think that 50% of the information was extracted in less than 48 hours, because our team is quite big and we have our investigation team and our threat intelligence, so we worked all together. But to track the offshore company, the Chinese boxes, took a little bit of time, so I think about a couple of months. Day by day we tried to filter, to clean and to extract what was really important. Unfortunately the offshore companies have been registered as a sort of long chain of Chinese boxes, so we had to understand, to track every single box to understand what was at the end, this name. So it took really a little bit of time. Okay, thank you.

So maybe I missed it in the presentation, but did you manage to track where those IPs literally are, like in what country, what data center, on what territory, like Russian and Chinese, Europe?

The address space is, let's say, in Russia, but the companies, the owners, are registered in China, Cyprus and Russia, so they are operating from three different countries that somehow are connected to each other. We live in, let's say, a weird historical moment, and some countries in Europe, let's say, allow to create offshore companies, and threat actors of course use these countries to hide, to cover their traces. So this is it.

I'm just asking because apparently Russian IP space is monitored by, what, Roskomnadzor, or how is the state company called?

No, no. Yes, the main one is the Russian telecom provider, but all those autonomous systems actually are peering via BGP with one single provider, Russian. So the routing information is routed from these autonomous systems to one huge autonomous system, which then is interconnected to the entire internet. Thank you.

Hello, and thank you for the presentation. So I will be having two specific questions. First, you have mentioned that the attacker was brute forcing with the interval of five minutes or something like that. Do you have the understanding, did the attacker have some kind of internal info about the infrastructure to use such a timing, or did he use reconnaissance techniques in order to reconstruct what could be the version of the firewall that the customer was using? And the second question: rarely, when I would do the incident investigation, I would rarely see such detailed information about the attacker, let's say having the address, the name of the company and so on. So what would you do if you would, on a WHOIS, get only the name, a cheap domain with redacted information, and how successful would you be in retrieving anything? Thank you.

Okay, let me answer the first question. In April 2024 some vendors released their investigations about the exploitation by a Chinese threat actor of Palo Alto firewalls, and just one Chinese APT group was exploiting this specific technology. From April till July it was just silence, but then in August we observed that many actors started to use PoCs of this exploit to impact the Palo Alto firewalls, and in this case we also found the specific script used by the attacker, because of the indicators and because of the logs, and some details related to the logs, we identified a specific script. But this actor essentially started to do a reconnaissance of the Palo Alto exposed on the internet to understand if it was affected, essentially if it was vulnerable, but they did not use that exploit to access the perimeter. They just went further using this sort of tailored brute force. If I remember, the data set of usernames was quite huge, 5,000 usernames, so it was, let's say, two, three days of scanning to understand which specific user was valid.

To reply to the second question: it is, let's say, in the United States usually engineers used to say "it depends". So when we find IOCs we investigate for a long time, and when we are sure that we found the culprit we always contact the law enforcement. It depends where, for example, the infrastructure is hosted. If for example a command and control server is hosted, I don't know, in Germany or in Switzerland and so on, we contact the law enforcement and ask them, we share every information with them, all details, and they immediately act to seize the command and control, and then they usually ask us to analyze the command and control server. So what we do essentially is to share everything with the law enforcement, and it will be up to them to decide what to do, because they have the power to react. In some other cases, if we notice that the infrastructure is somehow composed of compromised systems of other companies, we try also to contact the security officer of that company, sharing all the IOCs to help them to investigate or to plan a sort of reaction. I hope I replied to your question. Any more questions? Okay. Thank you for the presentation. Thank you, thank [Applause] you. The next presentation is in 20
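The lockout-aware brute force the speakers describe (five attempts per user, then a half-hour pause, so the attacker spaced attempts about five minutes apart across thousands of usernames) can be separated from noisy brute force and from ordinary typos by looking at per-user failure counts inside the lockout window. The following detector is an added example, not code from the talk or from Group-IB; the log format, the 5-attempt/30-minute policy values and every sample line are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lockout policy the attacker had worked out (values from the talk): five
# failed attempts on a user, then a half-hour lockout.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)


def constructed_log():
    """Constructed VPN auth log (not real data): '<iso-ts> <src-ip> <user> <FAIL|OK>'."""
    t0 = datetime(2024, 8, 30, 22, 0, 0)
    lines = []
    # Tailored spray: three users, four failures each, one every five minutes,
    # so no user ever reaches five failures inside the lockout window.
    for i, user in enumerate(("alice", "bob", "carol")):
        for k in range(4):
            ts = t0 + timedelta(minutes=5 * k, seconds=40 * i)
            lines.append(f"{ts.isoformat()} 203.0.113.7 {user} FAIL")
    # Classic brute force: one user hit eight times in two minutes (trips lockout).
    for k in range(8):
        ts = t0 + timedelta(seconds=15 * k)
        lines.append(f"{ts.isoformat()} 198.51.100.9 dave FAIL")
    # Benign: a single typo followed by a successful login.
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} 192.0.2.5 erin FAIL")
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} 192.0.2.5 erin OK")
    return "\n".join(sorted(lines))


def parse_log(text):
    """Parse the four-field log into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def max_failures_in_window(times, window):
    """Largest number of failures for one user inside any sliding window."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] >= window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyse_sources(events, min_users=3):
    """Summarise failed logins per source IP and classify the pattern."""
    fails = defaultdict(lambda: defaultdict(list))
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src][user].append(ts)
    report = {}
    for src, users in fails.items():
        peak = max(max_failures_in_window(t, LOCKOUT_WINDOW) for t in users.values())
        total = sum(len(t) for t in users.values())
        all_ts = sorted(t for ts_list in users.values() for t in ts_list)
        gaps = [(b - a).total_seconds() for a, b in zip(all_ts, all_ts[1:])]
        if peak >= LOCKOUT_THRESHOLD:
            verdict = "noisy-bruteforce"   # would trip the lockout; easy to spot
        elif len(users) >= min_users and total >= LOCKOUT_THRESHOLD:
            verdict = "tailored-lowslow"   # many users, each kept under the threshold
        else:
            verdict = "benign"
        report[src] = {
            "users": len(users),
            "failures": total,
            "peak_per_user": peak,
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else 0.0,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in analyse_sources(parse_log(constructed_log())).items():
        print(src, info)
```

The "tailored-lowslow" verdict is the case the talk describes: a source that never trips the per-user threshold but touches many accounts, which a threshold-only lockout alert will never raise.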
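The SAM account spoofing the talk describes shows up in Windows Security logging as a computer account creation followed by a rename to a name without the trailing dollar sign, and later a rename back. The following check is an added example, not code from the talk; the records are constructed to mirror the EventData fields of events 4741 (computer account created) and 4781 (account name changed), and the domain controller inventory is an assumption.

```python
# Constructed records (not real logs) shaped like the EventData fields of
# Windows Security events 4741 ("A computer account was created") and
# 4781 ("The name of an account was changed").
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WKS-NEW01$"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "WKS-NEW01$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "DC01", "NewTargetUserName": "WKS-NEW01$"},
    # Benign rename by an admin: both names keep the machine-account suffix.
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "OLDPC$", "NewTargetUserName": "NEWPC$"},
]

# Assumed inventory of domain controller hostnames (sAMAccountName without '$').
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def find_sam_spoofing(events, dcs=DOMAIN_CONTROLLERS):
    """Flag renames that strip the '$' from a computer account.

    Returns one finding per suspicious 4781 event, enriched with the creator
    of the computer account if its 4741 was seen earlier in the stream, and
    marked 'reverted' when a later 4781 renames it back to a machine name.
    """
    creators = {}
    findings = []
    for ev in events:
        if ev["EventID"] == 4741:
            creators[ev["TargetUserName"].upper()] = ev["SubjectUserName"]
        elif ev["EventID"] == 4781:
            old = ev["OldTargetUserName"]
            new = ev["NewTargetUserName"]
            if old.endswith("$") and not new.endswith("$"):
                # A machine account losing its '$' is the first half of the pattern;
                # matching a DC name is what makes the ticket request succeed.
                findings.append({
                    "account": old,
                    "renamed_to": new,
                    "by": ev["SubjectUserName"],
                    "created_by": creators.get(old.upper()),
                    "severity": "critical" if new.upper() in dcs else "high",
                    "reverted": False,
                })
            elif new.endswith("$") and not old.endswith("$"):
                # Renaming back after the ticket was obtained is the second half.
                for f in findings:
                    if f["account"] == new and f["renamed_to"] == old:
                        f["reverted"] = True
    return findings


if __name__ == "__main__":
    for finding in find_sam_spoofing(SAMPLE_EVENTS):
        print(finding)
```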