
True Story: I Saw Phishing Done by a Panda(Doc)

BSides Augusta · 2022 · 47:07 · 139 views · Published 2022-10
About this talk
A real incident investigation into how attackers exploited uncompromised document-sharing platforms (PandaDoc) to deliver phishing campaigns and harvest credentials from unsuspecting employees. Fernando Tomlinson walks through the attack chain, forensic analysis, and defensive measures—including email filtering configuration, MFA enforcement, and Azure AD hardening—that could have prevented or mitigated the intrusion.
Original YouTube description:
Every cyber intrusion involves gaining initial access. While there are many methods to achieve success in this key phase, one that continues to be used is phishing. The concept of phishing is not new however, the tactics used by APTs and other malicious entities continue to evolve in sophistication. Uncompromised sites are being used as intermediate communication paths to serve malicious content. In this talk, we will walk through how malicious actors have used and continue to use uncompromised document processing sites to bypass filters and harvest data from unsuspecting victims. Walking away, you will be better prepared to not only identify the tactic but also implement measures to safeguard your organization from them.
Transcript [en]:

All right, so this should be an exciting talk, or at least exciting to me, right? Let's get into this. As we do that I'll take a quick second to kind of introduce myself, and as Murphy's Law would have it I've got some technical difficulties, but we will prevail. All right, cool. So I'm Nando. I'm a principal IR consultant with Mandiant, a company of Google now; I've got to figure out the right terminology to use when I'm saying that. Nonetheless, I'm retired from the US Army, right here locally. I did 20 years; the better half of my career, the latter half rather, was in cyber security, the former half was in IT, so no stranger to really technology. Did some time overseas, not really important. I'm also a cyber security adjunct professor, where I just really am infatuated with education, right? I recall my time really getting started in this: I had no idea what I'm doing. Don't tell anybody, but I still have no idea what I'm doing, but somebody took the time to invest in me and I try my hardest to really invest in others. There's some PowerShell training platforms, again all about education, and then there's a number of other places where I have a presence on the web. But enough about that, we're not here to talk about me, we're here to talk about some phishing, right?

Right, and let's get into some numbers, right, some statistics if you will, and to do this I'll reference a report from Mandiant, a trusted leader of cyber security, but nonetheless a report called M-Trends, right? It's an annual report produced by the company where we highlight things that we've seen within the previous year. If you have not checked it out I highly recommend you do that; there's some other cyber security companies who also produce an annual report, recommend you check those out as well. But nonetheless, we highlight the top 10 frequently seen techniques, right, that we saw within the previous year, and you see a number of things that are shown there, but really number one, obfuscated files and/or information, and that's where phishing really falls into. Phishing isn't new, right? And when we look at the next-gen exploit, like I heard somebody talk about earlier today in their talks, and not really that being the thing that we need to focus on, well, phishing is one of those things that is like super tried and true and it just continues to work. All right, so from that perspective, when we look at the top organizations, or really industries, that are impacted by this, well, the numbers don't lie, and again this is what we see firsthand. We start to see Business and Professional Services clearly at the top, and then you start to see kind of cascading with the number of other organizations and industries as well, but largely speaking they're all impacted by phishing. Like, there's not one of them that I can say has not been impacted by phishing, and those techniques, they continue to evolve. Some of them have varying levels of success; however, it is still a technique that continues to be used on a daily basis, and it isn't just run-of-the-mill entities that are doing this phishing, you know, the 400-pound person in the basement, as I once heard somebody say. It's APTs, it's FIN groups, it's UNCs, uncategorized groups as Mandiant knows it. It's all facets of industries or malicious actors that are utilizing this, and I keep going back to why, and it's because it's working, right? Does it work 100% of the time? No, but it works enough to where it doesn't deter them. So, cool, it's not new. Is it detected? Yes, it is detected, varying levels of success associated with that detection.

And really just looking at some numbers here, we have essentially our Asia area, we have our Europe area, if you will, and we have the Americas, right, and then we have overall, and we can see from the perspective of intrusions at large, this is encompassing phishing as well but not specific to just phishing, we start to see the detection based upon internal, we also see it based upon external. And really from that perspective you would hope that phishing is largely detected internally, right? Because John Bob gets an email, John Bob says it smells fishy, you know, no pun intended, and he or she reports it. You would hope that it isn't reported externally. Well, I would tell you my experience shows that it is a subset of both, and in some cases it certainly is not as quick as it should be. So what does phishing really give us, right? Well, for a malicious cyber actor to have some type of action, if you will, in an environment they need to have initial compromise, initial access, right? So this is kind of the category in which phishing falls into. We'll come back to this in a minute. We also have things like establishing a foothold in that network, right, so being able to have a presence in that organization's network, even if it is a low-level user that doesn't have any rights. A foothold is a foothold is a foothold. And then at some point, well, that lonely user was good for, you know, the original purpose, but we need to elevate to be able to do what we really need to be able to do and have the ability to likely move in a fashion that we want to move, and/or do other things. So there's going to be a time in which privilege escalation is going to take place. How does that take place? Well, that's not for this talk, a number of means. But after that, well, let's spread. I've elevated, let's see what else is out there. We're going to spread our wings, if you will; it's going to be some form of reconnaissance internally, and then they're going to laterally move. The other thing, this is where we start to lay down an actual true presence. So we've got the initial foothold, all right, we're on the system itself, but this is where things like C2 come into play, and you'll note that there is kind of like an arrow, if you will, because it's a continuous thing, right, kind of rinse and repeat. And then there's going to come a point where they're going to complete the mission. Well, what is the mission? Could be data exfiltration, staging, could be destruction of the machine. Well, that all truly varies.

But back to this phishing piece, or really this initial compromise: as we look at the numbers, you know, exploitation is up there and there's no shortage of that, and we see other things that are being shown, supply chains, stolen credentials, and then we see things like phishing on there, and it's not at the top, and I'm not here to tell you it is the number one thing. It is certainly not. However, it is in the conversation in terms of initial access in most conversations that any of us would have as cyber security professionals, and that's because the numbers don't lie, and certainly the data does not lie either. With that, let's talk about a story, right? This is a use case, real world. Some things have been, you know, changed to protect the organization, if you will, but this is one example of many that I've dealt with, and others of my peers in the organization have dealt with, and we continue to deal with. I'll talk about at the end here, as of roughly two weeks ago, how this is still going on and it's going to continue to persist as well.

So getting into this, I'll paint this situation. We get this guy, he's got the nice comb-over, let me see, right? And we're going to call him John Doe because it seems fitting. John Doe works for a company we'll call Company A, and there's his email, jdoe at Company A. He also works for a company called Company B, and his username is essentially the same thing, jdoe, but that domain, Company B, right? So he's got two different email accounts for two different companies. Where the bad practice starts to come in, as we paint this situation, is when he needs to interact with other individuals in Company A. You would think that he would utilize his Company A email, and you would think other individuals in that organization would be accustomed to receiving emails from him from his Company A email. That's what we would think. That is not the case, however. He actually utilizes his Company B email to do all this business that concerns Company A, and it had been going on for so long that everybody had become desensitized to the fact that that's what he was doing, and it was the norm, right? So being that that is the case, any time they receive something from his Company B email nobody thought anything about it; it was normal in their eyes. Is this on still, both of them? I think... we'll be right back, guys. Okay, what about now? I'm back. Okay, if you're watching this two weeks from now, I apologize, I didn't say anything important, so don't worry.

Yeah, so they're used to this, nobody thinks anything about it, because homeboy's been doing it for a long time. So painting this story some more, there was a day, early February, this is about seven months, eight months, something like that, old at this point, there was a day where buddy, utilizing his Company B address, sent a number of emails to Company A, and as we get to the end we'll talk about why some of this stuff was bad outside of some of the obvious, right? And some of those emails he sent to individuals in Company A; well, it was the same email, but he sent it to 180 individual email addresses, and then he sent it to 40 distribution lists. Can anyone guess how many distribution lists were in this organization? Yes, there were 40. So we're talking anything from, you know, IT support with a couple of folks in there, to the budget group, to organization-wide email addresses, right, or distro lists, right? So cool, they get it. This guy is a very senior person in Company A, nobody thinks anything about it, they open it up, and that's where stuff starts to get really a little bit shady.

So what are some of those things? Well, actually, let's talk about the email some. Both Company A and Company B, they're M365 organizations, two different tenants. So in this case, to bypass the email filters which they had, which were not optimally configured, which is also a different story for later in the talk, he was sending essentially encrypted messages in Outlook, or O365, or M365 rather, protected messages. So when received, and you have to forgive all my redaction where I tried to go back in and add Company A, Company B, when received they see something like this, right? This email: you've been sent something, it's protected, it's encrypted, you need to be able to open it, and for you to do so you need to click the "Read the message" button. Normally that photo is there, right, in that red box, and when you do that you're going to have an option: you can either (a) authenticate utilizing your M365 account for the email that it was sent to, or (b) you can request a one-time password. So in this case, most people, all people actually, during the investigation requested one-time passwords, right? So this is the screen that they would see, nothing really special. They get that one-time password, again they're going to put that in, because at this point, you know, John Bob meant to send this to me, or John Doe rather, right? If it was bad, somebody would have stopped it before it got to me, so since it made it to me I'm going to actually do what it needs to do and I'm going to open this up. So when they finally decrypt the message, this is what they see, right? And you may or may not be able to see, actually maybe you can, but circled in red there it talks about this message being sent from, again, Company A, because it contains particularly sensitive information. At this point most people are curious, but they still think it's for them, because again this is normal activity in some respect. So for them to access it they actually need to click in that little window there. Now it looks interesting, because you'll see that in the bottom left-hand corner there is what appears to be like a Word document. It's a static photo; it's not even tied to the actual message, right? It's more to draw in the person. So they're going to click on it, and again, still bypassing filters, it takes them here, right? And you may or may not be able to see, but in the URL bar it says something like PandaDoc, right, and then we get a little message in the middle of the screen, and if you can't see that message, actually you probably can, but if you can't, you'll see that that document no longer exists.

So, you know, PandaDoc. What is PandaDoc? Anybody know what PandaDoc is? I'm sorry, let me sweeten the deal: I got a Black Hat Python book for anybody that knows what PandaDoc is. Yes sir. Close enough, here, come... actually I'll leave this over here for you. Good job. All right, so a little PandaDoc, right? It's a site used to create, share, track documents, right? So maybe I wanted to create an invoice; well, I could use PandaDoc, create it, and then send it, or send a link to them and have them go inside it, kind of like what we see in the bottom left-hand corner of those two photos. Or maybe I want to have a form where people are filling out information, or whatever the case. Most people, when they think of developing the form, they do it in Word and leave it as something that you can change. Okay, that's not you all, I know. Or you might use something like Adobe or whatever the case. PandaDoc is another method to be able to do that, and it's online, so that way you don't have to download it, send it, all the other good stuff. It's a great platform, right? They do great stuff, but people are loading documents that are laced with other things up there, right, all methods to bypass filters and things that are in place.

So cool, now that we've diverted from our originally programmed station, let's go back, right? Because now we see that that email, when decrypted, really is pointed to PandaDoc; that document no longer exists. Cool, so what do we do, right? And this is me pretty much throughout the day, actually. I typically have a pencil in my hand or something and I'm doodling and drawing, like ponies and stuff like that, all right, or playing tic-tac-toe by myself. Nonetheless, well, let's look at the data, right? You start looking at other things that we have on, you know, either known systems. There was like one or two people that self-reported, bless their heart, and then there was other people like, "nah, I didn't touch it," and I'm like, "it says right here you did." All right, so we start looking at the data, right, and looking at the data we see that this person, they actually received the email twice. They received it once because they're part of the managers group; they also received it again because they're part of payroll. And looking at the timestamps, they're fairly close to each other, roughly within a minute, all right, which, homeboy did not try to really stagger it out, he kind of just launched at will. Now from there we see a number of things that talk to O365, well, because this is him interacting with the message, going through that process to be able to decrypt it, but nonetheless ultimately we see where the person went to PandaDoc, and when we're following the chain, as we have available evidence, we see shortly after that that they're going to a site that's redacted now but looks kind of weird: office365 of dictation updation, right? I tried to look at one of the YouTube videos and make sure I was saying it right, because, you know, I wanna say it right, but nonetheless it looked weird. So it's like, well, what is this? We'll go check it out, right? And you would guess that by this time that site no longer... what, the site existed, however that page no longer existed, right? All this activity was happening on February 4th, roughly about two-something local EST, if you will, and then by the time we got involved it was middle to late February, all right? So this campaign, this piece of the campaign, had already subsided and homeboy had moved on to the next part. Cool, so it doesn't exist. We're a little bit further ahead; we go back to the dry erase board, I finished my game of tic-tac-toe by myself at this point, and then what else can we do? Well, there's this site called urlscan. Actually, let's go back. Anybody know what urlscan is? Let's sweeten the question here, I got a, let's see here, I got a smart keylogger, a Key Croc. Anybody know what urlscan is?

Yes.

That's for you, good job. I didn't mean to cut you off; you were absolutely right, I just didn't want you to go in a different direction that would make you absolutely wrong. All right, so cool, so you know urlscan. Now this isn't what, you know, my team and I use as our full source, right, but just like the organizations you work in, there's some things that you use that are publicly available, and then there are some things that are some secret sauce that you use internally, right? So I want to give you the piece that you can use today, not telling you what we use that you can't have access to or you'll never see, right? That doesn't make any sense and it does nothing good for you. So anyway, urlscan, developed 2016, a service certainly that we can scan sites with and do some analysis, all in an automated fashion, free in nature; however, there's some restrictions associated with the free version, if you will, and there's a commercially available aspect of this as well. It captures things like domains and IPs and the resources. I think one of the big things that it does that's super helpful for us is it captures a screenshot of that page for us, all right? So the other thing associated with it is, if deemed malicious, there'll be a thing up there that says malicious. Now I'm not going to take that to full heart; however, it could be helpful, but certainly not a smoking gun. So given that, we tried to look at the URL in this platform, and luckily, as luck would have it, somebody had already submitted this URL earlier. Now, earlier in my slides I think it was somewhere around like 2:25, right, which would have been like 7:25 UTC; that's about the point where those emails started to go out in the organization. Well, almost at eight o'clock UTC that same day, somebody had submitted the URL. The site, or excuse me, the document on PandaDoc was still up, so they were able to get a screenshot of it, all right? So we see the URL associated with the PandaDoc piece with the URI, we also see that timestamp showing when somebody submitted it, and then in the bottom right-hand corner we see a screenshot of the data that was being housed at that time. Now mind you, when my team and I go out there it no longer exists at this moment; however, we know as of roughly eight o'clock on that day it still existed. And it's cool, now we see this screenshot, and, you know, we're like, well, what is that? It obviously looks different than that other image that I showed you, because again it had nothing to do with it, but when we start to blow that up we see this, right: "you received two documents," really some other data that doesn't really mean anything, but if you're a user you're like, "oh okay, yeah, it's John Doe sending me a document," we're used to him doing random stuff or whatever. So this is still, for us, now in the top left-hand corner there's a piece where the document actually depicts who it was generated by, and if you can't see that, it says John Doe because I wrote it, but it says the actual person's name who we're already tracking, if you will. So cool, now we're a little bit further ahead. We see that the person's using encrypted messages, they're using PandaDoc; from PandaDoc, some way, it is making its way to that one site that's redacted, office365. So we still have a little bit more to go.

Now looking back at that main PandaDoc piece, where we have highlighted up top the URL and the time, there's also a category where it will retrieve the links. So at the time that the page was submitted, roughly about eight o'clock, and it still existed, the links associated with that PandaDoc document actually went to a site that's also redacted that has essentially almost the same URI, right, different site, same URI, or excuse me, sorry, the same site that we saw in the logs, right? So cool, we see how the system got from Office 365, PandaDoc, to that O365 URI. We now can tie how it made it there: well, somehow, some way, in that PandaDoc document it linked there. We don't have the actual PandaDoc document to be able to fully confirm that analysis; however, at the time of this submission, the link had a link pointed to it. All right, cool. Well, let's go out there. As you recall, a couple of slides ago we did try to go out there and it didn't exist. Now there's a couple of methods we could utilize to try to see what existed at that time, but for the sake of what we're doing now, let's say that none of those methods work.

So we look at it from another perspective, where we're looking at what else was pointed to that one site that no longer existed, not the PandaDoc site, the other site that no longer existed, the O365 one, and then reversing that, we found a different PandaDoc link that was pointed to it. And what do we know? It was actually submitted at nine o'clock on the same day, right? So this guy is very active that day. He's not reusing certain domains and stuff, but his TTPs are not shifting. So now that we kind of figured that out, and guess what, it too has the same document. So he's uploaded two different PandaDoc documents and both of them pointed to similar sites, if not the same site. Now from this perspective, we recognize this guy is still active even though we're coming in a couple weeks after the fact, and we have yet a different PandaDoc link. It costs them nothing, right? They use the free version, they create a document, they lace it, and then they're good to go. If it stays up there an hour and gets 20 people, cool; if it stays longer, cool as well. Now here, right, nine o'clock, we see the links, and this link that is actually redirected to is different from the very first one, but the tactic is still the same, just off of the URI, if you will. But guess what, when we look at that actual site, it was still up, so we're able to see something that we didn't have the ability to see before: what is actually being housed there. And you would guess it, it's a fake O365 login, right? Now the other aspect to this is what's behind it looks kind of blurred out, and you may be thinking, or some people thought, well, if I log in I'll be able to see the real data, right? This is a lot to go through for John Doe, the guy that works at your organization, maybe a little bit senior up, like it's a chase, if you will. Nonetheless, looking at it, I was very interested in, like, well, what is it that's blurred out? Not like it was really going to show it to me for real, but it's like "created tax invoice, no payment schedule." It's like, all right, well, that's kind of interesting, but at this point it's certainly phishing, right? PandaDoc to a random site that was likely compromised that's now housing this data that's going to harvest and collect credentials.

Super interested in the method in which it does so, I go to log in with my email, of course TomTom at outlook.com, and that's what's happening on the left-hand side. On the right-hand side I fire up Burp, we intercept that traffic, and I want to see what's actually being sent. So in doing so, logging in as this TomTom, we see the URI, and essentially it's a POST request that's being done, and down at the bottom I see that my creds are being posted to another URI called next.php. We see that at the top and one highlighted in red, or circled in red. Okay, so dude's harvesting creds, okay, got it. Now I'm really interested, because we want to know how does this full thing work, how does this ecosystem of sorts continue? Well, aside from grabbing those creds, he sends it to this next.php. We look at the page source, right, and it's JavaScript in there. So really looking at a couple of things highlighted here, and I can barely see from up here so let me go over here. The first one, we see that they're returning things like the position of the @ sign, and then they're coming through and they're trying to essentially split the domain versus the username, and then coming through and trying to get the actual domain name. And what's interesting here is you got this base64 piece, right? So decoding that, that actually decodes to next.php. It's like, oh okay, well, we already know that's going to be important here in a second. And then, you know, noting the actual email supplied by the user and the password associated with it, we then see that the email and the user information is being stored to a new variable, and then, you know, we have some regex here. This is looking for an actual email address, looking in that specific format, and then we're checking to see if anything was received in the actual field. So somebody made it to that front O365 page: did they actually put any credentials in? From there, trying to check if the credentials that were supplied actually fit the structure of an email, or at least the username, and then lastly checking to see if a password was input. Now, this code, it's kind of interesting, because what I didn't have highlighted here, and there's another screen with some more stuff, homeboy is like writing but he's commenting out code, and then there's a spot in here, a number of spots, where he's got things misspelled. He doesn't care, because it works, all right? So from this perspective, same thing where he's doing some slicing associated with the domain, and then what's interesting here, this third one I have highlighted, is no matter what username and password you put in the first time, it's going to error out saying it's incorrect, and then, well, somebody's natural reaction, excuse me, somebody's natural reaction is, "oh well, let me put it in again," and after you put it in again it's going to error out, but at that point it's then going to redirect you to the real logon page. If you put in nando at outlook.com twice, after that it would then redirect you to the real Outlook page, right? So he's trying to harvest, he or she is trying to harvest, credentials of the same user, either from the perspective to do a confirmation or in case they try to log on with two different accounts, and that's what's happening on this fourth one as well. All right, so, you know, not very... you would think it would be more than this, but I was trying to find the misspelling in there; it's like "verify" without a "y" is one of them that comes up.

But so that's next... or excuse me, so that's the main JavaScript, and we note in there that there was base64 that talked about next.php. Well, here's the next.php. For any actor that's out there, you've got to secure your infrastructure, right? Like, we shouldn't be able to get this far in your stuff. But nonetheless, next.php receives those credentials, and then you'll see that there's an include statement, this is PHP at this point, where it's going to essentially read in, make available, email.php, and this is going to be on the server side. email.php is going to contain the actual email address to send said credentials to. The other thing it's going to actually send is not only the credentials but the IP address associated with the machine on which the user attempted to, quote unquote, log in, if you will. It then tries to get the geolocation of that IP, and it utilizes a built-in function of PHP, mail, essentially to then mail those credentials. So I couldn't get to the next piece, the email.php, or I couldn't get to the point where I could get it into the brief, but nonetheless, looking back and really highlighting this full timeline, right: encrypted emails are sent, emails are decrypted, the PandaDoc URL is visited, whatever site of their choosing that's laced in that PandaDoc document is then having that user redirected to it, the user is inputting their creds, those creds are harvested and sent off.

So looking at this, right, we talk about, and hopefully you went to David's talk earlier, right, but the Pyramid of Pain: changing things like the IP addresses or the websites, the domains, essentially, in which they're forwarding that information, or the PandaDoc document, all that stuff is easy, right? Really what's not changing with homeboy, and I like to call them homeboy, is the TTPs. His TTPs remain, and he or she, well, you guessed it right, they're still doing it today. But at the time we were able to tie back, and then we stopped at this point because it became not even fun, a number of sites tied to this actor, right, a subset of actors, right, and a lot of it was based upon redirection from PandaDoc, because there's a lot of that going on, but they're utilizing the same URI, and then the identical web page was the same as well. Every now and then we would find small deviations, but ultimately it would tie back to what we would assess is the same actor. Here's a number of roughly 12 to 15 sites that were the same at the time, and there's no shortage of them, and really within the last two weeks they're still up to these antics, right? So we see that site there, and this was roughly two weeks ago. So this hasn't changed; it's not going to change, because it continues to work. We've had conversations with PandaDoc. They're very forthcoming and certainly a great organization, but, you know, they're working through some things as well, and this is going to continue to be a tactic that's going to be used.

So knowing that this is still being used today, you know, what are some things that could have helped, you know, maybe that organization at the time? This is not an all-inclusive list of things to do to, you know, prevent phishing. I'm only speaking to that organization at that time in that space, and what we were brought in to really address, right? Education is education is education; that's always going to be number one. However, you might not have noticed, in one of the screenshots they have Proofpoint; that was their email filtering platform. It was implemented in such a way almost like a firewall that's turned on but doesn't have any rules applied, right? So if they were being inspected they might have passed: "I have an email filtering platform," but it wasn't actually doing anything. So optimal configuration was needed, validation, and even then there's some concern that it may not have picked up the first piece but possibly would have picked up other aspects. While Company B, they're not tied to the investigation that we were brought in to do, that's a different tenant, that's a different organization, so really how did they get their initial compromise? I don't know, it could be one of a million things. However, being that that is a different tenant, it's an M365 tenant, I would assess that that initial compromise was through that tenant. I'd also assess that it probably was a spray-and-pray; don't know for real, but things like Azure Active Directory password protection, right, having things like that enabled, and the organization that we were investigating, they did not have that enabled. If you're not familiar with that, that really starts to prevent the use of weak passwords. Spray-and-pray could still work, but let's not make it easy where it's like "password one two three" or like seasons and things of that nature. The organization, as noted, they allowed any and everybody to send emails to their organization-wide distro lists from the outside. Should not happen, right? And when we look at it, they were in such a place where there was lots of room for opportunity, right? So as we could see, it's a bad example to be able to do that. Now I get it, maybe individual email, or excuse me, distro lists with a smaller number of people, but not allowing somebody from the outside to send an email that can reach the whole organization, so certainly recommend against that. MFA, can't say that enough; even though there's certain issues with it, they did not have MFA enabled, and then as we were leaving we recommended that they do MFA, and they were allowing MFA registration from anywhere, right? So we've seen in the past where an actor is already in the network, the organization seeks to enable MFA, and the actor just, you know, registers MFA from their own space or somewhere else out in the world, so you really didn't impact them, because they still have access. So when this organization was seeking to enable MFA based upon the recommendation, certainly we want them to enable it and have people register from their own trusted IP space. There are some concerns there, but let's lessen the attack surface associated with it. And given that, that really brings me to the end of what I have. I'll have this brief up sometime today. If you want to chat, there's my email. I do some coding every now and then, there's my GitHub, and if you want to just connect, there I am. But if there's any questions I'll take one or two; if not, I'll hang around for a little bit.

Yeah, so good question. The question was, did MFA resolve the issue? So we were only focused on the one organization that was receiving the emails, not the organization that was sending them. The MFA piece, although, the organization that was receiving it, it wouldn't have made any difference; however, we certainly would recommend it in case somebody did complete the full process of going to that site, supplying their credentials, now allowing a potential actor to get back in that network. We would certainly want to have something in place where MFA would have at least triggered and made it a little bit more difficult. I also note MFA because I feel fairly confident that the organization in which the emails originated from did not have something like that in place. Again, I won't say that's a full, you know, feature that will stop everything, but any little speed bump we can put in place that could potentially illuminate and highlight, you know, malicious activity is great. So hopefully that answers your question. Yes?

Correct, yeah, so good point. So because he was only using the affected, uh, organization's tenant, the one that was impacted, his account had been disabled for some time because of lack of use, and at the time of the investigation it was still disabled.

Yeah, yeah, very good question. So, you know, in my day job as an incident responder, I respond to an incident, I tell you what happened, I write a report, and then I move on to the next one. So there's some organizations that literally don't have the right people in place to understand; they're told to go to the cloud because it's cost effective, and as long as it works they think they're good, right? And then there's other organizations where there's competing requirements and there's funding or, you know, something else that's impeding, or they're going to get to it in the next quarter. All right, so there's always a chance that organizations are taken. There's also a group of people who have some technology that could illuminate some of this activity, but they don't have the necessary checks and balances in place to highlight when that technology is no longer in place and working. Case in point: you might have some type of endpoint solution agent that's on all your machines. If that thing stops checking in, not having the ability to identify that it stopped checking in and investigate it is just as bad as essentially it not being there from the very beginning, which we see actors get on there and disable endpoint security solutions all the time. Sir?

I think it depends on the situation. Um, so rewriting to then, you know, funnel it through some other platform, I think is certainly useful. Uh, in this case they were like bare bones; they were one of these organizations where they were told to go to the cloud, the cloud admin is like the network admin, is, you know, somebody else. But yeah, I think certainly the URL rewrites, there's a time and place for it, for sure.

That's fair. I could see that approach almost like a young child, right? Like, I could educate them and say don't touch the stove, but I need to have preventive measures in place to ensure that they don't get to the stove. Problem with that is our technology will have gaps as well, so it's sometimes like the chicken and egg. I certainly agree with, you know, that as an approach as well; maybe both of them are just as equally important. I appreciate that thought, sir. Last one.

Yeah, so if I think I understand, um, we were talking about setting up MFA with geolocation or geofencing, to where...

[inaudible]

Well, I mean, you could do it by IP subnet to say, you know, company trusted space, as opposed to it, you know, pushing, or actually don't use push, but, uh, retrieve it, if you will, from a different, uh, IP space. Yeah, there's a couple of things that could be done.

Yeah, yeah, absolutely, yes. And I wouldn't use push, right? I mean, we've just seen in the last two weeks, uh, another example where, uh, pushing it could be bad. But yeah, to your point, uh, there's a method to not necessarily say, you know, this location per se, but you can lower it down to IP space that would put it in an otherwise trusted IP space.

I would want them in the internal subnet space, and where applicable, if you can see them, that's cool. But in this day and age that's going to be much harder. But if they're VPN'd into internal space, that's a method as well. Yeah, yeah, good questions. Okay, all right everybody, thanks for joining, certainly appreciate it.
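Two of the tenant-side controls the talk recommends (no outside senders to organization-wide distribution lists, and MFA registration only from trusted IP space) as an added PowerShell example; this is not code from the talk or from Mandiant, PandaDoc or Microsoft. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, an admin session, that the office and VPN egress ranges are already defined as trusted named locations in Azure AD, and a placeholder break-glass account object id.

```powershell
# Added example: two M365 tenant hardening steps discussed in the talk.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed
# and that trusted office/VPN egress ranges already exist as trusted named locations.

# --- 1. Stop outside senders reaching organization-wide distribution lists ---
Connect-ExchangeOnline

# Report every distribution group that still accepts mail from unauthenticated
# (external) senders; review this list before changing anything.
$openGroups = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled }
$openGroups | Select-Object DisplayName, PrimarySmtpAddress | Format-Table -AutoSize

# Require authenticated (internal) senders on each of them. Groups that must
# legitimately receive external mail (a support@ alias, say) should be exempted here.
foreach ($g in $openGroups) {
    Set-DistributionGroup -Identity $g.Identity -RequireSenderAuthenticationEnabled $true
}

# --- 2. Only allow MFA (security info) registration from trusted IP space ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block MFA registration outside trusted locations"
    # Report-only first: review the sign-in logs for would-be blocks before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: object id of an emergency-access account, so it is never locked out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # The user action of registering security info is what is controlled, not an app.
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Microsoft 365 Groups are not returned by Get-DistributionGroup; check and set them separately with Get-UnifiedGroup and Set-UnifiedGroup -RequireSenderAuthenticationEnabled.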