Overview
As part of a simulated cybersecurity investigation, I worked on analyzing and mitigating a complex cyber attack targeting Haunted Company Inc., a credit reporting agency with operations in major financial hubs including New York, London, and Tokyo. The incident occurred days before the company’s IPO, posing a significant threat to its reputation and financial future. The attack included a website defacement and a compromise of their Tokyo server. Using various threat intelligence tools and techniques, I collaborated with other analysts to uncover the attacker’s identity, assess the breach mechanism, and propose detection and prevention measures.
Available External and Internal Threat Intelligence
- New York (External: Business Commonality): Report on the 2017 GenX Breach, a major cyber attack on a leading Credit Reporting Agency.
- London (Internal Intelligence: Adversary Analysis): Analysis report for Haunted Company Inc., including Asset-Threat Mapping and adversary analysis featuring FIN7, APT27, Twisted Spider, and TG-3390, all of which are known to target the finance sector.
- Tokyo (Cyber Activity Attribution): Malware analysis from the compromised server, providing critical insights into the tools used during the attack.
Tools Used
- ExifTool: For metadata extraction and analysis of files related to the attack.
- OfficeMalScanner: To analyze suspicious Microsoft Office documents for embedded malware and shellcode.
- CyberChef: To decode obfuscated data, extract strings, and analyze encoded payloads.
Indicator Of Compromise
The working folder contains the tools needed to investigate this cyberattack, plus two encoded test files that we need to decode for more information. Starting with README.txt:
This contains the scenario and a website link for more information.
DecodeME.txt
This file contains Base64 strings that we decode with CyberChef; then we visit the link provided in README.txt.
Decoding DecodeME.txt from Base64 gives us HTML code. Let's visit the link in README.txt.
The website asks us to paste the decoded text, so let's do that and see the outcome.
This decoded code was combined with the HTML code from the website to reconstruct a fully functional webpage. After submitting the combined code, a threat intelligence feed became available.
Step 4: Analyzing the Threat Intelligence Feed
The threat intelligence feed featured a map with three markers: New York, London, and Tokyo. Each marker represented intelligence reports relevant to the investigation. Clicking on the markers (bats) allowed us to download three separate files. However, the Tokyo IOC file was password-protected, which required additional effort to unlock. We will come back to that.
Regional Intelligence Analysis
Q1: The 2017 Breach
By analyzing the London Threat Report, we identified the 2017 GenX breach, in which GenX Finance, a US credit reporting agency, suffered a major data breach. This provided valuable context and insights into potential adversaries and vulnerabilities.
Q2) According to the data breach summary, one of their critical assets was compromised, and they later discovered a vulnerability in one of their public-facing applications. What type of weakness was exploited to breach their network? (Format: Axxxxxxxxxx Vxxxxxxxxxxxxx)
The breach exploited an Application Vulnerability (CVE-2017-5638) within Apache Struts, enabling attackers to perform Remote Code Execution (RCE).
Q3) How long did this breach go undetected? What was the Mean Time to Detect (MTTD)? (Format: XX days)
The breach remained undetected for 78 days, highlighting a need for reducing Mean Time to Detect (MTTD) in such scenarios.
Q4) What application was targeted by the attacker? What vulnerability was exploited, and where is this application located within the network? (Format: Xxxxxx Xxxxxx, CVE-XXXX-XXXX, XXXX)
The adversary targeted Apache Struts, CVE-2017-5638, ACIS, as revealed in the intelligence.
Q5) The attackers exfiltrated millions of records. How many consumer details were estimated to be exposed, and how was this data left from the premises and through which channel was the data exfiltrated? (Format: XXX Million, xxxxxxxxx)
The attackers exfiltrated 150 million consumer records. The data was removed via a Webshell, leveraging encrypted network traffic to evade detection.
Q6) Later, during the investigation, a flaw was discovered in their ACIS code rendering system. What were these flaws? (Format: XXX Xxxxxxxxx, Xxxxxxxx Xxxxxx Xxxxxx Xxxxxxxxx)
In the Incident Scope section, the ACIS code was noted to have several vulnerabilities, including IDOR and SQL Injection.
Q7) What file was inserted during the attack, and which country did the attack originate from? (Format: XXX, Xxxxx)
GenX observed a suspicious IP address owned by a German ISP but leased to a Chinese provider, so the country of origin is China; the file inserted during the attack was a JSP file, delivered through a SQL injection attack.
Q8) It is said that if a specific network security technique had been properly implemented, the attacker likely would have failed to accomplish their mission. What is this technique called? (Format: Nxxxxxx Sxxxxxxxxxxx)
The lack of Network Segmentation allowed the attackers to move laterally within the network, escalating the breach’s impact.
Q9) Adversary Analysis, this one group in particular as being involved in numerous attacks, including an attack on a medical research company during COVID-19. What is the name of this threat group (according to MITRE), what threat vector do they use, what is their country of origin, and what is their motivation? (Format: XXXX, Xxxxxxxxxx, Xxxxxx, Xxxxxxxxx)
Q9: Adversary Profile (FIN7)
FIN7, a Russian-speaking threat group, was identified as a financially motivated adversary. Known for ransomware and double extortion tactics, they had previously targeted high-profile entities.
Q10) Investigating the other threat group. What is the APT number assigned to this group? What is the name of the specific operation that involved dropping web shells on SharePoint servers? In what year was this group first observed, and what is their possible motivation? (Format: APTXX, XxxxxXxxxx Xxxxxx Xxxxxxxxxx, XXXX, Xxxxxxxxx)
Answer
APT27, also known as Threat Group 3390, was associated with this attack. Their campaigns involve intellectual property theft and espionage. One of their notable operations was the SharePoint Server Compromise, first observed in 2020.
Q11) Haunted Company Inc. in Tokyo is under cyber attack. Based on the IOCs that were provided (hint: BAT!), what attack vectors did the threat actor use? (Format: Sxxxxx Exxxxxxxxxx, Wxxxxxxx)
It's time to find the Tokyo IOC zip password; let's take a look at what we have.
Unlocking Tokyo IOC Files
Password Retrieval
The README.txt file hinted: “Look out for bats!” This led us to examine the Base64-decoded HTML code, where we discovered clickable bat images. Clicking on five of these bats revealed a downloadable image. Using ExifTool, we extracted the image’s metadata and found the password hidden in the Title tag. This password unlocked the Tokyo IOC archive.
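How a value hidden in an image's Title metadata can be recovered without ExifTool: an added example, not part of the original write-up, that builds a constructed PNG carrying a tEXt Title field (standing in for the downloaded bat image; the real image and password are not reproduced) and walks the chunk list to read it back, checking each chunk's CRC on the way.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk layout: 4-byte big-endian length, type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_fields: dict) -> bytes:
    """Constructed 1x1 RGB PNG with one tEXt chunk per metadata field (sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    raw = b"\x00\x00\x00\x00"  # one scanline: filter byte + a single black pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, value in text_fields.items():
        # tEXt body is keyword, NUL separator, Latin-1 text (what ExifTool shows as "Title")
        out += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    out += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return out


def png_text_metadata(data: bytes) -> dict:
    """Return every tEXt keyword/value pair in a PNG, refusing corrupted chunks."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    fields, pos = {}, len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            fields[key.decode("latin-1")] = value.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length
    return fields


def find_password(data: bytes, keyword: str = "Title"):
    """Pull the hidden value out of the metadata field the challenge used (Title)."""
    return png_text_metadata(data).get(keyword)
```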
File Analysis
The unlocked Tokyo IOC archive contained two files:
ASPX Webshell: This was identified as the ChinaChopper webshell, a tool frequently used by advanced threat groups for remote access and lateral movement.
Malicious RTF Document: Using OfficeMalScanner, we identified embedded shellcode designed for exploitation through phishing or social engineering.
Q12) One of the IOCs contains shellcode. Use a tool and review the output to identify the offset of the PEB (Process Environment Block). (Hint: Output + OSINT!) (Format: 0x..)
Using OfficeMalScanner, we analyzed the RTF document and retrieved the Process Environment Block (PEB) offset as 0x7ffd7000.
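The kind of static finding behind a "PEB access" report from a shellcode scanner, as an added example that is not from the original write-up or from OfficeMalScanner: it searches a constructed byte blob (not the RTF's real shellcode) for the x86 instruction encodings that read the PEB pointer from the TEB at fs:[0x30], which is the usual first step of position-independent code locating loaded modules.

```python
import re

# Constructed sample: NOP filler around two classic PEB-read encodings.
SAMPLE_BLOB = (
    b"\x90" * 8
    + b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[0x30]
    + b"\x8b\x40\x0c"                     # mov eax, [eax+0x0c]   (PEB->Ldr)
    + b"\x90" * 4
    + b"\x31\xc0\x64\x8b\x40\x30"         # xor eax,eax ; mov eax, fs:[eax+0x30]
    + b"\x90" * 8
)

# Each pattern is one way compilers/assemblers encode a read of fs:[0x30].
PEB_ACCESS_PATTERNS = {
    # 64 8B /r with mod=00 rm=101 (disp32): mov ecx/edx/ebx/esi/edi..., fs:[0x30]
    "mov r32, fs:[0x30]": re.compile(
        rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),
    # 64 A1 disp32: the short form for eax
    "mov eax, fs:[0x30]": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    # xor r,r then mov r, fs:[r+0x30]: avoids NUL bytes in the displacement
    "xor r32,r32; mov r32, fs:[r32+0x30]": re.compile(
        rb"\x31[\xc0-\xff]\x64\x8b[\x40-\x7f]\x30"),
}


def scan_for_peb_access(blob: bytes):
    """Return (offset, pattern name, hex bytes) for every PEB-read encoding found."""
    hits = []
    for name, pat in PEB_ACCESS_PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), name, m.group().hex()))
    return sorted(hits)


def has_peb_walk(blob: bytes) -> bool:
    """Coarse triage flag: any PEB read in a document payload deserves a closer look."""
    return bool(scan_for_peb_access(blob))


if __name__ == "__main__":
    for offset, name, raw in scan_for_peb_access(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {name:40s}  {raw}")
```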
Q13) Based on the intelligence gathered, which threat group was responsible for the cyberattack on Haunted Company Inc.? What is the name of the malware they used to compromise Tokyo’s infrastructure? (Hint: OSINT!) (Format: Xxxxxx Xxxxx-XXXX, XxxxxXxxxxxx)
First, I searched the RTF file's hash on VirusTotal, which reveals the CVE related to this exploit; we can also see that there are many community comments about this file.
Then we can see that this file is used by APT27.
Q14) It seems the attacker leveraged a weakness in Tokyo’s infrastructure. What is the latest CVE for this version that the threat actor exploited, and what type of attack was it? (Format: CVE-XXXX-XXXXX, XXX)