WEBVTT

NOTE Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)

00:00:30.206 --> 00:00:37.260
Hello and good evening on day two of the Chaos Communication Camp 2023

00:00:37.260 --> 00:00:42.187
it's late in the evening, this is the Milliways stage in case you're wondering

00:00:42.230 --> 00:00:48.176
and the next talk is going to be about incident report responses

00:00:48.476 --> 00:00:59.520
so if you're curious about how to even get there to have an incident response, how you could prepare for an incident response and how you could support a new organization

00:00:59.520 --> 00:01:07.258
the incident response team in doing the job and trying to fix whatever broke

00:01:07.258 --> 00:01:11.677
let's put it that way, we have the right talk for you

00:01:11.677 --> 00:01:17.352
this is stories from the life of an incident from incident responders Harry and Chris

00:01:17.352 --> 00:01:23.500
please a very warm round of applause [Applause]

00:01:28.925 --> 00:01:36.675
so, good evening and thank you for joining us today, we will tell you a little bit of our

00:01:36.675 --> 00:01:43.664
life as incident responders, and I'm Chris, I did my computer science

00:01:43.664 --> 00:01:48.784
studies at the University of Erlangen and Nuremberg, I do this security stuff for

00:01:48.784 --> 00:01:55.394
over 10 years now, so my CV is a little bit longer, at the moment I'm a detection

00:01:55.415 --> 00:02:01.425
engineer, before that I was a long time working in DFIR, so digital forensics and incident

00:02:01.425 --> 00:02:06.062
response in different organizations, and

00:02:07.411 --> 00:02:12.388
yeah, I'm Harry, I studied electrical and computer engineering at RWTH

00:02:12.395 --> 00:02:18.165
University and I played a lot of CTF and did some hacking stuff at Chaos Computer Club RWTH

00:02:18.165 --> 00:02:24.523
during my masters I worked at X41 D-Sec doing pen testing, patch analysis

00:02:24.589 --> 00:02:32.359
so I also have some kind of offensive security background, for around one year now I'm working at G DATA Advanced

00:02:32.359 --> 00:02:36.619
Analytics doing digital forensics and incident handling

00:02:38.080 --> 00:02:45.390
first Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks

00:02:45.390 --> 00:02:51.097
like, and in the second part of the talk I will tell you how the incident

00:02:51.097 --> 00:02:58.167
responders work and what you can do in advance to make it go as smooth as possible and support the incident

00:02:58.167 --> 00:03:05.035
response team. So as Harry told you, I will probably

00:03:05.035 --> 00:03:12.290
we'll talk about ransomware, because the customers we usually have are small and

00:03:12.290 --> 00:03:17.543
medium-sized businesses, universities and hospitals, and those are regularly

00:03:17.543 --> 00:03:23.268
unfortunately regularly hit by

00:03:24.017 --> 00:03:29.557
ransomware gangs. The main reason for this, and that's, if you heard the last

00:03:29.557 --> 00:03:35.096
talk, why they are maybe not that responsive

00:03:35.096 --> 00:03:42.058
and are not so interested in, they just lack the resources, so the manpower to do

00:03:42.058 --> 00:03:48.424
proper security measurements to secure their systems, especially in

00:03:48.424 --> 00:03:53.618
situations where you are for example in a hospital, have medical devices

00:03:53.618 --> 00:03:59.378
where you cannot simply install an AV on or even patch the system

00:03:59.378 --> 00:04:07.321
because you lose the certification as a medical device then, but also in

00:04:07.321 --> 00:04:12.953
companies, manufacturing companies, on the shop floor we're talking about systems

00:04:12.953 --> 00:04:21.292
that have run times of 25 plus years, so if you look back now, 2023,

00:04:21.292 --> 00:04:26.823
we're talking about XP and older systems. Fun fact, I was in a ransomware case and

00:04:26.823 --> 00:04:34.230
WannaCry in 2017 when I got a call from a person from the shop floor

00:04:34.230 --> 00:04:38.000
asking me if we have an NT4 expert

00:04:40.200 --> 00:04:47.380
that can tell us if WannaCry is affecting NT4, of course you don't need

00:04:47.380 --> 00:04:54.071
to be an expert for NT4, WannaCry is of course not affecting NT4

00:04:54.071 --> 00:04:59.602
systems. So due to the time slot we thought

00:04:59.602 --> 00:05:04.915
memes are the best way to tell you those stories, and we have a lot of them

00:05:06.453 --> 00:05:12.822
so in the first section I tell you a little bit of how an attack works

00:05:12.822 --> 00:05:21.062
there are a lot of different possibilities how you can describe and how to structure how an attack works

00:05:22.257 --> 00:05:28.993
there's the MITRE ATT&CK framework for example, there was for example a talk yesterday by Maker Salko

00:05:28.993 --> 00:05:34.854
here on the stage, there's the original Cyber Kill Chain from Lockheed Martin, you have

00:05:37.190 --> 00:05:42.480
stuff from companies like Mandiant and their Targeted Attack Lifecycle, but

00:05:42.480 --> 00:05:47.550
that's all in my opinion too fine-grained, that's the reason I

00:05:47.550 --> 00:05:53.275
just take three simple steps, yeah: get a foothold in the door,

00:05:53.275 --> 00:06:00.645
look, move, play around, and cash out. Those three I will just go over

00:06:03.141 --> 00:06:07.835
so start with get a foot in the door, so normally we

00:06:07.835 --> 00:06:14.756
see three ways how attackers can get into the environment in the ransomware

00:06:14.756 --> 00:06:20.655
cases: you have vulnerabilities in remote internet facing systems, you

00:06:20.655 --> 00:06:25.875
have the remote services itself, and you have malware

00:06:26.712 --> 00:06:35.507
starting with the vulnerabilities, and I just looked up the last four

00:06:35.507 --> 00:06:42.060
years, and maybe somebody remembers NetScaler, the so-called Citrix

00:06:42.060 --> 00:06:49.789
vulnerability in December 2019, it was released mid of 2019,

00:06:49.789 --> 00:06:55.889
December 2019, the first publicly available POC was in beginning of

00:06:55.889 --> 00:07:03.293
January and the patch was available in middle of January, so there was around one week to one and a half weeks between

00:07:03.293 --> 00:07:10.494
a public proof of concept for the vulnerability and a patch for the vulnerability, and what we saw

00:07:10.494 --> 00:07:17.194
during 2020, a lot of companies patched but the patch didn't remove the

00:07:17.194 --> 00:07:25.469
compromise, so they were already compromised and yeah, with the patch they

00:07:25.469 --> 00:07:31.114
didn't remove the compromise. So what we found, what we could provably

00:07:31.114 --> 00:07:36.184
see or prove evidence for, was nine

00:07:36.184 --> 00:07:42.286
months, a customer was breached after nine months using this vulnerability

00:07:43.176 --> 00:07:51.434
and we had other customers where we could see that the NetScaler was affected after two years, but we couldn't

00:07:51.434 --> 00:08:00.073
prove that this compromise was the reason for the actual ransomware case

00:08:00.275 --> 00:08:04.914
and of course such vulnerabilities happen not that often

00:08:06.295 --> 00:08:13.035
yeah, so 2021 gave us Hafnium, Exchange

00:08:13.035 --> 00:08:18.736
vulnerability, also a similar situation, the patch

00:08:18.736 --> 00:08:25.406
appeared as an out-of-band patch from Microsoft on a Tuesday evening, 10 o'clock in German time

00:08:26.479 --> 00:08:32.529
we saw during our incidents or the assessments we did that

00:08:34.476 --> 00:08:41.516
the first exploitation attempts were seen on Wednesday in the morning at

00:08:41.516 --> 00:08:50.308
5:00 am, so around seven, eight hours later. I know one guy who could patch

00:08:50.308 --> 00:08:56.691
because he was online when the patch was released, otherwise Germany was unable to patch in

00:08:56.691 --> 00:09:04.149
time, and of course we can go on with 2021, ProxyShell, also an

00:09:04.149 --> 00:09:10.039
Exchange vulnerability, ProxyNotShell, also an Exchange vulnerability

00:09:10.039 --> 00:09:16.367
we have in 2022 VMware Horizon, the virtual desktop infrastructure

00:09:16.367 --> 00:09:23.627
from VMware, just to name also open source stuff, Zimbra, a collaboration platform

00:09:23.627 --> 00:09:28.922
including an email server, has had a vulnerability, actually the vulnerability

00:09:28.922 --> 00:09:34.675
was in cpio from 2015 I think, which led

00:09:34.675 --> 00:09:40.164
to a compromise via email, so you send an email

00:09:40.164 --> 00:09:48.387
with a cpio, with a specially crafted archive file, and you could drop a web

00:09:48.387 --> 00:09:55.947
shell in one of the directories. Yeah, you have of course FortiOS, which is the

00:09:55.947 --> 00:10:02.069
FortiGate VPN and firewall operating system

00:10:03.220 --> 00:10:08.250
and if you read the news we start at the beginning again

00:10:08.251 --> 00:10:15.121
NetScaler had some issues several weeks ago, according to Fox-IT we have 1900

00:10:15.121 --> 00:10:21.545
still unpatched NetScalers worldwide, how many patched

00:10:22.393 --> 00:10:27.743
NetScalers exist that have not been checked for compromise we

00:10:27.743 --> 00:10:32.058
don't know of course, so that will be a nice year probably

00:10:33.728 --> 00:10:41.564
so what can you do against this kind of attack vector? Patch your systems is one thing, as you

00:10:41.810 --> 00:10:49.378
see, this doesn't lead to the... or what you need to do afterwards in

00:10:49.378 --> 00:10:57.354
such cases, you need to check your systems for possible compromise

00:10:57.354 --> 00:11:03.973
that is important. To reduce this I highly suggest put your

00:11:03.973 --> 00:11:11.583
services behind some VPN so that only people who already have a

00:11:11.583 --> 00:11:17.054
connection to the VPN can access your services or the services

00:11:17.054 --> 00:11:22.649
they need, and that would reduce the attack surface

00:11:22.649 --> 00:11:28.289
at least to the VPN server. So, but I

00:11:28.289 --> 00:11:32.996
of course we can also think about remote services without vulnerabilities

00:11:34.661 --> 00:11:41.591
there can be configuration mistakes, so the admin does something wrong, there can

00:11:41.591 --> 00:11:50.339
be insecure default configurations like this, I don't know if you know it, but the

00:11:50.339 --> 00:11:55.614
local admins or the administrators on the Windows system are

00:11:55.614 --> 00:12:02.101
automatically in the Remote Desktop Users group, you know, and so

00:12:02.101 --> 00:12:08.428
we had several cases, especially in the beginning of the pandemic when everybody moved to the home offices and

00:12:08.428 --> 00:12:15.545
they needed to put people fast in the position to access the

00:12:15.545 --> 00:12:22.125
internal systems again, they just put an RDP server on the internet and hope for the best

00:12:25.136 --> 00:12:29.767
additionally, if you put services on the internet, of course brute forcing and

00:12:29.767 --> 00:12:35.947
credential stuffing are attacks that are possible, so brute forcing, just trying the

00:12:37.115 --> 00:12:42.195
username and password combinations, credential stuffing, using already leaked

00:12:42.195 --> 00:12:47.636
passwords or credentials from leaks you find on the internet

00:12:48.536 --> 00:12:53.923
what you can do about this kind of attack vector is, just as I said, use

00:12:53.923 --> 00:13:00.912
multi-factor authentication and reduce the attack surface, as in the

00:13:00.912 --> 00:13:06.695
point with the vulnerabilities before, by moving the services behind a VPN and

00:13:06.695 --> 00:13:09.691
then use multi-factor authentication on the VPN of course

00:13:12.791 --> 00:13:18.141
the last vector that we see normally, that the attackers can get in the

00:13:18.141 --> 00:13:23.887
network, is malware, we all know this about

00:13:23.887 --> 00:13:28.658
those funny emails you get with the attachments

00:13:28.658 --> 00:13:35.031
that have either Word documents

00:13:35.031 --> 00:13:41.764
attached, either zip files with Visual Basic scripts, JavaScripts, and

00:13:41.764 --> 00:13:47.344
what you can get, ISOs you see a lot these days

00:13:48.850 --> 00:13:54.210
or what you can also have, that you can have just a link inside the email and

00:13:54.210 --> 00:14:01.901
you download the respective file from some shady file sharing website

00:14:03.381 --> 00:14:09.435
what we saw over the last year was USB sticks again, funnily

00:14:10.744 --> 00:14:16.484
I'm not sure if you have heard about Raspberry Robin, which is a malware that

00:14:16.484 --> 00:14:26.427
worms via USB sticks, but I haven't seen it as a vector for

00:14:27.234 --> 00:14:31.784
ransomware yet on my own, but there are people who said that it's

00:14:33.220 --> 00:14:37.770
an initial access broker for some of the ransomware gangs

00:14:38.734 --> 00:14:42.884
so what can you do about this, if you think the

00:14:45.169 --> 00:14:53.042
you can of course simply ban some file extensions in your mail server, or you

00:14:53.723 --> 00:15:00.953
change the file association types in your operating system, meaning that you

00:15:00.953 --> 00:15:06.274
don't open the JavaScript and Visual Basic script files using for example the

00:15:06.274 --> 00:15:11.610
Windows Scripting Host but open it with Notepad, and that will

00:15:11.610 --> 00:15:14.757
of course, some people will be

00:15:18.146 --> 00:15:23.006
some people will think about what this is then and ask the IT guys

00:15:23.006 --> 00:15:27.408
but it's better than running the script itself

00:15:28.260 --> 00:15:35.110
one thing, I don't like to say it, but keep your AV updated

00:15:35.547 --> 00:15:39.791
this is one thing, keep it updated and read the logs