[Translated by Yang Li (ITKST56 course assignment at JYU.FI)]

1 00:00:30,206 --> 00:00:37,260 Hello and good evening on day two of the Chaos Communication Camp 2023,
2 00:00:37,260 --> 00:00:42,187 it's late in the evening, this is Milliways stage in case you're wondering,
3 00:00:42,230 --> 00:00:48,176 and the next talk is going to be about incident response.
4 00:00:48,476 --> 00:00:59,520 So if you're curious about how to even get there to have an incident response, how you could prepare for an incident response and how you could support, in your organization,
5 00:00:59,520 --> 00:01:07,258 the incident response team in doing the job and trying to fix whatever broke,
6 00:01:07,258 --> 00:01:11,677 let's put it that way, we have the right talk for you.
7 00:01:11,677 --> 00:01:17,352 This is "Stories from the life of an incident", from incident responders Harry and Chris.
8 00:01:17,352 --> 00:01:23,500 Please, a very warm round of applause. [Applause]
9 00:01:28,925 --> 00:01:36,675 So, good evening and thank you for joining us today. We will tell you a little bit of our
10 00:01:36,675 --> 00:01:43,664 life as incident responders. I'm Chris, I did my computer science
11 00:01:43,664 --> 00:01:48,784 studies at the University of Erlangen-Nuremberg. I do this security stuff for
12 00:01:48,784 --> 00:01:55,394 over 10 years now, so my CV is a little bit longer. At the moment I'm a detection
13 00:01:55,415 --> 00:02:01,425 engineer, before that I was a long time working in DFIR, so digital forensics and incident
14 00:02:01,425 --> 00:02:06,062 response, in different organizations, and
15 00:02:07,411 --> 00:02:12,388 yeah, I'm Harry, I studied electrical and computer engineering at RWTH
16 00:02:12,395 --> 00:02:18,165 University and I played a lot of CTF and did some hacking stuff at Chaos Computer Club RWTH.
17 00:02:18,165 --> 00:02:24,523 During my master's I worked at X41 D-Sec doing pen testing, patch analysis,
18 00:02:24,589 --> 00:02:32,359 so I also have some kind of offensive security background. For around one year now I'm working at G DATA Advanced
19 00:02:32,359 --> 00:02:36,619 Analytics doing digital forensics and incident handling.
20 00:02:38,080 --> 00:02:45,390 First Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks
21 00:02:45,390 --> 00:02:51,097 like, and in the second part of the talk I will tell you how the incident
22 00:02:51,097 --> 00:02:58,167 responders work and what you can do in advance to make it go as smooth as possible and support the incident
23 00:02:58,167 --> 00:03:05,035 response team. So as Harry told you, I will probably
24 00:03:05,035 --> 00:03:12,290 talk about ransomware because the customers we usually have are small and
25 00:03:12,290 --> 00:03:17,543 medium-sized businesses, universities and hospitals, and those are regularly,
26 00:03:17,543 --> 00:03:23,268 unfortunately regularly, hit by
27 00:03:24,017 --> 00:03:29,557 ransomware gangs. The main reason for this, and that's if you heard the last
28 00:03:29,557 --> 00:03:35,096 talk, why they are maybe not that responsive
29 00:03:35,096 --> 00:03:42,058 and are not so interested in it: they just lack the resources, so the manpower, to do
30 00:03:42,058 --> 00:03:48,424 proper security measures to secure their systems, especially in
31 00:03:48,424 --> 00:03:53,618 situations where you, for example in a hospital, have medical devices
32 00:03:53,618 --> 00:03:59,378 where you cannot simply install an AV on or even patch the system,
33 00:03:59,378 --> 00:04:07,321 because you lose the certification as a medical device then. But also in
34 00:04:07,321 --> 00:04:12,953 companies, manufacturing companies, on the shop floor we're talking about systems
35 00:04:12,953 --> 00:04:21,292 that have run times of 25 plus years, so if you look back now in 2023
36 00:04:21,292 --> 00:04:26,823 we're talking about XP and older systems. Fun fact, I was in a ransomware case and
37 00:04:26,823 --> 00:04:34,230 WannaCry in 2017 when I got a call from a person from the shop floor
38 00:04:34,230 --> 00:04:38,000 asking me if we have an NT4 expert
39 00:04:40,200 --> 00:04:47,380 that can tell us if WannaCry is affecting NT4. Of course you don't need
40 00:04:47,380 --> 00:04:54,071 to be an expert for NT4, this one requires, of course, not affecting NT4
41 00:04:54,071 --> 00:04:59,602 systems. So due to the time slot we thought
42 00:04:59,602 --> 00:05:04,915 memes are the best way to tell you those stories, and we have a lot of them.
43 00:05:06,453 --> 00:05:12,822 So in the first section I tell you a little bit of how an attack works.
44 00:05:12,822 --> 00:05:21,062 There are a lot of different possibilities how you can describe and how to structure how an attack works:
45 00:05:22,257 --> 00:05:28,993 there's the MITRE ATT&CK framework for example, there was for example a talk yesterday by Maker Salko
46 00:05:28,993 --> 00:05:34,854 here on the stage, there's the original cyber kill chain from Lockheed Martin, you have
47 00:05:37,190 --> 00:05:42,480 stuff from companies like Mandiant and their targeted attack life cycle, but
48 00:05:42,480 --> 00:05:47,550 that's all in my opinion too fine-grained. That's the reason I
49 00:05:47,550 --> 00:05:53,275 just take three simple steps, yeah: get a foothold in the door,
50 00:05:53,275 --> 00:06:00,645 look, move, play around, and cash out. Those three I will just go over.
51 00:06:03,141 --> 00:06:07,835 So start with "get a foot in the door". So normally we
52 00:06:07,835 --> 00:06:14,756 see three ways how attackers can get into the environment in the ransomware
53 00:06:14,756 --> 00:06:20,655 cases: you have vulnerabilities in remote, internet-facing systems, you
54 00:06:20,655 --> 00:06:25,875 have the remote services itself and you have malware.
55 00:06:26,712 --> 00:06:35,507 Starting with the vulnerabilities, I just looked up the last four
56 00:06:35,507 --> 00:06:42,060 years and maybe somebody remembers NetScaler, the so-called Citrix
57 00:06:42,060 --> 00:06:49,789 vulnerability in December 2019. It was released mid of 2019,
58 00:06:49,789 --> 00:06:55,889 December 2019, the first publicly available POC was in beginning of
59 00:06:55,889 --> 00:07:03,293 January and the patch was available in middle of January, so there was around one week to one and a half weeks between
60 00:07:03,293 --> 00:07:10,494 a public proof of concept for the vulnerability and a patch for the vulnerability. And what we saw
61 00:07:10,494 --> 00:07:17,194 during 2020: a lot of companies patched, but the patch didn't remove the
62 00:07:17,194 --> 00:07:25,469 compromise, so they were already compromised and, yeah, with the patch they
63 00:07:25,469 --> 00:07:31,114 didn't remove the compromise. So what we found, what we could provably
64 00:07:31,114 --> 00:07:36,184 see or prove evidence for, was nine
65 00:07:36,184 --> 00:07:42,286 months: a customer was breached after nine months using this vulnerability,
66 00:07:43,176 --> 00:07:51,434 and we had other customers where we could see that the NetScaler was affected after two years, but we couldn't
67 00:07:51,434 --> 00:08:00,073 prove that this compromise was the reason for the actual ransomware case.
68 00:08:00,275 --> 00:08:04,914 And of course such vulnerabilities happen not that often.
69 00:08:06,295 --> 00:08:13,035 Yeah, so 2021 gave us Hafnium, Exchange
70 00:08:13,035 --> 00:08:18,736 vulnerability, also a similar situation. The patch
71 00:08:18,736 --> 00:08:25,406 appeared as an out-of-band patch from Microsoft on a Tuesday evening, 10 o'clock in German time.
72 00:08:26,479 --> 00:08:32,529 We saw during our incidents or the assessments we did that
73 00:08:34,476 --> 00:08:41,516 the first exploitation attempts were seen on Wednesday in the morning at
74 00:08:41,516 --> 00:08:50,308 5:00 am, so around seven, eight hours later. I know one guy who could patch
75 00:08:50,308 --> 00:08:56,691 because he was online when the patch was released, otherwise Germany was unable to patch in
76 00:08:56,691 --> 00:09:04,149 time. And of course we can go on with 2021: ProxyShell, also
77 00:09:04,149 --> 00:09:10,039 Exchange vulnerability, ProxyNotShell, also Exchange vulnerability.
78 00:09:10,039 --> 00:09:16,367 We have in 2022 VMware Horizon, the virtual desktop infrastructure
79 00:09:16,367 --> 00:09:23,627 from VMware. Just to name also open source stuff: Zimbra, a collaboration platform
80 00:09:23,627 --> 00:09:28,922 including an email server, has had a vulnerability, actually the vulnerability
81 00:09:28,922 --> 00:09:34,675 was in cpio from 2015 I think, which led
82 00:09:34,675 --> 00:09:40,164 to a compromise via email. So you send an email
83 00:09:40,164 --> 00:09:48,387 with a cpio, with a specially crafted archive file, and you could drop a web
84 00:09:48,387 --> 00:09:55,947 shell in one of the directories. Yeah, you have of course FortiOS, which is a
85 00:09:55,947 --> 00:10:02,069 FortiGate VPN and firewall operating system,
86 00:10:03,220 --> 00:10:08,250 and if you read the news, we start at the beginning again:
87 00:10:08,251 --> 00:10:15,121 NetScaler had some issues several weeks ago. According to Fox-IT we have 1900
88 00:10:15,121 --> 00:10:21,545 still unpatched NetScalers worldwide. How many patched
89 00:10:22,393 --> 00:10:27,743 NetScalers exist that have not been checked for compromise we
90 00:10:27,743 --> 00:10:32,058 don't know, of course, so that will be a nice year probably.
91 00:10:33,728 --> 00:10:41,564 So what can you do against this kind of attack vector? Patch your systems is one thing, as you
92 00:10:41,810 --> 00:10:49,378 see, this doesn't lead to the, or what you need to do afterwards in
93 00:10:49,378 --> 00:10:57,354 such cases: you need to check your systems for possible compromise,
94 00:10:57,354 --> 00:11:03,973 that is important. To reduce this I highly suggest: put your
95 00:11:03,973 --> 00:11:11,583 services behind some VPN so that only people who already have
96 00:11:11,583 --> 00:11:17,054 connection to the VPN can access your services or the services
97 00:11:17,054 --> 00:11:22,649 they need, and that would reduce the attack surface
98 00:11:22,649 --> 00:11:28,289 at least to the VPN server. So, but I,
99 00:11:28,289 --> 00:11:32,996 of course we can also think about remote services without vulnerabilities.
100 00:11:34,661 --> 00:11:41,591 There can be configuration mistakes, so the admin does something wrong, there can
101 00:11:41,591 --> 00:11:50,339 be insecure default configurations like this, I don't know if you know it, but the
102 00:11:50,339 --> 00:11:55,614 local admins or the administrators on the Windows system are
103 00:11:55,614 --> 00:12:02,101 automatically in the Remote Desktop Users group, you know, and so
104 00:12:02,101 --> 00:12:08,428 we had several cases, especially in the beginning of the pandemic when everybody moved to the home offices and
105 00:12:08,428 --> 00:12:15,545 they needed to put people fast in the position to access the
106 00:12:15,545 --> 00:12:22,125 internal systems again, they just put an RDP server on the internet and hope for the best.
107 00:12:25,136 --> 00:12:29,767 Additionally, if you put services on the internet, of course brute forcing and
108 00:12:29,767 --> 00:12:35,947 credential stuffing are attacks that are possible, so brute forcing just trying the
109 00:12:37,115 --> 00:12:42,195 username and password combinations, credential stuffing using already leaked
110 00:12:42,195 --> 00:12:47,636 passwords or credentials from leaks you find on the internet.
111 00:12:48,536 --> 00:12:53,923 What you can do about this kind of attack vector is, just as I said, use
112 00:12:53,923 --> 00:13:00,912 multi-factor authentication and reduce the attack surface as in the
113 00:13:00,912 --> 00:13:06,695 point with the vulnerabilities before, by moving the services behind a VPN and
114 00:13:06,695 --> 00:13:09,691 then use multi-factor authentication on VPN, of course.
115 00:13:12,791 --> 00:13:18,141 The last vector that we see normally, that the attackers can get in the
116 00:13:18,141 --> 00:13:23,887 network, is malware. We all know this about
117 00:13:23,887 --> 00:13:28,658 those funny emails you get with the attachments
118 00:13:28,658 --> 00:13:35,031 that have either Word documents
119 00:13:35,031 --> 00:13:41,764 attached, either zip files with Visual Basic scripts, JavaScripts and
120 00:13:41,764 --> 00:13:47,344 what you can get, ISOs you see a lot these days,
121 00:13:48,850 --> 00:13:54,210 or what you can also have, that you can have just a link inside the email and
122 00:13:54,210 --> 00:14:01,901 you download the respective file from some shady file sharing website.
123 00:14:03,381 --> 00:14:09,435 What we saw over the last year was USB sticks again, funnily.
124 00:14:10,744 --> 00:14:16,484 I'm not sure if you have heard about Raspberry Robin, which is a malware that
125 00:14:16,484 --> 00:14:26,427 worms via USB sticks, but I haven't seen it as a vector for
126 00:14:27,234 --> 00:14:31,784 ransomware yet on my own, but there are people who said that it's
127 00:14:33,220 --> 00:14:37,770 an initial access broker for some of the ransomware gangs.
128 00:14:38,734 --> 00:14:42,884 So what can you do about this, if you think the
129 00:14:45,169 --> 00:14:53,042 you can of course ban simply some file extensions in your mail server, or you
130 00:14:53,723 --> 00:15:00,953 change the file association types in your operating system, meaning that you
131 00:15:00,953 --> 00:15:06,274 don't open the JavaScript and Visual Basic script files using, for example, the
132 00:15:06,274 --> 00:15:11,610 Windows Scripting Host but open it with Notepad, and that will,
133 00:15:11,610 --> 00:15:14,757 of course, some people will be,
134 00:15:18,146 --> 00:15:23,006 some people will think about what this is then and ask the IT guys,
135 00:15:23,006 --> 00:15:27,408 but it's better than running the script itself.
136 00:15:28,260 --> 00:15:35,110 One thing, I don't like to say it, but keep your AV updated.
137 00:15:35,547 --> 00:15:39,791 This is one thing: keep it updated and read the logs.
138 00:15:40,722 --> 00:15:46,066 We see a lot of incidents where we see that the already
139 00:15:46,544 --> 00:15:51,714 days or weeks before you could have seen that there's something going
140 00:15:51,714 --> 00:15:59,612 on in your network, yeah, and if you see malware in your AV logs
141 00:16:00,476 --> 00:16:05,846 then react to it, just check it. You don't know how long this malware has
142 00:16:05,846 --> 00:16:11,302 been on your system. The thing is that
143 00:16:11,302 --> 00:16:16,792 just because your AV detected it now, it might have received an
144 00:16:16,792 --> 00:16:22,287 update for its signatures and the malware was active for days or weeks
145 00:16:22,287 --> 00:16:27,597 before. So when they are inside
146 00:16:29,770 --> 00:16:34,030 then they usually look, move and play around a little bit.
147 00:16:36,020 --> 00:16:41,420 So when they look around, what they do
148 00:16:41,420 --> 00:16:47,612 is they enumerate AD, they do port scans, they search for
149 00:16:47,612 --> 00:16:54,388 vulnerabilities, they check how they can escalate
150 00:16:54,388 --> 00:16:59,826 their privileges, they try to find credentials,
151 00:16:59,826 --> 00:17:03,871 Kerberoasting, we heard in the talk before, for example, is one thing,
152 00:17:07,890 --> 00:17:11,700 they try to identify accounts you
153 00:17:11,700 --> 00:17:16,981 have running on your systems they can use, they can get the credentials from and reuse.
154 00:17:18,060 --> 00:17:24,150 And for that reason one of the most important things, I think, is that you
155 00:17:24,150 --> 00:17:33,254 have a principle of least privileges in your environment, so only what an account needs
156 00:17:33,365 --> 00:17:38,385 you should be able to do. You should use dedicated service
157 00:17:38,385 --> 00:17:43,661 accounts for your services, of course, and just for your information