-
Hello and good evening on day two of the chaos communication Camp 2023 Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)]
-
it's late in the evening this is meleeway stage in case you're wondering
-
and the next talk is going to be about incident report responses
-
so if you're curious about how to even get there to have an incident response how you could
prepare for an incident response and how you could support a new organization
-
uh, the incident response team in doing the job and trying to fix whatever broke
-
let's put it that way um we have the right talk for you
-
this is stories from the life of an incident from incident responders Harry and Chris
-
please a very warm Round of Applause [Applause]
-
so, good evening and thank you for joining us today um we will tell you a little bit of our
-
life as incident responders and I'm Chris I did my computer science
-
studies at the University of alang and Nuremberg I do this security stuff for
-
over 10 years now so my CV is a little bit longer at the moment I'm a detection
-
engineer before that I was a long time working in dfir so digital forensic incident
-
response in different organizations and
-
yeah I'm Harryr I studied electrical and computer engineering at RWTH
-
University and I played a lot of CTF and did some hacking stuff at chaos computer club RWTH
-
during my masters I worked at x41 dsac doing pen testing patch analysis
-
so I also have some kind of offensive security background on for around one year now I'm working at G data Advanced
-
analytics doing digital forensics and incident handling
-
first Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks
-
like and in the second part of the talk I will tell you how the incident
-
responders work and what you can do in advance to make it go as smooth as possible and support the incident
-
response team so as Harryr told you I will probably
-
we'll talk about ransomware because the customers we usually have are small and
-
medium-sized businesses universities and hospitals and those are regularly
-
unfortunately regularly hit by um um
-
ransomware gangs the main reason for this and that's if you heard the last
-
talk um why they maybe not that responsive
-
and are not so interested in they just lack the resources so the manpower to do
-
uh proper security measurements to secure their systems especially in in erm
-
situations where you are for example in a hospital have medical devices
-
um which where you cannot simply install an AV on or even patch the system
-
because you lose the certification as a medical device then but also in in
-
companies manufacturing companies on the shop floor we're talking about systems
-
that have run times of 25 plus years so if you look back now 2023
-
we're talking about XP and older systems fun fact I was in a ransomware case and
-
Wannacry in 2017 when I got a call from from a person from the shop floor
-
asking me if we have a nt4 expert, um
-
that can tell us if WannaCry is affecting nt4 of course you don't need
-
to be a expert for NT-4 this one requires of course not affecting nt4
-
systems so due to the time uh slot we thought
-
memes are the best way to to tell you those stories and we have a lot of them
-
so in the first uh um section I tell you a little bit of how an attack Works
-
um there are a lot of different possibilities how you can describe and how to structure the how an attack works
-
there's the miter attack framework for example there was for example a talk Yesterday by Maker Salko
-
um here on the stage there's the original cyber kill chain from from Lockheed Martin you have
-
stuff from from companies like Mandy and their targeted the tech life cycle but
-
that's all in my opinion two two fine-grained it's that's the reason I
-
just take three simple steps yeah get a foothold in the door
-
look move play around and cash out those three uh I will just go over
-
so start with uh get a foot in the door so normally we
-
see three ways how attackers can can get into the environment in the ransomware
-
cases you have vulnerabilities in uh remote uh internet facing systems you
-
have the remote Services itself and you have malware
-
starting with the with the the vulnerabilities and um I just looked uh up the last four
-
years and maybe somebody remembers netscaler the the so-called Citrix
-
vulnerability in December 2019 um it was released mid of uh 2019 uh
-
December 2019 the first POC publicly available POC was in beginning of
-
January and the patch was available in middle of January so there was a round one week to one and a half weeks between
-
a public proof of concept for the vulnerability and uh patch for the vulnerability and what we saw
-
during 2020 a lot of companies patched but the patch didn't remove the the
-
compromise so they were already compromised and um yeah with it with the patch they
-
didn't remove the compromise so what we found what we could provable
-
see or proof evidence for uh was nine
-
month uh customer was breached after nine months using this this vulnerability
-
and we had other customers where we could see that the netscaler was affected after two years but we couldn't
-
prove that this this compromise was the reason for the actual ransomware case
-
and of course such vulnerabilities happen not that often
-
yeah so 2021 gave us uh hafnium exchange
-
vulnerability also a similar situation the patch
-
appeared as an out-of-band patch from Microsoft on a Tuesday evening 10 o'clock in German time
-
we saw during our uh incidents or the the assessments we did that
-
um the first exploit exploitation attempts were seen on Wednesday in the morning at
-
5:00 am so around seven eight hours later um I know one guy who could patch
-
because he was online when the patch was released otherwise Germany was unable to patch in
-
time and of course we can go on with 2021 proxy shell also
-
exchange vulnerability proxy nutshell also exchange vulnerability
-
we have uh in 2022 VMware Horizon the the virtual desktop infrastructure
-
from VMware just to name also open source stuff Zimbra a collaboration platform
-
including an email server uh has had a vulnerability actually the vulnerability
-
was in cpio from 2015 I think which led
-
to a compromise using via email so you send an email
-
with a cpio with a specially crafted archive file and you could drop a web
-
shell in one of the directories yeah you have of course 40 OS which is a
-
40 gate VPN and firewall operating system
-
and if you read the news we start at the beginning again
-
netscaler had some issues several weeks ago according to foxIT we have 1900
-
still unpatched net scalers worldwide how many patched
-
was netscale has exists that um have not been checked for compromise we
-
don't know of course so that will be a nice year probably
-
um so what can you can you do against this kind of of attack vector patch your systems is one thing as you
-
see this that doesn't lead to the the um or what you need to do afterwards in
-
such cases you need to check your systems for possible compromise
-
that is important to reduce this I highly suggest put your
-
uh Services behind some VPN so that only people who already have
-
connection to the VPN um can access your services or the services
-
they need and that would reduce the attack surface
-
at least to the VPN server so but I
-
of course we can also think about remote services without vulnerabilities
-
um there can be configuration mistakes so the admin does something wrong there can
-
be insecure default configurations like this um I don't know if you know it but the
-
local admins or the administrators on the Windows system are are
-
automatically in the remote desktop users group you know and so
-
we had several cases especially in the beginning of the pandemic when everybody moved from uh to the home offices and
-
they needed to put people fast in the position to to access their the assist
-
the internal systems again they just put a RDP server on the internet and hope for the best
-
um additionally if you put services on the internet of course brute forcing and
-
credential uh stuffing are attacks that are possible so brute forcing just trying the the
-
username and password combinations uh credential stuffing using already leaked
-
passwords or credentials from leaks you find on the internet
-
what you can do about this kind of of attack Vector is uh just as I said use
-
multi-factor Authentication and reduce the attack surface as in the
-
point with the vulnerabilities before by moving the services behind a VPN and
-
then use multi-factor authentication on VPN of course
-
the last Vector that we see normally that the attackers can get in the
-
network is malware we all know this about
-
those funny emails you get with the attachments
-
um include that have either Word documents
-
attached either zip files with with Visual Basic scripts javascripts and
-
what you can get isos you see a lot these days
-
um or what you can also have that you can have just a link inside the email and
-
you download the respective file from some some shady file sharing website
-
um what we saw over the last year was uh USB sticks again funnily
-
um I'm not sure if you have heard about raspberry Robin which is a malware that
-
warms via USB sticks um but I haven't seen it as a vector for
-
ransomware yet on my own but there are people who said that it's
-
an initial access broker for some of the ransomware gangs
-
so what can you do about this if you think the
-
you can of course ban simply some file extensions in your mail server or you
-
change the file Association types in your operating system meaning that you
-
don't open the JavaScript and Visual Basic script files using for example the
-
windows scripting host but open it with notepad and that will
-
of course some people will be
-
uh some people will think about what this this is then and ask the IT guys
-
but it's better than running the the script itself
-
one thing I I I don't like to to say it but keep your AV updated
-
um uh this is one thing keep it updated and read the logs
