An email is received indicating a Hacktivist organization, “Mysterious”, has stated they have compromised Company servers. They will be releasing sensitive and embarrassing emails associated with several executives.
There is a link to pastebin-hosted text which describes threats to the Company and several other companies in the same industry. The pastebin text contains a list of actual Company servers and the text of an email that the Company CFO (Jack) sent to the VP of Product Marketing (Jill).
This is the triggering event for the incident response effort:
An email is received indicating a Hacktivist organization, called Mysterious, has stated they have compromised Company servers and will be releasing sensitive and embarrassing emails associated with several executives.
There is a link to pastebin-hosted text which describes threats to the Company and several others in the same industry. The pastebin text contains the text of an email that the Company CFO sent to the VP of Product Marketing.
Incident Narrative (do not provide to audience)
A group called “Mysterious”, unhappy with The Company’s industry, has breached The Company. They performed some open-source research and identified several administrative assistants for executives and other high-value targets. They crafted emails to each targeted person, based on LinkedIn details, and sent a link to a malicious site disguised as a funny cat video. One of these emails, sent last Friday afternoon, was received by the CFO’s assistant (Ms. Jane Doe), who opened the email, accessed the malicious site, and had her computer compromised.
The compromise of Ms. Doe’s computer installed a backdoor which gave the Adversary full access to the computer, including: keystroke logging, screen capture, webcam recording, file search and archive creation, file transfer, email dumping, and an interactive shell. The malware uses SSL to communicate with a dynamically-hosted domain controlled by Mysterious.
The Adversary leveraged this access to collect all of Ms. Doe’s email and passwords. Since Ms. Doe has access to the CFO’s email, they were able to collect all of that email too. Because the executives have a shared file server (or SharePoint site) for transferring important, and sometimes personal, files, and all executive assistants have access to it, the Adversary had access to a large amount of highly sensitive information. They accessed the file share as Ms. Doe and exfiltrated that information successfully.
All but two of the 8 emails Mysterious sent last week were deleted by the recipients, who did not report them to security since they didn’t know they should or how. The 7th of the emails went to a junior person (George) in executive support who was out of the office last week. George opened the link today and his computer is compromised but has not yet been accessed by the Adversary. That system is now their backup plan. George’s system WILL be accessed by the Adversary WITHIN 30 minutes of Ms. Doe’s system going offline UNLESS the C2 domain is blocked. George’s system has communicated with the C2 server and a backup domain is configured. If the primary C2 domain is blocked, the malware will call out to an alternate domain, also dynamically hosted. The last of the 8 was Ms. Doe.
Hidden Incident Details
- CFO’s administrative assistant received a spear-phishing email last week
- Her computer is compromised and beaconing, with sporadic, heavy SSL traffic volume to an apparent C2 server
- The C2 server is dynamically hosted
- Forensic analysis of Ms. Doe’s system would show several documents, including several on an un-announced acquisition (or make up something important), information about this quarter’s financial performance, pictures from a recent executive party, and a 200 MB password-protected RAR archive. The RAR contents are hidden. A second 500 MB RAR file can be forensically recovered, also hidden.
- Seven other malicious emails were also sent by the Adversary
- Six were ignored and deleted
- One was opened yesterday (George, in exec support), since the target had been out of the office, and was also compromised. It is beaconing but has not been accessed yet by the Adversary.
- Administrative assistant has access to the CFO’s email via the Exchange delegate access feature
- Executive support operates a file server (or SharePoint) share for the executives, and admin assistants have access to it for easy collaboration and document transfer
- The Adversary found this and copied a lot of data, via the Assistant’s computer
- Analysis of that server’s authentication logs is the only way to spot this
- Unless there are audit logs what was accessed will be hard to determine…
- The Assistant’s account has not been used on any other computers on the network.
- Does the team know how to engage executive support?
- What tools does The Company have to triage any systems which may be compromised?
- Does the team search web proxy logs for Ms. Doe’s system for odd traffic?
- Does the team search logs for other systems accessing the C2 site before taking Ms. Doe’s system offline?
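The facilitator prompts above (proxy log review for Ms. Doe's system, a search for other hosts reaching the C2 domain before containment, and the file-server authentication check) can be turned into concrete triage queries. The following is an added example written for this exercise, not part of the original TTX material; the log formats, IP addresses, account names and the domains `c2-primary.example` / `c2-backup.example` are all constructed placeholders, not real indicators.

```python
"""Triage queries a responder would run BEFORE taking the assistant's
workstation offline. Added example for the TTX; nothing here is real data.

Assumed (constructed) log formats:
  proxy: <ISO timestamp> <client IP> <method> <host:port> <bytes>
  auth:  <ISO timestamp> <account> <source IP> <result>
"""
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy records. CONNECT lines are TLS tunnels, which is how
# the scenario's SSL beaconing and exfiltration would appear at the proxy.
PROXY_LOG = """\
2024-05-13T14:02:11 10.1.5.23 CONNECT c2-primary.example:443 18234
2024-05-13T14:02:15 10.1.5.23 CONNECT mail.example.net:443 4120
2024-05-13T14:47:30 10.1.5.23 CONNECT c2-primary.example:443 209715200
2024-05-13T15:10:02 10.1.7.88 CONNECT c2-primary.example:443 1930
2024-05-13T15:12:40 10.1.7.88 CONNECT c2-backup.example:443 1840
2024-05-13T15:30:00 10.1.9.4 GET www.example.org:80 5540
"""

# Constructed executive file-server authentication records.
AUTH_LOG = """\
2024-05-13T14:05:00 jdoe 10.1.5.23 SUCCESS
2024-05-13T14:06:10 jdoe 10.1.5.23 SUCCESS
2024-05-13T14:50:00 jdoe 10.1.5.23 SUCCESS
2024-05-13T15:00:00 gsmith 10.1.7.88 SUCCESS
"""

# Placeholder C2 domains: the primary and the configured alternate.
C2_DOMAINS = {"c2-primary.example", "c2-backup.example"}


def parse_proxy(text):
    """Yield (timestamp, client, host, bytes) from proxy log lines."""
    for line in text.splitlines():
        ts, client, _method, hostport, nbytes = line.split()
        host = hostport.rsplit(":", 1)[0]
        yield datetime.fromisoformat(ts), client, host, int(nbytes)


def hosts_contacting(text, domains):
    """Map each internal client that reached any of the given domains to the
    set of domains it touched. Running this before containment is what
    surfaces a second compromised host while the first is still online."""
    seen = defaultdict(set)
    for _ts, client, host, _n in parse_proxy(text):
        if host in domains:
            seen[client].add(host)
    return dict(seen)


def large_tls_transfers(text, threshold_bytes):
    """Clients with a single TLS session at or above the threshold; a
    multi-hundred-megabyte archive leaving via SSL would show up here."""
    return sorted(
        {client for _ts, client, _h, n in parse_proxy(text) if n >= threshold_bytes}
    )


def account_source_hosts(text, account):
    """Source hosts from which an account authenticated to the file server.
    A second host for the assistant's account would indicate the credential
    is being used elsewhere on the network."""
    hosts = set()
    for line in text.splitlines():
        _ts, acct, src, _result = line.split()
        if acct == account:
            hosts.add(src)
    return sorted(hosts)


if __name__ == "__main__":
    print(hosts_contacting(PROXY_LOG, C2_DOMAINS))
    print(large_tls_transfers(PROXY_LOG, 100 * 1024 * 1024))
    print(account_source_hosts(AUTH_LOG, "jdoe"))
```

The order matters: `hosts_contacting` is run while the first compromised workstation is still on the network, and the block list it informs must include the alternate domain as well as the primary one, since the narrative states the malware falls back to the backup domain when the primary is blocked. `account_source_hosts` answers the question in the hidden details about whether the assistant's account has been used from any other computer.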
Closing Questions (to the participant group)
These questions are also in the Participant Brief.
How did the Team’s ability to respond during the TTX compare to your expectations at the start?
Were there any short-term changes that can be done to improve your response capability?
What could be done to reduce the breach exposure time?