ICT Security Basics from Trust to Blockchain Course

H1

Summary of Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains paper.

Framework includes 7 steps:

  1. Reconnaissance - research and information gathering.
  2. Weaponization - for example pairing remote access trojan and a payload.
  3. Delivery - delivering payload to the target, for example via USB stick that can be dropped on the street or handled to the target, or a malicious link that victim clicks.
  4. Exploitation - for example with a USB stick, the mallwear that installed on the USB stick can start to execute automatically after it was inserted into the computer aka USB Rubber Ducky. (Source: https://shop.hak5.org/blogs/usb-rubber-ducky)
  5. Installation - installation of the backdoor that an attacker can use for remote access.
  6. Command and Control (C2) - establishing the connection between the attacked target and command control server.
  7. Actions on Objectives - at this stage actual goals can be achieved: stealing or destroying the data etc.

Mitre Att&ck Framework

Mitre Att&ck Framework is more detailed and describes different tecniques and sub-tenchinques. It’s not strictly stuctured as Cyber Kill Chain. Also it containes different Matrixes for different entities, such as separate Enterprise Matrix that contains sub-categories such as Windows, macOS ets. Mitre Att&ck Framework has separate Matrix for Mobile and Matrix for Industrial Control Systems.

Table 1. Mitre Att&ck Framework Enterprise Matrix Summary. Source: What is Mitre Att&ck Framework? - Definition (cyberark.com)
Tactic The Adversary is Trying to:
Reconnaissance Gather information they can use to plan future operations
Resource Development Establish resources they can use to support operations
Initial Access Get into your network
Execution Run malicious code
Persistence Maintain their foothold
Privilege Escalation Gain higher-level permissions
Defense Evasion Avoid being detected
Credential Access Steal account names and passwords
Discovery Figure out your environment
Lateral Movement Move through your environment
Collection Gather data of interest to their goal
Command and Control Communicate with compromised systems to control them
Exfiltration Steal data
Impact Manipulate, interrupt, or destroy your systems and data

Comparison of Cyber Kill Chain and ATT&CK Enterprise matrix

First of all, the ATT&CK Enterprise matrix is more detailed, it contains more steps in the chain and also possible techniques and sub-techniques. But the Cyber Kill Chain and ATT&CK Enterprise matrix have the same backbone, the difference is just ATT&CK Enterprise matrix has several steps that can fit in one in the Cyber Kill Chain.

Another difference is that the Cyber Kill Chain has a defined order, “where adversaries are expected to move linearly from one phase to another. The MITRE ATT&CK Framework is deliberately unordered to acknowledge that an adversary may move through Tactics out of order, skip some Tactics, and revisit some Tactics multiple times throughout the course of an attack.” (Poston, H. 2020. How to Use the MITRE ATT&CK® Framework and the Lockheed Martin Cyber Kill Chain Together, https://resources.infosecinstitute.com/topic/how-to-use-the-mitre-attck-framework-and-the-lockheed-martin-cyber-kill-chain-together/)

I think that both attackers and defenders can benefit from these models. As well as other stakeholders of the business. In my opinion MITRE ATT&CK Framework could be useful in learning what kind of attacks are possible and what are the risks of the business.

What is missing from these models? I couldn’t find a step in the MITRE ATT&CK Matrix about stealing the data.

Security incident description and analisys

Cloud Hopper, episode 103, Darknet Diaries.

Source: https://darknetdiaries.com/episode/103/

Some company was informed by the Swedish Security Service that their computer was reaching out to some known bad source. Turned out that it was the jump server of the MSP, the server that was used to manage many customers, was reaching out to some command and control server.

MSP works by taking on other enterprises as clients, they monitor and patch their services if needed. Source So finding a breach in such a thing as a jump server was a really bad thing for the MSP.

“A jump server is defined as a system on a network that accesses and manages all the devices in a different zone of security.” - Source

To start the investigation, a threat analyst from Truesec received disc images and a memory dump from the attacked server. Because the antivirus didn’t trigger, he started to check manually. The first thing he checked was the /temp folder. Temp folder is used to store temporary files. Source VG. 2012

The file that was the output of the mimikatz software was discovered in the temp folder. Mimikatz is used to extract pins, hashes and passwords from the memory. Source. And it was a Windows server, which has a known vulnerability. It keeps passwords that are used to login in the memory, sometimes in plain text.

After scanning memory and disc for the IP address that was given to them by Swedish Security Service of this malicious command and control server. They found a process that was connected to this server. It was a legitimate software that scans for rootkits. But it was in an unusual location. And next to that file there were several dll files. So threat analysts suspected dll side-loading.

“DLL side loading is an attack where malware places a spoofed malicious DLL file in a Windows directory so that the operating system loads it instead of the legitimate file.” Source

Also they found an executable file - nbt.exe, it’s a legitimate file that is used to scan networks and it’s how windows computers connect to shared network drives. Another file had a list of public IP addresses that were scanned. Turned out that some of these IP addresses belonged to the US Department of Defense. Another malware was found on the server and it was PlugX, PlugX is a known RAT (Remote Access Trojan) and it can control the computer remotely.

Also they found out that the attack was running for weeks. And because the attack was running already for a long time. They tried not to reveal that they found out the breach and didn’t kill the process, because it’s easy to work on an attack that is ongoing, and attackers won’t be able to react.

In the end it turned out that somebody planted the malware from the MSP premises using stolen credentials of the MSP employee.

In short, the threat actor wanted to get into the US Department of Defense network, so they decided to hack MSP, hoping that some of the MSP customers would be connected by NetBIOS to the US Department of Defense, so they could get access. So the attackers did have an advanced persistent threat or APT.

“Advanced persistent threat is a covert cyber attack on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period”. - Cisco. What Is an Advanced Persistent Threat (APT)

The hack was associated with the Apt10 group. Source. Thousands of social security numbers were stolen, as well intellectual property in order to gain the competitive advantage.

To fix the breach MSP had to change all the passwords, which took lots of time and effort.

Analysis

Reconnaissance There is no information about the Reconnaissance phase, but threat actors definitely conducted Active Scanning and Gathering Victim Host Information to define that the target server was running Windows, it helped them to plant mimikatz, the software that targets Windows systems.

Resource Development Also we know that credentials for the jump station were compromised from the MSP employee, so probably it was done by using some Phishing techniques. Credentials of the jump station were stolen to plant mimikatz.

Initial Access At this stage attacks used the Valid account of the MSP employee.

Execution At this point attackers were collecting credentials of users that were connecting to other servers via this jump station. So attackers needed some User Execution. For the second stage, when attackers used a DLL loading attack, the Shared Modules technique was used. Persistence Attackers were really successful at this stage. The attack was running for several weeks without being noticed. Hijack Execution flow was used when malicious dll was placed using Valid Account.

Privilege escalation Attackers used Create or Modify System Process technique and Hijack Execution flow, when they installed mimikatz, rootkit and RAT using Valid Account and RAT.

Defence evasion Trusted Developer Utilities Proxy Execution was used. Payloads that were placed on the target server were legitimate software. Also valid account credentials were used.

Credential Access Input capture was used to get credentials for other servers that were accessed via compromised jump server. The first login to the jump server was done from MSP premises using stolen credentials of the MSP employee.

Discovery To attack the jump server, threat actors might have used System owner/user discovery to steal MSP employee credentials. For the next stage of the attack Network Service Scanning was used to see if there are servers in this Network that are connected to the Department of Defense.

Lateral Movement Attackes used Remote Services to connect to the server. (PlugX trojan)

Collection Input Capture was used to steal credentials via keyloggers. Data From Local System, the file with credentials that was created by mimikatz was accessed.

Command and Control Remote Access Software was used, particularly PlugX trojan.

Exfiltration Exfiltration Over C2 Channel was used.

Impact Various data was stolen from customers of the attacked MSP. As well as data from the Department of Defense including social security numbers of the US Navy. (For some reason MITRE Matricx doesn’t have anything about stealing the data).

Install Debian on VM

VirtualBox_CS-course_01_04_2022_14_46_04

H2

Summary of Santos et al 2017: Security Penetration Testing - The Art of Hacking Series LiveLessons: Lesson 6: Hacking User Credentials

Vulnerable passwords are:
Ways of stealing the password
Why is it easy to crack passwords?
How to improve password security?

Consumer:

Company:

Cracking hashes

Something to think about: we just learned that hashing is a one-way function. If this is true, why can you crack the hash and find out the original password?

Because we are not cracking the hash itself, but using the hash algorithm to hash password from the pasword lists and then comparing these two hashes.

Summary of Schneier 2015: Applied Cryptography: Chapter 2 - Protocol Building Blocks

Public-key cryptography

The protocol was designed by Whitfield Diffie and Martin Hellman in 1976 and it changed that paradigm of cryptography forever.

Key exchange process

Public area

Nothing from the public area can be combined to get the private key value. And the private key is never shared or never gets into the public area.

Source: Secret Key Exchange (Diffie-Hellman) - Computerphile https://www.youtube.com/watch?v=NmM9HA2MQGI

H3

Summary of Schneier 2015: Applied Cryptography Chapter 1: Foundations

hiddenmsg

(Source Hide Your Message Inside the Image : 5 Steps - Instructables copy /b some.jpg + msg.txt hiddenmsg.jpg)

Examples of public-key cryptography.

Encrypting and signing a message

1

2

3

4

H4

Summary of Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser.

Installing Tor

tor

Searching in Dark Web

Anonimity compromise case in Tor

Since 2020 threat actors was placing malicious exit nodes to perform SSL stripping attacks on users who were accessing cryptocurrency-related sites. It was reported that in May 2020, they ran a quarter of all Tor exit relays. SSL stripping attack is the attack when a user’s traffic is downgraded from using HTTPS to HTTP. The primary goal of this attack was to replace bitcoin addresses.

“Bitcoin mixers are websites that allow users to send Bitcoin from one address to another by breaking the funds into small sums and transferring them through thousands of intermediary addresses before re-joining the funds at the destination address. By replacing the destination address at the HTTP traffic level, the attackers effectively hijacked the user’s funds without the users or the Bitcoin mixer’s knowledge.” (Source: https://www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/)

Other networks from Tor

Other networks than Tor. For example, there is ZeroNet. It is a decentralized peer-to-peer network. Instead of having the IP address, the website is identified by a public key. And the owner of the website, having a private key, can add changes there. Zero net uses Bitcoin cryptography, it’s not anonymous by itself but it can route the traffic through the Tor network. The killer feature of ZeroNet is the possibility to browse websites even without an internet connection. (Source: https://en.wikipedia.org/wiki/ZeroNet?msclkid=0d91920bc3a311ecb55b7af6c42d4053)

How does anonymity work in Tor?

The security of Tor is in its essence to direct the traffic through randomly chosen relays. It also uses elliptic curve cryptography. The traffic is encrypted starting from the first relay, and then the second relay strips the first layer of the traffic and sends it to the next relay. It continues till the last exit node that passes unencrypted traffic to the destination. The exit node changes every 10 minutes.

Tor threat models

Tor can be used in Reconnaissance, so the target won’t be able to identify the IP address while the threat actor brows website. Or threat analytic can conceal his IP so the target won’t see that there was a connection from the police or some governmental office. Also, Tor can be used for phishing attacks using hidden services for sending an email.

H5

Summary of Felten et al 2015: Bitcoin and Cryptocurrency Technologies,

Summary of Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System.

How much is one BitCoin (BTC) worth now?

The price of bitcoin on 01.05.22 (10:53) Finnish time is 37 991.73 dollars for one bitcoin.

If I would buy bitcoin on 8 of November in 2021 when bitcoin was all time high, I would lose lots of money in the next couple of month. image2

Or if I would buy Bitcoin on 21 of September in 2020, when Bitcoin costs 10 601 dollars, I would gain a lot in the next several months. image1

(Source: #1 Bitcoin Price History Chart (2009, 2010 to 2022))

It is legal to own Bitcoin in Finland. Bitcoin is treated as a commodity in Finland and not as a currency. Also there are tax rules for bitcoin in Finland. When trading Bitcoin, it’s treated as a capital gain. On the other hand, when used as a payment for goods and services, Bitcoin is treated as a trade. (Source: 9 Exchanges to Buy Crypto & Bitcoin in Finland (2022)) (Source: Legal Status of Bitcoin. NewsBTC)

What’s a block chain?

Block chain is a decentralized hash pointer based data structure, where blocks are connected and the next block keeps the information about data of the previous block. So if one of the blocks in the chain is modified it will be detected straight away.

Altcoins

Cardano (ADA) is an altcoin developed by a group of researchers and scientists. The main advantage of Cardano is that it uses less energy to compute the next block, therefore is more sustainable than Bitcoin. (Source: What is Cardano? | Coinbase, https://www.cardano.com) Also Cardano has smart contracts. Cardano is built on Ouroboros proof-of-stake consensus protocol.

“Ouroboros is a Proof of Stake (PoS)-based permissionless consensus protocol for cryptocurrencies. It is deployed as part of Cardano, which has a cryptocurrency called ADA associated with it. The basic idea in PoS is to replace the energy-expensive Proof of Work (PoW) common in first generation Blockchain protocols such as Bitcoin and the current version of Ethereum (although Ethereum has its own PoS protocols under development), with a lighter-weight mechanism where each node’s probability of being a block producer is proportional to how many coins it has.” - Bhaskar Krishnamachari. (Source: Formalizing Proof of Stake-based Consensus: Ouroboros | by Bhaskar Krishnamachari | Medium) Currently the best Bitcoin altcoin is Ethereum. Etherium is not only a currency but also a programmable blockchain.

H6

Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 2 summary

Can of worms

First I run a tutorial task to understand how it works. It was ransomware, which was encrypting the data on the computer and showed the message with information on how to pay the attacker in order to decrypt the data.

image2

Then I picked the task Interactive analysis. ANY.RUN from a list of public tasks and it ran on a Windows machine. I chose FormBook trojan as an example of malware. FormBook is a data stealer that is distributed as MaaS (Mobility as a Service). MaaS integrates various forms of transport services into a single mobility service accessible on demand. (Source: What is MaaS?). FormBook is a well-known commercial malware, so dubbed because it has been sold “as-a-service” on hacking forums since 2016. (Source: Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I. FortiGuard Labs)

image1

(I was trying to understand the tree of processes and how the trojan works, and I’m not sure if I got it correctly :) But this is what I understood)

On this screenshot we can see a list of processes, and look up how the malware acts step by step.

From this screen shot we can also see that the HTTP request was made by the receipt.exe process. And this HTTP request was checking for an IP address from http://checkip.dyndns.org/. Response body is <html><head>Current IP Check</head><body>Current IP Address: 45.134.22.115</body></html> We can see that the IP address of the attacked machine is 45.134.22.115.

image4

On this screenshot we can see what kind of techniques and tactics this malware uses. For example we can see that the malware steals credentials from browsers and files (Credential access). Or in Execution we see that first of all the malicious file is executed by the user, but then the malicious file triggers Windows Command Shell to run the next steps (processes) of the mallwear.

image5

I found a great explanation of the Heartbleed vulnerability on the ServerFault stackexchange openssl - How to explain Heartbleed without technical terms? - Information Security Stack Exchange.

Heartbeat was added to OpenSSL protocol to send “keep-alive” messages between client and a server to reduce requests amount that TLS requires to set up the connection. Heartbeat message contains a payload and the length of this payload. So when the client sends this Heartbeat message, the server saves the payload and a length in the memory. Then when the server sends a “keep-alive” response back to the client it reads those next 18 characters of memory starting from where it stored the payload and sends it back to the client (who checks that they received the right data back) and then the connection is kept alive. So the vulnerability occured, because server never checked for the length of the payload and does it really equal the length that was sent in this message. For example the client sends a short payload, but says that it’s maximum length (maximum value is 65535 bytes). So because the server never checks for the length of the payload itself, the server will start to send the response from where it saved the payload, and then 65635 bytes of additional information that is stored in the memory near the short payload message, such as passwords, emails and so on.

And the best way of explaining it:

wiE3n.png

H7

Bitcoin block structure

Each block contains a block header as well as transaction data — two crucial sets of information integral to the network’s proper function and ability to transfer value. Each block must also contain certain specific information in order to be recognized by the network and subsequently become properly validated and appended to the blockchain.

Screenshots are taken from Detailed Info about Block 614926. BitcoinChain.com

explain-bitcoin-block

explain-bitcoin-block-1

References

Useful tools

Checks

``` ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d “username=FUZZ&email=x&password=x&cpassword=x” -H “Content-Type: application/x-www-form-urlencoded” -u http://10.10.87.232/customers/signup -mr “username already exists”

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d “username=W1&password=W2” -H “Content-Type: application/x-www-form-urlencoded” -u http://10.10.87.232/customers/login -fc 200 ```

Terms

IDOR

If the Id cannot be detected using the above methods, an excellent method of IDOR detection is to create two accounts and swap the Id numbers between them. If you can view the other users’ content using their Id number while still being logged in with a different account (or not logged in at all), you’ve found a valid IDOR vulnerability.