Lol ANU

tl;dr - Snarky comments about http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

What

• Some place got hacked
• “This report details the level of sophistication, the likes of which has shocked even themost experienced Australian security experts”.
  • No idea what they mean by “experts”
  • It’s 4x sophisticated, based on how many times ‘sophisticated’ was mentioned in the document

What happened

9 November 2018: spearphishing email one.

The actor’s campaign started with a spearphishing email sent to the mailbox of a senior member of
staff. Based on available logs this email was only previewed but the malicious code contained in the
email did not require the recipient to click on any link nor download and open an attachment. This
“interaction-less” attack resulted in the senior staff member’s credentials being sent to several external
web addresses. It is highly likely that the credentials taken from this account were used to gain access
to other systems. The actor also gained access to the senior staff member’s calendar – information
which was used to conduct additional spearphishing attacks later in the actor’s campaign.

Assuming they’re (Victim) using Outlook, this is probably just an email with a link to an image on an external SMB share, and someones ran a server to prompt for credentials. This isn’t new, and is fairly well known - with places like NCC, Wildfire and CMU blogging about this back in early 2018.

As it’s been a year, it’s probably about the level of skill you’d get out of an average pentest in 2019 - so probably not that sophisticated.

12−14 November 2018: webserver infrastructure compromised.

It is probable that the actor used credentials gained on 9 November to successfully access an
Internet-facing webserver used by one of the University’s schools. The actor successfully created a
webshell on this webserver which was then used, over two days, to conduct command and control
(C2) operations through what is known as a TOR exit node. These activities were likely designed to
set up infrastructure and tools to be used throughout the actor’s campaign.

It’s not clearly explained here, but either:

• They phished someone with admin rights, and shelling a webserver was done with admin creds; or
• They shelled an average PHP webapp

The use of TOR isn’t too exciting.

Apparently, the credentials were not administrative credentials, as they explain in the next section.

16 November 2018: compromise of legacy infrastructure.

From the compromised school webserver, the actor was able to gain access to a legacy server hosting
trial software. This server was scheduled for decommissioning in late 2019 and at the time of this report
no longer active. Unfortunately, the server was attached to a virtual LAN with extensive access across
the ANU network. It is unclear how the actor found this legacy server, but we believe that the credentials
stolen on 9 November were used to log on to this machine. The senior user whose credentials were
stolen was not a system administrator, so it is likely that a privilege escalation exploit was used to gain
full control of the server – referred to as attack station one in the remainder of this report

I read this as:

• Some shitty box could hit internal assets, which means there wasn’t segregation between what should have had some level of segregation (although that shouldn’t have been the control, and we wish everything was zero trust, it’s not.)
• “legacy server” sounds pretty weird
  • Giving benefit of the doubt, this could just mean “We were about to decomission it”
  • Gut feeling is that it was probably also a very, very old machine
• “trial software” - “it was meant to be in dev but wasnt”
• “unfortunately the server was attached to a VLAN with extensive access” - lol, it’s probably for the same reason the first webapp box could hit everything :)
• “It is uncear how the actor found it” - They looked for an old box, and it was probably easy to shell
• “The senior user whose credentials were stolen was not a system administrator”
  • They don’t really explain what kind of login it was, but i’m betting that the account could RDP to this box

Privesc on a “legacy server” (read: unmaintained box) isn’t terribly hard, so again, not really crazy sophistication here yet.

20−21 November 2018: the creation of attack station one.

Over the course of two days the actor downloaded tools and scripts to build attack station one. To
download these tools the actor also compromised a second Internet facing webserver using a webshell
and used this server to download software tools to attack station one. These tools were used to run
scripts and perform remote management tasks including scheduled deletion of logs to hide their
activities. The actor started to map the ANU network on 21 November.

• The actor wanted another popped box in case the first externally facing webserver was discovered
• This is fairly standard tradecraft, to establush multiple ways back in just in case
• “These tools were used to run scripts and perform remote management tasks … deletion of logs”
  • No logs no crime!
  • Still not amazing tradecraft, this should be standard. Except in a Pentest/Redteam, apparently the goal is to get caught so you probably wouldn’t delete logs, but it’s not for any technical reason.
• “The actor started to map the network”
  • Read: They waited 4 days to do recon.
  • They were probably doing recon a bit earlier than this :)

22 November 2018: the creation of virtual machines on attack station one.

The following day the actor set up two virtual machines on attack station one, one using Windows XP
and the second Kali Linux. Both operating systems were download using BitTorrent. Shortly after the
creation of these virtual machines the actor used a network session logger to “sniff” credentials from
monitored or redirected network traffic. The actor also gained access (through remote desktop) to a
machine in a school which had a publicly routable IP address. Age and permissiveness of the machine
and its operating system are the likely reasons the actor compromised this machine – which will be
referred to as school machine one for the remainder of this report. The actor continued to map the
ANU network on this day

Lol what, this is where it gets weirder:

• They made a pile of noise by torrenting
  • This is probably what actually triggered the SOC’s response, not a security event but a “someone might be pirating things” concern
  • This is pretty poor tradecraft, you don’t want to get picked up
• Two virtual machines
  • Setting up a VM is crazy, setting up two is even funnier
  • Why WinXP
  • Kali kind of makes sense, at least you’ve got a pile of tools useable by literally everyone else on the internet (read: skids)
• “network session logger to sniff credentials” - Read: They ran Responder
• “The actor gained access to a machine with a public IP”
  • Recon pays off eventually, keep that in mind! :)
• “Age and permissiveness of the machine and operating system”
  • Read: It was running server 2003, or EternalBlue worked, pick one out of metasploit
• “The actor continued to map”
  • At least this was sensible, doing more recon is always good :)

23 November 2018: exfiltration of network mapping data.

The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike
the University’s primary mail server, this legacy mail server requires no authentication. The emails sent
out likely held data gained from the actor’s network mapping from the previous two days, as well as
user and machine data. On the same day, the actor set up what is known as a tunnelling proxy which
is typically used for C2 and taking data out of the network. The actor commenced network packet
captures, most likely to collect more credentials or gain more knowledge about the network.

Tl;dr:

• The actor emailed stuff out
  • “likely contained” - “we don’t know what they sent lol”
• “The actor set up what is known as a tunnelling proxy which is typically used for C2 and taking data out of the network.”
  • I would have liked a bit of speculation here as to why - or what they actually meant.
  • I think they’re trying to genericaly say that they were using this box to forward C2 traffic out of the network to bypass a proxy, or to be slightly quieter in their ops
  • This is also fairly standard tradecraft, it’s even been in metasploit since at least 2010, so the tooling has existed forever - no innovation required

25−26 of November: spearphishing email two.

The actor started a second attempt to gain credentials using spearphishing emails. This email entitled
“invitation” was sent to one external and 10 ANU email addresses. Some of these emails appear
to be tests to determine if the ANU mail filters would block the actor’s spearphishing emails. This
spearphishing attempt resulted in only one user’s credentials being compromised but usage of this
credential was limited, suggesting it did not have the accesses the actor was seeking. The actor
also accessed the network’s Lightweight Directory Access Protocol (LDAP) infrastructure, gaining
information on the ANU pool of Windows users and devices.

• “The actor also accessed the networks LDAP infrastructure”
  • Pulling a list of users is a good idea, this was probably what they used to fuel the next wave of phishing
  • Still, this isn’t innovative, or new, or sophisticated. It’s querying LDAP for users.
• Unsure what this was about, the actor might have been trying to figure out if the network positioning is useful for another op
  • sidenote: This should be in your threat model, that one of the organisations you deal with gets popped and is used for your goals

They got creds though, so good on them - 1 in 11 isnt amazing numbers, but all the same - you only need one to get a foothold (which is how the place was allegedly popped anyway).

27 November: access to ESD file shares achieved.

At this stage the actor did not appear to have the relevant credentials needed for their campaign and
over the course of 27 November, began a network-wide attempt to compromise a range of servers
using exploits or stolen credentials. The actor eventually found credentials to access file shares in
ESD and other parts of the network; and mapping directory structures. However the actor displays
no interest in file shares other than those in ESD. The file share in ESD is a temporary storage location
used by several business units, normally to facilitate the routine extraction and manipulation of data
such as finance and HR records.

The actor probably knew what they wanted, or nothing else looked exciting enough to steal.

The actor also starts to map out machines in ESD and locates servers housing the databases
underpinning ANU HR, finance, student administration and e-forms systems. Upon finding these
databases the actor tries repeatedly, and unsuccessfully, to access these systems. Late on
27 November the actor downloads source code for a bespoke toolset or malware; this code is
then compiled and run. The nature of this code is unknown as the actor wiped it and the compiled
executable after use. Executable files allow source code to run on a machine. Forensic evidence also
shows the extensive use of password cracking tools at this stage. The combination of the bespoke
code and password cracking is very likely to have been the mechanism for gaining access to the
above administrative databases or their host systems.

Cool, they downloaded poc.c. This doesn’t really mean much either way here.

The actor then accessed the administrative databases directly using a commercial tool. This tool
allowed the actor to connect to several databases at once to search and extract records; and convert
them to PDF format. The PDFs were then sent to the compromised school machine one for extraction
from the ANU network.

Read: The actor used SQL management studio, or whatver tooling one uses for whatever DBMS it was.

29 November 2018: third spearphishing attempt.

The actor continues to look for credentials and tries to maximise the effectiveness of their
spearphishing efforts by connecting to the University’s spam filer and attempting to disable its ability
to detect malicious emails. There is no forensic evidence to suggest that they were successful in this
attempt. The actor then sent 75 emails, 50 to ANU addresses and the remainder to external email
addresses. These were used to either exfiltrate data or to undertake more spearphishing. The actor
was able to harvest at least one administrator credential during this spearphishing phase.

• Actor fiddled with spam filters
  • Apparently they had rights to this, but not to anything to dump creds from (like AD)
• They should have instead, just git gud and stop getting v& by spam filters
• They then phished 25 eternal users
  • Keep on pivoting!
• Actor got one set of admin creds
  • Yes, you can phish admins too. They’re about as bad as normal users.

29 November−13 December 2018: clean-up operations and loss of attack station one

As noted earlier, the actor displayed a very high degree of operational security and routinely erased
files and logs.

No. They torrented a bunch of shit, on their target network, that’s not really good opsec. They also set up VMs on their target, that’s a lot of heavy things on ones target.

As noted earlier, the actor displayed a very high degree of operational security and routinely erased
files and logs. One such clean up phase commenced on 29 November with the actor erasing files and
tools with logs packaged for exfiltration through school machine one, which itself was also subject to
clean up operations. It is believed that the actor was preparing attack station one for the next phase of
their campaign. 

Read: We don’t know what happened other than they deleted some logs, and we wanted to have something for our timeline.

On 30 November the ANU implemented a routine firewall change. This cut the actor off from attack
station one. The actor immediately then initiated activity to try and get back on to attack station one or
to find another place in the network to resume operations. This activity continued until 13 December.

• Read: The attacker got cut out not by security intervention, but from some random change.
• Attack station one is the ‘legacy’/‘trial’ one, which didn’t have a public IP

13−20 December 2018: new attack station and resumption of exfiltration.

After nearly two weeks of effort the actor restores their access to the network through a machine
running a legacy operating system in a second school – referred to in the remainder of the report
as attack station two. This machine was subject to a large amount of C2 activity between 13 and
19 December. Forensic analysis suggests this activity is associated with the actor preparing attack
station two presumably to either continue extracting data from ESD or to start a new phase of the
campaign. On 19 December, the actor exfiltrated 13 additional files, compressed into archives,
through TOR.

At the time of this activity, the school hosting attack station two was not behind the University firewalls
and was using publicly routable IP addresses. The actor also probed other parts of the network for
other vulnerable systems and began updating malware on attack station two. These updates were
likely preparing attack station two for continued access into ESD or the rest of the network.

• This is why you set up multiple ways out of the network :)

21 December 2018: fourth spearphishing attempt and loss of attack station two.

The actor starts to target users with administrative access and sends 40 phishing emails to ANU staff
with privileged accounts. This email, entitled “New Planning for Information Technology Services”
used calendar information gained from the first spearphishing campaign. This phishing attempt
was successful in harvesting a handful of privileged accounts, but ANU IT staff detected the unusual
behaviour and were able to remove the new attack station from the network. At the time, however, this
activity was treated as an individual event, by ANU IT, rather than part of a broader campaign.

Prior to the loss of attack station two the actor was able to scan an Internet facing web server. This
formed the basis of a subsequent intrusion attempt in February 2019.

• Attacker phished some admins, with a topical email - thanks to previous recon, and managed to get more admin creds
  • Again, admins aren’t that much better than regular users.
• “But ANY IT staff detected the unusual behaviour”
• They didn’t pick up a bunch of other phishing
• They didn’t pick up torrenting from some old server
• Attacker scanned an internet facing webserver
  • more recon, good job!
  • It’s not clear why this is mentioned, either they know its the same attacker because they scanned from an internal position (not mentioned), or because they were starting to become aware of the attackers external infrastructure.

22 December 2018 – March 2019: C2 activity and second intrusion attempt

As noted above there was an intrusion attempt in February 2019 against an externally facing
webserver. This attack was ultimately unsuccessful but given the similarities in tradecraft used between
the November and February attacks, the latter was likely a further attempt by the same actor to regain
access to ESD. This activity also aligns to C2 activity seen throughout January and in early March,
which was the last known activity by the actor.

• Attack was unsucessful, but given similar tradecraft - we think it’s the same actor
  • Maybe? What tradecraft? Phishing and looking for old infrastructure? :)

“MALWARE AND TRADECRAFT ANALYSIS”

The actor exhibited exceptional operational security during the campaign and left very little in the way
of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign. The exception
was attack station one which the actor lost control of on 30 November. At this point, the actor was
part way through its clean-up cycle and as such was not able to fully erase all traces. It is the forensic
analysis of these traces that form much of the content of this report. Analysis of attack station one is
still underway at the time of this report

• A reminder of why you should delete logs as you go, but ultimately this isn’t fantastic tradecraft, or sophistication. It just means they cared enough to delete logs.

The analysis of attack station one yielded several insights. The actor was able to, in several cases,
avoid detection by altering the signatures of more common malware used during the campaign. Also,
the malware and some tools were assembled inside the ANU network after a foothold had been
established. This meant that the downloaded individual components did not trigger the University’s
endpoint protection. There is also evidence of bespoke malware in the form of source code (compiled
within the network) used to gain access to ESD. The purpose of this code remains unknown, and no
forensic traces of it or the executable file which was compiled from the code have been found at the
time of this report. 

• “avoid detection by altering signatures” - Not hard tradecraft. Everyone does this to avoid AV, and there’s pretty cheap tooling on hackforums if you’re too lazy to do it yourself.
• “some tools were assembled inside the network” - running gcc inside a network is apparently sophisticated?
• “bespoke malware” - Seeing as victim don’t have a copy of the source, they can’t really make this claim, it could just be off github for all they know

Other software used by the actor included network session capture and mapping tools, bespoke
clean-up, JavaScript and PowerShell scripts as well as a proxy tool. The actor downloaded several
types of virtualisation software before selecting one and downloaded disk images for Windows XP and
Kali Linux. There is little evidence to suggest much use of Kali Linux.

• Noting they didn’t say “bespoke” network session capture tools, or “bespoke” mapping tools here - $50 they used responder
• “bespoke cleanup, javascript and powershell scripts, as well as a proxy tool” - Kind of doubting it
• “actor downloade several types of virtualisation software before selecting one” - Read. they dicked around and did it in prod, rather than trying it out on their on infra, and fumbled their way through it.
• “little evidence to suggest much use of kali” - They still pulled it down, and didn’t really use it? Sounds like shitty tradecraft to me, pulling down more than one needed

The first phishing email was designed to be interaction-less and likely used some form of scripting.
It is assumed the actor anticipated a high degree of security awareness on the part of the intended
recipient. Unfortunately, a copy of this email was not recoverable, so further analysis is not possible. 

The only line you need here is Unfortunately, a copy of this email was not recoverable, ignore the rest of that statement as theres nothing to back it up.

Subsequent phishing attachments were designed to harvest credentials and used similar scripts. The
user opened the attached Word document and the credentials were sent to the remote server. All the
attachments in the second, third and fourth spear-phishing cycles used the same technique with the
credentials sent to the active attack station instead of the internet. 

The word trick is probably DDE or something similar - also not new (https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)

Due to the operational security and clean-up operations of the actor, it has not been possible to retrieve
copies of the files exfiltrated from the network. In some cases, there was enough forensic and log
data to ascertain file sizes. However, because these files were compressed and likely to have been
encrypted, it is difficult to infer what specific data sets was taken from the affected systems. However,
based on log analysis and known data volumes it is highly likely that the actor took much less than the
19 years’ worth of data first noted at the time of the breach announcement.

Reading between the lines, ANU didn’t have SMB logging on their fileservers, so they’ve resorted to looking for where the files were staged for indications of what was nicked. The fact that they didn’t steal 19 years of records based on analysis isn’t exciting, other than being some kind of weasel word of ‘its not as bad as it could have been’

The actor’s use of a third-party tool to extract data directly from the underlying databases of our
administrative systems effectively bypassed application-level logging. Safeguards against this
happening again have been implemented.

• This wasn’t mentioned earlier! - In an earlier section they said ‘commercial tool’, which reads as ‘they used the same tools an Admin would have used’
• They should have mentioned this part significantly earlier, as it’s somewhat interesting

However, reading this with a little less respect to the IR team - they’re saying that because the actor didn’t use the app attached to the database, they’ve bypassed logging, which is to say they’ve just dumped the database directly.

Analysis of school machine one, through which most of the data was taken, is ongoing. However,
this machine has been subject to a range of erasure and clean-up techniques, so it is not possible to
identify precisely what data was taken at the time of writing.

This is a disclaimer, which should be read as “Don’t expect more reporting on this, but we’re going to bill for a couple more weeks”.

Wrapup

So we’ve got a sophisticated actor which:

• Phished with year old techniques
• popped an old box
• Torrented a bunch of stuff, fumbled through installing Virtualbox, then only ended up using the oldest OS they could possibly use

They used TOR though, so they’re obviously sophisticated.

In less snarkyness, good on ANU for releasing details about it, even though they’re fairly high level and it’s claiming to be super sophisticated (Where I put forward that it is not).