Break things, write reports

Lol ANU

Some place got hacked, it's clearly sophisticated and not at all a result of shitty security, old systems.

Tags: news, commentary | Categories: news, incident-response
Posted at — Oct 8, 2019

tl;dr - Snarky comments about http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

What

What happened

9 November 2018: spearphishing email one.

The actor’s campaign started with a spearphishing email sent to the mailbox of a senior member of
staff. Based on available logs this email was only previewed but the malicious code contained in the
email did not require the recipient to click on any link nor download and open an attachment. This
“interaction-less” attack resulted in the senior staff member’s credentials being sent to several external
web addresses. It is highly likely that the credentials taken from this account were used to gain access
to other systems. The actor also gained access to the senior staff member’s calendar – information
which was used to conduct additional spearphishing attacks later in the actor’s campaign.

Assuming they’re (the victim) using Outlook, this is probably just an email with a link to an image on an external SMB share, and someone ran a server to prompt for credentials. This isn’t new, and is fairly well known - with places like NCC, Wildfire and CMU blogging about this back in early 2018.

As it’s been a year, it’s probably about the level of skill you’d get out of an average pentest in 2019 - so probably not that sophisticated.
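The defender-side check that pattern implies is to look at the mail itself before a client renders it. This is an added example, not code from the post or the ANU report: it scans a raw message for resource references a mail client might fetch on preview and authenticate to (UNC/file:// paths, or hosts outside the organisation). The allowlist suffix, hostnames and sample message are constructed.

```python
# Added example (not from the post or the ANU report): flag resource references
# in an HTML mail that a client may fetch, and authenticate to, on preview.
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_SUFFIXES = (".example.edu",)  # constructed allowlist of own domains

class RefCollector(HTMLParser):
    # Collect src/href/background attribute values from an HTML body.
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "background") and value:
                self.refs.append(value.strip())

def classify_ref(ref):
    """Severity for one reference, or None when it points at our own hosts."""
    if ref.startswith("\\\\") or ref.lower().startswith("file:"):
        return "high"    # UNC/file path: the client may authenticate to the share
    parsed = urlparse(ref)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        if not parsed.hostname.lower().endswith(INTERNAL_SUFFIXES):
            return "medium"  # external resource fetched when the mail renders
    return None

def scan_message(raw):
    """Parse a raw RFC 822 message and return [(severity, ref), ...]."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = RefCollector()
        collector.feed(part.get_content())
        # keep only references that classify_ref considers worth a look
        findings += [(s, r) for r in collector.refs if (s := classify_ref(r))]
    return findings

# Constructed sample: a UNC image, an external image and an internal link.
SAMPLE = """From: sender@attacker.example
Subject: Agenda
Content-Type: text/html; charset=utf-8

<html><body><img src="\\\\203.0.113.10\\share\\logo.png">
<img src="http://tracker.example.net/p.gif">
<a href="https://intranet.example.edu/agenda">agenda</a></body></html>
"""
```

Run `scan_message(SAMPLE)` to see the UNC image flagged high and the external image medium, with the intranet link ignored.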

12–14 November 2018: webserver infrastructure compromised.

It is probable that the actor used credentials gained on 9 November to successfully access an
Internet-facing webserver used by one of the University’s schools. The actor successfully created a
webshell on this webserver which was then used, over two days, to conduct command and control
(C2) operations through what is known as a TOR exit node. These activities were likely designed to
set up infrastructure and tools to be used throughout the actor’s campaign.

It’s not clearly explained here, but either:

The use of TOR isn’t too exciting.

Apparently, the credentials were not administrative credentials, as they explain in the next section.

16 November 2018: compromise of legacy infrastructure.

From the compromised school webserver, the actor was able to gain access to a legacy server hosting
trial software. This server was scheduled for decommissioning in late 2019 and at the time of this report
no longer active. Unfortunately, the server was attached to a virtual LAN with extensive access across
the ANU network. It is unclear how the actor found this legacy server, but we believe that the credentials
stolen on 9 November were used to log on to this machine. The senior user whose credentials were
stolen was not a system administrator, so it is likely that a privilege escalation exploit was used to gain
full control of the server – referred to as attack station one in the remainder of this report.

I read this as:

Privesc on a “legacy server” (read: unmaintained box) isn’t terribly hard, so again, not really crazy sophistication here yet.

20–21 November 2018: the creation of attack station one.

Over the course of two days the actor downloaded tools and scripts to build attack station one. To
download these tools the actor also compromised a second Internet facing webserver using a webshell
and used this server to download software tools to attack station one. These tools were used to run
scripts and perform remote management tasks including scheduled deletion of logs to hide their
activities. The actor started to map the ANU network on 21 November.

22 November 2018: the creation of virtual machines on attack station one.

The following day the actor set up two virtual machines on attack station one, one using Windows XP
and the second Kali Linux. Both operating systems were downloaded using BitTorrent. Shortly after the
creation of these virtual machines the actor used a network session logger to “sniff” credentials from
monitored or redirected network traffic. The actor also gained access (through remote desktop) to a
machine in a school which had a publicly routable IP address. Age and permissiveness of the machine
and its operating system are the likely reasons the actor compromised this machine – which will be
referred to as school machine one for the remainder of this report. The actor continued to map the
ANU network on this day.

Lol what, this is where it gets weirder:

23 November 2018: exfiltration of network mapping data.

The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike
the University’s primary mail server, this legacy mail server requires no authentication. The emails sent
out likely held data gained from the actor’s network mapping from the previous two days, as well as
user and machine data. On the same day, the actor set up what is known as a tunnelling proxy which
is typically used for C2 and taking data out of the network. The actor commenced network packet
captures, most likely to collect more credentials or gain more knowledge about the network.

Tl;dr:

25–26 of November: spearphishing email two.

The actor started a second attempt to gain credentials using spearphishing emails. This email entitled
“invitation” was sent to one external and 10 ANU email addresses. Some of these emails appear
to be tests to determine if the ANU mail filters would block the actor’s spearphishing emails. This
spearphishing attempt resulted in only one user’s credentials being compromised but usage of this
credential was limited, suggesting it did not have the accesses the actor was seeking. The actor
also accessed the network’s Lightweight Directory Access Protocol (LDAP) infrastructure, gaining
information on the ANU pool of Windows users and devices.

They got creds though, so good on them - 1 in 11 isn’t amazing numbers, but all the same - you only need one to get a foothold (which is how the place was allegedly popped anyway).

27 November: access to ESD file shares achieved.

At this stage the actor did not appear to have the relevant credentials needed for their campaign and
over the course of 27 November, began a network-wide attempt to compromise a range of servers
using exploits or stolen credentials. The actor eventually found credentials to access file shares in
ESD and other parts of the network, and mapped directory structures. However the actor displays
no interest in file shares other than those in ESD. The file share in ESD is a temporary storage location
used by several business units, normally to facilitate the routine extraction and manipulation of data
such as finance and HR records.

The actor probably knew what they wanted, or nothing else looked exciting enough to steal.

The actor also starts to map out machines in ESD and locates servers housing the databases
underpinning ANU HR, finance, student administration and e-forms systems. Upon finding these
databases the actor tries repeatedly, and unsuccessfully, to access these systems. Late on
27 November the actor downloads source code for a bespoke toolset or malware; this code is
then compiled and run. The nature of this code is unknown as the actor wiped it and the compiled
executable after use. Executable files allow source code to run on a machine. Forensic evidence also
shows the extensive use of password cracking tools at this stage. The combination of the bespoke
code and password cracking is very likely to have been the mechanism for gaining access to the
above administrative databases or their host systems.

Cool, they downloaded poc.c. This doesn’t really mean much either way here.

The actor then accessed the administrative databases directly using a commercial tool. This tool
allowed the actor to connect to several databases at once to search and extract records; and convert
them to PDF format. The PDFs were then sent to the compromised school machine one for extraction
from the ANU network.

Read: The actor used SQL Management Studio, or whatever tooling one uses for whatever DBMS it was.

29 November 2018: third spearphishing attempt.

The actor continues to look for credentials and tries to maximise the effectiveness of their
spearphishing efforts by connecting to the University’s spam filter and attempting to disable its ability
to detect malicious emails. There is no forensic evidence to suggest that they were successful in this
attempt. The actor then sent 75 emails, 50 to ANU addresses and the remainder to external email
addresses. These were used to either exfiltrate data or to undertake more spearphishing. The actor
was able to harvest at least one administrator credential during this spearphishing phase.

29 November–13 December 2018: clean-up operations and loss of attack station one.

As noted earlier, the actor displayed a very high degree of operational security and routinely erased
files and logs.

No. They torrented a bunch of shit, on their target network, that’s not really good opsec. They also set up VMs on their target, that’s a lot of heavy things on one’s target.

As noted earlier, the actor displayed a very high degree of operational security and routinely erased
files and logs. One such clean up phase commenced on 29 November with the actor erasing files and
tools with logs packaged for exfiltration through school machine one, which itself was also subject to
clean up operations. It is believed that the actor was preparing attack station one for the next phase of
their campaign. 

Read: We don’t know what happened other than they deleted some logs, and we wanted to have something for our timeline.

On 30 November the ANU implemented a routine firewall change. This cut the actor off from attack
station one. The actor immediately then initiated activity to try and get back on to attack station one or
to find another place in the network to resume operations. This activity continued until 13 December.

13–20 December 2018: new attack station and resumption of exfiltration.

After nearly two weeks of effort the actor restores their access to the network through a machine
running a legacy operating system in a second school – referred to in the remainder of the report
as attack station two. This machine was subject to a large amount of C2 activity between 13 and
19 December. Forensic analysis suggests this activity is associated with the actor preparing attack
station two presumably to either continue extracting data from ESD or to start a new phase of the
campaign. On 19 December, the actor exfiltrated 13 additional files, compressed into archives,
through TOR.

At the time of this activity, the school hosting attack station two was not behind the University firewalls
and was using publicly routable IP addresses. The actor also probed other parts of the network for
other vulnerable systems and began updating malware on attack station two. These updates were
likely preparing attack station two for continued access into ESD or the rest of the network.

21 December 2018: fourth spearphishing attempt and loss of attack station two.

The actor starts to target users with administrative access and sends 40 phishing emails to ANU staff
with privileged accounts. This email, entitled “New Planning for Information Technology Services”
used calendar information gained from the first spearphishing campaign. This phishing attempt
was successful in harvesting a handful of privileged accounts, but ANU IT staff detected the unusual
behaviour and were able to remove the new attack station from the network. At the time, however, this
activity was treated as an individual event, by ANU IT, rather than part of a broader campaign.

Prior to the loss of attack station two the actor was able to scan an Internet facing web server. This
formed the basis of a subsequent intrusion attempt in February 2019.

22 December 2018 – March 2019: C2 activity and second intrusion attempt.

As noted above there was an intrusion attempt in February 2019 against an externally facing
webserver. This attack was ultimately unsuccessful but given the similarities in tradecraft used between
the November and February attacks, the latter was likely a further attempt by the same actor to regain
access to ESD. This activity also aligns to C2 activity seen throughout January and in early March,
which was the last known activity by the actor.

“MALWARE AND TRADECRAFT ANALYSIS”

The actor exhibited exceptional operational security during the campaign and left very little in the way
of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign. The exception
was attack station one which the actor lost control of on 30 November. At this point, the actor was
part way through its clean-up cycle and as such was not able to fully erase all traces. It is the forensic
analysis of these traces that form much of the content of this report. Analysis of attack station one is
still underway at the time of this report.

The analysis of attack station one yielded several insights. The actor was able to, in several cases,
avoid detection by altering the signatures of more common malware used during the campaign. Also,
the malware and some tools were assembled inside the ANU network after a foothold had been
established. This meant that the downloaded individual components did not trigger the University’s
endpoint protection. There is also evidence of bespoke malware in the form of source code (compiled
within the network) used to gain access to ESD. The purpose of this code remains unknown, and no
forensic traces of it or the executable file which was compiled from the code have been found at the
time of this report.

Other software used by the actor included network session capture and mapping tools, bespoke
clean-up, JavaScript and PowerShell scripts as well as a proxy tool. The actor downloaded several
types of virtualisation software before selecting one and downloaded disk images for Windows XP and
Kali Linux. There is little evidence to suggest much use of Kali Linux.

The first phishing email was designed to be interaction-less and likely used some form of scripting.
It is assumed the actor anticipated a high degree of security awareness on the part of the intended
recipient. Unfortunately, a copy of this email was not recoverable, so further analysis is not possible.

The only line you need here is “Unfortunately, a copy of this email was not recoverable”; ignore the rest of that statement as there’s nothing to back it up.

Subsequent phishing attachments were designed to harvest credentials and used similar scripts. The
user opened the attached Word document and the credentials were sent to the remote server. All the
attachments in the second, third and fourth spear-phishing cycles used the same technique with the
credentials sent to the active attack station instead of the internet. 

The Word trick is probably DDE or something similar - also not new (https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/).

Due to the operational security and clean-up operations of the actor, it has not been possible to retrieve
copies of the files exfiltrated from the network. In some cases, there was enough forensic and log
data to ascertain file sizes. However, because these files were compressed and likely to have been
encrypted, it is difficult to infer what specific data sets were taken from the affected systems. However,
based on log analysis and known data volumes it is highly likely that the actor took much less than the
19 years’ worth of data first noted at the time of the breach announcement.

Reading between the lines, ANU didn’t have SMB logging on their fileservers, so they’ve resorted to looking for where the files were staged for indications of what was nicked. The fact that they didn’t steal 19 years of records based on analysis isn’t exciting, other than being some kind of weasel word of ‘it’s not as bad as it could have been’.

The actor’s use of a third-party tool to extract data directly from the underlying databases of our
administrative systems effectively bypassed application-level logging. Safeguards against this
happening again have been implemented.

However, reading this with a little less respect to the IR team - they’re saying that because the actor didn’t use the app attached to the database, they’ve bypassed logging, which is to say they’ve just dumped the database directly.
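When the application is skipped, the database engine’s own connection or audit log is the only place the dump shows up, so that is where the check belongs. This is an added example, not code from the post or the ANU report: it reviews a constructed audit log for sessions whose client host or program is not the application tier, and sizes what they pulled. The hostnames, program names, log format and row counts are all constructed.

```python
# Added example (not from the post or the ANU report): with the application
# bypassed, the database engine's own connection/audit log is what is left.
import csv
import io

# Constructed allowlist: hosts and client programs the HR application uses.
APP_HOSTS = {"hr-app-01.example.edu", "hr-app-02.example.edu"}
APP_PROGRAMS = {"hr-webapp"}

# Constructed audit log: time, db user, client host, client program, rows returned.
AUDIT_LOG = """time,db_user,client_host,program,rows
2018-11-27T21:02:11,hr_svc,hr-app-01.example.edu,hr-webapp,12
2018-11-27T21:03:40,hr_svc,hr-app-02.example.edu,hr-webapp,4
2018-11-27T23:41:05,hr_svc,ws-legacy-17.example.edu,DbAdminTool,183224
2018-11-27T23:52:19,hr_svc,ws-legacy-17.example.edu,DbAdminTool,97010
"""

def review_sessions(log_text, bulk_rows=10000):
    """Return findings for sessions that did not come via the application tier.

    A session is flagged when its client host or program is not the
    application's; it is also marked bulk-read when it returned more rows
    than an interactive application request plausibly would.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        via_app = (row["client_host"] in APP_HOSTS
                   and row["program"] in APP_PROGRAMS)
        if via_app:
            continue
        rows = int(row["rows"])
        reasons = ["direct-connection"]  # the app's service account, off the app hosts
        if rows >= bulk_rows:
            reasons.append("bulk-read")   # export-sized result set
        findings.append({"time": row["time"], "user": row["db_user"],
                         "host": row["client_host"], "program": row["program"],
                         "rows": rows, "reasons": reasons})
    return findings

def rows_by_host(findings):
    """Total rows pulled per off-path client host, to size a possible export."""
    totals = {}
    for f in findings:
        totals[f["host"]] = totals.get(f["host"], 0) + f["rows"]
    return totals
```

Against the sample log, both sessions from the legacy workstation are flagged as direct connections with bulk reads, while the two application-tier sessions pass.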

Analysis of school machine one, through which most of the data was taken, is ongoing. However,
this machine has been subject to a range of erasure and clean-up techniques, so it is not possible to
identify precisely what data was taken at the time of writing.

This is a disclaimer, which should be read as “Don’t expect more reporting on this, but we’re going to bill for a couple more weeks”.

Wrapup

So we’ve got a sophisticated actor which:

They used TOR though, so they’re obviously sophisticated.

In less snarkiness, good on ANU for releasing details about it, even though they’re fairly high level and it’s claiming to be super sophisticated (where I put forward that it is not).