Technical Blogs

Decrypting A Cyber Breach

Hanna Mathai

By Sunil Sharma, Director Cyber Defense

2 min to read
Decrypting A Cyber Breach

The Help AG Incident Response team responded to multiple breaches in 2021. One of the most notable breaches was attempted by an Iran-linked threat actor.

In November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert highlighting ongoing malicious activity by an advanced persistence threat (APT) group associated with the government of Iran. The alert mentioned initial access leveraging Fortinet FortiOS and Microsoft Exchange ProxyShell vulnerabilities.

A client engaged Help AG to respond to a security breach. An Administrator at the client site noticed suspicious admin account usage and unauthorized access to user mailboxes. Help AG consultants identified exploitation of multiple Exchange ProxyShell vulnerabilities (CVE-2021-34473,CVE-2021-34523,CVE-2021-31207).

  1. After exploiting the vulnerabilities, the attacker uploaded various web shells to the Exchange server to stay connected to the environment, maintain persistence, and perform command and control functions.
  2. The attacker then uploaded a reverse proxy tool to establish a secure tunnel to the environment.
  3. Using the Remote Desktop Protocol (RDP), the attacker managed to connect to the Exchange server via the secure tunnel.
  4. The attacker then created a local Administrator account on the Exchange server, followed by attempts at lateral movement and profiling the systems in the environment.
The attacker
  • Used RDP for connectivity and the PsExec tool to perform remote command execution
  • Used the PsExec tool to create services to maintain persistence in the environment
  • Installed an SSH application on one of the systems to perform data exfiltration
  • Downloaded PsTools, a legitimate Microsoft toolset, and used it for further lateral movement
  • Used the Mimikatz credential dumping tool and the “pass-the-hash” technique to obtain access to the Domain Controller
  • Created various user accounts and added these accounts to the “Domain Admin” group
  • Installed another backdoor on multiple systems to control them remotely
  • Used the SSH application server to exfiltrate dumped credentials and other data to their command-and-control server
Analysis and Response

Help AG observed significant sophistication in the attack. Our consultant identified the source of infection and initial access techniques within the first 2 hours of engagement. We assisted the client in patching the vulnerable systems, blocking relevant IoCs on perimeter and endpoint devices, rapidly resetting the compromised credentials, and rebuilding systems to a “known good” state. In addition, we installed an Endpoint Detection and Response (EDR) solution to monitor the client environment to ensure that the rebuilt system was and remained free of compromise.

The attacker Tools, Technique, and Procedures (TTP) mapped to MITRE ATT&CK
Reconnaissance 

  • T1595 – Active Scanning
  • T1592 – Gather Victim Host Information

Execution

  • T1059 – Command and Script Interpreter
  • T1203 – Exploitation of Client Execution
Privilege Escalation
  • T1068 – Exploitation for Privilege Escalation
  • T1078 – Valid Accounts

Credential Access

  • T1003 – OS Credential Dumping

Lateral Movement

  • T1210 – Exploitation of Remote Services
  • T1570 – Lateral Tool Transfer
  • T1021 – Remote Services
Command and Control
  • T1071 – Application Layer Protocol
  • T1105 – Ingress Tool Transfer
  • T1572 – Protocol Tunneling
  • T1090 – Proxy
 

Initial Access

  • T1190 – Exploit Public-Facing Application

Persistence

  • T1098 – Account Manipulation
  • T1136 – Create Account
  • T1133 – External Remote Service
  • T1078 – Valid Accounts

Defense Evasion

  • T1548 – Abuse Elevation Control Mechanism
  • T1036 – Masquerading
  • T1027 – Obfuscated Files or Information
  • T1078 – Valid Accounts
Discovery
  • T1087 – Account Discovery
  • T1069 – Permission Groups Discovery

Collection

  • T1560 – Archive Collected Data
  • T1005 – Data from Local System
  • T1074 – Data Staged
Exfiltration
  • T1048 – Exfiltration Over Alternative Protocol

Share this article

title
Upcoming event

Help AG & Zscaler – Perimeter Re- Imagined with Zero Trust and AI

Help AG and Zscaler's exclusive event – Perimeter ...

  • Dubai