CyberOps 2019 Skills Assessment


CCNA Cybersecurity Operations Open University - Skills Assessment

Introduction

Working as the security analyst for ACME, you notice a number of events on the SGUIL dashboard. Your task is to analyze these events, learn more about them, and decide if they indicate malicious activity. You will have access to the Internet to discover more about the events. Security Onion is the only VM with Internet access in the Cybersecurity Operations virtual environment. You may use any reasonable research method at your disposal. The tasks set out in this assessment are designed to provide some guidance through the analysis process. You will practice and be assessed on the following skills:

o Evaluating Snort/SGUIL events.
o Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for detailed event inspection.
o Using independent research to obtain intelligence on a potential exploit.

Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ by Cisco and is used with permission. For each stage of this assessment, you must provide evidence; this may be a copy/paste of file/log information, a screenshot, and a short single-sentence explanation of how you found the evidence. You will decide what evidence is appropriate. There are 28 steps that must be completed; not all steps require evidence. You must download and edit this document.

Addressing Table

The following addresses are preconfigured on the network devices. Addresses are provided for reference purposes:

Device             Interface   Network/Address      Description
Security Onion VM  eth0        192.168.0.1/24       Interface connected to the Internal Network
Security Onion VM  eth2        209.165.201.21/24    Interface connected to the External Networks/Internet

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public - with modifications from Open University

Page 1 of 6

Skills Assessment

CCNA Cybersecurity Operations

Gathering Basic Information

1. Log into the Security Onion VM (saved in the same location as this document) with username analyst and password cyberops.

2. Open a terminal window. Enter the sudo service nsm status command to verify that all the services and sensors are ready.

3. When the nsm service is ready, log into SGUIL with the username analyst and password cyberops. Click Select All to monitor all the networks. Click Start SGUIL to continue.

4. In the SGUIL window, identify the group of events that are associated with exploit(s). This group of events is related to a single multi-part exploit. How many events were generated by the entire exploit?

Answer: 28 events were generated by the exploit. The groups of events identified in the SGUIL window are listed below.

RED alerts:
- OSSEC - integrity checksum changed again (2nd time): 8 red alerts (starting with ID 1.850)
- OSSEC - integrity checksum changed again (3rd time): 10 red alerts (starting with ID 1.525)
- ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses: 1 red alert (ID 3.786)
- ET TROJAN Bedep SSL Cert: 2 red alerts (IDs 3.787-3.825)
- ET CURRENT_EVENTS Angler EK Encoded Shellcode IE: 12 red alerts (starting with ID 3.772)
- ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014: 28 red alerts (starting with ID 3.724)
- ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST: 1 red alert (ID 3.723)
- ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct: 1 red alert (ID 3.788)
- ET POLICY External Timezone Check (earthtools.org): 1 red alert (ID 3.784)
- ET POLICY Outdated Flash Version M1: 1 red alert (ID 3.722)
- ET TROJAN Possible Bedep Connectivity Check(2): 1 red alert (ID 3.785)
- ET EXPLOIT VSFTPD Backdoor User Login Smiley: 4 red alerts (starting with ID 5.5840)

ORANGE alerts:
- ET SCAN Potential VNC Scan 5900-5920: 4 orange alerts (IDs 5.5836-5.5848, 7.5926-7.5938)
- ET POLICY Suspicious inbound PostgreSQL port 5432: 2 orange alerts (IDs 5.5835-5.5851)
- ET POLICY Suspicious inbound mySQL port 3306: 2 orange alerts (IDs 5.5834-5.5846)
- ET POLICY Suspicious inbound OracleSQL port 1521: 2 orange alerts (IDs 5.5838-5.5847)
- ET POLICY Suspicious inbound MSSQL port 1433: 2 orange alerts (IDs 5.5837-5.5849)

YELLOW alerts:
- OSSEC - Reverse lookup error (bad ISP or attack): 1 yellow alert (ID 1.5301)
- OSSEC - User login failed: 1 yellow alert (ID 1.567)


5. According to SGUIL, when did the exploit begin? When did it end? Approximately how long did it take?
Begins: 2017-09-07 15:31:15
Ends: 2017-09-07 15:31:35
Duration: some seconds.

6. What is the IP address of the internal computer involved in the events? 192.168.0.12

7. What is the MAC address of the internal computer involved in the events? How did you find it?
MAC address: 00:1b:21:ca:fe:d7
How it was found: right-click the Alert ID, select Wireshark, and check the Ethernet II header of the frame.

8. What are some of the Source IDs of the rules that fire when the exploit occurs?
SIDs: 2014726, 2018442, 2019224, 2019488, 2020356, 2018954, 2021120, 2020491, 2018316, 2019645, 2019513
Where are the Source IDs from? If we check the box 'Show Rule' at the bottom right of the SGUIL window for any of the events associated with the exploit, we will be able to see the rule that triggered the event in the box underneath.
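The text shown by 'Show Rule' is a Snort rule in its standard format: a header (action, protocol, source, direction, destination) followed by options in parentheses, and the sid is one of those options. The following is an added example, not code from the assessment or from the Emerging Threats ruleset, that parses rule text into its header and options so sid, rev, msg, classtype and references can be read programmatically. The three sample rules are constructed to resemble ET rules; their sids (9000001-9000003) are placeholders and their content matches are simplified, so they are not the real rules behind the alerts on this page.

```python
"""Added example: parse Snort rule text (what SGUIL's 'Show Rule' box shows)
into header fields and options. Sample rules are constructed with placeholder
sids; they are not the real Emerging Threats rules."""
import re
from dataclasses import dataclass, field

# Snort rule header: action proto src sport direction dst dport (options)
RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<options>.*)\)\s*$"
)


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 0
    classtype: str = ""
    references: list = field(default_factory=list)


def _split_options(options: str) -> list:
    """Split 'key:value; key:value;' on semicolons that are not inside quotes."""
    parts, buf, quoted = [], "", False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    return parts


def parse_rule(text: str) -> SnortRule:
    """Parse one rule line; unknown options (content, pcre, flow...) are skipped."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text[:60])
    rule = SnortRule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    for opt in _split_options(m["options"]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "sid":
            rule.sid = int(val)
        elif key == "rev":
            rule.rev = int(val)
        elif key == "classtype":
            rule.classtype = val
        elif key == "reference":
            rule.references.append(val)
    return rule


def index_by_sid(rule_texts) -> dict:
    """Map sid -> parsed rule, so an alert's sid can be resolved to its msg."""
    return {r.sid: r for r in map(parse_rule, rule_texts)}


# Constructed sample rules (placeholder sids, simplified content matches).
CONSTRUCTED_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Flash Version M1"; '
    'flow:established,to_server; content:"X-Flash-Version|3a| "; http_header; '
    'classtype:policy-violation; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST"; '
    'flow:established,to_server; content:"POST"; http_method; pcre:"/^\\/[a-f0-9]{32}\\.php\\?q=[a-f0-9]{32}$/U"; '
    'reference:url,malware-traffic-analysis.net; classtype:trojan-activity; sid:9000002; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct"; '
    'flow:established,to_server; content:".swf"; http_uri; '
    'classtype:trojan-activity; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    for sid, rule in sorted(index_by_sid(CONSTRUCTED_RULES).items()):
        print(sid, rule.rev, rule.classtype, rule.msg)
```

The splitter tracks quotes so that semicolons inside msg or pcre values do not break the option list; escaped quotes inside a msg are not handled, which is fine for reading sids out of the rules an analyst pastes from SGUIL.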

9. Do the events look suspicious to you? Does it seem like the internal computer was infected or compromised? Briefly explain.
Yes, the events are suspicious; the computer has been infected through an outdated Flash vulnerability.

10. What is the operating system running on the internal computer in question?
OS fingerprint: 192.168.0.12:50473 → Windows XP/2000. This can be found by clicking the Alert ID and opening the Transcript.
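Steps 7 and 10 both read fields straight off packet headers: the source MAC from the Ethernet II header, and the IP/TCP fields (including the initial TTL, which passive fingerprinting tools such as the one behind the Transcript's OS fingerprint line use as one input; 128 is the Windows default) from the layers above it. The following is an added example, not code from the assessment, that walks a raw Ethernet II / IPv4 / TCP frame and extracts those fields. The frame is constructed by build_frame() with the page's internal host values; the destination MAC is a placeholder from the documentation range and checksums are left at zero.

```python
"""Added example: parse a raw Ethernet II / IPv4 / TCP frame for the fields an
analyst reads in Wireshark (steps 7 and 10). The frame is constructed, not
taken from the lab pcap."""
import struct
from dataclasses import dataclass


@dataclass
class FrameSummary:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> FrameSummary:
    """Walk Ethernet II -> IPv4 -> TCP and pull out the identifying fields."""
    # Ethernet II header: 6 bytes dst MAC, 6 bytes src MAC, 2 bytes EtherType
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes, options included
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return FrameSummary(_mac(src_mac), _mac(dst_mac), _ip(ip[12:16]), _ip(ip[16:20]),
                        ttl, src_port, dst_port)


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, ttl: int = 128) -> bytes:
    """Constructed SYN frame so the example runs offline (checksums left at zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    # TCP: ports, seq, ack, data offset 5 (20 bytes), SYN flag, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: version/IHL 0x45, TOS, total length, id, flags/frag, TTL, proto 6, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


# Constructed frame: internal host 192.168.0.12 (MAC from step 7) opening a
# connection from source port 50473 to TCP port 80 of 93.114.64.118.
# Destination MAC is a placeholder from the RFC 7042 documentation range.
CONSTRUCTED_FRAME = build_frame("00:1b:21:ca:fe:d7", "00:00:5e:00:53:01",
                                "192.168.0.12", "93.114.64.118", 50473, 80)

if __name__ == "__main__":
    print(parse_frame(CONSTRUCTED_FRAME))
```

The parser honours the IHL field rather than assuming a 20-byte IP header, so frames carrying IP options still yield the right TCP ports.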


Learn About the Exploit

11. According to Snort, what is the exploit kit (EK) in use? Angler EK

12. What is an exploit kit?
It is a widespread malware distribution tool. An exploit kit is code, a file or software that takes advantage of operating system and software (browser-based) vulnerabilities. Exploit kits then automatically exploit those vulnerabilities, using hidden code running on the target computer while the user is browsing the web normally. If this succeeds, malware installation follows. An exploit kit is a server-based framework that uses exploits to take advantage of vulnerabilities in browser-related software applications to infect a client (a Windows desktop or laptop) without the user's knowledge.

13. Do a quick Google search on 'Angler EK' to learn a little about the fundamentals of the exploit kit. Summarize your findings and record them here.
Angler EK first appeared in 2013 and is one of the most notorious exploit kits. This is because it is easy to use without deep technical knowledge, anyone can get it, and it can be programmed to perform a vast number of actions. Angler is used to install malware, collect confidential data, and tie the infected system to a botnet, converting it into a zombie. Angler tries to evade detection at every infection stage and can deliver invisible malware infections.

14. How does this exploit fit the definition of an exploit kit? Give examples from the events you see in SGUIL.
Exploit kits try to take advantage of web browser vulnerabilities, and our system is being attacked by Angler EK. Angler is attacking port 80. In the same time frame in which we observe the attack taking place, among the events of the exploit in SGUIL there is the alert ET TROJAN Possible Bedep Connectivity Check(2) (1 red alert, ID 3.785), which establishes a session from the local host to a remote host on port 80.

15. What are the major stages in exploit kits?
- Contact: Establish contact with the host environment through a landing page.
- Redirect: Redirect to an alternative landing page and detect vulnerabilities in the host that can be exploited.
- Exploit: Carry out the exploit and spread malware.
- Infection: Infect the host by executing the malware.

Determining the Source of the Malware

16. In the context of the events displayed by SGUIL for this exploit, record below the IP addresses involved.
The IP addresses involved are: 192.168.0.12, 93.114.64.118, 173.201.198.128, 192.99.198.158, 208.113.226.171, 209.126.97.209

17. The first new event displayed by SGUIL contains the message "ET Policy Outdated Flash Version M1". The event refers to which host? What does that event imply?
The event refers to the host 192.168.0.12; it implies that the host is using an older, outdated version of the Flash plugin. The host connects to TCP port 80 of 93.114.64.118. When the browser goes to http://www.earsurgery.org, the Flash object on the website points to 93.114.64.118 (displayed as mail.chooseyourself.ro in the Transcript and as adstairs.ro in the HTML header).

18. According to SGUIL, what is the IP address of the host that appears to have delivered the exploit?

19. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated with the IP address of the host that appears to have delivered the exploit?

20. This exploit kit typically targets vulnerabilities in which three software applications?
This EK targets vulnerabilities found in Adobe Flash Player, JRE (Java Runtime Environment) and Microsoft Silverlight.

21. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit?
The outdated Flash plugin.

22. What is the most common file type that is related to that vulnerable software?
- Adobe Flash authoring file: FLA
- ActionScript file: AS
- Flash XML file: XML
- compiled Flash file: SWF

23. Use ELSA to gather more evidence to support the hypothesis that the host you identified above delivered the malware. Launch ELSA and list all hosts that downloaded the type of file listed above. Remember to adjust the time frame accordingly. Were you able to find more evidence? If so, record your findings here.

24. At this point you should know, with quite some level of certainty, whether the site discovered earlier delivered the malware. Record your conclusions below.
192.168.0.12, the internal host, was likely infected. It has an outdated version of the Flash plugin, which was noticed by the exploit kit. 192.168.0.12 was then led to download a malicious SWF (Flash file) from qwe.mvdunalterableairreport.net.


Analyze Details of the Exploit

25. Exploit kits often rely on a landing page used to scan the victim's system for vulnerabilities and exfiltrate a list of them. Use ELSA to determine if the exploit kit in question used a landing page. If so, what is the URL and IP address of it? What is the evidence?

Hint: The first two SGUIL events contain many clues.

Landing page: lifeinsidetroit.com (173.201.198.128)
Server script name: 02024870e4644b68814aadfbb58a75bc.php
Exfiltrated data: e8bd3799338799332593b0b9caa1f426
Full POST URI: POST /02024870e4644b68814aadfdbb58a75bc.php?q=e8bd3799ee8799332593b0b9caa1f426

The second new event in SGUIL implies that the compromised site allowed a malicious Flash-based ad to be loaded from an ads site. This Flash-based ad is designed to scan the victim's computer and exfiltrate data to the EK's landing page. After the vulnerability information has been collected, the Flash-based advertisement submits it via HTTP POST to a PHP script hosted on lifeinsidedetroit.com, the landing page. The landing page processes the collected information and chooses the exploit according to the vulnerability that has been discovered. The exploit is then delivered to the client's web browser. As seen earlier in this document, the victim's computer has an outdated version of Flash. The exploit, hosted at qwe.mvdunalterableairreport.net, is then sent to the victim's computer. Notice that the exploit is designed to allow code execution only. The exploit also carries further malware, known in EK terminology as the payload. The execution of the payload is the end game of the EK.
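ELSA on Security Onion searches the Bro logs, and http.log is where both the step 23 question (which hosts downloaded SWF files, within the right time frame) and the step 25 question (a POST to a 32-hex-character .php script with a 32-hex-character q value, the shape named by the "32-byte by 32-byte PHP EK Gate with HTTP POST" alert above) are answered. The following is an added example, not code from the assessment or from ELSA, that runs both checks over Bro http.log records. The log excerpt is constructed: it reuses the page's hosts, IPs and landing-page POST, but the timestamps (placed in the 2017-09-07 15:31 window from step 5, treated as UTC), the URIs, mime types and the unrelated 192.168.0.34 host are made up, and the landing host is spelled lifeinsidedetroit.com as in the narrative.

```python
"""Added example: answer steps 23 and 25 over Bro http.log records (what ELSA
searches on Security Onion). The log excerpt is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SWF_MIME = "application/x-shockwave-flash"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed Bro http.log excerpt (tab-separated, a subset of the real columns).
CONSTRUCTED_HTTP_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\thost\tmethod\turi\tresp_mime_types",
    f"1504798275.100000\t192.168.0.12\t93.114.64.118\tadstairs.ro\tGET\t/ads/banner.swf\t{SWF_MIME}",
    "1504798277.400000\t192.168.0.12\t173.201.198.128\tlifeinsidedetroit.com\tPOST\t"
    "/02024870e4644b68814aadfbb58a75bc.php?q=e8bd3799338799332593b0b9caa1f426\ttext/html",
    f"1504798281.000000\t192.168.0.12\t192.99.198.158\tqwe.mvdunalterableairreport.net\tGET\t/exploit.swf\t{SWF_MIME}",
    "1504798290.000000\t192.168.0.34\t209.126.97.209\texample.invalid\tGET\t/index.html\ttext/html",
    # a SWF fetched a day later by another host: outside the exploit's time frame
    f"1504900000.000000\t192.168.0.34\t209.126.97.209\texample.invalid\tGET\t/old.swf\t{SWF_MIME}",
])

# 2017-09-07 15:31:15 to 15:31:35 UTC (step 5's window, constructed as UTC epoch)
WINDOW_START, WINDOW_END = 1504798275.0, 1504798295.0


def parse_http_log(text: str) -> list:
    """Turn Bro's tab-separated log (with its #fields header) into dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def in_window(records: list, start_ts: float, end_ts: float) -> list:
    """Step 23's 'adjust the time frame': keep records with ts inside [start, end]."""
    return [r for r in records if start_ts <= float(r["ts"]) <= end_ts]


def swf_downloads(records: list) -> dict:
    """Step 23: which internal hosts downloaded SWF files, and from where."""
    hits = defaultdict(list)
    for r in records:
        path = urlsplit(r["uri"]).path.lower()
        if SWF_MIME in r["resp_mime_types"] or path.endswith(".swf"):
            hits[r["id.orig_h"]].append((r["host"], r["id.resp_h"], r["uri"]))
    return dict(hits)


def landing_page_posts(records: list) -> list:
    """Step 25: POSTs to <32 hex>.php?q=<32 hex>, the EK gate shape."""
    found = []
    for r in records:
        if r["method"] != "POST":
            continue
        parts = urlsplit(r["uri"])
        script = parts.path.rsplit("/", 1)[-1]
        q = parse_qs(parts.query).get("q", [""])[0]
        if script.endswith(".php") and HEX32.match(script[:-4]) and HEX32.match(q):
            found.append({"orig_h": r["id.orig_h"], "landing_ip": r["id.resp_h"],
                          "landing_host": r["host"], "script": script, "exfil": q})
    return found


if __name__ == "__main__":
    recs = in_window(parse_http_log(CONSTRUCTED_HTTP_LOG), WINDOW_START, WINDOW_END)
    print(swf_downloads(recs))
    print(landing_page_posts(recs))
```

Running the SWF search with and without in_window() shows why the time frame matters: unrestricted, the second host's unrelated SWF from a day later also appears; restricted to the exploit window, only 192.168.0.12 remains, with the ad server first and the exploit host second.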

26. What is the domain name that delivered the exploit kit and malware payload? qwe.mvdunalterableairreport.net

27. What is the IP address that delivered the exploit kit and malware payload? 192.99.198.158

28. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured packets as was done in a previous lab. What files or programs are you able to successfully export?
