Tuesday, August 25, 2015

Post #7 (Or "Indomitable Occulite Chimera... That Isn't Right?")

Well, it isn't good news. I dealt with somebody last week that had been breached, and not the usual "Oops! I opened a receipt from UPS and now we have been hit with cryptomalware!" type of breach. I am talking, "Hey, nice ports you have there. I see that they are open. I'm gonna go ahead and just let myself in." type of breach. I am going to share some information in a way that outlines what happened without giving away sensitive information.

The victim in this incident contacted us to let us know that they were suddenly missing files and that there was a ransom note left in their place. Immediately, my thought was some new form cryptomalware, because this is one of the typical explanations we here when someone has been hit with something akin to CryptoWall, CryptoLocker, etc. However, upon discussion, I actually found out that the files had been deleted from the victim's NAS device and, instead, they were replaced by a nice ransom note asking them to pay .35 BTC (or 91.24 USD at the time of this sentence having been written) or else the files would not be returned that they would be leaked to third parties. Obviously, the victim was distraught.

I am not going to share the specifics of my assignment on this incident, but more or less there were 3 goals in mind; restore the files if at all possible, find out how the attackers got in (subset: perform attribution if at all possible), and close the holes that may have let them in. We'll walk through these steps.

We lucked out on the first count. This particular NAS has a Network Recycle Bin feature; the would-be master thieves deleted the files off of the system, but they didn't empty the recycle bin, so it was trivial enough to copy the files over to an external HDD (I didn't want to restore them directly and overwrite any bytes I may need to recover later.) That task was done.

Next, we came to the task of determining attack/breach vector and, if at all possible, identifying the culprits. Not going into detail, but the device was way behind on firmware, used default credentials, and a laundry list of other shamefully obvious wide-open front doors; identifying the vector of attack/breach was not possible, especially considering my limited viewpoint and the absence of log files to examine. There was a ransom note, however, as stated previously. The ransom note was a file (trid couldn't identify it, but it opened in a text editor without issue) named "Want_your_files_back". The contents of the file were as follows:

"Your personal data/company data/passwords/website credentials etc. were infiltrated by a hacking group. We expect from you a exchange of 0.35 BTC ($100) to this address; 19USe9wCY42UhBUGMVKrPvoQhB5FfFcCkW After the payment. We will get your files back in place. If this does not happen; You won't get your files back, we will take action and exploit more and leak all the info to third party’s. You have been warned.

P.S; How to buy BTC? http://howtobuybitcoins.info/



The name PTSD does not readily tie to any known threat actors. Contents of the file and its MD5 hash did not turn up any results, either. I traced the Bitcoin address using http://blockchain.info, but it looks like no one has made any payments to this address as of yet. The attackers have either never been paid, or they are using unique addresses for each attack, if multiple attacks have even taken place. Attribution, at this point, fell to the wayside on the tier of importance. More on that in a bit, though.

We were able to resolve the readily apparent security issues with the device, which is outside the scope of this post, but I just wanted to speak to our addressing of objective #3. At this point files have been restored and the major security holes in the device have been closed, but I wanted to take this a step further for myself.

I haven't yet had the opportunity to do so, but I fired up Mandiant IOCe and began crafting an .IOC file for the ransom note. I included the file name, MD5, and select content strings inside the file all as a single "OR" operation. I ran Mandiant IOC Finder on a test system where I stashed the ransom note, and confirmed that the .IOC file found it. I am uploading it here, along with the original ransom note. Maybe someone will find it useful and we can eventually attribute some attacks to the people that are behind this incident.

Stay safe!

EDIT 11/10/2015-22:59 Eastern: Finally took the time to make a Yara rule for this threat actor. It was my first Yara rule, but it appears to be working fine.

No comments:

Post a Comment