BTLO: The Report
The Report
You are working in a newly established SOC where there is still a lot of work to do to make it fully functional. As part of gathering intel, you were assigned a task to study a threat report released in 2022 and suggest some useful outcomes for your SOC.
Investigative Environment
- Hypervisor: VirtualBox
- OS: REMnux (Linux Toolkit for Reverse Engineering and Malware Analysis)
- Tools: Document Viewer
Technical Walkthrough
1. Name the supply chain attack related to a Java logging library at the end of 2021 (Format: AttackNickname)
I searched for "supply chain attack" and found the answer.
2. Mention the MITRE Technique ID which affected more than 50% of the customers (Format: TXXXX)
I searched for "50%", got a heading of "Top Threats", then I searched for "top technique" and found it!
3. Submit the names of 2 vulnerabilities affecting Exchange Servers (Format: VulnNickname, VulnNickname)
We're dealing with 2 vulnerabilities, so I searched for "Exchange Servers" and got 4 different results.
I read the first one, which wasn't useful. I read the second one and saw a subheading for vulnerabilities. I checked the third and saw another subheading. The fourth one had no useful content, and that's when I realized the subheadings contain the answer.
4. Submit the CVE of the zero-day vulnerability in a driver which led to RCE and gaining SYSTEM privileges (Format: CVE-XXXX-XXXXX)
I searched for "RCE". There was no exact term like "RCE", just related terms, so I searched for the meaning of the word instead and found the answer.
5. Mention the 2 adversary groups that leverage SEO to gain initial access (Format: Group1, Group2)
I searched for "SEO", read it and found one group out of the two.

Then I searched for "initial access", saw a lot of results based on that search. I filtered it down to the ones related to the first group I found and the term "SEO", and I finally found the answer.
6. In the detection rule, what should be mentioned as the parent process if we are looking for the execution of malicious .js files? [Hint: Not CMD] (Format: ParentProcessName.exe)
I misinterpreted the question at first based on the use of the words "should be mentioned", but since it involves a js file, I searched for "js file". No results popped up. I tried "javascript file" and looked for a .exe process, then I found the answer.
7. Ransomware gangs started using an affiliate model to gain initial access. Name the precursors used by affiliates of the Conti ransomware group (Format: Affiliate1, Affiliate2, Affiliate3)
I searched for "ransomware group".

If you read it carefully, you can see it matches what we are looking for. I just needed the third one, so I used the other 2 as a search term to get the last one, and I found the answer.
8. The main target of coin miners was outdated software. Mention the 2 outdated software products named in the report (Format: Software1, Software2)
I searched for "outdated software", but got no results. Then I tried "coin miners", which was also empty. I tried "miners" and got a lot of results including "coin miners", except that it's spelled "coinminers"! I quickly searched "coinminers", looked for the section where they talked about outdated software, and found the answer.
9. Name the ransomware group which threatened to conduct DDoS attacks if victims didn't pay the ransom (Format: GroupName)
This was very straightforward, you should give it a try yourself.
10. What is the security measure we need to enable for RDP connections in order to safeguard from ransomware attacks? (Format: XXX)
Well, I just searched for exactly that!
And done.
Success!
Thank you for reading. Stay tuned for more updates as I continue to expand my defensive capabilities!