This use case is a summary of the Blitz WarGames, which was organized during the TEHTRIS week in France.
We partnered with Whaller to provide a French sovereign platform to our players so that they could work together as teams all throughout the day.
About the event:
In a full remote exercise, a cyber warfare was simulated between a Red team (attackers) and a Blue team (defenders) during the day. The asynchronous nature of the exercise aimed at dedicating a full morning to the attackers (without interruption from the Red team) and allowing the Blue team to work on forensics investigation in the afternoon.
4 Red team players faced 7 Blue team players helped by the TEHTRIS Purple team on the 14th of June 2023.
Partnership with Whaller
To include players from different entities and ensure a smooth communication throughout the event, TEHTRIS partnered with Whaller, a French company which shares TEHTRIS’ ethics and values. Whaller was the first company to get the « Sovereign Solution » (Privacy Tech) label that certifies French software editors carrying about data protection.
We thank again our partner for this opportunity to play with them!
In the attackers’ shoes…
The Red team stumbles upon a message that was recently posted on the dark web and sees an opportunity to make money…
Calling for assistance!
Our blue team is alerted after the client noticed suspicious activities on the XDR Platform: as an incident response team, they are to investigate…
The infrastructure of the Blitz WarGames: the victim company’s network
The WebApp was set to a detection-only configuration, while the targeted Windows was set to remediation mode. This was to illustrate how configuration settings are vital while deploying cybersecurity tools on an infrastructure.
Unfolding the Blitz WarGames following the cyber kill chain
The Red team used several scanning tools to gather information to support further targeting, such as Nmap (Network Mapper), an open-source tool for network discovery that can be used to identify hosts in the network and the ports that are opened in the systems found, Fuzz Faster U Fool (FFUF), a web fuzzer, or Nikto, a popular web server vulnerability scanner that can find vulnerabilities and list the CVE associated of those vulnerabilities.
With nmap, they found 3 hosts with open ports.
Getting distracted… by honeypots!
These scans gave information on TEHTRIS Deceptive Response, a honeypot set up to distract attackers and act as an early alarm system for cybersecurity analysts. And it worked like a charm!
The Red team lost time investigating the honeypot, which strengthened the signals for the blue team : an access to a decoy should always be investigated.
The purple team finally intervened to guide them through the exercise:
Back to business!
Once back on track and focusing on the right host, the Red team found the version of the website:
… and found that it was vulnerable to CVE-2023-29809, a SQL injection vulnerability allowing attackers to execute arbitrary code.
Blue team’s perspective
On the Blue team’s side, the honeypots played their role perfectly and acted as an early alarm:
Network scanning by Nmap and Fuzz Faster U Fool, and webserver vulnerability scanner Nikto were detected by TEHTRIS NTA:
Initial Access (TA001)
Exploit of CVE-2023-29809
The Red team exploited the SQL injection vulnerability (T1190) using SQLMap (popular tool that automates the process of detecting and exploiting SQL injection).
This allowed them to gain access to the users table stored in the website’s database and access credentials…
… to establish a SSH connection on the victim’s Linux server.
Incident response team: where to start?
Remember that the Blue team was called to face an emergency from a third party: in this scenario, they do not know what the infrastructure is like and what potential vulnerabilities exist.
Therefore, they decided to check on the common attack to a web server such as SQL injection, cross-site scripting (XSS) vulnerability and Local File Intrusion (LFI).
An SQL injection was detected by TEHTRIS NTA.
The SSH connection is visible in TEHTRIS SIEM, giving the Blue team information on the user victorh through which the attackers gained a foothold on the server:
Discovery (TA0007) & Credential Access (TA0006)
Gaining information on the environment…
Once on the Linux server, the red team used LinPEAS to try and escalate privilege. Then, navigating on victorh’s session, the Red team found the file admin.zip in the path /home/webadmin/.admin/admin.zip.
They bruteforced the zip file to reveal admin.txt.
…Spotted by the Blue team
The Blue team found in the Raw Data of TEHTRIS NTA that some events indicated file transfers of a bash script called linpeas.sh using the utility wget on the port 8000.
TEHTRIS EDR raised alerts on the commandlines used by LinPEAS:
The Blue team saw that the users run the command group, probably to see if he belongs to the sudoers. The Blue team believed that the command find shows that victorh user does not have access to many folders of the system.
Then, the Blue team monitored some scp commands and cp commands to extract the file admin.zip to the attacker’s system.
Lateral movement (TA008) and Privilege Escalation (TA004) attempt
Targeting the Windows machine
Inside the admin.txt file, the Red team found credentials for a Windows machine (whose IP address had been identified prior with the nmap scan):
Once on the Windows, the Red team used Metasploit to escalate privilege in the hope of completing the mission. However, they could not go further.
Automatic remediation by TEHTRIS EPP
TEHTRIS EPP automatically killed Metasploit:
With TEHTRIS NTA, the Blue team spotted that the attackers used the Python module SimpleHTTP to transfer the file.
The Red team did not succeed in retrieving the secret Dark Soldier asked for!
| My first is a body part that is said to mirror the heart|
My second is a definite article (most frequently used)
My third is the number one in the country of tehtris
My fourth is in appreciation but not in association
My fifth is plural latin for words of wisdom
My last is french slang for money
The answer is what drives tehtris
Still, we learned here valuable lessons…
On the one hand, the first phase of the attack illustrated just how useful honeypots are. Acting like pre-alarms that result in no false positives, they are a considerable help for Blue teamers while identifying attackers. TEHTRIS set up a research program to monitor Internet background noise and identify trends among threat actors: find out more here.
On the other hand, the scenario shows the importance of correctly setting up cybersecurity tools depending on the environment. The methodology to fine tune one’s configuration to enhance the XDR’s remediation capabilities is of critical importance.
TEHTRIS solutions protect against different type of threats and plays an active role in keeping sensitive data safe. The variety of tools help monitor all types of IT networks, set-up according to different parameters and constraints, while reducing attack surface.
Feedback from the players
L’évènement était top! Hâte de voir le prochain event 🙂SOC Engineer – POST Group
(The event was great ! Can’t wait to see the next one :))
Hâte de participer au suivant 😉Cybersecurity Consultant – TEHTRIS
(Can’t wait to play in the next event ;))
Join us for the next WarGames
At TEHTRIS, we believe CTF-like events are both educational and informative. By impersonating threat actors and practicing investigation on a real attack, we can all benefit from each other’s expertise while having fun!
You are one of our partners or clients and you would like to participate in a WarGames exercise this year? Please contact us for more information!