1 of 6

ACME Anvils:

Final Report

(Recent Breach Slides)

Martian SOC Team:

Elez Topuzovic, Myra Rafalovich, Timothy Khoury, Ulrick Pimentel, and Taylor King

4/25/2021

2 of 6

Overview of Recent Breach

  • Analyzed Logs from 3 Sources
    • Brocade switch: Monitors network traffic
    • Intrusion Detection System: Monitors for potentially malicious traffic
    • Next Generation Firewall: Deep packet inspection (reveals the most information)
  • Threat Actor
    • Unknown: Supply chain, competitor, insider threat (unlikely)
  • Characterized 13 Different Tactics and 8 Different Techniques (TTPs)
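The slide above summarizes three log sources and a count of tactics and techniques but does not show how alerts from separate sources are pulled into one kill-chain view. The script below is an added example, not the Martian SOC Team's tooling: it parses a common "timestamp source key=value" shape assumed for all three sources, maps each event to a kill-chain stage and technique with keyword rules, groups the events by day, and counts the distinct stages and techniques. The line formats, the keyword rules, the 203.0.113.0/24 and 198.51.100.0/24 addresses and every sample line are constructed for illustration (10.0.0.15 is the spoofed workstation the report names); a production SOC would key on IDS signature IDs and firewall application names instead.

```python
"""Correlate switch, IDS and NGFW events into a per-day kill-chain timeline.

Added example; not from the report. All log lines, formats and rules below
are constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed "timestamp source key=value ..." shape shared by the three sources.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>switch|ids|ngfw) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Keyword -> (kill-chain stage, technique). First match wins. Constructed
# rules; a real SOC keys on signature IDs and firewall app names.
STAGE_RULES = [
    (r"port scan|network scan", "Reconnaissance", "Network scanning"),
    (r"header injection", "Exploitation", "Apache header injection"),
    (r"%00", "Exploitation", "Null-byte directory traversal"),
    (r"spoof", "Command and Control", "IP/ARP spoofing (MITM)"),
    (r"azure", "Action on the Objective", "Cloud (Azure) data exfiltration"),
]

# Constructed sample lines, one format per source:
#   switch: flow record (no verdict, corroborating evidence only)
#   ids:    signature alert
#   ngfw:   application-aware verdict with the requested URI
SAMPLE_LOGS = """\
2017-12-12T09:14:02 ids alert sig="Apache header injection" src=203.0.113.7 dst=10.0.0.5
2017-12-12T09:14:03 ngfw app=http action=allow src=203.0.113.7 dst=10.0.0.5 uri="/index.php%00../etc/passwd"
2017-12-13T11:02:45 switch flow src=10.0.0.15 dst=10.0.0.5 bytes=48213
2017-12-13T11:02:46 ids alert sig="ARP spoofing detected" src=10.0.0.15 dst=10.0.0.5
2017-12-14T16:40:10 ngfw app=azure-blob action=allow src=10.0.0.5 dst=198.51.100.20 uri="/container/dump.bin"
2017-12-17T08:00:01 ids alert sig="Port scan" src=203.0.113.7 dst=10.0.0.0/24
"""


def parse_line(line):
    """Split one line into timestamp, source and key=value fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {**fields, "ts": m.group("ts"), "date": m.group("ts")[:10],
            "source": m.group("source"), "raw": line.strip()}


def classify(event):
    """Return (stage, technique) for an event, or (None, None) for context-only records."""
    text = event["raw"].lower()
    for pattern, stage, technique in STAGE_RULES:
        if re.search(pattern, text):
            return stage, technique
    return None, None  # e.g. a bare switch flow that only corroborates an alert


def build_timeline(log_text):
    """Group classified events by calendar day, preserving file order within a day."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stage, technique = classify(ev)
        timeline[ev["date"]].append({"source": ev["source"], "stage": stage,
                                     "technique": technique,
                                     "src": ev.get("src"), "dst": ev.get("dst")})
    return dict(timeline)


def count_ttps(log_text):
    """Number of distinct kill-chain stages and techniques evidenced in the logs."""
    stages, techniques = set(), set()
    for events in build_timeline(log_text).values():
        for e in events:
            if e["stage"]:
                stages.add(e["stage"])
                techniques.add(e["technique"])
    return len(stages), len(techniques)


if __name__ == "__main__":
    for date, events in sorted(build_timeline(SAMPLE_LOGS).items()):
        for e in events:
            label = f'{e["stage"]}: {e["technique"]}' if e["stage"] else "context only"
            print(f'{date} [{e["source"]:6}] {e["src"]} -> {e["dst"]}  {label}')
    print("stages, techniques:", count_ttps(SAMPLE_LOGS))
```

The switch flow on Dec 13th is kept in the timeline with no stage so that it still corroborates the IDS spoofing alert one second later; only events with a stage count toward the TTP totals.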

3 of 6

Timeline of Breach: December 2017

First Chain

  • Dec 12th: Exploitation & Installation (Initial Entry)
  • Dec 13th: Command and Control (MITM Attack)
  • Dec 14th: Action on the Objective (Malware Installation, Azure Data Exfiltration)

(3 days: Dec 14th through Dec 17th)

Second Chain

  • Dec 17th: Reconnaissance & Exploitation (Network Scanning, Known Vulnerabilities)
  • Dec 19th: Installation & Command and Control (Remote Access Trojan)
  • Dec 26th: Action on the Objective (ACME Data Exfiltration)

(7 days: Dec 19th through Dec 26th)

4 of 6

Cyber Kill Chain Analysis

5 of 6

Recent Breach: First Chain of Events

  • Limited Information on First 3 Stages
  • Stage 4: Exploitation
    • Remote shellcode that initiated an Apache header injection (Initial Access)
    • Spoofing of workstation 10.0.0.15 (Exploitation)
    • Cross-site scripting (Exploitation)
    • NULL-byte injection allowing directory traversal (Lateral Movement)
    • Buffer overflow (Exploitation)
    • Exfiltration of critical Linux system data (Credentials)
    • PHP exploitation and SQL injection (Exploitation)
  • Stage 5: Installation
    • Malware Installation
    • Brute Force
      • Masquerading as updates
    • HTTP proxy (Man-in-the-Middle)
  • Stage 6: Command & Control
    • Network Monitoring (Man-in-the-Middle)
    • Backdoor believed to have been created
  • Stage 7: Action on the Objective
    • Azure data exfiltrated

6 of 6

Recent Breach: Second Chain of Events

  • Threat Actor Returns (Dec 17th)
  • Stage 1a: Reconnaissance
    • Network scanning (Reconnaissance)
    • Detected vulnerable machines
  • Stage 4a: Exploitation
    • Used previously discovered exploits:
      • Cross-site scripting, PHP exploitation, SQL injection, buffer overflow
  • Stage 5a: Installation
    • Used access to workstation & spoofed IP address
      • Spread malware
  • Stage 7a: Action on the Objective (Dec 26th)
    • Some of the same successful tactics as the initial breach:
      • Buffer overflow, directory traversal
    • Locally stored ACME data (Data Exfiltration)
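Slides 5 and 6 list the web-exploitation indicators of the first chain and note that the second chain reused several of them. The script below is an added example, not the Martian SOC Team's analysis code: it inspects Apache-style access-log lines for the five indicators named on slide 5 (null-byte directory traversal, cross-site scripting, SQL injection, header injection and a buffer-overflow heuristic), percent-decodes each request path before matching so that encoded and double-encoded payloads are not missed, and reports which techniques recur in the second chain. Every log line, the signature patterns, the MAX_PATH_LEN threshold and the 203.0.113.7 address are constructed for this illustration; 10.0.0.15 is the spoofed workstation named on slide 5.

```python
"""Detect the first-chain web-exploitation indicators in access-log lines and
report which recur in the second chain.

Added example; not from the report. Log lines, patterns and thresholds are
constructed for illustration.
"""
import re
from urllib.parse import unquote

# Apache common-log prefix: ip ident user [ts] "METHOD path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Technique label -> pattern applied to the *decoded* request path.
# Constructed signatures; tune them to the application's real URL space.
SIGNATURES = [
    ("Null-byte directory traversal", re.compile(r"\x00|\.\./")),
    ("Cross-site scripting", re.compile(r"<script|onerror\s*=|javascript:", re.I)),
    ("SQL injection", re.compile(r"'\s*(or|and)\s+\d+=\d+|union\s+select", re.I)),
    ("Header injection", re.compile(r"[\r\n]")),              # CRLF smuggled into the path
    ("Possible buffer overflow", re.compile(r"(.)\1{99,}")),   # long run of one byte
]
MAX_PATH_LEN = 1024  # constructed threshold for the length-based overflow check


def decode(path, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded payloads
    (%252e -> %2e -> .) are caught; stop early once nothing changes."""
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path


def inspect_line(line):
    """Parse one access-log line and list its indicators; None if unparsable."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    decoded = decode(m.group("path"))
    findings = [name for name, pat in SIGNATURES if pat.search(decoded)]
    if len(decoded) > MAX_PATH_LEN and "Possible buffer overflow" not in findings:
        findings.append("Possible buffer overflow")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": decoded, "findings": findings}


def scan(log_text):
    """Return only the parsed events that carry at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        ev = inspect_line(line)
        if ev and ev["findings"]:
            hits.append(ev)
    return hits


def techniques_reused(first_log, second_log):
    """Techniques observed in both chains."""
    def seen(text):
        return {t for ev in scan(text) for t in ev["findings"]}
    return seen(first_log) & seen(second_log)


# Constructed first-chain lines (Dec 12th), one per indicator, plus one benign request.
FIRST_CHAIN_LOG = "\n".join([
    '203.0.113.7 - - [12/Dec/2017:09:14:03 +0000] "GET /download.php?file=..%2F..%2Fetc%2Fpasswd%00.png HTTP/1.1" 200 1882',
    '203.0.113.7 - - [12/Dec/2017:09:20:41 +0000] "GET /search.php?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F203.0.113.7%2F%27%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Dec/2017:09:31:05 +0000] "GET /login.php?user=admin%27%20OR%201%3D1--&pass=x HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Dec/2017:09:45:19 +0000] "GET /redirect.php?url=%2Fhome%0D%0ASet-Cookie%3A%20session%3Dattacker HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Dec/2017:09:58:00 +0000] "GET /cgi-bin/status?id=' + "A" * 300 + ' HTTP/1.1" 500 0',
    '10.0.0.15 - - [13/Dec/2017:11:05:22 +0000] "GET /index.php HTTP/1.1" 200 4096',
])

# Constructed second-chain lines: the actor returns and reuses SQL injection,
# traversal (now double-encoded) and the overflow, partly from the spoofed workstation.
SECOND_CHAIN_LOG = "\n".join([
    '203.0.113.7 - - [17/Dec/2017:08:12:30 +0000] "GET /login.php?user=admin%27%20OR%201%3D1--&pass=x HTTP/1.1" 302 0',
    '10.0.0.15 - - [26/Dec/2017:14:02:11 +0000] "GET /download.php?file=%252e%252e%2F%252e%252e%2Fetc%2Fshadow%00 HTTP/1.1" 200 1420',
    '10.0.0.15 - - [26/Dec/2017:14:09:57 +0000] "GET /cgi-bin/status?id=' + "B" * 300 + ' HTTP/1.1" 500 0',
])

if __name__ == "__main__":
    for ev in scan(FIRST_CHAIN_LOG) + scan(SECOND_CHAIN_LOG):
        print(ev["ts"], ev["ip"], ", ".join(ev["findings"]))
    print("reused in second chain:", sorted(techniques_reused(FIRST_CHAIN_LOG, SECOND_CHAIN_LOG)))
```

Matching on the decoded path is the important design choice: the raw line for the Dec 26th traversal contains neither `../` nor a literal null byte, and a single decode still leaves `%2e%2e/`, so only the second decoding round exposes the payload the signature is written for.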