Conference Response Incident Investigation CoRIIN 2019 in Lille

Date: January 07, 2019

Publication: Article

The 4th edition of the CoRI&IN 2019 conference took place in Lille (a city in the north of France) on January 21, 2019. It was held one day before the FIC 2019 (Forum International of Cybersecurity) and was organized by the “Expert Center against French CyberCriminality (CECyF)”.

This conference was dedicated to incident response and forensics techniques. It gathered experts from the incident response community, CERTs, specialized investigators, legal experts, lawyers and IT security researchers.

During this day we were able to attend 9 forensics-oriented presentations. The presentation materials are available except for one (presentation #2 below) which remains confidential.

Below is a quick summary of each presentation in the order of the conference agenda.

 

[State of the Art] The rising of destructive malwares
Thomas Roccia, McAfee Security researcher, @fr0gger_
TLP: [WHITE]

This talk presented destructive malware, which is able to destroy data or even whole systems. In recent years many campaigns have used this kind of malware:
MIRAI (2016), TRITON (2017), NotPetya (2018), VPNFilter (2018), Shamoon v3 (2018)…
Destructive malware can be categorized as:

  1. Wiping (deletion or overwriting of data), such as VFEmail,
  2. Encryption (to prevent any data recovery), such as NotPetya,
  3. Anti-forensics (deletion of event logs and backups),
  4. Physical impact (sabotage, physical destruction of the system), such as Shamoon,
  5. DDoS (making a service unavailable), such as Mirai.

This malware must spread to as many systems as possible and consequently uses the latest exploits. The attackers' motivations can be financial, ideological, hacktivism…

To be fully prepared for these destructive malware campaigns, it is recommended:

  • to improve the segmentation of the company's network (by identifying the network nodes that will be used to spread these attacks),
  • to handle patch management using prioritized methods,
  • to perform regular backups and, finally, to prepare an incident response plan.

 

[Threat Intelligence] Goblin Panda: China in Southeast Asia
Sébastien Larinier, Security researcher and CEO of Franco-Misp, @sebdraven
TLP: [AMBER]

No report on this presentation, following the speaker's request.

Additional links to Sébastien's blog (about investigations related to the "Goblin Panda" group):

 

[Forensics] AmCache Investigations
Blanche Lagny, ANSSI Security researcher, @moustik01
TLP: [WHITE]

AmCache is a Windows-specific database that logs metadata (file name, execution path and executable hash) about executed binaries and installed programs on a system. The presentation highlighted the benefits of AmCache in forensic investigations through scenarios on different operating systems: Windows 7, 8 and 10. These scenarios showed that AmCache stores different types of data depending on the Windows version. AmCache is of interest in a forensic analysis where a malicious file has infected a system but the executable is no longer present on the machine: in this case, AmCache makes it possible to retrieve metadata related to the malware. However, it should be noted that different methods can be used to bypass AmCache logging, allowing an attacker to run malware without leaving any traces, even in AmCache.

Link: https://www.ssi.gouv.fr/en/publication/amcache-analysis/

 

[Feedbacks] Memcached or when your backbone is driving crazy
Sébastien Mériot, Head of CSIRT at OVH, @smeriot
TLP: [WHITE]

This presentation gave feedback on a 1.35Tb/s distributed denial-of-service attack against OVH, which was successfully contained thanks to an early investigation by the OVH teams and the implementation of several security measures. This DDoS attack combined "amplification" (i.e. a small request triggers a much larger response from the server) and "reflection" (i.e. the attacker sends requests while impersonating the victim, so the responses are sent to the victim without any interaction on the victim's part) techniques. Here, the DDoS attack used insecure Memcached services listening on port 11211, which amplified the attack by a factor of 5000 (for a quick comparison, the amplification factor is 6 for SNMP, 40 for DNS and 560 for NTP). To mitigate this attack, the OVH teams decided to restrict traffic on the UDP port concerned, and asked customers who had set up insecure Memcached servers to deploy the hotfixes released for the application, so that this listening port would no longer be open on the Internet.

Link: https://www.ovh.com/fr/blog/13-tbps-mitiges-vac-retour-memcached/
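The customer-side fix described above can be checked from a server's startup options. The following is an added example, not code from the presentation or from OVH: it audits memcached options (`-p`, `-U`, `-l` and their long forms) for an Internet-reachable UDP listener. The sample configs are constructed, and treating a missing `-U` as "UDP on" is an assumption modelling servers that have not received the hotfix.

```python
import ipaddress
import shlex

# Constructed samples in a one-option-per-line memcached.conf layout.
EXPOSED_CONF = "# default-style config\n-m 64\n-p 11211\n-u memcache\n"
HARDENED_CONF = "-m 64\n-p 11211\n-U 0          # UDP listener off\n-l 127.0.0.1\n"

LONG_TO_SHORT = {"--port": "-p", "--udp-port": "-U", "--listen": "-l"}

def parse_options(text):
    """Return {short_flag: value} for the options present in the config text."""
    opts = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        flag, _, value = tokens[0].partition("=")  # handles --flag=value
        if not value and len(tokens) > 1:
            value = tokens[1]
        opts[LONG_TO_SHORT.get(flag, flag)] = value
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable (hostname, host:port): treat as reachable

def udp_exposure(text, udp_default_on=True):
    """Classify the UDP listener. udp_default_on models builds that open UDP
    on the TCP port when -U is absent (assumption: pre-hotfix behaviour)."""
    opts = parse_options(text)
    tcp_port = int(opts.get("-p") or 11211)
    if "-U" in opts:
        udp_port = int(opts["-U"])
    else:
        udp_port = tcp_port if udp_default_on else 0
    if udp_port == 0:
        return "ok: UDP disabled"
    addrs = [a.strip() for a in opts.get("-l", "").split(",") if a.strip()]
    if addrs and all(is_loopback(a) for a in addrs):
        return "ok: UDP bound to loopback only"
    where = ", ".join(addrs) or "all interfaces"
    return f"exposed: UDP {udp_port} reachable on {where}"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", udp_exposure(conf))
```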

 

[State of the Art] Electromagnetic and forensic attacks
José Lopes Esteves, ANSSI Security researcher, @lopessecurity
TLP: [WHITE]

This presentation covered a new type of attack that could be seen in the near future and that relies on electromagnetic radiation. The aim is to identify these types of harmful electromagnetic waves in order to potentially reproduce these aggressions, whose purpose is to destroy components. These electromagnetic attacks may be used to destroy components, degrade radio-frequency links (interference) and lure sensors. However, detecting electromagnetic aggression is expensive: both for detecting the attacker (spectrum monitoring, supervision of large frequency bands, detection of attacks whose consequences are unknown) and for detection on the targeted system (deployment of a supervision agent, a monitoring system which can itself be attacked). An application example was presented: how to detect electromagnetic attacks against a drone? Drone logs are verbose and already provide indications of whether or not the drone has been attacked by some radiation. But the study found that it would be useful to add "watermarks" to the logs, i.e. to insert "timestamp" markers in the drone's logs when it passes through a specific geographical zone. This watermark then gives an indication of the location where the electromagnetic aggression occurred.

 

[Feedbacks] AWS EC2 Forensics 101
Frédéric Baguelin, CERT Societe Generale, @udgover
TLP: [WHITE]

Feedback on a forensic investigation involving data stored in the Amazon cloud (AWS EC2). The presentation did not focus on the forensic investigation itself, but rather on collecting the data from the cloud to local machines. The data here amounted to nearly 6.6TB. The steps carried out were the following:

  1. List all instances from which data had to be collected.

  2. Perform data acquisition. The difficulties encountered were initially related to the "availability zones" in which the Amazon servers were located (for example, if a server was located in Asia and could only be accessed by people in the same geographical zone, the data was first duplicated to another AWS EC2 server and then dumped).

  3. For each server, it was then necessary to take a snapshot into a new Amazon S3 server (200GB ~10min copy), to grant the correct access rights and, if the data was encrypted, to also grant access rights to the key and make the decryption request.

  4. Lastly, an instance for data acquisition (EWFAcquire tools on an Ubuntu machine) was deployed so that the data could be retrieved and then transferred to the local machines within the company.


The lessons to be learned from this feedback on data stored in the cloud are:

  • nowadays, there are no simple tools available to dump hard disks from cloud systems (or at least none publicly available from Amazon),
  • performing a data dump from a cloud to local machines is not free of charge, because the I/O flow has a price. Here, retrieving 6.6TB of data cost approximately 500€. Another solution would have been to perform the forensics directly in the Amazon cloud by deploying a server for acquisition and analysis, but this would not have been free of charge either, and it was not compliant with the customer's initial requirement (recovering the data locally).

 

[Forensics] The story of Greendale
Thomas Chopitea, DFIR Google Security engineer, @tomchop_
TLP: [WHITE]

This talk presented a fictional scenario in which a university falls victim to a phishing attack that has potentially infected students within the university. The scenario is an opportunity to introduce various open-source tools developed by Google to perform forensic analysis.

  • The first tool is "GRR", a forensics agent deployed remotely, which allows data (files or artefacts) to be collected from targeted machines,
  • Plaso (formerly Log2time), used to recursively parse an entire file system to produce a timeline,
  • Timesketch (which can be seen as a "grep" frontend), to visualize the incident timeline,
  • DfTimewolf, which is the tool that links GRR/Plaso/Timesketch together,
  • The last tool introduced is Turbinia, which allows you to deploy, manage and execute forensic analysis tools in the cloud.

Link: https://www.youtube.com/watch?v=xVQ_OEqX1TY

 

[Forensics] Digital investigations on Active Directory using replication metadata
Léonard Savina, ANSSI Security researcher, @ldap389
TLP: [WHITE]

Presentation of the ADTimeline tool developed by ANSSI, which supports forensic analysis based on the information contained in the AD replication metadata. This metadata contains information such as a name, date of last modification, version... The tool lets you select a directory to consider, generates its timeline by sorting the metadata in chronological order, and produces an output file in .csv format. The tool can be used in either "online" or "offline" mode.

Link: https://www.ssi.gouv.fr/publication/investigation-numerique-sur-lannuaire-active-directory-avec-les-metadonnees-de-replication-outil-adtimeline/
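To show the idea of a timeline built from replication metadata, here is an added example that is not ADTimeline's code or output format: it parses `msDS-ReplAttributeMetaData` values (the XML fragments Active Directory returns per attribute), sorts them by last originating change and emits CSV. The sample objects, the `frag` helper and the CSV column names are constructed for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime

FIELDS = ["time", "object", "attribute", "version", "originating_dsa"]

def frag(attr, version, when, dsa="CN=NTDS Settings,CN=DC01"):
    """Build one constructed msDS-ReplAttributeMetaData value (XML fragment)."""
    return ("<DS_REPL_ATTR_META_DATA>"
            f"<pszAttributeName>{attr}</pszAttributeName>"
            f"<dwVersion>{version}</dwVersion>"
            f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
            f"<pszLastOriginatingDsaDN>{dsa}</pszLastOriginatingDsaDN>"
            "</DS_REPL_ATTR_META_DATA>")

# Constructed sample: object DN -> metadata values as an LDAP query returns them.
SAMPLE = {
    "CN=svc-backup,DC=example,DC=test": [
        frag("userAccountControl", 2, "2018-11-30T08:00:00Z"),
        frag("servicePrincipalName", 3, "2019-01-12T03:14:07Z")],
    "CN=AdminSDHolder,CN=System,DC=example,DC=test": [
        frag("nTSecurityDescriptor", 4, "2019-01-12T03:20:45Z"),
        "<DS_REPL_ATTR_META_DATA><pszAttributeName>truncated"],  # malformed value
    "CN=alice,DC=example,DC=test": [frag("adminCount", 1, "2019-01-12T03:16:30Z")],
}

def build_timeline(objects):
    """Flatten per-object metadata into rows sorted by last originating change."""
    rows = []
    for dn, values in objects.items():
        for value in values:
            try:
                node = ET.fromstring(value.rstrip("\x00"))
                when = datetime.strptime(
                    node.findtext("ftimeLastOriginatingChange"), "%Y-%m-%dT%H:%M:%SZ")
                row = {"time": when.isoformat() + "Z", "object": dn,
                       "attribute": node.findtext("pszAttributeName"),
                       "version": int(node.findtext("dwVersion")),
                       "originating_dsa": node.findtext("pszLastOriginatingDsaDN")}
            except (ET.ParseError, TypeError, ValueError):
                continue  # skip values that cannot be parsed or dated
            rows.append(row)
    return sorted(rows, key=lambda r: r["time"])

def to_csv(rows):
    """Render the timeline as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

In the constructed sample, three changes on different objects cluster within a few minutes on 2019-01-12, which is the kind of grouping a chronological sort makes visible.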

 

[Feedbacks] iOS investigation feedbacks
Paul Rascagnères, Security researcher at Cisco Talos, @r00tbsd
TLP: [WHITE]

This last presentation summarized the different challenges faced by analysts during forensic investigations on an iOS system. iOS is a very secure Unix system, made up of different layers without any direct access to the root filesystem. Everything is sandboxed, so that applications cannot read content from other applications, and the root of an iOS system is read-only. During this presentation, we learnt that it is, in most cases, necessary to have jailbroken an iOS system before being able to perform a memory dump of the system and therefore to start an investigation. However, there is an alternative called "Frida" which allows an analysis on a non-jailbroken system. But this can be done only if the application has been previously installed on the iOS system concerned (which is not necessarily the case). If the iOS version is recent and therefore does not allow a jailbreak, the system is then "frozen" and the investigation is postponed until a new jailbreak is released for this specific version. The main tools used to investigate an iOS system are "IDA Pro" or "Hopper" for code analysis, and "Burp" for network analysis.