Attacks
Chronology of a Ransomware Attack
This chronology is a fictional characterization of an actual ransomware attack on some unsuspecting IT administrators with names and programs that have been changed to protect the innocent (or the unlucky).
Monday, December 7, 2020 – 18:35 (IT Crew)
Dave, Jack, Cathy and Rashid all work in the IT Department of a large Law Firm and are required to stay late daily, after all of the firm’s employees have left for the day, to administer systems and perform the daily backups of computer systems when they are not in use. This after-hours, unsupervised work period gives the IT crew the opportunity to play action/shooter, multi-player games over the company Local Area Network (LAN) while they wait for menial IT tasks to complete for the day. Their game of choice today is called “Solar Commando,” and they all downloaded the same “cracked” version of the game using BitTorrent and have been “fragging” each other over the network for the last hour.
Are you a Security PreSales Ninja?
Security Ninja Quiz
Quiz-summary
0 of 18 questions completed
Questions:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
Information
Take this quiz and determine if you are a Security PreSales Ninja.
NOTE: this quiz has a 20 minute time limit to complete.
Enter your full name and email address in the results table to save to the leaderboard!
|
You must specify a text. |
|
|
You must specify an email address. |
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading...
You must sign in or sign up to start the quiz.
You have to finish following quiz, to start this quiz:
Results
0 of 18 questions answered correctly
Your time:
Time has elapsed
You have reached 0 of 0 points, (0)
| Average score |
|
| Your score |
|
Categories
- Not categorized 0%
- AAA Security 0%
- Attack Vectors 0%
- Data Protection 0%
- Network Security 0%
- Sales Engineering 0%
- Security Management 0%
- System Admin 0%
-
“” you have graduated and we consider you a Security PreSales Ninja – great work!
| Pos. | Name | Entered on | Points | Result |
|---|---|---|---|---|
| Table is loading | ||||
| No data available | ||||
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- Answered
- Review
-
Question 1 of 18
1. Question
What’s the major difference between Symmetric and Asymmetric encryption?
Correct
Awesome! You know the basics!
Incorrect
Sorry, you are not even close…
-
Question 2 of 18
2. Question
If you are alerted by a DMZ IDS that an IIS buffer overflow attack was targeting your Apache web server, what should you do?
Correct
Awesome! You know the basics!
Incorrect
Sorry, you are not even close…
-
Question 3 of 18
3. Question
You have an older server with a password-protected BIOS configuration. What are two ways you can get past this problem without knowing the BIOS password? Choose the best two answers…
Correct
Awesome! You know the basics!
Incorrect
Sorry, you are not even close…
-
Question 4 of 18
4. Question
What shell command should you use on Linux to perform “root” privilege functions without knowing the “root” password?
Correct
Awesome! You know the basics of Linux security!
Incorrect
Sorry, you are not even close…
-
Question 5 of 18
5. Question
What is the key difference between a Network Intrusion Prevention System (NIPS) vs Network Intrusion Detection System (NIDS)?
Correct
Awesome! You know the difference between IDS and IPS!
Incorrect
Sorry, you are not even close…
-
Question 6 of 18
6. Question
Select the most effective method you would use to secure a WiFi network?
Correct
Awesome! You know the WiFi security basics!
Incorrect
Sorry, you are not even close…
-
Question 7 of 18
7. Question
Select the best answer that describes a “false-negative” as it relates to information security.
Correct
Awesome! You know the basics!
Incorrect
Sorry, you are not even close…
-
Question 8 of 18
8. Question
If one attacker is trying to connect to a server with an excessive number of TCP packets, from a spoofed IP address, what is this attack commonly called?
Correct
Awesome! You know the basics of SYN flooding!
Incorrect
Sorry, you are not even close…
-
Question 9 of 18
9. Question
Match the SIEM product to the appropriate vendors below. Select the tile from the top and drag to the blank space next to each vendor:
Sort elements
- Qradar SIEM - was originally known as Q1 Labs before their acquisition.
- Enterprise Security Manager (ESM) - was originally known as NitroSecurity before their acquisition.
- ArcSight ESM - was founded in 2000 and acquired by this large company in 2010
- Security Analytics - was originally referred to as EnVision before they acquired NetWitness in 2011
-
IBM Security
-
McAfee
-
HP Enterprise Security Products
-
EMC / RSA
Correct
Awesome! You know the basic SIEM competitors!
Incorrect
Sorry, you are not even close…
-
Question 10 of 18
10. Question
The acronym “SIEM” translates to which of the following?
Correct
Awesome! Security Information & Event Management is correct!
Incorrect
Sorry, Security Information & Event Management was the correct answer.
-
Question 11 of 18
11. Question
What would you use to authenticate a Linux workstation on an Active Directory domain?
Correct
Awesome! You know the basics!
Incorrect
Sorry, SMB client or Samba was the correct answer.
-
Question 12 of 18
12. Question
An anonymous person calls your telephone and says they are from your credit card company and asks you to tell them your credit card number and expiry as a verification that they are speaking to the right person. What method of attack are they attempting?
Correct
Awesome! You know social engineering basics!
Incorrect
Sorry, you are not even close…
-
Question 13 of 18
13. Question
Scenario: your company top executive (CEO) alerts you that they have received an official looking email from the local law enforcement agency regarding a court subpoena directed at their full legal name and the email instructs them to click on a link and install special software to view the encrypted subpoena. Is this an attempted attack and, if so, what method of attack is this referred to?
Correct
Awesome! You know phishing basics!
Incorrect
Sorry, but you are close…
-
Question 14 of 18
14. Question
Scenario: An employee at a financial services company has been suspected of fraud by law enforcement and you have been consulted to perform the Forensic extraction of data from the user’s PC. Arrange the following tiles in the correct order based on each item’s volatility. List the items from most volatile (top) to least volatile (bottom).
-
Data in RAM / CPU cache, including recently used data, applications, system and network processes.
-
Swap files (aka paging files) stored on local disk drives
-
User and application data stored on local disk drives
-
Logs and personal files stored on remote systems
-
Archive media containing user backups
Correct
Awesome! You have a handle on forensic basics.
Incorrect
Sorry, you didn’t arrange the list correctly.
-
-
Question 15 of 18
15. Question
As a pre-sales engineer, the process of mastering your own solution before giving an effective product demonstration is referred to as the “Demo Pyramid”. During your “ramp-up” this process forms a series of layered stages, with each stage building upon the previous level. Sort the tiles below into the pyramid, in the order of beginner to mastery (lowest at the bottom, highest at the top):
-
Solution
-
Construction
-
Functional Explanation
-
Feature Explanation
-
Memorization & Recital
Correct
Well done! You show great skill in pre-sales…
Incorrect
Sorry, that’s not correct. You should read “Making the Technical Sale”…
-
-
Question 16 of 18
16. Question
Since Sales Engineers work closely with Sales Reps on a daily basis there is some basic sales terminology they must understand. Use the matrix below to sort the list of tiles and place them next the matching terms listed in the first column.
Sort elements
- This refers to the most popular tool that sales reps use to create opportunities, forecast closing dates and used for many other customer relationship management tasks.
- A method of calculating over achievement to increase the rate of pay for reps who exceed revenue targets.
- Usually a short term bonus (anywhere from one week out to a full quarter) designed to motivate sales reps with immediate payout.
- A tool usually developed by marketing that's used by the sales team to understand competition and helps qualify opportunities they are pursuing.
- A set amount of selling that a salesperson is expected to meet over a given time frame.
-
SFDC
-
Accelerators
-
SPIF(F)
-
SWOT
-
Quota
Correct
Excellent! You are proficient in sales terminology…
Incorrect
Sorry, you need to brush up on your sales terminology…
-
Question 17 of 18
17. Question
Within a large sales organization different teams provide valuable resources to complete the sale. Use the list of tiles below to best match the responsibilities of the various team members.
Sort elements
- Responsible for developing an account plan to try to secure a prospect as a customer, focus is on the financial and legal terms of the contract closing and manage the ongoing relationship with the customer.
- Provide technical overview of product architecture, functionality, data requirements, and integration with other enterprise applications.
- Often translate business objectives set for a product by Marketing or Sales into engineering requirements.
- Attempt to help the customer solve specific problems with a product after they have purchased through email or over the telephone.
- Top source of lead generation for the sales team and often performs their role remotely through virtual presentations and cold-calling prospective customers.
-
Regional Sales Representative
-
Pre-Sales Engineer
-
Product Management
-
Product Technical Support
-
Inside Sales Representative
Correct
Excellent! You show true proficiency in a sales organization.
Incorrect
Sorry, you need to better understand roles and responsibilities within a sales team.
-
Question 18 of 18
18. Question
Scenario: you are the lead Sales Engineer assisting three sales reps in a 3:1 ratio. All of the reps come to you at the same time with what they consider to be top priority tasks listed below. Read the task requests from each of the reps in this question and then choose which possible options you would use to assist the reps from the multiple choices below (HINT: more than one answer):
- REP #1: needs you to respond to an RFP with a closing date of one week away for a $20,000 opportunity set to close in the next quarter
- REP #2: needs you to create a custom demo for a prospect to be delivered in one week for a $15,000 opportunity set to close in the current quarter
- REP #3: needs you to go onsite and provide a one week Proof of Concept (POC) for a new prospect with no budget and no closing date
Correct
Wow! You have a strong time management and sense of sales priorities…
Incorrect
Sorry, that was not the answer we were looking for…
SCAM: Call from Computer Maintenance Department
This scam sucks and they seem to be getting out of control. Two years ago my Mom got scammed out of $300 on her credit card and we had to reimage her laptop after she had gotten a call from “Windows Tech Support” and, before checking with her son, the security guy, went ahead and let them remote to her laptop and enter her credit card information under the guise of helping rid her viruses. She got her money back from VISA and we reported to RCMP.
I get the calls often in the evenings and always someone with an Anglo-Saxon name with an obvious South Asian accent. I recently got a call from 1-989-686-3652 (reverse lookup shows Michigan, US) and here’s the dialog:
Aggressive South Asian Accent: “Sir, this is Mark from computer maintenance department and the computer is making errors and problems on the Internet!”
Me: “Oh, really. The computer?”
Aggressive South Asian Accent: “Do you have have a computer connected to the Internet?”
Me: “Yes, many. Which one is it?”
Aggressive South Asian Accent: “Many? How many PCs do you have?”
Me: “Sorry, I can’t tell you that. Tell me which one is causing the problem.”
Aggressive South Asian Accent: “Your PC is making big problems for us and you will get in trouble.”
Me: “Wow, we don’t want that to happen – which IP address or hostname are you referring to?”
Aggressive South Asian Accent: “Yes, that’s right so I can help you.”
Me: “Sir, you missed my question. Which IP address or hostname is causing you the problem?”
Aggressive South Asian Accent: “You know all your PC address on the Internet?”
Me: “Yes, I have an internal network connected through a range of NAT addresses on the Internet, I would know if the address is mine.”
Aggressive South Asian Accent: <CLICK> hung up…
Microsoft, RCMP, FBI and many other agencies are aware of the scam and have education and warnings that indicate “just hang up the phone” and I wouldn’t engage in baiting the perpetrator (the way I did) as these callers can get very aggressive and can go as far as death threats (as this British Columbia man found out here).
In Canada at least, you can report any suspicious calls to the Canadian Anti-Fraud Centre by calling 1-888-495-8501 or by going to antifraudcentre.ca. However, it seems the agencies are more focused on dealing with the millions of dollars that have be bilked from Canadians that fall victim to the scam.
Website Defacement – A Personal Account
My Website 12/12/12
It’s been a while since I had to put my SANS Incident Handling hat on or did root-cause analysis and Network Forensics on an actual attack this close to home. December 13th, 2011 marks the day that 144 websites mapped to the same IP address hosted by HostPapa were injected with a number of files that replaced their home pages with that of some script kiddy’s – website defacement on a large scale. Admittedly, netcerebral.com was one of the 144, as were two others, that I manage part-time.
Synopsis
The attacks appeared to originate from Kuwait (inconclusive) and when I traced the names of the attackers, their email addresses and the “Muslim Hackers” they were sending “GR33T5” to, it became evident that this was “bragging rights” under the shroud of “hactivism”. In fact, the hackers went as far as to list all 144 websites hacked at the same HostPapa IP address on www.zone-h.org, a pubic attribution of website defacements where hackers brag and place “mirrors” of the website defacements as proof of their misconduct.
The hackers jointly go by the alias of “7rb-team” and, according to zone-h.org, have successfully defaced 3,414 homepages since December 2nd, 2011 (and are currently still active with almost 100 defacements daily, in January 2012 alone).
Anatomy
Since HostPapa has not provided the access logs for the date of the attack (they had been requested but HostPapa doesn’t keep archives) we are left to assume the attack vector that was used to inject the PHP code into the websites. I have narrowed it down to either a SQL Injection or PHP URL Inclusion. The sites all had “wp__” ID tags on the WP core, no .htaccess files, out-dated WP PHP plugins and a number of other vulnerabilities, inherent to WP (themes are another possibility). I suspect the attackers used recon scanning to detect the open vulnerabilities on the site and then compromised the vulnerability to write files to the root of the virtual directory.
Once the PHP shell was injected, they connected remotely and ran the Syrian Shell which automated the creation of all “index.htm” files and downloaded all of the other artifacts that I found on the site.
Clean Up
The service provider detected the mass infection across the customer’s sites a day after the attacks and shut-down the sites. They opened a ticket and notified one of the billing contacts that the site had been shutdown and instructed us to backup the site so they could wipe it away and we could then manually restore the site. Fortunately, I had backups that I had done months prior to the attack but some of the newer posts were missing. The other issue is that, while I had backups of the site directories and MySQL for each, the attackers had injected files to the home root directory that needed to be cleaned up as well (directories such as /cgi-bin, /cpanel, etc were all infected).
I eventually decided to backup the entire site with all three domains, download and unzip them on my local PC, where I had Apache, PHP and MySQL running in a VM sandbox. I went through the painstaking task of removing 50+ occurrences of “index.htm” (the defacement page) and 5 instances of PHP shell kit code that had been injected in the root of the parent website. Next, I dropped all of the tables in two of the databases (the third site doesn’t use a DB) and restored from backup in MyPHPAdmin. Once the sites were functioning the way I wanted, I upgraded the WP core, updated all plugins and then installed WDS Security plugin, which found additional vulnerabilities, which I cleaned up on both sites.
The Evil Script
One other advantage of having the VM sandbox is that after I made a backup and export of the sanitized site, I reverted the VM snapshot back to when the site was infected and played around with the Syrian Shell (not recommended in a prod environment!) and could replicate what the attackers did once they had the PHP file uploaded to the site.
When you open up the code in an editor the first line of the code reads:
# syrian shell is a php evil script , please use it against Israel Only
Apparently the attackers didn’t read this line and showed no discrimination about who their targets were going to be.
The malicious script also comes with a GNU Public License disclaimer with more preamble about attacking Israel and then proceeds to allow the attacker to configure their own password for the shell.
The script then immediately starts to list privileged functions such as:
- Get Real IP Address
- Open Base Directory
- Base64 Encode/Decode
- Safe Mode (Read-Only)
- Search and Count a File Name (such as index.html)
- Suicide (aborts and deletes shell)
- CMD Shell (Win/Linux)
- Index Changer (supports multiple CMS tools)
- Get Passwords (reads /etc/passwd, domainalias and shadow files)
- System Info (runs netstat, arp, routes, ls, etc)
- MD5 Password Hashing
- Database Tools (Oracle, MS SQL, MySQL and PostGRES
Hardening
To be fully convinced that I was no longer at risk, I upgraded to the latest WP v3.3.1 on all sites, updated all plugins, disabled any that weren’t in use, created .htpasswd and .htaccess files and installed the IP Filter plugin to block a list of bad IP addresses and installed WDS Security on all sites (and corrected an y issues detected by WDS). I have since started to automate backups of the MySQL database and WP files so next time I get hacked, I can simply drop all the tables in the DB and restore from a backup.
I have definitely learned a valuable lesson in how vulnerable PHP/WP is and will stay on top of the site with updates, etc.
- Linux SecOps – Look Who’s Knocking July 19, 2021
- Calculating Peak EPS for Security Log Monitoring May 21, 2021
- Event Log Convergence = Business Intelligence April 18, 2021
- Chronology of a Ransomware Attack January 20, 2021
- SIEM Storage Calculator December 28, 2019
- AIO WP Security Firewall Log Hacks August 12, 2019
- Essential Firewall Rules for Internet Facing Firewalls July 23, 2019
- SIEM-as-a-Service: do the survey and let me know if you’re an early adopter… July 6, 2016
- Are you a Security PreSales Ninja? July 28, 2015
- SCAM: Call from Computer Maintenance Department July 22, 2015
- Mom’s Meals issues “Notice of Data Event”: What to know and what to do
- S3 Ep149: How many cryptographers does it take to change a light bulb?
- Using WinRAR? Be sure to patch against these code execution bugs…
- Smart light bulbs could give away your password secrets
- “Snakes in airplane mode” – what if your phone says it’s offline but isn’t?
- S3 Ep148: Remembering crypto heroes
- FBI warns about scams that lure you in as a mobile beta-tester
- “Grab hold and give it a wiggle” – ATM card skimming is still a thing
- Crimeware server used by NetWalker ransomware seized and shut down
- S3 Ep147: What if you type in your password during a meeting?