A Digital Recon Gone Wild - Part 1

A few weeks ago, while we were beginning the digital recon for a project, we ran into a security issue that sent us on a wild chase and into a full forensic analysis of the customer.

As usual we began with the classic OSINT run, followed by their digital posture assessment. We performed simple port scans on their IP ranges and identified possible systems of interest. Once we had a few systems to focus on, we went deeper into them and ran some of our custom vulnerability analysis tools.
We discovered a possible way in through their SFTP server. They were using a very outdated version of vsftpd, and E thought we could leverage this with an exploit.

After some searching we found an exploit for this particular version and set out to test it on our own servers. After E changed some of the code so that the exploit's payload opened a shell directly back to our listener, we ran the exploit on the server. A few minutes later, once the backdoor was installed and after a period of waiting (to avoid detection), we received the first shell back from the server. Based on the network information it was located in their DMZ. A standard practice.

Once we had the shell, we began the standard lateral movement. We also installed other remote-access backdoors for redundancy. It was during the discovery of another server (a web server that apparently provided file access to the internal network) that we noticed several non-standard ports open. We uploaded a small sniffer we had created for pentests and captured several Mb of traffic. After downloading the pcap file we analyzed it and, to our surprise, noticed unencrypted HTTP traffic with large chunks of data being funneled to a server outside the company.

We stopped the Red Team assessment and called the company's CISO. We informed him of the findings. We met an hour later to discuss the options and to help his CERT people. After some discussion we changed roles: we became the Blue Team, the defenders rather than the adversary. Several of us, including myself, are trained in computer and network forensics. So with the help of their network administrator and security people we began investigating what had happened. In the meantime, their team, together with some of our guys, began gathering information about the server that was receiving the extracted data. They were also trying to figure out exactly what was being extracted.

After analysing a copy of the malware, we found that it was monitoring the servers in the DMZ for Microsoft Office files, PDFs and other document formats. Any new document placed in one of the many directories the malware monitored would be uploaded to the server outside the company via a simple HTTP POST request.
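The exfiltration channel described above (plaintext HTTP POSTs carrying harvested Office and PDF files to an outside host) is the kind of thing a quick pass over reassembled requests can flag. This is an added example, not the team's sniffer or the malware from the engagement; the HttpTx record shape, the internal address ranges and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Magic bytes of the document formats the malware was harvesting from the DMZ.
DOC_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "ooxml (docx/xlsx/pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
}
# Address space treated as "inside"; adjust to the network under investigation (assumed here).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class HttpTx:
    """One reassembled HTTP request (hypothetical shape a pcap parser would hand us)."""
    src: str
    dst: str
    method: str
    body: bytes

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def document_kind(body: bytes):
    """Document type found in the first 4 KiB (covers a file wrapped in a multipart part), else None."""
    for magic, kind in DOC_MAGIC.items():
        if magic in body[:4096]:
            return kind
    return None

def flag_exfil(txs, min_bytes: int = 50_000):
    """Flag plaintext POSTs from inside to outside whose body carries a document of at least min_bytes."""
    alerts = []
    for tx in txs:
        if tx.method != "POST" or not is_internal(tx.src) or is_internal(tx.dst):
            continue
        kind = document_kind(tx.body)
        if kind and len(tx.body) >= min_bytes:  # size threshold drops ordinary form posts
            alerts.append((tx.src, tx.dst, kind, len(tx.body)))
    return alerts

# Constructed sample traffic (not from the real capture).
MULTIPART = (b'--xyz\r\nContent-Disposition: form-data; name="f"; filename="q.docx"\r\n'
             b"\r\nPK\x03\x04" + b"\0" * 70_000 + b"\r\n--xyz--\r\n")
SAMPLE_TXS = [
    HttpTx("10.1.2.3", "203.0.113.9", "POST", b"%PDF-1.4\n" + b"x" * 60_000),
    HttpTx("10.1.2.3", "203.0.113.9", "POST", MULTIPART),
    HttpTx("10.1.2.3", "203.0.113.9", "POST", b"user=a&pass=b"),               # small form post
    HttpTx("10.1.2.3", "10.1.2.50", "POST", b"%PDF-1.4\n" + b"x" * 60_000),    # internal file share
]
```

Running `flag_exfil(SAMPLE_TXS)` reports only the two outbound document uploads; the internal upload and the small form post are left alone.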

We kept the channel to the server open so the bad guys wouldn't notice that we had discovered them, but we fed the malware fake information.

In the meantime, E began preparing several weaponized Word and PDF documents: essentially documents that can exploit vulnerabilities in Adobe Reader and Microsoft Word. The hope was that we could send them those and get a shell back to the attackers, or at the very minimum more information about where they were coming from.

Then we fed them the files.

Stay tuned for part 2.