Knock Knock

Case Summary

Forela Dev experienced a security incident in which attackers successfully infiltrated their network through a series of deliberate and coordinated actions. The intrusion began with a port-scanning activity, allowing the attackers to identify open services within the network. After detecting an open FTP service on port 21, they used a password spraying technique to compromise a valid account.

Upon gaining access to the FTP service, the attackers discovered two files containing information about a critical service running on port 24456. By leveraging a port-knocking technique, they successfully accessed this service and extracted information that led to the identification of a vulnerability in Forela Dev’s GitHub repository. Exploiting this vulnerability, the attackers obtained credentials for the network’s SSH service.

Using the compromised SSH credentials, the attackers gained further access to Forela Dev’s network and deployed a malicious ZIP file, potentially jeopardizing the network's integrity and security.

Reconnaissance

On March 21, 2023, at 10:42:23, the security analyst detected port scanning activity originating from an external IP address (3.109.209.43) targeting the Forela Dev server (172.31.39.46). Evidence of this activity was captured with Wireshark and saved in a pcap file, which is presented in the image below:

Figure 1: Evidence for port scanning

The analysis indicates that the attackers identified five open ports on the Forela Dev network (21, 22, 3306, 6379, 8086). This activity can be detected with the following Wireshark display filter: ip.dst == 3.109.209.43 and tcp.flags.syn == 1 and tcp.flags.ack == 1. This filter identifies packets in which the target server (172.31.39.46) sent SYN-ACK to the malicious IP address (3.109.209.43); a SYN-ACK reply means the probed port was open.

Figure 2: Detecting open ports
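The same triage can be scripted over packet summaries exported from the capture. The following is an added example, not part of the original write-up or the case's pcap: the packet records are constructed in the code, the IP addresses and open ports are those named above, and the threshold and window values are assumptions. open_ports() applies the SYN-ACK condition of the Wireshark filter; scan_sources() goes a step further and flags any source that probes many distinct ports of one host in a short window, which is how the scan itself (rather than just its results) would be picked up.

```python
"""Port-scan triage over packet summaries (added example; the packet records are
constructed, not taken from the case's pcap)."""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    ts: float     # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


ATTACKER = "3.109.209.43"   # scanning host named in the report
TARGET = "172.31.39.46"     # Forela Dev server named in the report
OPEN_PORTS = {21, 22, 3306, 6379, 8086}   # the five ports the report says were open


def build_sample() -> list:
    """Constructed capture: the scanner probes ten ports in quick succession and the
    target answers SYN-ACK only on the open ones; one ordinary client connects later."""
    pkts, t = [], 0.0
    for port in [21, 22, 23, 25, 80, 443, 3306, 6379, 8080, 8086]:
        pkts.append(Pkt(t, ATTACKER, TARGET, 40000 + port, port, syn=True, ack=False))
        if port in OPEN_PORTS:
            pkts.append(Pkt(t + 0.001, TARGET, ATTACKER, port, 40000 + port, syn=True, ack=True))
        t += 0.01
    pkts.append(Pkt(30.0, "10.0.0.5", TARGET, 51000, 22, syn=True, ack=False))
    pkts.append(Pkt(30.001, TARGET, "10.0.0.5", 22, 51000, syn=True, ack=True))
    return pkts


def open_ports(pkts, target, scanner):
    """Ports on which `target` answered `scanner` with SYN-ACK. This is the same
    condition as the Wireshark filter
    ip.dst == <scanner> and tcp.flags.syn == 1 and tcp.flags.ack == 1."""
    return sorted({p.sport for p in pkts
                   if p.src == target and p.dst == scanner and p.syn and p.ack})


def scan_sources(pkts, threshold=8, window=1.0):
    """Sources that sent SYNs to at least `threshold` distinct ports of one host
    within `window` seconds; returns {src: distinct ports seen in that window}."""
    probes = defaultdict(list)            # (src, dst) -> [(ts, dport), ...]
    for p in pkts:
        if p.syn and not p.ack:
            probes[(p.src, p.dst)].append((p.ts, p.dport))
    flagged = {}
    for (src, _dst), hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {d for t, d in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(ports))
                break
    return flagged


if __name__ == "__main__":
    capture = build_sample()
    print("scanners:", scan_sources(capture))
    print("open ports:", open_ports(capture, TARGET, ATTACKER))
```

On a real capture the Pkt records would come from tshark field output (frame time, IP addresses, ports, SYN/ACK flags); the logic does not change. A SYN-ACK-only view misses ports that are filtered, so the scanner list is the better alert and the open-port list the better scoping aid.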

Credential Access

Password Spraying

After identifying open ports on the Forela Dev network, the attacker executed a password spraying attack against the FTP service to gain initial access. Using the Wireshark display filter _ws.col.protocol == "FTP" and ip.src==3.109.209.43, the security analyst could identify the password spraying activity within the pcap file.

Figure 3: Detecting Password Spraying

Eventually, the attacker identified valid credentials for the FTP service (user: tony.shephard, password: Summer2023!). With this account, the attacker was able to access the FTP service within the network. This activity is shown in the picture below:

Figure 4: A Valid Account was found
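Spraying is easiest to separate from ordinary failed logins by pairing each USER/PASS with the server's reply and then looking at the shape of the attempts per client. The following is an added example and not part of the original write-up; the FTP control-channel lines are constructed to follow the RFC 959 reply codes (331, 530, 230), the account names other than tony.shephard are made up, and the thresholds in spray_alerts() are assumptions.

```python
"""FTP password-spray triage over control-channel lines (added example; the lines
are constructed to match the RFC 959 reply shapes, not copied from the case's pcap)."""
import re
from collections import defaultdict

ATTACKER = "3.109.209.43"   # attacking host named in the report
SERVER = "172.31.39.46"     # Forela Dev FTP server named in the report


def session(stream_id, user, password, success):
    """One FTP login exchange as (tcp stream id, sender IP, line) records."""
    verdict = "230 Login successful." if success else "530 Login incorrect."
    return [(stream_id, ATTACKER, f"USER {user}"),
            (stream_id, SERVER, "331 Please specify the password."),
            (stream_id, ATTACKER, f"PASS {password}"),
            (stream_id, SERVER, verdict)]


def build_sample():
    """Constructed capture: two passwords tried across four accounts (a spray),
    the last attempt hitting the account the report says was compromised."""
    lines, sid = [], 0
    for pw in ["Spring2023!", "Summer2023!"]:
        for user in ["alice.green", "bob.lee", "carol.wu", "tony.shephard"]:
            if pw == "Spring2023!" and user == "tony.shephard":
                continue
            lines += session(sid, user, pw, user == "tony.shephard" and pw == "Summer2023!")
            sid += 1
    return lines


def analyse_ftp(lines):
    """Pair each USER/PASS with the server's 3-digit reply on the same TCP stream
    and summarise per client: usernames tried, passwords tried, failures, successes."""
    pending = {}   # stream id -> [client, user, password] awaiting the server's verdict
    stats = defaultdict(lambda: {"users": set(), "passwords": set(),
                                 "failures": 0, "successes": []})
    for sid, src, line in lines:
        if line.startswith("USER "):
            pending[sid] = [src, line[5:], None]
        elif line.startswith("PASS ") and sid in pending:
            pending[sid][2] = line[5:]
        elif re.match(r"\d{3} ", line) and sid in pending and pending[sid][2] is not None:
            client, user, password = pending.pop(sid)
            s = stats[client]
            s["users"].add(user)
            s["passwords"].add(password)
            if line.startswith("230"):
                s["successes"].append((user, password))
            elif line.startswith("530"):
                s["failures"] += 1
    return stats


def spray_alerts(stats, min_users=3, max_passwords=5):
    """Spraying looks like many accounts, few passwords, mostly failures; a
    brute force against a single account would fail the min_users test instead."""
    return {c: s for c, s in stats.items()
            if len(s["users"]) >= min_users
            and len(s["passwords"]) <= max_passwords
            and s["failures"] >= min_users}


if __name__ == "__main__":
    summary = analyse_ftp(build_sample())
    for client, s in spray_alerts(summary).items():
        print(client, "tried", len(s["users"]), "accounts with", len(s["passwords"]),
              "passwords; failures:", s["failures"], "successes:", s["successes"])
```

The 230 reply that follows a run of 530s from the same client is the event worth escalating: it marks the point at which the spray turned into a valid account, which in this case is the tony.shephard login shown in Figure 4.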

Discovery

By analyzing the command history in the captured traffic of the FTP session associated with the username tony.shephard, the security analyst identified that the attacker downloaded two files: .backup and fetch.sh.

Figure 5: FTP stream flow

The contents of these two files are shown in the pictures below:

Figure 6: .backup file
Figure 7: fetch.sh

Figure 6 suggests that the .backup file contains configuration details for a port knocking mechanism. Specifically, this configuration restricts access to port 24456. To gain access to this port, a client must connect to ports 29999, 50234, and 45087 sequentially, in exactly that order. This port knocking sequence acts as a hidden "knock" that unlocks access to the restricted port.

Lateral Movement

With the information and the credential (abdullah.yasin:XhlhGame_90HJLDASxfd&hoooad) obtained from the .backup file, the attacker successfully connected to port 24456, which is another FTP service. This activity can be detected by examining the packet captures for a source that connects sequentially to ports 29999, 50234, and 45087 and then to port 24456, as shown in the images below.

Figure 8: Sequence ports for port knocking
Figure 9: Connection successful to port 24456
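Because the knock sequence is fixed and ordered, the same check the knock daemon performs can be run as a detection over the SYNs seen at the host: a source that hits 29999, 50234 and 45087 in order within a short window and then opens 24456 is the event to alert on. The following is an added example, not the write-up's own code; the knock ports and protected port are those from the .backup file described above, the connection records are constructed, and the 10-second window is an assumption.

```python
"""Port-knock sequence triage over connection attempts (added example; the
connection records are constructed, the sequence and ports come from the report)."""

KNOCK_SEQUENCE = [29999, 50234, 45087]   # from the .backup file
PROTECTED_PORT = 24456                   # the service the sequence unlocks


def detect_knocks(conns, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT, window=10.0):
    """conns: iterable of (ts, src, dport) for SYNs seen at the host.
    Returns (completed, accesses): completed maps a source to the time it finished
    the knock sequence in order within `window` seconds; accesses lists (src, ts)
    connections to the protected port made by a source that had completed it."""
    progress = {}    # src -> (index of next expected knock, ts of the run's first knock)
    completed = {}
    accesses = []
    for ts, src, dport in sorted(conns):
        if dport == protected:
            if src in completed:
                accesses.append((src, ts))
            continue
        idx, t0 = progress.get(src, (0, ts))
        if idx == 0 or ts - t0 > window:
            idx, t0 = 0, ts                  # start or restart a run at this packet
        if dport == sequence[idx]:
            idx += 1
        elif dport == sequence[0]:
            idx, t0 = 1, ts                  # out of order, but a fresh first knock
        else:
            idx = 0                          # any other port resets the run
        if idx == len(sequence):
            completed[src] = ts
            progress.pop(src, None)
        else:
            progress[src] = (idx, t0)
    return completed, accesses


def build_sample():
    """Constructed SYN log: the attacker knocks in order and then opens port 24456;
    a second host hits the same ports in the wrong order; a third touches
    24456 without knocking (the firewall would simply drop it)."""
    attacker = "3.109.209.43"
    other = "198.51.100.7"
    return [
        (50.0, "10.0.0.9", 24456),
        (100.0, attacker, 29999), (100.4, attacker, 50234), (100.9, attacker, 45087),
        (102.0, attacker, 24456),
        (200.0, other, 45087), (200.3, other, 50234), (200.6, other, 29999),
        (201.0, other, 24456),
    ]


if __name__ == "__main__":
    done, opened = detect_knocks(build_sample())
    print("completed the sequence:", done)
    print("protected-port connections after a knock:", opened)
```

Note that the sequence alone is not proof of compromise, since a legitimate administrator knocks the same way; what made this case an incident is that the knocking source is the same address that scanned the network and sprayed the FTP service, so the alert should be joined with those earlier events rather than acted on in isolation.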

The investigation revealed that the attacker successfully accessed the SSH service using the credentials cyberjunkie:YHUIhnollouhdnoamjndlyvbl398782bapd. These credentials were discovered in an old commit within the Forela organization's GitHub repository.

Figure 10: SSH credential in github commit
Figure 11: SSH connection from malicious IP address

After accessing the SSH server, the attacker downloaded a malicious zip file named Ransomware2_Server.zip, as shown in the picture below:

Figure 12: A malware was downloaded

Collection

Within the critical FTP service, the security analyst detected that the attacker accessed and downloaded 3 files:

archived.sql

Figure 13: Content of archived.sql

reminder.txt

Figure 14: Content of reminder.txt

By extracting the raw data from TCP stream 77938 and saving it with a .docx extension, we can view the content of Done.docx:

Figure 15: Raw Data from tcp stream 77938
Figure 16: Done.docx's content
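Saving a stream with a .docx extension works because the FTP data channel carries the file bytes verbatim, but it is safer to type the blob from its leading bytes than from the name the transfer used, and to record a hash before opening it anywhere. The following is an added example, not part of the original write-up: the "stream" is a minimal OOXML package built in memory, since the case's stream 77938 is not reproduced here, and the paragraph text inside it is constructed.

```python
"""Carving and identifying a file saved from a raw TCP stream (added example; the
stream bytes are constructed in memory, not taken from the case's stream 77938)."""
import hashlib
import io
import re
import zipfile

# Leading-byte signatures; OOXML documents (docx/xlsx) are plain ZIP archives.
MAGIC = {b"PK\x03\x04": "zip", b"%PDF-": "pdf", b"\x7fELF": "elf", b"MZ": "exe"}


def build_sample_stream() -> bytes:
    """Constructed stand-in for the bytes exported from the FTP data channel:
    a minimal OOXML package with one paragraph of text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns='
                   '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>Quarterly backup completed</w:t>"
                   "</w:r></w:p></w:body></w:document>")
    return buf.getvalue()


def identify(data: bytes) -> str:
    """Type the blob by its leading bytes; for a ZIP, the member names tell
    which Office application (if any) produced it."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            if kind != "zip":
                return kind
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
            if "word/document.xml" in names:
                return "docx"
            if any(n.startswith("xl/") for n in names):
                return "xlsx"
            return "zip"
    return "unknown"


def docx_text(data: bytes) -> str:
    """Pull the visible text runs (<w:t>) out of word/document.xml without
    rendering the document in an Office application."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    return " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))


def sha256(data: bytes) -> str:
    """Hash for the evidence record and indicator list."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    blob = build_sample_stream()
    print("type:", identify(blob))
    print("sha256:", sha256(blob))
    print("text:", docx_text(blob))
```

Reading the XML directly, as docx_text() does, also sidesteps any macros or remote-template references a recovered document might carry, which matters when the file came from an attacker-controlled session.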

Indicators of Compromise

Malicious IPs: 3.109.209.43, 13.233.179.35

Malware: Ransomware2_Server.zip

Timeline of Events

Time                            Activity
21/03/2023 10:42:23             IP address 3.109.209.43 started port scanning against the Forela Dev network.
21/03/2023 10:49:43             The attacker used a password spraying technique against the FTP service to find valid credentials.
21/03/2023 10:51:04             The attacker successfully logged in to the FTP service with the account tony.shephard:Summer2023!
21/03/2023 10:52:03             The attacker accessed and downloaded two files from the FTP service: ".backup" and "fetch.sh".
21/03/2023 10:59:07             The attacker successfully logged in to the service on port 24456 using the port knocking technique and the credential abdullah.yasin:XhlhGame_90HJLDASxfd&hoooad.
21/03/2023 10:59:07 – 11:10:21  The attacker accessed the following files within the service on port 24456: archived.sql, reminder.txt, Done.docx, and .reminder, and then transferred these files out of the network.
21/03/2023 11:42:13             The attacker gained access to the SSH service on port 22 with a credential found on Forela's GitHub page.
21/03/2023 11:42:34             A malicious zip file named "Ransomware2_Server.zip" was dropped within the internal network.