Ore

Scenario

One of our technical partners is currently managing our AWS infrastructure. We requested the deployment of some technology into the cloud. The solution proposed was an EC2 instance hosting the Grafana application. Not too long after the EC2 was deployed the CPU usage ended up sitting at a continuous 98%+ for a process named "xmrig".

Important Information

Our organisation's office public facing IP is 86.5.206.121; upon the deployment of the application we carried out some basic vulnerability testing and maintenance.

Evidence

In this challenge, we will receive 2 folders:

Task 1: Which CVE led to the initial compromise of the EC2?

To determine the CVE, we will check the Grafana version installed on the EC2 instance. This information can be found in the VERSION file under the /usr folder (path: /usr/share/grafana/VERSION).

Version of grafana

After finding the version, we will search Google for the vulnerability.

Searching for CVEs related to Grafana 8.2.0

Answer 1: CVE-2021-43798

Task 2: Please detail all malicious IP addresses used by the threat actor (TA) targeting our organisation.

Currently, we don't have much information about the attack, except for the discovery of CVE-2021-43798. I will take a closer look at the details of this CVE. According to this github page, the vulnerability allows users to view plugin assets through the /public/plugins/:pluginId endpoint. However, Grafana does not sanitize the user-provided path, which leads to a path traversal issue.

CVE-2021-43798 explanation

As you can see in the HTTP request, the attacker attempts to send a malicious URL to the server, which could lead to the exposure of the password file. I will search for the keyword ../../../../etc/passwd in the evidence to check if the attacker used this technique. If they did, we will identify the IP addresses that sent this URL to the server.

PowerShell command script (Select-String treats -Pattern as a regular expression, in which "." matches any character, so -SimpleMatch is used to match the string literally):

Get-ChildItem -Recurse -Path "<path-to-evidence>" | Select-String -SimpleMatch -Pattern "../../../../etc/passwd" | Out-File -FilePath "<path-to-save-result-file>"

/etc/passwd keyword filter result

We found two malicious IP addresses that performed the path traversal. However, the answer requires three IP addresses, so I will need to conduct further research.
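A scripted version of the same check, added here as an example and not part of the original write-up: it parses Grafana-style request log lines, percent-decodes the requested path, flags requests that escape the plugin directory under /public/plugins/, and lists the source IPs, dropping the organisation's own IP (86.5.206.121, which performed authorised vulnerability testing). The log lines and timestamps are constructed samples, not the challenge evidence.

```python
import re
from urllib.parse import unquote

ORG_IP = "86.5.206.121"  # office IP from the scenario; its probes were authorised testing
PLUGIN_PREFIX = "/public/plugins/"
LINE_RE = re.compile(r"^t=(?P<ts>\S+) .* path=(?P<path>\S*) .* remote_addr=(?P<ip>\S+)")

# Constructed sample lines in Grafana 8 "Request Completed" log style (not real evidence).
SAMPLE_LOG = """\
t=2022-11-23T11:20:01+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/plugins/alertlist/../../../../../../../../etc/passwd status=200 remote_addr=95.181.232.32 time_ms=3 size=1700 referer=
t=2022-11-23T11:21:45+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/plugins/mysql/..%2f..%2f..%2f..%2fetc%2fpasswd status=200 remote_addr=195.80.150.137 time_ms=2 size=1700 referer=
t=2022-11-23T09:05:10+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/plugins/alertlist/../../../../etc/passwd status=200 remote_addr=86.5.206.121 time_ms=2 size=1700 referer=
t=2022-11-23T11:22:00+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/public/plugins/alertlist/module.js status=200 remote_addr=10.0.0.5 time_ms=1 size=9000 referer=
"""

def is_traversal(path: str) -> bool:
    """True if a /public/plugins/<pluginId>/... request climbs above the plugin's own directory."""
    decoded = unquote(unquote(path.split("?", 1)[0]))  # handle single and double percent-encoding
    if not decoded.startswith(PLUGIN_PREFIX):
        return False
    _plugin_id, _, rest = decoded[len(PLUGIN_PREFIX):].partition("/")
    depth = 0
    for seg in rest.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:  # escaped the plugin directory: this is the CVE-2021-43798 pattern
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def traversal_sources(log_text: str, ignore=(ORG_IP,)) -> dict:
    """Return {remote_addr: [timestamps]} for traversal requests, excluding authorised IPs."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_traversal(m["path"]):
            continue
        ip = m["ip"]
        if ip in ignore:
            continue
        hits.setdefault(ip, []).append(m["ts"])
    return hits

if __name__ == "__main__":
    for ip, times in traversal_sources(SAMPLE_LOG).items():
        print(ip, times)
```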

By examining the .bash_history file (/usr/share/grafana/.bash_history), I found a sequence of suspicious commands executed on the server, which included a connection to the external IP address 44.204.18.94. Therefore, this will be the third IP address we are looking for.

Suspicious command lines

Answer 2: 44.204.18.94,95.181.232.32,195.80.150.137

Task 3: Which account did the TA utilise to authenticate to the host OS?

By examining the file ip-172-31-13-147-20221124-1501-lastlog.txt (/catscale_ip-172-31-13-147-20221124-1501/catscale_out/Logs), we can observe the login activities on this host. It's worth noting a suspicious login under the username 'grafana' at 11:32:22 on 23/11. This event is related to the malicious IP address from the previous task, 195.80.150.137.

Login activities

Answer 3: grafana

Task 4: Which file did the TA modify in order to escalate privileges and run the mining service as "root"?

Returning to the .bash_history file, we can see that the attacker attempted to edit and run a file named 'updater.sh'. However, we do not have the file's path at the moment. To find it, I will use PowerShell to search through all the evidence with the keyword updater.sh.


Get-ChildItem -Recurse -Path "<path-to-evidence>" | Select-String -Pattern "updater.sh" | Out-File -FilePath "<path-to-file-result>"

The results will be saved to a file. Upon checking the file, we will see that the keyword appears frequently in the system log file (/catscale_ip-172-31-13-147-20221124-1501/catscale_out/Logs/ip-172-31-13-147-20221124-1501-var-log/var/log/syslog:1597). The picture below shows the event where 'updater.sh' was executed in the root directory.

updater.sh's execution

Answer 4: /opt/automation/updater.sh

Task 5: Which program did the TA utilise to download the injector.sh script?

Using the same technique as in the previous tasks, we will search for the keyword 'injector.sh' across all the evidence using a PowerShell script.


Get-ChildItem -Recurse -Path "<path-to-evidence>" | Select-String -Pattern "injector.sh" | Out-File -FilePath "<path-to-file-result>"

After saving the results to a file, we will see an event that reveals the command line used to download injector.sh.

injector.sh downloaded

Answer 5: wget

Task 6: Where was the crypto mining binary & config file initially downloaded to?

After thoroughly searching the syslog file, I found an event that shows the command line used to download the crypto mining binary and config file. This search focused on the following keywords: the malicious IP address 44.204.18.94 and the suspicious process mentioned in the challenge description, 'xmrig'.

crypto mining binary & config file initially downloaded

Answer 6: /opt/automation/

Task 7: Which program did the TA utilise to download both the crypto mining binary & configuration file?

From the task above, we know the attacker used curl to download xmrig and config.json.

Answer 7: curl

Task 8: We need to confirm the exact time the SOC team began artefact collection as this was not included in the report. They utilise the same public facing IP address as our system administrators in Lincoln.

As we know, the artifacts in this challenge were collected using a tool called CatScale. By reviewing the GitHub page, I realized that a script named Cat-Scale.sh is executed to start collecting the artifacts. Therefore, I will search for the keyword Cat-Scale.sh across the evidence.


Get-ChildItem -Recurse -Path "<path-to-evidence>" | Select-String -Pattern "Cat-Scale.sh" | Out-File -FilePath "<path-to-file-result>"

Time the SOC team began collecting artefacts

Answer 8: 2022-11-24 15:01:00

Task 9: Please confirm the password left by the system administrator in some Grafana configuration files.

To complete this task, we need to locate the Grafana config file. It can be found at the following path: /usr/share/grafana/conf/defaults.ini.

defaults.ini

Answer 9: f0rela96789!

Task 10: What was the mining threads value set to when xmrig was initiated?

By searching for the keyword xmrig, the coin mining program, we will find the answer.

Answer 10: 0

Task 11: Our CISO is requesting additional details surrounding which mining pool this may have been utilising. Please confirm which (if any) mining pool the TA utilised.

By reusing the result file from the 'xmrig' keyword search, I found the name of the mining pool.

mining pool

Answer 11: monero.herominers.com

Task 12: We couldn't locate the crypto mining binary and configuration file in the original download location. Where did the TA move them to on the file system?

After searching the syslog again, I observed an event that shows the command line used to move the crypto mining binary and config file to another location. This will be shown in the image below.

moving action of malicious file

Answer 12: /usr/share/.logstxt/

Task 13: We have been unable to forensically recover the "injector.sh" script for analysis. We believe the TA may have run a command to prevent us from recovering the file. What command did the TA run?

In the previous task, we searched for the keyword 'injector.sh.' Looking back at the search results, we can see the command line shred -u ./injector.sh. This command was used to delete the file after it was executed.

deleting event

Answer 13: shred -u ./injector.sh

Task 14: How often does the cronjob created by our IT admins run for the script modified by the TA?

The answer is located in this file: catscale_ip-172-31-13-147-20221124-1501\catscale_out\Persistence\ip-172-31-13-147-20221124-1501-cron-tab-list.txt. The crontab is shown below.

malicious cronjob

Answer 14: daily - 08:30
