Hackers attacked, among others, the state-owned company Vltava Basin early this April. The attack was described as large-scale, and the company had to shut down part of its systems (or the hackers shut them down for it ☺) and work on restoring them.
When a large-scale attack occurs, I’m always curious about how it happened. I think that the company (and especially its IT administrators) could greatly benefit from information about how the attack was carried out – they would learn from the mistakes of others and improve the security of their networks. It would also put an end to all sorts of speculation.
However, the rules are strict, and investigators do not reveal information about attacks. So I devoted some of my time to research and tried to find out whether Vltava Basin had any vulnerabilities in its publicly reachable systems. I then posted my own conclusions on my LinkedIn profile and our company Facebook page. You liked it and asked me to describe the process in more detail, so that you can do this kind of quick research yourself next time. I’m happy to oblige.
Firstly, I would like to share that OSINT (researching information from public sources) is not my strength. I still have a lot to learn. So I would be pleased if you could share your tips or procedures in the comments.
Likewise, although I was able to find a critical vulnerability in the Vltava Basin systems through which the attack could have been carried out, it was not necessarily the real attack vector. The attackers could have got in a different way.
OSINT: Where’s My Home? Or How To Identify Public IP Addresses Of The Vltava Basin
In the first step, I want to find out what public services (online services) the company operates. I’ll start by searching the company’s website to find out what domain the company uses. In this case, I quickly google “Vltava Basin” and get the website http://www.pvl.cz/en
Company websites are usually run on third-party web hosting, i.e. the server does not belong to the company, and breaking into it would not get an attacker into the company’s internal network. That means we have to keep looking.
Next, we can ask DNS who handles email for the pvl.cz domain. Companies used to run mail servers themselves and had them located on the internal network (or in a DMZ). But I found out (using digwebinterface.com) that email for pvl.cz is most likely handled by Office 365.
Fortunately, there are handy tools that can look up the various DNS records within a domain. ☺ They often combine several sources (DNS caches, web crawling, various leaks, or Certificate Transparency). „Certificate Transparency“ in particular is a very rich source. Any certificate that has been issued by a public CA appears in the CT logs, and these certificates contain (simply put) the DNS names of the servers for which they were issued. So it’s a great source of information. I recommend that you try looking up your own domain in the Google Transparency Report. More in the „Certificate Transparency: The Gift That Keeps Giving“ article.
We will use the DNSdumpster.com tool for this. If we look up the information about the pvl.cz domain, we get the following result:
We obtained the names of subdomains, their relationships, assigned IP addresses, reverse DNS records, and sometimes some service headers. Now you’re probably wondering what to do with all this.
OSINT: What services does the Vltava Basin offer the “world”?
Thanks to dnsdumpster.com, we now have a list of IP addresses that could belong to the Vltava Basin. Now we need to distinguish which IP addresses are interesting and which are not.
To do this, we could run Nmap and do our own scan. However, there are two problems. Firstly, it may not be legal (but I’m not a lawyer ☺). Secondly, and rather limiting, most of the services are not currently reachable. They had to turn them off because of the attack, remember? ☺
So we will turn to services that do this work for us: Shodan.io and Binaryedge.io. Both scan the internet 24/7 and collect information about reachable services. They offer both paid and free accounts. If you haven’t tried them yet, I recommend you do so.
We enter the IP addresses from the previous step into these services. In addition to the given IP addresses, I also look at the neighbouring addresses. Larger companies often have a larger range of addresses (a subnet) assigned to them. We can also try searching for text strings (such as “pvl.cz”).
We now have a list of services running on the internal network as well as those reachable online.
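To show how the two steps above fit together (pulling hostnames out of Certificate Transparency records and then looking for neighbouring addresses that may belong to the same company), here is a small Python script I have added to this post. It is not a tool from the original post; the CT records and the address map inside it are constructed samples in the shape crt.sh and DNSdumpster return, using the reserved example.test domain and documentation IP ranges rather than any real company data. Running it against your own domain’s CT export is a quick way to see which of your hostnames the whole world can already see.

```python
"""Extract in-scope hostnames from Certificate Transparency records and group
the addresses they resolve to by /24, to spot neighbouring address ranges.

Added example: the CT records and the address map below are constructed for
illustration (example.test, 198.51.100.0/24, 203.0.113.0/24 are reserved
documentation values); they are not real crt.sh output.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape crt.sh returns: `name_value` may hold several
# names separated by newlines, and wildcard entries are common.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2019-11-02T10:00:00",
     "name_value": "www.example.test\nexample.test"},
    {"issuer_name": "C=US, O=DigiCert Inc", "not_before": "2018-05-14T00:00:00",
     "name_value": "*.example.test"},
    {"issuer_name": "C=US, O=DigiCert Inc", "not_before": "2017-03-30T00:00:00",
     "name_value": "mail.example.test\nautodiscover.example.test"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2020-01-20T00:00:00",
     "name_value": "example-partner.other.test"},      # look-alike, out of scope
    {"issuer_name": "C=US, O=DigiCert Inc", "not_before": "2016-01-01T00:00:00",
     "name_value": "old-vpn.example.test"},
])

# Constructed A-record results standing in for what DNSdumpster lists.
SAMPLE_RESOLVED = {
    "www.example.test": "203.0.113.10",          # typical third-party web hosting
    "example.test": "203.0.113.10",
    "mail.example.test": "198.51.100.25",
    "autodiscover.example.test": "198.51.100.25",
    "old-vpn.example.test": "198.51.100.30",
}


def in_scope(name, apex):
    """True when `name` is the apex domain itself or a subdomain of it.

    The leading dot matters: 'notexample.test' must not match 'example.test'.
    """
    name = name.lower().rstrip(".")
    return name == apex or name.endswith("." + apex)


def hostnames_from_ct(ct_json, apex):
    """Return {hostname: earliest not_before date} for in-scope names.

    Wildcard names ('*.example.test') are reduced to the name they cover rather
    than dropped, so the existence of a wildcard certificate is still recorded.
    """
    seen = {}
    for rec in json.loads(ct_json):
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not in_scope(name, apex):
                continue
            first_seen = rec["not_before"][:10]
            if name not in seen or first_seen < seen[name]:
                seen[name] = first_seen
    return seen


def group_by_subnet(resolved, prefixlen=24):
    """Group hostnames by the /prefixlen block their address falls into.

    Several hosts inside one block suggest the company owns that range, so the
    remaining addresses in it are worth checking in Shodan/BinaryEdge as well.
    """
    groups = defaultdict(list)
    for host, ip in resolved.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(host)
    return {net: sorted(hosts) for net, hosts in groups.items()}


if __name__ == "__main__":
    for host, first in sorted(hostnames_from_ct(SAMPLE_CT_JSON, "example.test").items()):
        print(f"{host:32} first certificate {first}")
    for net, hosts in group_by_subnet(SAMPLE_RESOLVED).items():
        print(f"{net:18} {', '.join(hosts)}")
```

The oldest `not_before` date per hostname is kept on purpose: a name that has had certificates since 2016 but is no longer in DNS is exactly the kind of forgotten service this whole exercise is meant to surface.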
OSINT: Which Service Has Failed?
We found a lot of services. Now we need to distinguish the interesting ones. Given that the attackers probably compromised the entire internal network, we are looking for a service whose breach could lead to such a consequence.
For example, at the “220.127.116.11” address, I came across the “MS4W – MapServer 4 Windows” service, which has about 50 different vulnerabilities. ☺
However, my favorite was the Microsoft Exchange server at “18.104.22.168 (gatemail.pvl.cz)”. A critical vulnerability was found in Microsoft Exchange this year which allows one to easily take control of the entire server. It is tracked as CVE-2020-0688; exploits are available and it is being actively abused (see „Multiple nation-state groups are hacking Microsoft Exchange servers“). What else could you wish for? ☺
Now, however, we would need to confirm whether the Vltava Basin used a vulnerable version of the MS Exchange. How to do that?
Microsoft itself makes our work easier here. The HTML source of the web interface (OWA) reveals the version and patch level of the Exchange server. The actual server is probably unreachable at the moment, so we’ll have to make do with the information from the last scan stored by binaryedge.io.
The “clip” (screenshot) from the cache shows that MS Exchange was at version 15.0.1293. Looking this up in „Exchange Server build numbers and release dates“, we find “Exchange Server 2013 CU16”. It was released on March 21, 2017, and was supported until about October 27, 2017 (see „Exchange 2013 Servicing Model“). So we already know that this MS Exchange version is vulnerable.
The cache was taken on March 12, 2020, at 3:12 our time (see the clip). The attack was allegedly carried out on April 7, 2020 (it probably took place during the night from April 6 to April 7). That leaves a gap of less than 4 weeks during which the administrators could have updated MS Exchange without us noticing. However, since MS Exchange had not been updated for over two years, it is likely that they did not update it during that period either.
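The version check described above is easy to automate for your own servers, so I have added a short Python example here (it is not part of the original post or of any Microsoft tooling). The HTML snippet in it is constructed in the shape of an OWA login page, which references its static resources under a path that contains the server build number. The build table is deliberately tiny: the CU16 row is the one discussed above, and the CU23 row is my own entry taken from Microsoft’s published build list, which you should refresh from the „Exchange Server build numbers and release dates“ page before relying on it.

```python
"""Read the Exchange build from an OWA login page and judge how far behind it is.

Added example. SAMPLE_OWA_HTML is a constructed page in the shape of OWA 2013's
login form, not a capture from any real server.
"""
import re
from datetime import date

SAMPLE_OWA_HTML = """
<!DOCTYPE html>
<html><head><title>Outlook Web App</title>
<link rel="shortcut icon" href="/owa/auth/15.0.1293/themes/resources/favicon.ico">
<script type="text/javascript" src="/owa/auth/15.0.1293/scripts/premium/flogon.js"></script>
</head><body><form action="/owa/auth.owa" method="POST"></form></body></html>
"""

# Minimal build table: (major, minor, build) -> (name, release date).
# CU16 is the build discussed in the post; CU23 is an assumed entry from
# Microsoft's build list and should be refreshed from the official page.
BUILD_TABLE = {
    (15, 0, 1293): ("Exchange Server 2013 CU16", date(2017, 3, 21)),
    (15, 0, 1497): ("Exchange Server 2013 CU23", date(2019, 6, 18)),
}

# OWA resource paths look like /owa/auth/15.0.1293/... (a fourth component may follow).
BUILD_RE = re.compile(r"/owa/auth/(\d+)\.(\d+)\.(\d+)(?:\.\d+)?/")


def parse_owa_build(html):
    """Return the (major, minor, build) tuple found in the page, or None."""
    m = BUILD_RE.search(html)
    return tuple(int(x) for x in m.groups()) if m else None


def identify(build):
    """Human-readable name for a build, or 'unknown build' if not in the table."""
    return BUILD_TABLE.get(build, ("unknown build", None))[0]


def days_behind(build, observed_on):
    """Days between the build's release and the date the page was observed."""
    entry = BUILD_TABLE.get(build)
    return None if entry is None else (observed_on - entry[1]).days


def is_older_than_latest(build):
    """True if the build predates the newest build in the table.

    Tuples compare numerically; comparing "15.0.1293" < "15.0.999" as strings
    would give the wrong answer, which is why the build is parsed into ints.
    """
    return build < max(BUILD_TABLE)


if __name__ == "__main__":
    build = parse_owa_build(SAMPLE_OWA_HTML)
    observed = date(2020, 3, 12)               # date of the cached scan in the post
    print("build:", ".".join(map(str, build)), "=", identify(build))
    print("days since release at scan time:", days_behind(build, observed))
    print("older than newest known build:", is_older_than_latest(build))
```

For your own fleet, point `parse_owa_build` at the HTML of each OWA front end you operate and alert on anything `is_older_than_latest` flags, or on `days_behind` exceeding the window the servicing model gives you.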
Pre-Exploitation And Post-Exploitation
If you’ve carefully read the information about the Exchange vulnerability, you know that we still need something else to exploit it. The missing ingredient is the credentials of at least one domain user with a mailbox. Where could the attackers get these?
One option is spear phishing (more on that below). Another is to look through archives of credentials leaked from various Internet services. For a company the size of the Vltava Basin, there is a decent probability that something turns up. I did a quick search and found dozens of leaked credentials. Although these are older password leaks and some of the people may no longer work at the Vltava Basin, all the attackers need is one set of valid credentials.
Controlling MS Exchange does not necessarily mean controlling the whole domain (the entire network). However, several “privilege escalation” techniques exist that let an attacker who controls the Exchange server take over the entire domain (see Exchange-AD-Privesc).
So this is the way the attackers could have successfully compromised the Vltava Basin corporate network. However, only the attackers and investigators know if this was the way, or whether there was yet another one. ☺
Where To Source IT Security Information?
I am aware that keeping track of what is happening in the field of IT security is not easy. That is why I would like to share how I do it with you.
I follow several foreign websites every day. I use Feedly.com (an RSS reader of sorts) so I don’t have to visit them manually. I have created a list of monitored websites and have all of them aggregated in one place, on the website or in the mobile app. It saves me time and keeps things tidy. I usually read the articles in the morning on the way to work. If you’re wondering what I follow, I’ve exported my feed as „Feedly – Security“ (you can import it under your account at https://feedly.com/i/cortex).
I also recommend subscribing to the “updates” from the US „Cybersecurity and Infrastructure Security Agency“ (at the bottom of their site). You get relatively good “threat intelligence” for free.
Speaking of external sources, our company has set up a YouTube channel, PATRON-IT Academy [CZ]. We publish video tutorials answering the most frequently asked questions from our users about Office 365. The goal is to teach users something new (which helps them), save their employers’ money, and save our time spent on “repetitive” tasks. Our latest video, „How To Set Up 2FA With Office 365“ [CZ], will be appreciated especially by administrators of medium and large companies deploying multi-factor authentication. Instead of training every colleague in the company, they can send them this video, with which most people can set up two-factor authentication themselves.
Last but not least, I recommend following my blog ☺, in the „security“ and „ransomware“ categories. I share quick news on LinkedIn (I would be honored if you added me). Hacking demos and lectures can be found on YouTube under Martin Haller.
You may still wonder why I think it was an attack via a publicly reachable service. Why couldn’t it have been spear phishing (by email)? Of course, I’m not sure; this is just my “qualified guess“. Email phishing is less frequent, and even when it succeeds, its impact is not as big (it only affects the data and systems that the “hacked” user has access to).
As always, I will be happy for your feedback, comments, and tips on how to improve OSINT. ☺ Thank you.