BTLO - 'Haunted'
A write up of the Blue Team Labs Online investigation "Haunted", part of their 2024 Halloween event.
Introduction
The investigation Haunted is part of the Halloween 2024 event launched by Blue Team Labs Online (BTLO). Unlike the fortnightly releases, which usually contain 2 investigations, this event unleashed 6 themed labs.
As I came online shortly after release (18:00 UK local) and this investigation is rated as Easy, I thought I might see how I did compared to others in terms of speed. It helped that I like the Threat Intelligence category; pulling together information and building a story is something I enjoy.
Anyone who isn't familiar with BTLO may want to read my post about training for security operations teams. My post about BTLO investigation tips & tricks might also be of interest.
Scenario & initial information
The briefing for the investigation tells us that we work for a company, Haunted Company Inc, which has experienced a couple of cyber events. Our task is to work out who was likely behind them, using the information we are given and what we can gather ourselves.
On the presented desktop there are a small number of folders with files and tools.
- Investigation folder
- README.txt
- DecodeME.txt
- Exiftool
- OfficeMalScanner
- CyberChef
The first pieces of information are within the README.txt file.
Preparation
I fired up a new file in my normal note-taking app (Silverbullet), and then read through the README.txt file. I made a mental note that there are several facts, and a website to visit.
Right after that I followed my normal routine:
- open CyberChef
- rename exiftool(k).exe to exiftool.exe
- open a command prompt and cd to the same folder as exiftool.exe
I dropped the contents of DecodeME.txt into the CyberChef input. The first thing to try was the From Base64 recipe. This output what was clearly HTML code; a quick skim through and I could see JavaScript as well as various zip file references.
At that point the dog came in to tell me that she had finished her dinner. A bit of fuss and distraction later I decided to get on with the questions. That was a mistake on my part: working through the setup material properly can be important, especially in threat intelligence.
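The CyberChef step above (From Base64, then skim the HTML for script tags and zip references) can be scripted so the references are listed rather than eyeballed. The following Python is an added example, not code from the write-up or from BTLO: decode_base64_text tolerates stray whitespace and missing padding, RefCollector pulls every href and src out of the HTML, and triage reports whether scripts are present and which archive or image resources are referenced. SAMPLE_HTML and SAMPLE_B64 are constructed stand-ins, not the lab's DecodeME.txt.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample: a small page of the kind a Base64 blob might decode to.
# This is made-up content, not the lab's actual DecodeME.txt.
SAMPLE_HTML = """<html><body>
<script src="js/bats.js"></script>
<a href="files/breach_summary.zip">Summary</a>
<a href="files/internal_threat_intel.zip">Intel</a>
<img src="img/dp4.jpeg">
</body></html>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_HTML.encode()).decode()


class RefCollector(HTMLParser):
    """Collect every href/src attribute value seen in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)


def decode_base64_text(blob: str) -> str:
    """Decode a Base64 text blob, tolerating whitespace and missing padding."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)  # restore '=' padding if it was stripped
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def extract_refs(html: str, suffixes=(".zip", ".jpeg", ".jpg", ".pdf")):
    """Return referenced resources whose path ends with one of `suffixes`."""
    parser = RefCollector()
    parser.feed(html)
    return [r for r in parser.refs if r.lower().endswith(suffixes)]


def triage(blob: str) -> dict:
    """Decode the blob and summarise what an analyst would want to note."""
    html = decode_base64_text(blob)
    return {
        "has_script": "<script" in html.lower(),
        "resources": extract_refs(html),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_B64))
```

The suffix filter is there because, as in this lab, the interesting references are usually the downloadable artefacts (archives, images, PDFs) rather than every stylesheet and script the page loads; widen the tuple if you want everything.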
The questions
Question 1
The README file mentions:
- the year in the question relating to the "2017 GenX Breach"
- this came from the New York threat intelligence source
- regarding a Credit Reporting Agency
The answer format required 3 components and indicated the name of the company was two words.
Given the New York source this indicated US, and presumably a Credit Reporting Agency.
This led me to quickly run through some searches online to get the name; these are my search phrases and my thinking at the time:
- genx breach 2017
"Let's use the obvious terms. Hmm, plenty about Equifax ..."
- genx solutions
"Stab in the dark based on the last set of results."
- genx solutions 2017 breach
"Let's try again with a bit more specificity. Nope, that didn't help."
- genx finance 2017 breach
"It's a credit agency, let's try using common terms. The same Reddit result again."
- 2017 breach genx finance usa
"One last go ..."
I then simply tried what I thought it was and found I was right.
Answer
- Genx Finance, US, Credit Reporting Agency
However, this was obviously the wrong way to get the answer. That said, I looked at question two and the threads connected in my head quickly, so I moved on.
Question 2
Reading the intro to the scenario, a number of threat actors are included. Reviewing the techniques they commonly use, exploiting weaknesses in systems stands out, and having recently completed the CSOM course I have looked at these threat groups more.
Of course the words applications and vulnerability are in the question itself as well...
Answer
- Application vulnerability
Question 3
At this point I knew I needed to dig more with the resources I had rather than relying on intuition and good OSINT. I went back to the info provided and realised I hadn't yet used the decoded HTML on the website.
This instantly brought me the fun of the bats! The lag was almost unbearable, and clicking anything was a bit hit and miss. There was much moaning about this in Discord; I'm sure the SBT folks were having a good chuckle at our expense!
A bit of clicking later I got fed up and used developer tools to pull the URLs for the three zip files I'd seen referenced in the decoded HTML. These of course included the relevant PDF with the name of the company for question 1.
Referring to the GenX financial breach summary PDF you can search for the number of days quite easily.
Answer
- 76 days
Question 4
It might take a little reading, but all the info needed is in the GenX financial breach PDF and you can pick out the relevant data. Pay attention to the answer format to know what fits, and remember you are looking for an application vulnerability relationship.
Answer
- Apache Struts, CVE-2017-5638, ACIS
Question 5
Continuing with reviewing the PDF we find the additional details requested. The numeric value is simple enough to pick out, but the second part requires a little thought to be certain. When the investigation launched it took me a few re-reads because the question language wasn't super clear.
Answer
- 148 million, unencrypted
Question 6
Again the information is available in the PDF, keep picking out those details! Threat intelligence gathering requires good attention to the details and the ability to pick out key facts.
Answer
- SQL injection, Insecure Direct Object Reference
Question 7
As we continue to gather information this is building a picture. I already had in my head a threat actor group that I'd read about recently, and so I was looking for keywords that either supported or went against that theory.
Answer
- JSP, China
Question 8
Having skimmed through the entire report, this answer was a logical conclusion item. Knowing the technical controls that reduce an attacker's metaphorical blast radius in cyber defence will tell you this without the report, but it is confirmed at the end.
Answer
- Network Segmentation
Question 9
You're guided by the question to go and look at the MITRE information on threat actor groups. Matching up against the answer template allows you to pick out the relevant group info once you include the details from the question (medical group, 2019).
At the time I didn't even notice that the information is included in the other available PDFs from the internal threat intel zip file! Let this be a reminder to check all the material you are provided in threat intel investigations.
Answer
- FIN7, Ransomware, Russia, Financial
Question 10
Switching to another threat actor, combined with the above answers, indicated that we are looking for a Chinese group. APT27 is mentioned in the introduction, and a quick MITRE check gives us more of the answer fairly easily. Again, terminology and the answer format are important to piece together.
Just like the question before, most of this is also included in the PDFs from the internal threat intel zip file.
Answer
- APT27, SharePoint Server Compromise, 2010, Espionage
Question 11
This one took me longer than I wanted. In fact I had to do a mental reset and order food!
Once I'd stepped away I came back and reviewed the decoded HTML, and after a bit of back and forth I realised I could get more from the actual intel tool itself as that was also exposed HTML.
Steps:
- View the haunted.html and decoded source code in the developer tools
- This reveals the location of passwords.zip and dp4.jpeg
- Download both the passwords.zip and dp4.jpeg
- Use exiftool on dp4.jpeg to extract the password from the title metadata field (youarehaunted!)
- Use this password to open the password.txt file (hauntedfestival666)
- Gain access to the remaining IOC files.
The remaining IOC files are a document with odd content in RTF format and a web server (ASPX) file; these indicate the two answer components. There is a good chance a phishing attack was used for the initial attack, it's quite common after all, and we've already had indicators that a web server was compromised given the Apache Struts vulnerability mentioned.
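The exiftool step above, reading the password out of the image's title metadata, can be reproduced without the tool. The following Python is an added example, not part of the original write-up or of the lab: it walks the JPEG marker segments, finds the APP1 segment carrying an XMP packet, and pulls out the dc:title value (the tag exiftool reports as Title). build_sample_jpeg is a constructed fixture with a made-up title, and the assumption that the lab's dp4.jpeg stores its title in XMP rather than in another tag (EXIF XPTitle or IPTC ObjectName) is mine.

```python
import re
import struct

# Namespace identifier that prefixes an XMP packet inside a JPEG APP1 segment.
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"


def iter_segments(data: bytes):
    """Yield (marker, payload) for each JPEG header segment before image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:          # EOI: nothing further to read
            return
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop here
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def xmp_title(data: bytes):
    """Return the XMP dc:title text, or None if the JPEG carries none."""
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            xmp = payload[len(XMP_HEADER):].decode("utf-8", errors="replace")
            # dc:title is an rdf:Alt language alternative; take the first rdf:li.
            m = re.search(r"<dc:title>.*?<rdf:li[^>]*>(.*?)</rdf:li>", xmp, re.S)
            if m:
                return m.group(1).strip()
    return None


def build_sample_jpeg(title: str) -> bytes:
    """Constructed fixture: SOI + APP1/XMP segment + EOI, with no pixel data."""
    xmp = (
        '<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/"><rdf:Description>'
        f'<dc:title><rdf:Alt><rdf:li xml:lang="x-default">{title}</rdf:li>'
        '</rdf:Alt></dc:title></rdf:Description></rdf:RDF></x:xmpmeta>'
    ).encode()
    payload = XMP_HEADER + xmp
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Made-up title value; the lab's real password is not used here.
    sample = build_sample_jpeg("sample-title-value")
    print(xmp_title(sample))
```

Walking the segments by their declared lengths, rather than searching the whole file for the string, matters on real images: a file can contain several APP1 segments (EXIF first, XMP after) and text that looks like XMP can appear inside embedded thumbnails, so reading the structure keeps the result unambiguous.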
Answer
- Social Engineering, Webshell
Question 12
Ok, we're looking for a Process Environment Block (PEB), and RTFScan is available to us. With an RTF file as an artifact to investigate, this was the obvious place to start.
I think the fact the output includes multiple "offset" values put some people off. I did have a quick skim of a Medium article about the PEB, which points to fs:[30h] being relevant.
Answer
- oxcc
Question 13
Having already been asked in earlier questions about both APT27 and FIN7, but also China as country of interest in question 7 this just required some correlation via OSINT. Different names are often used for the same group by security organisations, so the answer format here was key to picking out the right one from MITRE.
Just like questions 9 and 10 this information was right there in the PDFs provided as well.
Answer
- Threat group-3390, ChinaChopper
Question 14
At this point we know it was a web shell, which is a form of remote code execution, often abbreviated as RCE. Apache Struts is the most likely application to have been exploited as well, based on earlier information. I put this all together into a single search query for "apache struts cve rce".
Answer
- CVE-2023-50164, RCE
Conclusion
I wasn't paying full attention to the Discord channel as I went through, especially as I got through the last few questions. So when I completed I was just pleased to have got through it reasonably quickly. What was a surprise was this...
Totally unexpected, and I suspect aided by the fact that those who are more active and have a greater skillset than me were busy working on the Hard and Medium investigations.
Since then I think I've given hints and helped guide a number of people to find the answer for themselves. This has been great, because the community is coming together to help each other learn. The effect is that we all defend the world from criminals and their malicious actions better.
What is funny is that I had to get someone to guide me on the first question of the other Easy investigation released at the same time, Nonyx. Sometimes things are easy, sometimes they aren't.