Are your cloud servers under attack?
Brian Hileman
Creator / Owner @ DLPtest.com
Past Sales Engineer @ OverWatchID
Past Professional Services @ InteliSecure
Sales Engineer @
PRESENTATION TOPICS
1. Monitor Exit and Entry Points
2. Maintain Visibility and Control
3. Investigation
4. Recommendations
5. Q & A
LAYING THE GROUNDWORK
▰ Deployed AWS Lab
▰ Laid the Bait
▰ Installed DG Agent
1. Monitor Exit and Entry Points
MONITOR EXIT AND ENTRY POINTS
▰ RDP (Remote Desktop Protocol)
▻ Within AWS the default security setting will not allow incoming RDP traffic. The suggested setting is to keep RDP locked down to specific IP addresses.
▻ For convenience many people open RDP to all external IP addresses.
▰ How widespread is open RDP?
▻ There are over 3 million identified IP addresses with RDP available on the Internet, 900,000 of which are located in the United States.
▻ Source: https://www.darkreading.com/endpoint/the-risks-of-remote-desktop-access-are-far-from-remote/a/d-id/1331820
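Added example (not from the talk): a small audit that reads the JSON shape returned by `aws ec2 describe-security-groups` and reports every rule that exposes RDP (tcp/3389) or SSH (tcp/22) to the whole Internet (0.0.0.0/0 or ::/0), which is the "opened for convenience" setting described above. The three security groups are constructed for the demo, the group ids are placeholders, a TEST-NET range stands in for an office address, and no AWS call is made.

```python
"""Audit AWS security-group rules for RDP/SSH exposed to the whole Internet.
Added example, not part of the original talk. Input is the IpPermissions
structure returned by `aws ec2 describe-security-groups`; the sample groups
below are constructed for the demo."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample groups (placeholder ids): one open to the world on RDP,
# one locked to an office /24, one "allow all traffic" rule.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-example-open",
        "GroupName": "rdp-open-for-convenience",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-example-locked",
        "GroupName": "rdp-locked-to-office",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],  # TEST-NET-3 placeholder office range
             "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-example-alltraffic",
        "GroupName": "allow-all",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry allows TCP `port`. Protocol "-1" means
    all traffic and carries no FromPort/ToPort, so it covers every port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def is_world_open(cidr):
    """A range is world-open when its prefix length is 0 (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(group):
    """Sorted list of (port, name, cidr) for admin ports reachable from anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port, name in ADMIN_PORTS.items():
            if not rule_covers_port(perm, port):
                continue
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings.append((port, name, cidr))
    return sorted(findings)


def audit(groups):
    """Map GroupId -> findings for every group that has at least one."""
    report = {}
    for group in groups:
        found = exposed_admin_ports(group)
        if found:
            report[group["GroupId"]] = found
    return report


if __name__ == "__main__":
    for gid, found in audit(SAMPLE_GROUPS).items():
        for port, name, cidr in found:
            print(f"{gid}: {name} (tcp/{port}) open to {cidr}")
```

The locked-down group passes even though it exposes HTTPS to the world, because only the administrative ports are in scope; the "-1" rule is reported on both ports because an all-traffic rule is as exposed as an explicit one.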
HOW BAD COULD OPEN RDP BE?
Opened RDP for 10 days and had over 43,000 login attempts
WHO WAS TRYING TO LOG IN?
Top 5 IP Addresses
1. PT Pascal – Indonesia
2. A Small Orange – USA
3. Choopa – Netherlands
4. Sparky GmbH – Germany
5. Petersburg Internet Network – Netherlands
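Added example (not from the talk): the counting behind a "top sources" table like the one above, run over constructed Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). It also flags the pattern the later slides describe, a successful logon on an account from a source that had already failed many times against it. The records use documentation IP ranges and are constructed, not taken from the author's lab.

```python
"""Count failed RDP logons (event 4625) per source address and flag a success
(4624) that follows a burst of failures on the same account. Added example,
not from the original talk; the event records are constructed to carry the
fields of the real events and use documentation IP ranges."""
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_EVENTS = [
    # Constructed: 40 failures from one source, 25 from another that then succeeds.
    *[{"TimeCreated": f"2019-06-01T12:{m:02d}:00", "EventID": 4625,
       "TargetUserName": "admin", "IpAddress": "198.51.100.7", "LogonType": 10}
      for m in range(0, 40)],
    *[{"TimeCreated": f"2019-06-01T13:{m:02d}:00", "EventID": 4625,
       "TargetUserName": "admin", "IpAddress": "192.0.2.55", "LogonType": 10}
      for m in range(0, 25)],
    {"TimeCreated": "2019-06-01T13:30:00", "EventID": 4625,
     "TargetUserName": "backup", "IpAddress": "203.0.113.9", "LogonType": 10},
    {"TimeCreated": "2019-06-01T21:05:00", "EventID": 4624,
     "TargetUserName": "admin", "IpAddress": "192.0.2.55", "LogonType": 10},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def failures_by_source(events, logon_type=10):
    """Counter of 4625 events per IpAddress, restricted to RDP logons by default."""
    return Counter(e["IpAddress"] for e in events
                   if e["EventID"] == 4625 and e["LogonType"] == logon_type)


def top_sources(events, n=5):
    """The (ip, failure_count) pairs that would fill a 'top 5' slide."""
    return failures_by_source(events).most_common(n)


def successes_after_bruteforce(events, min_failures=20):
    """Return [(ip, user, failures_before, success_time)] for every 4624 whose
    source address had at least min_failures 4625s on that same account earlier
    in the log. Events are sorted by time so the order of the input does not matter."""
    ordered = sorted(events, key=lambda e: parse_time(e["TimeCreated"]))
    fails = defaultdict(int)  # (ip, user) -> failures seen so far
    hits = []
    for e in ordered:
        key = (e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625:
            fails[key] += 1
        elif e["EventID"] == 4624 and fails[key] >= min_failures:
            hits.append((e["IpAddress"], e["TargetUserName"], fails[key], e["TimeCreated"]))
    return hits


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_EVENTS):
        print(f"{ip:16} {count:6d} failed logons")
    for ip, user, count, when in successes_after_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT {user}@{ip}: success at {when} after {count} failures")
```

On a real host the same fields come out of the Security log (for example via `Get-WinEvent` with a filter on Id 4624/4625); the per-source counter answers "who was trying", and the success-after-failures check is the one that would have fired when the weak "admin" password fell.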
EXTRA INDICATORS: USER AND ENTITY BEHAVIOR ANALYTICS (UEBA)
WHAT HAPPENS IF A WEAK PASSWORD IS USED?
▰ On the AWS server with RDP now opened externally, I created a local account called "admin" and set the password to "P@ssw0rd!"
▰ After the password was changed around noon, someone had compromised the account within 9 hours!
▰ The admin account was used 6 times from different IP addresses over 4 days
2. Maintain Visibility and Control
MAINTAIN VISIBILITY AND CONTROL
▰ System Events: based on what happens outside of user intervention. Initiated at the OS level.
▰ User Events: focus on what each individual is actively doing. This includes command line, copy and paste, and the use of applications.
▰ Data Events: file level, including moving files from one location to another via email, uploading or downloading files, or USB usage.
SYSTEM EVENTS
Review: Who and When
USER EVENTS
Review: Network Traffic
ADDITIONAL USER EVENTS
Found: Some rules started to trigger, including some Advanced Threat Alarms
APPLICATION REVIEW
Found: Applications were installed
Table Part 1, Table Part 2
REVIEW: TIMELINE OF EVENTS
SUSPICIOUS APPLICATIONS
Found 3 of the newly installed applications came back as suspicious from VirusTotal
RECAP
▰ We have an AWS server open to the internet
▰ Someone used the Admin account to gain access into the AWS server
▰ Someone installed Chrome and did some internet browsing
▰ The login events also show someone started using the Administrator account
▰ Someone installed 3 suspicious applications which are used for network scanning
▰ One item I didn’t share is that I am now locked out of my server since the person using the Admin account changed all the passwords
3. Investigation
STARTING THE INVESTIGATION
▰ Locked down RDP
▰ Regained access to the server using the DG agent to run a PowerShell script to create a new admin account
▻ Reset all the passwords
▰ Pulled back the forensics
▻ Windows Event Logs
▻ MFT
▻ Registry
▻ Web History
DIVING INTO THE WEB HISTORY
Within the first hour of using Chrome they went to 120 different URLs, so wasting no time
WELL MAYBE WASTING A LITTLE BIT OF TIME
Watched 2 YouTube videos
▰ Signs into zoosk.com using Twitter SSO reveals two accounts:
david101 and pickyman1954@gmail.com
▰ Signs into Gmail and elitesingles.com using salsadance1956@gmail.com
▰ Uses Google SSO to sign into LOVOO, C-Date, SeniorBlackPeopleMeet.com, Badoo,
BlackPeopleMeet.com
▰ Signs into Yahoo mail using mary.jo15@yahoo.com
▻ Web history also showed a password recovery for this account
▰ Chats with 148 people on Meetmindful.com
24
AND MORE WEB HISTORY
Signs into a seniorfriendfinder.com account that is open
AND EVEN MORE WEB HISTORY
Signs into Badoo.com which again shows the profile info
GOOGLE
Started with a Google search for “pickyman1954@gmail.com” and got a hit!
Re: pickyman1954@gmail.com
Postby firefly » Thu Dec 27, 2018 6:27 pm
Additional email addresses reported online for being used in romance scams with stolen pictures from the same gallery:
- Waynell3194@gmail.com
- dan.burdell@gmail.com, danburdell@gmail.com - he was active on eHarmony.
There is a plethora of fake profiles on various dating sites using the same stolen pictures or stolen pictures of the same person.
DRAWING A CONCLUSION
▰ Seems like strange activity for a server, but this points to “catfishing”
▻ The attacker is scamming a ton of women via these online dating sites
▻ Email addresses and images found in web history all point to dating scams
▻ With the Mary Jo Yahoo account, they got her personal info including her phone number and then leveraged it to get into her Yahoo email account
▰ But why use an AWS server?
▻ Clean IP address
▻ Not from a VPN, which some dating sites may block
Catfishing?
Understanding Catfishing
▰ The term itself comes from Catfish, a 2010 movie that featured a man meeting a woman online before growing concerned about her true identity
▰ Definition: a fake or stolen online identity created or used for the purposes of beginning a deceptive relationship
▰ According to the FBI’s Internet Crime Complaint Center (IC3), romance scams result in the highest amount of financial losses to victims when compared to other online crimes
▻ In 2016, almost 15,000 complaints categorized as romance scams were reported to IC3 (nearly 2,500 more than the previous year), and the losses associated with those complaints exceeded $230 million
4. Recommendations
STRONG PASSWORDS
▰ Enforce strong passwords
▻ There are many applications that still use local accounts, so make sure they have the same requirements
▰ Password dictionary
▻ If haveibeenpwned.com currently has a database of 551,509,767 passwords, then so do the bots that are running brute force attacks
▻ Run your users’ passwords against a database to make sure these passwords are not being used
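Added example (not from the talk): one way to run passwords against a breach corpus without ever sending the password or its full hash anywhere, using the k-anonymity range scheme that haveibeenpwned.com's Pwned Passwords API uses: SHA-1 the password, look up only the first five hex characters, and compare the remaining 35 locally against the suffix list that comes back. To keep the example offline, the network call is replaced by `fake_range_response`, which builds the same `SUFFIX:COUNT` lines from a small constructed corpus; in production you would plug in a function that GETs `https://api.pwnedpasswords.com/range/<prefix>` instead. The corpus and its counts are constructed.

```python
"""Breached-password check using the k-anonymity range lookup. Added example,
not from the original talk. The corpus below is constructed; the real lookup
would fetch https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>."""
import hashlib

# Constructed stand-in for the breach database: password -> times seen.
LOCAL_CORPUS = {"P@ssw0rd!": 12345, "password": 3500000, "letmein": 1000}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_response(prefix):
    """Build the 'SUFFIX:COUNT' lines the real API returns for `prefix`,
    from LOCAL_CORPUS only (constructed replacement for the HTTP call)."""
    lines = []
    for password, count in LOCAL_CORPUS.items():
        digest = sha1_upper(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range(body):
    """Parse a range response body into {suffix: count}."""
    out = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        out[suffix.strip().upper()] = int(count.strip())
    return out


def pwned_count(password, fetch_range=fake_range_response):
    """How many times `password` appears in the corpus (0 if absent). Only the
    5-character hash prefix leaves this function; the suffix is compared locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_users(user_passwords, fetch_range=fake_range_response):
    """Map username -> breach count for every user whose password is found,
    i.e. the accounts whose password must be rotated."""
    flagged = {}
    for user, password in user_passwords.items():
        count = pwned_count(password, fetch_range)
        if count:
            flagged[user] = count
    return flagged


if __name__ == "__main__":
    for user, count in check_users({"admin": "P@ssw0rd!", "svc": "not-in-corpus-1"}).items():
        print(f"{user}: password seen {count} times, rotate it")
```

The weak password from the lab is found with a non-zero count and the "admin" user is flagged; a password absent from the corpus returns 0. Because the prefix-only lookup is the same whether the backend is the constructed corpus or the live API, swapping `fetch_range` for a real HTTP client changes nothing else.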
GOLDEN IMAGE
▰ Most cloud providers make it easy to create and maintain images
▻ The Amazon Machine Image service allows creation of reusable templates every time you spin up an EC2 instance
▰ Deploying a standard golden image allows for custom security controls and company applications to be installed, including security products
▻ Knowing what comes installed by default allows for differential reporting
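Added example (not from the talk): the differential reporting the last bullet refers to. The baseline is the program inventory recorded when the golden image was built, the current inventory is a snapshot from the running instance, and anything added, removed or changed is reported, with a missing security product called out as high severity. Both inventories are constructed CSV text in the `DisplayName,DisplayVersion` shape you would get by exporting the Uninstall registry keys with PowerShell; product names and versions are placeholders, and the sample deliberately removes the agent to exercise the high-severity branch.

```python
"""Differential reporting of installed software against a golden-image baseline.
Added example, not from the original talk. Both inventories are constructed
CSV text with placeholder product names and versions."""
import csv
import io

# Constructed baseline captured when the golden AMI was built.
GOLDEN_INVENTORY_CSV = """DisplayName,DisplayVersion
Amazon SSM Agent,2.3.0.0
DG Agent,7.5.0
Example Backup Tool,1.2.0
"""

# Constructed snapshot from the running instance after the incident.
CURRENT_INVENTORY_CSV = """DisplayName,DisplayVersion
Amazon SSM Agent,2.3.0.0
Example Backup Tool,1.3.0
Google Chrome,74.0.0.0
Example Network Scanner,2.5.0
"""

# Products whose absence is a high-severity finding on its own.
SECURITY_PRODUCTS = {"DG Agent"}


def parse_inventory(text):
    """CSV text with DisplayName,DisplayVersion columns -> {name: version}.
    Rows without a DisplayName (common in the Uninstall keys) are skipped."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("DisplayName") or "").strip()
        if name:
            inventory[name] = (row.get("DisplayVersion") or "").strip()
    return inventory


def diff_inventory(baseline, current):
    """Split the two inventories into added, removed and version-changed entries."""
    added = {n: v for n, v in current.items() if n not in baseline}
    removed = {n: v for n, v in baseline.items() if n not in current}
    changed = {n: (baseline[n], current[n]) for n in baseline
               if n in current and baseline[n] != current[n]}
    return {"added": added, "removed": removed, "changed": changed}


def findings(baseline_csv, current_csv, security_products=SECURITY_PRODUCTS):
    """List of (severity, message): removed security tooling is HIGH, any other
    removal or addition MEDIUM, version drift LOW."""
    diff = diff_inventory(parse_inventory(baseline_csv), parse_inventory(current_csv))
    out = []
    for name, version in sorted(diff["removed"].items()):
        severity = "HIGH" if name in security_products else "MEDIUM"
        out.append((severity, f"removed: {name} {version}"))
    for name, version in sorted(diff["added"].items()):
        out.append(("MEDIUM", f"added: {name} {version}"))
    for name, (old, new) in sorted(diff["changed"].items()):
        out.append(("LOW", f"changed: {name} {old} -> {new}"))
    return out


if __name__ == "__main__":
    for severity, message in findings(GOLDEN_INVENTORY_CSV, CURRENT_INVENTORY_CSV):
        print(f"[{severity}] {message}")
```

Run against the constructed inventories this reports the browser and the scanner as additions, the agent removal as HIGH, and the backup tool's version bump as drift, which is the shortlist an analyst would take to VirusTotal instead of the full program list.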
OTHER RECOMMENDATIONS
▰ Keep RDP and SSH locked down
▰ Make sure that you are collecting events either with a third party tool or with cloud monitoring tools
▰ Once an incident occurs make sure there is a response plan; third party tools can help speed up gathering evidence
CLOSING REMARKS
▰ All that sensitive data that I loaded on the server was not touched
▻ Not all bad actors are trying to steal data
▻ In my case I got a scammer that just wanted a clean work space
▰ Next time I might try to make the lab look more like a valuable target
▻ I also took back control of my server pretty quickly, so it would have been interesting to leave them alone longer to see what they would have tried next
THANKS!
Any Questions?
You can find me at https://www.linkedin.com/in/brianhileman/

Are your cloud servers under attack? – Hacker Halted 2019 – Brian Hileman
