ElectricBreeze-1
https://app.hackthebox.com/sherlocks/ElectricBreeze-1
Based on MITRE's sources, since when has Volt Typhoon been active?
Our primary goal is to find the answer within the specific source they've pointed us to: the MITRE ATT&CK framework. The most reliable way to answer a question about a specific framework is to go directly to its official source. In this case, that's the MITRE ATT&CK website. The MITRE ATT&CK website has a search function. Since the question is about "Volt Typhoon," that's the keyword we'll use.
The description on this page is very clear:
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam.
Based on MITRE's sources, Volt Typhoon has been active since at least 2021.
MITRE identifies two OS credential dumping techniques used by Volt Typhoon. One is LSASS Memory access (T1003.001). What is the Attack ID for the other technique?
On the Volt Typhoon page, we need to find the matrix or table that shows their associated techniques. By examining the "Techniques Used" matrix on the Volt Typhoon page, we can see the second method listed under OS Credential Dumping.
For a faster, scriptable approach, you can query MITRE's data directly. This is perfect for automation and advanced analysis.
Get the Group's JSON data: Use curl to download the ATT&CK layer for Volt Typhoon (G1017).
Filter with jq: Pipe the JSON output to jq, a command-line JSON processor, to filter for the specific technique.
curl -s "https://attack.mitre.org/groups/G1017/G1017-enterprise-layer.json" | jq '.techniques[] | select(.techniqueID | test("^T1003"))'

curl -s ...: Silently fetches the data from the URL.
jq '.techniques[] ...': Tells jq to look inside the "techniques" array.
select(.techniqueID | test("^T1003")): Selects only those techniques whose ID starts with "T1003".
{
  "techniqueID": "T1003",
  "showSubtechniques": true
}
{
  "techniqueID": "T1003.001",
  "comment": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has attempted to access hashed credentials from the LSASS process memory space.(Citation: Microsoft Volt Typhoon May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)\n",
  "score": 1,
  "color": "#66b1ff",
  "showSubtechniques": true
}
{
  "techniqueID": "T1003.003",
  "comment": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has used ntds.util to create domain controller installation media containing usernames and password hashes.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)\n",
  "score": 1,
  "color": "#66b1ff",
  "showSubtechniques": true
}

Your output clearly shows the two sub-techniques: T1003.001 (LSASS Memory) and T1003.003 (NTDS), confirming the answer is correct.
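The same filtering can be done offline in Python once the layer file is downloaded. This is an added example, not part of the original write-up: it parses a constructed excerpt in the layer's shape (the T1003 rows from the output above plus one invented T1059 row), groups attributed sub-techniques under their parent, and pulls the citation names out of each comment.

```python
import json
import re
from collections import defaultdict

# Constructed excerpt in the shape of G1017-enterprise-layer.json (the three
# T1003 rows from the page plus one made-up T1059 row for contrast).
LAYER_JSON = r'''{
  "name": "Volt Typhoon (G1017)",
  "techniques": [
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "score": 1, "color": "#66b1ff",
     "comment": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has attempted to access hashed credentials from the LSASS process memory space.(Citation: Microsoft Volt Typhoon May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)\n"},
    {"techniqueID": "T1003.003", "score": 1, "color": "#66b1ff",
     "comment": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has used ntds.util to create domain controller installation media.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)\n"},
    {"techniqueID": "T1059.001", "score": 1,
     "comment": "Constructed row.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)"}
  ]
}'''

CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")

def load_layer(text):
    """Parse a Navigator layer; the live file fetched with curl works too."""
    return json.loads(text)

def subtechniques_by_parent(layer):
    """Map parent ID -> sorted attributed sub-technique IDs. Rows without a
    score are bare parents present only so the sub-techniques render."""
    groups = defaultdict(list)
    for t in layer["techniques"]:
        tid = t["techniqueID"]
        if "." in tid and t.get("score") is not None:
            groups[tid.split(".", 1)[0]].append(tid)
    return {parent: sorted(ids) for parent, ids in groups.items()}

def other_subtechniques(layer, parent, known):
    """Sub-techniques of `parent` other than the one already identified."""
    return [s for s in subtechniques_by_parent(layer).get(parent, []) if s != known]

def citations(layer, technique_id):
    """Source names MITRE cites for one technique, in order of appearance."""
    for t in layer["techniques"]:
        if t["techniqueID"] == technique_id:
            return CITATION_RE.findall(t.get("comment", ""))
    return []

if __name__ == "__main__":
    layer = load_layer(LAYER_JSON)
    print(other_subtechniques(layer, "T1003", "T1003.001"))  # ['T1003.003']
```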
Which database is targeted by the credential dumping technique mentioned earlier?
We identified the technique as T1003.003, which MITRE ATT&CK® defines as "OS Credential Dumping: NTDS". The answer is right there in the name of the technique itself. Our next step is to understand what "NTDS" refers to. A quick search for "NTDS" in the context of Windows and cybersecurity will give us a very clear answer.

"NTDS" stands for NT Directory Services. The technique targets the core database for Microsoft's Active Directory. This database is stored in a file called ntds.dit. This single file, located on a domain controller, is the crown jewel for attackers because it contains a wealth of information, most importantly:
User account details for the entire domain.
Password hashes for every user.
When an adversary like Volt Typhoon gets a copy of the ntds.dit file, they can take it offline and use tools to crack the password hashes. This can give them valid credentials, including those of high-privilege Domain Administrators, allowing them to gain complete control over the network.
The credential dumping technique T1003.003 specifically targets the Active Directory database, which is contained within the ntds.dit file on a domain controller.
Which registry hive is required by the threat actor to decrypt the targeted database?
An attacker can steal the ntds.dit file, but the password hashes within it are encrypted. To make them usable, the attacker needs the key that was used to encrypt them. This key is often referred to as the Boot Key or System Key.

That critical key is stored within the Windows Registry. Specifically, it resides in the SYSTEM registry hive. The physical file for this hive is located at C:\Windows\System32\config\SYSTEM. Therefore, for the attack to be successful, a threat actor must exfiltrate two files from the domain controller:
The Active Directory database: ntds.dit
The registry hive containing the key: SYSTEM
With both of these files, the attacker can go offline and use tools like Impacket's secretsdump.py or Mimikatz to extract the password hashes from the database for cracking or use in pass-the-hash attacks.
The threat actor requires the SYSTEM registry hive to decrypt the targeted ntds.dit database.
During the June 2024 campaign, an adversary was observed using a Zero-Day Exploitation targeting Versa Director. What is the name of the Software/Malware that was used?
We need to pivot from the general knowledge of the MITRE ATT&CK framework to specific, time-sensitive threat intelligence reporting.
Deconstruct the Request
Timeframe: June 2024
Target: Versa Director (a network management product)
Attack Type: Zero-Day Exploitation
Goal: Identify the name of the Software/Malware used by the adversary.
Our search queries need to be precise to find the right security advisories or blog posts. Good queries would be:
"versa director" "zero day" after:2024-06-01 before:2024-06-30

"versa director" after:2024-06-01 before:2024-06-30

The search results are very clear and point to a specific campaign. Here's what we can synthesize from the reports:
The Vulnerability: Security researchers discovered a zero-day vulnerability in Versa Director. It has since been assigned CVE-2024-39717.
The Attacker: The campaign has been attributed with moderate confidence to the Chinese state-sponsored group Volt Typhoon.
The Malware: After exploiting the vulnerability, the attackers deployed a sophisticated, custom-tailored Java web shell. The malware has two names associated with it:
Its internal name, found within the code, is "Director_tomcat_memShell".
The name given to it by the researchers at Black Lotus Labs is VersaMem.

By analyzing timely threat intelligence reports regarding the zero-day exploit (CVE-2024-39717), we can identify the specific tool used.
The software/malware used in the attack is a custom web shell named VersaMem.
According to the Server Software Component, what type of malware was observed?
The primary function of VersaMem is to give the attacker persistent, remote access to the compromised server. It runs in memory and listens for commands, effectively providing the attacker with a "shell" on the target machine through the web server.
A piece of malware with this functionality is known as a Web Shell. The malware's internal name, "Director_tomcat_memShell," further confirms this classification.
The type of malware observed was a Web Shell.
Where did the malware store captured credentials?
Let's look at Lumen's technical report, specifically the "CapturePassTransformer – Password Harvesting" section. The malware executes the following command:

/bin/bash -c grep -q {encoded-creds} /tmp/.temp.data || echo {encoded-creds} >> /tmp/.temp.data

This command first checks whether the encrypted and encoded credentials already exist in the file /tmp/.temp.data; if they do not, it appends them to that file.
The malware stored captured credentials in the /tmp/.temp.data file.
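As an added detection example (not from the Lumen report or the original write-up), the following Python scans constructed process-execution log lines for that append-if-absent command shape and flags writes to the /tmp/.temp.data drop file; the log format and the QUJDMTIz token are invented for the sample.

```python
import re

# Constructed process-execution log lines (not real telemetry). Line 3 mirrors
# the CapturePassTransformer command; QUJDMTIz stands in for the encoded credentials.
SAMPLE_LOG = """\
2024-06-07T10:00:01Z host=versa-dir uid=versa cmd=/bin/bash -c "ls -la /opt/versa"
2024-06-07T10:00:05Z host=versa-dir uid=versa cmd=grep -q error /var/log/vnms/vnms.log
2024-06-07T10:01:12Z host=versa-dir uid=versa cmd=/bin/bash -c "grep -q QUJDMTIz /tmp/.temp.data || echo QUJDMTIz >> /tmp/.temp.data"
2024-06-07T10:02:00Z host=versa-dir uid=root cmd=/bin/bash -c "echo done >> /var/tmp/build.log"
"""

# Shape of the harvesting command: grep -q TOKEN FILE || echo TOKEN >> FILE,
# with the same token and file on both sides of the ||.
HARVEST_RE = re.compile(
    r"grep\s+-q\s+(?P<tok>\S+)\s+(?P<path>\S+)\s*\|\|\s*echo\s+(?P=tok)\s*>>\s*(?P=path)"
)
DROP_FILE_IOCS = {"/tmp/.temp.data"}  # filepath IoC from the Lumen report

def find_harvest_writes(log_text):
    """One finding per log line matching the append-if-absent pattern.
    ioc_match is an exact path hit; hidden_tmp also catches renamed dot-files."""
    findings = []
    for line in log_text.splitlines():
        m = HARVEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        findings.append({
            "timestamp": line.split()[0],
            "path": path,
            "token": m.group("tok"),
            "ioc_match": path in DROP_FILE_IOCS,
            "hidden_tmp": path.startswith("/tmp/."),
        })
    return findings

if __name__ == "__main__":
    for finding in find_harvest_writes(SAMPLE_LOG):
        print(finding)
```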
According to MITRE’s reference, a Lumen/Black Lotus Labs article (Taking The Crossroads: The Versa Director Zero-Day Exploitation), what was the filename of the first malware version scanned on VirusTotal?
The VersaMem web shell is a sophisticated JAR web shell that was uploaded to VirusTotal on June 7, 2024, with the filename “VersaTest.png” and currently has zero anti-virus (AV) detections.

The filename of the malware uploaded to VirusTotal was VersaTest.png.
What is the SHA256 hash of the file?
Every good threat intelligence report will have a dedicated section at the end titled "Indicators of Compromise" (IoCs) or a similar name. This is where they list the technical details like file hashes, IP addresses, and domain names associated with the attack.
The Lumen/Black Lotus Labs report provides the SHA256 hash, which serves as a unique identifier for the VersaTest.png file. Finding this IoC is critical for detection and response.
YARA Rules

rule VersaMem_JAR_Webshell {
    strings:
        $s1 = "org.apache.catalina.startup.Bootstrap"
        $s2 = "com.versa.vnms.ui.TestMain"
        $s3 = "/tmp/.java_pid"
        $s4 = "CoreClassFileTransformer"
        $s5 = "WriteTestTransformer"
        $s6 = "CapturePassTransformer"
        $s7 = "setUserPassword"
        $s8 = "captureLoginPasswordCode"
        $s9 = "com/versa/vnms/ui/services/impl/VersaAuthenticationServiceImpl"
        $s10 = "org/apache/catalina/core/ApplicationFilterChain"
        $s11 = "/tmp/.temp.data"
        $s12 = "getInsertCode"
        $s13 = "VersaMem"
        $s14 = "Versa-Auth"
    condition:
        filesize < 5MB and 3 of them
}

IOCs

VersaTest.png (VersaMem web shell):
4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37

Filepaths:
/tmp/.temp.data

The SHA256 hash of the file is 4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37.
According to VirusTotal, what is the file type of the malware?
We have the file's SHA256 hash. This is the perfect piece of information to use for a lookup on VirusTotal, as it's unique to that specific file.
The search results confirm that VirusTotal identifies the file as a Java Archive (JAR). Because the JAR format is built on the ZIP container format, the file is also recognised as a ZIP archive.
According to VirusTotal, the file type is Java Archive (JAR).
What is the 'Created by' value in the file's Manifest according to VirusTotal?
This requires us to dive deeper into the file's metadata as analyzed by VirusTotal. The MANIFEST.MF file in a JAR is a rich source of information about how it was built.
Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven 3.6.0
Built-By: versa
Build-Jdk: 11.0.19
Agent-Class: com.versa.vnms.ui.TestMain
Can-Redefine-Classes: true
Can-Retransform-Classes: true
Main-Class: com.versa.vnms.ui.TestMain
Premain-Class: com.versa.vnms.ui.TestMain

The 'Created by' value in the file's Manifest is Apache Maven 3.6.0.
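As an added example covering both the SHA256 IoC above and this manifest, here is Python (not from the original write-up or the Lumen report) that builds a constructed JAR carrying these manifest headers, parses MANIFEST.MF with continuation-line handling, hashes the archive against the report's SHA256, and flags the Java-agent headers that let a JAR rewrite already-loaded classes in memory, which is what makes VersaMem an in-memory web shell.

```python
import hashlib
import io
import zipfile

# Constructed sample JAR: a MANIFEST.MF carrying the page's headers and an empty
# placeholder class entry (no bytecode; this is not the real VersaMem file).
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: Apache Maven 3.6.0\r\n"
    "Agent-Class: com.versa.vnms.ui.TestMain\r\n"
    "Can-Redefine-Classes: true\r\n"
    "Can-Retransform-Classes: true\r\n"
    "Main-Class: com.versa.vnms.ui.TestMain\r\n"
    "Premain-Class: com.versa.vnms.ui.TestMain\r\n"
)
# SHA256 IoC for VersaTest.png from the Lumen report.
KNOWN_SHA256 = {"4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37"}

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", MANIFEST)
        z.writestr("com/versa/vnms/ui/TestMain.class", b"")
    return buf.getvalue()

def parse_manifest(text):
    """Main-section attributes; a leading space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # first blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def jar_triage(jar_bytes):
    """Hash the JAR and flag agent headers (Premain-/Agent-Class plus Can-Retransform/Redefine)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        attrs = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
    digest = hashlib.sha256(jar_bytes).hexdigest()
    return {"sha256": digest, "known_ioc": digest in KNOWN_SHA256,
            "created_by": attrs.get("Created-By"),
            "is_agent": "Agent-Class" in attrs or "Premain-Class" in attrs,
            "rewrites_classes": attrs.get("Can-Retransform-Classes") == "true"
                                or attrs.get("Can-Redefine-Classes") == "true"}
```

A JAR that is both Main-Class and Premain-/Agent-Class with retransform rights is unusual for an application build and is worth a closer look on any Versa Director host.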
What is the CVE identifier associated with this malware and vulnerability?
When a security vulnerability like this is discovered by researchers (in this case, Lumen's Black Lotus Labs), they report it to the software vendor (Versa Networks). A unique identifier is then requested from the CVE Program to track this specific vulnerability publicly. This identifier is the CVE number.
The CVE identifier associated with this vulnerability is CVE-2024-39717.
According to the CISA document referenced by MITRE, what is the primary strategy Volt Typhoon uses for defense evasion?
The CISA document gives a very clear and direct answer in its first sentence on the topic.
Their actors primarily use LOTL for defense evasion [TA0005], which allows them to camouflage their malicious activity with typical system and network behavior...
According to the CISA document, the primary strategy Volt Typhoon uses for defense evasion is LOTL (Living off the Land).
In the CISA document, which file name is associated with the command potentially used to analyze logon patterns by Volt Typhoon?
To find this answer, we need to look in the appendix of the CISA document, which lists specific commands observed during incident response. In "Table 2: Volt Typhoon Observed Commands in PowerShell Console History", we find the exact command and its output file.
According to the CISA document, the file name associated with the command used to analyze logon patterns is C:\users\public\documents\user.dat.
This Sherlock challenge guided us from high-level adversary tracking using the MITRE ATT&CK framework to deep-diving into specific, time-sensitive OSINT about a zero-day vulnerability. We analyzed malware characteristics, extracted Indicators of Compromise, and parsed CISA advisories to understand the attacker's TTPs.
