1. Overview

This challenge The Report involves analyzing a Red Canary’s 2022 Threat Detection Report to answer specific tasks about the what cyber threats are observed in late 2021 and early 2022.

BTLO challenge link: https://blueteamlabs.online/home/challenge/the-report-a6dd340dba

Tools used

  • A browser or PDF viewer to read the provided PDF report.

2. Analysis

The supply chain attack related to the Java logging library in late 2021 was Log4j:

T-2. Mention the MITRE Technique ID which effected more than 50% of the customers (Format: TXXXX)

The MITRE technique ID that affected more than 50% of customers was T1059 (known as Command and Scripting Interpreter):

T-3. Submit the names of 2 vulnerabilities belonging to Exchange Servers (Format: VulnNickname, VulnNickname)

The two vulns belonging to Exchange Servers were ProxyLogon and ProxyShell:

T-4. Submit the CVE of the zero day vulnerability of a driver which led to RCE and gain SYSTEM privileges (Format: CVE-XXXX-XXXXX)

The CVE for the zero-day vulnerability of a driver leading to RCE and SYSTEM privileges was CVE-2021-34527:

T-5. Mention the 2 adversary groups that leverage SEO to gain initial access (Format: Group1, Group2)

The two adversary groups leveraging SEO for initial access are Gootkit and Yellow Cockatoo:

T-6. In the detection rule, what should be mentioned as parent process if we are looking for execution of malicious js files [Hint: Not CMD] (Format: ParentProcessName.exe)

In the detection rule, the parent process for the execution of malicious .js files is wscript.exe:

T-7. Ransomware gangs started using affiliate model to gain initial access. Name the precursors used by affiliates of Conti ransomware group (Format: Affiliate1, Affiliate2, Afilliate3)

The precursors used by affiliates of the Conti ransomware group are Qbot, Bazar, and IcedID:

T-8. The main target of coin miners was outdated software. Mention the 2 outdated software mentioned in the report (Format: Software1, Software2)

The two outdated software main targets for coin miners were JBoss and WebLogic:

T-9. Name the ransomware group which threatened to conduct DDoS if they didn’t pay ransom (Format: GroupName)

The ransom group that threatened to conduct DDoS attacks if ransom was not paid was Fancy Lazarus:

T-10. What is the security measure we need to enable for RDP connections in order to safeguard from ransomware attacks? (Format: XXX)

The security measure to enable for RDP connections to safeguard from ransomware attacks is MFA:

3. SOC Flow

My steps taken to analyze the report against a standard SOC incident response lifecycle:

flowchart TD
    D[Open Red Canary 2022 Report]
    D --> E[Search Keywords e.g. Java Logging, Exchange, SEO]
    E --> F[Extract Specific Data Points]
    F --> G[Submit Answers]
    G --> E