Section 1 - KQL 101

I'll start by scoping out the organization.

Employees
| summarize count() by role

SolviSystems has 500 employees total, most being ICS Software Developers.

Section 2 - Someone's Knocking

There's an alert from SolviSystems' Web Application Firewall (WAF); someone seems to be attempting to compromise the company website.

{
   description: "DETECTION RULE TRIGGERED",
   severity: "HIGH",
   rule_description: "SUSPICIOUS TEXT IN HTTP REQUEST",
   data: https://www.solvisystems.com/feedback?message=</script>.
 <script>alert('xss')</script>
}

This is a pretty basic cross-site scripting attack; fortunately, besides the firewall alert the field the threat actors were trying to exploit sanitizes input. The attempted attack can be seen in our logs:

InboundNetworkEvents
| where url contains "alert"

The URL appears encoded in the logs; it's https://www.solvisystems.com/feedback?message=</script><script>alert('xss')</script>. The response code is 404 ("Page not Found") and shows that the attack was unsuccessful. The user agent shows that the attacker was running a version of Opera (Presto engine) under 64-bit Linux, using the X11 windowing system, and their IP address is 13.201.46.208. This attempted intrusion occurred on 2024-05-03 at 14:48:08 in the afternoon. Before investigating other possible intrusion attempts from this IP, I want to check if there are any domains or other IPs associated with these attackers.

PassiveDns
| where ip == "13.201.46.208"
| distinct domain

This IP is associated with a single domain: energy-trends4u.net. I checked for any other IPs with:

PassiveDns
| where ip == "13.201.46.208"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip

Doing another recursive lookup doesn't unveil any other domains or IP addresses. In order to weed out more possible attacker IPs, I checked InboundNetworkEvents using the known user agent string.

InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"

The attackers engaged in reconnaissance over 28 days, starting on May 1st and ending on May 29th, looking up information on the proprietary DOCKS ICS system, from pricing and the FAQs to any known security vulnerabilities; they also examined our partners (Eskom, PowerGrid Tech, SecureICS, and Industrial Control Systems) and their products. From 2024-05-03 12:15:08 to 2024-05-03 14:48:08 (i.e. in the span of roughly 2 hours and 33 minutes) they performed nine attempts at compromising our website via basic web exploits, such as XSS and SQL injections.

1. https://www.solvisystems.com/products?name=' OR '1'='1
2. https://www.solvisystems.com/search?q='; DROP TABLE users; --
3. https://www.solvisystems.com/api/data?user_id=1 UNION SELECT 1, username, password FROM users
4. https://www.solvisystems.com/api/auth?username=admin'--
5. https://www.solvisystems.com/api/settings?setting=' OR 1=1--
6. https://www.solvisystems.com/products/details?id=1 AND 1=1
7. https://www.solvisystems.com/search/results?query=';EXEC xp_cmdshell 'dir';--
8. https://www.solvisystems.com/download?file=' UNION SELECT system_user, @@version, db_name()--
9. https://www.solvisystems.com/feedback?message=</script><script>alert('xss')</script>

There is evidence the attackers managed to access internal documentation and portals, such as sharepoint.solvisystems.com and devportal.solvisystems.com.

The source IP addresses are: 105.78.23.64,13.201.46.208, 56.6.30.190, and 98.117.26.236. Checking against PassiveDns once again:

InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip
| distinct domain

Everything here screams "nefarious purposes". The attackers tried and failed to access via website exploits, and there's evidence that they successfully got access to internal systems. It's probably there were other attempts -- successful or otherwise -- to gain access to our systems. The following section will go in-depth on this matter.

Section 3 - Snail Mail

Phishing via email remains a popular and surprisingly effective attack vector to this day, so I pivot:

let bad_domains =
InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip
| distinct domain;
Email
| where tostring(parse_url(link).Host) in (bad_domains)

There are 56 emails linking to any of the three malicious domains. Using more precise queries I can extract more specific information.

The subject lines are (ignoring duplicates due to forwarding FW: and replies RE:):

1. [EXTERNAL] Business Opportunity: Two major energy companies merging
2. [EXTERNAL] [!Critical!] New Market Challenges for Solvi Systems
3. [EXTERNAL] Energy Industry Trends 2024 for Solvi Systems
4. [EXTERNAL] [!!!] Recent Mergers and Acquisitions in the Energy Industry

The targets are given links to download documents related to the alleged subject:

1. Energy_Industry_Trends_2024_4_Solvi.docx
2. Recent_Mergers_and_Acquisitions_in_Energy_Industry.docx
3. Eco_Awareness_Update_2024.docx

The email addresses used by this campaign are:

1. news@eco-awareness-updates.net
2. energy_industry_news@protonmail.com
3. electric_updates@gmail.com

And the targeted users are:

let bad_domains =
InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip
| distinct domain;
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| sort by role desc

Most targeted employees are either Customer Support Specialists or Sales Representatives, but worryingly enough, the Project Manager for Docks ICS, Docks Customer Success Manager, and DOCKS ICS Security Lead were also successfully targeted by this campaign. I used this query to confirm who did click the malicious links:

let bad_domains =
InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip
| distinct domain;
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| distinct role, name, ip_addr
| lookup OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where tostring(parse_url(url).Host) in (bad_domains)
| sort by timestamp asc

Once again, the Project Manager for Docks ICS, Docks Customer Success Manager, and DOCKS ICS Security Lead all clicked on the links. Knowing that the threat actors were looking for information on the DOCKS ICS system and that they did not target any DOCKS ICS software developers, I figured that it would be best to focus on these three.

let bad_domains =
InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip
| distinct domain;
let bad_files =
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| extend ["bad_files"] = tostring(parse_path(tostring(parse_url(link).Path)).Filename)
| distinct ["bad_files"];
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| where role has "docks"
| distinct username
| lookup FileCreationEvents on $left.username == $right.username
| sort by username, timestamp asc
| serialize
| extend payload = next(filename)
| where payload !in (bad_files)
| where filename in (bad_files) 

Note that the sha256 in the table above is for the .docx files, not ecobug.exe. Once opened, the documents drop said executable. Running a general query across the entire SolviSystems network shows that the file is located in 39 devices (38 distinct). Using a query such as

FileCreationEvents
| where filename == "ecobug.exe"
| summarize count() by hostname
| sort by count_

We can see that it got created twice on QP7A-MACHINE; if we look at the Employees table, it's Customer Support Specialist Virginia Hesse.

And if we check FileCreationEvents on her machine, we see there's an ecobug.exe with a different sha256 hash: 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3. For reference, these are all hashes associated with ecobug.exe and the amount of incidences across SolviSystems devices:

FileCreationEvents
| where filename == "ecobug.exe"
| summarize count() by filename, sha256

I'll examine what this mysterious ecobug.exe does in the following section.

Section 4 - EcoShock

Returning to studying what happens once the payload is dropped on the system, I tried the query:

let bad_domains =
InboundNetworkEvents
| where user_agent == "Opera/8.64.(X11; Linux x86_64; kok-IN) Presto/2.9.165 Version/10.00"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip
| distinct domain;
let bad_files =
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| extend ["bad_files"] = tostring(parse_path(tostring(parse_url(link).Path)).Filename)
| distinct ["bad_files"];
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| where role has "docks"
| distinct username
| lookup ProcessEvents on $left.username == $right.username
| sort by username, timestamp asc
| where timestamp >= datetime(2024-05-02 16:14:33.0000)
| where process_commandline !contains "SystemApps"
and process_commandline !contains "WindowsApps"
and process_commandline !contains "Spotify"
and process_commandline !contains "Teams"
and process_commandline !contains "Edge"

In all three devices (belonging to DOCKS ICS Security Lead Taylor Green, Project Manager for Docks ICS Jamie Lee and Docks Customer Success Manager Alexei Petrov) the payload executes and connects to IP 98.117.26.236 at port 1337. The attackers run a common set of discovery commands:

• netstat -an: [The -a flag] Displays all active TCP connections and the TCP and UDP ports on which the computer is listening. [The -n flag] [d]isplays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names. [Microsoft Learn]
• ipconfig /all: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. [Microsoft Learn]
• net view: Used without parameters, net view displays a list of computers in your current domain. [Microsoft Learn] In the hospital's case, this likely means all computers on the network.
• systeminfo: Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards). [Microsoft Learn]

...Followed by creating a new user gu@rd!an with account password abc1toothree [sic] using net users /add; the threat actor then adds the user to the administrators localgroup, giving themselves administrator rights inside the system. They use a few other discovery commands:

• net share: Manages shared resources. Used without parameters, net share displays information about all of the resources that are shared on the local computer. [Microsoft Learn]
• net use: Used without parameters, net use retrieves a list of network connections. [Microsoft Learn]
• net use /PERSISTENT:YES: Controls the use of persistent network connections. [...] Yes saves all connections as they are made, and restores them at next logon. [Microsoft Learn]

After ensuring persistence, the threat actor browses through SolviSystems' internal folders, copying documentation related to the DOCKS ICS system and its software development cycle. They compress the data into the archive CollectedData.zip and upload it to api.eco-awareness-update.net/upload. Checking company-wide shows that no other employees had data exfiltrated nor were persistent connections set except for these three employees. Curiously, checking the NetworkFlow table shows that the most frequent connections were in the most irrelevant employees:

NetworkFlow
| where dest_ip == "98.117.26.236"
| summarize count() by src_ip
| lookup Employees on $left.src_ip == $right.ip_addr
| distinct role, name, src_ip, count_

Examining without summarize by count() shows that the connections were established every 24 hours on the dot. Across all devices there are 470 total connections made to this IP address, which resolves to news-on-industry.com.

Section 5 - A Shocking Ending

There is a lead I've sort of "held off" from investigating, and it's that the attackers accessed an internal development portal and the company's SharePoint (see [1]). As a reminder, they especifically accessed the following documents:

• Development lifecycle internal processes (https://devportal.solvisystems.com/development_lifecycle/internal_process.pdf)
• The directory containing the sprint reviews for the first quarter of 2024
• DOCKS architecture documents (https://sharepoint.solvisystems.com/docs/DOCKS_Architecture.pdf)
• DOCKS ICS integration manual (https://sharepoint.solvisystems.com/docs/DOCKS_Integration_Manual.pdf)
• The directory containing the software's update logs
• The directory containing security protocols

Some were accessed multiple times.

I must also consider the possibility that, with access to employee accounts and devices, the threat actors could've impersonated employees to obtain information from unwitting targets. I assumed they would exploit the fairly high-ranking employee accounts they already compromised and exfiltrated proprietary data from in order to extract information from lower-ranking employees and trusted peers.

ProcessEvents
| where process_commandline has "net use /PERSISTENT:YES"
| distinct hostname
| lookup Employees on $left.hostname == $right.hostname
| distinct email_addr
| lookup Email on $left.email_addr == $right.sender
| where timestamp between (datetime(2024-05-02 16:15:29.0000) .. datetime(2024-06-01))
and recipient endswith "solvisystems.com"

Indeed, using all three accounts the threat actors try asking nicely for the DOCKS ICS documentation and about vulnerabilities in the software between May 27th and May 28th, with varying degrees of urgency. Doing a lookup against the Employees table shows that the targets are all related to the development to the DOCKS ICS software, as detailed below:

ProcessEvents
| where process_commandline has "net use /PERSISTENT:YES"
| distinct hostname
| lookup Employees on $left.hostname == $right.hostname
| distinct email_addr
| lookup Email on $left.email_addr == $right.sender
| where timestamp between (datetime(2024-05-27 12:20:05.0000) .. datetime(2024-05-28 12:40:47.0000))
and recipient endswith "solvisystems.com"
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr

The targeted roles were vulnerability researchers and lead developers.

In conclusion: after doing some reconnaissance via SolviSystems' web presence, threat actors attempted to access sentitive, proprietary data by using common web exploits against SolviSystems' website; when this failed, they started a phishing campaign against various employees--most low-ranking such as Customer Support and Sales--and crucially managed to convince key staff related to the DOCKS ICS software to download and open malicious documents purpoting to be industry news; the documents dropped a payload that connected to an attacker-controlled server and enabled hands-on-keyboard access, which they exploited to download and exfiltrate proprietary data on the DOCKS ICS software, including details of its development cycle and its known vulnerabilities. They also used the compromised account to extract information off uncompromised employees, especifically DOCKS ICS vulnerability researchers and lead developers.

After this, the threat actors identified themselves in a popular social media website as "Guardians of Adamastor" -- alluded to with the account guard!@n they created on the compromised devices. They claim "big things are going to start happening" and especifically mention our industry partner Eskom (#holdEskomResponsible), which was one of the partners they looked up during the reconnaissance phase of their attack.