Frognado In Valdoria

We return to the futuristic, fairly idyllic city of Valdoria. Our successful investigation into the Valdoria Times scandal has led FramtidX Development Corp. to request our services after its webpage was defaced; the corporation--the largest mall developer in the city, with a massive project blessed by the current mayor (whose opponent was targeted in the previous scandal)--fears the worst.

The player is tasked with finding out how the attackers defaced the webpage to begin with, and if they've done anything else (not-really-a-spoiler: of course they did).

Sections

Section 1 - Maybe it's just a tadpole? 😒👀

A FramtidX employee informs us that their webpage has been hacked and defaced (MITRE T1491 [ATT&CK] [D3FEND]). The threat actor calls themselves "Shadow Truth" and makes heavy use of frog imagery. Since the public-facing website was targeted, the first step is to identify and contact the person in charge of maintaining it.

Employees
| summarize count() by role
Query Results
role count_
Developer 474
Architect 100
Marketing Specialist 50
Project Manager 40
HR Manager 40
Intern 19
Sales Representative 10
Quality Assurance Engineer 10
IT Specialist 5
Lead Developer 3
Chief Architect 2
Web Administrator 1
CEO 1

This query shows that there's a single Web Administrator; looking them up on the Employees table shows that they're named Anita Bath (email address anita_bath@framtidxdevcorp.com, IP address 10.10.0.8, username anbath and hostname MYZB-LAPTOP); crucially, Anita doesn't have multi-factor authentication enabled. After contacting her and discussing the matter, she insists she didn't have anything to do with the defacement "even if it looks like she did [it]."

While an insider threat is always possible, it's just as likely that her device(s) or account(s) were compromised by the threat actor; I'll take her at her word unless there's evidence to the contrary. Furthermore, the threat actor gave us their name; it's possible it'll show up among the processes executed on the Web Administrator's device.

Employees
| where role == "Web Administrator"
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where process_commandline has "Shadow Truth"
Query Results
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
MYZB-LAPTOP 2024-07-10 11:45:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /C echo ^^<html^>^^<head^>^^<title^>Hacked by Shadow Truth^</title^>^^</head^>^^<body^>^^<h1^>Hacked by Shadow Truth!^</h1^>^^<p^>Your security is a joke. We have exposed your secrets for all to see.^</p^>^^<p^>Enjoy the memes!^</p^>^^<img src="images/frog_mall_meme1.jpg" alt="Hacked Meme"^>^^<img src="images/frog_mall_meme2.jpg" alt="Hacked Meme"^>^^</body^>^^</html^> ^ \\\\web-server\\inetpub\\wwwroot\\index.html cmd.exe f8b185d9e47b954aac6abded83ab1c0755640ae674905197e509d116522e96c3 anbath

Using echo with its output redirected to \\web-server\inetpub\wwwroot\index.html, they overwrote the home page with a short HTML defacement. The carets (^) scattered through the logged command line are cmd.exe's escape character: they stop the < and > of the HTML tags from being interpreted as input/output redirection, so the tags reach the file as literal text. The page references two images, frog_mall_meme1.jpg and frog_mall_meme2.jpg, under an images directory; the copy commands below show both being staged from the Downloads folder on the Web Administrator's own device, which suggests they were first downloaded from an attacker-controlled server.
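To make the logged command line concrete, here is an added Python helper (my code, not part of the original writeup) that strips cmd.exe's ^ escaping from an echo command and recovers both the content that was written and the redirect target, then pulls out the image references that drive the next pivot. The sample command line is constructed from the one logged above with an explicit > redirect to the UNC path; that redirect is an assumption. The number of escape layers is a parameter, because each cmd.exe that parses the line consumes one level of carets, and the logged command shows some tags double-escaped while the parent process is itself cmd.exe.

```python
import re

# Constructed sample (added example, not from the original page): the logged
# defacement command with an explicit ">" redirect to the web server's UNC
# path, which is an assumption about how the write reached index.html.
SAMPLE_CMDLINE = (
    r'cmd.exe /C echo ^^<html^>^^<head^>^^<title^>Hacked by Shadow Truth^</title^>^^</head^>'
    r'^^<body^>^^<h1^>Hacked by Shadow Truth!^</h1^>^^<p^>Your security is a joke. '
    r'We have exposed your secrets for all to see.^</p^>^^<p^>Enjoy the memes!^</p^>'
    r'^^<img src="images/frog_mall_meme1.jpg" alt="Hacked Meme"^>'
    r'^^<img src="images/frog_mall_meme2.jpg" alt="Hacked Meme"^>^^</body^>^^</html^> '
    r'> \\web-server\inetpub\wwwroot\index.html'
)


def split_redirect(text):
    """Split 'payload > target' at the first UNESCAPED '>'.

    Walks the string honouring cmd.exe's ^ escape, so an escaped ^> that is
    part of the HTML stays in the payload and only a bare '>' counts as the
    output redirection. Returns (payload, None) when there is no redirect.
    """
    payload, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "^" and i + 1 < len(text):   # keep the escape pair verbatim for now
            payload.append(text[i:i + 2])
            i += 2
            continue
        if ch == ">":
            return "".join(payload), text[i + 1:].strip()
        payload.append(ch)
        i += 1
    return "".join(payload), None


def cmd_unescape(text, layers=1):
    """Remove one level of ^ escaping per cmd.exe parsing layer ('^x' -> 'x')."""
    for _ in range(layers):
        text = re.sub(r"\^(.)", r"\1", text, flags=re.S)
    return text


def recover_echo_write(cmdline, layers=1):
    """Return (content_written, redirect_target) for a 'cmd /C echo ... > file' line."""
    m = re.search(r"\becho\s", cmdline, re.IGNORECASE)
    if not m:
        return None, None
    body, target = split_redirect(cmdline[m.end():])
    return cmd_unescape(body, layers).strip(), target


def referenced_images(html):
    """src attributes of <img> tags in the recovered page: the next pivot point."""
    return re.findall(r'<img[^>]*\bsrc="([^"]+)"', html, flags=re.IGNORECASE)


if __name__ == "__main__":
    html, target = recover_echo_write(SAMPLE_CMDLINE, layers=2)
    print("written to:", target)
    print("content   :", html)
    print("images    :", referenced_images(html))
```

With layers=2 the output is clean HTML and the two image paths; with layers=1 the opening tags still carry a single caret, which is a quick way to confirm how many shells the payload passed through.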

Employees
| where role == "Web Administrator"
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where process_commandline contains "frog_mall_meme"
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
MYZB-LAPTOP 2024-07-10 10:53:37.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /C copy C:\Users\anbath\Downloads\frog_mall_meme1.jpg C:\inetpub\wwwroot\images\frog_mall_meme1.jpg cmd.exe 5f6bdcdf580d9837ac589aa7f6cafbfaa656934049ee2cd6addb40736a4899dc anbath
MYZB-LAPTOP 2024-07-10 11:16:37.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /C copy C:\Users\anbath\Downloads\frog_mall_meme2.jpg C:\inetpub\wwwroot\images\frog_mall_meme2.jpg cmd.exe 1c5ebf66638bfa0e5af0f75e00e6c5802441f1a4a6ab313dfd15251fd28b39e9 anbath

The images were downloaded shortly before the defacement; I check from where by querying OutboundNetworkEvents:

Employees
| where role == "Web Administrator"
| distinct ip_addr
| lookup OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where url contains "frog_mall_meme"
Query Results
ip_addr timestamp method user_agent url
10.10.0.8 2024-07-10 10:52:58.0000 GET Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 https://ronniesdankmemes.com/frog_mall_meme1.jpg
10.10.0.8 2024-07-10 10:52:58.0000 GET Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 https://ronniesdankmemes.com/frog_mall_meme2.jpg

The threat actors might be related to the ones that compromised the Valdorian Times (see my investigation on the matter): the domain the images were downloaded from, ronniesdankmemes.com, is a clear reference to the Valdorian Times employee whose personal data was exfiltrated during that incident.

A lookup of this domain in PassiveDns returns no IPs.

Since every action so far was executed on Anita's host under her username, her credentials were most likely compromised at some point, perhaps stolen straight from her device. A search of the host's process history for the string "password" is a cheap first check:

Employees
| where role == "Web Administrator"
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where process_commandline contains "password"
Query Results
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
MYZB-LAPTOP 2024-07-09 15:41:29.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Get-ChildItem -Path C:\Users\anbath\Documents\* -Include *password* -Recurse powershell.exe 2b3ebd34bd0d48b1fcbd51636669401a0107bdb052862646a7f9eb7411aff0bb anbath
MYZB-LAPTOP 2024-07-10 10:28:26.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f curl.exe -o C:\ProgramData\Heartburn\mypasswordsnstuff.txt https://newdevelopmentupdates.org/mypasswordsnstuff.txt powershell.exe 6fad8666e6b9a1be4764a3b719a3747d11b95ebdbe4b0c6182834e8ff0d9ea99 anbath

Indeed, the threat actors used Get-ChildItem to list every file under Documents whose name contains the string password, recursing into subfolders. The next day they ran curl.exe; note the -o flag, which writes the HTTP response body to the given local path, so this command downloads mypasswordsnstuff.txt from newdevelopmentupdates.org into C:\ProgramData\Heartburn rather than uploading anything (an upload with curl would use -T/--upload-file, -d or -F). What the file contains is not visible in the telemetry; its name and the preceding Get-ChildItem search make credentials the evident target either way. The staging folder, Heartburn under ProgramData, was also the name of the staging folder used by the threat actors of the Azure Crest incident (see my investigation on the matter); they're either related or using the same tooling. Searching FileCreationEvents for this directory or its path returns no hits, however.

The domain the file was fetched from, newdevelopmentupdates.org, does resolve in PassiveDns, which this time returns two distinct IP addresses:

PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip
//2 ips
Query Results
ip
239.72.6.37
239.72.6.38

Pivoting on those two IPs to find any other domains that resolved to them reveals:

PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
//2 domains
Query Results
domain
newdevelopmentupdates.org
greenprojectnews.net

With these domains and IP addresses I can investigate how Anita was compromised, and if anyone else was also targeted (as part of a larger campaign). I checked if any employees received emails containing these domains using:

let bad_domains =
PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain; //2 domains
Email
| where tostring(parse_url(link).Host) in (bad_domains)
Query Results
timestamp sender reply_to recipient subject verdict link
2024-06-26 13:51:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com johanna_karlsson@framtidxdevcorp.com Urgent: Security Update Required CLEAN http://newdevelopmentupdates.org/public/signin
2024-06-26 14:32:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com erik_bjorn@framtidxdevcorp.com Important: Architectural Plan Changes CLEAN https://greenprojectnews.net/online/images/modules/share/login.html
2024-06-26 14:32:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com sofia_lindgren@framtidxdevcorp.com Important: Architectural Plan Changes CLEAN https://greenprojectnews.net/online/images/modules/share/login.html
2024-06-26 15:16:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com anita_bath@framtidxdevcorp.com Web Server Credentials Update CLEAN https://greenprojectnews.net/share/modules/files/share/enter
2024-06-26 15:52:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com jennifer_owens@framtidxdevcorp.com Urgent: Security Update Required CLEAN https://greenprojectnews.net/modules/sign_in
2024-06-26 15:52:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com marie_doty@framtidxdevcorp.com Urgent: Security Update Required CLEAN https://greenprojectnews.net/modules/sign_in
2024-06-26 15:52:20.0000 alex_johnson@framtidxdevcorp.com alex_johnson@framtidxdevcorp.com jennifer_owens@framtidxdevcorp.com Urgent: Security Update Required CLEAN https://greenprojectnews.net/modules/sign_in

Six distinct employees received the phishing emails (Jennifer Owens received the same message twice). The emails had alarming subject lines, came from what should be a trusted internal source (Developer Alex Johnson, with reply_to matching the sender, consistent with the mail having been sent from his actual mailbox rather than a spoofed address), passed the mail filter with a CLEAN verdict, and every link led to a fake login page built to harvest credentials. The targeted employees (incl. Alex Johnson) are:

let bad_domains =
PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain; //2 domains
let T =
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct sender, recipient;
T
| project ["employee_list"] = sender
| union (T | project ["employee_list"] = recipient)
| distinct employee_list
| lookup Employees on $left.employee_list == $right.email_addr
Query Results
employee_list hire_date name user_agent ip_addr username role hostname mfa_enabled company_domain
marie_doty@framtidxdevcorp.com 2021-12-06 00:00:00.0000 Marie Doty Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 10.10.0.69 madoty Sales Representative APUV-LAPTOP False framtidxdevcorp.com
johanna_karlsson@framtidxdevcorp.com 2021-12-19 00:00:00.0000 Johanna Karlsson Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 10.10.0.6 jokarlsson CEO BLVR-MACHINE False framtidxdevcorp.com
sofia_lindgren@framtidxdevcorp.com 2022-01-20 00:00:00.0000 Sofia Lindgren Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Safari/537.36 10.10.0.18 solindgren Chief Architect VJVS-MACHINE False framtidxdevcorp.com
anita_bath@framtidxdevcorp.com 2023-04-26 00:00:00.0000 Anita Bath Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 10.10.0.8 anbath Web Administrator MYZB-LAPTOP False framtidxdevcorp.com
erik_bjorn@framtidxdevcorp.com 2023-06-07 00:00:00.0000 Erik Bjorn Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 10.10.0.3 erbjorn Chief Architect LRJP-DESKTOP True framtidxdevcorp.com
jennifer_owens@framtidxdevcorp.com 2023-10-20 00:00:00.0000 Jennifer Owens Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.78 Safari/537.36 10.10.0.72 jeowens Sales Representative DVD0-LAPTOP True framtidxdevcorp.com
alex_johnson@framtidxdevcorp.com 2024-05-01 00:00:00.0000 Alex Johnson Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 10.10.0.2 aljohnson Developer HWYH-LAPTOP True framtidxdevcorp.com

Per summarize count() by role, the targets were a developer, the CEO, the web administrator, both chief architects and two sales representatives. Anita Bath, the company's only Web Administrator, was among them. Note that four of the seven have MFA disabled, Anita included, while Alex Johnson--whose account was evidently used to send the phish--does have it enabled. To confirm who clicked the links, I use this query:

let bad_domains =
PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain; //2 domains
let T =
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct sender, recipient;
T
| project ["employee_list"] = sender
| union (T | project ["employee_list"] = recipient)
| distinct employee_list
| lookup Employees on $left.employee_list == $right.email_addr
| distinct role, name, ip_addr
| lookup OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where tostring(parse_url(url).Host) in (bad_domains)
Query Results
role name ip_addr timestamp method user_agent url
CEO Johanna Karlsson 10.10.0.6 2024-06-26 14:34:20.0000 GET Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 http://newdevelopmentupdates.org/public/signin
CEO Johanna Karlsson 10.10.0.6 2024-06-26 14:34:22.0000 GET Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 http://newdevelopmentupdates.org/public/signin?username=jokarlsson&password=**********
Chief Architect Sofia Lindgren 10.10.0.18 2024-06-26 14:57:20.0000 GET Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Safari/537.36 https://greenprojectnews.net/online/images/modules/share/login.html
Chief Architect Sofia Lindgren 10.10.0.18 2024-06-26 14:57:22.0000 GET Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Safari/537.36 https://greenprojectnews.net/online/images/modules/share/login.html?username=solindgren&password=**********
Chief Architect Erik Bjorn 10.10.0.3 2024-06-26 15:11:20.0000 GET Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 https://greenprojectnews.net/online/images/modules/share/login.html
Chief Architect Erik Bjorn 10.10.0.3 2024-06-26 15:11:22.0000 GET Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 https://greenprojectnews.net/online/images/modules/share/login.html?username=erbjorn&password=**********
Web Administrator Anita Bath 10.10.0.8 2024-06-26 15:24:20.0000 GET Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 https://greenprojectnews.net/share/modules/files/share/enter
Web Administrator Anita Bath 10.10.0.8 2024-06-26 15:24:22.0000 GET Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 https://greenprojectnews.net/share/modules/files/share/enter?username=anbath&password=**********
Sales Representative Marie Doty 10.10.0.69 2024-06-26 15:57:20.0000 GET Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 https://greenprojectnews.net/modules/sign_in
Sales Representative Marie Doty 10.10.0.69 2024-06-26 15:57:22.0000 GET Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 https://greenprojectnews.net/modules/sign_in?username=madoty&password=**********
Sales Representative Jennifer Owens 10.10.0.72 2024-06-26 16:12:20.0000 GET Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.78 Safari/537.36 https://greenprojectnews.net/modules/sign_in
Sales Representative Jennifer Owens 10.10.0.72 2024-06-26 16:12:22.0000 GET Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.78 Safari/537.36 https://greenprojectnews.net/modules/sign_in?username=jeowens&password=**********
Sales Representative Jennifer Owens 10.10.0.72 2024-06-26 16:13:20.0000 GET Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.78 Safari/537.36 https://greenprojectnews.net/modules/sign_in
Sales Representative Jennifer Owens 10.10.0.72 2024-06-26 16:13:22.0000 GET Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.78 Safari/537.36 https://greenprojectnews.net/modules/sign_in?username=jeowens&password=**********

All of them did, unfortunately, and all of them entered their credentials: each click is followed two seconds later by a second GET carrying username and password in the query string, which is the credential form being submitted to the phishing page. Interestingly, there are no signs of Alex Johnson ever having clicked a link affiliated with Shadow Truth; perhaps he was compromised in a different manner. Before investigating further, I confirm which accounts the threat actors actually accessed using:

let bad_ips =
PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip; //2 ips
AuthenticationEvents
| where src_ip in (bad_ips)
Query Results
timestamp hostname src_ip user_agent username result password_hash description
2024-06-20 00:00:00.0000 MAIL-SERVER01 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 aljohnson Successful Login 1e7334cf5bd803e02b8bcf339c9d5315 A user attempted to log in to their email
2024-06-27 10:35:54.0000 LRJP-DESKTOP 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 erbjorn Successful Login 2379a957d6923e72a8de3c653682ba6f User successfully logged into their machine.
2024-06-27 10:41:38.0000 VJVS-MACHINE 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 solindgren Successful Login 22886d6cb1aabf45dcd371ecaf943b5c User successfully logged into their machine.
2024-06-27 11:02:51.0000 DVD0-LAPTOP 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 jeowens Successful Login 059b26bb7f11723c48b2cf3001605282 User successfully logged into their machine.
2024-06-27 11:06:48.0000 MYZB-LAPTOP 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 anbath Successful Login 07f869b0ffcc770fad7d8631c5924ff5 User successfully logged into their machine.
2024-06-27 12:09:51.0000 DVD0-LAPTOP 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 jeowens Successful Login 059b26bb7f11723c48b2cf3001605282 User successfully logged into their machine.
2024-06-27 12:12:29.0000 APUV-LAPTOP 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 madoty Successful Login 49592e924133f6acba5a864cb0b1db08 User successfully logged into their machine.
2024-06-27 12:40:59.0000 BLVR-MACHINE 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 jokarlsson Successful Login 750a910b14d63e3ee6a37c8f49b037a9 User successfully logged into their machine.

The threat actor, connecting from the same two IP addresses that host the phishing domains, successfully logged into every targeted user's account on 2024-06-27, the day after the phish. Six days before the phishing emails were sent (2024-06-20, the same day as the reconnaissance shown in Section 3), they had already logged into Alex Johnson's email on MAIL-SERVER01, which explains how the messages came from his mailbox without him clicking anything. Two caveats worth flagging: Alex Johnson, Erik Bjorn and Jennifer Owens all have mfa_enabled set to True, yet the logons above succeeded, so either MFA wasn't enforced on these logons or it was bypassed, and the telemetry doesn't say which; and the user agent on every attacker login (Firefox 3.6 on a PowerPC Mac claiming OS X 10.9, a combination that never shipped) is distinctive enough to be a pivot in its own right.
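As an added example (my code, not the author's queries or any tool's output), here is the same phishing-chain triage in Python over constructed records shaped like the PassiveDns, Email, OutboundNetworkEvents, AuthenticationEvents and Employees tables used above: pivot the seed domain to its IPs and sibling domains, match email links by host, distinguish a click from a credential submission by the query string, and correlate successful logons from the attacker IPs. It goes one step beyond the queries above in that it also flags the two conditions that deserve follow-up rather than closure: an attacker logon with no observed credential submission (as with Alex Johnson) and an attacker logon against an MFA-enabled account. The rows are a small constructed subset of what the tables returned, plus one benign domain, email and request that must not be picked up.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (added example). Shapes mirror the tables queried
# above; the rows are a small subset plus one benign domain/email/request.
PASSIVE_DNS = [  # (domain, ip)
    ("newdevelopmentupdates.org", "239.72.6.37"),
    ("newdevelopmentupdates.org", "239.72.6.38"),
    ("greenprojectnews.net", "239.72.6.37"),
    ("cdn.example.net", "203.0.113.10"),
]
EMPLOYEES = {  # email -> (username, ip_addr, mfa_enabled)
    "anita_bath@framtidxdevcorp.com": ("anbath", "10.10.0.8", False),
    "erik_bjorn@framtidxdevcorp.com": ("erbjorn", "10.10.0.3", True),
    "alex_johnson@framtidxdevcorp.com": ("aljohnson", "10.10.0.2", True),
}
EMAILS = [  # (sender, recipient, link)
    ("alex_johnson@framtidxdevcorp.com", "anita_bath@framtidxdevcorp.com",
     "https://greenprojectnews.net/share/modules/files/share/enter"),
    ("alex_johnson@framtidxdevcorp.com", "erik_bjorn@framtidxdevcorp.com",
     "https://greenprojectnews.net/online/images/modules/share/login.html"),
    ("it@framtidxdevcorp.com", "anita_bath@framtidxdevcorp.com",
     "https://cdn.example.net/policy.pdf"),
]
OUTBOUND = [  # (src_ip, url)
    ("10.10.0.8", "https://greenprojectnews.net/share/modules/files/share/enter"),
    ("10.10.0.8", "https://greenprojectnews.net/share/modules/files/share/enter"
                  "?username=anbath&password=**********"),
    ("10.10.0.3", "https://greenprojectnews.net/online/images/modules/share/login.html"),
    ("10.10.0.2", "https://cdn.example.net/policy.pdf"),
]
AUTH = [  # (src_ip, hostname, username, result)
    ("239.72.6.37", "MAIL-SERVER01", "aljohnson", "Successful Login"),
    ("239.72.6.38", "MYZB-LAPTOP", "anbath", "Successful Login"),
    ("239.72.6.37", "LRJP-DESKTOP", "erbjorn", "Successful Login"),
    ("239.72.6.37", "LRJP-DESKTOP", "erbjorn", "Failed Login"),
]


def pivot_domains(passive_dns, seed_domain):
    """One-hop passive-DNS pivot: the seed's IPs and every domain sharing one."""
    ips = {ip for d, ip in passive_dns if d == seed_domain}
    return ips, {d for d, ip in passive_dns if ip in ips}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def submitted_credentials(url):
    """A phishing form submitted via GET leaves username and password in the query."""
    qs = parse_qs(urlsplit(url).query)
    return "username" in qs and "password" in qs


def triage(passive_dns, employees, emails, outbound, auth, seed_domain):
    """Per-user view: phished? clicked? submitted creds? attacker logon? MFA?"""
    bad_ips, bad_domains = pivot_domains(passive_dns, seed_domain)
    user_by_ip = {ip: user for _, (user, ip, _) in employees.items()}
    mfa_by_user = {user: mfa for _, (user, _, mfa) in employees.items()}
    report = {}

    def entry(user):
        return report.setdefault(user, {
            "phished": False, "clicked": False, "submitted": False,
            "attacker_login": False, "mfa": mfa_by_user.get(user)})

    for _sender, recipient, link in emails:
        if host_of(link) in bad_domains and recipient in employees:
            entry(employees[recipient][0])["phished"] = True
    for src_ip, url in outbound:
        if host_of(url) in bad_domains and src_ip in user_by_ip:
            e = entry(user_by_ip[src_ip])
            e["clicked"] = True
            e["submitted"] = e["submitted"] or submitted_credentials(url)
    for src_ip, _host, user, result in auth:
        if src_ip in bad_ips and result == "Successful Login":
            entry(user)["attacker_login"] = True
    return report


def needs_explanation(report):
    """Attacker logons not explained by an observed credential submission, or
    against an MFA-enabled account: chase these instead of closing them."""
    return sorted(u for u, e in report.items()
                  if e["attacker_login"] and (not e["submitted"] or e["mfa"]))


if __name__ == "__main__":
    rep = triage(PASSIVE_DNS, EMPLOYEES, EMAILS, OUTBOUND, AUTH, "newdevelopmentupdates.org")
    for user, e in sorted(rep.items()):
        print(user, e)
    print("follow up:", needs_explanation(rep))
```

On the constructed rows anbath closes cleanly (phished, clicked, submitted, logged into, no MFA), while erbjorn (clicked but no submission seen, MFA on) and aljohnson (never phished, yet logged into) land on the follow-up list, which is exactly the gap the page's own analysis runs into with Alex Johnson.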

Section 2 - KQL 101 📚

(This section was a simple refresher on KQL basics.)

Section 3 - Alright it's definitely an angry frog or two 🥵😨

Erik Bjorn, one of the two chief architects, informs me that the page used to access internal plans was defaced and that he'll try to contact the other chief architect, Sofia Lindgren, who is currently on vacation; apparently, the architectural plans for FramtidX's latest project have gone missing. I must note that both Erik and Sofia had their accounts compromised by the threat actor (see [9] above). As previously uncovered (see [8]), the chief architects received phishing emails informing them of alleged "Architectural Plan Changes". Much like Anita Bath's phishing email ("Web Server Credentials Update"), the subject line was tailored to the recipient's role (chief architect and web administrator, respectively); clearly, the attackers did their research before the attack. To search for signs of that reconnaissance against FramtidX's webpage, I query InboundNetworkEvents for the attacker IPs:

let bad_ips =
PassiveDns
| where domain == "newdevelopmentupdates.org"
| distinct ip; //2 ips
InboundNetworkEvents
| where src_ip in (bad_ips)
Query Results
timestamp method src_ip user_agent url referrer status_code
2024-06-20 00:00:00.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DFramtidX%2Bleadership%2Bteam https:framtidxdevcorp.com/search 200
2024-06-20 10:15:48.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCurrent%2Bproject%2Bdetails https:framtidxdevcorp.com/search 200
2024-06-20 10:16:17.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DArchitectural%2Bplans%2Bfor%2Bthe%2Bnew%2Bmall https:framtidxdevcorp.com/search 200
2024-06-20 10:17:06.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DInternal%2Bdocuments%2Brepository https:framtidxdevcorp.com/search 200
2024-06-20 10:17:42.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCompany%2Bemail%2Bdirectory https:framtidxdevcorp.com/search 200
2024-06-20 10:17:50.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DDeveloper%2Bcontact%2Blist https:framtidxdevcorp.com/search 200
2024-06-20 10:18:18.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DIT%2Binfrastructure%2Boverview https:framtidxdevcorp.com/search 200
2024-06-20 10:18:54.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCurrent%2Band%2Bupcoming%2Bprojects https:framtidxdevcorp.com/search 200
2024-06-20 10:19:38.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DSecret%2Bprojects%2Band%2Binitiatives https:framtidxdevcorp.com/search 200
2024-06-20 10:19:57.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DShady%2Bdeals%2Band%2Bagreements https:framtidxdevcorp.com/search 200
2024-06-20 10:20:15.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DEnvironmental%2Bimpact%2Breports https:framtidxdevcorp.com/search 200
2024-06-20 10:20:52.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DRecent%2Bcompany%2Bscandals https:framtidxdevcorp.com/search 200
2024-06-20 10:21:18.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DInsider%2Btrading%2Bactivities https:framtidxdevcorp.com/search 200
2024-06-20 10:22:00.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DUnethical%2Bpractices%2Bwithin%2Bthe%2Bcompany https:framtidxdevcorp.com/search 200
2024-06-20 10:22:46.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCEO%2527s%2Bdark%2Bsecrets https:framtidxdevcorp.com/search 200
2024-06-20 10:23:26.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DWhy%2Bis%2Bthis%2Bcompany%2Bso%2Bevil%253F https:framtidxdevcorp.com/search 200
2024-06-20 10:24:25.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DEvil%2Bplans%2Band%2Bschemes https:framtidxdevcorp.com/search 200
2024-06-20 10:25:09.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DHow%2Bto%2Bexpose%2Bcorporate%2Bcorruption https:framtidxdevcorp.com/search 200
2024-06-20 10:26:06.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DContact%2Binformation%2Bfor%2BIT%2Badmins https:framtidxdevcorp.com/search 200
2024-06-20 10:26:38.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DBackdoor%2Baccess%2Bpoints https:framtidxdevcorp.com/search 200
2024-06-20 10:26:55.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DBribery%2Bschemes%2Band%2Bpayouts https:framtidxdevcorp.com/search 200
2024-06-20 10:27:18.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCompany%2Bcover-ups https:framtidxdevcorp.com/search 200
2024-06-20 10:28:15.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DMoney%2Blaundering%2Boperations https:framtidxdevcorp.com/search 200
2024-06-20 10:29:07.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DHidden%2Boffshore%2Baccounts https:framtidxdevcorp.com/search 200
2024-06-20 10:29:44.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DOffshore%2Binvestments https:framtidxdevcorp.com/search 200
2024-06-20 10:30:21.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DWhistleblower%2Breports https:framtidxdevcorp.com/search 200
2024-06-20 10:30:23.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DEmployee%2Bcomplaints%2Band%2Bgrievances https:framtidxdevcorp.com/search 200
2024-06-20 10:30:42.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DUnethical%2Bexperiments%2Bconducted https:framtidxdevcorp.com/search 200
2024-06-20 10:30:53.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DFrog%2Bmassacre%2Bcontroversy https:framtidxdevcorp.com/search 200
2024-06-20 10:31:21.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCorruption%2Bwithin%2Bthe%2Bcompany https:framtidxdevcorp.com/search 200
2024-06-20 10:32:07.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DForbidden%2Bfiles%2Band%2Bdocuments https:framtidxdevcorp.com/search 200
2024-06-20 10:32:19.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DSecret%2Bvault%2Bcontents https:framtidxdevcorp.com/search 200
2024-06-20 10:33:13.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCorporate%2Bconspiracy%2Btheories https:framtidxdevcorp.com/search 200
2024-06-20 10:33:47.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DVillainous%2Bplans%2Band%2Bplots https:framtidxdevcorp.com/search 200
2024-06-20 10:34:43.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DSecret%2Blaboratories https:framtidxdevcorp.com/search 200
2024-06-20 10:34:57.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DHidden%2Bcameras%2Bin%2Bthe%2Boffice https:framtidxdevcorp.com/search 200
2024-06-20 10:35:51.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DSurveillance%2Bfootage https:framtidxdevcorp.com/search 200
2024-06-20 10:36:31.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DClassified%2Binformation https:framtidxdevcorp.com/search 200
2024-06-20 10:37:03.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DDirty%2Blaundry%2Bof%2Bthe%2Bexecutives https:framtidxdevcorp.com/search 200
2024-06-20 10:37:16.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DEmployee%2Bblackmail%2Bincidents https:framtidxdevcorp.com/search 200
2024-06-20 10:37:44.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DRansom%2Bnotes%2Bfound https:framtidxdevcorp.com/search 200
2024-06-20 10:38:15.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DWho%2Bis%2Bthe%2Bevil%2Bmastermind%253F https:framtidxdevcorp.com/search 200
2024-06-20 10:38:57.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCompany%2527s%2Bties%2Bto%2Bthe%2Bdark%2Bweb https:framtidxdevcorp.com/search 200
2024-06-20 10:39:21.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/about-us https://www.linkedin.com 200
2024-06-20 10:39:58.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/contact https://www.linkedin.com 200
2024-06-20 10:40:16.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/leadership https://www.linkedin.com 200
2024-06-20 10:40:51.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/leadership/johanna-karlsson https://www.linkedin.com 200
2024-06-20 10:41:07.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/leadership/team https://www.linkedin.com 200
2024-06-20 10:41:39.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/leadership/evil-masterminds https://www.linkedin.com 200
2024-06-20 10:41:41.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/projects https://www.linkedin.com 200
2024-06-20 10:42:28.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/projects/current https://www.linkedin.com 200
2024-06-20 10:42:46.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/projects/new-mall https://www.linkedin.com 200
2024-06-20 10:42:53.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/projects/secret https://www.findevilcorps.net 200
2024-06-20 10:43:15.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/projects/marshland-exploitation https://www.findevilcorps.net 200
2024-06-20 10:44:11.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/projects/world-domination https://www.findevilcorps.net 200
2024-06-20 10:44:50.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news https://www.findevilcorps.net 200
2024-06-20 10:45:35.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/press-releases https://www.findevilcorps.net 200
2024-06-20 10:45:50.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/internal-updates https://www.findevilcorps.net 200
2024-06-20 10:46:38.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/articles/new-mall-project-ahead-of-schedule https://www.valdoriantimes.com 200
2024-06-20 10:46:56.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/articles/marshland-exploitation-benefits https://www.valdoriantimes.com 200
2024-06-20 10:46:59.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/articles/ceo-interview-johanna-karlsson https://www.valdoriantimes.com 200
2024-06-20 10:47:23.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/articles/meet-our-it-admins https://www.valdoriantimes.com 200
2024-06-20 10:48:14.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/articles/why-frogs-don%27t-matter https://www.valdoriantimes.com 200
2024-06-20 10:48:21.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/news/articles/refill-the-swamp https://www.valdoriantimes.com 200
2024-06-20 10:48:29.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/careers https://www.valdorianjobs.com 200
2024-06-20 11:34:29.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/careers/opportunities https://www.valdorianjobs.com 200
2024-06-20 12:05:29.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/careers/team https://www.valdorianjobs.com 200
2024-06-20 12:09:29.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/careers/become-a-minion https://www.valdorianjobs.com 200
2024-06-20 12:46:29.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/blog https://www.valdorianjobs.com 200
2024-06-20 13:14:29.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/blog/company-updates https://www.valdorianjobs.com 200
2024-06-20 13:34:29.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/blog/posts/behind-the-scenes-it-department https://www.valdorianjobs.com 200
2024-06-20 14:02:29.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/blog/posts/interview-with-johanna-karlsson https://www.valdorianjobs.com 200
2024-06-20 14:06:29.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/blog/posts/future-projects-and-developments https://www.valdorianjobs.com 200
2024-06-20 14:20:29.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/blog/posts/how-to-hide-your-evil-plans https://www.valdorianjobs.com 200
2024-06-21 10:29:56.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://microsoftonline.com 200
2024-06-21 10:30:47.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://msn.com 200
2024-06-21 10:31:41.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://linkedin.com 200
2024-06-21 10:32:18.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://pinterest.com 200
2024-06-21 11:11:44.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://duckduckgo.com 200
2024-06-21 11:11:51.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://discord.com 200
2024-06-21 11:11:53.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://sharepoint.com 200
2024-06-21 11:12:25.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://duckduckgo.com 200
2024-06-21 11:29:30.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://duckduckgo.com 200
2024-06-21 11:29:39.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://fandom.com 200
2024-06-21 11:30:28.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://openai.com 200
2024-06-21 11:30:37.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://okta.com 200
2024-06-21 12:14:51.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://duosecurity.com 200
2024-06-21 12:15:49.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://wikipedia.org 200
2024-06-21 12:15:53.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://instagram.com 200
2024-06-21 12:15:58.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://google.com 200
2024-06-21 12:37:07.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://duosecurity.com 200
2024-06-21 12:37:54.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://linktr.ee 200
2024-06-21 12:38:14.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://microsoft.com 200
2024-06-21 12:38:28.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://wikipedia.org 200
2024-06-21 12:48:26.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://twitch.tv 200
2024-06-21 12:48:42.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://google.com 200
2024-06-21 12:49:27.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://ebay.com 200
2024-06-21 12:50:18.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://t.co 200
2024-06-21 13:46:57.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://twitch.tv 200
2024-06-21 13:47:47.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://discord.com 200
2024-06-21 13:48:27.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://duckduckgo.com 200
2024-06-21 13:48:43.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://facebook.com 200

There are quite a lot of results. The first batch of requests, dated 2024-06-20, are search queries about controversies involving FramtidX: harm to local frog populations, alleged shady deals, offshore accounts and bribery, whistleblower incidents and the like (the terms are double percent-encoded in the log, e.g. %253F for "?", so decode them twice before keyword-matching). The actor also searched for ways to contact FramtidX's IT staff and developers, for a public-facing employee email directory, for internal document repositories reachable from the web, for IT infrastructure details and for any existing backdoors into it. They then browsed the "about us" page, individual employee pages such as CEO Johanna Karlsson's, current and historic projects, press releases, the careers page, an article about FramtidX's IT team, and so on. Taken together this is textbook pre-attack reconnaissance (MITRE T1593, Search Open Websites/Domains, and T1594, Search Victim-Owned Websites).

The next day, they accessed internal directories containing emails, documents, architectural plans and IT infrastructure details, and every one of those requests returned HTTP 200 to an address outside the corporate network, which is a finding in its own right. Interestingly, the referrers for these accesses include popular social media sites, OpenAI, common search engines, identity providers (okta.com, duosecurity.com) and services such as valdoriantimes.com, valdorianjobs.com and findevilcorps.net; the most frequent external referrer is valdorianjobs.com, followed by linkedin.com. The Referer header is supplied by the client, so a referrer that changes on nearly every request from the same two IP addresses says nothing about where the visitor actually came from; it is more consistent with a scripted crawler rotating headers than with a human following links. At this time they had access to Developer Alex Johnson's account; before following up on that, I'd like to confirm what, if anything, the threat actor did on the chief architects' devices.
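As an added example that is not part of the original writeup, the Python below parses rows in the format of the web-log results above, decodes the search terms (two passes, because the queries are double percent-encoded), lists /internal/ paths served with HTTP 200 to non-private source addresses, and flags clients whose referrer changes across a handful of requests. The sample rows are copied from the results above; the "external" test is simply "not RFC 1918", an assumption about this environment (the 239.72.6.0/24 addresses in the exercise actually fall in the administratively scoped multicast block, which a real access log would never show as a source).

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_plus, urlparse

# Constructed sample: seven rows copied from the web-log results above, one per line, in the
# column order those results use (timestamp, method, src_ip, user_agent, url, referrer, status).
SAMPLE_LOG = """\
2024-06-20 10:38:15.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DWho%2Bis%2Bthe%2Bevil%2Bmastermind%253F https:framtidxdevcorp.com/search 200
2024-06-20 10:38:57.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/search%3DCompany%2527s%2Bties%2Bto%2Bthe%2Bdark%2Bweb https:framtidxdevcorp.com/search 200
2024-06-21 10:29:56.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/documents https://microsoftonline.com 200
2024-06-21 10:30:47.0000 GET 239.72.6.37 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/emails https://msn.com 200
2024-06-21 10:31:41.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/architectural_plans https://linkedin.com 200
2024-06-21 10:32:18.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://pinterest.com 200
2024-06-21 11:30:37.0000 GET 239.72.6.38 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_9_3; rv:1.9.6.20) Gecko/2022-06-30 19:57:20 Firefox/3.6.11 https://framtidxdevcorp.com/internal/it_infrastructure https://okta.com 200
"""

# The user-agent column contains spaces, so anchor on the fixed columns around it:
# everything between the source IP and the first "http(s):" token is the user agent.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<method>[A-Z]+) (?P<ip>\S+) "
    r"(?P<ua>.*?) (?P<url>https?:\S+) (?P<referrer>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line[:60]}...")
    row = m.groupdict()
    row["status"] = int(row["status"])
    return row


def decode_search(url):
    """Return the plaintext search term for /search%3D... URLs, else None.

    The query sits in the path, percent-encoded twice (%253F is a doubly encoded
    '?'), so two decoding passes are needed before keyword matching.
    """
    once = unquote(urlparse(url).path)          # "/search=Who+is+the+evil+mastermind%3F"
    if not once.startswith("/search="):
        return None
    return unquote_plus(once[len("/search="):])


def is_external(ip):
    # Assumption for this environment: anything outside RFC 1918/loopback/link-local is external.
    return not ipaddress.ip_address(ip).is_private


def referrer_host(ref):
    # Tolerates the malformed "https:framtidxdevcorp.com/search" referrer seen in the log.
    return re.sub(r"^https?:(//)?", "", ref).split("/")[0].lower()


def triage(log_text, internal_prefix="/internal/", rotate_threshold=3):
    searches, internal_hits = [], []
    referrers = defaultdict(set)
    for line in log_text.splitlines():
        row = parse_line(line)
        term = decode_search(row["url"])
        if term:
            searches.append((row["ip"], term))
        path = urlparse(row["url"]).path
        if path.startswith(internal_prefix) and row["status"] == 200 and is_external(row["ip"]):
            internal_hits.append((row["ts"], row["ip"], path))
            referrers[row["ip"]].add(referrer_host(row["referrer"]))
    # One client presenting many unrelated referrers on a handful of requests is rotating a
    # client-controlled header, not arriving from those sites.
    rotating = sorted(ip for ip, refs in referrers.items() if len(refs) >= rotate_threshold)
    return {"searches": searches, "internal_hits": internal_hits,
            "referrers": {ip: sorted(r) for ip, r in referrers.items()},
            "rotating_referrer_ips": rotating}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, term in result["searches"]:
        print(f"search from {ip}: {term!r}")
    for ts, ip, path in result["internal_hits"]:
        print(f"{ts} external {ip} got 200 on {path}")
    print("rotating referrers:", result["rotating_referrer_ips"])
```

The same parser can be pointed at the full export; the interesting tunables are the `internal_prefix` (whatever paths should never answer to the Internet) and `rotate_threshold`, which should be set against how many distinct referrers a real visitor produces in your own logs.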

Employees
| where role =~ "chief architect"
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where timestamp >= datetime(2024-06-27 10:35:54.0000) //when Erik got compromised (Sofia was shortly after)
and process_commandline !contains ("WindowsApps")
and process_commandline !contains ("SystemApps")
| sort by hostname, timestamp asc 
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
VJVS-MACHINE 2024-07-09 15:58:46.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Remove-Item C:\Users\solindgren\Documents\SuperImportantMallProjectArchitecturalPlans.docx powershell.exe d1ed187d85902d679e2926303c291bfa391aa1b4e32b59ae744fbf4ff892f554 solindgren
VJVS-MACHINE 2024-07-10 12:50:15.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://newdevelopmentupdates.org/fake_plans.docx -OutFile C:\Users\solindgren\Documents\fake_plans.docx powershell.exe 39d2fa1fba52e8cc137c5947672cf150632443b9cd196d3ad7240cfd92923d43 solindgren
VJVS-MACHINE 2024-07-10 13:43:15.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Rename-Item -Path C:\Users\solindgren\Documents\fake_plans.docx -NewName SuperImportantMallProjectArchitecturalPlans.docx powershell.exe 0a43dc1485830d568cdf63d557fbffe4c6f188ec2e95e54ff3d419d6a7589501 solindgren
LRJP-DESKTOP 2024-07-09 14:23:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Remove-Item C:\Users\erbjorn\Documents\SuperImportantMallProjectArchitecturalPlans.docx powershell.exe e3f9d770e6c24534e68c3084f0d7f3ceaaaf7991a624736aa0636f4819a0eeb4 erbjorn
LRJP-DESKTOP 2024-07-09 14:39:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://newdevelopmentupdates.org/fake_plans.docx -OutFile C:\Users\erbjorn\Documents\fake_plans.docx powershell.exe debdcab77ca53b6b441c2debf37a60a74cd982cb889441917a0303daf6273f3d erbjorn
LRJP-DESKTOP 2024-07-09 15:22:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Rename-Item -Path C:\Users\erbjorn\Documents\fake_plans.docx -NewName SuperImportantMallProjectArchitecturalPlans.docx powershell.exe 9d2c8d40ffcb5db6c9c91b1725ec44bf46f943f2fb0bc15c13f31c762657b8bc erbjorn

On both devices the threat actors deleted SuperImportantMallProjectArchitecturalPlans.docx, downloaded a decoy from https://newdevelopmentupdates.org/fake_plans.docx into the same folder and renamed it to the original file name, so a casual look at the folder would show nothing missing. Remove-Item deletes outright rather than moving to the Recycle Bin, so unless backups, Volume Shadow Copies or document version history exist, the real plans are gone; this is Stored Data Manipulation (T1565.001 [MITRE ATT&CK]), and the decoy download is an ingress file transfer (T1105) from a domain that should be blocked and searched for across the rest of the environment. Two further details are worth noting. The sequence ran on Erik's machine first (2024-07-09, 14:23 to 15:22) and on Sofia's second (deletion on 2024-07-09 at 15:58, replacement the following day), and every powershell.exe row carries a different process_hash; on a real host the hash of the same binary does not change between runs and that alone would justify pulling the binaries, though here it is most likely an artifact of how the exercise data was generated.
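As an added example, not from the original writeup, here is how the delete, download, rename chain can be picked out of process telemetry mechanically rather than by eye: a Rename-Item whose resulting path equals a file removed on the same host shortly before is the signal, and a preceding Invoke-WebRequest -OutFile on the renamed source tells you where the decoy came from. The events are the six rows from the table above plus one benign rename invented for the test; the PowerShell argument parsing is deliberately simple (unquoted paths only) and the 48-hour window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: the six chief-architect rows from the ProcessEvents results above
# (host, timestamp, user, command line) plus one benign rename that must not alert.
EVENTS = [
    ("VJVS-MACHINE", "2024-07-09 15:58:46", "solindgren",
     r"Remove-Item C:\Users\solindgren\Documents\SuperImportantMallProjectArchitecturalPlans.docx"),
    ("VJVS-MACHINE", "2024-07-10 12:50:15", "solindgren",
     r"Invoke-WebRequest -Uri https://newdevelopmentupdates.org/fake_plans.docx -OutFile C:\Users\solindgren\Documents\fake_plans.docx"),
    ("VJVS-MACHINE", "2024-07-10 13:43:15", "solindgren",
     r"Rename-Item -Path C:\Users\solindgren\Documents\fake_plans.docx -NewName SuperImportantMallProjectArchitecturalPlans.docx"),
    ("LRJP-DESKTOP", "2024-07-09 14:23:50", "erbjorn",
     r"Remove-Item C:\Users\erbjorn\Documents\SuperImportantMallProjectArchitecturalPlans.docx"),
    ("LRJP-DESKTOP", "2024-07-09 14:39:50", "erbjorn",
     r"Invoke-WebRequest -Uri https://newdevelopmentupdates.org/fake_plans.docx -OutFile C:\Users\erbjorn\Documents\fake_plans.docx"),
    ("LRJP-DESKTOP", "2024-07-09 15:22:50", "erbjorn",
     r"Rename-Item -Path C:\Users\erbjorn\Documents\fake_plans.docx -NewName SuperImportantMallProjectArchitecturalPlans.docx"),
    ("LRJP-DESKTOP", "2024-07-11 09:00:00", "erbjorn",   # invented benign rename
     r"Rename-Item -Path C:\Users\erbjorn\Documents\draft.docx -NewName notes.docx"),
]

# Minimal argument extraction; real command lines with quoted paths need a proper tokenizer.
REMOVE_RE = re.compile(r"Remove-Item\s+(?:-Path\s+)?(?P<path>\S+)", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest\s.*?-Uri\s+(?P<uri>\S+).*?-OutFile\s+(?P<out>\S+)", re.I)
RENAME_RE = re.compile(r"Rename-Item\s.*?-Path\s+(?P<path>\S+).*?-NewName\s+(?P<new>\S+)", re.I)


def norm(path):
    # NTFS paths are case-insensitive, so compare a normalised lower-case form.
    return str(PureWindowsPath(path)).lower()


def find_file_replacements(events, window=timedelta(hours=48)):
    """Flag Remove-Item -> (Invoke-WebRequest) -> Rename-Item-over-the-deleted-name chains per host."""
    removed = {}      # (host, path) -> time of Remove-Item
    downloaded = {}   # (host, path) -> (time, uri) of Invoke-WebRequest -OutFile
    alerts = []
    for host, ts, user, cmd in sorted(events, key=lambda e: e[1]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if m := REMOVE_RE.search(cmd):
            removed[(host, norm(m["path"]))] = t
        elif m := DOWNLOAD_RE.search(cmd):
            downloaded[(host, norm(m["out"]))] = (t, m["uri"])
        elif m := RENAME_RE.search(cmd):
            src = PureWindowsPath(m["path"])
            target = norm(str(src.with_name(m["new"])))
            t_removed = removed.get((host, target))
            if t_removed is None or t - t_removed > window:
                continue                      # rename does not land on a recently deleted name
            dl = downloaded.get((host, norm(str(src))))
            alerts.append({
                "host": host, "user": user, "replaced": target,
                "deleted_at": t_removed.isoformat(sep=" "),
                "renamed_at": t.isoformat(sep=" "),
                "decoy_source": dl[1] if dl else None,   # None if the decoy was not downloaded in view
            })
    return alerts


if __name__ == "__main__":
    for a in find_file_replacements(EVENTS):
        print(f"{a['host']} ({a['user']}): {a['replaced']} deleted {a['deleted_at']}, "
              f"replaced {a['renamed_at']} by decoy from {a['decoy_source']}")
```

Tightening the window trades recall for precision: with a one-hour window only Erik's machine alerts, because on Sofia's the replacement happened the day after the deletion.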

Last but not least, the CEO, Johanna Karlsson, was also compromised, certainly a valuable target for Shadow Truth, who specifically looked for information on her during their recon (see [12]). I will explore what they could have done inside her mailbox and on her devices in the next section.

Section 4 - Nope, it's a full-on frognado!!!! 🐸🌪️😱

As seen in [9], CEO Johanna Karlsson was among the FramtidX employees targeted by a spearphishing campaign sent from Developer Alex Johnson's email account, which bypassed any controls aimed at suspicious external senders. Prompted with an allegedly urgent security update and a link to a fake login page, Johanna had her credentials phished on 2024-06-26 at 14:34:22; on 2024-06-27 at 12:40:59 the threat actors, using IP address 239.72.6.38, successfully logged into her computer. To check what they could have done on it, I use:

Employees
| where role =~ "ceo"
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where timestamp >= datetime(2024-06-27 12:40:59.0000) //when Johanna got compromised
and process_commandline !contains ("WindowsApps")
and process_commandline !contains ("SystemApps")
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
BLVR-MACHINE 2024-07-06 14:00:56.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Get-ChildItem -Path C:\Users\jokarlsson\Documents\Emails\* -Include *.eml, *.msg -Recurse | Copy-Item -Destination C:\Users\jokarlsson\Documents\StolenEmails\ powershell.exe ce2672cb7833453f62ceec169314d4210d567cb641c20bd803c8005e93473b1d jokarlsson
BLVR-MACHINE 2024-07-08 14:14:56.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Compress-Archive -Path C:\Users\jokarlsson\Documents\StolenEmails\* -DestinationPath C:\Users\jokarlsson\Documents\StolenEmails.zip powershell.exe 765439ec946dc54439925f11cecb396fa668ffc4cb52caec70ba691c3d886386 jokarlsson
BLVR-MACHINE 2024-07-08 14:41:47.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f $emails = Get-ChildItem -Path C:\\Users\\jokarlsson\\Documents\\q\\*.eml; $chunks = [System.Collections.Generic.List[System.Collections.Generic.List[System.IO.FileInfo]]]::new(); $chunkSize = 10; for ($i = 0; $i -lt $emails.Count; $i += $chunkSize) { $chunks.Add($emails[$i..($i + $chunkSize - 1)]); } foreach ($chunk in $chunks) { $chunk | Compress-Archive -DestinationPath "C:\\Users\\jokarlsson\\Documents\\Chunk$($chunks.IndexOf($chunk)).zip"; } powershell.exe 02efe9042352c43b4c94cf5d5995cc32e09c8ca3f5a0ab7b6483c75ff190f05d jokarlsson

The threat actors recursively collect every .eml (the plain-text Internet Message Format, RFC 5322, formerly RFC 822) and .msg (Outlook's proprietary format) file under Johanna's email backups, copy them into a StolenEmails staging folder and compress that folder into StolenEmails.zip; in ATT&CK terms this is local email collection (T1114.001), local data staging (T1074.001) and archiving of collected data (T1560). A third command, run about half an hour later, splits .eml files into a series of archives of ten messages each. Note that it reads from a folder named q rather than from StolenEmails, so either the files were moved there by a command that was not captured or the actor kept a second copy; the chunk archives are also zero-indexed (Chunk0.zip onwards), whereas the outbound mail subjects seen later count from [1]. The full command is reproduced below for clarity:

# Enumerate every .eml under Documents\q (not the StolenEmails folder staged earlier; the doubled
# backslashes are as recorded in the log, most likely JSON escaping, and Windows tolerates them)
$emails = Get-ChildItem -Path C:\\Users\\jokarlsson\\Documents\\q\\*.eml;
# Outer list holding one inner list of FileInfo objects per chunk
$chunks = [System.Collections.Generic.List[System.Collections.Generic.List[System.IO.FileInfo]]]::new();
$chunkSize = 10;
# Slice the file list into groups of ten; PowerShell range indexing silently drops out-of-range
# indices, so the last slice simply holds whatever remains
for ($i = 0; $i -lt $emails.Count; $i += $chunkSize) {
  $chunks.Add($emails[$i..($i + $chunkSize - 1)]);
}
# One archive per group, named Chunk<index>.zip in the same Documents folder
foreach ($chunk in $chunks) {
  $chunk | Compress-Archive -DestinationPath "C:\\Users\\jokarlsson\\Documents\\Chunk$($chunks.IndexOf($chunk)).zip";
}

Nothing in ProcessEvents suggests a more direct channel, such as uploading the archives with curl or similar tooling, so it's possible they moved them out through Johanna's email account. First, I'll check which of the emails in her backups would have interested the threat actor, given their stated concerns (environmental conservation, alleged financial and political corruption, and so on):

Employees
| where role =~ "ceo"
| distinct email_addr
| lookup Email on $left.email_addr == $right.sender
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
timestamp sender reply_to recipient subject verdict link
2024-06-21 10:52:09.0000 erik.stevens@valdoriapublicworks.gov erik.stevens@valdoriapublicworks.gov johanna_karlsson@framtidxdevcorp.com RE: Proposal for New Mall Development CLEAN
2024-06-24 10:02:14.0000 johanna_karlsson@framtidxdevcorp.com johanna_karlsson@framtidxdevcorp.com erik.stevens@valdoriapublicworks.gov RE: Proposal for New Mall Development CLEAN
2024-06-24 13:02:14.0000 erik.stevens@valdoriapublicworks.gov erik.stevens@valdoriapublicworks.gov johanna_karlsson@framtidxdevcorp.com We're going to make so much freaking money! CLEAN
2024-06-25 10:58:49.0000 johanna_karlsson@framtidxdevcorp.com johanna_karlsson@framtidxdevcorp.com erik.stevens@valdoriapublicworks.gov Invite for rich people big boat party! CLEAN
2024-06-26 12:10:20.0000 erik.stevens@valdoriapublicworks.gov erik.stevens@valdoriapublicworks.gov johanna_karlsson@framtidxdevcorp.com RE: Next Steps CLEAN
2024-06-26 13:10:20.0000 johanna_karlsson@framtidxdevcorp.com johanna_karlsson@framtidxdevcorp.com erik.stevens@valdoriapublicworks.gov RE: Next Steps CLEAN https://www.whyyoushoudntcareaboutnature.com

Evidently, the threat actors found sensitive and controversial material on FramtidX's latest development project, including Johanna's correspondence with Erik Stevens at valdoriapublicworks.gov. Given their hacktivist profile and the absence of any ransom demand, it's plausible these emails were leaked to an interested third party.

Searching for emails sent by Johanna Karlsson (johanna_karlsson@framtidxdevcorp.com) turns up nothing, and neither does checking the other compromised employees (see [9] for the list). Perhaps there are internal addresses not tied to a specific employee (i.e. not of the firstname_lastname@framtidxdevcorp.com form) that the threat actors could also have used, sharing credentials with one or more of the compromised accounts. To check for this, I use:

let employee_emails =
Employees
| distinct email_addr;
Email
| where sender endswith "framtidxdevcorp.com"
and timestamp >= datetime(2024-06-27 12:40:59.0000)
and recipient !endswith "framtidxdevcorp.com"
and sender !in (employee_emails)
| distinct sender
Query Results
sender
server_admin@framtidxdevcorp.com
ceo@framtidxdevcorp.com

And to check what, if anything, these addresses could've sent to non-FramtidX persons, I used:

let employee_emails =
Employees
| distinct email_addr;
Email
| where sender endswith "framtidxdevcorp.com"
and timestamp >= datetime(2024-06-27 12:40:59.0000) //threat actor logs into CEO device
and recipient !endswith "framtidxdevcorp.com"
and sender !in (employee_emails)
| distinct sender
| lookup Email on $left.sender == $right.sender
| where recipient !endswith "framtidxdevcorp.com"
and timestamp >= datetime(2024-07-06 14:00:56.0000) //first command run on CEO's device
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
sender timestamp reply_to recipient subject verdict link
ceo@framtidxdevcorp.com 2024-07-08 14:10:18.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [1] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 14:28:13.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [1] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 14:54:18.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [2] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 14:54:54.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [1] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 15:00:13.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [2] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 15:30:54.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [2] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 15:34:13.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [3] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 15:45:54.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [1] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 15:48:18.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [3] CLEAN
ceo@framtidxdevcorp.com 2024-07-08 15:51:54.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [2] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 10:03:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [4] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 10:59:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [5] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 11:55:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [6] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:10:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [7] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:30:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [3] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:32:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [3] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:37:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [4] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:40:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [8] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:45:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [5] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:48:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [6] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 12:55:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [4] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:00:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [4] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:08:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [5] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:31:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [7] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:37:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [9] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:38:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [5] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:40:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [6] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:42:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [7] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 13:43:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [8] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 14:02:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [9] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 14:06:39.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [10] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 14:14:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [8] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 14:23:00.0000 ceo@framtidxdevcorp.com nene.leaks@valdoriantimes.com Confidential Documents: Scandalous Emails Exposed on Mall Project!!!!! CLEAN
ceo@framtidxdevcorp.com 2024-07-09 14:25:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [6] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 14:42:44.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [10] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:08:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [7] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:12:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [9] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:14:58.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [10] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:30:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [8] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:33:42.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [9] CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:40:39.0000 ceo@framtidxdevcorp.com nene.leaks@valdoriantimes.com Confidential Documents: Scandalous Emails Exposed on Mall Project!!!!! CLEAN
ceo@framtidxdevcorp.com 2024-07-09 15:58:21.0000 ceo@framtidxdevcorp.com nene.leaks@valdoriantimes.com Confidential Documents: Scandalous Emails Exposed on Mall Project!!!!! CLEAN
ceo@framtidxdevcorp.com 2024-07-10 12:32:23.0000 ceo@framtidxdevcorp.com htuortwodahs@yopmail.com Confidential Documents: Email Chunk [10] CLEAN
ceo@framtidxdevcorp.com 2024-07-10 13:02:08.0000 ceo@framtidxdevcorp.com nene.leaks@valdoriantimes.com Confidential Documents: Scandalous Emails Exposed on Mall Project!!!!! CLEAN

Omitted from the results above are emails sent by server_admin@framtidxdevcorp.com, which turned out to be irrelevant. The address ceo@framtidxdevcorp.com, however, which very likely shared credentials with Johanna Karlsson's regular account, was used to send the email chunks, each of them several times over (likely a mix of retries and of staying under attachment size limits and detection thresholds). The chunks went to the threat actors' own disposable mailbox, htuortwodahs@yopmail.com (yopmail.com is a throwaway-mail service, and the mailbox name read backwards is "shadowtrouth", one letter off the group's name), while the message that, going by its timing and subject, carried the consolidated StolenEmails.zip went directly to the Valdorian Times' Editorial Director Nene Leaks (nene.leaks@valdoriantimes.com), four times between 2024-07-09 14:23:00 and 2024-07-10 13:02:08. Every one of these outbound messages carries a CLEAN verdict: the gateway scanned them for malware and phishing and found none, which is exactly what archives of legitimate internal email look like; outbound DLP, or simply alerting when a shared mailbox mails archives to a disposable-mail domain, is the control that would have caught this. Note also that the first two "Chunk [1]" messages (14:10:18 and 14:28:13 on 2024-07-08) predate the recorded chunking command (14:41:47), so either an earlier run was not captured or the two tables' timestamps are not perfectly aligned; worth keeping in mind before building a timeline on them.
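The two KQL queries above do this by hand. As an added example (not the author's code), the Python below implements the same "corporate sender that belongs to no employee and mails externally" check and then profiles each sender/recipient stream for what chunked exfiltration looks like: chunk numbers seen, gaps, re-sent chunks, a disposable recipient domain and a mailbox name that is the actor's handle reversed. The suspicious rows are taken from the table above; the employee directory, the server_admin and Johanna rows and the disposable-domain list are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. Suspicious rows come from the Email results above; the directory, the
# server_admin and johanna_karlsson rows, and the disposable-domain list are invented here.
CORP_DOMAIN = "framtidxdevcorp.com"
EMPLOYEE_EMAILS = {"johanna_karlsson@framtidxdevcorp.com", "alex_johnson@framtidxdevcorp.com"}
CUTOFF = "2024-07-06 14:00:56"   # first attacker command on the CEO's device; same format as rows
EMAILS = [  # (timestamp, sender, recipient, subject)
    ("2024-07-08 14:10:18", "ceo@framtidxdevcorp.com", "htuortwodahs@yopmail.com", "Confidential Documents: Email Chunk [1]"),
    ("2024-07-08 14:28:13", "ceo@framtidxdevcorp.com", "htuortwodahs@yopmail.com", "Confidential Documents: Email Chunk [1]"),
    ("2024-07-08 14:54:18", "ceo@framtidxdevcorp.com", "htuortwodahs@yopmail.com", "Confidential Documents: Email Chunk [2]"),
    ("2024-07-09 10:03:39", "ceo@framtidxdevcorp.com", "htuortwodahs@yopmail.com", "Confidential Documents: Email Chunk [4]"),
    ("2024-07-09 14:23:00", "ceo@framtidxdevcorp.com", "nene.leaks@valdoriantimes.com", "Confidential Documents: Scandalous Emails Exposed on Mall Project!!!!!"),
    ("2024-07-09 12:00:00", "server_admin@framtidxdevcorp.com", "vendor@example.net", "Maintenance window"),
    ("2024-07-09 16:00:00", "johanna_karlsson@framtidxdevcorp.com", "erik.stevens@valdoriapublicworks.gov", "RE: Next Steps"),
]
DISPOSABLE_DOMAINS = {"yopmail.com"}   # illustrative only; use a maintained list in practice
CHUNK_RE = re.compile(r"chunk\s*\[(\d+)\]", re.I)
ACTOR_HANDLE = "shadowtruth"


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def looks_like_actor_handle(local_part, handle=ACTOR_HANDLE):
    """True if the mailbox name, read backwards, is the actor's handle or one letter off it."""
    rev = local_part.lower()[::-1]
    if rev == handle:
        return True
    return any(rev[:i] + rev[i + 1:] == handle for i in range(len(rev)))  # one extra letter


def find_unattributed_senders(emails, employee_emails, corp_domain, cutoff):
    """Corporate-domain senders that belong to no employee and mailed outside the company."""
    return sorted({s for ts, s, r, _ in emails
                   if ts >= cutoff and domain(s) == corp_domain
                   and domain(r) != corp_domain and s not in employee_emails})


def profile_exfil(emails, senders):
    """Per (sender, external recipient): chunk numbering, gaps, resends, disposable/actor hints."""
    streams = defaultdict(list)
    for _, s, r, subj in emails:
        if s in senders and domain(r) != domain(s):
            streams[(s, r)].append(subj)
    report = {}
    for (s, r), subjects in streams.items():
        chunks = Counter()
        for subj in subjects:
            m = CHUNK_RE.search(subj)
            if m:
                chunks[int(m.group(1))] += 1
        expected = set(range(1, max(chunks) + 1)) if chunks else set()
        report[(s, r)] = {
            "messages": len(subjects),
            "chunks_seen": sorted(chunks),
            "missing_chunks": sorted(expected - set(chunks)),   # gaps hint at mail not yet seen
            "resent": sorted(n for n, c in chunks.items() if c > 1),
            "disposable_recipient": domain(r) in DISPOSABLE_DOMAINS,
            "recipient_reverses_to_actor": looks_like_actor_handle(r.split("@")[0]),
        }
    return report


if __name__ == "__main__":
    senders = find_unattributed_senders(EMAILS, EMPLOYEE_EMAILS, CORP_DOMAIN, CUTOFF)
    for key, info in profile_exfil(EMAILS, set(senders)).items():
        print(key, info)
```

Run against the full table, `missing_chunks` should come back empty for the yopmail stream (all ten chunks were sent) and `resent` should list most of them, which is the duplicate-sending pattern described above.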

The final loose end is Developer Alex Johnson. There are no hints that he was compromised: he received no phishing emails before "he" phished "his" coworkers, and there are no signs of malware or otherwise suspicious software on his computer. He is also FramtidX's most recent hire, starting on 2024-05-01, not even two months before this spate of spearphishing. "His" account activity is odd as well. The earliest log-in to his corporate account is on 2024-06-16 from IP address 23.179.138.125, which appears nowhere else in FramtidX's logs; after that the account logs in from the external IP addresses associated with the threat actor (see [6]) and, starting on 2024-06-20, from internal addresses belonging to "him" (10.10.0.2) and to the employees who were later compromised, in each case before their respective compromise: Marie Doty (10.10.0.69), Sofia Lindgren (10.10.0.18), Anita Bath (10.10.0.8), Erik Bjorn (10.10.0.3) and Jennifer Owens (10.10.0.72). No other employee shows this pattern; every other account has a single internal IP address (10.10.x.x) and at most one or two external ones.

This points to Alex Johnson being either a sockpuppet identity or an insider; the former seems the more likely, given that the threat actor's recon included FramtidX's careers page and hiring process (see [12]). Either way the account should be disabled and its sessions revoked, and the onboarding records for the hire deserve a second look.
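As an added example that is not part of the original writeup, the following profiles login sources per account the way the paragraph above does by inspection: it separates private from external addresses, checks each internal address against the workstation assignments in the Employees table, and separately notes logins from the threat actor's known external addresses, so that an account roaming other people's workstations (Alex) is distinguished from an account merely used by the attacker from outside (Erik). The assigned-IP map follows the addresses cited above; the usernames other than anbath, erbjorn, solindgren and jokarlsson, Johanna's address and the login rows themselves are invented for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. Workstation addresses follow the Employees data cited above; the usernames
# aljohnson, madoty and jeowens, Johanna's address and every login row are invented here.
ASSIGNED_IP = {
    "aljohnson": "10.10.0.2", "madoty": "10.10.0.69", "solindgren": "10.10.0.18",
    "anbath": "10.10.0.8", "erbjorn": "10.10.0.3", "jeowens": "10.10.0.72", "jokarlsson": "10.10.0.5",
}
ACTOR_IPS = {"239.72.6.37", "239.72.6.38"}
LOGINS = [  # (timestamp, username, src_ip)
    ("2024-06-16 09:12:00", "aljohnson", "23.179.138.125"),
    ("2024-06-18 08:30:00", "aljohnson", "239.72.6.37"),
    ("2024-06-20 10:01:00", "aljohnson", "10.10.0.2"),
    ("2024-06-21 13:45:00", "aljohnson", "10.10.0.69"),
    ("2024-06-24 09:20:00", "aljohnson", "10.10.0.8"),
    ("2024-06-26 16:05:00", "aljohnson", "10.10.0.3"),
    ("2024-06-20 08:55:00", "anbath", "10.10.0.8"),
    ("2024-06-22 19:10:00", "anbath", "84.20.11.9"),      # invented home address
    ("2024-06-20 08:40:00", "erbjorn", "10.10.0.3"),
    ("2024-06-27 10:35:54", "erbjorn", "239.72.6.38"),    # Erik's account used by the actor
]


def profile_logins(logins, assigned_ip, actor_ips, max_external=2):
    """Per account: internal/external sources, other users' workstations used, actor-IP logins."""
    owner_of = {ip: user for user, ip in assigned_ip.items()}
    internal, external = defaultdict(set), defaultdict(set)
    for _, user, ip in logins:
        # RFC 1918 is taken to mean "inside the corporate network" (assumption for this data).
        (internal if ipaddress.ip_address(ip).is_private else external)[user].add(ip)
    findings = {}
    for user in set(internal) | set(external):
        others = sorted({owner_of[ip] for ip in internal[user]
                         if owner_of.get(ip) not in (None, user)})
        from_actor = sorted(external[user] & actor_ips)
        findings[user] = {
            "internal_ips": sorted(internal[user]),
            "external_ips": sorted(external[user]),
            "other_users_workstations": others,       # the sockpuppet pattern
            "from_actor_ip": from_actor,              # the compromised-account pattern
            "suspicious": bool(others) or bool(from_actor) or len(external[user]) > max_external,
        }
    return findings


if __name__ == "__main__":
    for user, info in sorted(profile_logins(LOGINS, ASSIGNED_IP, ACTOR_IPS).items()):
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{user:12} {flag:10} other workstations={info['other_users_workstations']} "
              f"actor IPs={info['from_actor_ip']} external={info['external_ips']}")
```

Adding the compromise timestamps from the earlier sections (Erik at 2024-06-27 10:35:54, Johanna at 12:40:59 the same day) would let the same loop assert that Alex's visits to each workstation preceded that workstation owner's compromise, which is the point the paragraph above makes.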

The threat actors targeted the web administrator, the two chief architects and the CEO. In pursuit of their goal of impeding construction of the mall, a project discussed with and blessed by Valdoria Mayor Erik Stevens, they defaced the website, destroyed the architectural plans on the architects' machines and swapped in decoys, ransacked the CEO's mailbox and leaked sensitive emails to the press through an unattributed shared mailbox.