Forage Virtual Experience - Telstra Cyberattack
Date: 8/27/2024
Who is Telstra?
Before starting the simulation, I actually had to look up Telstra as I wasn’t familiar with this company. Telstra is a large telecom company based in Australia with similar offerings to AT&T. With that information, I started the simulation and was immediately provided with some background information:
Task 1
I was also given references, a log file, and an email template to work from.
I’ve heard of Spring4Shell elsewhere in learning about CVEs, but I definitely needed the provided references to be able to complete this task. I learned that Spring4Shell (CVE-2022-22965) is a zero-day RCE vulnerability and requires specific conditions: JDK 9+, Apache Tomcat, WAR file format, spring-webmvc or spring-webflux dependencies, and Spring Framework 5.3.17 or earlier (for those using the 5.3 framework).
With the necessary background information on the vulnerability, my first task was to write up an email to the affected team letting them know we identified the reason for the service disruption, the critical nature of the incident, and what is being done to fix the issue. Identifying the details of the incident and the affected team was done by looking through the provided firewall and infrastructure document.
This information gave me what I needed to write up a quick professional email to our team concerning this incident. I was not aware of where this simulation was going, so this email with the patch information doesn’t exactly match up well with the other tasks.
With that email sent, Task 1 was complete. In the Incident Response Lifecycle, this step (and part of step 2) would be grouped together as Detection and Analysis, so we still have some more analysis to do before we can move onto Containment, Eradication, and Recovery.
Task 2
Upon further analysis of the incident, we can determine steps to take to cut off the immediate threat. I know the patch wasn’t available at this time when Spring4Shell was first discovered, but I felt like I could work it into the email as though it was being developed and we just had to triage the situation while a permanent solution was in development. I decided to implement a firewall rule to block “/tomcatwar.jsp” from being used as a client request path.
My solution turned out to be a little overkill though. The simulation also provided “ideal” responses for each task and I should have specified to block traffic based on the request path AND certain headers, which would have been a more targeted approach as opposed to my blanket rule.
Task 3
For the third task, I was to use Python to develop a firewall rule and test that rule using a simulated environment on my computer. I haven’t used Python in this way before and so I was unsure how long this would take me, but I knew I would make it happen. Thankfully, the task gave a basic template to run the HTTP server and test attack program (though Microsoft Defender did not like me downloading that zip file) and Python has awesome resources online.
After some research and plenty of trial and error, I came up with the following code:
And the results from the attack run…
My code was successful. Yay! However, as mentioned previously, there was a better way. The below code was provided after completing the task. You can see that they define a list of bad headers, then if a client requests the “/tomcatwar.jsp” path, the loop runs to determine if any of the bad headers are a match before blocking the traffic. They also used a 403 error code instead of 401 as I did.
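To show what that path-plus-header rule looks like in a runnable form, here is an added example written for this post; it is neither my original submission nor the module’s provided code. It assumes the rule lives in a small http.server handler, and the bad-header names are an assumed list (the request headers commonly cited as Spring4Shell indicators), since the post above does not spell them out.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable

# Request path the firewall rule is scoped to (from the task).
BLOCKED_PATH = "/tomcatwar.jsp"

# Assumed list of header names that, combined with the path above, mark
# a request as malicious. Header names are case-insensitive in HTTP, so
# they are stored in lowercase and compared that way.
BAD_HEADERS = {"suffix", "c1", "c2", "dnt"}


def should_block(path: str, header_names: Iterable[str]) -> bool:
    """Return True only when BOTH conditions hold: the request targets
    BLOCKED_PATH (query string ignored) AND at least one bad header is
    present. Requests to other paths, or to the path without the
    headers, are allowed through, which keeps the rule targeted."""
    request_path = path.split("?", 1)[0]
    if request_path != BLOCKED_PATH:
        return False
    present = {name.lower() for name in header_names}
    return bool(present & BAD_HEADERS)


class FirewallHandler(BaseHTTPRequestHandler):
    """Minimal handler: 403 for blocked requests, 200 for everything else."""

    def _handle(self) -> None:
        # self.headers.keys() yields every header name in the request.
        if should_block(self.path, self.headers.keys()):
            self.send_response(403)  # Forbidden, as in the module's answer
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Forbidden\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"OK\n")

    do_GET = _handle
    do_POST = _handle


def run(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Serve on localhost so the rule can be exercised from the same machine."""
    HTTPServer((host, port), FirewallHandler).serve_forever()


if __name__ == "__main__":
    run()
```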
Task 4
Task 4 corresponds to step 4 in the NIST Incident Response Lifecycle. We perform a Postmortem or Lessons Learned exercise to break down the various steps of the response process, further analyze the situation, and determine if any changes need to be made to the organization’s infrastructure or employed frameworks.
For this task, I was given a template, which was helpful, but the details took a while to write out by myself.
Here is the “ideal response” provided by the module once completed:
Final Thoughts
I really enjoyed this module. It challenged me and made me feel more confident in my ability to learn new things and navigate the cybersecurity space. I can’t wait to tackle other modules on Forage.