Information Technology & Telecommunications ACS Cyber Intrusion - CAT 1 Forensic Findings Report Version 1.1 29 OCTOBER, 2014 Authored By: DoITT Security Operations Center - DSOCCLASSIFICATION - SENSITIVE Document Management Version Details Version Date V0.6 v2 | a va 10/13/2014 =a [=a vA 10/13/2014 zz) VAL voCLASSIFICATION - SENSITIVE TABLE OF CONTENTS DOCUMENT MANAGEMENT. EXECUTIVE OVERVIEW SCOPE .. INVESTIGATIVE FINDINGS. ‘SYSTEM PROFILE [ACS THREAT MODEL ~ ATTACKER'S METHODOLOGY [ACS THREAT MODEL - ANATOMY OF THE ATTACK. FORENSIC ACQUISITION FORENSIC ANALYSIS.. DEFINITION - POSITIVE FINDING: DEFINITION - NEGATIVE FINDINGS ‘TIMELINE ~ SUCCESSFUL INTRUSION! POSITIVE FINDINGS. IDENTIFIED SYSTEM VULNERABILITIES .. ORACLE FORMS AND REPORTS ... PUBLICLY AVAILABLE ANALYSIS OF| {JSP WEB SHELL OVERVIEW — REMOTE ACCESS TOOL (RAT) ATTACKER USAGE OF THE| SUMMARY ANALYSIS OF [ATTACKER HS ~ INVESTIGATIVE FOCUS.. ATTACKER #5 ~ STOLEN CREDENTAILS (KEY MAPS) ATTACKER #5 [ATTACKER #5 ~ DATABASE LOG ANALYSIS. DATA DEFINITION LANGUAGE (DDL) ANALYSIS.... DATA MANIPULATION LANGUAGE (DML) ANALYSIS.. NEGATIVE FINDINGS ‘conctusior [ACS AGENCY RESPONSE TEAM (ART) RECOMMENDATIONS... THREAT DRIVEN SECURITY ~ INDICATORS OF COMPROMISE (10C). LIST OF FIGURES FIGURE 1. ACS SYSTEM PROFILE - HIGH LEVEL ARCHITECTURE a 6 FIGURE 2. COMPROMISED COMPUTER ~ INVESTIGATIVE FOCUS OF THIS REPORT nso 6 FIGURE 3. COMPROMISED COMPUTER - DISK CONFIGURATION LAYOUT- RAID... - 6 FIGURE 4 ATTACKERS MET00010c% TT 7 seed FIGURE 5, ANATOMY OF THE ACS ATTACK = SUCC ocean FIGURE 6. FORENSIC ACQUISITION ~ HARD DRIVE RECOGNITION PROFILES snore FIGURE 7, MOUNTED FILE SYSTEM ~ ACS POOLS - /APP1 & /APP2.cnonnensnnn on “10 FIGURE 8, REGRESSIVE TIMELINE ~ SUCCESSFUL INTRUSIONS. 7 ned FIGURE 9 EXPLOITATION CODE ANALYSIS enn a FIGURE 10, SKAMPLE OF WEAPON LEVERAGED IN THE ACS INTRUSION oovsernvevenon- 16 FIGURE 11. ATTACKER PRESENCE IN THE WEB SERVER LOGS