kyereafrane/Malware_attack_response.
Malware_attack_response.

This project describes how a security analyst in a Security Operations Center triages, analyzes and mitigates a malware attack and then handles the incident postmortem.

Practical Skills Developed

Cybersecurity | Incident Triage | Detection & Response | Research | Communication | Data Analysis | Teamwork | Network Analysis | Problem solving | Python | Solution Architecture | Design Thinking | Incident Reflection | Root Cause Analysis | Risk | Compliance | Strategy | Governance | Security Engineering

Languages and Utilities Used

  • Python

Environments Used

  • Windows 11 (21H2)

Process walk-through:

The first step is to triage incoming threats and respond appropriately to the affected departments. This is done by reviewing the firewall logs to determine which applications and infrastructure have been impacted, including how severe the threat is and whether it is affecting critical services and operations of the company. Prioritizing the threats assigns the appropriate urgency to each one. An email is then drafted to the affected team to alert them and begin incident response. The time of occurrence is clearly stated in the email so the team can track events, and the email ensures the team is aware of the ongoing incident and is prepared for mitigation advice. In this incident, the affected application was the Spring Framework used by the company.



The next step was to dig deeper into the threat and mitigate it. Public CVE information on Spring4Shell (CVE-2022-22965) revealed that, according to VMware, the vulnerability bypasses the patch for CVE-2010-1622, making CVE-2010-1622 exploitable again. The bypass is possible because JDK 9 and later expose a second route from a bound bean to the class loader: the 2010 fix blocked the class.classLoader property path, but the Module API added in JDK 9 makes the class.module.classLoader path reachable through Spring's data binding (JDK versions before 9 only have the one route). Exploitation therefore requires the application to run on JDK 9 or later, and the public exploit additionally targets Spring applications deployed as a WAR on Apache Tomcat.


A review of the SIEM logs shows a spike in events right after 14:00.



The firewall logs also show requests for /tomcatwar.jsp over unencrypted HTTP, recorded with a bypass action, coming from a number of different IP addresses on an external network. tomcatwar.jsp is the web shell that the public Spring4Shell proof of concept writes into Tomcat's webapps/ROOT directory, so requests for it indicate post-exploitation activity rather than the initial exploit attempt.

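To make the triage above concrete, here is an added example (not part of this project or of the Forage model code) that runs the same checks over a few constructed firewall log lines: it parses an assumed, simplified log layout (timestamp, source IP, destination IP, protocol, action, path), counts events per hour to find the spike the SIEM timeline showed, and lists the external sources that reached /tomcatwar.jsp over plain HTTP. The log layout and the internal address ranges are assumptions.

```python
"""Triage of firewall log lines for the Spring4Shell incident.

Added example for this README, not the project's own code. The log layout
(timestamp, src_ip, dst_ip, protocol, action, path) and the internal
address ranges are assumptions; only parse_log() would change for a real
firewall export.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log: a quiet early afternoon, then a burst of requests
# for /tomcatwar.jsp over plain HTTP from several external addresses after 14:00.
SAMPLE_LOG = """\
2022-03-31T13:05:12 10.0.0.21 10.0.1.5 HTTPS allow /login
2022-03-31T13:41:03 10.0.0.34 10.0.1.5 HTTPS allow /api/orders
2022-03-31T14:02:10 203.0.113.7 10.0.1.5 HTTP bypass /tomcatwar.jsp
2022-03-31T14:02:11 203.0.113.7 10.0.1.5 HTTP bypass /tomcatwar.jsp
2022-03-31T14:03:45 198.51.100.23 10.0.1.5 HTTP bypass /tomcatwar.jsp
2022-03-31T14:05:09 198.51.100.23 10.0.1.5 HTTP bypass /tomcatwar.jsp
2022-03-31T14:06:30 192.0.2.99 10.0.1.5 HTTP bypass /tomcatwar.jsp
2022-03-31T14:07:02 10.0.0.21 10.0.1.5 HTTPS allow /login
2022-03-31T14:08:15 198.51.100.23 10.0.1.5 HTTP bypass /tomcatwar.jsp
2022-03-31T15:10:00 192.0.2.99 10.0.1.5 HTTP bypass /tomcatwar.jsp
"""

TARGET_PATH = "/tomcatwar.jsp"

# Assumed company address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, action, path = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "proto": proto, "action": action, "path": path})
    return events


def is_external(ip):
    """True unless the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def events_per_hour(events):
    """Count events per clock hour, the view the SIEM timeline gives."""
    return Counter(e["time"].hour for e in events)


def spike_hour(counts, factor=3):
    """First hour whose event count is more than `factor` times the previous
    hour's count (a missing previous hour counts as 1), or None."""
    for hour in sorted(counts):
        if counts[hour] > factor * max(counts.get(hour - 1, 0), 1):
            return hour
    return None


def suspicious_sources(events, path=TARGET_PATH):
    """External IPs that requested `path` over plain HTTP, busiest first."""
    hits = Counter(e["src"] for e in events
                   if e["path"] == path and e["proto"] == "HTTP" and is_external(e["src"]))
    return hits.most_common()


def triage(text):
    """Collect what the alert email to the affected team needs: when the
    activity started, when it spiked and who is sending it."""
    events = parse_log(text)
    targeted = [e for e in events if e["path"] == TARGET_PATH]
    return {
        "spike_hour": spike_hour(events_per_hour(events)),
        "first_seen": min(e["time"] for e in targeted).isoformat(),
        "sources": suspicious_sources(events),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"Spike begins in hour {summary['spike_hour']}:00")
    print(f"First {TARGET_PATH} request seen: {summary['first_seen']}")
    for ip, n in summary["sources"]:
        print(f"  {ip}: {n} requests")
```

The three values triage() returns are exactly the ones the alert email needs: the first-seen timestamp fixes the start of the incident timeline, the spike hour matches the SIEM view, and the source list goes to the Network team as the addresses to block.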



To mitigate the threat, an email is sent to the Network team asking them to change the firewall rules and block the protocols and sources involved.




Below is also the Python rule to mitigate the attack. Disclaimer: the Python code below was provided by Forage after review, as my code was incorrect.

Model Work Example

Firewall Server Handler

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import json
import sys

host = "localhost"
port = 8000


def block_request(self):
    self.send_error(403, "Request blocked due to firewall")


def handle_request(self):
    # List of bad headers from the proof of concept payload
    bad_headers = {
        "suffix": "%>//",
        "c1": "Runtime",
        "c2": "<%",
        "DNT": "1",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    bad_header_keys = bad_headers.keys()

    # If a request is on the Spring Framework path
    if self.path == "/tomcatwar.jsp":
        # Iterate through bad headers
        for bad_header_key in bad_header_keys:
            # If we find a bad header that matches the malicious payload
            if bad_header_key in self.headers and self.headers[bad_header_key] == bad_headers[bad_header_key]:
                # Block request and throw 403 error
                return block_request(self)

    # Return successful response
    self.send_response(200)
    self.send_header("content-type", "application/json")
    self.end_headers()

    # wfile takes bytes, so the JSON body is serialised and encoded before writing
    self.wfile.write(json.dumps({"success": True}).encode())


class ServerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        handle_request(self)

    def do_POST(self):
        handle_request(self)


if __name__ == "__main__":
    server = HTTPServer((host, port), ServerHandler)
    print("[+] Firewall Server")
    print("[+] HTTP Web Server running on: %s:%s" % (host, port))

    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass

    server.server_close()
    print("[+] Server terminated. Exiting...")
    sys.exit(0)
```

An incident report (postmortem) was recorded for future discussion and improvements.
