Day 5 Assignment

Uploaded by sijo george

CYBER FORENSIC PROGRAM

1. Case study on network attack


Overview
On February 24th, 2022, the day of Russia’s invasion of Ukraine, a cyberattack disrupted
broadband satellite internet access. The attack disabled modems that communicate with Viasat
Inc's KA-SAT satellite network, which supplies internet access to tens of thousands of people in
Ukraine and Europe. Researchers from SentinelLabs believe that the attack was the result of a new
strain of wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems
and routers. Viasat agreed with this assessment, and in a later statement said it believed the
purpose of the attack was to interrupt service rather than to access data or systems. The United
States assessed “...that Russia launched cyber attacks in late February against commercial satellite
communications networks to disrupt Ukrainian command and control during the invasion, and those
actions had spillover impacts into other European countries.”
Impact
As the attack impacted telecommunications systems, it did not just have the potential to threaten
government or military objects; it also impacted the civilian population and civilian objects, both in
Ukraine and beyond, through loss of internet access and possible disruptions to systems in the
energy sector. Some reported that their internet access was offline for more than two weeks. The
attack on Viasat also impacted a major German energy company, which lost remote monitoring
access to over 5,800 wind turbines, and in France nearly 9,000 subscribers of a satellite internet
service provider experienced an internet outage. In addition, around a third of the 40,000
subscribers of another satellite internet service provider in Europe (Germany, France, Hungary,
Greece, Italy, Poland) were affected. Overall, this attack impacted several thousand customers
located in Ukraine and tens of thousands of other fixed broadband customers across Europe.
Attribution
A first technical attribution was conducted and publicly disclosed by SentinelLabs at the end of
March 2022, when they found that AcidRain shared developmental similarities with the 2018
VPNFilter campaign previously attributed to the Russian government. Months later, on May 10, the
EU and the Five Eyes governments (the United States, United Kingdom, Australia, New Zealand,
and Canada) released public statements attributing AcidRain to Russian military intelligence (GRU)
and linking it to multiple families of destructive wiper malware, including WhisperGate, that targeted
Ukrainian government and private sector networks. Further national statements aligning with this
attribution were made by the ministries of foreign affairs of Estonia, Denmark, Ireland, the
Netherlands, Norway, Austria, Germany, Czechia, Italy, Finland, Romania, Poland, and France.

Web - https://academy.cyberheals.com/ibby_master_program
Phone - +91 63851 81109
2. Case study on WiFi attack

ABSTRACT
Mobile devices regularly broadcast WiFi probe requests in order to discover nearby WiFi access
points to connect to. A probe request, sent automatically in active scanning mode and carrying the
MAC address of the device, advertises the device's presence. A real-time wireless sniffing system
can capture WiFi packets and analyse wireless traffic, which provides an opportunity to gain insight
into the interaction between the humans carrying the mobile devices and their environment.
Susceptibility to loss of wireless data transmissions is an important limitation of this idea, and it is
complicated by the lack of a standard specification for real deployments of WiFi sniffers. In this
paper, we present an experimental analysis of sniffing performance under different wireless
environments using off-the-shelf products. Our objective is to identify the possible factors, including
channel settings and access point configurations, that affect sniffing behaviour and performance,
thereby enabling the design of a protocol for a WiFi sniffing system under the optimal monitoring
strategy in a real deployment. Our preliminary results show that four main factors affect sniffing
performance: the number of access points and their corresponding operating channels, the signal
strength of the access points and the number of devices in the vicinity. For a real field deployment,
we propose assigning one sniffing device to each sub-region based on the local access point signal
strength and coverage area, and fixing the monitoring channel to the one used by the local
strongest access point.

DISCUSSION
• MAC randomization. Most mobile devices perform MAC randomization as a privacy-preserving
feature in active discovery mode; discussion of this is beyond the scope of this paper. In this work,
we make the reasonable assumption that most of the devices are connected to the WiFi network in
each of the working and living environments (i.e. university and home), which always results in the
real MAC address being revealed in the probe request packets. Therefore MAC randomization is
expected to have very little impact on the analytic results in this paper.
• During the tests, it was observed that some devices do not send directed probes under default
factory settings. Moreover, some advanced home routers automatically adjust their transmission
channels based on current channel occupancy and interference, rather than remaining on a fixed
channel. For the tests conducted in a house, we manually set the channels to avoid interference
from other APs in the neighbourhood on the same channels. Nonetheless, under the channel
allocation regime at 2.4 GHz, there are only three non-overlapping channels, so interference is likely
regardless in our results. [Source running header: Y. Li et al., Case Study of WiFi Sniffing
Performance Evaluation, Volume 8, 2020, p. 129233]
• We have demonstrated the possible factors that affect the number of received probes based on
data collected in a relatively simple home wireless environment where the AP configurations are
simple. Because of a lack of knowledge of the wireless environment in the neighbourhood, we can
only investigate the data based on what is known about the environment, for example the number of
devices, connection status and phone activity. In the dynamic environment of an enterprise WLAN
deployment (such as a university network), those factors also impact the sniffing performance.
However, the situation is more complicated; we believe there are other factors, such as channel
capacity and link quality, that affect the overall sniffing performance. For example, commercial WiFi
APs normally support automatic detection of surrounding interference and apply a radio calibration
algorithm that allows dynamic channel selection and power adjustment to minimize such
interference [39]. In addition, most client devices are mobile, typically being carried around by
walking humans, so seamless roaming between APs should be taken into consideration. Moreover,
client roaming decisions are subject to vendor-specific configurations, including signal strength,
communication quality, error rate and missing probes. Therefore, it is suggested to automatically
adjust the sniffing channels according to the WiFi AP configurations.

CONCLUSION
In this paper, we have investigated the performance of WiFi sniffers under different channel
configurations using off-the-shelf products in different wireless scenarios. We conducted an ANOVA
to statistically analyse the sniffing impacts between channels. We also further investigated the
probing behaviours over not-in-proximity channels, which exhibit a large number of probes with
randomized MAC addresses. This research proposes a WiFi sniffer protocol using the optimal
monitoring channel. We have demonstrated that the number of received probe packets is affected
by a range of factors, among which the number of APs and their corresponding operating channels,
the signal strength of the AP and the number of devices in the vicinity play significant roles. In a real
deployment, it is suggested to assign one sniffer as close as possible to the AP in each sub-area
and to fix the monitor channel to the one that the local strongest AP operates on.
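As an added example (not code from the paper), the following analysis of a constructed probe-request capture applies two points made in the discussion and conclusion above: probes from randomized MACs are recognised by the locally administered bit of the address, and the sniffer's monitoring channel is fixed to that of the strongest local AP. The sample records and the AP scan are constructed, not real capture data.

```python
from collections import defaultdict

# Constructed probe-request records (channel, source MAC) as a monitor-mode
# sniffer might log them. Sample data, not a real capture.
PROBES = [
    (1, "3c:22:fb:10:20:30"),   # globally unique (real) MAC
    (1, "3c:22:fb:10:20:30"),
    (1, "da:a1:19:00:11:22"),   # locally administered -> randomized
    (6, "3c:22:fb:10:20:30"),
    (6, "f2:55:01:ab:cd:ef"),   # randomized
    (6, "f2:55:01:ab:cd:ef"),
    (6, "f2:55:01:ab:cd:ef"),
    (11, "e6:00:12:34:56:78"),  # randomized
    (11, "00:1a:2b:3c:4d:5e"),  # real
]

# Constructed AP scan: (BSSID, channel, RSSI in dBm) for the APs in range.
AP_SCAN = [
    ("aa:bb:cc:00:00:01", 1, -67),
    ("aa:bb:cc:00:00:06", 6, -41),
    ("aa:bb:cc:00:00:0b", 11, -75),
]


def is_randomized_mac(mac):
    """True when the locally administered bit (0x02 of the first octet) is set
    and the multicast bit (0x01) is clear: the pattern randomized MACs use."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def summarize_probes(probes):
    """Per channel: total probes, distinct real devices, randomized-MAC probes."""
    acc = defaultdict(lambda: {"probes": 0, "real": set(), "randomized": 0})
    for channel, mac in probes:
        s = acc[channel]
        s["probes"] += 1
        if is_randomized_mac(mac):
            s["randomized"] += 1
        else:
            s["real"].add(mac.lower())
    return {ch: {"probes": s["probes"], "real_devices": len(s["real"]),
                 "randomized": s["randomized"]} for ch, s in acc.items()}


def choose_monitor_channel(ap_scan):
    """Deployment rule from the paper: monitor the channel of the strongest local AP."""
    return max(ap_scan, key=lambda ap: ap[2])[1]
```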

3. Case study on web attack


Equifax data breach
Summary
The crisis began in March of 2017. In that month, a vulnerability, tracked as CVE-2017-5638,
was discovered in Apache Struts, an open source development framework for creating
enterprise Java applications that Equifax, along with thousands of other websites, uses. If
attackers sent HTTP requests with malicious code tucked into the Content-Type header, Struts
could be tricked into executing that code, potentially opening up the system Struts was
running on to further intrusion. On March 7, the Apache Software Foundation released a patch
for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any
affected systems, but the employee who should have done so didn’t. On March 15, Equifax’s IT
department ran a series of scans that were supposed to identify unpatched systems; there
were in fact multiple vulnerable systems, including the consumer complaint web portal described
below, but the scans apparently did not work, and none of the vulnerable systems were flagged
or patched.
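A defensive check in the spirit of this passage, as an added example that is not from the page, from Equifax or from Apache: reject any Content-Type value that is not a well-formed media type, or that carries OGNL expression delimiters, before the request reaches the framework. The sample headers and the `PLACEHOLDER_EXPRESSION` token are constructed.

```python
import re

# Simplified media-type grammar from RFC 7231: type "/" subtype, followed by any
# number of ";" parameter=value pairs where value is a token or a quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)

# OGNL expression delimiters; a legitimate Content-Type value never carries them.
OGNL_MARKERS = ("%{", "${")


def classify_content_type(value):
    """Return 'ognl-marker', 'malformed' or 'valid' for one Content-Type value."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-marker"
    if not _MEDIA_TYPE.match(value):
        return "malformed"
    return "valid"


# Constructed sample header values (placeholders, not real exploit strings).
SAMPLE_HEADERS = [
    "application/json",
    'text/plain; charset="utf-8"',
    "multipart/form-data; boundary=----FormBoundary7MA4YWxk",
    "multipart/form-data; boundary=%{PLACEHOLDER_EXPRESSION}",
    "%{PLACEHOLDER_EXPRESSION}",
    "multipart/form-data; boundary=a b",
]


def scan_headers(values):
    """Map each header value to its verdict; anything not 'valid' should be
    rejected at the edge and logged for the SOC."""
    return {v: classify_content_type(v) for v in values}
```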

How the attack happened

The company was initially hacked via a consumer complaint web portal, with the attackers using
a widely known vulnerability that should have been patched but, due to failures in Equifax’s
internal processes, wasn’t. The attackers were able to move from the web portal to other servers
because the systems weren’t adequately segmented from one another, and they were able to
find usernames and passwords stored in plain text that then allowed them to access still further
systems. The attackers pulled data out of the network in encrypted form undetected for months
because Equifax had crucially failed to renew an encryption certificate on one of their internal
security tools. Equifax did not publicize the breach until more than a month after they discovered
it had happened; stock sales by top executives around this time gave rise to accusations of
insider trading.

Impact

Equifax specifically traffics in personal data, and so the information that was compromised and
spirited away by the attackers was quite in-depth and covered a huge number of people. It
potentially affected 143 million people — more than 40 percent of the population of the United
States — whose names, addresses, dates of birth, Social Security numbers, and driver’s license
numbers were exposed. A small subset of the records — on the order of about 200,000 — also
included credit card numbers; this group probably consisted of people who had paid Equifax directly
in order to see their own credit report.

This last factor is somewhat ironic, as the people concerned enough about their credit score to pay
Equifax to look at it also had the most personal data stolen, which could lead to fraud that would
then damage their credit score. But a funny thing happened as the nation braced itself for the wave
of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has
everything to do with the identity of the attackers.

Conclusion

• Get the basics right. No network is invulnerable. But Equifax was breached because it failed to
patch a basic vulnerability, despite having procedures in place to make sure such patches were
applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected
to renew a security certificate. Equifax had spent millions on security gear, but it was poorly
implemented and managed.

• Silos are defensible. Once the attackers were inside the perimeter, they were able to move from
machine to machine and database to database. If they had been restricted to a single machine,
the damage would’ve been much less.

• Data governance is key — especially if data is your business. Equifax’s databases could’ve
been stingier in giving up their contents. For instance, users should only be given access to
database content on a “need to know” basis; giving general access to any “trusted” user means
that an attacker can seize control of those user accounts and run wild. And systems need to keep
an eye out for weird behavior; the attackers executed up to 9,000 database queries very rapidly,
which should’ve been a red flag.
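The “weird behavior” point in the last bullet, as an added example that is not from the page: a sliding-window rate check over constructed database audit log lines that flags an account issuing far more queries in a minute than an interactive user would. The log format, account names and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log lines: "<ISO timestamp> user=<account> query=<SQL>".
# A service account fires 30 queries in 30 seconds; an analyst runs one per hour.
SAMPLE_LOG = (
    [f"2017-05-13T10:00:{i:02d} user=svc_report query=SELECT * FROM consumers WHERE id={i}"
     for i in range(30)]
    + [f"2017-05-13T1{h}:00:00 user=analyst query=SELECT count(*) FROM consumers"
       for h in range(5)]
)

LINE_RE = re.compile(r"^(\S+) user=(\S+) query=(.*)$")


def detect_query_bursts(lines, threshold=20, window_seconds=60):
    """Alert once per account when it issues more than `threshold` queries inside
    any sliding window of `window_seconds`. Returns [(user, window_start, count)]."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that do not fit the assumed format
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    events.sort()  # audit logs are not guaranteed to arrive in time order

    windows = defaultdict(deque)  # per-account timestamps inside the current window
    alerted, alerts = set(), []
    for ts, user in events:
        q = windows[user]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, q[0].isoformat(), len(q)))
    return alerts
```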
