# AIG Insurance {% tabs %} {% tab title="Snippet" %} * Completed a job simulation involving the role of a cybersecurity generalist, specializing in cybersecurity. * Completed a cybersecurity threat analysis simulation for the Cyber Defense Unit, staying updated on CISA publications. * Researched and understood reported vulnerabilities, showcasing analytical skills in cybersecurity. * Drafted a clear and concise email to guide teams on vulnerability remediation. * Utilized Python skills to write a script for ethical hacking, avoiding ransom payments by bruteforcing decryption keys. {% endtab %} {% tab title="Skills" %} * Communication * Cybersecurity * Data Analysis * Design Thinking * **Problem Solving** * **Python** * Research * Security Advisory * Security Engineering * **Software Development** * Solution Architecture * Strategy * **Vulnerability Triage** {% endtab %} {% tab title="Task 1" %} **Background information** You are an **Information Security Analyst** in the Cyber & Information Security Team. A common task and responsibility of information security analysts is to stay on top of emerging vulnerabilities to make sure that the company can remediate them before an attacker can exploit them. In this task, you will be asked to review some recent publications from the Cybersecurity & Infrastructure Security Agency (CISA). The Cybersecurity & Infrastructure Security Agency (CISA) is an Agency that has the goal of reducing the nation’s exposure to [cyber](https://www.theforage.com/virtual-experience/2ZFnEGEDKTQMtEv9C/aig/cybersecurity-ku1i/www.google.com) security threats and risks. After reviewing the publications, you will then need to draft an email to inform the relevant infrastructure owner at AIG of the seriousness of the vulnerability that has been reported. {% endtab %} {% tab title="Task 2" %} **Background information** Your advisory email in the last task was great. It provided context to the affected teams on what the vulnerability was, and how to remediate it. Unfortunately, an attacker was able to exploit the vulnerability on the affected server and began installing a ransomware virus. Luckily, the Incident Detection & Response team was able to prevent the ransomware virus from completely installing, so it only managed to encrypt one zip file. Internally, the Chief Information Security Officer does not want to pay the ransom, because there isn’t any guarantee that the decryption key will be provided or that the attackers won’t strike again in the future. Instead, we would like you to bruteforce the decryption key. Based on the attacker’s sloppiness, we don’t expect this to be a complicated encryption key, because they used copy-pasted payloads and immediately tried to use ransomware instead of moving around laterally on the network. {% endtab %} {% endtabs %} ## Task 1 - Responding to a zero-day vulnerability The CISA has recently published the following two advisories: 1. The [first advisory (Log4j)](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a), outlines a serious vulnerability in one of the world’s most popular logging software. 2. The [second advisory](https://www.cisa.gov/news/2022/02/09/cisa-fbi-nsa-and-international-partners-issue-advisory-ransomware-trends-2021) explores how ransomware has been increasing and is becoming professionalized - a concern for a large company like AIG. Your task is to respond to the Apache Log4j zero-day vulnerability that was released to the public by advising affected teams of the vulnerability. **First,** conduct your research on the vulnerability using the “CISA Advisory" resources provided above as a starting point. **Next,** analyze the “Infrastructure List” below to find out which infrastructure may be affected by the vulnerability, and which team has ownership. | **Product Team** | **Product Name** | **Team Lead** | **Services Installed** | | ------------------- | --------------------------------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | IT | Workstation Management System | Jane Doe () |

OpenSSH
dnsmasq
lighttpd

| | Product Development | Product Development Staging Environment | John Doe () |

Dovecot pop3d
Apache httpd
Log4j
Dovecot imapd
MiniServ

| | Marketing | Marketing Analytics Server | Joe Schmoe () |

Microsoft ftpd
Indy httpd
Microsoft Windows RPC
Microsoft Windows netbios-ssn
Microsoft Windows Server 2008 R2 - 2012 microsoft ds

| | HR | Human Resource Information System | Joe Bloggs () |

OpenSSH
Apache httpd
rpcbind2-4

|
Email **From:** AIG Cyber & Information Security Team\ **To:** John Doe <>\ **Subject:** Security Advisory concerning Ransomware Exploitation of Log4j Vulnerabilities\ —\ **Body:**\ Hello John,\ \ AIG Cyber & Information Security Team would like to inform you of critical vulnerabilities in Apache Log4j, as outlined by CISA, that may expose our infrastructure to ransomware attacks. **Risk/Impact**:\ Ransomware actors are actively exploiting vulnerabilities in Log4j (CVE-2021-44228, CVE-2021-45046, etc.) to gain unauthorized access to systems. Successful exploitation can allow attackers to take control of affected systems, leading to data encryption, operational disruptions, and potential data exfiltration. This poses a high risk of downtime, financial loss, and reputational damage. **Method of Exploitation**:\ Attackers exploit Log4j vulnerabilities by sending specially crafted requests to vulnerable systems. This allows remote code execution (RCE), enabling ransomware actors to deliver payloads or gain administrative control of targeted environments. **Remediation**: * Immediately update all instances of Log4j to the latest patched versions. * Use available web application firewall (WAF) rules to block malicious requests. * Monitor for any indicators of compromise (IoCs) related to Log4j exploitation. * Implement network segmentation and restrict internet-facing services to mitigate exposure. Please ensure these steps are actioned promptly to reduce the risk of ransomware. For any questions or further guidance, don’t hesitate to reach out to us.\ Kind regards, AIG Cyber & Information Security Team
## Task 2 - (Technical) Bypassing ransomware ```python from zipfile import ZipFile, BadZipFile import sys # Method to attempt extraction of the zip file with the given password def attempt_extract(zf_handle, password): try: zf_handle.extractall(pwd=password.strip()) # Passwords need to be bytes in Python 3 print(f"[+] Password found: {password.decode('utf-8')}") return True except (RuntimeError, BadZipFile): # Handles wrong password or invalid zip file issues return False def main(): print("[+] Beginning brute force attack") # Open the zip file try: with ZipFile('enc.zip') as zf: # Open the rockyou.txt file containing the list of passwords with open('rockyou.txt', 'rb') as f: for password in f: password = password.strip() # Remove any extra whitespace or newline characters if attempt_extract(zf, password): print("[+] Password successfully extracted!") return # Exit after successful extraction else: print(f"[-] Attempt failed with password: {password.decode('utf-8')}") except FileNotFoundError: print("[-] The enc.zip or rockyou.txt file was not found. Please ensure they are in the same directory.") except Exception as e: print(f"[-] An error occurred: {e}") print("[+] Password not found in the list") if __name__ == "__main__": main() ```