
AIG Insurance

  • Completed a job simulation in the role of a cybersecurity generalist.

  • Completed a cybersecurity threat analysis simulation for the Cyber Defense Unit, staying updated on CISA publications.

  • Researched and understood reported vulnerabilities, showcasing analytical skills in cybersecurity.

  • Drafted a clear and concise email to guide teams on vulnerability remediation.

  • Wrote a Python script for ethical hacking that avoids a ransom payment by brute-forcing decryption keys.

Task 1 - Responding to a zero-day vulnerability

The CISA has recently published the following two advisories:

  1. The first advisory (Log4j) outlines a serious vulnerability in one of the world’s most widely used logging libraries.

  2. The second advisory explores how ransomware attacks have been increasing and becoming more professionalized, a concern for a large company like AIG.

Your task is to respond to the publicly disclosed Apache Log4j zero-day vulnerability by advising the affected teams.

First, conduct your research on the vulnerability using the “CISA Advisory” resources provided above as a starting point.

Next, analyze the “Infrastructure List” below to find out which infrastructure may be affected by the vulnerability, and which team has ownership.

| Product Team        | Product Name                                 | Team Lead                        | Services Installed                                                                                                                       |
|---------------------|----------------------------------------------|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| IT                  | Workstation Management System                | Jane Doe (tech@email.com)        | OpenSSH, dnsmasq, lighttpd                                                                                                               |
| Product Development | Product Development Staging Environment      | John Doe (product@email.com)     | Dovecot pop3d, Apache httpd, Log4j, Dovecot imapd, MiniServ                                                                              |
| Marketing           | Marketing Analytics Server                   | Joe Schmoe (marketing@email.com) | Microsoft ftpd, Indy httpd, Microsoft Windows RPC, Microsoft Windows netbios-ssn, Microsoft Windows Server 2008 R2 - 2012 microsoft-ds   |
| HR                  | Human Resource Information System            | Joe Bloggs (hr@email.com)        | OpenSSH, Apache httpd, rpcbind 2-4                                                                                                       |
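A worked triage of the inventory above, added here as an example and not part of the original write-up: it parses the list, flags every system running a product named in the advisory, and derives the team lead who must receive the notification. The inventory text is a constructed copy of the table, and the set of affected products is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed copy of the page's "Infrastructure List", one asset per line:
# team | system | team lead | comma-separated services installed.
INVENTORY = """\
IT | Workstation Management System | Jane Doe (tech@email.com) | OpenSSH, dnsmasq, lighttpd
Product Development | Product Development Staging Environment | John Doe (product@email.com) | Dovecot pop3d, Apache httpd, Log4j, Dovecot imapd, MiniServ
Marketing | Marketing Analytics Server | Joe Schmoe (marketing@email.com) | Microsoft ftpd, Indy httpd, Microsoft Windows RPC, Microsoft Windows netbios-ssn, Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
HR | Human Resource Information System | Joe Bloggs (hr@email.com) | OpenSSH, Apache httpd, rpcbind 2-4
"""

# Assumed products named in the advisory being actioned; lower-case substrings
# so that variants such as "Apache Log4j 2.14" in a richer inventory also match.
AFFECTED_PRODUCTS = ("log4j",)

@dataclass
class Asset:
    team: str
    system: str
    lead: str
    services: list[str]

def parse_inventory(text: str) -> list[Asset]:
    """Turn the pipe-delimited inventory into Asset records."""
    assets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        team, system, lead, services = (c.strip() for c in line.split("|"))
        assets.append(Asset(team, system, lead, [s.strip() for s in services.split(",")]))
    return assets

def affected_assets(assets: list[Asset], products=AFFECTED_PRODUCTS) -> list[tuple[Asset, list[str]]]:
    """Return (asset, matched services) for every asset running an affected product."""
    hits = []
    for asset in assets:
        matched = sorted(s for s in asset.services if any(p in s.lower() for p in products))
        if matched:
            hits.append((asset, matched))
    return hits

def notification_list(assets: list[Asset]) -> dict[str, list[str]]:
    """Map each responsible lead's e-mail address to the systems they must remediate."""
    notify: dict[str, list[str]] = {}
    for asset, _ in affected_assets(assets):
        email = re.search(r"\(([^)]+)\)", asset.lead).group(1)  # address inside "(...)"
        notify.setdefault(email, []).append(asset.system)
    return notify
```

Running `notification_list(parse_inventory(INVENTORY))` yields the single recipient that the email below is addressed to.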

Email

From: AIG Cyber & Information Security Team
To: John Doe <product@email.com>
Subject: Security Advisory concerning Ransomware Exploitation of Log4j Vulnerabilities

Hello John,

The AIG Cyber & Information Security Team would like to inform you of critical vulnerabilities in Apache Log4j, as outlined by CISA, that may expose our infrastructure to ransomware attacks.

Risk/Impact: Ransomware actors are actively exploiting vulnerabilities in Log4j (CVE-2021-44228, CVE-2021-45046, etc.) to gain unauthorized access to systems. Successful exploitation can allow attackers to take control of affected systems, leading to data encryption, operational disruptions, and potential data exfiltration. This poses a high risk of downtime, financial loss, and reputational damage.

Method of Exploitation: Attackers exploit Log4j vulnerabilities by sending specially crafted requests to vulnerable systems. This allows remote code execution (RCE), enabling ransomware actors to deliver payloads or gain administrative control of targeted environments.

Remediation:

  • Immediately update all instances of Log4j to the latest patched versions.

  • Use available web application firewall (WAF) rules to block malicious requests.

  • Monitor for any indicators of compromise (IoCs) related to Log4j exploitation.

  • Implement network segmentation and restrict internet-facing services to mitigate exposure.

Please ensure these steps are actioned promptly to reduce the risk of ransomware. For any questions or further guidance, don’t hesitate to reach out to us.

Kind regards,

AIG Cyber & Information Security Team

Task 2 - (Technical) Bypassing ransomware

from zipfile import ZipFile, BadZipFile
import zlib

# Attempt to extract the archive with the given candidate password.
# ZipFile expects the password as bytes. A wrong password normally raises
# RuntimeError, but when the check byte matches by chance the failure surfaces
# instead as BadZipFile (CRC mismatch) or zlib.error during decompression.
def attempt_extract(zf_handle, password):
    try:
        zf_handle.extractall(pwd=password)
        print(f"[+] Password found: {password.decode('utf-8', errors='replace')}")
        return True
    except (RuntimeError, BadZipFile, zlib.error):
        return False

def main():
    print("[+] Beginning brute force attack")

    try:
        # enc.zip is the encrypted archive; rockyou.txt is the wordlist, read in
        # binary mode so that non-UTF-8 entries do not abort the run.
        with ZipFile('enc.zip') as zf:
            with open('rockyou.txt', 'rb') as f:
                for password in f:
                    password = password.strip()  # Remove the trailing newline
                    if not password:
                        continue
                    if attempt_extract(zf, password):
                        print("[+] Password successfully extracted!")
                        return  # Exit after successful extraction
                    print(f"[-] Attempt failed with password: {password.decode('utf-8', errors='replace')}")
    except FileNotFoundError:
        print("[-] The enc.zip or rockyou.txt file was not found. Please ensure they are in the same directory.")
        return
    except Exception as e:
        print(f"[-] An error occurred: {e}")
        return

    print("[+] Password not found in the list")

if __name__ == "__main__":
    main()
