Wednesday, May 6, 2015

Compute Cloud Engine Security


One of our bigger clients uses google compute engine as a services. And then they resell the service as a managed service.

They came to us and told us that they suspect one of the servers they own is now a command and control server. And that the entire IP block for that provider has been black listed and is affecting the MX record for the mail servers.

So this is the problem:

1.       The clients need the services back ASAP.

2.       The Client is a service provider to another provider (2 x kill chain).

3.       The Client is very good with services and networking (but no security Skill).

4.       All of this is in the CLOUD. That is run by google.

5.       The legal issues with this and the forensics of this problem require at least 4 organizations, Google, The direct client that contacted us. The secondary client that is 0Wned.  And last but not so obvious the users, IT staff that might have been 0wned

So first thing we do we ask for some variables:

1.       IP address.

2.       Domain names.

3.       Credentials to access inside virtual machines and main google Compute Engine.

4.       List of users with direct access to all of the above.

We get one of the security engineers to look at it. And within 1 hour he identifies the problem.

He is like oh ……. Just look at the logs …..

We are: what logs ….

The google compute logs.

We are: what is a google compute logs.

It shows someone logging in at strange time and then doing strange things.

 

 

In short, after a longer investigation, someone was able to hijack one of the admin’s Gmail account from the owned client that has admin access to that VM instance. He then was able to start a new server with no one being aware.

The server was a 2012 R2 server that is a standard google compute engine. Then the hacker changed the firewall and allowed VPN services via PPTP( we suspect this was the command and control channel(C2)).

Conclusion

We changed the password and recover question for the 0Wned user. We then removed the VM instance Server. Then we had to buy a new set of static IP and point all the DNS information to the NEW IP ranges.

At the end all clients are happy. The C2 hack came from a known TK domain name that is known for malware.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)