Browse Live Discover and Response Queries by Category
Under Review

Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

 REVIEWED by Sophos 

Hello all

The Australian Federal Government recently issued a warning to all Australian's that we're under an increasing number of cyber attacks.  Although this served as a general wanring to everyone, the Australia Cyber Security Center (ACSC) published a TLP:WHITE notification for what's now known as the Copy-Paste Compromise.  Within it is an extensive listing of all the TTPs being used by adversaries in an attempt to gain unauthorised access into Australia businesses and networks.

ACSC released a set of IoCs to be partricularly mindful of and to conduct a threat hunt to esnure these have not been witnessed acorss your systems.

https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks

As a result of this notification and the impact it potentially has, here's a specific Live Query to enumerate these IoCs.

NOTE: The timing for the query has been constrained to only hours, as such please expand the time frame as required, up to 90 days for each.

The query although pasted below, will be updated at the following location: https://github.com/autoexec-bat/Live_Discover_Queries/blob/master/ACSC_2020008

 

/* Housekeeping Prior to start - prevents sequential execution from failing */
DROP TABLE acsc2020008;

-- Create temp table with necessary columns
CREATE TABLE acsc2020008 (domain text, earl text, ipaddy text, SHA text, file text);
INSERT INTO acsc2020008 (domain,earl,ipaddy,SHA,file) VALUES ('domain','earl','ipaddy','SHA','file');

/* -- Search Sophos DNS journal over the last 90 days for domain IOCs */
UPDATE acsc2020008 SET domain = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_dns_journal WHERE (
name like '%mailguardonline.net%' OR
name like '%cybersecuritiesinc.net%')
AND time > STRFTIME('%s','NOW','-2 days'));

/* -- Search Sophos URL journal over the last 2 days for URL IOCs */
UPDATE acsc2020008 SET earl = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_url_journal WHERE (
url like '%api.onedrive.com/.../content%' OR
url like '%www.dropbox.com/.../Thesis Information to be referenced from.ppt' OR
url like '%uceaf62bf364381a378c816b41ba.dl.dropboxusercontent.com/.../file' OR
url like '%login.contact.cybersecuritiesinc.net/%' OR
url like '%login.microsoftonline.com/.../authorize user.read mail.readwrite&state=EmERFnNRcD2DbezEvK245MXBEokQh6&response_mode=form_post%' OR
url like '%www.mailguardonline.net/.../callback%')
AND time > STRFTIME('%s','NOW','-2 days'));

/* -- Search Sophos ip journal over the last 2 days for ip connect IOCs */
UPDATE acsc2020008 SET ipaddy = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_ip_journal WHERE (
destination = '104.156.233.219' OR
destination = '131.153.16.198' OR
destination = '134.209.97.239' OR
destination = '138.197.204.4' OR
destination = '139.59.90.114' OR
destination = '144.202.85.4' OR
destination = '154.16.136.100' OR
destination = '159.203.29.101' OR
destination = '167.172.36.95' OR
destination = '172.86.75.49' OR
destination = '172.86.75.7' OR
destination = '172.86.75.86' OR
destination = '176.10.99.200' OR
destination = '193.187.173.38' OR
destination = '194.36.191.227' OR
destination = '194.71.130.113' OR
destination = '198.255.66.27' OR
destination = '206.189.180.4' OR
destination = '206.189.98.83' OR
destination = '23.129.64.156' OR
destination = '23.228.74.58' OR
destination = '31.214.157.153' OR
destination = '43.231.77.218' OR
destination = '45.125.192.221' OR
destination = '45.153.231.121' OR
destination = '45.63.41.207' OR
destination = '5.188.37.38' OR
destination = '5.8.8.9' OR
destination = '54.78.227.17' OR
destination = '79.134.235.87' OR
destination = '79.134.235.89' OR
destination = '81.194.38.139' OR
destination = '92.38.188.85' OR
destination = '94.103.95.25' OR
destination = '139.99.237.34' OR
destination = '193.187.173.38' OR
destinationPort = '6666' OR
destinationPort = '6667' OR
destinationPort = '6668' OR
destinationPort = '6669' OR
destinationPort = '6670' OR
destinationPort = '6671' OR
destinationPort = '6672' OR
destinationPort = '6673' OR
destinationPort = '6674' OR
destinationPort = '6675')
AND time > STRFTIME('%s','NOW','-2 days'));


/* -- Search Sophos file hash journal over the last 2 days for SHA IOCs */
UPDATE acsc2020008 SET SHA = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_file_hash_journal WHERE (
sha256 = 'b094a8616804fbd5ff21b9c8153622eca7909b9f35251579ba383e16de11c0ed' OR
sha256 = '0f56c703e9b7ddeb90646927bac05a5c6d95308c8e13b88e5d4f4b572423e036' OR
sha256 = 'e84badc0eeacf3bf3a9e562662f05ebf05ab19196b740566a4e72a469460a55d')
AND time > STRFTIME('%s','NOW','-2 days'));

/* -- Search Sophos file journal over the last 2 hours for file IOCs being created */
UPDATE acsc2020008 SET file = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_file_journal WHERE (
pathname like '%ccc.dll%' OR
pathname like '%jp.exe%' OR
pathname like '%Potato.dll%' OR
pathname like '%tmdbglog.dll%' OR
pathname like '%ROAMING\Microsoft\Word\STARTUP\Template.dotm%' OR
pathname like '%Logs\PerfLogs%' OR
pathname like '%ProgramData\.Lookup%')
AND time > STRFTIME('%s','NOW','-2 hours'));

/* -- Compile results and make display more friendly */
SELECT
CASE domain
WHEN '0' THEN 'Domain IOC NOT present'
WHEN '1' THEN 'Domain IOC IS present'
ELSE 'Error'
END AS 'Domain IOC present',
CASE earl
WHEN '0' THEN 'URL IOC NOT present'
WHEN '1' THEN 'URL IOC IS present'
ELSE 'Error'
END AS 'URL IOC present',
CASE ipaddy
WHEN '0' THEN 'IP or Port IOC NOT present'
WHEN '1' THEN 'IP or PORT IOC IS present'
ELSE 'Error'
END AS 'IP and PORT IOC present',
CASE SHA
WHEN '0' THEN 'SHA IOC NOT present'
WHEN '1' THEN 'SHA IOC IS present'
ELSE 'Error'
END AS 'SHA IOC present',
CASE file
WHEN '0' THEN 'File IOC NOT present'
WHEN '1' THEN 'File IOC IS present'
ELSE 'Error'
END AS 'File IOC present'
FROM acsc2020008 where (domain = '1' OR earl = '1' OR ipaddy ='1' OR SHA = '1' OR file = '1');

/* -- Clean up temp table */
DROP TABLE acsc2020008;

 

Cheers

Azz

AzRoN
  • I changed the query to avoid having to create a table.  Creating tables will require the create and drop table SQL syntax as If Exists is not supported.  This uses a WITH statement to build the virtual list of IOCs.  I also added a variable to allow the admin to select the number of hours back they want to check for. $$Hours to look back$$   ---------------------- /* Build the list of IOCs from the article */ WITH acsc2020008 (attribution, Conviction, method, ioc, notes) AS (    VALUES    /*****************************************************************************************\    | The Australian Federal Government recently issued a warning to all Australian's that    |    | we're under an increasing number of cyber attacks. Although this served as a general    |    | warning to everyone, the Australia Cyber Security Center (ACSC) published a TLP:WHITE   |    | notification for what's now known as the Copy-Paste Compromise. Within it is an         |    | extensive listing of all the TTPs being used by adversaries in an attempt to gain       |    | unauthorised access into Australia businesses and networks.                             |    |                                                                                         |    | ACSC released a set of IoCs to be partricularly mindful of and to conduct a threat hunt |    | to esnure these have not been witnessed across your systems.                            |    |                                                                                         |    | www.cyber.gov.au/.../advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks    |                                                                                         |    | As a result of this notification and the impact it potentially has, here's a specific   |    | Live Query to enumerate these IoCs.                                                     |    \*****************************************************************************************/    /******************************************************************************************\    | Domains |    \******************************************************************************************/    ('ACSC2020008', 'Non-deterministic', 'domain_name', '%mailguardonline.net%', ''),    ('ACSC2020008', 'Non-deterministic', 'domain_name', '%%cybersecuritiesinc.net%', ''),    /******************************************************************************************\    | URLS |    \******************************************************************************************/    ('ACSC2020008', 'NON-deterministic', 'URL', '%api.onedrive.com/.../content%', ''),    ('ACSC2020008', 'NON-deterministic', 'URL', '%www.dropbox.com/.../Thesis Information to be referenced from.ppt', ''),    ('ACSC2020008', 'Deterministic', 'URL', '%uceaf62bf364381a378c816b41ba.dl.dropboxusercontent.com/.../file', ''),    ('ACSC2020008', 'NON-deterministic', 'URL', '%login.contact.cybersecuritiesinc.net/%', ''),    ('ACSC2020008', 'Deterministic', 'URL', '%login.microsoftonline.com/.../authorize user.read mail.readwrite&state=EmERFnNRcD2DbezEvK245MXBEokQh6&response_mode=form_post%', ''),    ('ACSC2020008', 'NON-deterministic', 'URL', '%www.mailguardonline.net/.../callback%', ''),    /******************************************************************************************\    | IP_addrs |    \******************************************************************************************/    ('ACSC2020008', 'Non-Deterministic', 'IP', '104.156.233.219', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '131.153.16.198', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '134.209.97.239', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '138.197.204.4', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '139.59.90.114', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '144.202.85.4', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '154.16.136.100', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '159.203.29.101', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '167.172.36.95', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '172.86.75.49', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '172.86.75.7', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '172.86.75.86', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '176.10.99.200', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '193.187.173.38', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '194.36.191.227', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '194.71.130.113', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '198.255.66.27', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '206.189.180.4', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '206.189.98.83', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '23.129.64.156', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '23.228.74.58', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '31.214.157.153', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '43.231.77.218', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '45.125.192.221', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '45.153.231.121', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '45.63.41.207', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '5.188.37.38', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '5.8.8.9', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '54.78.227.17', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '79.134.235.87', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '79.134.235.89', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '81.194.38.139', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '92.38.188.85', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '94.103.95.25', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '139.99.237.34', ''),    ('ACSC2020008', 'Non-Deterministic', 'IP', '193.187.173.38', ''),    /******************************************************************************************\    | ports |    \******************************************************************************************/    ('ACSC2020008', 'Non-Deterministic', 'Port', '6666', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6666', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6667', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6668', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6669', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6670', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6671', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6672', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6673', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6674', ''),    ('ACSC2020008', 'Non-Deterministic', 'Port', '6675', ''),    /******************************************************************************************\    | SHA256 |    \******************************************************************************************/    ('ACSC2020008', 'Deterministic', 'sha256', 'b094a8616804fbd5ff21b9c8153622eca7909b9f35251579ba383e16de11c0ed', ''),    ('ACSC2020008', 'Deterministic', 'sha256', '0f56c703e9b7ddeb90646927bac05a5c6d95308c8e13b88e5d4f4b572423e036', ''),    ('ACSC2020008', 'Deterministic', 'sha256', 'e84badc0eeacf3bf3a9e562662f05ebf05ab19196b740566a4e72a469460a55d', ''),    /******************************************************************************************\    | pathname |    \******************************************************************************************/    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%ccc.dll%', ''),    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%jp.exe%', ''),    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%Potato.dll%', ''),    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%tmbglog.dll%', ''),    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%ROAMING\Microsoft\Word\STARTUP\Template.dotm%', ''),    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%Logs\PerfLogs%', ''),    ('ACSC2020008', 'Non-Deterministic', 'pathname', '%ProgramData\.Lookup%', '')    )    /**********************************************************************\    | The admin may want to search a large amount of data in the tables so |    | split time into 20 min chunks given the number hours specified |    \**********************************************************************/ , for(x) AS (    VALUES ( ( SELECT CAST (strftime ('%s', 'now','-$$Hours to look back$$ hours') AS INT) ) )    UNION ALL    SELECT x+1200 FROM for WHERE x '%s', 'now') AS INT))    ) /****************************************************************************\ | Check for matching domain or URL info seen in the specified lookback period| \****************************************************************************/ SELECT    CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,    ioc.attribution,    ioc.Conviction,    spa.subject,    spa.SophosPID,    CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,    spa.action,    spa.object,    spa.url,    ioc.method,    ioc.ioc,    ioc.notes FROM for    LEFT JOIN acsc2020008 ioc ON ioc.method IN('domain_name', 'url')    LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Http','Url','Network') AND spa.time >= for.x and spa.time = for.x and spa.time = for.x and spa.time = for.x and spa.time = for.x and spa.time
Unfiltered HTML