In 2023, Cisco disclosed information about the active exploitation of a critical vulnerability in its software that allowed a remote, unauthenticated attacker to gain access to internet-facing network devices and create a local user account. This initial access paved the way for a privilege escalation vulnerability disclosed around the same time that would eventually lead to a full compromise of the system.
The first vulnerability received a CVSS score of 10.0 CRITICAL. The flag is the CVE identifier for that vulnerability.

This one is easy: we just need to search for specific keywords like "2023", "cisco", "rce", "cvss 10" and we land on CVE-2023-20198, which is the answer to this challenge.
CVE-2023-20198
A certain long-cultivated cyber espionage tool deployed by Center 16 of the FSB used to be developed under a different name at its onset. What was it?

This one is a little bit tricky. First we need to search for "Center 16 of the FSB", which leads us to this article.

Even though the malware deployed by Center 16 is called "Snake", it has other names too, and this article already tells us that early versions of this malware were called Uroburos, which is the answer to this challenge.
Uroburos
This state-sponsored APT has been known for its cyber-espionage and disruptive operations that target defense, telecom and critical infrastructure primarily in the US. The group is believed to have surfaced in 2021.
One of the APT's hallmark TTPs is living off the land to blend into target environments. One of its most unique TTPs is proxying operational traffic through compromised VPSs and SOHO network devices so as to obscure the true origin of the activity.
Name the APT!

There are so many APT groups that targeted the US in 2021, so we have to look for any activity that comes remotely close to these unique TTPs. According to MITRE ATT&CK, Volt Typhoon is the most fitting one in this scenario, hence the answer to this challenge.
Volt Typhoon
Goodcorp recently suffered a data breach. The nature of the breach and the sophisticated tactics observed suggest the threat actor is likely an APT. The Incident Response team collected the following from its investigation:

Ok, it seems like we have a lot to unpack here, but the most interesting item is the C2 proxy known as XTunnel, so I searched for this software on MITRE ATT&CK, which landed me on only one APT group.

Even though we found the name of an APT (APT28), there are many associated group names under this entry, so we have to check other sources to land on just one name.

And that name is Fancy Bear; SecurityWeek got me covered here.
Fancy Bear
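The two lookups above (which group uses a given piece of software, and which aliases a group goes by) are exactly the "uses" relationships and "aliases" fields in the STIX bundle that MITRE ATT&CK publishes. The script below is an added example, not part of this writeup or of MITRE's own tooling: it runs the same two queries offline over a constructed mini bundle whose object ids, the software list and the alias list are illustrative sample data, not a copy of the real ATT&CK dataset.

```python
"""Offline ATT&CK-style lookups: which groups use a tool, and what aliases a group has.

The bundle below is constructed sample data in the shape of the ATT&CK STIX export
(intrusion-set, tool/malware and "uses" relationship objects). Ids are placeholders.
"""
from typing import Dict, List

BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "APT28",
         "aliases": ["APT28", "Fancy Bear", "Sofacy", "Sednit"]},
        {"type": "intrusion-set", "id": "intrusion-set--0002", "name": "Volt Typhoon",
         "aliases": ["Volt Typhoon", "BRONZE SILHOUETTE"]},
        {"type": "malware", "id": "malware--0001", "name": "XTunnel"},
        {"type": "tool", "id": "tool--0001", "name": "Mimikatz"},
        # Illustrative "uses" edges (group -> software); the real data has thousands.
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "malware--0001"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "tool--0001"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0002", "target_ref": "tool--0001"},
    ],
}

SOFTWARE_TYPES = {"tool", "malware"}


def index_by_id(bundle: Dict) -> Dict[str, Dict]:
    """Map every STIX object id to the object itself."""
    return {obj["id"]: obj for obj in bundle["objects"] if "id" in obj}


def groups_using(bundle: Dict, software_name: str) -> List[str]:
    """Return the names of intrusion-sets with a 'uses' relationship to the named software."""
    objects = index_by_id(bundle)
    wanted = {oid for oid, obj in objects.items()
              if obj["type"] in SOFTWARE_TYPES
              and obj["name"].lower() == software_name.lower()}
    groups = []
    for obj in bundle["objects"]:
        if obj["type"] != "relationship" or obj.get("relationship_type") != "uses":
            continue
        if obj["target_ref"] not in wanted:
            continue
        src = objects.get(obj["source_ref"])
        if src and src["type"] == "intrusion-set" and src["name"] not in groups:
            groups.append(src["name"])
    return sorted(groups)


def aliases_of(bundle: Dict, group_name: str) -> List[str]:
    """Return the alias list of an intrusion-set, matching on its name or any alias."""
    for obj in bundle["objects"]:
        if obj["type"] != "intrusion-set":
            continue
        names = {obj["name"].lower()} | {a.lower() for a in obj.get("aliases", [])}
        if group_name.lower() in names:
            return list(obj.get("aliases", []))
    return []


if __name__ == "__main__":
    # Narrowing from one software name to one group, then expanding its aliases.
    print("Groups using XTunnel:", groups_using(BUNDLE, "XTunnel"))
    print("Groups using Mimikatz:", groups_using(BUNDLE, "Mimikatz"))
    print("Aliases of APT28:", aliases_of(BUNDLE, "APT28"))
```

Swapping `BUNDLE` for the enterprise-attack.json bundle that MITRE publishes on GitHub gives the same two queries over the real data; a software name that maps to a single group, as XTunnel does in this challenge, is a strong pivot, while a widely shared tool like Mimikatz returns many groups and is useless for attribution on its own.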
Aerocorp, a subsidiary of Goodcorp, recently suffered a massive data breach by a sophisticated actor. Can you identify the group responsible?
Name the APT!

We did not need to dig for anything: just search the hash of the binary that forensics recovered on VirusTotal and go to the Community tab to get the answer.
TEMP.Periscope
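The same hash pivot can be scripted against the VirusTotal v3 API instead of the web UI. The code below is an added example, not part of this writeup: it validates the digest, builds the file-report and comments URLs (`/files/{hash}` and `/files/{hash}/comments`, authenticated with the `x-apikey` header), and summarizes a response. The JSON it parses is a constructed sample in the shape of a v3 reply, and the hash is a placeholder, since the challenge's real hash is not reproduced here.

```python
"""Pivot from a file hash to VirusTotal detection stats and community comments.

Network access is optional: summarize_report() and attribution_hints() work on any
dict with the v3 response shape, and the sample below is constructed, not a real report.
"""
import json
import re
import urllib.request
from typing import Dict, List, Sequence

VT_API = "https://www.virustotal.com/api/v3"
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA-1 / SHA-256


def file_report_url(file_hash: str) -> str:
    """Build the v3 file-report URL, rejecting anything that is not a hex digest."""
    h = file_hash.strip().lower()
    if not HASH_RE.match(h):
        raise ValueError("expected an MD5, SHA-1 or SHA-256 hex digest")
    return f"{VT_API}/files/{h}"


def comments_url(file_hash: str) -> str:
    """The Community tab of the web UI corresponds to the comments sub-resource."""
    return file_report_url(file_hash) + "/comments"


def fetch_json(url: str, api_key: str) -> Dict:
    """GET a v3 endpoint with the API key header (not called in the offline demo)."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report: Dict) -> Dict:
    """Reduce a file report to the fields an analyst looks at first."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {
        "name": attrs.get("meaningful_name"),
        "malicious": stats.get("malicious", 0),
        "total_engines": sum(stats.values()),
        "suggested_label": label,
    }


def attribution_hints(comments: Dict, keywords: Sequence[str]) -> List[str]:
    """Return comment texts mentioning any keyword (e.g. 'APT', 'TEMP.', 'attribution')."""
    hits = []
    for item in comments.get("data", []):
        text = item.get("attributes", {}).get("text", "")
        if any(k.lower() in text.lower() for k in keywords):
            hits.append(text)
    return hits


# Constructed sample responses (placeholder hash and values, not real VirusTotal data).
SAMPLE_HASH = "0123456789abcdef" * 4
SAMPLE_REPORT = {"data": {"id": SAMPLE_HASH, "type": "file", "attributes": {
    "meaningful_name": "sample.dll",
    "last_analysis_stats": {"harmless": 0, "malicious": 41, "suspicious": 1,
                            "undetected": 25, "timeout": 0},
    "popular_threat_classification": {"suggested_threat_label": "trojan.generic/backdoor"},
}}}
SAMPLE_COMMENTS = {"data": [
    {"type": "comment", "attributes": {"text": "Backdoor attributed to an APT group; see vendor report."}},
    {"type": "comment", "attributes": {"text": "Packed with UPX, nothing else to add."}},
]}

if __name__ == "__main__":
    print(file_report_url(SAMPLE_HASH))
    print(summarize_report(SAMPLE_REPORT))
    print(attribution_hints(SAMPLE_COMMENTS, ["APT", "attribut"]))
```

Community comments are unverified user content, so treat a name found there as a lead to confirm against a vendor report rather than as the attribution itself; the detection stats and suggested label come from the engines and are the more reliable part of the pivot.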
