Threat Hunter Olympics: Solution #2
Event #2: Dancing on Ice
There’s a lot to get excited about at the Winter Olympics. I personally find the figure skating competitions fascinating—the extensions and other unbelievable feats of strength and control displayed while on two thin, chrome-plated blades is awe-striking.
This challenge was inspired by some analysis we’d done of third-party extensions to the Chrome browser. The puzzle was set up to include a bunch of browser traffic (primarily via TLS) to various pages within the official Winter Olympics site. As you likely noted by the size of the packet capture (~90MB), the goal here was to make participants take a high-level approach to finding what was interesting inside. The joke about one’s head spinning when looking at too many packets was also meant to nudge you to a higher-level approach.
Starting with the overall traffic breakdown, you may have noticed that nearly all the communication is via TCP, and that of the application-layer communication, the majority is via SSL. However, there is a notably small amount of HTTP communication to catch your eye.
When changing the filter to look at only SSL or HTTP traffic, the conversations view is extremely helpful. Below, we’re sorted by conversation starting time, which helps us understand how the different communications line up temporally with one another. Interestingly, we see a big gap in starting time between the traffic going to akamaiedge[.]net (which is where the Olympics sites we are visiting are hosted) and the traffic that follows it. Taking a closer look at the traffic after the time gap, you’ll see that there is a small amount of HTTP traffic to a very interesting domain—pastebin[.]com!
Filtering to this HTTP traffic shows some extremely interesting behavior—a POST using some sort of API.
Digging into this session shows that there’s actually data being transmitted in this POST, including a message to help solve the puzzle!
However, the message is actually a hint to take a closer look at this session. Figuring out the name of the author that created this extension isn’t 100% straightforward, and requires more sleuthing. More thorough analysis of the session shows that there’s a Chrome extension being used to transmit the data!
The extension isn’t named here, though, so additional steps are needed to discover the author’s name. Getting to the final answer for this puzzle can happen in a number of ways, but taking the 32-byte string (hmdndbgnknnelnfjiehmllanaljnejmg), which is the extension’s ID, and searching for it using Google will lead you to the solution.
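The high-level triage described above (overall protocol breakdown, conversations sorted by start time, spotting the long quiet gap, then zooming in on the lone cleartext POST to a paste site and checking whether the string it carries has the shape of a Chrome extension ID) can be scripted over flow records instead of clicked through in Wireshark. The following is an added example, not code from the original post or from Awake; the flow records, hostnames and IPs are constructed to mimic the challenge, and the Zeek-style field names are an assumption for readability only.

```python
"""Flow-level triage of a capture: breakdown, start-time gaps, odd HTTP POSTs.

Added example; the FLOWS list below is constructed sample data, not real
capture output. Real flows would come from Zeek conn.log/http.log, tshark
conversation statistics, or similar.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float       # conversation start time (epoch seconds)
    src: str
    dst: str
    dport: int
    proto: str      # transport: tcp / udp
    service: str    # application layer: ssl, http, dns, or '-' if unknown
    host: str       # HTTP Host or TLS SNI if seen, else ''
    method: str     # HTTP request method, or ''
    body_len: int   # HTTP request body size in bytes


# Constructed sample flows: a burst of TLS to the Olympics CDN, one DNS lookup,
# one harmless HTTP GET, then a ~5 minute quiet period and a lone HTTP POST.
FLOWS = [
    Flow(1000.0, "10.0.0.5", "23.1.1.1", 443, "tcp", "ssl", "www.olympic.org", "", 0),
    Flow(1001.5, "10.0.0.5", "23.1.1.2", 443, "tcp", "ssl", "e1234.dscb.akamaiedge.net", "", 0),
    Flow(1002.0, "10.0.0.5", "10.0.0.1", 53, "udp", "dns", "", "", 0),
    Flow(1003.2, "10.0.0.5", "23.1.1.3", 443, "tcp", "ssl", "e1234.dscb.akamaiedge.net", "", 0),
    Flow(1004.0, "10.0.0.5", "23.1.1.4", 80, "tcp", "http", "ocsp.example-ca.test", "GET", 0),
    Flow(1300.0, "10.0.0.5", "104.20.0.1", 80, "tcp", "http", "pastebin.com", "POST", 612),
]


def protocol_breakdown(flows):
    """Counts per transport and per application-layer service (the first,
    widest look at the capture)."""
    return Counter(f.proto for f in flows), Counter(f.service for f in flows)


def conversations_by_start(flows):
    """Conversations ordered by first-seen time, like sorting the Wireshark
    conversations view on relative start."""
    return sorted(flows, key=lambda f: f.ts)


def start_time_gaps(flows, min_gap):
    """Pairs of consecutive conversations whose start times differ by at
    least min_gap seconds. A long quiet period followed by new activity is a
    natural place to refocus the hunt."""
    ordered = conversations_by_start(flows)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b.ts - a.ts >= min_gap]


# Hosts where an unexpected upload from an endpoint deserves a look.
# Constructed watchlist for the example; extend from your own intel.
PASTE_SITES = {"pastebin.com", "paste.ee", "hastebin.com"}


def suspicious_http_posts(flows, sites=PASTE_SITES):
    """Cleartext HTTP POSTs carrying a body to watchlisted paste sites."""
    return [
        f for f in flows
        if f.service == "http" and f.method == "POST"
        and f.body_len > 0 and f.host.lower() in sites
    ]


# Chrome Web Store extension IDs are exactly 32 characters from the range a-p
# (a base-16 encoding of the extension key hash using letters instead of hex).
_EXT_ID = re.compile(r"^[a-p]{32}$")


def looks_like_chrome_extension_id(s):
    """True if s has the shape of a Chrome extension ID."""
    return bool(_EXT_ID.match(s))


def triage(flows, min_gap=120.0):
    """Run the whole high-level pass and return the findings as a dict."""
    proto, service = protocol_breakdown(flows)
    return {
        "transport": dict(proto),
        "service": dict(service),
        "gaps": [(a.host or a.dst, b.host or b.dst, b.ts - a.ts)
                 for a, b in start_time_gaps(flows, min_gap)],
        "posts": [(f.src, f.host, f.body_len) for f in suspicious_http_posts(flows)],
    }


if __name__ == "__main__":
    for key, value in triage(FLOWS).items():
        print(f"{key}: {value}")
    # The ID from the write-up, which appears in the POST session.
    print(looks_like_chrome_extension_id("hmdndbgnknnelnfjiehmllanaljnejmg"))
```

On the constructed data the breakdown shows TCP dominating with SSL as the main service, one gap of nearly five minutes separating the CDN traffic from the pastebin.com conversation, and that single POST flagged; the ID check is the last step before pivoting to an external lookup of the extension.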
How About If You Had Awake?
Using Awake, Dancing on Ice would be clear as day! Pastebin is a notable domain on this network, and it’s a notable artifact for this device (almost all of the traffic to Pastebin comes from this one system, as you can see from the EntityIQ profile).
Once we use Awake’s QueryIQ to check out the activities communicating with pastebin[.]com, it becomes clearer still!
I hope you enjoyed the second challenge. Stay tuned for the solution to Part 3 of the 2018 Awake Threat Hunter Olympics, which will be posted here soon.
Principal Threat Researcher