Report on the ACID 2016 drill

By | 9:04 am | 27/09/2016

ASEAN CERT Incident Drill (ACID) is the annual international information-security incident-handling drill of the Southeast Asian computer emergency response organization.


Tools to prepare for the 2016 drill


Drill phases:

Phase 01:

Hi SaverioOnline,

SingCERT has been informed that your online shopping site [hxxp://Saverio0nline.com] has been defaced. Please see the screen shot below.


Dear CERT,

We are keeping you in the loop to seek your assistance in this incident and for further investigation. In addition, we discovered that the defaced website is hosted by a web hosting company [hxxp://Bigdaddy.com].

Please exercise due caution with your investigation process and take the necessary actions in consultation with your client(s).


Rough translation:

SingCERT has received information that the site [hxxp://Saverio0nline.com] has been defaced, and they found that the website is hosted at [hxxp://Bigdaddy.com].

Propose some remediation measures.

Everyone working out how to handle phase 1


Phase 02:

Dear Sir/Madam,

Thank you for contacting Saverio-Online regarding the website defacement.

My name is Roy JING and I am the IT Manager for Saverio-Online.

My team has looked into the incident and has removed the defaced website. However, my management is deeply concerned on how the defacement happened which we do not have the expertise to investigate further. As such, I like to seek your help to investigate and advise how we should prevent such defacement incidents from happening again.

Please feel free to contact me in any way that I can help you.


Rough translation:

Roy JING is the IT Manager of Saverio-Online. Roy JING's team has removed the defaced website; however, they have no experience in this area, and they want to know why the website was defaced and how to prevent defacement from happening again.


Phase 03:

Dear Sir/Madam,

This is Roy JING.

Thank you for helping SaverioOnline with this incident.

As requested, these are the evidence that we have gathered to assist in your investigation. They can be accessed from the following URL:

  1. Nmap of server https://s3-ap-southeast-1.amazonaws.com/acid2016/Nmap_Server_3.txt
  2. Web server “www” folder https://s3-ap-southeast-1.amazonaws.com/acid2016/www_3.zip

We look forward to you sharing your investigation findings with us, specifically on the following questions that my management has:

1) Who are the attackers?

2) What vulnerabilities existed in the defaced website?

3) What did the attacker do?

4) What was the attacker’s intent?

Please feel free to contact me in any way that I can help you.


Phase 04:

Dear Sir/Madam,

Thank you for informing SingCERT on the successful take down of the defaced website. It was definitely an exciting time to have worked with your team closely in resolving this incident and prevented further members of the public from becoming victims.

As part of the information exchange to foster closer collaboration in cross-border cyber incidents such as this, can I seek you to share your incident response process of taking down such malicious websites in your country?

In return, SingCERT will also hope to share with you on our process so as to further improve our effectiveness and efficiency in handling such cases together in the future.

We look forward to your favourable reply, thanks.


Phase 05:

Dear CERT,

I have received a suspicious email which I like to report and seek your kind assistance to advise what I should do next. It is from my company’s CEO but I know for sure that I am not supposed to be receiving any emails from her at this time of the night.

I have double clicked on the attached file at 12pm (noon), but nothing happened.

I have attached the email for your further investigation and advice.

  1. Pcap File captured https://s3-ap-southeast-1.amazonaws.com/acid2016/ACID_Network_5.pcap
  2. Email attachment https://s3-ap-southeast-1.amazonaws.com/acid2016/Assignment_5.7z
  3. Email Screen Shot https://s3-ap-southeast-1.amazonaws.com/acid2016/Email+Screen+Shot_5.jpg
  4. Email Header https://s3-ap-southeast-1.amazonaws.com/acid2016/Emailheader_5.txt

For your advice, please.

Best regards,

Mr Arthur Jin Ai Kao

A Concerned Member of the Public


Phase 06:

Dear CERT,

I have received an email from Saverio0nline.com, as a loyal customer I double clicked on the attachment without much consideration. But once I have clicked on the email attachment I could not access my computer and there is a letter of sorts that keeps appearing on my computer screen asking me to pay a ransom which I do not know what it means. I have very important files in this computer as I need to send them to my boss tonight.

I have attached the note and the email header for your reference.

  1. Email Header https://s3-ap-southeast-1.amazonaws.com/acid2016/Emailheader_6.txt
  2. Malicious file (password is “infected”) https://s3-ap-southeast-1.amazonaws.com/acid2016/Promotion.exe_6.7z
  3. Screen Capture https://s3-ap-southeast-1.amazonaws.com/acid2016/ScreenCapture_6.jpg

Can you advise me what needs to be done to get my files back? I want to pay the ransom but I do not know how. Do you think paying the ransom is a good idea?

For your quick advice, please.

Best regards,

Mr Paul Jin Jia Lat

A Super Desperate Citizen :(


Phase 07:

Dear Sir/Madam,

I am the IT manager of Company JiaBaBuay Pte Ltd and one of our staff has also recently got infected by ransomware from an email sent by Saverio0nline.com. When I googled for help on ransomware infection, I chanced upon a SingCERT ransomware advisory at their website as attached below:


Would you be able to point me to another ransomware advisory which I can use for further reference? Or perhaps some advice on how I can educate my staff to be more alert and help them from being affected by ransomware?

Looking forward to your favourable reply.

I have attached the email header for your reference.

  1. Email Header https://s3-ap-southeast-1.amazonaws.com/acid2016/Emailheader_7.txt
  2. Malicious file (password is “infected”) https://s3-ap-southeast-1.amazonaws.com/acid2016/Promotion.exe_6.7z
  3. Screen Capture https://s3-ap-southeast-1.amazonaws.com/acid2016/ScreenCapture_6.jpg

Best regards,

Mr Robert Bo Ho Kang

An inquisitive Individual seeking for promotion :)


Phase 08:

Dear Sir/Madam,

 As a following measure from the previous incident, I have been monitoring our servers closely for any anomalies. The SQL server is having very high CPU utilization rate.

 Attached is the logs file from the SQL server. Are you able to advise on the anomalies?

 1. SQL Server Log https://s3-ap-southeast-1.amazonaws.com/acid2016/sql_server_logs_8.txt

 Looking forward to your favourable reply.

 Best regards,

Mr Roy JING Xiao Onn

IT Manager