More about PDNS incident 2024 (The Indonesia National Data Center)

00:00

good morning this is Bud Froman

00:04

bu uh as I promised before I'm going to

00:08

talk about the recent

00:12

2024 Indonesia's uh National Data Center

00:17

incident or

00:19

inesia data

00:21

National Samara temporary don't know why

00:25

temporary uh my presentation material is

00:27

going to be in basa Indonesia the text

00:29

is in BAS Indonesia but I'm going to

00:31

talk in English let me switch to my

00:35

presentation okay so so

00:39

uh uh disclaimer plus disclaimer I am

00:42

not involved uh as part of the design

00:45

implementation of operational of uh and

00:48

our investigation of this so I got all

00:51

the uh information from many sources any

00:56

sources and I'm trying to uh deduce

00:58

based on those sources but those

01:00

information uh okay let me get my face

01:03

here on the screen

01:06

wait okay so let's

01:09

continue okay uh let's start with the uh

01:13

uh chronology uh of the the incident on

01:18

June 20th

01:20

um the pdns 2 this is apparently there

01:25

is more than one so this is the uh data

01:28

center temporary Data Center c number

01:30

two I'll get back on that but anyway

01:35

um uh at 400 a.m. in the morning on the

01:38

20th uh June

01:40

2024 immigrations they could not access

01:44

their uh services in Indonesia now these

01:47

days everything is um electronic so if

01:51

you go to airports I mean airports

01:53

basically in Jakarta sarata for example

01:57

there's an auto gate you can go through

01:59

this auto gate using you know electronic

02:01

system we put the passport scan it and

02:03

then it goes through it didn't work at

02:05

the same time the

02:07

applications um where you have to go

02:10

through this immigration it didn't work

02:12

so they

02:13

contacted uh Pat data National contacted

02:17

uh the National Data Center why they

02:20

could not access their services or their

02:22

servers and

02:25

apparently there was a problem and after

02:28

that other applications or other

02:30

institution or organizations that that

02:33

are using these Services they also uh

02:36

noticed that they could not uh access

02:38

their services here is example of u a

02:42

list partial list of uh applications or

02:45

organizations that um could not access

02:48

the arip uh National the archive

02:51

National Archive the electronic uh what

02:54

do you call it uh procurement system and

02:57

so on and so on and even I heard that

02:59

there is is uh an application for uh new

03:02

students uh University's requirement

03:04

that did not work so anyway what

03:07

happened was that the uh the uh data

03:12

center uh owned by com info the ministry

03:15

of communication and information and

03:17

hosted by uh Telcom

03:19

Sigma was hit by uh ransomware from a

03:23

brain chipper or brain ciper um depends

03:27

on your pronunciation um brain chipper

03:31

uh group and the ransomware is

03:33

apparently A variation of log bit 3.0

03:37

now uh let's talk about the National

03:39

Data Center first I have no idea how it

03:43

works because again I was not part of

03:45

the design and so on and so forth so

03:47

apparently there are uh three uh not

03:50

three uh two data centers and one backup

03:53

cold backup system uh the one that got

03:55

hit is in the one that uh in Sara this

03:58

is actually PDN

04:00

S2 um and then there there is also PDN

04:03

S1 question mark there is uh it is in

04:07

sarpong another another uh City and is

04:11

managed by it is managed by lintas Arta

04:14

another company and they're supposed to

04:15

be a cold backup in batam we'll talk

04:18

about this uh backup sites later on okay

04:22

so

04:23

anyway

04:25

uh they found out that they were hit by

04:30

ransomware okay now the service the pdns

04:34

service uh the the original idea long

04:37

long time ago that the uh government

04:40

services so this is government service

04:42

this is a service for government

04:45

organizations uh they they used to have

04:47

a collocation meaning all these

04:50

organizations government institutions

04:52

they can have their own machines and

04:54

they uh bring their machines to uh data

04:57

centers um organized by uh Ministry of

05:00

communication and information but these

05:02

days you don't need a physical servers

05:04

so you get virtual machines so

05:07

everything is actually visual machines

05:10

VM now the VM itself uh from what I

05:13

heard is uh based on VMware the one at

05:16

least the one in pdns 2 uh was or is by

05:21

VMware now uh which I'm I'm not really

05:24

sure which part of the VMware uh that

05:27

got hit so here here's there's kind of a

05:30

a topology uh or kind of an architector

05:34

of virtual machines so we have a

05:37

hardware instead of one instead of one

05:40

system uh sorry instead of many many

05:43

servers see hundreds or 200 servers um

05:48

which is very very very cumbersome to

05:50

minutes uh today we have a cloud system

05:53

we have whereby you have like a big

05:56

Hardware not big in terms of not not

05:58

even the size right in in terms of the

06:01

capacity and capability so you have a

06:03

big hardware and on top of that you put

06:05

an a host OS be that you know Linux or

06:09

Windows it doesn't really matter and

06:11

then on top of that you have this

06:12

hypervisor now this hypervisor is the

06:15

one that you know VMR has you can have

06:18

other Technologies uh other than VMR you

06:21

can have open stack spr smoks what else

06:25

um but basically there are many uh

06:27

hypervisors uh supervisor

06:30

implementations now on top of this you

06:32

have gas os's uh you have virtual

06:35

machines basically you can install you

06:37

know um Linux Debian Santos red hat or

06:40

whatever you you can also install

06:42

Windows so you can have many virtual

06:46

machines it depend uh it's it is uh

06:50

basically uh sorry hang on a second yeah

06:53

yeah I need coffee basically on top of

06:56

this hypervisor you can have many

06:59

virtual machines you can have you can

07:01

install as many as you uh like it

07:05

depends on the capability of the

07:08

hardware so you can have two 5 10 11

07:11

200s or whatever um um even thousands

07:15

but I if if thousands perhaps you can

07:18

have more than one uh Hardware like

07:21

physical machines so anyway you can have

07:23

virtual machines on top of the this so

07:26

this is one architecture but since the

07:29

this host o OS is not doing anything um

07:32

basically the hardware is just running

07:34

hypervisor right so there's no need to

07:36

have this host OS so you can take this

07:39

host OS out you can have an architecture

07:42

something something like this this is uh

07:45

called bare metal so you have the

07:47

hardware the bare metal and then on top

07:49

of that you put hypervisor and then

07:51

that's it so you manage the hyper fer to

07:54

some kind of software or web Bas

07:57

application or you know um what whatever

08:00

means but basically you uh manage these

08:04

VMS on top of this hypervisor okay so uh

08:09

going back to the case I don't know

08:11

whether the one that that got hit hit uh

08:15

was it the hypervisor or the VMS because

08:20

are the institution the government

08:22

institution institutions they have

08:24

access only to these FMS so they were

08:28

given

08:29

several VMS one two what have you so

08:32

yeah they have access to these VMS but

08:35

they do not have access to the

08:38

hypervisor now my opinion based on the U

08:42

uh news the uh the ransomware actually

08:46

hit the

08:48

hypervisor now uh before that before

08:52

that uh there was a news saying that on

08:56

uh June 17th like 3 days before that

08:59

there is a an event a security event

09:02

that a Windows Defender um Windows

09:05

Defender uh this is like an antivirus

09:07

antimalware

09:09

application was disabled my question is

09:13

how and which part assuming this

09:16

hypervisor is there right the hypervisor

09:19

is there

09:21

um uh my assumption is that the Windows

09:24

Defender is actually part of this

09:26

hypervisor so somebody actually uh went

09:29

inside this hypervisor and disabled the

09:32

uh Windows Defender and then uh

09:34

injected uh the ransomware if the

09:37

Windows Defender the one that you know

09:40

uh got

09:43

deactivated was this VM so the attacker

09:47

mainly um had access to the VM the

09:51

attacker did not have access to the

09:52

hyper viser so maybe just

09:55

one organization or one institution that

09:58

got hit by and somewhere but not the

10:00

whole uh data uh the pdns so because of

10:05

uh the

10:07

incident happened to the whole pdns so

10:09

my assumption my assumption is uh the

10:13

hypervisor the one that got hit so so

10:16

that's that right so that's the the the

10:18

the now because of that because of that

10:22

so this is for those who are not

10:24

familiar with ransomware uh because of

10:26

that because everything uh ransomware

10:28

basically what uh it does is um the

10:31

ransomware encrypts the hypervisor so

10:34

you don't have access to the hypervisor

10:37

because if you want to access it you

10:39

need password to open it you need

10:41

password to decrypt it because of this

10:44

hypervisor is in encrypted format those

10:47

guas osses they could not run on top of

10:50

this uh hypervisor so basically you need

10:54

keys

10:56

okay now in terms of uh the results uh

11:00

the effect uh how much money or if you

11:04

have some kind of

11:06

calculation

11:07

um how much can uh kind of

11:11

uh how big is the incident caused by by

11:14

this um I don't have the data okay so I

11:17

don't have data in terms of business

11:19

process I don't have the data now now

11:22

about the keys um and this one I uh uh

11:26

read several uh post things and one of

11:31

one of the uh posts by johannas uh he

11:35

actually uh look in uh went and looked

11:38

into this uh situation and he actually

11:40

refers engineered uh some part of this

11:43

uh encryption and the hypervisor was

11:46

encrypted with babuk encryption so with

11:49

babuk encryption I read somewhere that

11:51

babuk uh is an

11:54

encryption bab somewhere is encrypted by

11:57

AES 256 so this is more like a private

12:00

key crypto system but from what I

12:02

understand from johannas U uh post it

12:05

was encrypted with ECC curve

12:10

25519 so ECC is a public key crypto

12:13

system it's bit different um I I have to

12:17

believe that

12:19

uh the the the the incident um the the

12:23

the sorry the encryption that was used

12:27

is this one easy one this easy now how

12:32

how did the uh the hypervisor got hit

12:36

now I I I read say from sample uh from

12:39

Sentinel one from the the uh kind of the

12:42

the web page here it says babuk

12:45

ransomware is typically spread through

12:47

fing emails with malicious attachment or

12:50

links malicious downloads software

12:53

vulnerabilities and remote desktop

12:55

protocol connection so going back to the

12:58

architecture

13:00

okay if we and I should have uh describ

13:03

the the the the this diagram with that

13:06

text okay uh

13:08

if the attacker went from uh a malicious

13:13

email so somebody's reading email on top

13:16

of

13:16

this and I think that's not the case

13:19

because there's no email application

13:21

there's nobody actually log in here and

13:23

work here so that was not the case feing

13:27

download that was not the case unless

13:29

somebody's downloading something and

13:30

install it in the hypervisor that was

13:33

not the case in my opinion uh so there

13:35

were only two things um the things which

13:40

is okay remote desktop or some software

13:43

vulnerability so somebody actually had

13:46

access to the hypervisor through Network

13:49

and exploit some kind of

13:51

vulnerabilities uh if that's the case

13:53

then there's a bad design in terms of uh

13:56

the network because you're not supposed

13:57

to have access to the hypervisor

14:00

directly usually it's behind some kind

14:02

of firewall

14:04

jump um you know uh jump machine or jump

14:08

host or something like that or uh

14:10

through remote DOA protocol so there has

14:13

some kind of web based application and

14:16

the web based application or the

14:18

application that uh manages uh

14:21

hypervisor was taken over that's also

14:24

possible because I don't know what

14:26

happens um uh these two

14:29

they might be the problem now uh this is

14:33

about the encryption on the hypervisor

14:35

in terms of the VM itself uh and from

14:38

the blog posts that I uh read uh the VM

14:41

was encrypted with log bit A variation

14:43

of loog bit and I

14:46

add sorry um lock pit what lock pit uh

14:51

ransomware and the encryption I have no

14:54

idea is it salsa 20 or whatever but this

14:57

is just

14:59

uh uh

15:01

um like uh my guess my guess um I'm more

15:06

concerned about the hypervisor because

15:08

probably that's the one uh that is U you

15:11

know the main cause so about the uh the

15:14

VMR axi oh okay VMware esxi this is the

15:18

hypervisor by VMware on top of bare

15:22

metal so

15:24

apparently uh this was known like a year

15:28

ago

15:29

okay the the babuk itself uh the babuk

15:32

uh

15:33

encryption um itself um was leaking in

15:38

2021 so some people actually

15:40

investigated how an organized ransomware

15:43

works now uh early

15:47

2021 Sentinel laps the one that I got uh

15:51

you know like the one that I read the

15:53

block post this is Sentinel one sorry

15:55

Sentinel lab it's one of one of

15:57

companies that I were actually

15:59

monitoring this Sentinel one observe an

16:02

increase in VMware esxi ransomware based

16:05

on babuk so this was known in

16:08

2023 now if this is the case then

16:11

somebody should update the software

16:14

create a better sop because they uh they

16:17

should have known that this is a target

16:20

okay so now you got hit by a ransomware

16:25

what is the

16:26

response how come it took uh uh them

16:29

like four five s days uh even right

16:33

right now they're they're still trying

16:35

to to to resolve this case why didn't

16:38

they switch from the DC to the DRC from

16:41

pdns 2 switch to pdns

16:44

one I don't know why why didn't they

16:47

switch okay uh we got hit by rans

16:49

someware stop the DC and switch to DRC

16:53

right maybe one the DRC itself also got

16:57

hit by ransomware so the main the DC the

16:59

main one the disaster recovery Central

17:01

also got here

17:03

maybe I but I did not hear any respond

17:06

about that two this is what I heard the

17:09

technology behind uh DC and DRC they're

17:13

different um The One is using um VM and

17:18

the other one is using open stack that's

17:21

that was um that was the reason maybe

17:25

that was the reason because they're

17:27

different in technology so it is

17:29

difficult to synchronize back up and

17:32

restore maybe maybe that's the case the

17:34

third one there was no DRC or maybe in

17:38

the process of building if that's the

17:41

case I think it's you know I to me it's

17:44

unbelievable you're running a production

17:45

system with a backup system uh and this

17:48

is like a production system being used

17:50

all over Indonesia uh it's

17:53

just you know this is kind of the weird

17:57

case in my opinion that's that's why you

17:59

know um I I talked to some friends and

18:01

they also got confused because this is

18:04

this is supposed to be like Ani not Ani

18:06

right this supposed to have like sorry

18:10

this is laziness in my opinion this is

18:13

laziness pardon my

18:15

language so that was uh the first

18:18

question and then the second question

18:20

why didn't you uh resume from uh a back

18:24

up uh restore so basically you got hit

18:27

by ransomware okay now you reinstall

18:30

everything and then um restore from

18:34

backups now there's another story

18:36

apparently backups were not

18:40

done in fact many of the VMS or the

18:43

institutions they don't have a backup

18:45

system so this is uh kind of strange as

18:50

a provider of a cloud system you should

18:52

have back up you know your client so

18:54

that's one thing and the second uh each

18:57

individual VMS uh each individual VM

19:00

they're supposed to have to have backups

19:04

so if I'm running say I I I am an

19:07

organization say if

19:08

I'm Ministry of uh so such and such and

19:12

such I should have back up my own backup

19:15

right even though I am I'm running on a

19:17

cloud say the cloud by uh pdns or A

19:22

Cloud by a us Google Azure or Alibaba or

19:27

whatever you I should should have my own

19:30

backup yeah because I because that's my

19:33

system I have I have to have my backup

19:35

so again this is a problem and this is

19:39

one of the biggest U lesson learned okay

19:43

now this is what uh it gets strange uh

19:47

stranger and stranger and stranger kind

19:50

of weird weirder and weirder and we on J

19:54

on July 2nd on July 2nd uh there was an

19:58

a posting here from uh Ministry

20:02

communication sorry I need coffee uh

20:05

Minister Ministry of communication and

20:08

information com info so it's easier to

20:11

say it in Bess com info from com info uh

20:15

there was a a posting uh that says the

20:19

attacker they sent an apology a public

20:23

statement apologizing um for for the

20:26

attack and they're willing to give give

20:29

the uh key or keys back

20:33

without any payment you for free

20:37

basically they still have you know we

20:38

leave a Monero wallet for donation if

20:41

you still want to send us money fine

20:43

we'll accept them but you don't have to

20:45

pay so this is kind of strange usually

20:48

uh rans of whereare groups they don't

20:52

really care about what they're doing

20:54

okay so this is kind of now they said

20:58

they're going to give you Keys now the

21:00

problem is this first can the key

21:04

actually opens the

21:06

encryption meaning the key can the key

21:09

decrypts what uh what have been done

21:12

okay

21:14

so friends some people tried this and

21:18

they kind of uh created uh an encrypted

21:21

version and use uh the key to open it

21:24

can you open it yes apparently the key

21:26

can open confirm now second

21:29

is there a Trojan or another ransomware

21:32

or whatever Mal software embedded in

21:34

this key uh application key decryption

21:36

uh

21:38

application ah this is a question and

21:41

some people went through and refers

21:42

engineered the key and they said no um a

21:48

higher

21:50

possibility uh there is no Tren or R

21:54

someware embedded or malware embedded in

21:56

the uh application or key that was given

21:59

okay so that's uh the key to open the

22:04

hypervisor so if you open the hypervisor

22:07

everything is up and normal back to on

22:10

the 20th or before that okay so

22:13

everything um is supposed to be there

22:16

now the VMS uh the VMS on top of this H

22:21

this

22:22

hypervisor are they also encrypted from

22:25

what I understand some of them were

22:27

encrypted but using different kind of

22:30

keys um maybe not all but some of them

22:33

or maybe all I have no idea because uh

22:37

right now we're discussing the

22:38

hypervisor right okay so what uh what

22:42

come info offered is they reinstall

22:45

everything they restarted the hypervisor

22:48

and they restarted the VMS and it's

22:51

supposed to uh install again the VMS uh

22:55

after kind of hardening your own VM and

22:59

Hyper was Harden okay I'm going to skip

23:02

this part okay

23:03

now I I don't have a a a timeline uh

23:07

this is in the uh in progress I should

23:09

have cre created timeline here like from

23:12

17 19 20th and so on and so on up to

23:15

July 4 up to now I have no idea what's

23:18

going on right now um whether they're

23:20

running uh running it based on a v

23:24

hypervisor or configuration that was

23:27

decrypted using the key or whether

23:29

they're running it uh using a fresh

23:32

install of hypervisor and all these

23:34

fresh install of the VMS I don't know

23:37

what's going on these days okay now

23:38

there's another issue uh that says um

23:41

that says um uh the uh the server or the

23:46

data uh the National Data Center was

23:48

being accessed using a weak passwort uh

23:52

this was not true uh this was one of the

23:56

VMS yes uh one of the VMS um I think

24:00

this one is B

24:02

bpkp uh their machine uh was managed by

24:06

weak password so that is possible but

24:08

only for one VM or one institution not

24:11

the whole hypervisor so this was kind of

24:14

the the title was missing okay

24:16

concluding remarks okay what are the

24:18

lessons learn through this process and I

24:23

you know I I haven't heard people talk

24:24

about this I know uh they have done

24:27

forensic um

24:30

to you know foric to investigate the

24:33

incident I know that the forensic report

24:35

or reports are not available for uh

24:39

public consumption man that's that's

24:41

understandable but lesson learn lesson

24:43

learn I think we we have to talk about

24:45

lesson learn because this is important

24:48

because this is important because

24:49

otherwise we're going to get hit the

24:51

same thing again now many things are not

24:54

clear still to me how the Intruder got

24:57

in the first time you know the got in

24:59

and then disabled the Windows Defender

25:01

and so on and so forth uh uh yeah this

25:05

this is uh to me uh one of the biggest

25:08

mystery uh we should have learned from

25:11

that so that others can learn from our

25:14

mistakes because this is expensive so

25:17

this is a kind of lessons that are

25:19

expensive okay now

25:23

um about talcom Sigma um they uh talcom

25:27

Sigma uh host

25:29

other providers sorry other service

25:31

providers not only government

25:33

institutions and these are the clients

25:36

that other clients are not hit or were

25:38

not hit and are not hit by uh ransomware

25:41

so so this is not reflecting telom cell

25:46

Sigma

25:47

uh credibility in my opinion this is my

25:50

personal opinion I'm not paid by tcom

25:53

Sigma and so on but this is just you

25:55

know one of the their clients got hit so

25:58

so this is specific to the pdns not to

26:04

the uh you know the whole cloud system

26:07

so that's that I guess uh it's already

26:09

too long I um as this is what I uh you

26:13

know I promise earlier okay okay so

26:16

that's that uh I have delivered my

26:19

promise

26:21

uh it's not as good as I want it but I

26:27

I'm busy I just got got home last night

26:29

so you know it's one of those hectic

26:31

days I could not make the uh video

26:35

earlier because I was on the road you

26:37

know it's what's difficult I don't have

26:39

access to my configuration my uh uh disc

26:42

is full and so on and so forth and so

26:44

work my apology so I guess

26:47

uh um this is it I need to uh work now

26:52

and go back to my world okay stay safe

26:56

stay healthy bye