ICL: America’s Cyber Cup – Quarterfinals are Over! Bring on the Semis!

Confetti littered the air. Children cheered, adults swooned, and the world eagerly awaited the competitors as they walked down the… Right, this is a virtual competition, not the Super Bowl. Well, let’s bring it back a bit then. As more than half the teams participating in the ICL were eliminated following qualifiers, 40 teams scheduled their quarterfinals round, eagerly awaiting incidents, the contents of which they did not know. 

And so, without much fanfare and very few crowds, our cyber warrior competitors logged into their virtual machines and began the defense of the provided virtual network. What awaited them they did not know, but they had just two hours to detect malicious behavior, investigate the network, and stop any malicious activity taking place there. Evidence was uploaded and logged to be evaluated by Cyberbit’s automated judge. Mitigation activities were detected by state-of-the-art network sensors. Quiz questions were answered. Point totals were added. Now only 20 teams remain. 

…But what did our competitors experience? 

Meet the Coin Miner – Difficulty Level, Intermediate

As competitors logged into their machines, they began to familiarize themselves with their new environment. The environment contained more 60 components including simulated internet, a DMZ, web segment, DB segment, Server segment, etc. Once they had become familiar enough, they opened their Splunk Enterprise Security SIEM and began their investigation. Immediately it became apparently to the competitors that there were bursts of network traffic being routed to a blacklisted IP. They checked logs to find the source around the given timeframe of the alert. 

Competitors were tasked with investigating the suspicious activity, ultimately discovering the source of the traffic, a malicious significantly reducing CPU resources available on the machine, and a scheduled task sending hashed information to the attacker’s command and control server. Along the way, each team was tasked with investigating the spread of the malware, the communication between servers, and had the opportunity to decode encryptions to discover the purpose of the malicious script. Once these activities had been discovered and investigated, each team was tasked with stopping the malicious activity and returning the network to it’s properly functioning status. 

Unfortunately, we can’t give all the secrets away as the Coin Miner scenario is now available for any Cyberbit trainee to train with and we don’t want to ruin the surprise for them. 

Why Coin Miner? 

With cryptocurrency on the rise, the race to “mine” new coins is heating up and resources are expensive and scarce. Coin Miners, typically associated with cybercriminal operations, can be used to steal resources which are then dedicated to mining activity for the cybercriminal. As a result, machines slow down significantly causing interruption to business and operational activities. Since coin miners do not result in the leakage of data or defacement of digital property and machines can still run with the malware running, they are deemed to be a lower level priority alert.  

However, recent campaigns from nation-state actor BISMUTH have caused many organizations to rethink this prioritization. From July to August 2020, BISMUTH deployed the Monero coin miners in attacks targeting the private sector as well as government institutions in both France and Vietnam. Using a coin miner was unexpected but consistent with the group’s behavior: blend in wherever possible. The coin miner allowed BISMUTH to blend in with other “commodity” malware, evading detection and providing analysts with a distraction that gave BISMUTH the time to focus on credential theft.  

What did we learn about our competitors? 

The ICL: America’s Cyber Cup has a simple mission: find the best defensive cyber team in the Americas. To accomplish this task, we are providing a different level simulation for each round. While Coin Miner is a simple simulation, the techniques we are asking qualified teams to perform will be used throughout the rest of the competition. To find the best cyber team we must test a variety of skills and knowledge, ranging from the simple SIEM alert investigation to advanced Linux investigations across multiple machines. 

In the Coin Miner scenario, we tested our teams basic Windows forensic techniques. We saw how they used different Windows tools including Process Explorer and WMI as well as their ability to correct the fixes on an infected machine. As we move on to the semifinals, scenarios will become more complex. While I wish I could give some hint of what’s to come, I cannot. But since I want to, I will leave you with on thing… the semifinals attack has happened before, around 2017. 

Good luck to all competitors and we’ll see you in the next round! 

Semifinals Standings 

The quarterfinals saw certain teams stand out (shout out to Hudson’s Bay Company for topping the power rankings and Grace Hopper Has a Posse for the fastest perfect score!) and certain teams’ flounder. Seven teams had perfect scores: Grace Hopper Has A Posse, PNC, City of Calgary, Game of Thone’s, Hudson’s Bay Company, Rock, Scissor, or Exploit, and team Perseverance and currently lead the pack. However, we did see quite a few goose eggs as well with 6 teams scoring nil. The average score in the quarterfinals was a 48.69 and the median score was a 46. Gone Phishing managed to just sneak into the semifinals and will look to improve their performance in the next round! See the full rankings here.