MINAF is (again) in trouble! The World Happiness strategy, a United Nations project to spread happiness worldwide, has been published on CotillaLeaks, with evidence that it was stolen from the team of María José Feliz, MINAF's General Manager of Celebrations.

Such a data breach can cause significant damage to MINAF, so it is essential to find out how the attackers got hold of this information and to plug the security hole.

Basic info

MINAF, like the whole of Spain's public administration sector, has undergone a massive overhaul of its IT systems (spearheaded mainly by its Digital Transformation initiative). All its endpoints are Windows 10 based, with full patch deployment every month and antivirus signatures updated daily. Servers have almost entirely been migrated to Windows Server 2016, also fully patched and with a solid backup strategy. There is an IDS/network monitoring system deployed (a Suricata/Bro combo), and a Sysmon+ELK SIEM is in its testing phase. Security best practices are followed, and MINAF obtained ENS (Esquema Nacional de Seguridad, Spain's main security standard for public administration) certification this year.

In addition, as part of the AGE's digital transformation initiatives, MINAF is spearheading a pilot project that moves part of its infrastructure to the cloud, in this case to O365. The staff of the Directorate General of Festivities have received a training course and are testing fully online work with mail, instant messaging and file sharing. Within the DG of Festivities we find the following users:

  • María José Feliz - General Manager of Celebrations
  • Pepe Contento - Assistant General Manager (María Feliz)
  • Franchesco Fiestas - Assistant General Manager (María Feliz)
  • José María Regocijo - Secretary General Manager (María Feliz)
  • Marta Regocijo - Head of Saint Festivities (Francisco Fiestas)
  • Simon Farra - Head of Pubs (Francisco Fiestas)
  • Marcos Cachondo - Head of Culture and Entertainment (José María Regocijo)
  • Martin Alborozo - Head of General Services (José María Regocijo)
  • Julian Juerga - Senior Auditor of Pubs (Simón Farra)
  • Antonio Jarana - Junior Auditor of Pubs (Simón Farra)
  • Juan ContraGolpe - Culture and Entertainment specialist (Marcos Cachondo)
  • Pedro Jubilo - Data Analyst (Marcos Cachondo)
  • Dolores Jolgorio - Quality technician (Martin Alborozo)
  • Ramon Campechano - Senior Accountant (Martin Alborozo)
  • Angela de la Guarda - MINAF CISO (and acting CIO)
  • Inocencio Crédulo - MINAF Junior IT
  • John Joy - Visiting civil servant from the European Happiness Commission (Martin Alborozo)
  • Teresa Zurda - State attorney general

Evidence

MINAF's CISO gives you the following evidence:

MINAF-PC7.zip : María José Feliz triage data
MINAF-PC7-users.zip : María José Feliz C:\Users Folder
O365_data.zip : O365 Data

Here you have the hashes for all the collected evidence: hashes.txt

[Note0]: Triage data has been acquired with CyLR.
[Note1]: The flags are all case-insensitive and must be answered in plaintext (old-school guy here).
[Note2]: Any evidence you find dated before 11/11/2019 11:11:11 UTC must be discarded, because it is not related to our case.
[Note3]: All the data in MINAF's O365 is (clearly) made up and should be taken with a little humour. Under no circumstances should this information be taken as an attack on MINAF's (non-existent) civil servants or on Spain's civil servants, who are held in high respect.
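Before opening any of the archives above, a practitioner would confirm they match hashes.txt and decide up front how the Note2 cutoff will be applied to artifact timestamps. The script below is an added example, not part of the challenge materials; it assumes hashes.txt uses the sha256sum layout (digest, two spaces, filename), which the page does not show, and builds a constructed sample evidence set rather than touching the real archives.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CASE_CUTOFF = datetime(2019, 11, 11, 11, 11, 11, tzinfo=timezone.utc)  # Note2

def parse_hash_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>'); format is assumed."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()  # '*' = sha256sum binary mode
    return expected

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # hash in chunks: triage archives can be multi-GB
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_evidence(evidence_dir, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, digest in parse_hash_manifest(manifest_text).items():
        path = Path(evidence_dir) / name
        results[name] = ("missing" if not path.is_file()
                         else "ok" if sha256_file(path) == digest else "mismatch")
    return results

def in_scope(timestamp):
    """True if at or after CASE_CUTOFF; naive datetimes are treated as UTC."""
    if timestamp.tzinfo is None:  # convert local-time sources before calling this
        timestamp = timestamp.replace(tzinfo=timezone.utc)
    return timestamp >= CASE_CUTOFF

def demo():
    d = Path(tempfile.mkdtemp())  # constructed sample set, not the real archives
    (d / "MINAF-PC7.zip").write_bytes(b"constructed sample, not the real triage")
    (d / "O365_data.zip").write_bytes(b"constructed sample, not the real export")
    manifest = (f"{sha256_file(d / 'MINAF-PC7.zip')}  MINAF-PC7.zip\n"
                f"{'0' * 64}  O365_data.zip\n"          # wrong digest on purpose
                f"{'1' * 64}  MINAF-PC7-users.zip\n")   # not present on disk
    return verify_evidence(d, manifest)
```

Any "mismatch" or "missing" result means the archive should not be analysed until a clean copy is obtained from the CISO, and every timeline entry is passed through in_scope before it is allowed to support a conclusion.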
Your mission

... should you choose to accept it, is to answer all the challenges and find out the truth about this incident. Have the attackers compromised María José's computer, or can they roam through MINAF's O365 data undetected? Help MINAF find out how the attackers got their hands on the World Happiness strategy!

Made by

This challenge was made by Antonio Sanz (@antoniosanzalc), with support from DIEC (Telecommunications Engineering Department) at the University of Zaragoza. Extra large thanks go to José Luis Salazar (crypto man) and Alvaro Alesanco (network and medical devices security guy), professors at DIEC/Unizar, for their support. Play, learn, share & have fun!