Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

FAUXTRIBUTION?

with 6 comments

Well here we are… It’s the beginning of the cyber wars my friends. POTUS came out on stage and said that we would have a “proportionate response” to the hacking of Sony and that in fact the US believes that it was in fact Kim Jong Un who was behind this whole thing. Yup, time to muster the cyber troops and attack their infrastructure!

*chortle*

So yeah, let’s take a step back here and ponder the FBI statement today on colonel mustard in the study with the laptop before we go PEW PEW PEW ok?

FBI Statement:

Update on Sony Investigation

Washington, D.C. December 19, 2014
  • FBI National Press Office (202) 324-3691

Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE). In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the “Guardians of Peace” claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.

The FBI has determined that the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees’ personally identifiable information and confidential communications. The attacks also rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.

After discovering the intrusion into its network, SPE requested the FBI’s assistance. Since then, the FBI has been working closely with the company throughout the investigation. Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack. Sony’s quick reporting facilitated the investigators’ ability to do their jobs, and ultimately to identify the source of these attacks.

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.

The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information. Further, the FBI will continue to work closely with multiple departments and agencies as well as with domestic, foreign, and private sector partners who have played a critical role in our ability to trace this and other cyber threats to their source. Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.

Parsing the language:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

The language of this report is loose and very much like an FBI statement would be when they are not so sure. Remember that the FBI did not originally link all of this to DPRK. Now though, with the same data as we all had before, they are definitively tentatively saying “It’s DPRK”, which makes people like me mental. So let’s look at these IPs that were hardcoded into the malware and take to task the idea that they are assets that ONLY the DPRK could use or has used, and how that very idea carries so much cognitive dissonance where “evidence” is concerned. Especially evidence on which a nation state is going to “respond proportionally” to another for actions they claim it perpetrated.

The key here is to pay attention to the GEO-IP stuff they are using:

A summary of the C2 IP addresses:

IP Address        Country        Port    Filename
203.131.222.102   Thailand       8080    Diskpartmg16.exe, igfxtrayex.exe, igfxtpers.exe
217.96.33.164     Poland         8000    Diskpartmg16.exe, igfxtrayex.exe
88.53.215.64      Italy          8000    Diskpartmg16.exe, igfxtrayex.exe
200.87.126.116    Bolivia        8000    File 7
58.185.154.99     Singapore      8080    File 7
212.31.102.100    Cyprus         8080    File 7
208.105.226.235   United States  (none)  igfxtpers.exe

See, now all of these IPs could be used by just about anyone. They are not in-country in the DPRK and they are not on Chinese soil either. In fact, here is the dope on each one:

Thailand: 203.131.222.102, port 8080, is a proxy:

203.131.222.102 - 203.131.222.102 203.131.222.102 203.131.222.0/23 Proxy-registered route object THAMMASAT Thammasat University 2 Phrachan Road, Phranakorn, Bangkok 10200, Thailand AS37992 THAMMASAT-BORDER-AS Thammasat University Thailand

It has also been seen as a very dirty player in SPAM and other nefarious actions, not just DPRK/CN APT activities.

So really, this one could be used by anyone and everyone.

Poland: 217.96.33.164 8080:

217.96.33.164 - 217.96.33.164 217.96.33.164 217.96.0.0/16 TPNET INTER-PARTS INTER-PARTS IMPORT EKSPORT WALDEMAR BACLAWSKI UL. JARZEBINOWA 4 11-034 STAWIGUDA AS5617 TPNET Orange Polska Spolka Akcyjna Olsztyn, Poland

Poland too is known to be dirty and used for SPAM and malware C&Cs as well. Many different groups are using this and it too is a proxy. So once again, this does not prove out solidly that this is DPRK. It could in fact be anyone who knows it is there and how to use it. Many of these addresses are on sites all over the web for use in this and other capacities.

In fact here is a site that has the password to the system (Chinese)

Italy 88.53.215.64 8000

88.53.215.64 - 88.53.215.64 88.53.215.64 88-53-215-64.WDSL.NEOMEDIA.IT 88.52.0.0/15 INTERBUSINESS IT-INTERBUSINESS-20050930 Telecom Italia S.p.a. AS3269 ASN-IBSNAZ Telecom Italia S.p.a. Italy

Once again, Italy has the same issue. It is a known dirty address/system and has been used for SPAM and malware C&Cs before. This does not mean that it is in fact solely under the control of DPRK.

Site listing the proxy as available and the qualities of the anonymity

Here’s another listing: http://dogdev.net/Proxy/IT

Bolivia 200.87.126.116 8000

200.87.126.116 - 200.87.126.116 200.87.126.116 200.87.112.0/20 200.87.126.0/24 This is a DiViNetworks customer route-object which is being exported under this origin AS6568 (origin AS). This route object was created because no existing route object with the same origin was found. Please contact support@divinetworks.com if you have any questions regarding this object. BO-ESEN-LACNIC Entel S.A. – EntelNet AS6568 ENTEL-SA-BOLIVIA ENTEL S.A. BOLIVIA La Paz, Bolivia

Here’s a listing from 2012 on the Bolivian proxy (blackhat forum)

Another listing: http://www.vipsocks24.com/2012/01/20-01-12-l1l2-anonymous-proxies-list.html

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-20 05:15 EST
Nmap scan report for 200.87.126.116
Host is up (0.17s latency).
Not shown: 92 closed ports
PORT      STATE    SERVICE      VERSION
80/tcp    open     http         Apache httpd 2.2.3 ((Win32))
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1720/tcp  filtered H.323/Q.931
5800/tcp  open     vnc-http     RealVNC 4.0 (resolution: 400×250; VNC TCP port: 5900) (remote auth bypass)
5900/tcp  open     vnc          RealVNC Personal (protocol 4.0)
10000/tcp open     http         GeoVision GeoHttpServer for webcams

Singapore 58.185.154.99 8080

58.185.154.99 - 58.185.154.99 58.185.154.99 58.185.128.0/17 Singapore Telecommunications Ltd SINGNET-SG SingNet Pte Ltd 2 Stirling Road #03-00 Queenstown Exchange Singapore 148943 AS3758 SINGNET SINGNET Singapore, Singapore

Singapore Proxy on offer online

Cyprus 212.31.102.100 8080

212.31.102.100 - 212.31.102.100 212.31.102.100 NB5-100.STATIC.CYTANET.COM.CY 212.31.96.0/20 212.31.100.0/22 Proxy-registered route object CYTANET PROVIDER Local Registry AS6866 CYTA-NETWORK Cyprus Telecommunications A Cyprus

USA 208.105.226.235 (no port listed)

208.105.226.235 - 208.105.226.235 208.105.226.235 RRCS-208-105-226-235.NYS.BIZ.RR.COM 208.105.128.0/17 RR-Route RCNY AS11351 RoadRunner RR-Binghamton-Rochester Syracuse, United States

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-19 21:13 EST
Nmap scan report for rrcs-208-105-226-235.nys.biz.rr.com (208.105.226.235)
Host is up (0.070s latency).
Not shown: 94 filtered ports
PORT     STATE  SERVICE
135/tcp  open   msrpc
443/tcp  open   https
3128/tcp closed squid-http <— OOOOH A PROXY GO FIGURE
5000/tcp open   upnp
5800/tcp open   vnc-http
5900/tcp open   vnc

This one seems to be a communications company in NY. An Nmap scan shows that there is a VNC service on here. Likely a compromised box. I wonder if anyone has looked at this. It is still up, so the FBI has not seized it.

Conclusions:

At the end of the day, if these are all the IPs that the US is using as evidence that DPRK carried out this attack, I think it is pretty weak as evidence goes. The majority of these systems are proxies and known to be such, and the others are weak systems that have likely been compromised for use in this attack and maybe others, because hackers share a lot of these C&C boxes. They do so to muddy the waters, so to speak: the more groups using them, the more confusion can be sown.

The machine in NY is interesting in that it is still online. I would have thought that the authorities would want to take that into evidence but there it is, still online. Maybe they are still getting round to that… Or maybe they are just happy to make the pronouncement that it was DPRK and leave it be. I personally think that all of these systems together do not lead me or anyone using logic to believe that these are known infrastructures for DPRK unit 128.

Even if the likes of Crowdstrike and others may claim that DPRK has been known to use the same tactics or things like them or any other vague adjectives about the data that they have seen in the past none of it is anything that would be considered evidence in court. It is all considered circumstantial and that evidence is inadmissible. So, the US is going to base a theoretical response on a nation state level, as I said above, on circumstantial evidence?

Now that’s statecraft… Of course I remember a time a while back when we all were told that Iraq had massive WMD stocks and was in cahoots with Al Qaeda. In fact it was a SLAM DUNK according to the then CIA director.

Of course you all know how that all ended.

UPDATE:

After a night’s sleep I woke up this morning thinking about all this yet again. I just wanted to add to this article the idea that similar code and tactics also do not an actor make. Remember that all of this could lead to a cold war, if not a warmer war, with actors like DPRK, and we are going to hang our hats on “similarities”. This just does not bode well for anyone.

There is a thing in intelligence called “cognitive bias” and I fear that our intelligence agencies fall prey to this a lot as it is. However, where the information and network warfare comes into play it is even worse. This is because it’s such a slippery subject not only on a technical level, but also because it is so easy to obfuscate means, methods, and actions with technology today. Another aphorism in the IC is that of being “lost in the forest of shadows” which means that nothing is clear and it is easy to be confused. Well, this is the same thing.

Like I said on Twitter last night, I can see my way to saying that DPRK was behind this. I can use Occam’s Razor to apply the logic of who had motive, look at their actions on the face of it, and say “most likely” it is them. However, would I want to go to war over that? Look at the people out there like Dave Aitel screaming that we need to go to cyber war and drop logic bombs in their infrastructure over this. Over a hack and destruction of data along with a healthy dose of schadenfreude over what.. Hollywood?

Come on!

It’s time for this community (INFOSEC) to really teach these people about what it is to be BLUE TEAM as well as sell them 0day. I am sorry, but we need to be better and so far we are just a bunch of warring parties looking for attention and the almighty dollar. We are in a perilous time because of people like Aitel and his ilk as well as the people who will blindly follow them because they are cyber warriors or thought leaders and know no better. If this keeps escalating, and it will, then we will see attacks by non state and state actors that will just be for anarchy’s sake.

I wrote earlier this month about the “Laughing Man Effect” with regard to the SONY incident as it was unfolding. This attack mimicked the LulzSec attack on HBGary. It seems we did not learn from this. They too had some bad practices going on that led to their compromise and utter destruction. In fact Sabu and the LulzSec crew were nicer to HBGary than the attackers in the Sony case. At least they did not raze their network altogether. Though HBGary Federal went down in flames due to the attack.

The Chinese say “May you live in interesting times” and that is not meant to be a pleasant thing. I fear that Pandora’s box just opened up a little more with yesterday’s pronouncement on shaky evidence. Unless the IC has more information that is solid to point the finger at DPRK for this, I just can’t get behind any kind of response, proportional or otherwise. What really needs to happen is that Sony gets their shit together once they re-constitute their network and really have a working security model. Not the utter crap they had before, but something that will actually mandate that personal information and IP be protected at least moderately.

This week I spoke with someone in the IC who does actual information warfare. In talking to him over the week I saw his frustration grow to the point that he put in his papers to separate. He plans on just going into teaching. Why? Because he said that all of this talk, this call to action over Sony, was just so ridiculous that it would be hard for him to carry out an order of attack on this “evidence”. His answer was to retire to teaching.

That about sums it up with me too of late. I look at the Twitter and the news feeds and see just marketing, hype, and fauxtribution… And it will be to our collective doom.

Let me leave you with a visual representation of how this all feels…

K.

Written by Krypt3ia

2014/12/20 at 02:36

Posted in SONY

SONY HACK: Winners and Losers

with 3 comments

What a difference a few hours off Twitter can make… Since last night the US government has made it known that they feel they have enough “evidence” to say that DPRK and Kim Jong Un were behind the hack on Sony. So far, all that I have seen personally posted online and in the news that counts as “evidence” has been inferential and certainly not worth spit in a court of law, never mind even in a mock court taking place in a 5th grade classroom!

Instead we have Sony playing the “poor us” card, the IR service (Mandiant) saying nothing, and the internet and social media on fire with comments on how this is either just utter buffoonery at a nation state level or hue and cries for response against DPRK for this “Act of WAR!”

*hangs head*

ERMEGERD we are doomed aren’t we….

So I came up with this little list of the winners and losers for you all.

Winners:

  • Whoever hacked Sony (Interview not being shown and fear being sown)
  • Sony (Poor SONY it was advanced! We’re bleeding money! POTUS SAVE US!)
  • Armchair CYBER WAR experts (Holy fuck Dave Aitel selling CYBER WARRRRRR)
  • CYBER CHICKEN HAWKS (HOLY FUCK! DAVE AITEL SELLING CYBER WARRRRR!)
  • Anyone with an agenda against DPRK
  • Anyone looking to sell attribution services (Mandiant/FireEye/Crowdstrike)
  • APT Appliance manufacturers (Mandiant/FireEye/Crowdstrike)
  • Kevin Mandia (Apologist email of the CENTURY)
  • GOP (Whoever you are.. Well played)
  • Every person, entity, or group from here on who decides to do the same thing in similar ways (keep an eye on this one)
  • Fucksticks like Dave Aitel (ERMEGERD)
  • THE LAWYERS! GIGGITY MO MONEY MO MONEY MO MONEY!

Losers:

  • All of us who are sane (It’s knee jerk time people, put on your helmets)
  • Sanity (what little we had as a nation and a people post 9/11 and the torture reports)
  • Any of us who have a clue about hacking and the world of network security (I am sure we will all be drinking soon at Shmoo)
  • Our national reputation (Once again, post Torture report there wasn’t much left but now.. oy)
  • Serious discussion of actual network and information warfare (RidT/Robert M Lee etc) (poor bastards)
  • Freedom of expression due to fear of reprisals due to veiled threats of 9/11 *1000 attacks (Just mention 9/11 and shit happens!)
  • Insurance companies that offer cyber insurance (I sincerely hope you guys fight this one with Sony)
  • The concept of “sophistication” in hacking of targets (We already had a problem here.. Now it’s been completely abdicated as a notion seriously)

So yeah, the nation is now at CYBER WAR with DPRK over some company that pays a lot in lobbyist bribes… I mean fees… No.. Bribes… To the government because they have an agenda (MPAA/SOPA/PIPA etc). A company that totally abdicated its responsibilities concerning the security of its data and that of everyone it works with, mind you. That part of the story seems to be lost in all the sabre rattling of late though.

PAY NO ATTENTION TO THE NAKED MAN BEHIND THE CURTAIN!

Good god… This is a pile of fecal vomitus.

K.

Written by Krypt3ia

2014/12/18 at 11:18

Posted in SONY

So.. What about those Japanese IP addresses in the SONY Hack Anyway?

with 9 comments

Just a little note in the derpstorm (another post to follow on that after this one) that I wanted to drop on you all. See, I mentioned this in one of my first posts on the Sony Hack but it has gone little noticed. In the malware samples of Destover-C on VirusTotal you can see in the strings a huge list of IP addresses that belong to someone in Japan… I reckoned that they were in fact Sony addresses because they track down to a location in Japan where Sony HQ is, and I left it at that. I had made my comments on how Japan and Korea just don’t get along and that they have a long history of unhappy relations, and thus a keyboard map, if taken at face value, might have relevance in this way.

Well, later on someone who shall remain un-named contacted me and thanked me for my post and the information in it. The reason? They said that they worked for Sony and had been told NOTHING. My post actually gave them more information than the actual corporation that they worked for within their own security and networking space! Sadly, this seems to be the M. O. of Sony and I took that piece of info as truth because really this person had nothing to lie about here.

and life went on…

Destover-C connections looking for NetBIOS connections (the sample’s strings list dozens of 43.130.141.x addresses, each paired with port 139 and 445):

This morning, as I sit with coffee at 5am, awake because I looked at Twitter and ERMEGERD DPRK DID IT is all over the place, I just thought I would share. See, there is more going on here than Wolf Blitzer can… Well.. Blitz! All of this, all of the fallout that I will write about next, just covers over the fact that much more has gone on that we have not heard anything about.
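Added example, not code from this post or from any vendor tool: the address list above (one /24, every host on 139 and 445) is the footprint of a wiper sweeping its neighbours over SMB, and that pattern can be caught from plain connection records without knowing the malware. The records below are constructed to mimic the list; the window and threshold values are assumptions to tune per environment.

```python
"""Flag a source that fans out over SMB to many hosts in one /24 within a short window."""
from collections import defaultdict
from ipaddress import ip_network

SMB_PORTS = {139, 445}   # NetBIOS session and direct-hosted SMB, as in the Destover-C strings


def fanout(records, window=60, threshold=10):
    """records: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).

    Returns {src: (subnet, distinct_hosts)} for every source that contacted at
    least `threshold` distinct hosts inside one /24 on an SMB port within
    `window` seconds. Only SMB-port records are considered.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()                       # by timestamp, then destination
        lo = 0
        for hi in range(len(conns)):
            # slide the left edge so conns[lo:hi+1] spans at most `window` seconds
            while conns[hi][0] - conns[lo][0] > window:
                lo += 1
            nets = defaultdict(set)
            for _, dst in conns[lo:hi + 1]:
                nets[ip_network(f"{dst}/24", strict=False)].add(dst)
            for net, hosts in nets.items():
                if len(hosts) >= threshold:
                    prev = alerts.get(src)
                    if prev is None or len(hosts) > prev[1]:
                        alerts[src] = (str(net), len(hosts))
    return alerts


def sample_records():
    """Constructed input: one wiper-style sweep plus ordinary traffic."""
    recs = []
    t = 1000
    # A single host touching a dozen neighbours on both SMB ports in 24 seconds,
    # using the last octets that appear in the post's list.
    for last in (11, 13, 14, 20, 21, 22, 23, 24, 28, 30, 42, 71):
        for port in (139, 445):
            recs.append((t, "43.130.141.200", f"43.130.141.{last}", port))
            t += 1
    # A backup job hammering ONE file server: many connections, one host, no alert.
    for i in range(30):
        recs.append((1000 + i, "43.130.141.9", "43.130.141.100", 445))
    # Outbound HTTPS is not SMB and is ignored.
    recs.append((1005, "43.130.141.9", "93.184.216.34", 443))
    return recs


if __name__ == "__main__":
    for src, (net, n) in fanout(sample_records()).items():
        print(f"ALERT {src} reached {n} distinct hosts in {net} over SMB")
```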

What happened in Japan?

Do we really think that just SPE was hit? I mean they are connected as a company to the parent which is in Japan right?

What about Germany?

What about all the subsidiaries? Won’t they too have to re-create their networks?

What great fuckery there is going on.

Wake the fuck up people.

K.

Written by Krypt3ia

2014/12/18 at 10:38

Posted in SONY

Threat Intelligence: The Blame Game

with 2 comments

//BEGIN MANIFESTO

Lately I have been sitting and thinking about TI and Attribution as well as the state of the state as the year comes to a close. I sit, I ponder, and then I get all kinds of rage filled with the shit I see happening out there. So, after a particular sit down I had over the weekend I decided to post this manifesto on the Internet’s front door. For what it’s worth I am not trying to be a so called “thought leader” here as much as I have just had fucking enough of the insanity and would like to see a little sense shoved down everyone’s collective cyber throats.

Open wide kids! Uncle bastard has a few words for you!

Threat Intelligence:

What is Threat Intelligence? Well, ask random people and you will get random answers. Ask vendors and you will get super buzz-wordy speak offering many APTs and IOCs and TTPs along with a host of other jargon. The reality is that Threat Intelligence has been co-opted as an idea from the military (once again in our business, like so many other things) and kludged into our business process in IT and Security.

Strictly speaking though, threat intelligence should be informatics that can be used to determine the threat to your environment. It is most of the time data in the form of IPs, ports, protocols, and actions that are being seen in the wild being used against other companies, governments, and people. As such it can be useful if you are a like entity or you have the same vulnerabilities that are being leveraged. You can take that feed of data and put in firewall rules to block C&Cs etc. to prevent them being used on you. Along with this, you should be getting informatics on patches that are available for 0days being used, as well as perhaps the types of information the hackers are targeting most often.

With all of this data one can formulate a plan and put in some rules in your own environment to perhaps detect or prevent it happening on your digital soil. Unfortunately though, much of the time the feeds and “intelligence” being sold to companies is just data. The company may lack the comprehension levels needed to understand the data or “intelligence” because they lack a person or group to analyse it all and rationalize it for their organization. This is where much of the fail happens in our business where Threat Intelligence is concerned if you ask me. Companies pay a lot of money for a data feed and then they fail to leverage it. It is also a fail on the part of the companies selling TI because they often just sell you the feed and pretty shiny reports on APT actors because they are cool and leave the end user struggling with the meanings. I mean, it’s an extra fee for comprehension right? So we have a fundamental failure on the part of the business to serve the clients in my opinion.
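Added example, not the author’s code, serving both this passage and the C2 table in the FAUXTRIBUTION post above: it takes that table as a raw feed, emits the “just data” firewall rules, and then does the analyst step the post says is missing, matching the feed against firewall logs and labelling each hit by how much it says about who is on the other end. The shared-proxy set and the log lines are constructed for the example; the set follows the post’s findings but is an assumption, not an enrichment source.

```python
"""From a C2 indicator feed to something an analyst can act on."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as listed in the post's C2 table: (IP, country, port, filenames).
C2_FEED = [
    ("203.131.222.102", "Thailand", 8080, ["Diskpartmg16.exe", "igfxtrayex.exe", "igfxtpers.exe"]),
    ("217.96.33.164", "Poland", 8000, ["Diskpartmg16.exe", "igfxtrayex.exe"]),
    ("88.53.215.64", "Italy", 8000, ["Diskpartmg16.exe", "igfxtrayex.exe"]),
    ("200.87.126.116", "Bolivia", 8000, ["File 7"]),
    ("58.185.154.99", "Singapore", 8080, ["File 7"]),
    ("212.31.102.100", "Cyprus", 8080, ["File 7"]),
    ("208.105.226.235", "United States", None, ["igfxtpers.exe"]),   # None = no port listed
]

# Constructed context (assumption for the example): feed entries the post describes
# as publicly listed open proxies. In practice this comes from your own enrichment.
SHARED_PROXY = {"203.131.222.102", "217.96.33.164", "88.53.215.64",
                "200.87.126.116", "58.185.154.99", "212.31.102.100"}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)")


@dataclass
class Hit:
    line_no: int
    src: str
    dst: str
    dport: int
    weight: str   # what the match says about *who*, not just *that* something matched


def firewall_rules(feed=C2_FEED):
    """The 'just data' use of a feed: one outbound block rule per indicator."""
    rules = []
    for ip, _, port, _ in feed:
        ipaddress.ip_address(ip)          # refuse malformed entries before they reach a firewall
        port_part = f" --dport {port}" if port else ""
        rules.append(f"iptables -A OUTPUT -p tcp -d {ip}{port_part} -j DROP")
    return rules


def classify(dst, dport, index, proxies):
    """Return a weight label for a log destination, or None if it is not in the feed."""
    if dst not in index:
        return None
    want = index[dst]
    if want is not None and dport != want:
        return "port-mismatch"   # same host, different service: weak signal
    if dst in proxies:
        return "shared-proxy"    # anyone can rent this box: says little about the actor
    return "dedicated"           # not known to be shared: worth a closer look


def match_logs(lines, feed=C2_FEED, proxies=SHARED_PROXY):
    """Match netfilter-style log lines against the feed, returning weighted hits."""
    index = {ip: port for ip, _, port, _ in feed}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        weight = classify(m["dst"], int(m["dpt"]), index, proxies)
        if weight:
            hits.append(Hit(n, m["src"], m["dst"], int(m["dpt"]), weight))
    return hits


# Constructed log lines in a netfilter-like format.
SAMPLE_LOG = [
    "Dec 19 03:12:07 fw kernel: OUT=eth0 SRC=10.20.5.17 DST=203.131.222.102 DPT=8080",
    "Dec 19 03:12:09 fw kernel: OUT=eth0 SRC=10.20.5.17 DST=8.8.8.8 DPT=53",
    "Dec 19 03:14:41 fw kernel: OUT=eth0 SRC=10.20.7.3 DST=208.105.226.235 DPT=443",
    "Dec 19 03:15:02 fw kernel: OUT=eth0 SRC=10.20.7.3 DST=88.53.215.64 DPT=22",
]

if __name__ == "__main__":
    print("\n".join(firewall_rules()))
    for h in match_logs(SAMPLE_LOG):
        print(h)
```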

Attribution:

Ah yes, attribution, the word itself sends a shiver of fuckery up and down the spine. This is the hook that all TI firms are selling their shit on. Detecting attacks and then attributing them to sophisticated actors. All of these firms are the new cool, right? Seems like every month we see a new and shiny report dumped on the internet alleging that some or other group of APT actors is hacking up a storm and stealing things. This may in fact be the case, that there are actors out there stealing shit left and right, but the attribution thing? Well, that is notional at best. I have to say though, lately I have been surprised to see some of these reports start to use the words “may be”, which is a good thing. You see, attribution is a lot like guessing you are holding a tree trunk while blind when in fact it is an elephant’s trunk.

Attribution should, in my opinion, be removed from the equation altogether from these threat intelligence firms’ business cycle. Here’s what they should do:

  1. Determine what the actor is doing and how
  2. To whom
  3. Then report on those actions and how to stop them by their modus operandi (C&Cs, TTPs, IOCs, hashes etc.)

That’s it. That is all they should be doing. By colouring it with all the Spy vs. Spy shit they may think that they are super cool, but in reality they are just muddying the waters for anyone trying to do real work. All of these swank reports on bad guys are just marketing and a certain desire to sell shit to the government. For the regular Joe in the trenches working in security, it does nothing.

So cut it out. I have little hope that will happen though.

Oh and one last word on attribution… It’s never that easy. Let’s see us go to war over your attribution…

Intelligence Cycle:

Back in 2013 I did a presentation on the intelligence cycle at BsidesLV. I would like to point you all at it again and once again say take a look. My premise is that any company that is looking to perform Threat Intelligence needs to not just have a feed without a real person or group who can analyse the data and report back to the company on the threats. If you strip out all the attribution crapola you may or may not have useful information depending on your position. The crux of the matter is comprehending what is being given to you and using that information to make better security decisions in your environment.

All too often now it’s all just shiny blinky appliances, reports, and language from so called thought leaders and vendors while Rome burns. If you are going to be serious about doing threat intelligence drop all the “ain’t it cool” crap and get down to brass tacks about securing your environment by knowing your weaknesses. You do this by leveraging threat intelligence where you can and introspection and action on where your environment has weaknesses.

K.

The Threat Intelligence Cycle

//END MANIFESTO

Written by Krypt3ia

2014/12/15 at 15:11

GLOBAL THREAT INTELLIGENCE REPORT: NOVEMBER 2014

leave a comment »

Executive Summary:

In the month of November 2014 two stories made the news that have direct corollaries to many corporations. These two stories center on actors’ modus operandi and their targeting of companies, individuals, and infrastructure in very particular ways.

The first actor/incident is SONY and their alleged attacker the GOP (Guardians of Peace). Sony was hacked by unknown person(s) and approximately 111tb (Terabytes) of information taken from their networks and systems. The data began to be leaked on the internet via BitTorrent and other sites in blocks of 1 gig to 100 gig per release.

The second attack/actor is being called FIN/4 and they are an unknown group that has been targeting corporations’ executives via Phishing. FIN/4 is looking for M&A information that they can steal to play the market with or have inside information for other companies to use by selling it to them. FIN/4 has been detected attacking Big Pharma looking for insider information primarily but has also been seen attacking other types of companies such as holding companies in search of information they desire.

Global Threats:

Sony Hack (GOP): Destructive Hacking and Malware

The Sony Corporation was hacked over an indeterminate time within the last year and was tipped to the fact on or about November 24th – 25th of 2014 by the attackers. A group or person calling themselves “The GoP” or Guardians of Peace released malware on the Sony network that then changed the login screens of all machines to a picture of a skeleton and a threat (see below).

Once the malware was delivered and triggered, the screens of PCs were changed to the image and a wiper utility went into action destroying the MBR (Master Boot Record), thus damaging the operating system and all data on the drive.

The attack on Sony should be a warning to all companies and entities with networking infrastructures. This attack seems to have been carried out by an insider (likely an IT person) with intimate knowledge of their network and where data lives. The malware itself had been hard-coded with server DNS names within Sony’s network as well, so this was a very targeted attack.

The attack on Sony has been in the news quite a bit, and the full extent of the hack and its repercussions has yet to be fully determined. Sony stock has taken a hit and has been up and down with the news stories and the releases of information by the GOP online. Reputation-wise the company has taken a great hit and in fact may be in jeopardy, because other companies and banks are not wanting to loan them funds or work with them, as the thousands of Sony records already online show that they were not taking due diligence with PII and PCI data internally. The majority of documents were unencrypted, and those that did have passwords had the actual passwords in a file alongside the documents or built into the document’s file name itself.

Observations:

The attack on Sony was most likely an insider attack and as such is one of the hardest types of attacks to protect against. However, since the release of data from Sony has been on the internet, it has come to light that the following glaring issues existed that led to their devastating compromise:

  • Sony did not have adequate staff working in information security and had in fact been heavily relying on contractors who were transient in nature

  • Sony had not been using encryption on files for PII or PCI

Image: full employee lists with SSNs, not encrypted and not password-protected

  • Sony had not fully instituted complex passwords on systems and files

Image: password in the file name itself

    • Examples: s0ny123 (Lotus Notes user password)

    • Notes password II: password

    • AD login: 163erie (less than 8 chars)

    • Passwords were re-used; in this case the user’s password was also used for the corporate AMEX account.

  • Attackers were able to exfiltrate 111 terabytes of information. This exfil likely happened onto local external drives but could have been done over the network over time. If this was carried out over the network, then Sony either could not see the immense amount of data being siphoned or they ignored it. Internal intelligence and telemetry are key to stopping exfiltration of corporate data.

  • This attack and exfil of data so thoroughly compromised Sony that they had to shut down their network completely and have employees use only pencils and paper for work.

Assessment:

This attack on Sony was motivated (most likely) not by nation-state actors upset about a movie, but instead by how Sony, in the attackers’ view, treated some employee(s) somewhere. The GOP in their communications keeps talking about how Sony is a bad corporation and treats its people poorly. No matter the motives and the actors, however, the important things to learn from this attack are the following:

  1. Insider attacks are the greatest risk to any organization

  2. Lax security policies and processes for securing data on drives with proper passwords and encryption led to the complete compromise of corporate and employee data in this attack. Had the files been encrypted and properly password-protected, this may have been mitigated.

  3. Any corporation could fall victim to the same type of attack.

  4. The malware used, contrary to the news cycle, is not new and not exotic. MBR wipers have been around since 1998. It is easy to re-work (reverse engineer) malware so that it is undetectable to antivirus utilities and thus is not seen.

What corporations need to take away from this incident is that it can happen to anyone. It can especially happen to a company not paying attention to internal data, systems, and traffic. A secondary concern that all companies should have is that now that this attack has happened, it will give others ideas and potentially open the door to more like this in the future as a means of hacktivism or revenge. A second and more important takeaway should be the following:

“It’s not important who attacked you after the fact. It’s important to discover and remediate the compromise through proper incident response and then fix the problems that allowed for the compromise to happen in the first place”

While threat intelligence is an important tool in the security arsenal, the focus on the who, and not so much on the why and how, has been in the news and the focus of Sony, at least in the media sphere. A recently leaked memo from the founder of Mandiant, the company carrying out the DFIR for Sony in this incident, alludes to the fact that this attack was “unprecedented and unstoppable”. This language and this memo are a disservice to the industry and allow companies to believe that, by having lax security controls and the illusion of nation-state actors, the blame for a major incident can be removed from the company whose atmosphere allowed the attack.

As shown above, the data was out in the open and efforts to protect data like PII and PCI were just not taken. Of course an insider attack is hard to foil, but at this time it is speculative whether or not it was an insider, even with the GOP bulletins saying that it was in fact the case. As well, in the case of Sony there is a long history of over 20 successful hacks on them in the past, and thus it seems that not only are they a big target but also an easy one, because they seem not to have been able to secure their environment well enough to stop attacks at all. Given all of these factors it should be evident that any corporation should look at the data coming out of Sony to study just what went wrong and attempt not to be the next company to fall prey to this.

Finally, this attack on Sony should be a lesson for everyone: now that this has happened and utterly destroyed the capacity of a company, others in the future will use it as a model for their own attacks. The notion is now out there in the open and in reality I guess one could call this the realization of the “Fire Sale” as seen in the movies. This is a turning point in information warfare and protection that everyone should take heed of and attempt to be ready for. While there may be no magic bullet to stop these types of attacks from happening, there are certainly means at the disposal of corporations and security groups to at least attempt to detect and stop such attacks. Specifically, there should be means to detect large data transfers within the network as well as going out of the domain itself.

FIN4: Spear Phishing and Stock Manipulation

FIN/4 is the name that Cylance has given to the group of actors using “spear phishing” to attack corporations’ email systems to steal corporate information. The information that these attackers are leveraging, though, is all to do with M&As and other insider information that the adversary wants to use or sell as intelligence for stock trades.

What makes FIN/4 different is this focus only on M&A or insider data. They only go after OWA or other email systems and do not hack any further into the networks. This type of activity nets them what they want and does not lead to their being discovered as easily. Through password dumps and email trails these attackers are able to compromise the systems and data they require and then go quiet while auditing all the information passing through those systems.

Assessment:

FIN/4 is a new twist on an old idea. This actor set is as yet new and it is unclear whether or not it is nation-state or other. However, their pattern of attacks should be something that every company pays attention to, whether they are actively traded on the stock market or not. This type of attack set is low and slow and nets quite a bit of data from common end-user frailties. The introduction of malware, or just the compromise of accounts, can lead to the full compromise of a company, just as is evidenced in the Sony attack above.

Download Document HERE

Written by Krypt3ia

2014/12/09 at 19:58

SONY: The Laughing Man Effect



Preface:

In the past I have written about “The Ghost In The Shell” in reference to current incidents online and the future of network warfare. I mostly wrote about the anime show’s prescience, and the fact that many of us in the business of computer security, it seems, gravitated to it in the first place because of those very scenarios and a certain cool factor to them. Of course all of that was science fiction and it could not happen in the real world, could it?

Well, once upon a time the idea of a plane flying in the air, or a submarine for that matter, was pure sci-fi, and now we take them for granted. So it is too with some of the ideas put forth by G.I.T.S. where online culture and warfare are concerned. If you are not familiar with the G.I.T.S. franchise I suggest you go to Amazon or Hulu and watch them all. If you are familiar with them, then you might have the same “Ah ha!” reaction that I did watching the evolving story of the Sony hack.

SONY HACK

So to catch you all up, Sony, it seems, got hacked. Not just hacked, but utterly hacked, penetrated, compromised, whatever adjective you would rather use; all of them apply here. Suffice to say that Sony was taken down in such a way that absolutely nothing electronic should be trusted within its environment, whether it be a router, switch, desktop, laptop, server, down to USB sticks. The hackers had complete control over what seems to be all of their infrastructure, and for an indeterminate amount of time.

The adversary, once gaining access, began to plunder all of Sony’s secrets, exfiltrating them out of their networks to the tune of one hundred and eleven terabytes of data. This is an astounding amount of data to take and one has to wonder just how they got it out of there. I mean, did they move it on TB drives? Did they FTP that out? What? You also have to wonder just how long that would take if they were being sneaky about it. It also begs the question of whether or not the attackers had to be sneaky at all, because perhaps Sony had not learned its lessons from previous attacks and just was not watching traffic at all to see the immense amounts of data leaving their domain.

It gets worse though for Sony… if that were even conceivable to many. The adversary then inserted a special feature into the malware they were using to compromise systems, to destroy the MBR section of the hard drives on systems that were infected. This poison pill was then activated when the attackers were done, to perform the coup de grâce that would take Sony down hard. As it was described, the malware changed the login screen for all the users and then the game was on. Sony knew something was up and then systems went BOOM. Or did they? I am not too sure on this fact because I have not seen much out of Sony as to what happened next.

The net effect here is that Sony cannot trust anything, and potentially anyone, within their walls and had to shut down their whole network. They handed people pens and pencils and continued working as best they could as they called in Mandiant to perform the incident response for them. Meanwhile, the adversary had made contact with Sony either with the screen change (see below) or by other means to say that they had that 111 TB of data, and laid out terms of what they wanted in order to not let it out on the net. That was around Nov 24 and it’s now December 6th. Since then there have been two data drops by a group calling themselves the GOP (Guardians of Peace). One drop was small, around a gig, and the next was 27 gig. Within those files were found great swaths of Sony data that included numerous SSNs and personal data for people who worked with or for Sony. In short, it’s a nightmare for all involved really.

Then things got… Weird.

Suddenly Variety (the Hollywood trade rag) was reporting that Sony thought that their adversary was in fact the DPRK and Kim Jong Un. Why? Because Sony was going to release a film that KJU did not appreciate. That film is called “The Interview” and it’s a comedy whose premise is that two Hollywood types are invited to DPRK to interview KJU and are asked “humorously” to whack KJU by the CIA.

Eh.. It could be funny. I really don’t think it would have nor will be but that’s just me. I am not a big fan of the two major stars of the film and of late Hollywood has mostly been the suck anyway, but yeah I digress…

So yeah, Variety is reporting that DPRK hacked Sony, and with Mandiant being signed on, HOLY CHINA! We all in INFOSEC began popping the popcorn and waiting on Tao to start talking about where DPRK touched him. It was, and still is, rather unreal. The modus operandi for some of the hacking does match what DPRK has done before with wiper malware, or shall I say “has been attributed to have done before”, and attribution, as you all know, is hard. However, the data kinda looked like maybe it was possible, but with the lens of time it seems less likely that it was a nation-state actor, especially if the reason for the attack was in fact this movie.

Since the advent of the DPRK theory, this whole story has just become a media frenzy about “CYBER CYBER CYBER WAR PEARL HARBOR BE AFRAID!!” The reality, though, seems to be a bit different from the popular media falderal, in that the GOP has all along said that this attack was in response to Sony’s bad practices and that they needed to be taken down for them.

The Laughing Man Effect

This is the juncture where the Ghost In The Shell comes in, and a certain arc in the story line from the Stand Alone Complex. If you are a fan you might remember the series of episodes concerning “The Laughing Man”. In these episodes we are introduced to a hacker who appears from nowhere and begins a campaign of attacks against corporations for their misdeeds, in particular one company that was colluding in surveillance and stock manipulation, but I will leave all that to you to watch.

What happens, though, is that The Laughing Man takes on the corporation and through hacking exposes them for what they had done, and affects their bottom line greatly financially as well as damaging their reputation. It was the spectacular nature of the hack, though, on live TV in this future Japan, that got others completely obsessed with the Laughing Man and what he had done. If you have not seen the series there is a box set of just the episodes that concern the Laughing Man that you can watch.

The story line, though, sparked with me because it showed the great asymmetric power of this kind of warfare that could be carried out by one person. One person with the skill sets to do it could affect the bottom line of a company at a distance as well as anonymously. This is a powerful thought and one that in today’s society is much more of a reality than ever before, and it is precisely because of technology. This idea I personally now call “The Laughing Man Effect” and, in tandem with memes, it could spell real trouble for the world today. We have seen this already taking place with Anonymous and their various wars against injustice, or just for the lulz as we saw in LulzSec. In fact, I would claim that HBGary would have been the first instance of the Laughing Man Effect and it just took the Sony incident for it to solidify in my head.

Memetics

Now consider the meme. Memes are ideas or images that catch fire with people and are passed on rather like cognitive malware. Anonymous was a meme as well as a means of creating and delivering memes on the internet. Born of the 4chan boards where memes are born every second, some dying on the vine while others catch fire, Anonymous caught on once they went after Scientology. The reality is that Anonymous lit this fire and now GOP has ostensibly taken up the notion and acted upon their personal desires for retribution, much like the Anons did on Scientology.

If the GOP is in fact a real group or person with an agenda to destroy Sony, then I believe that their idea has come from Anonymous’s successes. I also think that if they do really exist as a group then they have learned from Anonymous’s successes and failures. So far GOP has been pretty cagey with their use of dead-drop email accounts and the use of various servers around the globe to send email to reporters, which, if they are not caught right away, will give the meme more power, as the David who slew Goliath.

In the end, I believe this to be just the meme taking root in the collective unconscious, spurred on by the likes of Anonymous, Snowden, Wikileaks, and the Occupy movements. We live in a time where the small can in fact easily take down the big with technologies that we all use and oftentimes do not secure properly. In the case of Sony it seems that they neglected a lot and got burned badly by doing so. If that is the case then who’s to say when the next big corporation is taken down by another person or persons with an axe to grind or a valid grievance?

The meme is catching, and the Laughing Man Effect may be a real concern for the governments and corporations of the world. The more flashy and catchy, or perhaps just downright motivational, the more chance that others will follow. This is the nature of the meme and its ability to propagate so quickly and effectively in our hyper-connected world. If you just look at all the media coverage of the Sony incident and then look at all the armchair detection going on around it, you can see how this one too has sparked the collective imagination and curiosity.

Future State Electronic Warfare

So here it is. What some have been fearing and perhaps not getting across well enough is coming to pass. In our connected world it is easy to take things down and burn them. In the case of Sony they will come back, sure. If you look at their stock the last few days as revelations surfaced, their prices took a dive but then went back up. Perhaps the real world just doesn’t understand the ramifications of what has happened here. However, the fact remains that Sony was completely decimated on a technical level to start. This is an important point that should be thought about.

That Sony was hit by an insider is highly probable. Was that insider sent in or actively recruited? Are they someone who just did this because they felt abused? I guess time will tell on these questions, but insider attacks have always been a problem and they won’t go away. How do you really protect against that without making life harder for end users? Much more, how do you protect against insider attacks without alienating workers as they are watched every second of the day to ensure they aren’t setting off an attack? It’s a vicious cycle really.

Alternatively, how can any company expect to defeat a determined attacker anyway? The dreaded APTs have had it easy and still do to a large extent, but even after we have all learned our lessons, it will still always be a certainty that a determined attacker will get you in the end. With that knowledge then, what do you do? Do you just accept that fact, like something akin to the AA credo of “Grant me the serenity to accept the things I cannot change”, or do you fight harder? It is a never-ending battle.

What Sony can teach us now, though, is that the idea of this kind of warfare is out there. Ordinary people are feeling empowered to take on corporations and governments with the aid of the very technologies those use to carry on daily business, technologies that are now commonplace and that we cannot do without. This is a scary thing to many in power and it’s been made all the scarier when things like the Sony hack happen so utterly and completely well.

Welcome to the future of online/electronic asymmetric warfare kids.

K.


Written by Krypt3ia

2014/12/06 at 22:49

SONY HACK: THE REVENGE OF THE UN! (No Not Really)



SONY PWN3D!

On November 25th 2014 Sony acknowledged that they had been hacked. Since then a group calling itself the GOP has been leaking Sony data online, a gig at a time to start and now at a rate of 27 gig in one dump. According to the hackers they have about 111 TB (terabytes) of Sony data that they plan on dumping should Sony not capitulate to demands that they had transmitted to the company. It seems that since the dump of the 27 gig of very proprietary data, the case can be made that GOP did not get their way and Sony did not capitulate to whatever their demands may have been. The scope of the data being released shows just how well owned Sony was, but the whole incident just creates many more questions around how this happened, who did it, why, and where Sony can go next.

GOP (Guardians of Peace)

The GOP or Guardians of Peace alleges that it is a group somewhat like Anonymous that has been working toward human rights and other equality issues, which is kind of vague, but then again their email responses (which seem to have been copied and pasted to numerous media outlets) have been pretty stilted and come off as maybe just a façade for other motives. To date, there is no evidence online of there ever being a GOP other than various groups of online Star Wars gamers who play a group of Jedi Knights with the same nom de guerre. So this looks to be either a “new” group or, perhaps more likely, just a smoke screen for other actor(s) who performed this attack against Sony. An attack that, given the amount of data and some confirmation from the alleged group, took a year to perform.

Image: GOP email screenshots. Note the stylometry, which implies a writer whose first language is not English.

It does seem to be the goal, though, of this attacker set to really destroy Sony as much as they possibly can. If you look at the data being dumped and the complete compromise of their entire networking infrastructure, it becomes apparent that this attack will not only take a lot of time to fix on the network side, but also to repair Sony’s finances and reputation as well. After all, who is going to trust Sony with loans or want to do Hollywood deals when the data of those paying in or making those deals could also be at risk from another attack like this in the future, should Sony not learn from their mistakes?

It remains to be seen just what the alleged GOP is really all about, but at this time I am going to say that from what I have seen in emails and actions, their goals never were to get a deal out of Sony. Instead I surmise that they just wanted to hit them, and hit them hard, for whatever reasons they have personally. As stated in the email above, they have an axe to grind and they claim that they helped disgruntled individual(s) to carry off this hack. Could this be the case? Sure. However, I am not going to say anything is irrefutable in this debacle.

Physical Security & Insider Attacks

GOP claims from the start that they had someone on the inside who got them in and that Sony’s physical security was non-existent. I personally have talked to people who have intimated the same thing about the lack of physical security at the Sony offices in the recent past. It seems to some that after the other attacks on Sony the corporation doubled down on tools but not so much on people with the talent to protect the network. While doing this, Sony also just did not think one bit about the physical security needed to protect their computer networks, and thus it was easy for the attackers to carry off this hack.

While malware was inserted into the networks at Sony, I have yet to see a real bit of intelligence on how it got there and when. Was it inserted physically from a USB, or in an email? Was it a phish from outside? No one will know until Mandiant releases anything, IF that ever happens. Given the nature of all of this and Sony, I suspect we will all be asking questions for a good long time. However, once the systems were compromised, just how was the 111 TB of data exfiltrated from Sony? That is a lot of data to be pushing through a pipe, and if they in fact did this over a year I can see maybe a slower approach, but jeez! Where do you store it all after you get it anyway? Is it distributed a gig a piece somewhere in the cloud? On personal TB USB drives? Was it in fact carried out that way over a period of time as well, so as to not be seen in netflow? I guess we may never know. In the end though it seems that Sony got caught with its pants around its ankles where insider threats are concerned, and this is what others have been saying of late, post this attack.

Malware

Interestingly, the malware seems to have started a firestorm of theories and accusations (more of which I cover below), but the gist of the tinfoil theories begins with the wiper malware found at Sony. The malware seems to be a variant of the type that a group called DarkSeoul used on South Korean banks last year. This fact does not make it a lock that it is the same actor, though, and this will bear much on the section below as well. However, let’s look at the details we have now. The malware, once inserted into the systems, drops a trojan and downloads more fun for the exploitation to move on.

Malware Analysis Sources:

https://malwr.com/analysis/M2VjNDE4NzQ3NzgwNDVmNjk4YTY5ODBjZDA3NDMxNDk/

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Destover-C/detailed-analysis.aspx

The last link there shows the malware with the same MD5 listed by the FBI as the malware found at Sony. It attempts to connect to shares on numerous IP addresses in Japan (see below) at what seems to be a Sony facility.

Image: FBI FLASH for SONY Malware/Wiper

Image: The Japanese hosts as well as the C&Cs listed by FBI

Image: One more C&C not mentioned usually

Image: Two more C&Cs in strings from malwr.com 12/3/2014

Image: Japanese IPs from sample 12/3/2014

Image: “Berlin” user offering proxies in 2012 with one of the C&Cs listed

Image: Bolivian C&C default page for cargo company on IP

Image: Latest iteration of the malware sig is beaconing to the following IP in NY

Image: Destover-A named by Sophos

Image: Sony Music Div is in the location of the IPs in Japan seen in malware hosts

Image: Destover-C variant of the malware wiper (SOPHOS)

Destover-C connections


Addresses in the Sophos sample on which the malware was looking for shares in Japan

SNORT SIG: alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET TROJAN Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:2;)
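The Snort rule above and the earlier point that large transfers within the network and out of the domain should be detectable both come down to checks over flow telemetry. The following is an added example of mine, not code from this post, Sophos or Emerging Threats: it implements the rule's destination list with its `threshold` semantics (type limit, count 2, track by_src, seconds 300) and a per-host sliding-window byte counter over constructed flow records; the flow-line format and the RFC 1918 `$HOME_NET` ranges are assumptions.

```python
"""Flow-telemetry detections for two points made in these posts:
 - callouts to the wiper C&C addresses in the ET Snort rule (sid 2019848),
   with that rule's threshold semantics (limit: 2 alerts per source per 300 s);
 - large data transfers per internal host within a time window, out of the
   domain or, optionally, laterally inside it.
The flow-record format and the $HOME_NET ranges are assumptions; all records
are constructed sample data, not captured traffic."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

# Destination addresses copied from the quoted Snort rule.
WIPER_CALLOUT_IPS = {
    "88.53.215.64", "217.96.33.164", "203.131.222.102", "208.105.226.235",
    "212.31.102.100", "58.185.154.99", "200.87.126.116",
}

# Assumed $HOME_NET: the RFC 1918 ranges.
HOME_NETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: int          # epoch seconds when the flow started
    src: str
    dst: str
    dport: int
    nbytes: int      # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def parse_flows(text: str) -> list:
    """Parse whitespace-separated 'ts src dst dport bytes' lines (assumed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_c2_callouts(flows, limit=2, seconds=300):
    """Alert on internal hosts contacting a listed C&C, approximating Snort's
    'threshold:type limit,count N,track by_src,seconds S': only the first N
    matching events per source in each S-second window produce an alert."""
    alerts = []                      # (ts, src, dst)
    windows = {}                     # src -> (window_start, alerts_in_window)
    for f in sorted(flows, key=lambda x: x.ts):
        if not is_internal(f.src) or f.dst not in WIPER_CALLOUT_IPS:
            continue
        start, count = windows.get(f.src, (None, 0))
        if start is None or f.ts - start >= seconds:
            start, count = f.ts, 0   # window expired: start a new one
        if count < limit:
            alerts.append((f.ts, f.src, f.dst))
            count += 1
        windows[f.src] = (start, count)
    return alerts


def detect_bulk_transfer(flows, threshold_bytes, seconds, egress_only=True):
    """Return {src: peak_bytes} for internal hosts whose sent bytes exceed
    threshold_bytes within any sliding window of `seconds`. With
    egress_only=False, internal-to-internal flows count too (lateral staging)."""
    offenders = {}
    windows = defaultdict(deque)     # src -> deque of (ts, nbytes) in window
    running = defaultdict(int)       # src -> sum of nbytes in the deque
    for f in sorted(flows, key=lambda x: x.ts):
        if not is_internal(f.src):
            continue
        if egress_only and is_internal(f.dst):
            continue
        q = windows[f.src]
        q.append((f.ts, f.nbytes))
        running[f.src] += f.nbytes
        while q and f.ts - q[0][0] >= seconds:   # drop records outside the window
            _, old = q.popleft()
            running[f.src] -= old
        if running[f.src] > threshold_bytes:
            offenders[f.src] = max(offenders.get(f.src, 0), running[f.src])
    return offenders


# Constructed sample telemetry (not real Sony traffic).
SAMPLE_FLOWS = """\
# ts         src         dst              dport bytes
1417651200   10.20.1.15  203.131.222.102  80    1200
1417651230   10.20.1.15  203.131.222.102  80    900
1417651260   10.20.1.15  208.105.226.235  443   700
1417651800   10.20.1.15  203.131.222.102  80    1100
1417651200   10.20.1.40  198.51.100.7     443   40000000000
1417652000   10.20.1.40  198.51.100.7     443   20000000000
1417660000   10.20.1.40  198.51.100.7     443   5000000000
1417651200   10.20.1.55  10.20.2.9        445   90000000000
1417651400   8.8.8.8     10.20.1.15       53    300
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ts, src, dst in detect_c2_callouts(flows):
        print(f"{ts} wiper callout {src} -> {dst}")
    for src, peak in detect_bulk_transfer(flows, 50 * 2**30, 3600).items():
        print(f"egress {src}: {peak / 2**30:.1f} GiB within one hour")
```

On the sample data the third callout from 10.20.1.15 is suppressed by the threshold and the fourth, 600 seconds after the first, alerts again, while only 10.20.1.40 trips the 50 GiB-per-hour egress check; the lateral 90 GB copy from 10.20.1.55 shows up only with egress_only=False.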

Summary of Data:

Overall the malware attempts to map shares as well as connect to C&Cs in a host of different countries for updates and exfil. Could the Japanese IPs mean that their networks were the source of this malware to start with? If so, the idea of a Korean language set on the malware might make more sense, as there is a HUGE Korean dissident population in Japan. This too would also make sense if a Korean actor was acting out on what they considered “equal rights” and other beefs with a Japanese conglomerate. Why? Well, one has to know Japanese politics and their issues with Koreans. It is well known that Koreans are considered second-class citizens in Japan, so maybe this is a motivation? Has anyone taken the time to think this one out? Mandiant? Anyone? Helllooooo? Say, you guys do know that Japan is close to South Korea, right? Map anyone?

Ok so anyway, the malware does it’s thing and the rape and pillage of Sony goes on… Maybe for a year undetected.

DPRK WTF?

Speaking of Koreans… Enter the theories about DPRK and Kim Jong Un. So about a day or two after the Sony breach was in the news I saw the first mention of DPRK as the attacker. Where, might you ask? Well, in VARIETY of all places. This struck me as really, really odd that it would be in Variety that you see this, but hey, it’s Hollywood, right? Since then the news media, spurred on by the likes of Re/Code, have been perpetuating the idea that the DPRK tasked its CYBER Army (128) to attack Sony and deal it a death blow! *snerk* This of course came without any real backup data from the hack, no evidence, nothing but suppositions and innuendo. Why would DPRK hack Sony? Well, OBVIOUSLY KJU doesn’t want anyone to see “The Interview”, a movie about two reporters asked to kill KJU. Did I mention that this was a comedy?

Well anyway, now the media has gone FULL GAGA over this and Re/Code has made it even worse with their false reporting from alleged “inside sources” that it was MOST DEFINITELY DPRK!

Derp.

So far, nothing other than a language setting on the malware, malware that has likely been available for download in places since 2013, has been offered as the main attribution point.

HELL SON! THAT’S A SLAM DUNK IN THREAT INTELLIGENCE!

Not.

One just has to hang one’s head here… Or, maybe more to the point, just hit it against the desk until the pain dies down. While one can see KJU doing such a thing because he is “the cray cray”, I doubt that the time frame here for the exfil of 111 TB of data fits. That’s my take on this anyway. I would also like to say that this all lacks some finesse and that DPRK has been learning from China about the cyber wars, so really… Meh.

Lemon-Aide from Cyber Lemons

At the end of the day, though, the whole “DPRK DID IT!” thing seems more to me like people just jumping to conclusions over keyboard and language settings, which is pretty ill-thought-out and full of cognitive bias. I had one creeping thought, though, since the Variety piece, and that was how a PR person might think the scenario could be used to pimp a new film. Just go with this for a bit and let it marinate in your brain. If you were a Sony PR guy/girl and you had a horrible hack after DPRK complained about your new movie, where you kill the premier, wouldn’t you say “Gee, maybe we could at least use this to get people interested in the film!”

Ponder that. I mean.. It’s Hollywood! We have seen some spectacularly bad ideas come out of there more and more over the years! So why not? Make cyber lemon-aide from the hack. Some of you are rolling your eyes I am sure but hey, it’s just as much a valid theory as the whole DPRK hacked Sony dialogue ain’t it? Let’s see the returns on the film when it gets released after all this hoo ha eh?

Time will tell if we ever find out who did this… In the meantime get your popcorn kids!

K.

Written by Krypt3ia

2014/12/04 at 18:15
