(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Equifax and Musicians


Screenshot from Zerohedge


So here’s my thing: it isn’t about the fact that she was a music major and had two degrees in that. What it is really all about is the fact that she had no discernible security experience, before or during her time in the position, that would make her qualified to handle the job. THIS IS THE ISSUE PEOPLE! It is not about her having a degree that has nothing to do with security. So please stop all the 140 character bullshit and get it through your thick heads that even if you have a degree in IT, that does not necessarily make you qualified to handle a job in information security, ok?

Now that the CSO’s and CISO’s LinkedIn pages are redacted you can’t see much of anything, but before they took them down I looked, and neither had the requisite experience that would make me consider them for a position as an executive in charge of ensuring that the security of the company, and more importantly the security of the clients’ data, was in capable hands. Look, let’s face it, you can say that the exec is just there as an advocate or to manage. Trust me though, if they have no experience in the arena, either they listen to their guys in the field and implicitly trust them and advocate, or they are just compliance monkeys of the worst order.

I have lived it and I have seen it throughout my career in security. So please stop all the fuckery about “I have a degree in animal science and woe is me, I am unfit for security!”


Degree or not, you have to have put in the hours of study and actually done the things! If you haven’t, then you are out of your depth and bad things will happen.

Just look at Equifax.


Written by Krypt3ia

2017/09/20 at 15:14


The CYBER Wars


We met in an old, drab, and odd Russian eatery cum bar this year. A matronly Russian woman made us order things from the menu as a young girl sang Russian kulturny songs on a cheap sound system in the back corner. I had come to talk to someone in the IC about “Cyber War” and hoped that our mutual experiences could give me an insight or direction for this post. After sitting with this person for about an hour I had to go, but in that time I had several revelations from our discourse. This post is the culmination of that conversation and my further ruminations about the current state of “cyber warfare”.

Firstly, the conversation that we had was very roundabout, going back to the dawn of the ARPANET and other systems, but all the while with a bent on economics. This kind of threw me for a bit, but I listened further, and within that long and winding road two things became clear from this IC warrior’s career: all cyber war is really information warfare, and all information warfare has an economic component. These things had not really occurred to me in the past, but the revelation made me think differently about all of it. Thinking about the economics easily led to all the Chinese hacking and theft of IP, sure, but on a macro scale all warfare has its economic drivers, right? Someone wants the things you have, or they want to stop you from getting those things to others. So the motivation is always there in some way on a nation state level, and all of the techniques used in information war or hacking can be used to great effect on these problems.

Once I had some time to think about all that I had heard, I started to contemplate everything that had taken place over the last election and what is still happening today. It became clear to me that my convictions on “cyber” war were the same as they always had been, but with some caveats. Primary for me is the notion that “cyber” war is really just information warfare. It is still information warfare even when something is physically caused to blow up or eat itself, like the centrifuges in Natanz back in 2011. Information warfare since then, though, has been escalated with the active measures by the GRU and SVR (KGB) that took place in our last election cycle. Clearly it was information being used to manipulate the populace and their opinions. The hacking, or “cyber” as many like to call it, was just a component, an element of this, and it was the information that was key. The net effect here is that once again I put it to you all: the “cyber” war doesn’t exist, it is all just information war using hacking and code as a force multiplier.

What you all need to worry about now is the use of technology to manipulate, just like the active measures campaign did in 2016. The revelations about Facebook being used by Russia to manipulate public opinion are just one instance, and a more nuanced approach needs to be applied to information warfare henceforth. I see articles every day now asking how we fight this kind of warfare, and honestly I see no easy way to do so. People are easily led, and much more so now that electronic media is so prevalent and so easily manipulated by ad buys, hacks, and open source troll accounts. That people now have their digital bubbles cum echo chambers makes it even worse, with their cognitive dissonance at eleven. Honestly, much of the time lately I feel like Joshua and have decided not to play the game at all and go dark.

Maybe you should too.


Written by Krypt3ia

2017/09/14 at 13:02

Posted in CyberWar



Trawling the darknet as one does, I came across this simple little page this morning. It claims to be the real EQUIFAX hackers, unlike the last darknet site that was soon taken down by morons. I have looked at all the data on the pages (see screen shots below) and have come to the conclusion that whoever this is, they too had access to Equifax. As this is an evolving nightmare I thought it prudent to do a quick write up on this site and let you all know. These actors are offering a crowd source solution for the whole database for the same amount as the fake site the other day (600btc), but are also offering single records, as well as 1,000,000 entries for 4 bitcoins or 56 ETC for the same number of records.

This time the actors actually give you samples, a taste, as they say on the street as bona fides…


These samples are what make me think that this actor had access. I know for a fact that, as the ongoing arguments take place online over what the compromise consisted of (what attack worked), I personally saw a tweet from an alleged Russian actor claiming to have shell access on one of their servers. This later was proven out to have ADMIN/ADMIN as the login and password, which is just horrid security, or should I say lack thereof? Anyway, you can see above that those records seem legit, as do the screen shots of access to the systems using real internal server names etc.

An onion scan of the site turns up no real vulnerabilities…

The bitcoin wallet shows no activity as yet.


In the process of watching this, a change has been made to a small point of data that leads me to believe that this is a fake. Someone pointed out that the data for Bill Gates’ address was incorrect. Since then it has changed…

Oopsies… State : WA




A new story has surfaced online that makes the claim that the site creators have access to Equifax, and there are other screen shots. I am still concerned with the changes to the data seen here, but for what it’s worth here’s the link to the story.

Written by Krypt3ia

2017/09/14 at 11:38

Posted in Uncategorized

Voicemail Phish: Cerber Ransomware


Yesterday a new phish went around in an email ostensibly concerning a voicemail that the user was to collect. The hyperlink, though, led to a .js file on a PHP site that then downloaded Cerber/Locky ransomware onto unsuspecting users. In the case of the org I had hands on with, the email was a spoof that purported to come from an inside system and thus bypassed some protections they had. After the email went wide and was picked up on, I began the reversal and the tracking of the C2’s etc. This post is the post mortem of all my research on the malware and the infrastructure used to send it as well as to infect systems. I have seen others out on Twitter talking about this campaign, so I thought I would expand outside of the malware events I had direct access to and did some ancillary searches. These searches led me to other campaigns within the same grouping but using a few other C2’s etc.


Obfuscated .js file

Onion site used for the bitcoin ransom (as of yesterday, 0 coins in the wallet)

Searches in Google for remnants in the malware that show other iterations by the same actors

Basically the conclusion is that the campaign is by an actor that has been at it since at least 2016. Searching on snippets from the reverse of the malware and the obfuscated .js file gives one a picture of activity by the same folks. The darknet site also shows that it has been around since February 2017, but when you start looking at analogous malware samples with the same characteristics, the picture emerges of the same malware, or the same coder/user, adding certain characteristics (callouts and infrastructure) that lead to a single actor or group. This included infrastructure that did not work and mistakes by the campaign’s actors that in some cases caused the malware not to work.

All in all nothing too exciting, but it was prolific enough that I thought people might want a fuller accounting of malware files and C2’s to put into their respective protection schemes.

Have fun!



Reversals: EXE euskull.exe .js file .js file .js file

URL IN STRINGS COMMON: torproje_.or9


C2’s and Hashes:
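To turn an indicator dump like the one above into something a protection scheme can actually use, the defanging has to be undone first. The script below is an added example, not code from the post: it refangs the post’s conventions (“hxxp://”, the “hxxtp://” typo, and the space before the TLD), pulls out SHA256 hashes, URLs and domains, and runs constructed proxy log lines against the result. All indicator values and log lines are made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the defanged style the post's list uses ("hxxp://", a
# space before the TLD, SHA256 hashes inline). Every value below is made up
# for this example; none is a real indicator.
SAMPLE_IOC_TEXT = """
C2s and Hashes: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
hxxp://bad-driving-school. example/876tYU6tg8e hxxp://bad-driving-school. example/voice.html
hxxtp://culture-blog. example/ixixuak.exe mail.bad-driving-school. example
"""

# Constructed proxy log lines (timestamp, client, method, URL, status).
PROXY_LOG = [
    "2017-09-06T09:12:01Z 10.0.3.44 GET http://bad-driving-school.example/voice.html 200",
    "2017-09-06T09:12:03Z 10.0.3.44 GET http://culture-blog.example/ixixuak.exe 200",
    "2017-09-06T09:15:10Z 10.0.3.51 GET http://intranet.corp.example/mail/inbox 200",
]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
# A bare hostname token such as "mail.foo.example" (after refanging).
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(text):
    """Undo the post's defanging: 'hxxp://' (and the 'hxxtp://' typo) -> 'http://',
    and close the 'host. tld' gap so each indicator is one token again."""
    text = re.sub(r"\bhxxt?p(s?)://", r"http\1://", text)
    return re.sub(r"\.\s+(?=[a-z]{2,}(?:[/\s]|$))", ".", text)


def parse_iocs(text):
    """Split a free-form indicator dump into hashes, URLs and domains."""
    text = refang(text)
    hashes = {h.lower() for h in HASH_RE.findall(text)}
    urls = set(URL_RE.findall(text))
    domains = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    for token in text.split():          # bare hosts listed without a scheme
        if HOST_RE.match(token):
            domains.add(token.lower())
    return {"hashes": hashes, "urls": urls, "domains": domains}


def is_known_bad_hash(sha256, iocs):
    """Case-insensitive lookup of a file hash against the parsed list."""
    return sha256.lower() in iocs["hashes"]


def scan_proxy_log(lines, iocs):
    """Return (line_index, host) for every log line whose URL host is an IOC domain."""
    hits = []
    for i, line in enumerate(lines):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in iocs["domains"]:
                hits.append((i, host))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOC_TEXT)
    print(sorted(iocs["domains"]))
    print(scan_proxy_log(PROXY_LOG, iocs))
```

Matching on the URL host rather than the full path catches the same C2 even when the actor rotates the file name, which is exactly the behaviour the post observes across campaigns.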

Written by Krypt3ia

2017/09/07 at 17:44

Posted in Malware

Extortion Phishing: So, closer to the point. You surfed the internet with роrn, which I’ve placed with the virus…


A series of extortion emails have gone out this last month that caught my eye. The phish are simple, straightforward attempts at extorting users by claiming they had been hacked and watched surfing porn. The phishers then demand that the user pay a certain amount of bitcoin to them and all their trouble will go away. Basically it is the equivalent of the old “Say, that’s a nice family you have there, it’d be a shame if something happened to it” routine familiar to anyone who has seen a mafia movie. I had a user get one, and so I began the usual looking around to see if more came in and what the deal was with it. Once I began Googling key words and phrases, I saw that this had been making the rounds since at least August 14th and that this last round had actually made some money for the extortionists.

I then began the usual OSINT on the domain that the emails came from, after collecting as much info as I could from Reddit and other places where people had mentioned the extortion attempts. What I came up with is an arcology of malware and phishing that seems to tie back to one individual in Ukraine who may be the nexus of it all. Before I go down the OSINT rabbit hole though, I just want to take a moment to consider this threat and the psychology of it. One might think that if you got this email you would just laugh it off and then trash it. Some people though had guilty minds, or had in fact been surfing “the porn” (as we all do, mind you; come on, you all do and you know it!), so they got worried and they actually paid this guy off to make it all go away, and this is interesting to me. Do those who paid really think that an extortionist, once successful at getting them to pay, will just walk away after such an easy exploit?

*shakes head*

You fools…

Anywho, it seems that even a non exploit exploit of just threatening a user with “I am gonna email all your contacts with your pron habits” can work and potentially give the attacker some pin money at least. So I tracked the emails and the IPs that these came from to Ukraine. Specifically, to a subnet of systems owned by one guy: Roman Shurbarev.


Received: from ( [])

As you can see there are porn like sites in there…
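Tracing a phish back to the sending IP means walking the Received chain and stopping at the hop your own mail server wrote. The script below is an added example, not part of the post: it parses a constructed message modelled on the extortion email, finds the hand-off hop (the IP that actually connected to one of our servers), and keeps the lower, externally written hops separate because those can be fabricated. Host names, the OWN_HOSTS set and the RFC 5737 addresses are all assumptions made up for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw message modelled on the extortion phish. The Received chain
# reads top (our mail server) to bottom (the claimed sender). Hosts are made
# up and the IPs are documentation ranges (RFC 5737).
RAW_PHISH = """\
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
\tby mail.corp.example with ESMTP id abc123; Thu, 31 Aug 2017 09:01:02 +0000
Received: from relay.bulkmailer.example (relay.bulkmailer.example [198.51.100.7])
\tby mx1.corp.example with ESMTP; Thu, 31 Aug 2017 09:01:01 +0000
Received: from [203.0.113.66] (unknown [203.0.113.66])
\tby relay.bulkmailer.example with SMTP; Thu, 31 Aug 2017 09:00:58 +0000
From: "Support" <admin@yourprovider.example>
To: victim@corp.example
Subject: You surfed the internet with porn

I placed a virus on the porn site you visited. Pay in bitcoin or your contacts get the video.
"""

# Mail hosts we operate (assumed); only Received lines written "by" these are trusted.
OWN_HOSTS = {"mail.corp.example", "mx1.corp.example"}

HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the Received hops top-down as dicts with from_host, from_ip, by_host."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold the header
        m = HOP_RE.search(line)
        if not m:
            continue
        from_host, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(comment) or IP_RE.search(from_host)
        hops.append({"from_host": from_host.strip("[]"),
                     "from_ip": ip.group(1) if ip else None,
                     "by_host": by_host})
    return hops


def trust_boundary(hops, own_hosts=OWN_HOSTS):
    """First hop, top-down, that one of our servers accepted from an outside host.
    Its from_ip is the address that really connected to us; every hop below it
    was written by someone else's server and may be fabricated."""
    for hop in hops:
        if hop["by_host"] in own_hosts and hop["from_host"] not in own_hosts:
            return hop
    return None


def analyze(raw, own_hosts=OWN_HOSTS):
    """Summarise where the mail really came from versus what it claims."""
    hops = parse_received(raw)
    boundary = trust_boundary(hops, own_hosts)
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return {
        "handoff_host": boundary["from_host"] if boundary else None,
        "handoff_ip": boundary["from_ip"] if boundary else None,
        "claimed_origin_ip": hops[-1]["from_ip"] if hops else None,
        "from_domain": addr.rpartition("@")[2],
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_PHISH).items():
        print(f"{key}: {value}")
```

The hand-off IP is the one worth feeding into WHOIS and reverse DNS; the bottom hop and the From domain are only claims made by the sender’s side.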

The domain owner owns not only the domain in question, which was set up as a mailer for these phish, but also a string of other domains connected to other malware and phish sites and activities that include, wait for it… Wait… Ransomware! Yup, this guy has it all goin on! Now, when I started poking at the system that this all came from, I ran an Nmap and the shit is tight: there were no open ports and the firewall was filtering everything, so I kinda doubt that this guy has been popped and is being used as a relay for these. So I went on to profile all his domains and got the following malware connections:



So yeah, this guy has many bad connections but nothing directly connected to his domains themselves that I could see, at least in the sense that they were hosting the malware or being used as a C2. Now though I would like to talk about the money. These poor fools who actually paid this scammer have netted him about .28794615 Bitcoins, which is about 80516.75 Rubles or $1,375.29 dollars as of yesterday when I looked. The money has been moved around a lot from the series of wallets used in this extortion scheme:

13HSMufjTvzGJKoHdSQsLiJbsPcQcVMf4K <— 7 transactions




It ain’t Wannacry money but it would buy some shit in Ukraine I guess. There has been some movement of money around, so I am wondering if they are trying to mixmaster or what. I did not go down that rabbit hole, so if you all want to, go right ahead. As for me, I thought that this post should be put out there for others to see the actor, the act, and maybe as a PSA to put a stop to it. So, here are the other variations on the theme. The emails all pretty much say the same thing, with some variations on “I see you have been surfing porn because I infected your machine with porn!”, and ask for the money:

So there you have it. You don’t have to be anyone special, you don’t have to be 1337 to scam people with an email…

Yay internet!


Written by Krypt3ia

2017/09/01 at 11:51

Posted in Extortion, Phishing

Inspire 17 Train Derail Operations



Inspire is back trying to “inspire” the jihadis after a forced hiatus after many of the AQAP magazine’s creators got whacked by some raptor hellfire missiles. The latest installment is a call for would be “lone wolves” in the USA to take up arms against our trains, it seems. As usual from Inspire we have the normal calls to jihad, using their interpretations of the Koran to push the agenda of radical terrorism. The long winded screeds on the rationalization of killing civilians are just that, long winded, and overall do not conform to anything but their own desires to kill and maim anyone who does not believe as they do. Honestly, I think if Saladin came back from the dead and saw this shit he would be bitch slapping them all the way back to Medina, but here we are today again dealing with AQAP and AQ as Da’esh’s alleged caliphate crumbles and the movement dies a slow death.

To be honest, the actions of those who claimed to be with Da’esh here in the States were to me just those of mentally unstable persons who needed an outlet to feel important and not impotent, so they went on rampages. Da’esh has never had the reach in the States that they seem to have had for a brief time in Europe, but now they are marginalized enough to say that they are not a serious mass casualty threat in the way that AQ and AQAP still are. As terrorist groups go, AQ and its subs have a far better grasp of OPSEC and operations, as well as money and capabilities, that we should still be worrying about. With this issue of Inspire not only do we see that they have re-constituted their graphics department but also that they see the power vacuum that is taking place as Da’esh declines and becomes more marginalized.

Not only are they seeing their opportunity, they are also kind of calling out Da’esh in this issue for stealing their ideas, down to the fact that Da’esh whole cloth plagiarized their magazine format and ideas for their own with the Dabiq knockoffs they pimped over the years. It is amusing to watch as AQAP calls out Da’esh with the graphic above and chides them over failed operations, as well as calling into doubt the operators’ choices, like that of Sideeq (Orlando) for going after only “one” group. Basically they spent some time on the graphic to slap Zarqawi’s monsters for their lack of righteousness and operational planning. All in all it is just a slap fight between the overly pedantic AQ org with Ayman as their leader and Da’esh, with their Schrodinger’s Imam Baghdadi. The problem is that the precepts of both of their movements are advocating this open source jihad that AQAP invented, something that is now even being used by the white supremacists in actions like those in Charlottesville VA this last weekend.

This is the new old problem that we have always been facing but never seem to be able to grapple with or stop. These magazines are passed around online and end up in many places for anyone to grab. I got this one from <REDACTED> when it came out over the weekend but seriously, the genie is out of the bottle with this stuff. With this latest iteration though, AQAP has given a lot of thought to honing their exhortations to open source jihad with a simple yet effective attack and vector: trains. The choice of trains is kind of a change for the AQ set, in that for the most part they have in the past advocated going directly for people and places where they congregate. Now, with train attacks, they can maximize damage and buzz with events that could cause not only deaths but mass deaths, as well as huge news coverage.

Train attacks always remind me of T.E. Lawrence and the attacks he and the Arabs carried out on Turkish trains in WWI. These actions really did help stop Turkey from retaining power in the region during the war, using asymmetric destruction of trains and tracks to damage or halt the supply chain for the Turks. In this modern scheme put forth by AQAP, they have moved the bar lower in many ways by not calling on their lone wolves to create and use explosives so much as to use a tool to derail the trains, in hopes of a 1970’s car flip explosion kind of thing. I have to say though, were they able to carry off the attack that they direct their followers to perform, it could be rather messy depending on the train and its load.

The device the OSJ is proposing is a tool that the railroads have themselves but may be harder to acquire, so these guys have plans to make your own in your mom’s kitchen (old joke). Anyway, the device is called a derailer, a simple piece of metal that attaches to the tracks. Its function is simple enough: it raises and diverts the wheels off the track and boom, derailment. This has been used as a stopgap for runaway trains I hear, and for other functions that I do not care to go Google up right now. In this case though the Inspire folks want their minions to use it to derail trains off of high cliffs or into buildings, from what they allude to in the magazine. Of course their solution to making one seems a bit too low tek DIY and might just smash into bits as the train hits it, from what I am looking at.

I will not go into detail on the fabrication of the device they present to the lone wolves, but suffice to say that I believe the odds of success with this thing are low. Perhaps if they had access to a serious 3D printer and some strong plastic, maybe, but not with what they have laid out in this issue. However, I could be wrong, and others out there may do their own mods to the fabrication process to make something more sturdy. If the thing works then it could be problematic and we could see some derailments come to pass. So yeah, the tech may work, and the magazine spends some more time after the fabrication phase on the planning and carrying out of the attack phase, with targeting advice that includes quite a bit of open sourced information on the railroads in the USA.

Recently at BlackHat, Kodor and I talked about OSINT being used to attack infrastructure by targeting leaked documentation and information. Well, it seems that the Inspire folks have the same idea here. In laying out the attack scenarios they give up some key points on the railroads, their weak spots, and the collateral damage from various scenarios of attack using the derailer. They also allude (as you can see from the picture above) that the attack is easier to hide and harder to detect if done properly. Honestly I think that last bit will be easy to see; I mean, are they expected to run into the derailment and grab their tool back? One would assume too that unless you do a real job of it, one would leave forensically viable evidence in the device, so it could be tracked back to the culprit(s).

Frankly, I should think that DHS and other groups have a copy of this open on their desktops right about now and are working up some TLP’s for the railroads and authorities. I hope that is the case, because this one is easy enough for the usual lone wolf jihobbyist to try at home without blowing themselves up and without much effort. The question for me now is where will these guys try this? The exhortations are to do so with the most flare to cause the most fear. Honestly, if they wanted to just be a pain in the ass and mess with the supply chain, they could go out anywhere in the wilds where tracks are and pull this off. I guess time will tell, but a recent link sent to me at least has this idea in the forefront of the minds of the security wonks for railroads.

Let’s hope they take this issue of Inspire’s scenarios as seriously.


Written by Krypt3ia

2017/08/15 at 16:52

Posted in AQ, AQAP, Inspire

Flash Drives for Freedom


At Defcon the one highlight of the con for me was seeing Flashdrives for Freedom with a booth in the vendor area. If you have not heard of them before, they are a group that is infiltrating news, movies, and messages into the hermit kingdom by passing USBs from China over the river. Information reaching the general populace in the DPRK is a fundamental means of attempting to bring some freedom, at least of information and thought, to the North Korean populace, who only have the propaganda machine of Un constantly pressuring them into utter compliance.

Some of you may be asking yourselves, “Wait, they have computers that can use USB?” The answer to that is yes, some do, but many more have phones that can take USB (many Asian phones have USB ports as well as micro USB), in addition to media players that can handle USB and play videos of varying types. So yes, if you send a drive, these people can then turn that into a means of getting real news and information from the free world to North Korea. If we can get more USBs to Flashdrives for Freedom, that means more data can be infiltrated, which in turn means that more people in the North can get the truth.

In turn, if more people have a feed of information then perhaps more of them can pass that along to others there… And if more people pass that on… Well, maybe some change can happen there, right? At the very least, given everything that is happening RIGHT NOW, would it not make more sense to get as much information to the North Koreans as we can? So please, go through your junk drawers and pull out all those old USB sticks and micro drives and send them to Flashdrives for Freedom by going to their page and following the instructions there.

I know you wanna.

If for no other reason than to poke ol’ Un in the eye right?

Go on… Empty that drawer of USBs.

Dr. K.

Written by Krypt3ia

2017/08/09 at 12:57

Posted in PSA