Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Shadow Brokers: Scylla Hacking Store


Welp, I found the darknet site for the ShadowBrokers new monthly dumps service this morning. The site’s proper name according to the masthead is Scylla Hacking Store, which if you Google up Scylla Hacking you locate a tool and a preso by two Colombians from DC20 called “Scylla, because there is no patch for human stupidity”, which makes me wonder if this site name is a double entendre on perhaps the tool being used to hack the NSA as well as the cut line of “There is no patch for human stupidity”, which implies that it was something really stupid that led to this compromise of the NSA. Of course that is all supposition on my part but the more I look at this site and the attitudes of the Shadow Brokers I tend to think I am onto something there, I mean, they aren’t that subtle right?

The site requires you to create a login and uses the proper security protocols as passwords go, BUT, as you are on the darknet the one thing that makes you think is that they require Java to do business with the site and that is a no-no in the darkwebs. So I temporarily allowed the site and created an account so I could have a look around. The site has more than a few sections selling their wares and those include now APT exploits not only from the US but it seems from other countries and actors like Cozy Bear, using the Crowdstrike terminology for Russian actors. They have the old favorites too from FuzzBunch payloads and sources as well as DoS tools and other goodies for sale, so it seems we are now seeing all the things they have that may or may not have come from their hacking of the NSA?

When you create an account the site generates a bitcoin wallet for you and then you have to transfer funds to it for transactions, it is literally their wallet and you are gaining points or credits to buy the exploits you want. I checked the wallet and there is in fact a zero balance so perhaps they are generating them on the fly or this wallet is in use by the brokers as the sole one? In any case, they have come through as promised before that they would create the dumps service and now they are using the bitcoin once again as their means to an end.

Overall it seems that whoever is behind this not only has NSA’s trove but also a bunch of other exploits, tools, 0day, etc. They are in the market for making money this time and they are carrying it all out in the darknet.

So, is this Russia or is this DPRK?

Who needs money?

I know a guy…

Maybe….

Honestly though, for the longest time this group has to me, seemed to be GRU/FSB fuckery but now with this whole money making scheme I am not so sure anymore. Of course it could be RU just fucking with everyone and making it look like maybe it is ol’ Un. I mean with the fake written Asian dialect it is easy to see that someone is trying to make it look like it’s Lil Kim and his Funky Bunch …Meh, it’s all just games anyway. We live in interesting times though. I guess I should just now look forward to another group of hackers to try to crowd source funds to send them the bitcoins for these sploits huh?

Derp.

K.

Written by Krypt3ia

2017/06/22 at 14:25

Posted in Shadowbrokers

Asymmetric Propaganda Warfare & Network Warfare


Why is it that the military just can’t grasp that on the net you can’t just use a sledge hammer to make things go away? It seems they finally have gotten a taste of reality in the war against Da’esh with their cyber weaponry hitting their targets only for the Da’eshbags to re-constitute from backups and new domains bought cheaply. I for one have been saying that it is pointless to just DoS them offline or fuck with them in hopes they would go away for many a year, guess now they might get it after their failures.

Ya see kids, it is not about big cyber booms and these guys go away and unless you are using some super software that pops GPS coords into a Raptor’s telemetry and launches a Hellfire, you are pretty much gonna be shit outta luck in making a big difference here. Now the prosecution of the war itself may benefit from such tools (if they exist) but when you see things like the text from the NYT’s article you see that even the administration just fundamentally did not get it. The NSA is a SPY agency and that is their charter, so asking them to dismantle portable networks that are easily re-constituted with new off the shelf hardware and software bespeaks a fundamental lack of understanding about the technology.

So here’s my advice to all you cyber warriors; Use the technologies that SPIES use to gather intelligence and then pass that intel to the HUMINT folks. Hell, for that matter have a two way connection here and use the tech to watch them, interact with them, and then use the information to make kinetic retaliation possible. You know what made AQAP’s propaganda machine slow down? It was when we blew their propaganda team off the face of the earth. In essence kill them. End them. Use the technology to get at them and end them. Stop it with all this whiz bang idiocy thinking you can take them offline and have them not come back in a day or so with a backed up copy of their shitty jihadi boards.

Just one man’s opinion, but you don’t need a sledge hammer to put a thumb tack in the wall.

There are no quick fixes here.

Just sayin.

K.

Written by Krypt3ia

2017/06/15 at 18:08

Posted in Uncategorized

Reality: Spearphishing Campaigns and Election Systems


So Bloomberg has a story out today concerning allegations that the hack on the election was larger than first admitted to by authorities and the leak of a document by Reality Winner. This of course started the Twitterati to start making noises and got me to thinking about the whole thing. People have been asking about whether or not the hack was successful and to what end would the hacks be if they were successful or not. I myself have held the idea that the success or failure of the hacks isn’t as important as the notion that the systems had been tainted by hacking or manipulation. As you all may remember there were news stories of how the hackers attacked the systems before the elections before Reality dropped her document on the Intercept and then promptly went to jail for her stellarly bad OPSEC. Those stories seem to have been largely forgotten by the general populace but not so much with the IC given the snips of the document given to the Intercept. The snips show how the adversaries used common phishing exploits to “spearphish” the users at particular companies in a credential harvesting operation. Once I really took a close look at these though I began to question some things and thought maybe you all should too.

Why doesn’t the NSA know whether or not the attacks were successful?

So yeah, why doesn’t the NSA know whether or not things worked for the adversaries attacking these systems? Were there no forensics? Were the NSA not allowed to see anything? One begins to wonder why all this is in the report marked TS and such. Of course something in the markings also says “To US” so would this imply that the data came from FIVEEYE to the US? Once you begin to ponder all these things you start down the dark path of the game of shadows and we don’t need that. All of this said though, once again, the document here is showing only that they know attacks happened but they have no evidence of the attacks working and to what extent.

Why is that?

Where are the C2’s and other IOC’s?

Given that we don’t have the information on whether or not these attacks worked, then I guess it is a foregone conclusion to ask for, ya know, evidence right? Well I am gonna ask anyway, where is the evidence of the attacks other than the email address given in the report? No C2’s no infrastructures outlined. Are they in another compartment somewhere? In fact Reality had made mention of another document in her jailhouse tapes so are these bits in there? Without these one cannot conclude much of anything as to the adversary we are dealing with. After all, you all in the business know that these kinds of phishing attacks are quite common. How many of you blue team folks who read me have seen these same kinds of Google Drive/WP/PHP sites that harvest creds then pass you to the site you wanted?

This is not advanced

This is not uncommon

This is not a lock on any adversary in particular

Yet here they are saying it was the GRU… Why? What other evidence do they have? HUMINT? SIGINT? None of this is mentioned in what we have been given by the Intercept.

Why is this all marked TS if there is no real sources and methods here to burn?

Back to the whole TS/FVEY/ORCON alphabet soup, why is this being held so closely? Now, I have my own particular bent here that I have written about in the past which goes something like this;

  • We don’t want to admit the hacks happened because if we did it would cast doubt on the election
  • If we admit they happened people will doubt the system and it will erode the democracy
  • If we admit they happened AND they actually got in and they manipulated the system… Well… HOLY SHIT there goes the election system and the democracy
  • If we admit it happened and it worked then how much trust would there be in the government anymore?

In fact in articles circulating today, and I think it was in the Bloomberg piece, the case was made by President Obama that they would not want to admit to a hack for these very reasons…

So, there is that huh? If the scope of the hack is proven then it will in fact have the effects above and it would give Putin the satisfaction that his goals of active measures are still bearing him smelly fruit. I can then see them wanting to keep all of this stuff super secret couldn’t you? I guess Reality, though an idiot, perhaps had the same feeling and decided to do this in some warped view on trying to get rid of the current president. Another reason may be, and this is a tenuous one, that all of this is now part of the investigation into Russian meddling that the Congress is carrying out. I doubt that is the reason though. I really think it is just the IC being the IC and that the government has a reason to keep this all secret because it would erode things further where the government and our system of elections are concerned.

GRU or Patriot Hackers? (A Team versus B Team)

Alrighty, now we get on to the whole whodunnit thing. The documents sure do say that it is the GRU but like I said they don’t give you enough proof to do anything in a court of law for sure. While I was pondering this I had a flash on what Pooty said recently about “patriot hackers” and how the NSA document here alludes to clunky attacks. Like I said above, these phishing exploits are not uncommon. I see these every god damned day so it is really a measure of how well they were put together and whether or not escalation and pivoting happened to show another kind of actor here. Oh, and yeah, that information is conveniently not in the report here and once again, the NSA does not know if the attacks succeeded.

Think about that.

Then they go on to say it was Russia.

Ok, so maybe, just maybe it was Russia but it was the patriotic hacker B team eh? What if Pooty was telling a truth there and we all just scoffed and moved on? Given what the documents say I can see that maybe some talented amateurs or a B team decided to carry out a moonlighting operation to amplify things. Hey crazier things have happened right? What I am saying is open your minds to the idea that this was not the GRU but other actors like cyber patriots who may have gotten in but then failed to really do damage to the systems.

Maybe.

Without ya know like evidence though… Meep Meep.

Conclusion:

Welp, the cat is out of the bag NSA. It’s time to fess up. I think you and the government need to start producing evidence, forensic evidence, or GTFO. If the election data was hacked and manipulated then let us all know and then FUCKING FIX THE SYSTEMS AND MAKE THEM CRITICAL FUCKING INFRASTRUCTURE!

Dr. K.

Written by Krypt3ia

2017/06/13 at 16:31

WANNACRY: PATIENT ZERO AND MALWARE EPIDEMIOLOGY


Continuing on the hot topic of the month I had some thoughts about WannaCry’s infection vector and heat maps that I have been seeing all over the place. I wanted to see who patient zero may be and having played many a game of Pandemic, I thought maybe this approach might yield something of use. In looking online I found only two heat maps that give a timeline that shows what may be patient zero’s location(s) but in doing this research I came to the conclusion that this may be impossible without the help of all of the AV vendors out there. When trying to ascertain who may be patient and country zero for this malware it becomes apparent that you have to rely on various vendors who may or may not have seen the malware with their products. So far I have Malwarebytes’ timeline and Symantec’s. Now, given that Symantec has a larger market share I will go with them for the base assessment of patient zero on Wannacry but if the other vendors want to kick in and give a timeline for each of their products seeing infections I would welcome the data.

Since Wannacry traversed the net via SMB attacks (ETERNALBLUE and DOUBLEPULSAR) it may be possible to see just who was infected first and just maybe, get a lock on where that SMB connection came from. This might help the investigations into who did this at least nominally because one would assume the adversary used a proxy box or some other obfuscation to launch the initial attack… Unless, they are inept n00bs that is, so maybe something could come of this line of investigation. Anyway, the best timeline(s) I saw were Malwarebytes and Symantec as I said above. Here are the findings of those two companies’ telemetry:

Malwarebytes has the first infection in Russia.

Symantec sees the first infection vector in Thailand.

Which is correct? Are either of them right? I am not able to be sure but, given at least the market share of Symantec both legally and illegally, I would be looking to Thailand as the potential patient zero here. Now, in talking to people on Twitter about this someone (@Tinkersec) notes that there is IP space in Thailand that starts with 1.0.128.0-1.0.255.255 and 1.1.128.0-1.1.255.255, so there is the possibility according to his theory, that a scripted scan looking for 445 open on the internet could have just hit on those addresses because the script started scanning at say 1.1.1.1 (or 0.0.0.0) to 255.255.255.255, which I can grok. Either way, if Thailand was patient zero, that IP space is Thailand Chiang Rai TOT Public Company Limited, a telco in Thailand.

This line of thought is quite possible and I like it (thanks Tink!); it would explain the rando Thailand hit as the first infections started to show up. Now, how though would this work if not for some scripted mass-scan? Well, someone would either have to be phished on a very small targeted scale to start this or the malware was physically implanted in a network and set free. So far I am not seeing too much talk about how this thing all started so I would like to put all this out there as a possible explanation as to the how. I am not aiming at the who because right now it is a festival of attribution out there and my opinion of that is low. The how is more important and in fact could lead to the who if the gumshoe work is done properly.

Still, I would like more data… Anyone from said AV vendors care to speak up?

K.

EDIT: Someone just mentioned passive DNS too on the killswitch site. Say, anyone in the DNS world wanna stop talking about Trump’s servers and weigh in on Wannacry telemetry?

Written by Krypt3ia

2017/05/24 at 12:48

Posted in EPIDEMIOLOGY, Malware

ATTRIBUTION GAMES: LAZARUS, SHADOWBROKERS, BLOFELD.


The Game:

I figured since everyone else is playing the ATTRIBUTION GAMES over Wannacrypt0r that I would get in on the action and give it my own personal spin. The big difference here is that I am not selling any of you anything so if you read this post it is all about not buying my shiny new machine learning, next gen machine that goes PING! Nope, I just thought I would put a few words down to stop the insanity so to speak that I already see in the eyes of those $VENDORs out there about to hit SEND on their latest salvo of shenanigans concerning the Wannacry event of last week.

That’s right, I am already calling shenanigans!

Right so this game here is a red team on the idea that Wannacry was either an APT Nation State actor (either LAZ or SHADOW) or a criminal gang who will be represented by Ernst Stavro Blofeld. Once this is all said and done I hope that some sanity will ensue and more to the point, some elaborate death will be planned out, set into motion, and then foiled by James Bond…

Wait… what?

Let’s begin… DOMINATION OF THE WORLD….. Let’s just list the indicators and possible motivations all kinds of bulletized shall we?

THE LAZARUS GROUP (UNIT 180):

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS”
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 180 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

SHADOWBROKERS (GRU):

  • SHADOWBROKERS made no money on their auction and posted a long pissy diatribe about it after the incident reached critical media frenzy
  • SHADOWBROKERS had the code already and then needed to CRIB some of the ETERNALBLUE/FUZZBUNCH NSA code ganked from RiskSense because they lack the ability to make the shit work themselves… Which they then re-coded in C…  Huh?
  • SHADOWBROKERS want to just sow mayhem with WANNACRY and continue the massive schadenfreude that the NSA is feeling from their theft (*cough MOLE HUNT cough*) but once again, they had to STEAL that code snippet to make it work… Or, is that just another poke at the US? A diversion? A red herring so to speak? Hmmmm….
  • SHADOWBROKERS re-used or re-purposed old malware WANNACRYPT0R and threw in some code snippets from LAZARUS GROUP TTP’s to muddy the waters and have EVERYONE pointing their collective fingers at the Hermit Nation because WHY THE FUCK NOT HUH!? This would sow more FUD and gee, isn’t that the playbook chapter like 3 in ACTIVE MEASURES komrade?

ERNST STAVRO BLOFELD:

  • ERNST has a well known volcano lair and upkeep is rather steep in this global market so ransomware is the way to go baby!
  • ERNST is a Devil may care kind of guy and wants to sprinkle clues for both RUSSIAN and DPRK actors here to cause all kinds of mayhem while he sits and strokes his cat while the bitcoins amass.
  • ERNST is a gangster and his coders, well, sometimes they suck so they stole the ETERNALBLUE snippets but then they couldn’t make that work UNTIL they coded it all in C so.. yeah..
  • ERNST is a nihilist at heart so he just slapped this shit together and then made sure that there was a killswitch in there as a safety valve, I mean, look at how many times he tried to kill Bond but always missed by that much!

Well there you have it. I have gamed it all out for you. Who do you think dunnit? If you look at all of these players and their motivations along with the superior threat intel evidence we have out there that the attribution firms are selling…

OBVIOUSLY IT’S ALL OF THEM! THEY ARE WORKING TOGETHER PEOPLE! IT’S THE NEW SPECTRE! CAN’T YOU ALL SEE THAT WITH THE PLETHORA OF EVIDENCE WE HAVE! COME ON!

*breathe…..**

Ok ok ok… See what I did there? I am making a point with humor.

IT DOESN’T FUCKING MATTER WHO DID IT!

PATCH YOUR SHIT.

DO THE THINGS.

STOP.

Dr. K.

Written by Krypt3ia

2017/05/23 at 20:04

Posted in ATTRIBUTION, Cyber

WannaCrypt0r Roundup


So last weekend and this week have been fun times in INFOSEC am I right or am I right? When Wannacry started making the rounds on Twitter I knew pretty much then and there I just likely lost my weekend to the derp of yet another ransomware distro. Luckily for me though, I forced my org to “do the things” on patching etc where the Shadowbrokers dump was concerned. So at the end of the day we came through the weekend unscathed by WannaCry yay me! However, in looking at the Twitter feed and Hybrid/VT pages I began to worry that soon enough this malware would come at us all not just by worming through the net but also from phish waves. Today was the first day I have seen someone trying to at least possibly send a phish wave using a popped box in Egypt with the WannaCry.exe for download so hang on kids, you may well be seeing this as well and if you have not patched your shit and have old 2003/XP your days may get to be like the end times that others around the globe have had since last Friday.

In the meantime though, I began looking at all the malware C2’s and exploits and noticed a couple things. First off I kept seeing two IP addresses tied to the IPC$ in the binary/memory of the malware. I began to look for these addresses and while I surmised the 192.168 address was an off-the-shelf home router, the other maybe was something else. After some searches I came to the conclusion that this was another non-routable address but that it may belong to an org or another off-the-shelf router of some kind.

With a little more looking I had thought that I had come up with the answer. It was some default IP scheme for a GSM gateway or some internal network somewhere in the world like China (found an F-5 with that scheme) but then I hit upon one last hit that suddenly appeared from a blog post by ZeroSum0X0. The post on Github was 6 days ago and that places it before the malware started to make the rounds. One day before the malware started burning through NHS I think if the reports are right from the news. Now this really has piqued my interest because if this IP and system belong to the blog poster or who they work with, then maybe the exploit was cribbed by the malware cabal to use EternalBlue. The poster (ZeroSum) seems to work for Rapid7 and Rapid7 was working on deploying the code for EternalBlue for Metasploit.

I reached out to ZeroSum on Twitter but nothing back so far. Coincidentally the code for the EternalBlue exploit was deployed this afternoon (as of this writing about an hour ago) to Metasploit. Now, the question I have is about this IP/System call that is in all the malware out there. Was this IP/system in the original binary that was pulled apart by ZeroSum from EternalBlue or was this an internal system that was being used to make the code work in some way? That it is directly in the post and that is a day before the great conflagration, I have to wonder. I would love for someone at R7 or Zero to let me know what the deal is with this. I mean, did someone steal the exploit code from you guys and deploy it after you got it working or, was this in the binary already? This is kind of a keystone to many questions concerning who may have created and deployed this malware as I see it.

The argument goes like this….

  1. The WannaCry campaign was carried out by criminals looking to score big money
  2. The WannaCry campaign was carried out by nation state actors (Lazarus Group/DPRK? Russia?)
  • Well, if it was just a criminal gang then did they reverse the binary and make this thing work? If they did then is that an internal IP that they used and forgot to sanitize from the code?
  • Well, if the nation state actors who potentially stole the exploits in the first place had to steal the actual working exploit from R7 then just how good are these guys anyway? It seems that there have been some other mistakes in coding as well that lead to snafus with the bitcoin wallets as well so…

You see where I am going with this right?

Now, I had said from the beginning that this attack did not feel like it was about the money and the low numbers in the wallets kind of bears that out in my mind. However, there are some inconsistencies here and that IP/System in there makes me wonder some more especially when I see the same string in the code tied to R7’s work that was released today. If the code did in fact get cribbed from ZeroSum and by proxy R7 that does not bode well in the PR department for companies that do this kind of work (metasploit etc pentest tool vendors and creators) does it? It is kind of akin to leaving that hand grenade in front of the toddler right?

So, if R7/ZeroSum could respond to this little factoid it would be great. All of this also may bear some significance on the attempts at attribution that are flying about the news and Twittersphere right now where this attack is concerned. Frankly this all could have been much much worse had the coders thought to make domains that could not possibly be on the internet as kill switches. Kinda like this one I think (see below) that has been making the rounds in Hybrid and VT.

No kill switch and no way to sinkhole it would be a lot more devastating right? Of course the whole thing about the killswitch being there in the first place has a lot of people wondering. Then, there is the whole shadowbrokers foolery with the post last night they made. They are now claiming to have much more and will parse it all out in coming months…

Interesting times…

Ok.. Off to the deck for sun.

K.

UPDATE!

Well, I made some connections and had a chance to DM with someone from R7. For the record ZeroSum does not work for R7 he works for another company but is a contributor to Metasploit. R7 as of yesterday was trying to get a hold of ZeroSum to ask how that IP with IPC$ got in there and where it came from in the first place. As of this writing I have not heard back from them.

Tuesday when I posted this I connected with ZeroSum and he said someone else would email me….

I have no email.

In the interim the page that I located the IPC$ code snippet is no longer there. The page has been redacted. It also turns out that Malware Unicorn made a comment about the malware seeming to have been using Metasploit framework code for deployment of the exploit (DoublePulsar) and has since redacted that page as well…

[Screenshot from 2017-05-18 16-00-52]

So here’s my thing… Was the code snippet taken before the malware was launched and kludged into the wannacry malware to make it work? Was that code taken from the Zerosum git page on the day before or before that and then implemented by the wannacry authors? This would seem to be something logical given the hints I have seen with regard to that IPC$ and non-routable IP address. Was this an IP inside the networks where this code was being tested and perfected?

In essence, did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild?

I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief. No one is saying much of anything other than R7 saying they are looking into it (which I know they are in reality) so I believe them.

So, it’s either this code and the telemetry from it were in an original sample of the malware that maybe ZeroSum had BEFORE the outbreak and was reversing to use to make the git posts and get the metasploit deployment working or this code maybe was cribbed by the malware creators and used to global effect.

Which is it?

Of course all of this also paints a new picture on attribution right? If LAZARUS is the culprit (a theory I do not subscribe to) then why would they hang around this git to grab code? These guys should have had the time to fully reverse this stuff and make it workable for them. It is my opinion either there is EPIC obfuscation going on here to make it look as though it is LAZARUS or that LAZARUS is deliberately trying to look inept and throw investigators off the trail. This information though, if true and can be verified might lead to some more breadcrumbs.

I look forward to some more light on this.

K.

UPDATE II: Response from RiskSense

Response:

The Metasploit module for the EternalBlue vulnerability was developed by community contributors, zerosum0x0 and JennaMagius, security researchers at RiskSense, a provider of proactive cyber risk management solutions. The module was developed to enable security professionals to test their organization’s vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. Nonetheless, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the video from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

Here’s a summary of context and the technical details:

  • On April 27th, JennaMagius created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. That recording was subsequently posted at https://github.com/rapid7/metasploit-framework/issues/8269#issuecomment-297862571. The recording included an IP that was used as a lab target of the original exploits.
  • Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using “2048” for the tree and user IDs, and the server has no idea what the client is talking about.
  • On April 30th, JennaMagius published a script that slightly enhanced that replay by substituting in the server provided TreeIDs and UserIDs. This code was subsequently posted at https://github.com/RiskSense-Ops/MS17-010/commit/9ddfe7e79256a9d386f0b488c38f5048a2dfd083
  • zerosum0x0’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.
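The replay failure RiskSense describes above (a recorded session keeps using TreeID/UserID 2048 while a non-fresh server hands out different IDs) can be turned into a defensive check on SMB1 traffic: flag any client request that uses a UID or TID the server in that stream never issued. This is an added example, not code from the post, from RiskSense or from the Metasploit module; the sessions are constructed inline, header-only, and the parser reads only the fixed SMB1 header fields.

```python
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"
SMB_FLAGS_REPLY = 0x80                        # set on every server reply
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73             # server assigns the UID in its reply
SMB_COM_TREE_CONNECT_ANDX = 0x75              # server assigns the TID in its reply
SMB_COM_NT_TRANSACT = 0xA0
STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016  # multi-round session setup still carries the UID


@dataclass
class SmbHeader:
    command: int
    status: int
    flags: int
    tid: int
    uid: int
    mid: int

    @property
    def is_reply(self) -> bool:
        return bool(self.flags & SMB_FLAGS_REPLY)


def parse_smb_header(payload: bytes) -> SmbHeader:
    """Parse a direct-hosted SMB1 message: 4-byte NetBIOS session header + 32-byte SMB header."""
    if len(payload) < 36:
        raise ValueError("too short for NetBIOS + SMB1 header")
    smb = payload[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]
    flags = smb[9]
    tid, _pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)  # TID, PIDLow, UID, MID
    return SmbHeader(command, status, flags, tid, uid, mid)


def build_smb(command: int, *, reply: bool = False, status: int = STATUS_SUCCESS,
              tid: int = 0, uid: int = 0, mid: int = 0) -> bytes:
    """Build a header-only SMB1 message for the constructed sessions below (no command bodies)."""
    hdr = SMB_MAGIC + bytes([command])
    hdr += struct.pack("<I", status)
    hdr += bytes([SMB_FLAGS_REPLY if reply else 0])     # Flags
    hdr += struct.pack("<HH", 0, 0)                      # Flags2, PIDHigh
    hdr += b"\x00" * 8                                   # SecurityFeatures
    hdr += struct.pack("<H", 0)                          # Reserved
    hdr += struct.pack("<HHHH", tid, 0xFEFF, uid, mid)   # TID, PIDLow, UID, MID
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr   # NetBIOS session header


def audit_stream(messages):
    """messages: [(direction, payload)] for one TCP stream, direction 'c2s' or 's2c'.
    Returns findings for client requests that use a UID or TID this server never issued,
    which is what a recording replayed against a non-fresh host looks like on the wire."""
    issued_uids, issued_tids, findings = set(), set(), []
    for direction, payload in messages:
        h = parse_smb_header(payload)
        if direction == "s2c":
            if h.command == SMB_COM_SESSION_SETUP_ANDX and \
                    h.status in (STATUS_SUCCESS, STATUS_MORE_PROCESSING_REQUIRED):
                issued_uids.add(h.uid)
            elif h.command == SMB_COM_TREE_CONNECT_ANDX and h.status == STATUS_SUCCESS:
                issued_tids.add(h.tid)
            continue
        if h.command in (SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX):
            continue  # nothing has been assigned yet at this point in the dialogue
        if h.uid not in issued_uids:
            findings.append(f"mid {h.mid} cmd 0x{h.command:02x}: client UID {h.uid} never issued by server")
        if h.command != SMB_COM_TREE_CONNECT_ANDX and h.tid not in issued_tids:
            findings.append(f"mid {h.mid} cmd 0x{h.command:02x}: client TID {h.tid} never issued by server")
    return findings


def constructed_session(server_uid: int, server_tid: int, client_uid: int, client_tid: int):
    """Constructed four-exchange SMB1 dialogue (not real capture data)."""
    return [
        ("c2s", build_smb(SMB_COM_NEGOTIATE, mid=1)),
        ("s2c", build_smb(SMB_COM_NEGOTIATE, reply=True, mid=1)),
        ("c2s", build_smb(SMB_COM_SESSION_SETUP_ANDX, mid=2)),
        ("s2c", build_smb(SMB_COM_SESSION_SETUP_ANDX, reply=True, uid=server_uid, mid=2)),
        ("c2s", build_smb(SMB_COM_TREE_CONNECT_ANDX, uid=client_uid, mid=3)),
        ("s2c", build_smb(SMB_COM_TREE_CONNECT_ANDX, reply=True, tid=server_tid, uid=server_uid, mid=3)),
        ("c2s", build_smb(SMB_COM_NT_TRANSACT, tid=client_tid, uid=client_uid, mid=4)),
    ]


def live_session():
    # a genuine client echoes whatever IDs the server handed out
    return constructed_session(2049, 2049, 2049, 2049)


def replayed_session():
    # a recording made on a fresh box baked in 2048; this target hands out 2049 instead
    return constructed_session(2049, 2049, 2048, 2048)


if __name__ == "__main__":
    print("live:", audit_stream(live_session()))
    for finding in audit_stream(replayed_session()):
        print("replay:", finding)
```

Against a freshly booted target that issues 2048 again the replayed and live dialogues are identical and this check stays silent, which is exactly RiskSense's point; the check only catches the far more common non-fresh case.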


Written by Krypt3ia

2017/05/16 at 18:23

Posted in Malware

Blackberry Forward of Emails and Excuses for Firing the FBI Director


Given the events yesterday I am feeling like unburdening a little bit on the subject of the emails being forwarded by Huma Abedin to the laptop at home in the custody of Anthony (Carlos Danger) Weiner. One of the reasons for Comey’s firing ostensibly was about his mis-statements over the emails being sent to the Weiner laptop that he opened the can of worms on and helped lose the election for Hillary (not the only reason people!) as they say. The fact of the matter is now everyone is saying that Huma’s emails were auto backed up and that the term “sending” them is a misnomer in a way because the then director had said she was forwarding them for printing out by Anthony or her at home. Let me stop you all right there and say there is no difference. The intent of forwarding the emails or backing them up to an email address accessed by or directed to that personal laptop is the key here. Someone had to set that up right? It was something that did not evolve by itself and just came into being!

The issue here is the semantics of language and perhaps comprehension of how things work in the cyber. Comey made a mistake in wording but the basis of the argument stands. Why was she forwarding or backing up all data to that laptop or account outside of the government systems appropriate for this series of email? This is the question you all should be asking and once again it was against protocol and yes there were emails in there that later were deemed to contain classified information. This makes it an issue and it was something that needed to be looked at. Now, as to how it was announced, well that is a judgement call on the part of the director and perhaps a bad one. I honestly listened to his testimony and saw both sides of the issue as well and there was no good answer here.

Now though the director has been fired in a most unceremonious way and all of this smells bad with regard to the RussiaGate investigation and abuse of power. Let’s not allow Trump to skew this one thing amongst all the others into a reason for his firing a direct threat to his presidency. The real truth is that Huma was sending email to a non secure site/system and that was the crux of the issue. Director Comey’s description of this incident has little to do, in my opinion, with his summary dismissal of the director.

K.

Written by Krypt3ia

2017/05/10 at 13:05

Posted in .gov, FUCKERY