Archive for July 2014
Unified Threat Intelligence Report
Overall the month of July 2014 has been fraught with new malware campaigns against various entities, and this has been the trend since approximately 2010. Malware today is the pivot point for attacks, and these campaigns are initiated with emails (phishing) as well as other attacks. The Facebook cross-site scripting attack that engages the user to go out of their way to compromise themselves is indicative of where the trend is going and shows how important user education is to malware prevention. As adversaries grow in number and become more sophisticated in their practices (i.e. crimeware taking on more APT-like characteristics), and as domains are re-used between actors, it is increasingly apparent that the front line is not only technologies like SIEM and antivirus but also the end users themselves.
Additionally, as the activities of nation state actors continue, so too do the operations by hacktivists like SEA (Syrian Electronic Army) and countless other individuals and collectives that use the same tactics and tools. Suffice it to say that this is not going away soon and in fact will increase geometrically as various countries become more wired across the globe and allow easy access to the net for these activities. This report is a generalist approach to data that has been in the news cycle within the month of July 2014, deliberately selected to give a melange of stories that should be considered by any CSO, CISO, or others within domains trying to protect their assets. This is not directed data, however, and that is an important part of the intelligence cycle that must be taken into account when reporting to executives. Thus I have placed this report in .odt form on this page for you to download and to add data from your own environment, to use in enlightening your staff as to your own metrics on attacks and other activities that affect you directly.
- One in five businesses have been hit by Advanced Persistent Threats Global Threats
- Anonymous: OP ISRAEL attacks Israel over Gaza
- Russian malware infiltrated the Nasdaq servers in 2010
- Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations
- A critical Android vulnerability lets malware compromise most devices and apps
- Facebook suffers a “self” XSS Attack that tricks users into exploiting themselves
- A look at the Android FBI Lock Malware (Ransomware)
- ‘Operation Emmental’ A malware campaign targeting banks across Europe
- Goodwill is Investigating a Possible theft of credit card data
- Nigerian 419 email scammers shift to malware and hacking
- Malware hidden in Chinese inventory scanners targeted logistics, shipping firms in the US and other places
- Manic malware Mayhem spreads through Linux and FreeBSD webservers on the internet
- China: The Pirpi phishing attacks on 7/21/2014
- China: Hacking attacks on NRC National Research Council (Canada)
- Syria/SEA (Syrian Electronic Army) spreads false Rumors of Israel nuclear Leak on Twitter
A recent study of polled participants showed that one in five businesses have been hit with APT attacks. This means that nation state actors such as China have attempted, and potentially succeeded in, compromising their systems and exfiltrating data. What follows are some stats from the polling:
- Approximately 92 per cent of respondents believe that the use of a social networking site increases the likelihood of a successful APT attack, which could prove a threat to a large proportion of businesses.
- 88 per cent think that ‘bring your own device’ combined with rooting or jailbreaking by the owner makes a successful APT attack more likely.
- Over two thirds of people think that it is only a matter of time before their enterprise is targeted.
- However, despite this, the majority of respondents believe that they are prepared to detect, respond to and stop an APT attack.
- The most common technical control used to protect against these are antivirus and anti-malware, which over 90 percent reported using. This was followed by network technologies such as firewalls, then network segregation.
- Under 30 per cent reported using anti-malware controls on mobile devices.
- Around 96 per cent of the respondents are somewhat familiar with what an APT is, which is more than was reported last year.
- They define an APT as an adversary that “possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objective by using multiple attack vectors”. This could come in a variety of formats, and some suggest that it is geared towards the aim of political espionage.
- “They often use the same attack vectors that traditional threats leverage, but they also leverage different attack methodologies and have different characteristics than traditional threats,” the report said.
- APT attacks are not arcane and solely targeting Defense Base corporations.
- The general consensus is that everyone will eventually be targeted in some way.
- Generally, people do not think that they are properly prepared for these attacks.
- Social media access is a key avenue to compromise.
- AV products are the main defense against APT campaigns, but under 30% have AV on mobile assets.
While APT activities have been in the news, it is still important to note that not everyone knows what an APT is, never mind how they operate. Many still do not consider APT a threat because they have the perception that their environments are not of importance to the Chinese and others. This is a misapprehension that must be corrected. There is always the possibility that your environment may be a target for the data that you hold, or for access you have that leads to another, more sought-after target. It is important that more within the field of security understand how APT works and separate the hype from the reality.
Anonymous announced last month that they would be attacking Israeli systems to protest Israel’s attacks in Gaza and the troubles ongoing in the area. This stemmed from the abduction and beating of youths in the area, which has now blown up into an all-out missile war between Hamas/Palestine and Israel. The hackers managed to deface many government pages as well as leak user names and passwords to systems.
Overall this type of activity is questionable as to its merit for or against war. In the grander scope of things these attacks do not stop the hostilities between parties or ameliorate much else other than the sense of accomplishment on the part of the Anons out there taking part in it all.
The flip side of this is that any successful action against a corporation or government will lead to financial loss as well as perceptions of vulnerability for said company or government systems. This is the essence of asymmetric warfare.
In 2010 the NSA, CIA, FBI, and other agencies learned that the NASDAQ Stock Exchange had been hacked by a Russian individual and malware was placed within their core servers. The malware was a form of logic bomb that could potentially stop trading on Wall Street and thus cause a cascade effect in the global economy.
This incursion into the NASDAQ network shows how one actor can potentially have a mass effect on the local (US) and global economy had his attacks been carried out. The malware was designed to erase data and lock users out of systems. This would have had a detrimental effect not only in downtime but also in confidence in the stock exchange as well as the economy in general. These types of “supply chain” and financial attacks will be on the uptick in the future as adversaries seek global impact from their actions, as will nation state actors like China who foresee these types of attacks as a necessary tool within the 5th domain.
Microsoft moved to take down the NO-IP dynamic DNS service in an effort to short-circuit cybercriminal and APT activities. The service allowed for quick and anonymous creation of dynamic domains that these actors would use as command and control servers for malware. This particular takedown affected a great number of malware systems.
In addition to these, the takedown disrupted many other APT operations, which used NO-IP for their C&C infrastructure. These include:
- Turla/Snake/Uroburos, including Epic
- HackingTeam RCS customers
This takedown shows the ecology of many of the malware campaigns out there today. They tend to use the same C&C infrastructure that crimeware inhabits, and thus at times it can be hard to determine who the actors truly are. In the case of the Flame and MiniFlame servers this action will take out a significant amount of APT activity which may in fact be Israeli in origin. As the actors become more adept at their prosecution of warfare in cyberspace, so too will the disinformation and psychological warfare capabilities and actions increase. As a means of knocking out large swaths of C&C, Microsoft is taking more solid action by taking the systems down as opposed to watching them as others might do. This is an ongoing discussion within the community as to whether it is better to just remove their access rather than watch them and use that information later within intelligence circles.
This attack leverages users’ interest in hacking into “anyone’s” Facebook account. The gist of this attack is fooling the user into pasting code into their browser that then exploits the end user’s own account and allows the attacker access to it.
This exploit works on a premise based in social engineering and psychology. Humans have a penchant for wanting to know unknown things or to be slightly “bad” and thus this attack works. By fooling users into exploiting their own accounts this attack falls more within the social engineering area than anything else.
The majority of Android devices currently in use contain a vulnerability that allows malware to completely hijack installed apps and their data or even the entire device.
The core problem is that Android fails to validate public key infrastructure certificate chains for app digital signatures. According to Google’s documentation, Android applications must be signed in order to be installed on the OS, but the digital certificate used to sign them does not need to be issued by a digital certificate authority.
The analysis of this vulnerability is that no system or hardware should be considered to be absolutely “secure”. The reason for this is not only that there may be inherent flaws in the system’s creation and upkeep but also end user abuses or misconfiguration.
Secondarily, if you run a BYOD program then Android may be more vulnerable to attack than you may have thought previously. Even with software means to protect your data the system itself could be compromised due to the way it was created.
A new ransomware scam has been found in the wild by Sophos. This malware masquerades as a Flash player update/application which then locks your phone and ransoms you with a lock screen. Once you click proceed, the system then presents you with a way to pay a “fine”.
This malware is tricky in that it ostensibly offers something that Android does not have now (i.e. access to Flash) so this tricks many people into installing it in the first place. The malware then takes over the phone and is hard to get rid of.
The final analysis, though, is that these types of malware and extortion schemes are becoming more commonplace, and thus end users should be more aware of these tactics and how to deal with them. In the case of this malware, paying does not mean that victims will be able to rid themselves of the malware.
Operation Emmental attacks are spread using phishing emails which masquerade as being sent from reputable online retailers. These emails contain malware-infested links which users are prompted to click. If victims click on the link, the malware gets downloaded to the users’ computers/mobile devices.
The Emmental malware manipulates the configuration of host systems and then automatically removes itself from the system, which makes it undetectable. The DNS settings of the host computer are manipulated to point at an external server (operated by the cyber-criminals).
Emmental malware then loads rogue SSL root certificates within host systems. These certificates are designed to trust the external server controlled by hackers and thereby eliminate security prompts.
This malware creates, in effect, a “man in the middle” attack and then tricks users into thinking they have a secure session with their site of choice. This attack is even more dangerous because it cleans up after itself and is hard to detect until it’s too late.
The upshot here is that end users should be aware of how to check links in emails before clicking on them and be aware of phishing attacks through regular security education.
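The two host changes described above (resolver settings pointed at an attacker-run server, and a rogue root CA added to the trust store) are both detectable by comparing a host against a known-good baseline. The following is an added example, not code from the original post or from the research it summarises; the approved resolvers, the certificate bytes and the host snapshots are all constructed for illustration.

```python
"""Baseline audit for Emmental-style host tampering (added example).

A real deployment would feed audit_host() the host's actual resolver
configuration and the DER bytes of every root certificate in its trust
store; how those are collected is assumed and not shown here.
"""
import hashlib


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der_bytes).hexdigest()


def audit_host(snapshot, approved_resolvers, approved_root_fps):
    """Compare one host snapshot against the baseline.

    snapshot: {"resolvers": [ip, ...], "root_store": [(subject, der), ...]}
    Returns a list of findings; an empty list means the host matches.
    """
    findings = []
    # Emmental redirected DNS so the victim resolved bank hostnames to
    # attacker-controlled addresses: any resolver outside the approved
    # set is a finding, whatever its address range.
    for resolver in snapshot["resolvers"]:
        if resolver not in approved_resolvers:
            findings.append({"type": "unapproved_resolver", "detail": resolver})
    # The rogue root CA let the attacker's server present certificates
    # the browser accepted silently: any root not in the baseline is a
    # finding, reported with its fingerprint so it can be pulled and examined.
    for subject, der in snapshot["root_store"]:
        fp = fingerprint(der)
        if fp not in approved_root_fps:
            findings.append({"type": "unexpected_root_ca", "detail": subject,
                             "sha256": fp})
    return findings


# Constructed baseline: the organisation's own resolvers and the roots it
# deliberately trusts (the DER bytes here are placeholders, not real certs).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
APPROVED_ROOTS = [
    ("CN=Example Corp Root CA", b"constructed-der-corp-root"),
    ("CN=Public Root CA 1", b"constructed-der-public-root-1"),
]
APPROVED_ROOT_FPS = {fingerprint(der) for _, der in APPROVED_ROOTS}

# Constructed snapshots: one untouched host, one showing both tampering signs.
CLEAN_SNAPSHOT = {
    "resolvers": ["10.0.0.53", "10.0.1.53"],
    "root_store": list(APPROVED_ROOTS),
}
TAMPERED_SNAPSHOT = {
    "resolvers": ["203.0.113.7", "10.0.1.53"],  # documentation-range address
    "root_store": APPROVED_ROOTS + [
        ("CN=Trusted Banking Root", b"constructed-der-rogue-root"),
    ],
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_SNAPSHOT), ("tampered", TAMPERED_SNAPSHOT)):
        for finding in audit_host(snap, APPROVED_RESOLVERS, APPROVED_ROOT_FPS):
            print(name, finding)
```

Because the malware deletes itself after making these changes, the configuration drift is often the only artefact left on the host, which is why a baseline comparison rather than a file scan is the useful check here.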
It seems that the Nigerians have learned that their tactics are losing ground and they have to move on to bigger and better things. It stands to reason that as things become more point-and-click, and the media gives attention to the big losses from malware at large corporations, the 419’ers will get in the game as well. I expect that the phishing emails will have the same telltale flaws but people will still click on them and infect their machines with malware. All in all this is just another player in a saturated vector that we all need to pay attention to.
Be on the lookout for the usual types of emails but instead of asking for someone to wire something those will instead be links to malware. As these guys get more savvy we all will need to keep an eye out for their phishing emails. On a threat scale these guys aren’t high just yet.
Historically the Nigerian scammers have been using emails and phone calls to steal money from unsuspecting people. Recently though they have moved into the world of phishing and hacking, using phishing emails to send people malware. Once the malware has been installed the 419 scammers act just like other criminal actors, stealing personal data and passwords. These they then use to steal money or create fake identities for their own purposes.
The 419 scammers are finally getting into the modern world of malware because people have been catching on to their usual routines and spam filters are stopping their emails. The scammers then had to change their tactics in order to continue their work and their revenue streams.
This is a natural evolution really but it shows just how effective these tactics are and how easily they can be picked up by people like these.
Financial and business information was stolen from several shipping and logistics firms by sophisticated malware hiding in inventory scanners manufactured by a Chinese company. The supply chain attack, dubbed “Zombie Zero,” was identified by security researchers from TrapX, a cybersecurity firm in San Mateo, California, who wrote about it in a report released Thursday.
TrapX hasn’t named the Chinese manufacturer, but said that the malware was implanted in physical scanners shipped to customers, as well as in the Windows XP Embedded firmware available for download on the manufacturer’s website.
This is what is known as a “supply chain attack”, and it means that an attacker has managed to compromise your supply chain, either by disrupting it or by tampering with what it delivers. These attacks can be devastating to a company where time and flow of product is essential to the business operations. This can also be seen in the light of supply chains such as military and other chains that could be broken to affect warfare in the favor of an attacker.
Malware dubbed Mayhem is spreading through Linux and FreeBSD web servers, researchers say. The software nasty uses a grab bag of plugins to cause mischief, and infects systems that are not up to date with security patches.
Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at Russian internet portal Yandex, discovered the malware targeting *nix servers. They traced transmissions from compromised computers to two command and control (C&C) servers. So far they have found 1,400 machines that have fallen to the code, with potentially thousands more to come.
This malware is novel in a couple of important ways. First off it is on UNIX using a common vulnerability and secondly it is a botnet that is also leveraging those systems infected to compromise other systems. UNIX and Linux are the underpinnings of the internet so if this malware infects systems as rapidly as predicted this could be a real juggernaut.
It is recommended that all UNIX systems facing the internet should be looked at and assessed for the vulnerability that allows for this malware to load and add the systems to the botnet.
A phishing attack was launched on 7/21/2014 that leveraged a new 0day and had a very short window of opportunity. The attack has been dubbed Pirpi or Gothic Panda (by Crowdstrike) and is now over. Detection of the attack was quick and the duration of the emails and the hacking was approximately three days.
Data and Sample Email:
Subject: Outstanding Invoice
Part of the email body:
Our records show that you have an outstanding balance dating back to January. Your January invoice was for $445.00 and we have yet to receive this payment. Please find a copy of the invoice enclosed.
If this amount has already been paid, please disregard this notice,and let us know that in this link. Otherwise, please forward us the amount owed in full by Aguest 1st. As our contract indicates, we begin charging 5% interest for any outstanding balances after 30 days.
Malware C&C Details:
The links led to resources at hazarhaliyikama[.]com. All emails linked to this domain with pseudo-random URL paths, just like the earlier spam runs from late April. Each recipient was given a unique URI. Examples below….
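The two traits reported above, every lure linking to one domain and every recipient getting a unique URI path, are enough to pick this run out of a mailbox. The following is an added example, not code from the original post or from the researchers who reported the run; the sample messages and their paths are constructed, and only the domain comes from the page (written here without the defanging brackets).

```python
"""Mailbox sweep for the Pirpi-style "Outstanding Invoice" run (added example).

Flags messages linking to the reported C&C domain and checks whether each
flagged recipient received a distinct URI path, the per-target tracking
behaviour noted on the page.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domain reported for the 7/21/2014 run (defanged on the page).
CNC_DOMAINS = {"hazarhaliyikama.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Return every http(s) URL found in an email body."""
    return URL_RE.findall(body)


def is_cnc_host(host):
    """Match the reported domain itself and any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CNC_DOMAINS)


def flag_cnc_links(body):
    """Return the URI paths of every link in the body that points at C&C."""
    paths = []
    for url in extract_urls(body):
        parsed = urlparse(url)
        if is_cnc_host(parsed.hostname or ""):
            paths.append(parsed.path)
    return paths


def analyse_run(messages):
    """messages: iterable of (recipient, subject, body) tuples.

    Returns the flagged recipients with their C&C paths, plus whether every
    flagged path is distinct (one unique URI per recipient, as described).
    """
    per_recipient = defaultdict(list)
    for recipient, _subject, body in messages:
        paths = flag_cnc_links(body)
        if paths:
            per_recipient[recipient].extend(paths)
    all_paths = [p for ps in per_recipient.values() for p in ps]
    return {
        "flagged": dict(per_recipient),
        "unique_paths": bool(all_paths) and len(set(all_paths)) == len(all_paths),
    }


# Constructed sample messages modelled on the lure quoted above; the
# recipients and the path strings are invented for illustration.
SAMPLE_MESSAGES = [
    ("alice@example.org", "Outstanding Invoice",
     "Please find a copy of the invoice enclosed. "
     "Let us know that in this link http://hazarhaliyikama.com/inv/k3p9x2"),
    ("bob@example.org", "Outstanding Invoice",
     "Please find a copy of the invoice enclosed. "
     "Let us know that in this link http://www.hazarhaliyikama.com/inv/z7q1m4"),
    ("carol@example.org", "Lunch on Friday?",
     "Menu is at https://intranet.example.org/menu"),
]

if __name__ == "__main__":
    result = analyse_run(SAMPLE_MESSAGES)
    for rcpt, paths in result["flagged"].items():
        print(f"{rcpt}: {paths}")
    print("distinct path per recipient:", result["unique_paths"])
```

Collecting the per-recipient paths, rather than only counting hits, is what lets you tell the mail team which users clicked and which path each one was issued when the web proxy logs are checked next.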
A “highly sophisticated Chinese state-sponsored actor” recently managed to hack into the computer systems at Canada’s National Research Council, according to Canada’s chief information officer, Corinne Charette. The attack was discovered by Communications Security Establishment Canada.
In a statement released Tuesday, Charette confirmed that while the NRC’s computers operate outside those of the government of Canada as a whole, the council’s IT system has been “isolated” to ensure no other departments are compromised.
Chinese APT (2PLA, People’s Liberation Army) has been active for some time now attacking defense industrial base and other companies. However, of late they have changed tactics and added think tanks and other governmental bodies that suit their intelligence needs. In the case of the Canadian NRC (National Research Council), China seems to be looking for intelligence concerning matters of state with regard to Canada. This is an important pivot and shows that no group is beyond the interest of the Chinese state.
Hacker outfit the Syrian Electronic Army (SEA) cracked the Israel Defense Forces (IDF) Twitter account, where it posted a fake warning of a possible nuclear leak due to rocket strikes.
The group posted under the IDF (@IDFSpokesperson) account of a “possible nuclear leak in the region after two rockets hit [the] Dimona nuclear facility” which triggered a brief panic among some of the account’s 215,000 followers.
The SEA published a screenshot showing it gained access to the IDF’s Hootsuite dashboard, a Twitter client that manages public tweets and private direct messages. Israel’s defense force later apologized for the erroneous and alarmist tweet advising users it was compromised and would “combat terror on all fronts including the cyber dimension”.
The importance of attacks like these is the use of disinformation and the open forum of Twitter. In this case it was a panic after such news (disinfo) was placed on the account’s timeline. However, in another case last year the same actors placed information that the White House had been attacked and that President Obama had been hurt. Once that news had been placed on the Twitter stream the stock market went down and panic ensued. These types of attacks can be powerful against companies as well and could cause financial and reputational loss. It is thus important to consider social media accounts as needing extra security attention, as they can be breached and misused in these ways.
DOWNLOADABLE ODT FILE HERE
APPENDIX A: LINKS
Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary: compromise not only by technical means but also by social and other means as well (i.e. giving that information to the wrong people by being too trusting or careless with it). Given the focus I have seen online and in the media about “secure communications” by technologies that may or may not be worth trusting, I just can’t help but feel that the majority of people out there today concerned about their privacy or their security in communications will utterly fail in the end because they lack OPSEC awareness to start. Here are some key concepts for you all to consider as you download your new fresh install of TAILS with a vulnerable i2p instance and begin to wonder about the security of the product.. I will give you a hint… Unless you consider all these things you will fail at your security machinations.
Technology and OPSEC:
So you have a Laptop you bought new from your vendor and you have downloaded TAILS so you are good to go right?
Consider these things before you begin your super sekret affair online…
- Can you trust that the laptop doesn’t have some extra chips or other hardware installed? Have you taken it apart to see?
- Are you even capable of looking at the mainboard and determining what if anything does or does not belong there?
- Do you in fact own the pipe, the DNS, the router, or anything from the cable modem on your desk provided to you by the cable company? If not, then how do you know that the network is not already compromised?
- The same goes for the hardware router provided to you as well as the COTS Linksys router you bought.
- Can you trust the supply chain of the TAILS instance you downloaded to start with?
- Can you sift through the code of that TAILS instance yourself to check if there is rogue code that allows for compromise and surveillance?
- Can you truly say you are a master of your GPG/PGP public and private keys and processes to encrypt and send email to one another?
- Can you say that you securely transmitted your keys to the other party in the first place? Or that your private key is not already compromised from an endpoint CNE attack?
All of these things are compromisable, and no one is a master of all things. Unless you build your own laptop from the ground up with hardware you checked at every step AND you never let it out of your sight, then you cannot say that the supply chain has not been tampered with. Thus your security measures are potentially void.
The same can be said about the operating system on the laptop. Did you code it? Have you vetted it yourself? Sure there is open source but really, unless you do this yourself how can you be sure? You can’t really so you have to have a measure of trust that it’s safe. But hey, now we are talking about nation state efforts to listen in and watch everything you do online so really it’s game over right?
There is no sure thing here. So you have to take this stance from the start that you are likely already compromised. You can now either attempt to game the system and have some modicum of security by using OPSEC and technical means or you can just say fuck it and not care. If you are in the former category then you can move on in this post and perhaps consider some other things you need to protect your secrets. If not, you can stop here and go back to your blue pill existence.
Nation State Surveillance and YOU:
So you have decided to read on.. Gut gut…
OPSEC is more than just technical means. As you can see from the above, nothing technical can really truly be trusted. Just as no one really can be trusted in reality. I am willing to bet many of the LulzSec gang trusted Sabu, didn’t they? I mean after all they made some stellar OPSEC failures in trusting him that ended up with them in prison now, right? They also had technology fails too, I mean Sabu was pinched when he logged into an IRC without a proxy with his own IP, so there ya go. It was partly technical failure and partly human failure. Had there been a bulletproof technology to obfuscate himself Sabu would not be in the witness protection plan now and the kidz would not be in the pokey, right?
So let’s consider some other things outside of the technical 0day and hackery bullshit.
POSIT: The technology is already owned and there is nothing you can do about it.
CONSEQUENCE: All your communications even encrypted by these means are compromised
RESULT: Nothing you do or say should be trusted to be secure
So what do you do then? Do you just give up? Or do you try other means in a layered approach to protect your security? Let me give you a hint: it’s the latter. However, you have to be diligent and you have to follow some ground rules. Given that the documents from the Snowden trove show that if you just use crypto for your communications, no matter how banal, you are now a target of interest and collection, you have to consider using the Moscow Rules as a daily routine.
Now does this mean you are really an enemy of the state and in grave danger? No. However, the precedent has been set that we are all under scrutiny and at the whim of whatever algorithm that flags us for traffic on the wire as well as any analyst who might take an interest in you. What’s worse is that many times one might find themselves under suspicion for who they talk to or what they may say online in today’s world and this is where we all should be very afraid. The Fourth Amendment is in tatters kids and what the state considers as papers or personal items does not consist presently of your phone or your computer files according to many in power.
It’s Moscow Rules:
- Assume nothing.
- Murphy is right.
- Never go against your gut; it is your operational antenna.
- Don’t look back; you are never completely alone.
- Everyone is potentially under opposition control.
- Go with the flow, blend in.
- Vary your pattern and stay within your cover.
- Any operation can be aborted. If it feels wrong, it is wrong.
- Maintain a natural pace.
- Lull them into a sense of complacency.
- Build in opportunity, but use it sparingly.
- Float like a butterfly, sting like a bee.
- Don’t harass the opposition.
- There is no limit to a human being’s ability to rationalize the truth.
- Pick the time and place for action.
- Keep your options open.
- Once is an accident. Twice is coincidence. Three times is an enemy action.
- Don’t attract attention, even by being too careful.
So there you have them. This is most likely a fictional list that was used in some book or other, but the CIA and the Spy Museum seem to have grabbed these as useful. These come obviously out of the old days of spying in Moscow, which coincidentally had so much surveillance on its native populace that I have begun to feel a strange sense of deja vu lately about our own affairs of state. Of course we don’t have the omnipresent fear of being disappeared.. Oh.. Wait.. Never mind…
Ok so we don’t really get disappeared so often but we can be taken into custody, our things searched, and our lives ruined by the government all on alleged information that you cannot see because it’s been marked as “Secret” with a handy NSL attached. I guess maybe that is a kind of disappearing huh? Not exactly to the Gulag Archipelago but close enough to ruin you. I know some of you out there probably just thought I put on my tinfoil hat there but I have personally seen this shit in action and it ain’t pretty.
Anyway, back to the purpose here, OPSEC is what you need to practice and you have to make it second nature if you want to keep your secrets secret. Unfortunately if you are in the sights of the nation state then you are pretty much fucked. However, you CAN make it more difficult as long as you are diligent and smart about it. So here’s the short and sweet of OPSEC for you:
- Trust cannot be implicit in technology or people
- Study up on disinformation and other obfuscation techniques and use them as a kind of chaff to protect your real comms
- Understand the adversary, their motives, their techniques, and their weaknesses
- If you use a technology, be sure that you are its master
- Secrets are secret (First rule of Fight Club) keep them that way
- COMPARTMENT THE EVERYTHING!
- Layer your encryption techniques and if possible use an OTP
- Go read up on TSCM
- Go read up on Counter-Surveillance techniques
- If they can’t get at you technically they will send in assets to get close to you
- If they can’t get assets close to you they will use your friends
- If they can’t get your friends, assets, technical measures to work they will go after you in other ways (think legal issues)
I bet some of you are thinking I am a real paranoid freak right now. Well, welcome to the new age of the surveillance state kids. Get used to it. YOU wanted to play this game and now you are. Welcome to the big leagues.
This last weekend was HOPE X held by the 2600 at the usual crumbling and fetid Hotel Pennsylvania. This go around I decided to attend because of the promise of all the talks surrounding the nation state surveillance today and a virtual visit from the Snowman himself. I booked my room at the Penn (I know.. bad idea really) and went in on Friday for the three days. What I got from attendance mostly was a sense of how crappy the Penn is again as well as how rough edged and lackluster the HOPE conferences have been over time. I also got to see my Twitter feed load up on hate for the con alongside the political tweets for and against it as well.
I left the con on Sunday morning with the final feeling being “Meh”. Of course this could be said about most cons for me now anyway. I said it on Twitter and I will repeat it here for you all.
“HOPE X = MORAL FAGS / DEFCON = Drink and then drink some more #hallwaycon”
That about sums up my feelings about conferences of late. Hope though was rather terrible.
So back to the whole politicizing of the con. 2600 has always been more political, so you kind of have to expect that. However, this year after the Snowden revelations and the actual visit by Snowden via Skype, one was left with a sense of impotence due to the conference’s lack of cohesion. It’s true that the nation states of the world are spying on us all. The NSA is drift-netting all of the data on the networks it can and saving it for a rainy day. Abuses are happening and governments are lying, but even after Snowden’s discussion with Ellsberg I was left with a sense that nothing said was empowering.
Snowden exhorted the hackers to rise up and create better software and crypto which to me is something we all have been saying all along in the security community right? I mean if not saying make better crypto then we have been at least saying “USE IT!” right? Overall though, nothing really new came out of this discussion other than the usual cognitive re-assertions that Snowden did what was right and that we are all now living in a surveillance state. While I agree with this assessment for the most part I also did not feel at all energized by this talk.
Overall I was not impressed by much at Hope and would agree with many who say it is a crappy con. Some may say, though, that it is what you make of it. In that vein I will say that the veal I had in Little Italy was fantastic, but the restaurant failed on the seconds of bread. No, really, the veal was a highlight. The conference did not teach me anything new and interesting, and the venue really did not lend itself to any kind of flow for traffic, so it was harder to attend anything you wanted to because you just could not get there. In fact my most prevalent thought each day was “FUCK I HOPE THERE ISN’T A FIRE! CUZ WE ARE ALL GONNA DIE!” That hotel needs to be torn down and something else built there… Seriously.
So on goes the politics of hacking… I personally believe things need to be done, but generally I did not feel that this con did anything in the way of inspiring anything in me but a low level of “get me the fuck outta here.”
Video of BsidesLV: HERE
It seems not a day goes by without some new Panda or Kitten or other superciliously named actor coming from the FireEyes, Mandiants and CrowdStrikes of the world. This morning a new “campaign” was announced by Symantec and backstopped by FireEye (Saffron Rose) and CrowdStrike (Flying Kitten). This one though has malware being named “Mysayad” because they “think” the writing and the changes show a tie-in back to the Flying Saffron Rose Kitten. After reading the alert from Symantec and doing a little digging myself my head nearly exploded once again. Why? Well, because the attribution was weak and contained a lot of supposition.
I have railed about this before and in fact I did a presentation on the whole issue at BsidesLV a while back (see above links). My issue is: why bother with the attribution anyway? Are these companies actually helping their clients with these details or not? Are they in fact digging into the whole picture of the actor and what they are looking for, together with the client who may be the target? Not so much that I have seen. You get a report with all the sexy sexy buzzwords and lingo and that’s it. No real help in dealing with the client’s issues, and it makes me have a headache.
So here ya go.. My presentation and my ideas on how it should all work. Take this and think about what you are getting as a client of these companies. Those of you working at the companies I am railing against should also perhaps think a moment or two on just what is the efficacy of what you are all doing. Are you in fact a new arm of law enforcement? I only ask because the only ones really interested in this data who can make it actionable are LE or the IC, so who are you really selling to here?
Just my beef…
Recent news shows that an arrest has been made in a Chinese industrial espionage campaign that started around 2009 and resulted in large dumps of data being taken from Boeing as well as other defense-base-aligned companies. Stephen Su aka Stephen Subin aka Su Bin was arrested in Canada after an affidavit was put in by the FBI giving evidence that SuBin and two others had broken into Boeing and other companies, stealing data on the C-17 as well as the F-22 Raptor and JSF projects.
While the affidavit says a lot in a roundabout way on what the FBI considered evidence for the arrest, there is a gap in just how the FBI came upon this guy and his co-conspirators in the first place. There is no mention of what tip may have led the FBI to obtain the email records of SuBin at Gmail and Hotmail as well as, it seems, the emails of UC1 and UC2 at Gmail. Perhaps the data came from something like Xkeyscore or PRISM? I don’t think that is likely, but one has to ask the question anyway.
Aside from that lack of genesis for the FBI investigation, the affidavit is quite detailed as to the back and forth between the UCs and SuBin. There are file names and screenshots of data that was passed back and forth as well as email addresses and snippets of the emails themselves. Of more note though is a timeline and the operational details that SuBin and his team were using in order to carry off the espionage, and this is very interesting. SuBin and the team were taking a more hybrid approach to industrial espionage that we commonly don’t get to see or hear about in the current throes of APT madness.
This case of espionage is different from the usual APT stories you hear today on the news. The reason for this is that the players here may or may not have ties back to those directorates and groups that APT come from. The affidavit is unclear (perhaps deliberately so) on the two UCs’ connections to any of the APT activities we have all heard about, but they do use the same techniques that we have heard being used by APT actors.
What is different though is the use of human assets (i.e. SuBin) as a targeter for the hackers to home in on specific files and architectures/companies/people. This is where this becomes more of a classic MSS (Ministry of State Security) operation than the ongoing attacks we have been seeing in the news since APT became a household term. Now, whether or not SuBin is actually a trained agent or just an asset is the sixty-four-thousand-dollar question in my book. There are allegations in the affidavit that, to me, look like he could be either. Su talks about making money on the data he has been helping to steal, which makes him look like a freelancer. Meanwhile there are other aspects that make it seem more like he is a true asset for MSS. I am still not quite sure myself, and perhaps someday we will hear more on this from the FBI.
A common thread in much of the MSS’ (中华人民共和国国家安全部) playbook for industrial espionage is the use of human sources who are naturalized citizens of another country (i.e. Americans, or in this case one who was about to become Canadian). In the case of SuBin, he had his own company in China that worked with wiring in airframes. This is a perfect cutout for the MSS to get an asset with access to Western companies that may be doing business with them. In the case of Lode-Tech (Su’s company) there was evidence from the 2009 documents (emails) that showed his company was sharing space with Boeing at an expo, which likely began this whole espionage exploit.
Now another fact that seems to emerge from the affidavit is that these guys were just using Gmail and other systems that are not the most secure. I do know that in some cases the APT also use these email systems, but these guys seem to be pretty open with their exchanges back and forth. This to me means that they were not professionals for the most part. I can come down on both sides here as well, after having seen some of the flagrant OPSEC failures on the part of APT in the past. Generally though my feeling is that these guys were a little too loose with their OPSEC to be professional MSS operators and may in fact all have been contractors.
On the other hand though, these guys had some tradecraft that they were following and these likely worked pretty well. In the image below you can see how they were hand carrying some data to Macao and Hong Kong in order to bypass certain “diplomatic issues” as they say. Additionally, this is the first time the surveillance portion has ever been mentioned in connection with APT-type activity. In the case of SuBin, he had access to Boeing itself (an assumption, as none is directly mentioned in the affidavit) via his company ostensibly, and thus had a presence that a hacker is lacking in remote APT activities.
So you can see how this is a hybrid operation and something we don’t often get to see. Could this be the new paradigm in industrial espionage? Frankly this is something I would have thought was going on all along, given what I know of Chinese espionage as well as having done assessments in the past that included a physical attack portion. By synergizing the APT hacking with MSS old-school tradecraft these guys were pretty successful (65 gig of targeted data from Boeing alone) and maximized insider knowledge of what to look for with technical hacking exploits. If you think about it, how many companies do business with China? Now ponder how much access those companies may have to networks and people in those companies… Yeah.
These are tried and true practices on the part of the MSS as well as other intelligence agencies the world over, so we have to pay attention to this stuff as well as worry about the common phishing emails that come in waves. Overall I think that the US needs to be a bit more self-aware of all of these types of activities and methods to protect their environments, but to do so I imagine will be a tough sell to most corporations.
Advanced Persistent Espionage:
What this all means is the following: “Industrial espionage doesn’t just mean APT phishing emails blindly coming at you. It also means that there may be actual people and companies that you are working with that are actively gathering your data for sale as well.” Another recent incident involves Pratt & Whitney with a naturalized American Iranian who stole a lot of physical documents as well as seemingly having emailed data out of their environment to Iran as part of a sale. You have to remember it’s not just all electrons, boys and girls.
However, the hybridization of the methods of APT and traditional tradecraft is just beginning. I think that the Chinese have seen the light, so to speak, and will start to leverage these things more as the US continues to put pressure on them concerning APT attacks. The MSS will get more and more cautious and work smarter as they continue to be persistent in their espionage activities. The Russians are already pretty good at this and they leverage both now. It’s time, I guess, that the Chinese have decided to look to their Russian friends and steal a bit from their playbook as well.
Bitcoins for Jihad Isn’t New
A recent article that is making the rounds is decrying a new paradigm for jihad in that @abualbawi is calling for funding through Bitcoin and Darkwallet. I was sent the article and I took a look at the PDF that *was* located on this guy’s site, but overall this is not as interesting or scary as the media would like to make it out to be. Why isn’t it scary, you ask? Well, primarily because having been in the world of monitoring these jihobbyists I don’t find on average that they are that tech savvy. In fact, I haven’t seen a really tech savvy one since Irhabi007 back in the day, but that is just my opinion.. *by the way he wasn’t a mental genius either*
This type of fund raising has been going on for some time in the Darknet *to what end I am not really sure*, but as you will see below actual funds were transferred in the darknet to that wallet and taken out circa 2012, and recently more has been added. Of course to date, the above Darknet site (pictured at top of page) is the ONLY one of its kind that I am aware of, but this would not preclude others passing bitcoins in the background to send to certain players in the global jihad. So this pdf and the rationalization for the use of kuffar technologies is in fact new and novel really for Abu and his pals at ISIS, I will give them that.
It also seems that Abu is trying to horn in on the old and tired “Jihadi Magazine” with his AL-KHALIFA, but hey, a jihadi media mogul has to start somewhere, right? Interestingly Abu has decided to remove the bitcoin pdf from his galley, but I luckily got it before it was gone. The notion though that Abu has in mind is that there is no real way to de-anonymize a Bitcoin transaction and, well, that isn’t completely true. So yeah, it may be tough, but you also have to factor in bad OPSEC on the part of the players as well as possible technical attacks against the system that could in fact let the other guy know who you are.
… By the way.. Abu, umm it is Abu right? Or is it Bobihnd? You guys seem to have the same UID for Twitter and talk to the same people… Perhaps I am just not caffeinated enough. Nope nope nope.. I was not caffeinated enough. There are telling tidbits that they are one and the same, or close, but I cannot prove this out.. Yet.
Anywho… Back to the issue of Bitcoin, Darkwallets, and anonymity. I expect that you guys will have some large hurdles here to get the funds flowing for your caliphate. I just can’t imagine Al-Baghdadi being all over this either. He doesn’t strike me as a real “techie,” ya know? I could however see the likes of the House of Saud maybe tossing some money at some GPU time, but really, this is an untenable posit for funding your jihad, Abu. I mean, how many Western jihobbyists are going to rent bot time to mine, or mine these things at home, just to give to you and yours?
The First Attempt On The Darknet Did Raise Money
On the other hand… The site I mentioned in the Darknet? Yeah, as you can see above they had about 1200 bucks in there at one point. You have to notice though it wasn’t a lot of bitcoins; instead it was the inflation that was happening at the boom time that gave it the bump. Of course they cashed that shit out toot sweet and I suspect bought a nice Macbook Air, not an AK-47 or a ticket to Syria. So yeah, the idea is not new, mainstream media, and so far it has not made a huge amount of money, so it should not be a booga booga booga news headline, mmmkay? Nothing to see here.. Move along…
Next I will cover the hullabaloo over ISIS/AQ using TAILS OMG!