(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for September 2014




Hey kids!

I just thought I would drop this stock email for you all to use to splain to your execs the problem of SHELLSHOCK and that it is IMPORTANT! I tried to wordsmith for the exec set in here and the links go right to pertinent blog posts and the CVE from NIST. Just a heads up I just saw that F5 BIG-IP is also in fact vulnerable to this attack so WHEEEEE!

Smoke em if you got em…


UPDATE: Looks like SUID attack may be possible too…


Email Text:


There’s a new vulnerability that affects nearly every system out there using BASH shell on the internet. This means that any Linux/UNIX system that is at the moment, internet facing is potentially vulnerable to being exploited by someone using commands inserted and sent to servers via CGI scripting or html for example. There is already a module in metasploit on this but you can check your versioning and if it is vulnerable with the following command in bash shell. This is an important vulnerability that could lead to larger compromise of our environment!

The short answer here about this vuln is that if you are vulnerable an attacker can use random code to have your system spit out data that you don’t want available such as etc password files etc.

Needless to say this is of a HIGH importance and rates a 10 on the NIST scale!

How to test for this vulnerability:

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If you get "busted" back you are in fact vulnerable.


REMEDIATIONS: Red Hat recommendations

There’s a new vulnerability that affects nearly every system out there using BASH shell on the internet. This means that any Linux/UNIX system that is at the moment, internet facing is potentially vulnerable to being exploited by someone using commands inserted and sent to servers via CGI scripting. There is already a module in metasploit on this but you can check your versioning and if it is vulnerable with the following command in bash shell. ~Troy Hunt

Another concern here is this: other appliances that are at risk.

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer’s website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren’t randomly changing either config or firmware and there’s not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it’s also not the sort of thing your average consumer is going to be comfortable doing themselves either. ~Troy Hunt

Another option is to remove BASH and replace it with something else;

“Other more drastic options include replacing Bash with an alternate shell implementation or cordoning off at-risk systems, both of which could have far-reaching ramifications and are unlikely to be decisions taken lightly. But that’s probably going to be the nature of this bug for many people – hard decisions that could have tangible business impact in order to avoid potentially much more significant ramifications.” ~Troy Hunt



Basically there is no means to detect these attacks effectively unless perhaps you are capturing all packets…

This can be hard to determine if there’s no logging of the attack vectors (there often won’t be if it’s passed by HTTP request header or POST body), but it’s more likely to be caught than with Heartbleed when short of full on pcaps, the heartbeat payloads would not normally have been logged anywhere. ~Troy Hunt

The real problem here is that this exploit set is still being worked out because it’s kinda modular. What I mean is that if you can get random code to work then you can place exploit code in there and get 0day to complete the job. So this is an evolving threat and MUST be taken seriously. Mitigation strategies should be worked out in the environment and all due diligence should be followed on keeping up with the intelligence on this vulnerability and what is being seen in the wild.
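As an added example (not part of the original post or the email text), a small Python checker that scans web-server access log lines in the Apache/nginx combined format for the "() {" function-definition prefix that every Shellshock probe must carry; the log lines are constructed samples and the function and field names are my own. Because combined-format logs record the User-Agent and Referer headers, probes carried in those fields are recoverable from ordinary logs even without full packet capture, while probes in other headers or a POST body are not.

```python
import re

# Apache/nginx "combined" log format. The request line, referer and
# user-agent are quoted fields, so probes carried in those headers are
# logged; other headers and request bodies are not.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The trait a Shellshock probe cannot drop: the "() {" prefix that the
# vulnerable bash parser keys on. Whitespace between the tokens is tolerated.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Quoted fields of the combined format that an attacker controls.
FIELDS_TO_INSPECT = ("request", "referer", "ua")


def find_shellshock_probes(lines):
    """Return (line_no, field, source_ip) for each field carrying the prefix.

    Lines that are not in combined format are skipped rather than guessed at.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = COMBINED_RE.match(line.rstrip("\n"))
        if not match:
            continue
        for field in FIELDS_TO_INSPECT:
            if SHELLSHOCK_RE.search(match.group(field)):
                hits.append((line_no, field, match.group("ip")))
    return hits


# Constructed sample lines (not real traffic): a normal request, a probe in
# User-Agent, a probe in Referer, and a harmless path that merely contains
# braces and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:08:09:17 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:08:10:02 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.9 - - [25/Sep/2014:08:10:05 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo probe" "curl/7.30.0"',
    '203.0.113.8 - - [25/Sep/2014:08:11:40 -0400] "GET /docs/bash-functions{} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for line_no, field, ip in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {line_no}: Shellshock prefix in {field} from {ip}")
```

Run it against a real access log with `find_shellshock_probes(open(path))`; a hit only shows that a probe arrived, not that the CGI behind it was vulnerable, so pair it with the bash test above.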

Written by Krypt3ia

2014/09/25 at 11:14

DISINFORMATION and PSYOPS: Corporate, Government, and Personal



The Panopticon and Testbed


Recent stories online have got me thinking again about the internet and its effects on just about everything. Specifically though, of late the idea of how the internet is being used in efforts of control and observation has been at the forefront of my mind. Since the revelations of “Snowman” came out just about everyone has had to face the facts that I and many others were saying all along, primarily this: “The internet is a massive and accessible form of control.” We are living digitally in a panopticon.

For a long time after the revelation that the MAE West was split and a NARUS STA6400 was placed inline, I have been saying that we all were being surveilled in a driftnet approach to intelligence collection. Some considered me a tinfoil hatter but the reality is that the government has long been using the net as a means of intelligence gathering. Now though there has been a paradigm shift from using the internet not only as a means of surveillance but also as a means of control over the populace.



One way of controlling a populace is with the use of disinformation. What got me thinking about this today was an article about how the recent online threats made by alleged hackers against Emma Watson turn out to maybe be a marketing stunt. Evidently a site was set up with a countdown to the release of nudes like those recently dropped by hackers in the “Fappening”. The twist here is that in the end the site was just a shill to manipulate people by clickbaiting them and then using that traffic to make money, possibly off of ads. There may be other designs behind this site and hoax but it sets a precedent that people should be paying attention to.

In the world of APT (Advanced Persistent Threats) and SE (Social Engineering) this is a common tactic. You bait the user with something that they just have to see and get them to click on something to infect themselves whether that be a file or a website or a link to one. This particular incident is in fact a form of disinformation just like the tweets coming out of ISIS/L trying to scare people into actions or behaviours. In this case the behaviour or action served the purposes of the creators to potentially make quite a bit of money from traffic to a particular site. In other instances this can lead to the compromise of corporations, governments, and end users to steal data such as confidential information or credit cards.

On a grander scheme though you can see the geopolitical actions of disinformation at play with every nation that has available internet access. If you look at the twitter streams and pages of Russia you can see manipulation going on in such cases as the last ill fated Malaysian airliner that was shot from the sky. In fact, the Russians have a very active online Trolling campaign that they use to manipulate people that sometimes is poor enough to just see right through. In other instances the information that is being used is not so easily determined to be skewed or false.

Now consider the whole debate over climate change. Take a look at the “Climategate” incident as well as all of the players involved both government and corporate that have had their hands in the manipulation of public opinion. It’s not just governmental and not just criminal but now a common practice of corporations and I would say has been so since the invention of Advertising and the primacy of Madison Avenue. I suggest you all go watch Mad Men again but not just to watch the unspooling of Don Draper’s life but how the advertising business works.



PSYOPS on the other hand were more military in origin but then the age of Advertising came along again and started using their precepts as well. In the case of PSYOPS online they are often used by military and government but never count the corporate entities out of the game. Recently it came to light that Facebook carried out some manipulation of its users in a program that wanted to see just how much they could change their moods. This experiment was also alleged to be affiliated with the military due to funding, so you can start to see how it’s a win/win for Zuck right? Manipulate your user base to get them to be pliant and click on ads all the while being a potential pawn in a larger war for hearts and minds for the military?

As I mentioned above this type of warfare is being carried out on Twitter by the likes of ISIS/L as well as the USA. In the case of the US they are trying to troll ISIS and their possible base into “Turning Away” from radical jihad. With both of these cases you can see just how ISIS does this a lot better than the US. However, I would then point you to the chickenhawks all on Fox and other news sources decrying that ISIS is a fundamental threat to the US. Unless you pay attention and do the due diligence reading you may miss that the Pentagon says that ISIS is not as much of a threat to the US (via terrorism) as the current Khorasan group, which is an AQ offshoot.

It’s easy to lose the truth between all of the shouting here online and off. Just how much is PSYOP to get a groundswell of support from the likes of the populace and their representatives in Congress is anybody’s guess. I for one think that there is a lot of this going on, but too many people focus on the governmental and should start thinking about corporations that now feel empowered to carry out these kinds of campaigns because they have the money and the will to do so.

*cough BIG TOBACCO and OIL cough*


The New (old) Dystopia:

So what it all comes down to for me is that we all need to be more mindful of this kind of manipulation. Remember too that it was the likes of HB Gary that were offering platforms to automatically manipulate people via social media for intelligence gathering as well as other desired effects. The dystopia, kids, isn’t just from surveillance but also from PSYOPS and DISINFORMATION that manipulate people into actions desired by those carrying them out. In the case of the 4chan hating alleged hackers of Emma Watson’s pictures? Well, I am sure there’s a bank account somewhere with more money in it. I also can assume that there are some people having a real laugh about it as well. What’s more, these people also are feeling very smug because they got all of you to click on a link and do the work for them.

Just remember to vet what you read kids and be mindful that the internet is an open forum to manipulate you as well as your traffic.


Written by Krypt3ia

2014/09/24 at 15:54

Posted in Disinformation, PsyOPS

This Ain’t Cowboy BeBop Ya Know…




Last week I read a story in Wired about the Bitcoin Jesus Roger Ver’s tribulations and his response to hacking and bitcoin theft. It seems that Roger’s old email account at Hotmail got pwn3d and the attacker then stole some of his bitcoins. Roger had correspondences with the miscreant online and tried to get his bitcoins back but to no avail. It seems that this ersatz hacker is quite the sociopath at heart.

Anyway, Roger got mad as all Jesus’ will do in front of the money lenders or the golden calf and decided to go on his own to find and punish these hackers. He invented his own bounty program! Yes, you heard that right kids. Roger is offering about 20K in bitcoins for information that leads to the arrest and prosecution of the hacker that took his bitcoins. He has had just enough! So to the nets he went and began posting his wanted posters online for a few cases. In his case though he has a particular foe that he is offering some information about to start all you cowboys off with.


Savaged is one of the alleged identities that Roger has had contact with and believes to be involved in the coin-napping case of his as well as perhaps the Satoshi Nakamoto email hack. Savaged though was the one talking to Roger as you can see in the above linked pastebin conversation on Skype so I went with this one to look into a bit more closely. I know what you are thinking there after that last statement.. You’re thinking I am fancying myself a cowboy right? Well, hey 20k is nothing to sneeze at but no, no I am not in the end and I will explain why down further in this post.



So Roger had a conversation with someone calling themselves “Savaged”. It turns out that once you start the Google and Maltego Fu on this cat you start to see a pattern, and it is one I have seen before. See, Savaged is one of those Xbox gamer derpheads who started life teabagging his enemies in gameplay and then decided to move on to petty acts of pseudo hacking. What I mean by pseudo hacking is that they start by jacking someone’s game IDs via social engineering or password guessing. Once they have had their fill of that they move on to breaking into email accounts like Hotmail.

If you ever get the chance to review all of these gameheads’ chats online, don’t. Save yourselves, because insanity will ensue after reading the completely grammatically incorrect and incoherent drivel out of these teens. It really causes brain damage and I had to stop myself after about half an hour of looking. The upshot though is that in these conversations you get to peek into the semi private lives of teens on the internets. Part bravado, part ineptitude, and all Lord of the Flies. I just have to ask myself, where are these kids’ parents?

Anyway, you can see lots and lots of their messing about in the following links:

Conversations and Histories: <—- NOTE: Derpy here is messing around and knows FAMEDGOD ya know, of the SONY DOS and Lizard crew fame? Yeah.. Derpy.

Alleged DOX:


Finished hitting your head against the desk yet?…

So here’s my thing with these skidz.. They are an annoyance and not much more. Sure, someone jacked Roger’s accounts and then stole his bitcoins, but it’s also kinda Roger’s fault for not securing those accounts right? I mean 2FA now is easier to get, but then again if it was a vuln in the validation process for lost passwords etc., well, that’s Hotmail’s fault no matter what Apple says about iCloud’s hack right? *poke poke*

The upshot is that all these kids are just unmanageable fucktards who get away with all kinds of shit because they are “youthful offenders” and the cops are usually 5 steps behind the times in how the internets work. After dealing with them in the past and looking at this crew here I can give you a basic rundown of how they operate:

They do anything they want because they can. Mostly because they have Sociopathic behavior due to Disinhibition Syndrome

These kids are just pathological most of the time, and it seems, as Joseph Campbell pointed out many years ago, we lack rites of passage that have meaning anymore, and today’s parents seem to be disengaged. Of course I am no Cyber Psychiatrist *snerk*. The reality though is that you can approach these kids reasonably and still get bitten, kinda like Roger does in that conversation linked above.

Until such time as the cops and the law catch up with the crimes being committed by these kids (SWAT-ing, jacking, petty online thefts) and put a stop to it they will just continue on and eventually move on to other more onerous crimes down the line as they get older and more tech savvy. This is my sad assessment of it all and for this and other reasons I will outline below I have decided to not be a Cowboy and try to collect a bounty on these bounty heads.


Roger, buddy, pal, give up on this pipe dream of bounties and maybe go for a letter of marque instead. You are relying on cops who may not care, and unless these crimes are federal you aren’t going to get much play from the law. Even if I or others were able to cobble together enough information to warrant a warrant for the FBI I seriously doubt they would move on anything, and here’s why.

  • Attribution is hard
  • Proof is hard to get unless you seize their systems and PROVE hands on terminals
  • DOX just won’t cut it and that is about all you will have with cowboys out there… Well, unless they hack these guys and then you have a whole taint issue…

No Roger, I think if you really want action you are much better off going to the darknets and hiring yourself a leg breaker. Well, in this case really just a hand breaker. If you were to get the dox and feel assured that your target was in fact your target then just have their hands broken. No hands to type, no hacky hacky your shit right? I know some of you out there are like


Well, it’s the truth right? I mean these little shits won’t learn unless they are either incarcerated in jail, in a mental facility, or maybe, just maybe sitting in front of a keyboard with broken hands and wrists because they done fucked up. Now am I really saying that you, Roger, should hire some mechanic to whack these kids? Well, no, that would be bad of me. However, I think my point comes across pretty well in the farcical scenario right?


Simple enough?


Written by Krypt3ia

2014/09/20 at 15:05

Digital Jihad: The Great Irhabi Cyber War That Won’t Be.





The Great Cyber Jihad

Since Junaid Hussain escaped over the border to the new lands of jihad (aka Syria) he has been vocal on Twitter showing off his great cyber manhood in classic irhabi bloviating online. That Junaid made some inroads by hacking into the prime minister’s email address at Gmail only lends dubious credit to his hacking skills in the eyes of anyone involved in the security field. This however is not how the great unwashed within the media and certain quarters of the government and the military seem to perceive the threat posed by Junaid today now that he is an ISIL irhabi.

Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.

Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.

They are now boasting it is only a matter of time before their plan becomes a reality.

~Daily Mail UK

The above text came from just one of the spate of recent reports on the great “Cyber Jihad” that is being touted to come from the likes of Junaid and ISIS/L as they attempt to expand their reach from the Middle East globally. This particular commentary makes the bile rise within my gut on so many levels though. But that kind of pales in comparison to the one right below…

“We’re in a pre-9/11 moment with cyber,” John Carlin, assistant attorney in charge of the Justice Department’s National Security Division, warned at a July conference in Aspen. “It’s clear that the terrorists want to use cyber-enabled means to cause the maximum amount of destruction as they can to our infrastructure.” 


PRE-9/11 OMG!!! Look you fuckwit if that were the case then China would have already put us out of our misery really. For that matter some half assed pot sodden kid who happened to hack into our grid would have taken us down years ago. There is just no need for this posturing and certainly above all coming from someone without a clue in their head about how things really work in the world of computer security. This kind of scare tactic aimed at getting people to respond in fear to allow for the government to do anything in the name of protecting us is vile.

Meanwhile you have other players such as the one below making statements of “ALL OUT CYBER WAR” while commenting on Anonymous’ operation against ISIS. I laughed and I laughed and I laughed until I just wanted to cry at the sheer stupidity of it all. Look, Anonymous can’t get their shit together enough to be both leaderless and effective, so really, how much of an “ALL OUT CYBER WAR” can there be there huh? Do you even know what a cyber war really means? Cyber warfare is both digital and kinetic in its purest form, and what kinetics did Anonymous really carry out in this operation to DoS ISIS offline?

Lemme give you a clue… None.

“Anonymous announced late last week a full scale cyber war against the Islamic State (Operation Ice ISIS), intended to attack ISIS supporters using social media for propaganda purposes”

~Fortuna’s Corner

So aside from the bloviating and the scare tactics coming out of ISIS itself we also have our responses from the government and the media with all their so called experts on cyber war and jihad. There is a lot of wankery going on here but finally this guy makes a little sense in the middle of his post on this mess…

ISIS’s main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the internet with video clips portraying the brutal acts of beheading and mass executions, as well as victory parades, as part of developing deterrence and creating an illusion of force in excess of the organization’s actual strength. The essence of its online activity, however, is broader. It enables its supporters to obtain operational information, including training in preparing explosives and car bombs, and religious rulings legitimizing massacres in regions under ISIS control. In tandem, it distributes indoctrination materials, such as a magazine called Dabiq: The Return of Khilafah, which focuses mainly on topics relating to formation of the new Islamic state headed by ISIS leader Abu Bakr al-Baghdadi. However, ISIS’s technological expertise is not the only factor. Perhaps the public, which is revolted by the organization’s deeds but closely follows these clips and photos as a kind of reality show, is contributing a great deal to the organization’s popularity.

~Fortuna’s Corner

Yes, there it is.. ISIS has been carrying out a PROPAGANDA war primarily, and with that comes PSYOPS as well. This is the first true set of statements I have seen to date over this whole debacle. Ok, they are waging a propaganda war and a recruitment drive for sure, but really, a cyber caliphate? I mean to date I have not seen this show up verbatim anywhere on the boards or on Twitter, so who’s leaping logic here? Seems to me that there’s a sucker born every minute and about 99% of them want to go into journalism nowadays.

A propaganda war using Twitter does not a cyber war make.

Cyber Warfare and Jihad

So let’s chat about the realities here about the capabilities of the Irhabi (ISIS/L or AQ or SEA) in a context of what we have seen so far. What have we seen you ask? Well, DoS, some data thievery, some malware use and phishing, but generally nothing spectacularly scary. Certainly nothing on the level of a nation state actor like China has been seen out of any of the loose groups that claim some jihadi notions online to date. So where do we get all this BOOGA BOOGA over the likes of Junaid Hussain and ISIS taking down our grids and things?


Yeah, there’s no there there. I am sorry but even if ISIS/L used the monies it has stolen over the last months to set up a “cyber team” they still would be LIGHT YEARS behind the likes of China.. Hell, they would even be way behind Iran for that matter, so really, there is nothing to fear here. Never mind that many of these guys like Junaid are working in countries that are actively being bombed and shooting is happening, so really, how much longer does Juny have anyway before he gets a Hellfire missile up his ass?

Truly the cyber jihad is a non starter for me and it should be for you too. On the other end of that equation though is the fact that they are actively recruiting and getting their message out using social media, and this is a problem. Now don’t get me wrong, it is not a clear and present danger kind of thing because really, 100 Americans out of how many people seeing their online drivel have actually left the country to go to jihad pretty much gives a sense of the threat. You have to be pretty unbalanced to want to do this shit to start with, so if you get up and leave the country to join up you are a truly unbalanced person to start. One so easily swayed by the propaganda wing of ISIS needs help, and what they will certainly get is a bullet instead while fighting. Even ISIS/L really doesn’t care about the Takfiri, you see kids, they are just bodies to be used… Nothing more. They may call you brother but under their breath they call you fodder.

Much Ado About Nothing

The reality is that ISIS is more a conventional force than anything else. They are not as well planned as AQ and they tend to be one dimensional thinkers. I will admit that their propaganda war has been interesting to watch but I don’t see that it is an existential threat. In fact, I concur with the assessment that AQ is still the real player here who can strike at the US and had a better track record thus far. Surely if ISIS continues to carry out the propaganda war they may garner more recruits but I just don’t see them being that inspirational to get lone wolves to activate/radicalize. I certainly don’t see them being able to put teams together to hack our infrastructure and take us down either. In fact I am not a proponent of that line of thinking anyway as a great threat. Our systems are too complex and fragmented to allow for such a spectacular attack.

So please news media… STFU.


Written by Krypt3ia

2014/09/12 at 15:31

GLOBAL Threat Intelligence Report AUGUST 2014


GLOBAL Threat Intelligence Report – AUGUST 2014

Executive Summary

Globally, August 2014 was much the same as we have seen in the previous months. The norm today is to see large corporations admit that they have been hacked and lost data, malware consistently being released in the wild, and personal data being stolen and put up for sale in the darknet. This report covers the following stories, which can be seen as indicative of what is happening in the world today and could affect your organization. These incidents should be looked at as potentially happening in your environment, and as such any mitigations that would have prevented them should be implemented in your network.

This month’s global threat indicators are:

  • JP Morgan hacked and data manipulated
  • Traffic lights are easily hacked and manipulated
  • SONY was DDoS’d again
  • Hacking victims become targets of the federal government
  • CHS Medical loses patient data to an alleged APT attack
  • The Nuclear Regulatory Committee was hacked and data stolen by nation state actors
  • A study of Black POS and Backoff POS malware
  • Carbon Grabber hits EU auto makers
  • Poisoned Hurricane APT malware uses Hurricane Electric
  • Taiwan claims to be the testing ground for Chinese APT attacks

Global Threats

JP Morgan Hacked Allegedly by Russia

JP Morgan lost gigabytes of sensitive data during a mid-August cyberattack that also targeted other top U.S. banks, according to sources familiar with the investigation of the hacking.


The attack was carried out by actors alleged to be from Russia and there is talk of state sponsorship. As the investigation goes on nothing much has been released about the malware (if any) used nor the names of the possible players involved. However, if this attack was carried out by a nation state backed actor it is a paradigm shift for the US and corporations in general.
The purpose of this attack seems to have been to manipulate funds within the bank for certain accounts and not for criminal purposes common to hacking of this type. The attack was quiet and thorough which speaks to the nation state backing and also may in fact be a message from Russia over sanctions by the US. This type of attack would be a new chapter in the hacking going on to date in that it would be a nation state able to manipulate the US markets through attacks on banking infrastructure.

Hacking Traffic Lights and Infrastructure

“Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” writes the research team led by computer scientist J. Alex Halderman.
“With the appropriate hardware and a little effort, [a hacker] can execute a denial of service attack to cripple the flow of traffic in a city, cause congestion at intersections by modifying light timings, or even take control of the lights and give herself clear passage through intersections,” according to the researchers’ findings.


While this type of attack has been portrayed in movies for quite some time it is now a reality and a potential security nightmare for the country. Attacking infrastructure like the traffic systems could be a prelude to larger kinetic attacks on the country or localized to a specific target area. One has to consider that this is just one step in a larger direction toward attacks on infrastructures that could be used by terrorists or criminals for other purposes. Being that this hack was carried off by a small team with a nominal amount of capital used to do it, this should be a concern for the country.

Sony PSN DDoS and Lizard Squad

Sony was attacked with a DDoS (Distributed Denial of Service) attack that took their systems offline for hours. The attackers call themselves the “Lizard Squad” and to date they are still at large. The group also was able to obtain information about a Sony exec flying on a commercial airline that they then used to phone in a bomb threat concerning that executive and flight.


Lizard Squad generally seems to be a bunch of kids, and the real author of the DDoS on Sony was another actor altogether. FamedGod is another entity online who claims that he was the one who attacked Sony, and that he did so because they are still not secure even after they were hacked in 2013. FamedGod posted some information that seems to lend credence to his being the perpetrator of this attack on Sony, and he does have a valid point about the continued insecurity of the Sony networks after their 2013 hack, which leaked user details including credit cards that had been improperly stored by Sony on their network.
In the final analysis however, it is a truism that DDoS is not going away and can be aimed at any system at the whim of any kid with the money to pay for a botnet. This should be the real takeaway, and all corporations should have some mitigation in place to protect their presence online from DDoS.

Hacking Victims Become Federal Targets

What do you do if you’re a company that gets hacked, and the Federal Trade Commission treats you like a criminal? That was the quandary facing Wyndham Hotels after the FTC claimed a data security breach gave it the right to supervise the company’s IT department. Thus began the latest episode of the Obama Administration’s habit of using vague laws to justify regulatory schemes that Congress never intended. More than 40 companies have already acquiesced to the FTC’s data security overreach—often small companies without the means to fight—but Wyndham to its credit is pushing back.


As hacking incidents increase within large corporations and get reported, it is likely that the government will look to sanction companies that are not in compliance with security best practices. In the Wyndham case, it seems that the FTC feels obliged to regulate the activities of the network and security teams at the hacked company in order to ensure best practices are followed. This of course is a new and troubling occurrence, but not an unforeseen one as the government tries to regulate the security space.
This is a heads up for all companies that may handle PII, PCI, or HIPAA data should a compromise occur and lawsuits ensue. The government may want in as well on the remediation and oversight of the security and operations of the company.

CHS Hospital Systems Hacked and Leaked Patient Data

Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers. Anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years or was merely referred there by an outside doctor is affected.

Malware sigs for what was used in CHS


While not much has been put out through the media, there are certain places where data has been released on the malware involved in this hack. The links below are for samples sent to before they shut down. Both show the same type of malware, and the hashes match the family APT-18 was using.


The CHS hack has allegedly been pinned on a Chinese APT (Advanced Persistent Threat) known to the community as APT-18. However, the modus operandi of APT-18 does not fit well with what was stolen from CHS. Additionally, there is evidence that the CHS networks had many issues that allowed numerous other types of infections to persist within its confines, giving hackers easy access. Instances of “Code Red” and other malware from many years ago have been seen beaconing from their IP space.
Whether or not the APT were involved, the networks there were in a poor state, specifically with regard to patching. As is common with medical networks, they are often poorly patched because the antiquated programs that run on them prevent proper patching. Overall, the assessment here is that the network and its security practices were below best practice and thus allowed easy access to patient records even with HIPAA regulations in place.

Nuclear Regulatory Commission Hacked

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation. One incident involved emails sent to about 215 NRC employees in “a logon-credential harvesting attempt,” according to an inspector general report Nextgov obtained through an open-records request. The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to “a cloud-based Google spreadsheet.”


The NRC hack is typical of the APT activity we have seen in the news over the last few years. In this case the NRC was phished with emails containing links to a Google Drive spreadsheet that infected their systems with malware. This is a common attack today and should be covered in any respectable security awareness program, yet it is still often the key to hackers getting into systems. Had the users checked the links first, or thought better of logging into a site to verify an account, the compromise may not have happened at all.
All users should be aware of what phishing looks like and the tactics phishers use to trick people into compromising themselves. In this case the actor is a nation state (likely China), which is par for the course today.


Backoff POS and BlackPOS

The “Backoff” POS (Point Of Sale) malware is a new version of skimming software that was used in a recent attack on the SuperValu grocery chain. This malware gets its name from the word “backoff” in the code. BlackPOS is another malware that was created by the Rescator/Lampeduza network for their attacks on Target and now Home Depot. It also gets its name from code snippets and from the actual name used on the Russian hacking/carding boards that sell it and the data that has been stolen.


These types of malware are common to this type of crime today because in the US we do not have the “chip and pin” technology that would prevent this attack from succeeding. Both of these pieces of malware have been bespoke for the crews that are using them and attack the actual interfaces of the POS device. When a card is swiped at the POS, the malware scrapes the memory of the machine and captures the card numbers and the PIN during the transaction. It then sends that data to an aggregator (compromised machines in the network) for exfiltration to servers, usually in the Baltics.
Given that this type of attack has now leaked millions of cards (including a new Home Depot leak ongoing today), we can expect that retailers and banks in the US will soon be looking to upgrade the infrastructure here to a chip and pin system to stop this from happening. Banks in the US are already feeling the pinch from these attacks and are pushing behind the scenes for these changes.
Addendum: It has been reported by the FBI that as many as 1000 companies may in fact be compromised with these types of malware and actively being used to steal credit and debit cards.

Carbon Grabber Hits Automotive Industry

Europe’s automotive supply chain is being targeted by a malware campaign connected to the increasingly popular Carbon Grabber crimeware kit, researchers at Symantec have warned. At first glance, what Symantec uncovered earlier this month when investigating a spam campaign spreading malicious attachments looks relatively innocuous, one of dozens of such incidents security firms pick up on in any given month.
The giveaway that there is more to this one is the unusual level of targeting, which aims more than half of all spam at the car rental, insurance, commercial transport, and second-hand commercial and agricultural vehicle sales sectors in Germany, The Netherlands, Italy and, to a lesser extent, the UK.


The Carbon Grabber is part of a larger supply chain attack and may be the work of a nation state actor. The initial attack gets the user to install software that in turn starts to mine data within their corporate network. Black Carbon then steals credentials and sends them to a C&C server. This attack is ongoing and more may come from it in the near future. It is, however, a common two-stage attack against companies in order to steal their secrets, with the primary attack coming from a phishing campaign. The novelty here is the use of spam campaigns with directed targeting (cars and rentals) to obtain their objectives.

APT Activities

Poisoned Hurricane

“We found that anyone could register for a free account with Hurricane Electric’s hosted DNS service. Via this service, anyone with an account was able to register a zone and create A records for the registered zone and point those A records to any IP address they so desired. The dangerous aspect of this service is that anyone was able to hijack legitimate domains such as Although these nameservers are not recursors and were not designed to be queried directly by end users, they were returning results if queried directly for domains that were configured via Hurricane Electric’s public DNS service.

Furthermore, Hurricane Electric did not check if zones created by their users were already registered or are otherwise legitimately owned by other parties.” ~Fireeye


The use of Hurricane Electric’s loose network has long been a staple for malware and APT activities. The fact that anyone could use their permissive DNS service only added to the ability of malware campaigns to obfuscate their attacks and to exfiltrate data more easily. It is important as a company or security group to monitor your DNS traffic to ensure that you are not compromised and beaconing to bad actors, and thus losing your data.
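The DNS-monitoring advice above can be made concrete. The following Python script is an added example, not code from the original post: it parses constructed BIND-style resolver query-log lines (sample data invented here, with a reserved `.invalid` domain standing in for a suspect host) and flags client/domain pairs that are queried at near-constant intervals, the timing signature of an implant beaconing to its controller.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed BIND-style resolver query-log lines (not real traffic); the reserved
# ".invalid" TLD stands in for a suspect domain, www.example.org for normal browsing.
SAMPLE_LOG = """\
25-Aug-2014 10:00:01.000 client 10.1.2.3#53123: query: update.cdn-check.invalid IN A + (10.1.0.53)
25-Aug-2014 10:00:05.120 client 10.1.2.3#53130: query: www.example.org IN A + (10.1.0.53)
25-Aug-2014 10:05:01.040 client 10.1.2.3#53140: query: update.cdn-check.invalid IN A + (10.1.0.53)
25-Aug-2014 10:10:00.980 client 10.1.2.3#53151: query: update.cdn-check.invalid IN A + (10.1.0.53)
25-Aug-2014 10:12:33.000 client 10.1.2.4#53170: query: www.example.org IN A + (10.1.0.53)
25-Aug-2014 10:15:01.010 client 10.1.2.3#53162: query: update.cdn-check.invalid IN A + (10.1.0.53)
25-Aug-2014 10:20:01.000 client 10.1.2.3#53171: query: update.cdn-check.invalid IN A + (10.1.0.53)
"""

# Matches both the older "client IP#port:" and the newer "client IP#port (name):" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) .*?client (?P<src>[\d.]+)#\d+"
    r"[^:]*: query: (?P<name>\S+) IN "
)

def parse_query_log(text):
    """Yield (timestamp, client_ip, queried_name) for each parsable query line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group("src"), m.group("name").lower().rstrip(".")

def find_beacons(text, min_queries=4, max_jitter=0.05):
    """Return [(client_ip, name, mean_gap_seconds, jitter)] for client/name pairs queried
    at near-constant intervals. jitter = pstdev/mean of the gaps; ~0 is clockwork timing,
    the pattern of an implant checking in rather than of a person browsing."""
    series = defaultdict(list)
    for ts, src, name in parse_query_log(text):
        series[(src, name)].append(ts)
    hits = []
    for (src, name), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 1.0
        if jitter <= max_jitter:
            hits.append((src, name, avg, jitter))
    return hits
```

Legitimate software (update checkers, NTP, monitoring agents) also queries on a schedule, so treat a hit as a triage lead to be checked against the organisation’s known-good hosts rather than as a verdict.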

Taiwan: Testing Ground for China’s APT


Taiwan has made a claim that they are the testing ground for China’s APT activities. This would make sense from the standpoint that Taiwan is now under Chinese control (for the most part, though still called Free Taiwan by many). If that is indeed the case, then the malware and hacking techniques could possibly be seen being tested in Taiwan first, and thus perhaps be an intelligence boon for the US and other countries, were we able to see that traffic as it happens.

Editable DOC file for DOWNLOAD to use for your organization

Written by Krypt3ia

2014/09/11 at 21:25

Posted in Threat Intel