Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for January 2015

Threat Intelligence Report – December/January 2014/2015


Contents

Executive Summary:

In the months of December 2014 and January 2015 many paradigms on how the security of the Internet was perceived began to change. With the advent of the Sony hack and all of the fallout since, there has been quite a bit of angst on the part of governments across the globe in response to the attack.

This concern is warranted because the Sony hack set a precedent: a destructive action by a nation state (ostensibly) against a private corporation that completely destroyed its capability to function as a company for many months. To date, Sony is still offline internally, with all of its various systems being reconstructed so that workers can resume regular business.

Alternatively, other attacks, like the Christmas Day attacks on Sony's PSN and Microsoft's Xbox networks, took those services offline at a key time for gamers with new consoles to play the games they got for Christmas. These DoS (Denial of Service) attacks were carried out by a group of “script kiddies” (hackers without real skills) called “The Lizard Squad”, and arrests by the FBI and others across the globe are now taking place in January.

The final assessment, though, is that the game has changed and the rules are yet to be determined, both at a legal level and in an attacker's decision process on how far is too far to go. In the case of the Sony attack, whether or not it was a nation state, the game changer is that the attackers completely destroyed Sony's capability to operate its business. This situation ups the stakes for other adversaries, both nation state and other, to a level at which nothing is taboo and everything is possible.

In short, we are living in “Interesting Times”, as the Chinese say, and we had all better be ready to handle the outcomes of potential attacks like the Sony attack, because it is likely that it will not be the last one of its kind.

Global Threats:

The Sony Hack & New Norms in Intrusions

The Sony attack was not new in the sense that the malware had been around for some time on the Internet. A version of it had been used in 2013 against banks in South Korea, where it managed to destroy quite a bit of data; however, those 2013 attacks were stopped before the destruction of the banks' systems was complete. What had not been carried out before was the use of such malware by an adversary against private entities in this way, and that was the game changer.

In the case of Sony, an iteration of the 2013 malware (DarkSeoul) was upgraded with about forty percent more changes to the base code, refining the process a bit. After editing, the malware was leaner and able to destroy drives very quickly. The crux of the attack lay in the malware choosing a certain section of the drive (the middle) and quickly taking that section out with destructive wiper tools. In essence, that one stripe made the drive useless.

This, in tandem with the hard-coded domain names, addresses, and passwords of high-level accounts, made the attack all the more destructive and pervasive. The sole intent of the upgrades and deployment of this malware package (4 variations of malware in total) was to take Sony offline hard, at maximum cost.

Assessment:

The assessment that goes along with this attack on Sony is alluded to in the executive summary. The crux of it is that this malware was not advanced: it has been around as a concept since 1998, and the attacks used to place it in the network were not new either. What is different is that the actor was willing to carry out such an attack on their target in the first place.

The changes to laws you are seeing proposed by the Obama Administration show just how earnest they are about responding to this change in the tempo of cyber warfare. There are few international laws that handle this type of attack, and we have yet to have any real substantive ground rules that all countries would abide by in this battle space.

Additionally, the attack on Sony also sets the tone for non-state and chaotic actors who may want to wreak havoc wherever they can with the same tools. Remember that the code is already out there, and access can be gained through phishing attacks or insider access at any company. This attack, and the narrative of how it happened, should be heeded by every company today, because they too could be the next Sony with the right adversary set on destroying them.

Reading Material:

http://www.usatoday.com/story/tech/2015/01/21/davos-world-economic-forum-cisco-hacking/22108665/

https://firstlook.org/theintercept/2014/12/24/fbi-warning/

http://www.cnbc.com/id/102351695

http://wvtf.org/post/sony-hack-highlights-global-underground-market-malware

The Government Response to Sony

As stated above, the US Government has been actively seeking to update and create new policy on hacking and cyber warfare since the Sony attacks occurred. The Obama White House has in fact put forth changes to the CFAA (Computer Fraud and Abuse Act) as well as new legislation covering all manner of information sharing as well as repercussions for hacking.

The primary concern for business, though, should be the changes to incident reporting, as well as the proposals for information sharing between companies and the government on security threats being seen in the wild. These information sharing programs already exist in the private defense contractor space but as yet do not exist outside of that realm. The matter of incident reporting, however, is a new and prickly topic and as such should be watched closely by corporations, to be sure of what they may have to report on and in what time frames. Additionally, they should be concerned with fines for non-reporting as well as issues over releasing data on vulnerabilities they may have.

Assessment:

The primary concern for companies will be the reporting requirements and the repercussions of reporting. At present this is all notional, and with the president being a “lame duck” it may not be something that companies will have to concern themselves with at all, unless the Senate and House decide to act on these proposals.

Reading Material:

http://gizmodo.com/obama-wants-hacking-to-be-a-form-of-racketeering-1679328607

http://www.huffingtonpost.com/2015/01/20/obama-hackers_n_6511700.html

http://www.ibtimes.com/obama-says-stricter-cybersecurity-laws-needed-combat-hackers-his-state-union-speech-1789336

Chaotic Actors: Lizard Squad

The Lizard Squad is a loosely knit group of script kiddies that created a now defunct DoS (Denial of Service) software package that was used to take the Sony PSN and MS Xbox networks down on 12/25/14.

These attacks were chaotic in that the Lizard Squad just did it because they wanted to. There was no political agenda and no real stated reason; they just took things offline to make people unhappy and to gather fame for themselves.

At present, the Lizard Squad's tool is offline, its code has been dumped online, and the service's users' passwords (which were not encrypted) are in the open. The FBI is investigating the incident and has in fact captured three of the hackers from the group already, with more to come.

Assessment:

The Lizard Squad is just one group of many that come into existence and go out of existence online regularly. Loosely modeled on Anonymous, the Lizard Squad acted out of a need to chaotically cause mischief online without much more reason than that they wanted to.

This type of actor is becoming more prominent with actions like this, and with each big story and the attention it is given, more will rise up like them to sow havoc on companies online. For the most part these actors carry out attacks that are not as complex or devastating as the Sony attack, but they could also evolve and carry out similar attacks.

It is thus important that companies pay more attention to groups like these and monitor OSINT and other threat intelligence feeds to be aware of groups that might target them. Being armed with information may make all the difference in the world to your OPSEC against attacks by these actors.

Reading Material:

http://www.gamespot.com/articles/psn-and-xbox-live-xmas-hackers-are-hacked/1100-6424778/

http://www.thebitbag.com/lizard-squad-hacker-identified-arrested-lizard-squad-client-details-leaked/108334

Skeleton Key Malware: Bypassing Domain Admin

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”

CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.

http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/

Assessment:

This malware is novel in that it uses a flaw in Active Directory in tandem with single-factor authentication. This novel approach, if not mitigated by Microsoft, could be enhanced and used more widely by attackers. There is, however, one flaw in the malware that mitigates the attack:

The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.

However, if an adversary already has a level of compromise that grants the access needed to install malware on a domain controller, then this attack is secondary, because they have already compromised you at a deep level.

Reading Material:

http://www.zdnet.com/article/skeleton-key-malware-bypasses-authentication-on-corporate-networks/

https://threatpost.com/skeleton-key-malware-opens-door-to-espionage/110433

http://www.scmagazineuk.com/skeleton-key-malware-used-to-attack-global-hq-in-london/article/392432/

Internal Telemetry & Alerts

IDS Alerts

Phishing Attacks

Malware Trends

Log Correlation

Full report for download HERE: Report

Written by Krypt3ia

2015/01/21 at 21:00

DDoS Will Not Stop Daesh or AQ or AQAP


Anonymous Hackers Target Jihadist Twitter Accounts And Websites: Nine Down

Hackers ‘disable extremist website’

Charlie Hebdo: How ‘hacktivists’ and cyber-jihadis will wage a digital war


I have another word though for it all..

“Fuckery”

Ok, I have said this before and I guess it is time for me to say it again, as all I see in the news today is hyperbolic bullshit about how Anons took down a jihadist site. For the record, the site in question was the lowest of the low hanging fruit. It has been pwn3d three ways to Sunday and is mostly full of other agent provocateurs looking to hook themselves a stupid jihobbyist anyway. So really, what has Anon done by taking this site, out of all the sites out there, down?

Squat.

Look, if you guys want to do something of worth, then you use all your doxing powers to locate all these fuckers online in these forums and pass it to the authorities, ok? Failing that, what you are only doing is managing to garner headlines by lackluster reporters looking for a story that will give them page clicks, is all. It will mean fuck all to the jihad, the GWOT, and most of all it will NOT stop another attack by those loon wolf enough to do it. It's a simple equation, kids, and I know you want to feel like you are doing something, which I laud you for, but do it smartly, would you?

The same thing goes for the Twitter accounts. I tried to do this too and I was actually taking the time to single out the big players. You get them banned and they just come right back. However, when you DOX them with their real information they tend to get popped by authorities. So why not take the time and do some real work on stopping these fuckheads?

You all can be better than this. Evaluate the ops.. Is it for you or is it for the greater good?

Do some research: https://krypt3ia.wordpress.com/category/internet-jihad/

K.

Written by Krypt3ia

2015/01/12 at 16:53

Posted in jihad

I guess I am a “SONY Truther” are you?


Hoodie can be made on http://www.zazzle.com if so inclined.

The Evidence is Where?

Right, well James Comey (FBI) came out yesterday at a conference in NYC with what he might think is definitive proof that North Korea attacked and destroyed Sony digitally. Of course the reality is when you really look at what he said once again you are left saying “Uhh what?” In an article on the Daily Beast which I have captioned below Comey says that the proof that DPRK did it was in the form of IP addresses only DPRK has access to and uses. Sure, fine, I will buy that. So show me the logs and the IP addresses please?

In a speech to a cybersecurity conference in New York, Comey took the unusual step of revealing previously classified intelligence that he says shows North Korea is to blame.

The new information consisted of Internet protocol addresses that Comey said are “exclusively used” by North Korea. Comey did not specify what those addresses are. The FBI’s case to date has hinged partly on Internet addresses it says were used in previous attacks by North Korea, and numerous experts have pointed out that hackers routinely use different addresses to mask their true location.

Comey’s new evidence struck some experts as inconclusive. “Short of the government disclosing the actual IP addresses, and those being in the netblock range of those known to be associated with North Korea or used by North Korea-backed actors, I simply can’t jump on the North Korea bandwagon,” Stuart McClure, the president and founder of cybersecurity company Cylance, told The Daily Beast. “We need more evidence.”

~ The Daily Beast

It gets better though, in Comey’s diatribe on this he goes on to talk about spear phishing emails that went to the CEO of SPE previously in September of last year that “may” have been pre-cursors to the attack that finally played out. This is of course very likely as a start of an attack and I can buy into that as I have seen the Chinese and others do the same thing. Hell, I have done the same thing on penetration tests!

FBI Director James Comey said on Wednesday that investigators have found spear-phishing emails that were sent to Sony employees as late as September. Such emails were the “likely vector” that the hackers used to get inside the company’s network, Comey said, from which they stole and deleted large amounts of data, including business emails and employee salaries.

So yes, there are emails and they are spear phishing, which are likely to be in the dump that GOP put out when they dumped Lynton’s email spools (go check, kids!) and whose headers we can look at. Perhaps that is what Comey wants us all to do? I am not sure; in fact I really don’t care for Comey all that much, as all I have seen out of him is dire hyperbole. Anyway, he goes on from there to talk about the IP addresses that the government allegedly has:

In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy. Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using… were exclusively used by the North Koreans.

They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.

Wait, he is basing this all off of the emails and pastes? I have the emails and I saw no DPRK addresses in those headers from Yopmail and the servers in the EU. So where are these headers you are speaking of, James? Do you have emails that we are not aware of? If so, just please say so. Alternatively, does the government in fact have the logs from Pastebin on these posts where the alleged IPs show up? If so, once again, show them. Show me the subpoenas and show me the logs. Why not? I mean, you guys aren’t prosecuting this in a court anywhere, are you? You should be able to drop those dox on us all to prove your case, right? If not, why not? Please explain a bit more, would you?

Like I have said many times already, I can believe it was the work of DPRK or actors paid by them, but really, give me a little substantiating information to go with it, or just tell me everything is classified and HUMINT, where I will have nowhere to go. Instead you keep offering hollow statements of facts that just don’t really add up. It should not be this hard, really. You are reacting as a nation against another nation with evidence that is what, exactly? This is my big problem here with the cyberwars: we go to war footing on what? Supposition much? If the GOP fucked up and used their straight IPs to do things and you are telling us that, then show us the data. Give us an IP address within the two /24s that they have and be done with it.
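What "show me the headers and the IPs in the netblock" actually looks like in practice, as an added illustration that is not part of the original post: walk the Received: chain of a message and test each hop against the claimed ranges. The two messages, the hosts and the netblocks below are constructed placeholders from documentation ranges, not real GOP or DPRK data, and the "two /24s" stand in for whatever ranges the FBI would have to disclose.

```python
import email
import ipaddress
import re

# Constructed sample messages (headers only). Hosts and addresses are taken
# from RFC 5737 documentation ranges and stand for nothing real.
PROXIED_MESSAGE = """\
Received: from mx.example.invalid (mx.example.invalid [198.51.100.7])
\tby inbox.example.invalid with ESMTP; Sun, 30 Nov 2014 10:12:01 +0000
Received: from proxy.example.invalid (proxy.example.invalid [198.51.100.200])
\tby mx.example.invalid with ESMTP; Sun, 30 Nov 2014 10:11:58 +0000
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample, sent via a proxy

body
"""

DIRECT_MESSAGE = """\
Received: from mx.example.invalid (mx.example.invalid [198.51.100.7])
\tby inbox.example.invalid with ESMTP; Sun, 30 Nov 2014 11:02:40 +0000
Received: from unknown (unknown [192.0.2.45])
\tby mx.example.invalid with ESMTP; Sun, 30 Nov 2014 11:02:37 +0000
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample, sent directly

body
"""

# Placeholder for the "two /24s" the post refers to; constructed, not real.
CLAIMED_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the IPs recorded in Received: headers, origin first.

    Each relay prepends its own Received: line, so the top header is the
    last hop (the receiving server) and the bottom one is the earliest
    visible hop. Only lines added by servers you control are trustworthy;
    a sender can forge anything below them, so "origin" here means the
    first hop you cannot vouch for, not necessarily the true source.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(value)
        if match:
            hops.append(ipaddress.ip_address(match.group(1)))
    hops.reverse()  # earliest hop first
    return hops


def hops_in_netblocks(hops, netblocks):
    """(position, ip, netblock) for every hop that falls inside a netblock."""
    return [(i, str(ip), str(net))
            for i, ip in enumerate(hops)
            for net in netblocks if ip in net]


def assess(raw_message, netblocks):
    """Summarise whether the apparent origin sits inside the claimed ranges.

    A hit at position 0 is the "connected directly" case. A message whose
    origin is outside the ranges is consistent with a proxy and, on its
    own, supports no attribution either way.
    """
    hops = received_hops(raw_message)
    hits = hops_in_netblocks(hops, netblocks)
    return {
        "hops": [str(h) for h in hops],
        "hits": hits,
        "origin_in_claimed_range": any(pos == 0 for pos, _, _ in hits),
    }


if __name__ == "__main__":
    for label, raw in (("proxied", PROXIED_MESSAGE), ("direct", DIRECT_MESSAGE)):
        print(label, assess(raw, CLAIMED_NETBLOCKS))
```

Run against the real spool and the disclosed ranges, the interesting output is the rare message with a position-0 hit; everything else only tells you which proxies were used.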

Truthers and Discrediting Language

As if the whole debacle wasn’t bad enough with a coy government, we now have self serving talking heads like Tao (Bejtlich) labelling anyone who wants at least a modicum of proof to be presented to the American people as “Truthers”. See the quote below from Mr. Bait-Lick:

“I don’t expect anything the FBI says will persuade Sony truthers,” Richard Bejtlich, the chief security strategist for cyber security company FireEye, told The Daily Beast. “The issue has more to do with truthers’ lack of trust in government, law enforcement, and the intelligence community. Whatever the FBI says, the truthers will create alternative hypotheses that try to challenge the ‘official story.’ Resistance to authority is embedded in the culture of much of the ‘hacker community,’ and reaction to the government’s stance on Sony attribution is just the latest example.”

~Richard Bejtlich

Firstly, FUCK YOU Richard.

Secondly, FUCK YOU Richard.

Thirdly, what the hell? Does questioning things for actual data to be presented cut into your business model? Oh yeah, right, it does, Mr. Mandiant rah rah. How many times have I heard that you and yours have turned out shitty reports with bad attribution in the past as well? I am sorry if I don’t want to just believe you Richard, or your company, or for that matter the government when they fail to provide any data that is of merit. Maybe that’s just me, but now you want to make myself and anyone who might question your findings out as nutbags with a common colloquial today for an Alex Jones Tinfoil Hatter?

FUCK. YOU.

If asking for evidence in this time of extra judicial searches and over prosecution of crimes that involve hacking is so crazy, then why do we even bother with the law in the first place, Richard? All of us asking the questions have legitimate rights to beg the questions as well as the ability to be experts in the field. See, it’s not just you, Dick, that can look at logs and perform incident response. Some of us also do it for a living daily; we aren’t just titular heads of large IR firms.

Reasonable Doubt

Reasonable doubt is that thing we use in the law to say that you have to prove beyond one that someone is guilty. Of course this isn’t a case where we will be taking DPRK to court unless Sony wants to. Nope, this is statecraft and warfare. Unfortunately we have many cyber chicken hawks out there as well as corporate bodies that will make OODLES of money as well as consolidate power if this all goes hot cyber right? All we have seen lately is how this was the first shot in the cyber war and that we need to respond. Well, as a citizen I would like to see some proof before we go starting cyber wars. Of course that is a little cart before the horse now since Stuxnet right?

With a populace that has been shown to have been lied to by the government, where excesses have happened infringing on rights and doing things in our name that perhaps we don’t want them to, I think it is important that we at least get some evidence. Assurances are just not enough in my book as they move forward in prosecuting statecraft and perhaps even military action, albeit cyber actions, when the result is political upheaval and reprisals.

That’s all I am saying.. Logs or GTFO.

K.

Written by Krypt3ia

2015/01/08 at 12:40

Posted in SONY

Chongryon and Sony


#GOP Concerns

Pastebin posted 12/31/14

#G…O……P……. express highest regard to the People of North Korea.  It is the juche we strive to free the world.  It is our stance that 공화국영웅 shall be given to the most powerful leader whom have save Korea from shame.  재일본 조선인 총련 our family of old friends will always look over our Leader and protect him from dishonor even in the event he would not see us.  Soon our film of 리설주 will made ready for the sons of Korea to witness.  Through our leadership the 2 korea will be made whole and our brother will live in peace.  Our power is ultimate and strong as our secret war is being won in the world of American hate.
For we are the Guardians of Peace in Democratic People’s Republic of Korea and want no more fighting in the family.

** Follow links in kanji to meanings above**

Theories and Suppositions:

I was Googling through the Pastebins as is my custom nowadays and came across this little post from December 31st. It caught my eye because of the Korean as well as the content. Now, language wise the Korean is standard, and not the Korean you would see coming from a DPRK person. I also noticed that the transliteration was direct into English, which to me implies that this was a translation carried out on Google Translate. However, the translated text is all place names, people’s names or names of organizations that will stand fairly static in the linguistic play book, so a variance issue on vernacular is less a factor in this case. Interestingly though, they chose to use the English phonetic of “Juche” instead of Korean kanji for a term that covers “self reliance”, a term for how DPRK perceives itself against the world.

The idea has been floated in the past that the Chongryon may have had something to do with the attack on Sony, and it is one that I could buy into; all I would need is some real proof from the government on things like the IPs they claim to know about or some other secret sources they refuse to release on the whole affair. This paste though is subtle, and as such I thought I would bring it all to you as an interesting tidbit to think on with regard to Sony and the debacle of SPE’s hack. This morning I posted a tweet linking a story about how Sony may still be compromised because they were so utterly owned. It is entirely possible that they are, and also that not only SPE was the target. Once again I will mention the Sony IPs in the malware and the fact that the language of the GOP’s email on 11/30/14 talked specifically about human rights, reparations, and issues that they claimed to have directly with Sony itself and not just SPE.

So let’s once again take a step back and imagine that this was not just about “The Interview” and not just about SPE but Sony itself. A company that is Japanese and has its own history and issues with Korea as well as the DPRK. Consider that DPRK kidnapped Japanese citizens in the 70s that they still have not accounted for. Or perhaps let’s talk about how the Chongryon headquarters is being sold out from under them by the Japanese government, which has caused consternation. There are many aspects of the region that seem to be lost on the media, and it is disconcerting that this seems to be just about America, but hey, we invented the Streisand Effect, didn’t we?

The Last Sentence:

I suppose the most interesting bit for me is the last sentence in this possible troll: “For we are the Guardians of Peace in Democratic People’s Republic of Korea and want no more fighting in the family.” It hit me once I had read it a couple of times that it made more and more sense if you consider the Chongryon as involved with this hack. The allegations of all the issues with human rights, the language around Sony and the restructuring that happened over the last year in particular, all of it. It makes a kind of sense, but it certainly is not evidence I would bring to a court. However, the sentiment and the language jibe with what the DPRK rhetoric has always been, inside and out. A long slog of “Poor North Korea against the world!” amongst other ideals that are indoctrinated into their people from the get go. So read it with that mindset. Is it really GOP? I can’t say that it is. What I can say though is that the writer knows some things about DPRK and the tensions in the region.

As I was writing this the AP came out with a story about how POTUS has approved sanctions against ten individuals from the DPRK in an attempt to cut off their access to American money. This is a flaccid response really added to the other sanctions we have against the DPRK. It has not stopped the DPRK and Un from carrying on but they have made it at least a little harder on him. I highly recommend that you take a look at this YouTube Money & Power in North Korea – Hidden Economy to get a sense of just how much money Un has and how he gets it as well as where. This will help you understand just how these sanctions are supposed to work. Once again the US reacts and I await the unintended consequences.

K.

Previous posts on Sony:

https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/

https://krypt3ia.wordpress.com/2014/12/20/fauxtribution/

Written by Krypt3ia

2015/01/02 at 19:44

Posted in SONY