(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for March 2016

Insider Threats: The Most Dangerous Threat


Screenshot from 2016-03-14 07:58:00

In The Seven Pillars of Wisdom there is the notion that the “insider threat” can be one of the most devastating threats to an organization. I have pointed this out before concerning INFOSEC, but I thought it would be prudent to do so again with the story of the caliphate and Abu Hamed. As a practitioner of the INFOSEC arts *chuckle*, one of the things that we have to take into account in the #BlueTeamLife is the insider threat and the general tenor within the organizations we work for. One has to take the pulse of the org and see what the overall temperature of the work force is. Have there been layoffs? Are people generally disgruntled? Who amongst them may be a turncoat, stealing your data or setting up the Locky malware inside your domain controllers?

All of these thoughts should cross your mind now and again as an internal player within a security organization. Frankly yes, you can have utter devastation to your network and your org from just one end user being click happy, but imagine if you will a disgruntled employee who has keys to the kingdom and a will to wreck it all as they give you the finger walking out the door. I personally have been party to one such incident that included a logic bomb and many hours trying to figure out what they did to get the org working again. You can never discount the insider threat and you shouldn’t.

The same can be said about agents provocateurs in your org as well. This may seem like fiction to you, but consider where you work and what they have as far as data goes. Would a competitor want to steal that data? Perhaps they would instead like to burn your org down to the ground to get ahead? All of these scenarios are possible, and you as the #BlueTeamLifer have to consider these things as you attempt to secure the sieve that is your networking environment.

Do you have any content in your awareness training about outsiders trying to get information from your employee base? Do you have content about not wearing badges to local bars or being circumspect at conferences? If not, perhaps you should assess your crown jewels and start creating some.

At the end of the day it is better to be prepared for this type of activity than to be totally unaware of the possibility.

Think about it.


Written by Krypt3ia

2016/03/14 at 12:10

“The Red Room” A Chamber of Horrors on The DarkNets?



The Mikado: MillenniuM S03E13

I often like to take little trips into the dark seedy underbelly of the internet called the Darknet. Well, today was just another day for that kind of thing until I came upon a site that claims to be a “Red Room”. A “Red Room” is really a composite urban legend where snuff films and extreme BDSM meet in a dark corner of the internet. Up until today there have been many rumours of such sites, and oftentimes one can find alleged “snuff” films on the internet and darknet. This site though has a twist on the old rubric: this site wants you to sign up and pay a fee in Bitcoin in order to watch content live in the future, 136 days in the future to be precise (see image below).

Screenshot from 2016-03-07 14:27:24

The spooky bloody countdown!

Now I don’t know about you all, but well, I have come across various sites in the corners of the net and of course in the darknet that, shall we say, had unsavoury content in the past. You can imagine the kinds of things one sees on the net, especially if you consider “Rule 34” and have been around long enough *shudder*. Anywho, this site piqued my interest because it reminded me a lot of an episode of MillenniuM back in the late 90s. This episode pretty much presaged this site’s intent with an early online site that could not be traced, being run by a serial killer who was killing people live online according to the number of hits the site got (see image at top; the number is how many hits he wanted before killing her).

Now I remember thinking that this was all bogus back then, particularly over the tech speak that they tried to use with the hacker trying to capture the location of the kill site. I tell ya, it was hilarious up to a point but I really had to wonder at the time whether or not this kind of thing would eventually become a reality. The site that I located today might be the real deal, but I really tend to think this is a little scam on the part of some enterprising Germans. I mean come on! Give me some content to start with that will make me WANT to give you Bitcoins guys!

Anyway, this site claims the following as its hook:

Three people will die … just one will survive. You will decide who is the lucky one. Livestream from 4 different locations in this world. You decide what each person deserves. Choose between 67 different torture methods. Whether physical or psychological pain, you choose by voting. All four camera livestreams on one site with a chat for each camera. Interested? Register now! More information after registration. Important! Access is limited to 300 registrations! Login will be possible 3 days before it starts.

So three unknown people will die after torture and the viewers are to choose the one who will live. With a wide array of torture methods (which we don’t know) including psychological torture, how can one resist this? Frankly this reminds me of a recent “Castle” episode with the school room and the tortured kid (now grown up) who started killing people off with puzzles and terror.

Oooh… Ahhhhh…

Screenshot from 2016-03-07 14:27:14: The registration page

Screenshot from 2016-03-07 14:38:03: Confirmed accounts (notice the 176/300) ORLY?

The site is kinda poorly coded and leaves too much of a trail for someone to follow back to the creators. The Bitcoin wallet was created recently it seems and has no transactions at all. So if there are people who have signed up, where are their Bitcoins? According to the site, out of 300 spots to view the murder/torture of unknown people 123 were taken up already. Would this not mean that there should be a substantial amount of Bitcoins in the wallet? If all 300 people actually paid, that would net the creators about 300 Bitcoins (today $123,591.00), which is a tidy sum. If you then believe the site and not the Bitcoin wallet taint, then the 123 Bitcoins given already would total $50,672.31. Now if you look at the second page that you can access via code, you see that 176 people have allegedly signed up. Well, that would be how much in Bitcoin? Oh yeah: $72,506.72, so where are those funds HMMMMMM??? I am sure some Treasury or DEA agent would love to steal those eh?


Screenshot from 2016-03-07 14:28:33: Blockchain taint


Screenshot from 2016-03-07 14:43:21: German language in the code

Another fascinating fact that I alluded to above is that this site was likely created by “Zose vacky Germans”, as there are German words in the code and the video (oh yes, there is a video, but in reality there is only text in it so cool down!). It figures that the cultural reference that ran through my head was Cartman’s mother in Scheisse videos here! Yep yep, German BDSM Red Rooms on the darknet! I can see the headlines now on Vice! Breathless stories about how the world is coming to an end and that the cause will not be something like an asteroid or a nuke, nope, it will be a Red Room that will drive our civilisation over the edge!

Alrighty, this was amusing. I will chalk this up to Slenderman and the other internet born Red Roomy urban legends. While I would not discount this kind of thing going on and being only something the Illuminati get to see, I seriously doubt that this is a real thing. If you decide to part with a bitcoin gentle reader, let me know how that goes for you. I will keep an eye on the site to see if anything interesting happens in 136 days.


Written by Krypt3ia

2016/03/07 at 21:58

Posted in DARKNET

“Прикарпаттяобленерго”: The “First” Attack On Infrastructure


Screenshot from 2016-03-04 11:21:42

The Attack:

Well there has been a great hubbub about the “first” true cyber attack on an infrastructure system(s) in Ukraine and while I agree that it may be the first (admitted to) it is not something that is on par with the attack on Natanz frankly. As the reports keep coming out and feeds like Wired write kitschy articles about the super scary world we now live in, I thought it would be interesting to cut the bullshit and just put some data out there with some commentary on this event.

So yeah, 225k people were without power for a little while, and overall this attack does in fact show us all just how probable this is on select targets. It should also show just how much work it takes to perform one of these. It should also show us all how segmented the systems are and how hard it would be to have an apocalypse event à la “Lights Out” happen anywhere in the world, never mind America. The fact that the power was restored fairly quickly, even though the attackers had tried to keep it down for longer, shows that the systems are also resilient enough and manual enough to keep the lights on. It’s not all cyber, and nor should it ever be.

What should be surprising if not galling is that the pre-attack work carried out by the adversaries (*cough Russia cough*) was easily successful and allowed the teams to recon the facilities, gain further access, and launch the attack in the end without ever being detected and perhaps stopped. Why was this the case? Because this company, even with “robust firewalls”, was not doing the due diligence of watching its network and did not have a SOC (Security Operations Center) that could monitor the traffic to determine bad actors within. What should worry you even more is that, from talking to insiders in the power industry and from personal experience, these people were much better at security than the majority of the companies out there today, including many in the US.


At the end of the day some of this is interesting but the majority of this attack is pedestrian in the grander scheme. This was a soft target and it was more than likely that it was Russia, a nation state at either the behest of Putin or Putin at the behest of his oligarch pals that did this. This is to say that any reasonably monied group could hire hacker teams to do the same anywhere else. This was a big fuck you to the power company and to Ukraine. It had thinly veiled Russian connection(s) and it has yet to be seen what if any response this will garner from Ukraine and the companies involved who may or may not be seeking to diversify their power generation and transmission.

There will be games…


So what happened in this attack?

  • The adversary foot-printed the power company and went after the weak points (users in the network) with phishing emails
  • The phish consisted of macro-based Word documents (VBA) that connected to C2 and pulled down modules to further compromise the networks
  • The adversary then mapped the network and performed recon
  • The adversary gained access to VPNs as well, to remotely connect to ICS systems that lacked 2FA
  • The adversary planned their attack and set the stage to not only shut down the power but also to DoS the call center in an effort to muddy the waters and extend the attack
  • The adversary launched the attack
    • They took down the power systems by controlling systems with stolen creds (RDP)
    • They overwrote firmware with garbage to prevent the attack from being thwarted and to cause a longer outage
    • They DoSed the phone system (call center)
    • They ran KillDisk on systems to make it harder to come back up
    • Basically they tried a fire sale, but they failed because of manual systems

While this attack was effective and is a cautionary tale, once again, this is not an extinction level event here. It was well planned and it went off pretty well but remember that the target made it easy and I am afraid that that is the state of affairs everywhere today. So that should be something for you to mull over as you think about this attack.

My Own Recon:

I wanted to know just how easy a target the “Прикарпаттяобленерго” systems were, or should I say are? I went out and did some recon of my own with some tools to see, and I was not surprised by the results. For the most part this company shared a lot of information through metadata and an open network infrastructure. I did not attempt to run any other kind of vulnerability scan, but you can see from the data below that it would be easy enough to profile the company, their security posture, and their network just from tools like Foca.

Screenshot from 2016-03-04 15:41:38: Users and naming conventions


Screenshot from 2016-03-05 06:51:17: System types and vulnerabilities


Screenshot from 2016-03-05 06:35:22: 186 documents downloaded via Google with metadata


Screenshot from 2016-03-05 06:34:28: Users


Screenshot from 2016-03-05 06:34:09: File structure and folders

Screenshot from 2016-03-05 06:33:42: Email addresses

Screenshot from 2016-03-05 06:33:33: Systems by OS (note XP)


Just by using Foca I was able to really get an idea of what they had in the network and how I would formulate an attack to get inside and map things out some more. This type of information is not uncommon to find on the internet, and frankly I could have homed in more by using things like LinkedIn and VK to search people and work the OSINT. Let’s just say that this was an easy target and they were unaware of the OSINT they were just giving up by placing all this stuff online.


I also downloaded reports from numerous sources out there trying to get market share by putting together these PDFs on the malware and C2s used in the attacks. Once again, really nothing new here kids. Sure they re-packed the malware to have new hashes that would not be easily detected, but for the most part nothing novel here. They phished people with common Word and Excel files that we all get in our daily lives in the corporate security world. Honestly these attacks could be mitigated by just taking admin away from the users and not allowing them to run macros when asked to in broken English (or Russian), but hey, who does that kind of security today huh?
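The attack chain above starts with macro-bearing Office attachments, and the paragraph above argues that refusing to run macros would have cut it off. The check below is an added example for this post (not code from the original, and not tied to the samples listed further down): it looks inside the OOXML zip container for a VBA project rather than trusting the file extension, so a `.docx` with a `vbaProject.bin` stuffed in it gets flagged just like a `.docm`. The sample documents it builds are constructed in-memory stand-ins, and the verdict strings are hypothetical names for a mail-gateway policy.

```python
"""Flag Office attachments that carry a VBA macro project (added example).

Works on the OOXML (zip) container: any part named vbaProject.bin, or a
macro-enabled content type declared in [Content_Types].xml, means VBA is
present no matter what extension the sender chose.
"""
import io
import os
import zipfile

VBA_PART = "vbaProject.bin"
# Content types that only appear in macro-enabled OOXML documents.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
)
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm")
# Magic bytes of a legacy OLE compound file (.doc/.xls), which is not a zip.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_ooxml(data: bytes) -> dict:
    """Return what the container reveals: is_ooxml, has_vba_part,
    declares_macro_type, suspicious. Operates on bytes so it can run on an
    attachment held in memory."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_macro_type": False, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    if not result["is_ooxml"]:
        return result
    result["has_vba_part"] = any(
        n == VBA_PART or n.endswith("/" + VBA_PART) for n in names)
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declares_macro_type"] = any(t in ctypes for t in MACRO_CONTENT_TYPES)
    result["suspicious"] = result["has_vba_part"] or result["declares_macro_type"]
    return result


def triage(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) for one attachment. Verdict names are
    hypothetical policy labels for this example."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office: this zip-based check cannot see inside it,
        # so route it to a VBA-aware OLE parser instead of guessing.
        return ("REVIEW_LEGACY_OLE", "legacy OLE container, needs a VBA-aware parser")
    info = inspect_ooxml(data)
    if not info["is_ooxml"]:
        return ("NOT_OFFICE_OOXML", "no [Content_Types].xml, not an OOXML document")
    if info["suspicious"]:
        ext = os.path.splitext(filename.lower())[1]
        if ext not in MACRO_EXTENSIONS:
            return ("BLOCK", f"VBA project inside a '{ext or 'extensionless'}' file: "
                             "extension does not match content")
        return ("BLOCK", "macro-enabled document from external sender")
    return ("ALLOW", "no VBA project present")


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word container for demonstration (not a real
    document and not a malware sample)."""
    plain_type = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
    macro_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" '
              f'ContentType="{macro_type if with_macro else plain_type}"/>')
    if with_macro:
        ctypes += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/" + VBA_PART, b"CONSTRUCTED-VBA-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 16)):
        print(name, triage(name, blob))
```

The gateway-side point is that the decision is made on content, not on the extension or the sender's story; the legacy OLE case is deliberately handed off rather than waved through, because the zip check has nothing to say about it.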

FileHash-SHA1     c7e919622d6d8ea2491ed392a0f8457e4483eae9
FileHash-SHA1     a427b264c1bd2712d1178912753bac051a7a2f6c
FileHash-SHA1     166d71c63d0eb609c4f77499112965db7d9a51bb
FileHash-SHA1     be319672a87d0dd1f055ad1221b6ffd8c226a6e2
FileHash-SHA1     502bd7662a553397bbdcfa27b585d740a20c49fc
FileHash-SHA1     f3e41eb94c4d72a98cd743bbb02d248f510ad925
FileHash-SHA1     b05e577e002c510e7ab11b996a1cd8fe8fdada0c
FileHash-SHA1     069163e1fb606c6178e23066e0ac7b7f0e18506b
FileHash-SHA1     e5a2204f085c07250da07d71cb4e48769328d7dc
FileHash-SHA1     20901cc767055f29ca3b676550164a66f85e2a42
FileHash-SHA1     84248bc0ac1f2f42a41cfffa70b21b347ddc70e9
FileHash-SHA1     16f44fac7e8bc94eccd7ad9692e6665ef540eec4
FileHash-SHA1     4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c
FileHash-SHA1     1cbe4e22b034ee8ea8567e3f8eb9426b30d4affe
FileHash-SHA1     1a716bf5532c13fa0dc407d00acdc4a457fa87cd
FileHash-SHA1     4bc2bbd1809c8b66eecd7c28ac319b948577de7b
FileHash-SHA1     2c1260fd5ceaef3b5cb11d702edc4cdd1610c2ed
FileHash-SHA1     e40f0d402fdcba6dd7467c1366d040b02a44628c
FileHash-SHA1     a9aca6f541555619159640d3ebc570cdcdce0a0d
FileHash-SHA1     bd87cf5b66e36506f1d6774fd40c2c92a196e278
FileHash-SHA1     e1c2b28e6a35aeadb508c60a9d09ab7b1041afb8
FileHash-SHA1     1a86f7ef10849da7d36ca27d0c9b1d686768e177
FileHash-SHA1     2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1
FileHash-SHA1     6d6ba221da5b1ae1e910bbeaa07bd44aff26a7c0
FileHash-SHA1     72d0b326410e1d0705281fde83cb7c33c67bc8ca
FileHash-SHA1     cd07036416b3a344a34f4571ce6a1df3cbb5783f
FileHash-SHA1     896fcacff6310bbe5335677e99e4c3d370f73d96
FileHash-SHA1     672f5f332a6303080d807200a7f258c8155c54af
FileHash-SHA1     aa67ca4fb712374f5301d1d2bab0ac66107a4df1
FileHash-SHA1     0b4be96ada3b54453bd37130087618ea90168d72
FileHash-SHA1     d91e6bb091551e773b3933be5985f91711d6ac3b
FileHash-SHA1     8ad6f88c5813c2b4cd7abab1d6c056d95d6ac569

You all can comb through the C2s and the PE files yourselves. It’s pretty common and certainly is not on par with Stuxnet. It did however do the job, and once again I have to remind you that this shit should not really work in a properly secured environment with awareness for employees and some semblance of a SOC and some HIDS/NIDS, right? I mean the C2s are well known for being dirty, so they should have been caught or blocked already. Take a look at the C2s in the Netherlands and elsewhere and they have quite the bad history. Once again, this adversary did not have to work that hard.
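For anyone who wants to actually sweep a file share against the `FileHash-SHA1` list above, here is an added example (not the post's own tooling): it parses that feed format, drops malformed lines, hashes every file under a directory in streaming fashion and reports matches. The feed excerpt embedded below reuses three of the digests from the list; the files it scans, and the one "positive" it adds to the set so a hit can be shown, are constructed on the spot and are not malware.

```python
"""Sweep a directory tree against a FileHash-* IOC feed (added example)."""
import hashlib
import os
import re
import tempfile

# One line per indicator: "FileHash-<ALGO>   <hex digest>", as in the post.
IOC_LINE = re.compile(r"^\s*FileHash-(SHA1|SHA256|MD5)\s+([0-9A-Fa-f]+)\s*$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Constructed excerpt: three SHA1s from the post plus two junk lines that a
# sloppy copy-paste would leave behind, to show they are rejected.
IOC_FEED = """\
FileHash-SHA1     c7e919622d6d8ea2491ed392a0f8457e4483eae9
FileHash-SHA1     a427b264c1bd2712d1178912753bac051a7a2f6c
FileHash-SHA1     166d71c63d0eb609c4f77499112965db7d9a51bb
FileHash-SHA1     not-a-hash
# trailing comment line from the report
"""


def parse_iocs(text: str) -> dict:
    """Return {algo: set(lowercase hex digests)}, skipping malformed lines
    and digests of the wrong length for their algorithm."""
    out = {algo: set() for algo in EXPECTED_LEN}
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue
        algo, digest = m.group(1).upper(), m.group(2).lower()
        if len(digest) != EXPECTED_LEN[algo]:
            continue
        out[algo].add(digest)
    return out


def hash_file(path: str, algo: str) -> str:
    """Stream the file through hashlib so large PE files do not need to fit
    in memory."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: dict) -> list:
    """Return [(path, algo, digest)] for every file whose digest is in the
    feed. Only algorithms that actually have indicators are computed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for algo, digests in iocs.items():
                if not digests:
                    continue
                digest = hash_file(path, algo)
                if digest in digests:
                    hits.append((path, algo, digest))
    return hits


def demo() -> list:
    """Build a throwaway tree with one benign file and one constructed
    'sample', register the sample's own digest as a constructed positive,
    and return the hits as (basename, algo)."""
    iocs = parse_iocs(IOC_FEED)
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "report.pdf")
        sample = os.path.join(tmp, "invoice.docm")
        with open(benign, "wb") as f:
            f.write(b"%PDF-1.4 constructed benign content")
        with open(sample, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE, NOT MALWARE")
        iocs["SHA1"].add(hash_file(sample, "SHA1"))  # constructed positive
        return [(os.path.basename(p), algo) for p, algo, _ in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    print(parse_iocs(IOC_FEED))
    print(demo())
```

Hash matching is the cheapest check you can run, and the post's own point about re-packed samples applies: a new pack means a new hash, so treat a clean sweep as "none of these exact files" rather than "no infection".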


Now on to the big “attribution” game that everyone likes to play. I looked at the C2s and at the data around them with a jaundiced eye. It is clear that whoever did this had some money for teams of people to do the work, but maybe they got the access from spammers/phishers already out there who sold the access to start. It became clear though that two of the C2 addresses had quite the past with romance scams and pharma schemes online over the years.

Screenshot from 2016-03-04 15:10:04: Eugene and Andrey (both pseudonyms) registered sites out of the UK


Screenshot from 2016-03-04 15:36:41: Romance scammer emails found used circa 2012


Screenshot from 2016-03-04 09:41:39: All the pharma attached to Eugene


Screenshot from 2016-03-04 09:37:31: Eugene’s addresses all point back to a brownstone in the UK


Screenshot from 2016-03-04 09:27:13: Malware reported by drive-by at C2 address


Screenshot from 2016-03-04 09:07:55: A poor bastard being targeted in the romance scam on VK

I will say that all of the backstop data seems to imply a Russian connection, and if you look at the politics of the region as well as the fact that the Oligarchs and Pooty are in charge, it is not hard to draw the conclusion. It is a conclusion though and not proof in any way. So, this attack likely was Russia, but no one, let me repeat, no one, can tell you for sure. I am sure that during RSA week last week many a vendor was trying to make a sale with sure-fire attribution that it was Russia SO BUY MY PRODUCT!

No.. Just no.

What Have We Learned?

What have we learned? Well, I learned that this is nothing new, nothing spectacular, and nothing really to write home about. I know that I could probably hire someone like Nickerson and his team to do the same thing to a like target so really this could be nation state or it could be some person with money or a grudge. What you all learn from this depends on the level of investigation and thought you put into it. As many of my readers are in the business, you are likely coming up with much the same assessment as I have. This was bad but it was bad because the security was lacking at the facilities. A soft target is a soft target so really this should not be some hyped up story for a new Kim Zetter novella.

Here’s what you really should learn from this:

  • Generally today infrastructure security sucks
  • An all-out fire sale like you saw in Die Hard is not likely because of manual systems still in place and segmentation
  • You should have a backup plan for power just like you should if you live in an area that gets snow and ice that knocks out power

Everyone seems to be all worked up about cyber war, and frankly the gleam in too many people’s eyes makes me kind of sick. Lately I have been mulling over in my head the fact that no matter the technology, humans always seek to weaponize it or use it against one another, and that just sucks. We are our own worst enemies because we create this stuff insecurely, we manage it insecurely and we leverage it against one another for personal, political, or monetary gain. In short: “This is why we can’t have anything nice.”


Written by Krypt3ia

2016/03/05 at 22:12