Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Author Archive

WANNACRY: PATIENT ZERO AND MALWARE EPIDEMIOLOGY

leave a comment »

Continuing on the hot topic of the month I had some thoughts about WannaCry’s infection vector and heat maps that I have been seeing all over the place. I wanted to see who patient zero may be and having played many a game of Pandemic, I thought maybe this approach might yield something of use. In looking online I found only two heat maps that give a timeline that shows what may be patient zero’s location(s) but in doing this research I cam to the conclusion that this may be impossible without the help of all of the AV vendors out there. When trying to ascertain who may be patient and country zero for this malware it becomes apparent that you have to rely on various vendors who may or may not have seen the malware with their products. So far I have Malwarebytes timeline and Symantec. Now, given that Symantec has a larger market share I will go with them for the base assessment of patient zero on Wannacry but if the other vendors want to kick on and give a timeline for each of their products seeing infections I would welcome the data.

Since Wannacry traversed the net via SMB attacks (ETERNALBLUE and DOUBLE PULSAR) it may be possible to see just who was infected first and just maybe, get a lock on where that SMB connection came from. This might help the investigations into who did this at least nominally because one would assume the adversary used a proxy box or some other obfuscation to launch the initial attack… Unless, they are inept n00bs that is, so maybe something could come of this line of investigation. Anyway, the best timeline(s) I saw were Malwarebytes and Symantec as I said above. Here are the findings of those two companies telemetry;

Malwarebytes has the first infection in Russia.

Symantec see’s the first infection vector in Thailand.

Which is correct? Are either of them right? I am not able to be sure but, given at least the market share of Symantec both legally and illegally, I would be looking to Thailand as the potential patient zero here. Now, in talking to people on Twitter about this someone (@Tinkersec) notes that there is IP space in Thailand that starts with 1.0.128.0-1.0.255.255 1.1.128.0-1.1.255.255 so there is the possibility according to his theory, that a scripted scan looking for 445 open on the internet could have just hit on those addresses because the script started scanning at say 1.1.1.1 (or 0.0.0.0) to 255.255.255.255 which I can grok. Either way, if Thailand was patient Zero, and that IP space for Thailand Chiang Rai Tot Public Company Limited, an telco in Thailand.

This line of thought is quite possible and I like it (thanks Tink!) it would explain the rando Thailand hit as the first infections started to show up. Now, how though would this work if not for some scripted mass-scan? Well, someone would either have to be phished on a very small targeted scale to start this or the malware was physically implanted in a network and set free. So far I am not seeing too much talk about how this thing all started so I would like to put all this out there as a possible explanation as to the how. I am not aiming at the who because right now it is a festival of attribution out there and my opinion of that is low. The how is more important and in fact could lead to the who if the gumshoe work is done properly.

Still, I would like more data… Anyone from said AV vendors care to speak up?

K.

EDIT: Someone just mentioned passive DNS too on the killswitch site. Say, anyone in the DNS world wanna stop talking about Trumps servers and weigh in on Wannacry telemetry?

Written by Krypt3ia

2017/05/24 at 12:48

Posted in EPIDEMIOLOGY, Malware

ATTRIBUTION GAMES: LAZARUS, SHADOWBROKERS, BLOFELD.

with one comment

The Game:

I figured since everyone else is playing the ATTRIBUTION GAMES over Wannacrypt0r that I would get in on the action and give it my own personal spin. The big difference here is that I am not selling any of you anything so if you read this post it is all about not buying my shiny new machine learning, next gen machine that goes PING! Nope, I just thought I would put a few words down to stop the insanity so to speak that I already see in the eyes of those $VENDOR’s out there about to hit SEND on their latest salvo of shenanigans concerning the Wannacry event of last week.

That’s right, I am already calling shenanigans!

Right so this game here is a red team on the idea that Wannacry was either an APT Nation State actor (either LAZ or SHADOW) or a criminal gang who will be represented by Ernst Stavro Blofeld. Once this is all said and done I hope that some sanity will ensue and more to the point, some elaborate death will be planned out, set into motion, and then foiled by James Bond…

Wait… what?

Let’s begin… DOMINATION OF THE WORLD….. Let’s just list the indicators and possible motivations all kinds of bulletized shall we?

THE LAZARUS GROUP (UNIT 180):

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 180 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

SHADOWBROKERS (GRU):

  • SHADOWBROKERS made no money on their auction and posted a long pissy diatribe about it after the incident reached critical media frenzy
  • SHADOWBROKERS had the code already and then needed to CRIB some of the ETERNALBLUE/FUZZBUNCH NSA code ganked from RiskSense because they lack the ability to make the shit work themselves… Which they then re-coded in C…  Huh?
  • SHADOWBROKERS want to just sow mayhem with WANNACRY and continue the massive schadenfreude that the NSA is feeling from their theft (*cough MOLE HUNT cough*) but once again, they had to STEAL that code snippet to make it work… Or, is that just another poke at the US? A diversion? A red herring so to speak? Hmmmm….
  • SHADOWBROKERS re-used or re-purposed old malware WANNACRYPT0R and threw in some code snippets from LAZARUS GROUP TTP’s to muddy the waters and have EVERYONE pointing their collective fingers at the Hermit Nation because WHY THE FUCK NOT HUH!? This would sow more FUD and gee, isn’t that the playbook chapter like 3 in ACTIVE MEASURES komrade?

ERNST STAVRO BLOFELD:

  • ERNST has a well known volcano lair and upkeep is rather steep in this global market so ransomware is the way to go baby!
  • ERNST is a Devil may care kind of guy and wants to sprinkle clues for both RUSSIAN and DPRK actors here to cause all kinds of mayhem while he sits and strokes his cat while the bitcoins amass.
  • ERNST is a gangster and his coders, well, sometimes they suck so they stole the ETERNALBLUE snippets but then they couldn’t make that work UNTIL they coded it all in C so.. yeah..
  • ERNST is a nihilist at heart so he just slapped this shit together and then made sure that there was a killswitch in there as a safety valve, I mean, look at how many times he tried to kill Bond but always missed by that much!

Well there you have it. I have gamed it all out for you. Who do you think dunnit? If you look at all of these players and their motivations along with the superior threat intel evidence we have out there that the attribution firms are selling…

OBVIOUSLY IT’S ALL OF THEM! THEY ARE WORKING TOGETHER PEOPLE! IT’S THE NEW SPECTRE! CAN’T YOU ALL SEE THAT WITH THE PLETHORA OF EVIDENCE WE HAVE! COME ON!

*breathe…..**

Ok ok ok… See what I did there? I am making a point with humor.

IT DOESN’T FUCKING MATTER WHO DID IT!

PATCH YOUR SHIT.

DO THE THINGS.

STOP.

Dr. K.

Written by Krypt3ia

2017/05/23 at 20:04

Posted in ATTRIBUTION, Cyber

WannaCrypt0r Roundup

leave a comment »

So last weekend and this week have been fun times in INFOSEC am I right or am I right? When Wannacry started making the rounds on Twitter I knew pretty much then and there I just likely lost my weekend to the derp of yet another ransomware distro. Luckily for me though, I forced my org to “do the things” on patching etc where the Shadowbrokers dump was concerned. So at the end of the day we came through the weekend unscathed by WannaCry yay me! However, in looking at the Twitter feed and Hyrbid/VT pages I began to worry that soon enough this malware would come at us all not just by worming through the net but also from phish waves. Today was the first day I have seen someone trying to at least possibly send a phish wave using a popped box in Egypt with the WannaCry.exe for download so hang on kids, you may well be seeing this as well and if you have not patched your shit and have old 2003/Xp your days may get to be like the end times that others around the globe have had since last Friday.

In the meantime though, I began looking at all the malware C2’s and exploits and notice a couple things. First off I kept seeing two IP addresses tied to the IPC$ in the binary/memory of the malware. I began to look for these addresses and while I surmised the 192.168 address was a off the shelf home router, the other maybe was something else. After some searches I came to the conclusion that this was another non routable address but that it may belong to an org or another off the shelf router of some kind.

With a little more looking I had thought that I had come up with the answer. It was some default IP scheme for a GSM gateway or some internal network somewhere in the world like China (found an F-5 with that scheme) but then I hit upon one last hit that suddenly appeared from a blog post by ZeroSum0X0. The post on Github was 6 days ago and that places it before the malware started to make the rounds. One day before the malware started burning through NHS I think if the reports are right from the news. Now this really has piqued my interest because if this IP and system belong to the blog poster or who they work with, then maybe the exploit was cribbed by the malware cabal to use EternalBlue. The poster (ZeroSum) seems to work for Rapid7 and Rapid7 was working on deploying the code for EternalBlue for Metasploit.

I reached out to ZeroSum on Twitter but nothing back so far. Coincidentally the code for the EternalBlue exploit was deployed this afternoon (as of this writing about an hour ago) to Metasploit. Now, the question I have is about this IP/System call that is in all the malware out there. Was this IP/system in the original binary that was pulled apart by ZeroSum from EternalBlue or was this an internal system that was being used to make the code work in some way? That it is directly in the post and that is a day before the great conflagration, I have to wonder. I would love for someone at R7 or Zero to let me know what the deal is with this. I mean, did someone steal the exploit code from you guys and deploy it after you got it working or, was this in the binary already? This is kind of a keystone to many questions concerning who may have created and deployed this malware as I see it.

The argument goes like this….

  1. The WannaCry campaign was carried out by criminals looking to score big money
  2. The WannaCry campaign was carried out by nation state actors (Lazarus Group/DPRK? Russia?)
  • Well, if it was just a criminal gang then did they reverse the binary and make this thing work? If they did then is that an internal IP that they used and forgot to sanitize from the code?
  • Well, if the nation state actors who potentially stole the exploits in the first place had to steal the actual working exploit from R7 then just how good are these guys anyway? It seems that there have been some other mistakes in coding as well that lead to snafoo’s with the bitcoin wallets as well so…

You see where I am going with this right?

Now, I had said from the beginning that this attack did not feel like it was about the money and the low numbers in the wallets kind of bears that out in my mind. However, there are some inconsistencies here and that IP/System in there makes me wonder some more especially when I see the same string in the code tied to R7’s work that was released today. If the code did in fact get cribbed from ZeroSum and by proxy R7 that does not bode well in the PR department for companies that do this kind of work (metasploit etc pentest tool vendors and creators) does it? It is kind of akin to leaving that hand grenade in front of the toddler right?

So, if R7/ZeroSum could respond to this little factoid it would be great. All of this also may bear some significance on the attempts at attribution that are flying about the news and Twittersphere right now where this attack is concerned. Frankly this all could have been much much worse had the coders thought to make domains that could not possibly be on the internet as kill switches. Kinda like this one I think (see below) that has been making the rounds in Hybrid and VT.

No kill switch and no way to sinkhole it would be a lot more devastating right? Of course the whole thing about the killswitch being there in the first place has a lot of people wondering. Then, there is the whole shadowbrokers foolery with the post last night they made. They are now claiming to have much more and will parse it all out in coming months…

Interesting times…

Ok.. Off to the deck for sun.

K.

UPDATE!

Well, I made some connections and had a chance to DM with someone from R7. For the record ZeroSum does not work for R7 he works for another company but is a contributor to Metasploit. R7 as of yesterday was trying to get a hold of ZeroSum to ask how that IP with IPC$ got in there and where it came from in the first place. As of this writing I have not heard back from them.

Tuesday when I posted this I connected with ZeroSum and he said someone else would email me….

I have no email.

In the interim the page that I located the IPC$ code snippet is no longer there. The page has been redacted. It also turns out that Malware Unicorn made a comment about the malware seeming to have been using Metasploit framework code for deployment of the exploit (DoublePulsar) and has since redacted that page as well…

Screenshot from 2017-05-18 16-00-52

So here’s my thing… Was the code snippet taken before the malware was launched and kluged into the wannacry malware to make it work? Was that code taken from the Zerosum git page on the day before or before that and then implemented by the wannacry authors? This would seem to be something logical given the hints I have seen with regard to that IPC$ and non route-able IP address. Was this an IP inside the networks where this code was being tested and perfected?

In essence, did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild?

I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief. No one is saying much of anything other than R7 saying they are looking into it (which I know they are in reality) so I believe them.

So, it’s either this code and the telemetry from it were in an original sample of the malware that maybe ZeroSum had BEFORE the outbreak and was reversing to use to make the git posts and get the metasploit deployment working or this code maybe was cribbed by the malware creators and used to global effect.

Which is it?

Of course all of this also paints a new picture on attribution right? If LAZARUS is the culprit (a theory I do not ascribe to) then why  would they hang around this git to grab code? These guys should have had the time to fully reverse this stuff and make it workable for them. It is my opinion either there is EPIC obfuscation going on here to make it look as though it is LAZARUS or that LAZARUS is deliberately trying to look inept and throw investigators off the trail. This information though, if true and can be verified might lead to some more breadcrumbs.

I look forward to some more light on this.

K.

UPDATE II: Response from RiskSense

Response:

The Metasploit module for the EternalBlue vulnerability was developed by community contributors, zerosum0x0 and JennaMagius, security researchers at RiskSense, a provider of pro-active cyber risk management solutions. The module was developed to enable security professionals to test their organization’s vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the video from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

Here’s a summary of context and the technical details:

–          On April 27th, JennaMagius created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. That recording was subsequently posted at https://github.com/rapid7/metasploit-framework/issues/8269#issuecomment-297862571. The recording included an IP that was used as a lab target of the original exploits.

–          Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using “2048” for the tree and user IDs, and the server has no idea what the client is talking about.

–          On April 30th, JennaMagius published a script that slightly enhanced that replay by substituting in the server provided TreeIDs and UserIDs. This code was subsequently posted at https://github.com/RiskSense-Ops/MS17-010/commit/9ddfe7e79256a9d386f0b488c38f5048a2dfd083

–          Zerosum0x0x’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.

 

Written by Krypt3ia

2017/05/16 at 18:23

Posted in Malware

Blackberry Forward of Emails and Excuses for Firing the FBI Director

leave a comment »

Given the events yesterday I am feeling like unburdening a little bit on the subject of the emails being forwarded by Huma Abedeen to the laptop at home in the custody of Anthony (Carlos Danger) Weiner. One of the reasons for Comey’s firing ostensibly was about his mis-statements over the emails being sent to the Weiner laptop that he opened the can of worms on and helped lose the election for Hillary (not the only reason people!) as they say. The fact of the matter is now everyone is saying that Huma’s emails were auto backed up and that the term “sending” them is a misnomer in a way because the then director had said she was forwarding them for printing out by Anthony or her at home. Let me stop you all right there and say there is no difference. The intent of forwarding the emails or backing them up to an email address accessed by or directed to that personal laptop is the key here. Someone had to set that up right? It was something that did not evolve by itself and just came into being!

The issue here is the semantics of language and perhaps comprehension of how things work in the cyber. Comey made a mistake in wording but the basis of the argument stands. Why was she forwarding or backing up all data to that laptop or account outside of the government systems appropriate for this series of email? This is the question you all should be asking and once again it was against protocol and yes there were emails in there that later were deemed to contain classified information. This makes it an issue and it was something that needed to be looked at. Now, as to how it was announced, well that is a judgement call on the part of the director and perhaps a bad one. I honestly listened to his testimony and saw both sides of the issue as well and there was no good answer here.

Now though the director has been fired in a most unceremonious way and all of this smells bad with regard to the RussiaGate investigation and abuse of power. Let’s not allow Trump to skew this one thing amongst all the others into a reason for his firing a direct threat to his presidency. The real truth is that Huma was sending email to a non secure site/system and that was the crux of the issue. Director Comey’s description of this incident has little do to in my opinion with his summary dismissal of the director.

K.

Written by Krypt3ia

2017/05/10 at 13:05

Posted in .gov, FUCKERY

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

The Darknet As Medium for Proof of Life K&R Deals AKA OpFOQ

leave a comment »

Last week someone pointed out a story about how the Qatari government or relatives of some Qatari’s that had been kidnapped on a falcon hunt had started a darknet site and a fund in bitcoins for information on their whereabouts and return. This story intrigued me so I went looking for the site and someone on Twitter kindly pointed to it and the twitter feed with the address. I went to the site and took a look at it and then started looking at the larger picture of who the Qatari’s hired to do this as well. What follows are my thoughts on using a darknet site like this for proof of life and or transactions like this as well as the company that the Qatari’s turned to to do it for them. Of note is that this attempt was closed down as soon as the story came out in the press so that is an added twist but given the things I have seen it makes total sense why a little light on the subject would make the “company” hired by Qatar to close shop and run away.

Qatari’s abducted falconing

Global Strategies Council Inc:

As reports online had mentioned, the “company”  Global Strategies Council, was given 2 million dollars up front for work attempting to get proof of life for the abducted falconers. I decided to look further than the reporters (at least as much as they reported) and found some interesting things concerning this alleged company and the person(s) involved in it. First off, the company is so stealth that you have to really dig a fair bit to get to the guts of what it is. Even then, you really do not get much detail on who is in the company, who works there, and what it does exactly. The hinge seems to be on this “shoe salesman” or “Shoe Mogul” if you will, Miltos Goudamanis and no, it is not Militas as you see in the reports in the news. His real name is Miltos and he has a rather obscure past, unless you just go with the shoe angle.

Miltos is evidently the international sales guy for “Naughty Monkey” shoes, a crappy ass site that sells shoes and poorly for a number of years attached to Cyprus. Now, one lately hear Cyprus and think first off of money laundering and banks and so did I. I checked the Panama papers and he is not in there but generally everything is pretty sketch around this guy. Naughty Monkey is the most solid hit for this guy that you can backtrace, so now one has to ask how does the Greek Al Bundy get to the point of dealing with international terrorists and asking for an advance of 2 million dollars to set up darknet sites eh? That question kept ringing in my ears as I dug deeper into the inception zone.

If you look at all the data above in the screen shots you can see that this guy has no real experience with military or national affairs so how does he suddenly become a director or chair at this Global think tank? Furthermore how does a guy who makes less than 10G’s a year is getting a net of 499k?

Blink blink…

SHOES MUST BE SELLING LIKE NO TOMORROW!

This is starting to smell like some rotting carcass in the San Diego sun….

So yeahhhh, this “company” this think tank specializing in… In what? Well, fuckall really, is being run out of this condo it seems in San Diego according to all the records I could find. In fact the phone number to the place also matches with a land line for the area. Not one thing about this company says it has offices in Washington DC at all. Even though their site makes all kinds of DC imagery and allusions to connections therein… Obliquely that is.

Saaaaaaaayyyyyyyy.. is that office condo space zoned for this kind of fuckery?

Looking at their site you have to just ask yourself after reading it all; “Is this Enron?” because they seemed not able to tell you exactly what they did either and look what happened there huh? There are no employees, no experts listed on their rolls and certainly very little on Miltos as to his history or education for these kinds of things. If I were the Qatari’s I would be asking the guy who hooked this all up what cut of that two million he got. I am just gonna lay it out here in plain language;

  1. Company site is poorly made and has no real data
  2. No employees
  3. No history
  4. Two million up front and we get proof of life!
  5. PROFIT!

This all screams scam and when the whole operation was shut down I think we all got the same feeling about it huh? How are the Qatari families feeling about this? Is this guy just an opportunist shoe hawker or is there more? So far as I can tell this guy has been trying for years to get USGOV work and hasn’t been able to land anything. So a little grift for a cool two million and a cheap darknet site/twitter account is easy peezy.

About that darknet site….

Darknet Site:

The idea behind this site was to allow the hostage takers a medium to connect with the alleged “middle man” Miltos, to get in touch as well as maybe open source this thing so that anyone with information could leave a tip. Now, on the face of it this may be something of use if you keep it really down low and release that information only to the hostage takers right? I mean you leave this on the darknet and then publish it in the paper you are only gonna get trolls right?

I went to the site and checked it out. It was a clone of the global leaks site (using their frame) and you could create an ID and drop information there. You could log back in and see what responses came from Miltos and his crew but when I looked there were no other info drops that I could see. I signed up and got a number just to see how it would work.

Basically this was ill thought out and deployed so once again I think fly by night and not really meant to gather real intel on the status of the poor Qatari’s who have been jacked. Of course, it is now all shut down according to the Twitter account for the “Op” so so much for gathering information of proof of life for the families of those Qatari’s huh? I will keep an eye on the site to see when it comes down but generally I suspect it will just sit there on some rented space littering the darknet for years.

Thoughts on Darknet as Medium for Ransom:

Aside from thinking that this whole thing was just a grift by this guy Militos and his wife, the notion of using a site in the darknet as a means of proof of life is iffy at best. I should think that the terrorists or whoever that took these people is not surfing the darknet in the first place and would just as easily pick up a sat-phone or regular phone and call the Qatari government with their demands. These arcane measures just isn’t their shtick man.

For that matter just use a cutout gmail account and PGP huh? What the fuck! This whole debacle is just an exercise in how to pull off a short con on a lot of families looking for answers about their lost loved ones. If I were Qatar, I would be asking this Ali Hani about his connections to this Greek guy in San Diego tootsuite man. I am sure the money is spent already anyway…

Oh and as for the hacker angle of “OOOH SCARY HACKERS IN THE DARKNET MAKE SITE” cut the shit media! Anyone with half a brain can stand up a site in the darknet so cut it the fuck out. There was nothing spectacular here other than the lede that looked good for clickbait.

Now.. About those lost Qatari’s….

K.

Written by Krypt3ia

2017/04/17 at 17:09

Posted in DARKNET

Black Edge on the Darknet?

leave a comment »

Black Edge

I was trawling the darknet as you all know I like to do and came across a site I had seen once before and bookmarked but never got back to. The site http://b34xhb2kjf3nbuyk.onion “The Stock Insiders” is a php site that claims to be an insider trading site seeking users who will provide insider information for the collective to profit from. Now I will admit that I have been watching Billions and I am also reading “Black Edge” so this site finally struck a chord with me and I decided to mirror it and take a look inside. The following post is the sum total of what I found and some thoughts on the idea in the first place. …I am sure you all will be amused.

The Idea:

Right, well the darknet is supposed to be super secret and encrypted if you believe all of the reporters out there who cover it with conspiratorially raised brows. It only stands to reason that some enterprising joker would go and set up a site like this to trade in illegal insider information yes? Well obviously yes because here it is! As you can see from the screenshot above they are making no bones about it, they want to have players here who can provide solid insider information so as to make trades illegally and make oodles of money! Of course there are problems with that idea and I will be going into those here. Sure they make caveats about the legalities but they also claim that the server is not physically in the US and the whole server is “encrypted” which, ugh, come on people! Crypto is only as good as the system being shut down and the type of crypto being used.

….But I digress…

Now let’s talk about the intricacies of insider information and it’s use. You see, it is not that easy to obtain good insider information in the first place and secondly, using it has to be carried out carefully so as to not tip the SEC and other investigative bodies to your use of it to profit right? So by trying to open source this on the darknet is kinda scary in more than a few ways to my mind. I mean, who are these people? How do you vet them and their information they are passing? How do you not know you are being baited by a Fed or some moron in the first place? Then, how do you make the trades and profit without a trail and maybe even the potential for being ratted out if things go badly? I just keep coming up with all these scenarios where things go poorly from this idea. Personally, the notion of this site is half baked in my mind but hey, this could just be a honeytrap right?

Alright, let’s assume it is legit, how do you really go about this? Well, you start off by getting members and then testing them by asking for legit insider info to trade on so they will be allowed in as “full members” ya know, like becoming a made man ehhhhh? Ok, so I am say “jpompo6” (oh yeah wait till you get to the bottom of this here post!) and I want in. I have to create an account, then go through the vetting process by passing data to the “root” account (yes, I did say root!! wink wink nudge nudge!) on a sweet sweet insider stock tip and hope upon hope that I am accepted into the inner sanctum. One of two outcomes will happen:

  1. I wait, and I wait, and nothing happens.
  2. I hear back that I am a made man and HOO HA! I can then get into the inner sanctum and start reading all the juicy posts and making trades on them! WIN!

Unfortunately I had no real insider info to pass and, well, I am not an idiot so I did not go further than setting up a dummy account on this site. Instead I started looking at the site itself and gathering whatever intelligence I could to do a little OSINT on the users that I could see.

…And boy did I see things-n-stuff.

Membership Rules:

Anywho, the community has rules and those rules are listed below. I do sincerely love the first rule of INSIDER TRADING CLUB which is YOU MUST BE AN HONEST GENTLEMAN! Now that is some deep derp there kids. You are telling me that you want honest gents in this here illegal enterprise of insider trading informatics on the darknets? NO. WAY. The other rules pretty much follow the rules of Fight Club, don’t talk about Fight Club, Don’t fuck with Fight Club, yadda yadda yadda. The more I read the rules the more cognitive dissonance I have about the whole thing really. I do like the whole you have to keep reporting in new leads every 90 days in accordance with the SEC practice of 10-q reporting hahaha.

Say, is there a profit sharing plan here? How are the health benefits? Do I get a 401K here? Honestly, this whole model is good when you are in the real world and you are face to face with people you have developed a rapport with, not some shmuck who may be a Fed on the darknet kids. In reading the Black Edge book you can see how much of the intelligence is gathered on companies, usually you have paid sources or sources you do favors for quid pro quo and there is an understanding that if you fuck me you fuck yourself. The whole idea that I am just gonna take some inside info from the darknet and apply it to large trades on the market is a bit much for me to believe. Now maybe if you wanted to communicate data like this with known and trusted people in the darknet using encrypted comms maybe I would buy that but this site just seems to be to either be a honeytrap or a scam looking for suckers to put their legit inside info out there for a quick pump and dump.

But that’s just me…

OPSEC FAIL:

So yeah, you have this site out there and you promise all the super secret DARKNET black magic. You tell people that the data is secure and then you say “But.. You have to be careful” everyone is gonna take that to heart right? Well, almost everyone… Ok some people… Ok ok ok maybe one person. In the case of this site there was a “props” page that I found that listed users who they wanted to thank. For the most part the user names were innocuous enough to not go anywhere with an OSINT search regimen. However, there was one guy who seemed to not comprehend the idea of OPSEC.

The user JPOMPO6 who is listed in the thanks page seems to really not get the whole idea of not re-using online handles. This guy seems to have used his handle for everything online on this site and “root” likes him enough to give em props. A simple Google search for the ID drops a ton of hits that show this guy to might be Joe Pompo a CPA from upstate New York. Now given that the handle is exactly the same as the Twitter handle he uses and then further more that he is a CPA, well, I kinda think this is our man but I have to say for the record and for all you lawyers out there; (I Googled some shit and this MAY BE the guy, I am not saying IT IS THE GUY but JEEBUS it really does kinda all fit) so please, don’t sue me because I made a logical leap.

That this character under the handle jpompo6 is on this site does not in fact mean that they have traded insider information at all. In fact, I cannot see any postings by this user so it is not for me to say. All I can say is that a user who has the same handle as the Twitter user and that user has the name Joe Pompo exists is, well, there you have it… If this is the same guy then oops, your OPSEC sucks and the site’s admonishments were lost on you. One wonders what other OPSEC fails there must be inside the site, ya know, like using your corporate email or your one personal email as the contact for this site.

Oh my…..

Programming and Administration:

As if the OPSEC thing wasn’t bad enough, when the site was looked at from a security perspective things went from bad to worse. The site is leaking information, it was set up poorly and likely can be hacked if it hasn’t already. The mere fact that the root account is the one making all the posts here is scary as administrating php sites goes. However, when looking at the directory tree there was a lot left open. With all this hanging out I kinda really have my doubts about the security of the site don’t you? I personally would run away, change my name, and burn everything with my old name on it if I had traded anything of any import on this site kids.

So what have we learned today? Well, we learned that insider trading is best left to professionals and done in secret places other than the darknet I think. While the idea of insider trading is appealing to some, it is really going to fuck only you in the end when the feds come for you. Honestly, I think a better alternative is to just do OSINT and find data that has been accidentally leaked by companies and then make your trades, and as I understand it that is kinda grey area right? I mean no one told you the info, you did not pay for it, you happened upon it right? In the present day state of the internet there is so much information that is out there on mis-configured servers and the like that you could likely use that to day trade your way to riches right?

End of the day, stay away from these scam sites in the darknet kids… Unless federal prison appeals or being totally taken by fraudsters.

K.

PS.. Props to @chkefa for the heads up on jpompo6!

Written by Krypt3ia

2017/04/13 at 19:50

Posted in BlackEdge, DARKNET