Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Advanced Persistent Annoyance’ Category

ASSESSMENT: Operation Saffron Rose/Operation Flying Kitten


[Screenshot]

The Saffron Rose Narrative:

[Screenshot]

I think it was a slow news day at FireEye, or that they felt they needed media attention, and thus was born the “Saffron Rose” campaign report that was released Monday. The report makes the evocative implication that Iran is upping its game against other nation states, either through state actors or through hacking groups who want to be such. I frankly looked at the report and immediately began to see inconsistencies in the claim that this was nation state at all, or any more advanced than anyone with a copy of SET and some domains to use.

The more I looked into the claims and the details, the more convinced I became that my assessment was closer to the truth than the claims made by FireEye in their “Threat Intelligence” on the Ajax Security Team. The net/net of this is that these guys were nothing to write home about and that, in my opinion, this was just a marketing piece that used Iran as a hot button to garner attention for the company. I am still of that opinion even after talking to DIB players as well as the Federal government about the Ajax Team and their antics over the years up to today.

The FireEye Data:

FireEye lays out the exploit (as in an actual exploit, not the common tech vernacular, for those of you who know not English) and the C&C’s, as usual with good details on how the mechanics work. The exploit, though, is in fact modified from a stock “stealer.exe” with some obfuscation crypto and a new pass/log; it is still just an off-the-shelf known trojan that had been seen online since November 2013 if not earlier, and there will be more on this below. Overall though, FireEye makes a good attempt at nailing down the culprits but makes assumptions as to the level of expertise, going from defacement skiddies to APT actors within a year or so.

The fact of the matter is that the primary movers of the group seem to be just two main actors in this phishing campaign, and the group broke up and went their separate ways as they lacked money to keep domains and sites online. For that matter, the people who own the domains and were active in the Ajax Team previously may have nothing to do with this campaign anyway, as their domain was used without their consent. It remains to be seen just who did what, but in the end the malware is detectable by AV systems and this is not a clear and present danger to the DIB partners on the whole.

The Exploit:

[Screenshots]

The “Stealer.exe” named in the FireEye report, as well as the “IntelRS.exe”, were reported back in November of 2013 as being seen in the wild, and when I began looking at the data from Google it became clear that anyone getting this trojan may well have been able to stop it with the AV already on board. This was not overly exotic; in fact the malware is a COTS item in the community, where you can compile it as you like and use it, much like the POS software out there reported on recently.

Malware is malware, and of course you can change it a bit so the hashes no longer match what AV systems know, or you can build in other protections, but in this instance it seems that these guys did the minimal work to send out these phishing emails. What they did do, however, was create the fake aviation site and the like, which anyone now can do because it is common knowledge as far as tactics go today after all the APT discussions out there. Honestly these guys may have been looking for credentials to gain further access to pass on to their government, but I seriously doubt that they were sponsored at all in this endeavour. Is this not one of the tactics that we use in the Red Team industry? Can’t you even do it with just a copy of SET or CoreImpact? Yes.. Yes you can. So it is not advanced, nor persistent. Nor a threat really. Admittedly though, FireEye does stop at that line and makes no unequivocal statement that it is indeed nation state, so I give them that. Overall though, still nothing to write home about… Unless you are looking to garner attention for your company with the scary boogey man of Iran, that is.

UPDATE: Folks at FE are upset and saying I am wrong about this being a common tool. They cite the hashes below as not being this tool. Yes yes, it is not the same hash and it is not being seen by AV on the whole, but is this not the game here? You update the tool, or re-write and then recompile, to get past the AV? When you look at the calls in the registry you see the same variant behaviour in earlier malware from Nov/Dec 2013. So yes, it’s new malware according to the hashes, but this is not a new and exotic malware, which is my point. It’s a re-hash. While I am at this, once again here is the INTELIRS.EXE used in Nov 2013. It’s a replay. So how uncommon is it if it’s already been used?
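The point in the update above is that a fresh hash does not make a fresh tool: the registry and file behaviour is what ties a recompiled sample back to the earlier one. The following added example, which is not code from the original post, from FireEye or from the FBI BOLO, shows that gap over constructed sandbox-style records: a hash blocklist misses the rebuilt sample, while comparing registry writes, dropped files and coarse network behaviour still flags it as a variant of the earlier build and leaves an unrelated family alone. Every hash, path, tag and record here is a constructed placeholder (the “Updater” name is not the real sample), and the SampleReport shape, the equal weighting of the three facets and the 0.5 threshold are assumptions for illustration.

```python
"""Hash-only matching versus behaviour matching for malware reports.

Added example for illustration; not code from the original post, from
FireEye, or from the FBI BOLO. Every hash, path, tag and record below is
CONSTRUCTED sample input, not a real indicator.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SampleReport:
    """Sandbox-style summary of one sample (assumed shape, not a real format)."""
    name: str
    sha256: str                                     # placeholder value
    registry_writes: set[str] = field(default_factory=set)
    dropped_files: set[str] = field(default_factory=set)
    network: set[str] = field(default_factory=set)  # coarse behaviour tags


def normalise(items: set[str]) -> set[str]:
    """Case-fold and trim so a rebuild that only changes case does not hide overlap."""
    return {i.strip().lower() for i in items}


def jaccard(a: set[str], b: set[str]) -> float:
    """Overlap of two sets in [0, 1]; two empty facets count as identical."""
    a, b = normalise(a), normalise(b)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def hash_match(sample: SampleReport, blocklist: set[str]) -> bool:
    """The only question a hash-only IoC list can answer."""
    return sample.sha256.lower() in {h.lower() for h in blocklist}


def behaviour_similarity(a: SampleReport, b: SampleReport) -> float:
    """Mean Jaccard overlap across registry, file-drop and network facets."""
    facets = (
        (a.registry_writes, b.registry_writes),
        (a.dropped_files, b.dropped_files),
        (a.network, b.network),
    )
    return sum(jaccard(x, y) for x, y in facets) / len(facets)


def classify(sample: SampleReport, known: SampleReport,
             blocklist: set[str], threshold: float = 0.5) -> dict:
    """Report both verdicts side by side; the threshold is an assumed tuning value."""
    hit = hash_match(sample, blocklist)
    sim = behaviour_similarity(sample, known)
    if hit:
        verdict = "known hash"
    elif sim >= threshold:
        verdict = "likely variant"
    else:
        verdict = "no match"
    return {"hash_hit": hit, "behaviour_similarity": round(sim, 3), "verdict": verdict}


# Constructed records. "Updater" is a placeholder name, not the real sample.
EARLIER = SampleReport(
    name="earlier build (constructed)",
    sha256="00" * 31 + "01",
    registry_writes={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"HKCU\Software\Updater\cfg",
        r"HKCU\Software\Updater\log",
        r"HKCU\Software\Updater\id",
    },
    dropped_files={r"%APPDATA%\Updater\svc.exe", r"%APPDATA%\Updater\log.dat"},
    network={"http-post-credentials", "smtp-exfil", "ftp-exfil"},
)
RECOMPILED = SampleReport(               # same tool rebuilt: new hash, one renamed value
    name="recompiled build (constructed)",
    sha256="00" * 31 + "02",
    registry_writes={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"HKCU\Software\Updater\cfg",
        r"HKCU\Software\Updater\log",
        r"HKCU\Software\Updater\key",
    },
    dropped_files={r"%APPDATA%\Updater\svc.exe", r"%APPDATA%\Updater\log.dat"},
    network={"http-post-credentials", "smtp-exfil"},
)
UNRELATED = SampleReport(                # a different family, for contrast
    name="unrelated sample (constructed)",
    sha256="00" * 31 + "03",
    registry_writes={r"HKLM\SYSTEM\CurrentControlSet\Services\svchlp"},
    dropped_files={r"%TEMP%\svchlp.dll"},
    network={"dns-txt-beacon"},
)
BLOCKLIST = {EARLIER.sha256}             # what a hash-only report hands a defender


if __name__ == "__main__":
    for s in (EARLIER, RECOMPILED, UNRELATED):
        print(s.name, classify(s, EARLIER, BLOCKLIST))
```

Run as-is, the recompiled build gets no hash hit but a behaviour similarity around 0.76 against the earlier build, which is why a report that ships only hashes leaves a defender blind to the rebuild the same actors can produce in an afternoon; the registry and file-drop facets are the part worth publishing.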


The Time Table:

[Screenshot]

Meanwhile, the FBI put out this BOLO on the intelIRS.exe back in December and listed at least “one” company being attacked with it. Since I got this I have talked to DIB people, and yes, some saw the activity back in December; generally it was a blip on the radar and that was all. It was not a huge campaign, and in the end it did not exfil a lot of data to the adversaries involved. Now, if in fact these are the same actors here, then either they re-packed their malware and tried again with the DIB, or FireEye is just catching on to this.. Or maybe they just wanted to let this out now in a lull period on their marketing management calendar… Overall I think that this is much ado about nothing and that this is old news, but hey, who am I anyway? I’m just the janitor really.

The Players:

Now we get to the interesting bits that FireEye failed to give in their report. They did go as far as looking at who owned the domains historically and looked for some IDs on popular sites, but that’s about where they left off. Perhaps they went further and are not reporting it, but I am going to right here for you all. The two major players, if the domains were in fact still controlled by them and they were behind this phish campaign, are Keyvan Fayaz and Ali Ali Pur (Ali Alipur). Keyvan, aka HURR!C4NE!, and Ali, aka Cair3x, are both players from the early days of the Ajax Security Team of defacers and skidz.

As you can see from the data below, their email trails betrayed them eventually through re-use, and I got their names. Of course, overall these guys are not ninjas really, so it wasn’t all that hard to follow the Google trails to their real identities. In fact Ali is well known by his real name (as seen in a report from the ICT org). Keyvan goes by HURR!C4NE! or bl4ck.k3yv4n and eventually used his real name on a site that he had created early on with the K3yv4n moniker. What interested me further was that Keyvan is also connected with Soroush Dalili, who is on LinkedIn as a pentester today. It seems they worked together back in the day finding vulns and publishing them. One has to wonder now if you would want to hire Soroush in any way, since he had all this connection to the Ajax Team as recently as 2011.

As far as I have seen in my intelligence gathering on the current iteration of the Ajax Security Team, these are the players. The sites all came down due to non-payment of domain costs, and incidentally the blogs by cair3x are now gone as well, post the FireEye report, so there’s at least a good bit of intel that Ali was part of this phish campaign. It’s just the level at which he was involved that is in question. Overall though I would say that he and Keyvan were the ones doing this, and that they certainly have not progressed to 3l337 ninja status or Chinese levels with this showing.

[Screenshots of the collected data]

Threat Intelligence Report for AJAX SECURITY TEAM:

[Screenshots]

My final analysis is that this group of guys decided to get in on the action and schooled up a bit on how APTs act. They got some workable malware, set up a phish site with C&C’s to do their work, and spammed a company within the DIB. The attack wasn’t overly exotic and the methods were lowest common denominator. If it was in fact something that the state of Iran was backing, they certainly weren’t doing it very closely (i.e. monitoring these kids and helping them with technical know-how), so my conclusion is that they did it on their own.

I do not think that the group is in fact working with other groups in Iran, and evidence shows that even within the Islamic hacking scene these guys are small potatoes and were even prey to the hacking of one site by JM511 in 2012 (passwords dumped and IDs loosed) …So really it’s not a homogeneous and formidable force we face coming out of Iran. Now that Ali (Cair3x) has been on a deletion spree, I am sure that they will back up and take another look at how they might go about this in the future. Perhaps they will learn and get better. What I really would like to know, though, is just how much data, if any, was exfiltrated to Ajax with this phish campaign. This is something that neither FireEye nor anyone else is talking about, so I assume that not much was made off with.

So, how does this report from FireEye help anyone, other than as to what to look for as hashes go? No reports on the emails sent (structure, wording etc.) to help people look for them in their spam systems. No real intel on who these guys are and why they are doing what they are doing, other than notions of national pride, either. What are their targets? What are they looking to take, if they are taking anything? What should we all as readers of this report be looking for to stop them?

….. ….. …..

Yeah, thanks FireEye for nothing. I guess it’s just buy our service and we will protect you eh?

This is one of my major beefs with “Threat Intelligence” hawkers today. There’s barely even a C&C in this report that can be used. I mean, this is all after the fact and, as far as I can tell, it’s not a campaign that is going on today, so why report it? A fireside read, is it? At the very least NAME THE ACTORS and make them uncomfortable. I guess it’s more about the cool factor, along with the button pushing that gets the marketing wheels spinning, eh?

Hey Ajax Team (Keyvan, and Ali) I see you.

K.

Written by Krypt3ia

2014/05/14 at 20:52

So here’s my thing….


VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today, kids, and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers, I don’t think that we will truly have any privacy anymore, if you place it on the net or in the air. We have reached, in my opinion, the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all, I have increasingly felt the 5 stages of grief. I had the disbelief (ok, not completely, as you all know, but the scope was incredible at each revelation). Then the anger came and washed over me, waves and waves of it, as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon began to understand, though, that no matter what I did with the tools out there, it was likely they had already been backdoored. This became more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”.

Over time the revelations have all led to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind, the depression kicked in. Of late I have been more quiet online and more depressed about our current state, as well as our future state, with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do, it would mean nothing to the rapidly approaching cyberpocalypse of our own creation. ….In short, we can’t stop it, and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the grugq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies just to have a little privacy in our lives, huh? I mean, it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter, but really, if you can’t shut yourself up that is your problem, right? No, I speak of the everyday email to your mom telling her about your health status, or maybe your decision to come out, etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government, why then should you even attempt to protect them with overburdened measures such as OPSEC, huh? I mean, really, if you are that worried about that shit then go talk to someone personally, huh? I know, quite the defeatist attitude I have there, huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do, but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect that someday they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am, really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full-out kinetic war going on, where systems have been destroyed or compromised just before tanks roll in or nukes hit us, there is no cyberwar to speak of. There is only TALK OF cyber war.. Well, more like masturbatory fantasies by the likes of Bejtlich et al, in reality. So back the fuck off of this shit, mmkay? We do not live in the world of William Gibson and NO, you are not Johnny Mnemonic, ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment, but in reality we have no way to completely stop the juggernaut of the NSA and the government, kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks, and there is so much of it in this industry now that there is little to stop its abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.

TH3J35T3R: Don’t Dox The Man, Dox The Actions….


Preamble:

Over the last few years, Jester has been out there making waves and headlines. I have been watching all of this with a jaundiced eye and think that it’s once again time I sit down and put my thoughts on paper, so to speak, about his antics. Recently, he had been pretty quiet until I posted another piece about him, prompted by a SANS report on him and Asymmetric Warfare. Approximately 2-3 days after this post, Jester suddenly released a tale about his QR code exploit and dumped a PGP file as alleged proof of his exploit’s worthiness.

To me this just smacked of a positive response to his negative press that I perhaps helped put out there with my post. It all just seemed a bit too coincidental to me that someone just came along and noticed his QR code, thus foiling his plan. He could have just said it was a lark.. Instead he released the “details” and suddenly he was in the press again as a hero or a novelty. So I had a sit down and a think about it all…

And this is the result.

Operational History:

Upon reflection I should probably call this section “Operational Hysteria” but meh, I will go with it this way. Since Jester showed up on the internet with his DDoS attacks I have been calling into question the “why” and not caring as much about the “who”. As others (Anonymous and others) went on to try and “dox” him, it became apparent that it would not work because he had allegedly covered his tracks. I too attempted to look into who it may be and got pretty much nowhere, and gave up as he was more an annoyance than anything else in my book.

But, back to the issue at hand. Jester’s operational history is much more interesting in that you hear a lot about his “exploits” but you really don’t hear about the effects that they bring about. As such, I would call you all to pay attention to the facts of what has happened thus far.

  • DDoS: He claims to have DDoS’d jihadi sites and Anonymous sites.
  • DOX-ing: He alleges that he dox’d Sabu
  • Tampering Exploits: He alleges that he uploaded a tainted LOIC version for the Anonytards to use and thus pwn themselves
  • QR Code Exploits: Lastly, he alleges that he created a QRC exploit kit using his Twitter account and pwnd a bunch of phones, downloading pertinent data on the “villains” that he had on a list

This post is being put forth to separate the wheat from the chaff on his stories and to demystify, hopefully, for some, the myth versus the reality of just what has been going on. I do this because I think that all too many people are just buying into the stories by accepting “trust me, I did it” instead of real proof of actions and outcomes. Some will say that I just have it in for him after his “blue on blue” attacks on me, and yes, I will cop to that too, but it’s become more of a debunking thing instead of, as some have said, “sour grapes”. I say this because those who think that it’s all about sour grapes aren’t actually taking into account that there is no real proof of his exploits being effective or in fact really having happened (case in point the QR code thing recently: we just have his story on a blog and an encrypted file that no one can decrypt as proof).

People should question things a bit more in today’s world of Anonymous, and cyber warfare. In this case, I not only question the motivations of the Jester, but also his modus operandi as well. There, to me, seems to be a pattern of talk about operations, press releases if you like, and then very little actual proof that anything has been really done nor any real net effects being captured to lend credence to his operations being effective.

Proof Of Operations:

So, on the proof side, let’s take a look at the ops that he has alleged he has carried out and just what we can cobble together as to real outcomes:

  • DDoS: He did indeed DDoS sites offline for short periods of time. In the case of jihadis as well as Anonymous targets, it did little to stop them from operating online. In the case of the jihad, he had made claims that he was “driving them” into actions that he did not elaborate on. In the case of the jihad, I have been intimately involved in monitoring these sites and the players out there. In my estimation, he has done little at all other than annoy the jihadis. I have made this point many times in the past in fact. The online jihad is carried out on multitudinous sites that are mirrored and have quite a high availability factor to start.
  • DOX-ing: Jester alleges that he dox’d Sabu, and he does lay out the name and some other data, but this has been borne out to be after the fact. Backtracesec were the first to put out the name, as were others inside the Anonymous collective who were unhappy with the way things were going. It was Backtrace though, who had the real background data and dossier that was quickly removed from the internet at the behest of the FBI. So, any claims to doxing Sabu are suspect at best because the Backtrace release was pretty well known. I in fact wrote a post backing up their findings using Maltego on their data.
  • Tampering Exploits: Jester alleges that he uploaded a tainted LOIC version for the Anonytards to use and thus pwn themselves. This is hard to prove as there was no real release of data from compromised systems. As Jester is “anonymous” he cannot lay out the data (he claims), so there is no way to verify that it is indeed code he created, but the code and the tainted files were available for download. So, it may or may not have been him doing all of this, and there “may” have been some who downloaded it and used it. There is, however, no proof that anyone did, or in fact that any data was used to make arrests of anyone using this version of LOIC. In fact, the release of the exploit on Jester’s blog only really served Jester as publicity. Operationally, it compromised the op… If there was indeed one.
  • QR Code Exploits: Jester alleges that he created a QRC exploit kit using his Twitter account and pwnd a bunch of phones, downloading pertinent data on the “villains” that he had on a list. This exploit, according to him, netted data of users who actually scanned the QR code on their smart phones, and as an exploit it is already being questioned by certain people (here and here). The questions concern the outdated nature of the exploit code that Jester is claiming to use, as well as the operational issues over the use of netcat and other means he claims he used. According to some, these would in fact not work or could not work.

In the end the QR exploit’s effectiveness, or even whether it actually worked on any phone, cannot be proven because once again we just have Jester’s word that he obtained data. Jester did put out a PGP encrypted file that he claims is some of the data he harvested, but, as usual, no one has the key to open it. So, again, we have claims of operational work but no real proof of any kind of solid outcome from the operation. This means that again, we have to take him at his word and for me, that just doesn’t cut it.

All of these exploits or operations that Jester is laying claim to have little to no proof backing up their worth or their working and this is the crux of the matter. Not who he is.. But what has he really done.. And Why?

Motivations:

So, why would Jester be doing all of this? He would claim that he is just a patriot, a former SPECOPS guy, a man of action. Others might say that he is just a man on a mission with an active imagination. Yet others might wonder if he is a he at all; maybe he is a “they”, and perhaps this is all a means to a larger end that is being supported by the military or the government. Personally, I am not too sure that any of these fit the bill. Perhaps it’s a melange of all of these, and Jester was a military guy with some hacking skills who is being supported by the DoD as a means to get more people to enlist.

Maybe he is just someone seeking attention for himself.

I know, some have said “But wait! He’s anonymous so how can it all be about seeking attention for himself?!” Uhh, yes Virginia, someone CAN in fact get and revel in attention even though “they” are not known by many for who they are, so that argument falls quite flat. Out of the multiple choices here though, I lean more toward a single actor seeking attention, but will fall back on the idea that this is a permitted operation with a wink and a nod to benefit the “Cyber Brigades” of the world. That this guy wraps himself in the flag every time and calls people Ma’am or Sir in IRC just bespeaks the whole patriot angle.

Now, the fact that the operations have been either failures or not proven to have had any effect on their targets becomes immaterial to the outcome of garnering attention, because of the “secret” nature of the program that Jester is putting out there as fact. It’s a self-fulfilling prophecy for those who wish to idolize him as well as perhaps “fear” his machinations. Though, I don’t see too many people being that afraid of him. Nope, this all boils down to “what has he really done” to show you the “why has he done it”. Since there have been no real big wins proven by actual details, I think it’s more about gathering attention or creating a legend, a sort of Sorkh Razil of the internet if you will.

In the end, I cannot say with certitude why Jester is doing what he is doing. All I can say is that he has never been able to present definitive proof that he has really done anything at all.

Inside The Fact Impervious Bubble:

It is this central problem of never really proving he has done anything, other than some DDoS attacks on hapless jihobbyist sites, that has me in awe of the media and public response out there to his antics. Inside the Impervious Fact Bubble or IFB ™ so many have just glommed on to him and his exploits as a rallying call. Someone’s gotta “git er done” and by golly Jester will! Even in the face of the stunning lack of real outcomes from his “operations”, the mystique of the “Red Rascal” has played out for him well. There are many people who just eat it up and rally to Jester as if he were the single-handed savior to them all on the internet.

So, with every exploit that Jester claims he has perpetrated, the masses who believe in him without critical thinking cheer him on and look up to him. His IRC chat room has been a well of wanna be’s and hangers on as well as a place for trolling but the majority of it seems to be the former and not the latter. Believers get to visit with their hero and the trolls (non believers or anonymous minions who hate him) all the while he puts out his rep that he is the lone soldier in a war on terror, be they Anonymous or Islamic Jihad. All of this though, never seems to include any of the critical thought surrounding proof of his exploits or any real outcomes from them.

Why is this? Are people just that in need of a hero? I have to wonder, but it would seem that this all grants Jester a lot of attention and love from his followers, attention that I believe he revels in.

Conclusions:

Overall, my conclusions are that Jester has never really proven his worthiness to be adulated or looked up to. His swagger and his chutzpah only bedazzle those not willing to do more looking than his blog or his Twitter on his exploits’ worthiness. If indeed Jester is the sole proprietor of this operation, he has a pretty perfect means to garner attention with minimal output other than some creative writing and claims of grand schemes. Because the operations and their outcomes are super secret, it is the perfect scam really. After all, how can you prove anything didn’t happen? It’s all secret, you know.

On the other hand, if this is some sort of condoned or sanctioned operation, what ends would there be? My suspicion would be to generate a buzz around such actions so as to make something like the “cyber brigade” a real attractive thing to the masses of hacker wannabes out there. If they all want to be like Jester, then they will sign right up for the brigade. I however have yet to see a real hand in this game from the military side. Nor have I ever been given any proof that these operations have had any real palpable effects on the targets to move them in directions perhaps the military or the government might like.

Thus it leads me back to the first premise. Jester may just be a person or a small group of people with an agenda of their own. An agenda that includes a media arm and attention from said media and the populace, and not altruism or patriotism. If indeed he/they think that they are doing something greater, then he/they are deluding themselves. Unless Jester can prove to me that there has been substantial action resulting in arrests or the breaking up of cells (jihadi or other) in direct response to his/their actions, I just feel that it’s self-aggrandizement on a grand scale.

So, J, if you really are doing something.. Prove it and I will take all of this back and support you.

If not.. Then you know where I stand… As you have before.

K.

Written by Krypt3ia

2012/03/14 at 20:09