Archive for the ‘APT’ Category
Threat intelligence report on the various North Korean advanced persistent threat groups, who we know from open source intelligence they are composed of, and what activities they have carried out over the last five years.
This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.
Threat Intelligence Report: North Korean Advanced Persistent Threat Groups
Executive Summary: North Korea is known for its active state-sponsored hacking groups that carry out cyber espionage and disruptive activities to further their strategic objectives. These Advanced Persistent Threat (APT) groups are known for their sophisticated tactics, techniques, and procedures (TTPs) to infiltrate targeted networks and steal data. This report provides an overview of the various North Korean APT groups, their composition, and the activities they have carried out over the last five years.
Background: North Korea’s regime has long recognized the importance of cyber warfare as a means of advancing its strategic interests. The country has been accused of orchestrating several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.
North Korean APT Groups: North Korea has a number of active APT groups that conduct cyber espionage and disruptive activities. The following are some of the most notable groups:
- Lazarus Group: Lazarus is one of the most well-known North Korean APT groups and has been active since 2009. The group is believed to operate under the Reconnaissance General Bureau, North Korea’s primary intelligence agency. Lazarus Group has been linked to several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.
- APT37: Also known as Reaper, APT37 is believed to be a sub-group of Lazarus Group. The group is known for its sophisticated malware and phishing campaigns and has targeted a range of sectors, including government, military, and the media.
- APT38: APT38 is a North Korean hacking group that is believed to be responsible for cyber attacks on financial institutions around the world. The group is known for its advanced capabilities, including the ability to bypass two-factor authentication and other security measures.
- Kimsuky: Kimsuky is a North Korean APT group that is believed to operate under the country’s military intelligence agency. The group is known for its spear-phishing campaigns targeting South Korean government agencies and the country’s military.
Activities over the last five years: Over the last five years, North Korean APT groups have been involved in a range of cyber attacks, including:
- The 2014 Sony Pictures hack: Lazarus Group was linked to the attack, which resulted in the theft and release of sensitive data and caused significant damage to Sony Pictures’ reputation.
- The 2016 Bangladesh Bank heist: APT38 was linked to the attack, which resulted in the theft of $81 million from the Bangladesh Bank’s account at the Federal Reserve Bank of New York.
- The 2017 WannaCry ransomware attack: Lazarus Group was linked to the attack, which affected over 200,000 computers in 150 countries and caused widespread disruption.
- The 2018 Pyeongchang Winter Olympics cyber attack: Kimsuky was linked to the attack, which targeted the email accounts of South Korean officials and organizations involved in the event.
Exposed Assets within DPRK Cyber Operations
North Korean state-sponsored hacking groups, also known as Advanced Persistent Threat (APT) groups, have been widely identified and studied by cybersecurity researchers over the years. These groups are believed to be operated by the North Korean government and are known for their sophisticated cyber espionage and cyber attack capabilities.
Here are some of the known names of operators within North Korean APT groups:
- Lazarus Group: The Lazarus Group is perhaps the most well-known North Korean APT group, and has been active since at least 2009. It is believed to be responsible for a wide range of cyber attacks, including the infamous Sony Pictures hack in 2014 and the WannaCry ransomware attack in 2017. Some of the known Lazarus Group operators include Park Jin Hyok, who was indicted by the US Department of Justice in 2018 for his involvement in the Sony Pictures hack, and Kim Il, who is believed to be a key member of the group’s cyber espionage operations.
- APT37: Also known as Reaper or Group123, APT37 is another North Korean APT group that has been active since at least 2012. It is known for its wide range of cyber attack capabilities, including espionage, data theft, and destructive attacks. Some of the known APT37 operators include Kim Hyon Woo and Jon Chang Hyok.
- APT38: APT38 is believed to be a sub-group of the Lazarus Group, focused specifically on financial gain through cyber attacks. It is known for its involvement in a number of high-profile attacks against banks and financial institutions, including the theft of $81 million from the Bangladesh Bank in 2016. Some of the known APT38 operators include Park Jin Hyok and Kim Su Jin.
- APT27: Also known as Emissary Panda, APT27 is believed to be a Chinese-speaking North Korean APT group that has been active since at least 2010. It is known for its cyber espionage and data theft capabilities, and has been linked to attacks against government agencies, defense contractors, and other high-value targets. Some of the known APT27 operators include Zhang Xiao and Zhu Qiang.
- APT10: APT10, also known as Stone Panda, is another Chinese-speaking APT group that is believed to have close ties to North Korea. It is known for its cyber espionage and data theft capabilities, and has been linked to attacks against government agencies, defense contractors, and other high-value targets. Some of the known APT10 operators include Zhang Zhang-Gui and Tan Daijing.
It is important to note that these are just some of the known names of operators within North Korean APT groups, and that these groups are constantly evolving and changing their tactics and techniques. Cybersecurity researchers and law enforcement agencies around the world continue to monitor these groups closely in order to better understand their capabilities and prevent their attacks.
TTP’s and IOC’s,and Campaigns by DPRK OPS
North Korean Advanced Persistent Threat (APT) groups have been actively engaged in cyber espionage and cyber attack campaigns for many years. These groups are known for their sophisticated Tactics, Techniques, and Procedures (TTPs), which they use to compromise networks, steal data, and conduct other malicious activities. In this report, we will discuss some of the key TTPs, Indicators of Compromise (IOCs), and campaigns associated with North Korean APT groups.
Tactics, Techniques, and Procedures (TTPs):
- Social Engineering: North Korean APT groups often use social engineering tactics to trick users into installing malware or providing sensitive information. This includes spear-phishing emails and fake social media profiles.
- Malware: North Korean APT groups develop and use a wide range of malware, including Remote Access Trojans (RATs), Keyloggers, and data exfiltration tools. They often customize their malware for specific targets to avoid detection.
- Exploits: North Korean APT groups actively search for vulnerabilities in software and operating systems that they can exploit to gain access to target networks. They have been known to use exploits for zero-day vulnerabilities to remain undetected.
- Encryption: North Korean APT groups often use encryption to protect their malware and data exfiltration activities. They may also use steganography to hide malware within benign-looking files.
Indicators of Compromise (IOCs):
- IP addresses: North Korean APT groups often use IP addresses associated with their attacks. Some of the well-known IP addresses used by these groups include 175.45.176.0/22 and 210.52.109.0/24.
- Domains: North Korean APT groups often register domains that are similar to legitimate websites in order to trick users. Some of the known domains used by these groups include dc56wd4z2f4q3vix.onion and gosmail[.]co.
- Malware signatures: Researchers have identified a range of malware signatures associated with North Korean APT groups. Some of the well-known malware signatures include “Freenki” and “SiliVaccine.”
- Command and Control (C2) infrastructure: North Korean APT groups often use unique C2 infrastructure to communicate with their malware. This includes custom protocols and communication channels.
Campaigns:
- Operation AppleJeus: This campaign was carried out by the Lazarus Group and involved the creation of a fake cryptocurrency trading application called Celas Trade Pro. The malware used in this campaign was designed to steal cryptocurrency from users of the fake application.
- Operation GhostSecret: This campaign involved the use of malware designed to steal sensitive data from a wide range of industries, including healthcare, telecommunications, and finance. The malware used in this campaign was linked to the APT37 group.
- Operation Sharpshooter: This campaign was carried out by the Lazarus Group and involved the use of a new malware called “Rising Sun.” The malware was designed to steal sensitive data from military and government organizations in the US and Europe.
- Operation North Star: This campaign was carried out by the APT38 group and involved the use of malware to steal millions of dollars from financial institutions in countries including South Korea and India.
Malware Groups
North Korean Advanced Persistent Threat (APT) groups have been developing and using a wide range of malware for many years. This malware is used to conduct cyber espionage, cyber attacks, and other malicious activities. In this report, we will discuss some of the known North Korean malware and the APT groups that are associated with them.
- Destover: This malware was used in the 2014 Sony Pictures hack and was attributed to the Lazarus Group. Destover is a wiper malware that is designed to delete files and overwrite the master boot record of infected systems.
- Joanap: This malware was attributed to the Bluenoroff group and was used in a range of attacks against South Korean targets. Joanap is a Remote Access Trojan (RAT) that is capable of executing commands on infected systems, stealing data, and conducting reconnaissance activities.
- Brambul: This malware is associated with the APT38 group and is used to conduct SMB brute-force attacks. Brambul is designed to infect vulnerable Windows systems and use brute-force attacks to gain access to network shares.
- WannaCry: This ransomware attack occurred in 2017 and was attributed to the Lazarus Group. WannaCry was designed to exploit a vulnerability in the Windows operating system and encrypt files on infected systems, demanding a ransom for their release.
- Andariel: This malware is associated with the APT37 group and is designed to steal cryptocurrency. Andariel is capable of stealing credentials, executing commands, and exfiltrating data from infected systems.
- ELECTRICFISH: This malware is associated with the Hidden Cobra group and is used to create a tunnel for exfiltrating data from infected systems. ELECTRICFISH is capable of bypassing firewalls and other security measures to exfiltrate data to command and control (C2) servers.
- KEYMARBLE: This malware is associated with the Kimsuky group and is designed to steal data from infected systems. KEYMARBLE is capable of stealing passwords, executing commands, and exfiltrating data to C2 servers.
- SILENTTRINITY: This malware is associated with the APT10 group and is a modular backdoor that can be customized for specific attacks. SILENTTRINITY is capable of executing commands, stealing data, and conducting reconnaissance activities on infected systems.
Conclusion: North Korean APT groups continue to pose a significant threat to global security and stability. Their sophisticated tactics, techniques, and procedures (TTPs) make them difficult to detect and mitigate. To mitigate the risk of North Korean cyber attacks, it is essential for countries and organizations to invest in better cybersecurity measures, share threat intelligence, and adopt a proactive approach to cyber defense.
Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this blog
OilRig Games: Dumping IOC’s, Tools, and Deets on Iran
NARRATIVE:
On March 26th 2019 an account on Telegram named لب دوخته گان (sealed lips) “Labdookhtegan1″ began dropping details on OilRig aka Muddywaters APT group on Twitter. The data that this account dropped consisted of names, details of the actors allegedly behind OilRig/APT34, and screen shots and details of compromised systems and tools being used by Iran. Since March the actors involved in dropping the dime have gone on to create two darknet sites as well as three accounts on Telegram where they dropped much of the same data. The Telegram and the successive Dookhtegan1 account(s) on Twitter also put out a video with their announcement. The video consists of clips of President Obama making a speech much like the kind of thing you see in movies threatening someone using sound bytes.
Analytics on Dookhtegan:
- Dookhtegan لب دوخته گان “sealed lips” as an image and a maxim was the creation of Mehdy Kavousi, an Iranian immigrant in the Netherlands who is protesting immigrant deportations. The image is famous and literally shows Mehdy with lips sewn together in protest.
- The original photo has been shopped by many including the actors here creating these accounts and dropping data
- Dookhtegan is only one of many accounts
- labdookhtegan
- labdookhtegan1
- Green_leaks
- Green_Leakers
- Bl4ck_B0x
- The data drops all included Farsi commentary as well as English
- The backstopping of the data is tied to actual compromised system addresses and files of malware
- Interestingly, the translations of Farsi to English seem to imply that the writer is not a native speaker of Farsi
DATA DROPPED:
The data dropped by these guys is rather splashy. They have named names of at least six guys and two companies in Iran they claim are part of MOIS/IRGC actor group
- Omid_Palvayeh
- alireza_ebrahimi
- mohamad masoomi
- saeid shahrab
- taha mahdi tavakoli
- Noorsec —>Sec Company
- Rahacrop –> Sec Company/School
All of the actors dossiers are included in my zipped drop below for you all to oggle. OSINT on these guys may come later but for now I am kinda meh, they are blown.
FILES DROPPED:
Labdookhtegan1 dropped many files as proofs of their work and outing of the IRGC. These included such things as passwords to compromised systems, tools they used, and other proofs to show IRGC activities on the following places of interest (see list pictured) The targets pretty much show activities in the middle east and areas that the IRGC would like to attack. Of course I am not seeing any US assets nor other areas, which, is rather interesting no? More on this in the context and timing section below….
I am currently looking at the technical tools and may have an update later on with tech details but for now, be happy with Uncle Krypt3ia’s gift of all the files and dox in one zip!
CONTEXT OF TIMING:
Right! So, the timing of these drops is rather convenient for the US huh? I mean, even as we speak Donny and his mustachioed pal Bolty are looking to maybe attack Iran for whatever reasons they have. The actors here try to make a case that perhaps they are in fact Turks, but I am kinda not buying that at all and the touches with “sealed lips” aka Mehdy Kavousi is also a nod toward some sympathy for Iranian immigrant feelings on deportation and feeling silenced. This too I am not buying, so once again that brings us back to the whole idea of “Cui Bono” and for me who really benefits here on so many levels would be America and the NSA perhaps or CyberCOMMAND?
So picture this… We decide to drop dox and TTP’s on Iran in the REGION as a means to blow IRGC out of the water and re-tool as we are ramping up for maybe some action in the region and we need, oh, let’s say, a receptive audience(s) in said region to help us were we to get kinetic with Iran. How’s that play for you all? It certainly plays for me. This is a stick that likely is dual edged and wins for us in my opinion. After all, the IRGC is in the regions playing their games as always, but the skinny recently is that IRGC messaged all their proxies and took them off the leash, and more to the point, in Iraq.
Think about that kids….
Say, didn’t we just pull out all our State folks from Iraq?
Why yes we did… Gee… WHO KNEW?!?!
Ponder that.
ASSESSMENT:
Overall these are interesting times and if you are in the game here and want to have all the fun bits, download the zip file with all the things. You’re welcome. I am glad to put it all in one place for you to have instead of playing games with all the companies out there trying to get you to buy their content while hiding the good shit behind a paywall. My assessment is this, that the players have been exposed, the companies they work for have been blown, and we all likely have much more to dig into now and coming soon. In fact a little birdie told me about a new dump this morning (yes it is in the zip file) so WHEEEEEEE!
Watch Iran and the region… I have a bad feeling.
K.
PS! I almost forgot.. I found some of the malware online in VT/Hybrid
https://app.any.run/tasks/a74d0d54-a996-4ae0-979f-675bbdd3bbad/
https://app.any.run/tasks/69ad1f9f-9dc4-475e-8762-b31283f314f1/
Enjoy!
PPS! Almost forgot.. These cats even created a LinkedIN page for one of the burned!
*giggle*
KONNI: Malware Campaign Inside Pyongyang
So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.
- The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
- The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
- One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
- The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
- The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
- All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
- HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
- The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
- MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file
Conclusions:
What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.
When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.
I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.
All of these questions beg another question….
Do we know for sure these were aimed at DPRK embassies/personnel?
Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.
Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?
Come on, you can tell uncle Krypt3ia!
SAMPLES:
Ask for them and we will work out a transfer method
LINKS:
LinkedIN: The APT Phisherman’s Friend
I get some interesting requests for connection on LinkedIN. Some of these are just the rando security wonk or government type, others, well, they are much more targeted and potentially adversary activity looking for an opportunity to mine your connections or you for bits. In the case of the profile above, I believe this to be a fake account created by group looking to get into my links and perhaps someday send me some file that they hope I will click on. Now you all know me, I am an infamous bastard and I vet my connections most of the time so when this one came in all the bells started going off once I took a closer look at her bonafides.
The problem with her is that I cannot verify much of anything she claims in her bio. I looked her online and nothing. I looked up her company that she works for and all I got was a real estate company out of Florida not NYC as she claims to be located in. I then went on to inquire with the secret squirrels out there on the internets whether or not she had in fact worked for RAND. The responses I got back were that she had not worked for RAND, which sure, maybe she did and they could not locate an old email acct and just didn’t know her, but, there are no other remnants in the OSINT out there showing her to be an employee there at all.
Neither could I locate her current company solidly and the company that has the name is run by some guy alone so I am not thinking that that is a solid hit. I then cross referenced in searches on Google for “Harbor Capital LLC NYC” and all I get are names that are close to this but not the same. Once again nothing comes up here that validates this person, never mind the company itself. The alarm claxon is getting louder and louder here ain’t it? So I started the cross searches and yes there are “Elisabeth M Jones'” out there but no one specifically pops up as the definitive person I am looking for here.
Then I used the image search engines to see if I could catch the photo as being re-used. This woman looks kinda familiar, like I have seen her in something on TV but I cannot place it. Coincidentally neither can Tineye nor Google. Neither of these services gave me a solid hit on this image so either this is someone who is rarely photographed, or, this is someone who’s pic has never been hoovered and catalogued by the great Google machine.
Once again, here we are at a loss to show this person really exists. Nothing in these searches can lead me to believe this is anything but a cutout account looking to gain access to my connections and I on LinkedIN. Now some of you out there will likely say “Meh so what?” Well, this is what, this type of attack with social engineering is what I use against targets and many of you out there in the pen-testing arena do too. More so though, the APT types have been using LinkedIN for a long time to gain access to people and then send them malware or links to malware. China has been very good at this for a long time. Iran was doing this a few years ago post Stuxnet, and now the DPRK is gangbusters on LinkedIN phishing.
Put another way gentle reader.. If you work for anything and anyone the APT types want to get access to then YOU are a target as well. Pay heed to the awareness programs you are given on social engineering and phishing and KNOW that LinkedIN, Twitter, Facebook, ALL the social media platforms are used as well for this. I personally have created profiles on LinkedIN to target execs using pretty women to get them to give me access. In fact, ALL of this should sound familiar to you.
Does the name Robin Sage ring a bell?
Speaking of Robin….
Here are Elisabeth’s connections…
Do you see the irony there?…
I do…
*giggle*
Anyway, I have reached out to some and told them that I have some inside skinny that this may be APT but only one of them said they were removing her. C’est la vie I guess, but I never added her. You gentle reader need to understand once again that the Robin Sage effect is still possible. Some of these connections have inside connections that I for one would not want connecting to this rando account… Unless that is their plan, to lead them along..
Hmm….
Whatever.
Keep your eyes open kids and just don’t click accept on shit mmmkay?
K.
PS.. Elisabeth if you are in fact real lemme know… Maybe I will acc…. NAH just fuckin wit ya!
PPS!!
Jayson, you are a first connection… I know you like going to China but you may want to not be the way in for these guys.
All Those Derpy APT Code Names Got You Confused?
THANK THE FUCKING GODS someone took the time to get these all collated into a spread sheet! After all, WHO KNOWS what derpily named actor is attacking you!! YOU COULD //HAVE HELSING HURRCAINE DRAGON PANDA// and you would be unable to respond unless you have a primer!
My. God.
While this may be helpful to many of you out there it is for me just another symptom of a larger malaise that is attribution fever. Yes, attribution fever, much like a good Malarial bout gives one chills and flop sweat when you are looking at your SIEM/IDS/IPS/LOGS and you see… Well something happening. Something you really don’t understand but you know it’s OBVIOUSLY some bad actor from a foreign land trying to steal your IP!
NOW YOU TOO CAN PLAY THE NAME THAT ACTOR GAME!
With this handy sheet you can attempt to maybe sorta kinda know who may be exfil’ing your data and laughing in some obviously Mandarin tinted accent! Seriously though, ummm fuck if I care really. If you don’t have the infrastructure and the defenses in depth to handle even understanding your traffic this really means fuck all to you. Well, unless you are a marketing wanker or an upper echelon exec amiright?
On a more serious note though, if you are playing the game and you have some sense of what is going on, then perhaps this excel sheet will help you some. I am really really really * a gogolplex unimpressed with all the secret sauce attribution fuckery we see in all the marketing bullshit blasts from the vendors out there on this shit. Know what? I remember when I saw BaitLick say that basically his company would come in, do their thing, and then six months later they’d be back again because they could not keep the APT out. So what the fuck with all the super secret code names and IP fuckery that you guys pull on “actors huh?
Cut it the fuck out.
Share the intel with EVERYONE
STOP THE FUCKERY
That will be the only way that we can make a unified effort here.
I will say it again… It’s not about the who… It’s about the how.
K.
SAND APT WORM 28 Screedle
SANDWORMS AND APT’S
Recently there has been a hubbub over iSight’s dox drop on what they called Sandworm. This was a group of Russian actors (alleged) that were spying digitally on Ukraine and NATO with malware and phishing. The program had been ongoing for a long time and iSight needed that market share so they dropped their report on us all, ya know, to let us all know that Russia spies on shit like Ukraine when they are in a heated battle with that runaway state.
WHO’DA THUNK IT??
Anywho, now FireEye wants to get in on the action and has dropped their report on APT-28… AKA Sandworm. They pretty much say the same things. There’s a group of Russians out there spying digitally on Ukraine and NATO with malware and phishing.
WOO
At least the FireEye report is less derpy than the iSight report so there is that. Sure the APT-28 report gives more IOC’s and such for the technowonks out there to follow up on and maybe put in C&C’s on their collective SIEM’s but really, what use is all this to the rest of us? Nada. Nada and this burns my ass. I really hate all this posturing bullshit marketing that passes for intelligence. To my amazement even the FireEye report states that this is nothing new and that these guys have been in the news in security circles for some time. Now it’s just time to make them a new BUZZWORD for the marketing and this is what makes me apoplectic about all of these services out there.
What have we learned here in this report?
- Russian APT uses phishing
- Russian APT uses obfuscation in code
- Russian APT use Cyrillic keyboards
- Russian APT knows more than one language
- Russian APT are sneaky
No.. Really? As the report remarks, there is nothing new here.. So why post it?
MARKETING
All of this from FireEye as well as iSight is just tit for tat marketing to garner media attention for their “services” and nothing more. There is nothing in this report that really applies to the average blue team player unless you are in Ukraine or in NATO and ya know what? Those guys already know because they have been briefed by the intelligence agencies. So really, there is very little value to these reports to the common security player. It’s all just marketing HOODOO and we should all just see it as that ok?
“But it’s cool and now we have TTP’s on the Russki’s” you say… Well fuck that. The intelligence agencies are the players in that space not you. How many of you out there not in Defense base companies have EVER run into a known C&C for APT on your networks actively being used?
…. Anyone?
Yeah, thought so. Look, FireEye reports are the new EBOLA of ISIS! It’s utter wankery.
POLITICS
Meanwhile, some on my time-line asked a very pertinent question.. “Just how long has FireEye been the US governments lapdog anyway?” To which my answer was “since APT-1” This report feels more like a mix of marketing as well as political pokery on the part of FE for the US government who happens to be having a pissing match over Ukraine and general Pooty Poot fuckery. So really, is this a report that we can all use or is this just a grab for political fuckery and money through self aggrandizing and self serving marketing to preserve market share that maybe iSight was perceived to have taken from them?
Your mileage may vary…
K.
Dropping DOX on APT: aka Free Lessons on OPSEC!
“And gentlemen in England now-a-bed
Shall think themselves accurs’d they were not here,
And hold their manhoods cheap whiles any speaks
That fought with us upon Saint Crispin’s day.”
“Prince Hal” Henry V Act 4 Scene 3 ~William Shakespeare
Stuck in The Middle with APT and YOU:
If you are like me then you too have to look at the feeds from FireEye, Crowdstrike, Mandiant, and others on a daily basis for my job. The job that I speak of includes fighting APT at times and having to keep executives aware of what is going on as well. Lately though, since the drop by Mandiant on the “China problem” (aka CN actors 1-13) there has been a huge uptick in reports that try to do the same thing, i.e. name and shame those attackers as a means to an end. That means to an end I feel 99.999% of the time is to garner attention by the media and to increase market share.
Others may have reasons that are more closely aligned with “America FUCK YEAH!” and may be well intentioned but misguided to my mind. I have seen the gamut of this and I too have played my roll in this as well. I have dox’d players in the Jihad as well as nation state actors (mostly wannabe’s) on this very blog and have watched as a pile of nothing really happened most of the time. These big companies though that sell “Threat Intelligence” seem to really mostly be driven by attention and marketing appeal for their services than nation state concerns in my opinion when they drop dox on B or C level players in the “great game” and sadly I think this is rather useless, well, in the great game that is, not in the bottom line of lining their pockets right? …But I digress…
Let’s face it folks, we are all subject to the great game and we have little to no power in it on the whole. The APT and the nation state will continue their games of thievery and espionage. The companies selling services will ubiquitously use their “insider” knowledge gathered from all of their clients DNS traffic to generate these reports and market them to garner more clients and we, the people at the end of and the beginning of this process will just have to sit by and get played. Sure, if you are running your program right in your environment and you are getting good threat intelligence telemetry at the least, then you can attempt to staunch the exfil flow but really, in the end that flow is after the fact right? The PWN has happened and you are just being reactive. From this though you feel a certain amount of angst right? So when some company drops dox on some third stringer in China you pump your fist in the air and say “FUCK YEAH! GOT YOU!” and feel good right?
Yeah… I have news for you. It doesn’t mean anything. It will not stop it from happening. In fact, the services you just paid for that just shamed Wang Dong just taught him a valuable lesson….
FREE OPSEC LESSONS!:
What Wang and the PLA just learned is that Crowdstrike offers FREE OPSEC TRAINING! If any of you out there believe that this will curb the insatiable Chinese Honey-badger they have another thing coming. While it may feel like a slam dunk it is really just a Pyrrhic victory in a larger war while it is really in fact a marketing coup. The Chinese don’t care and in fact all they will do is re-tool their exploits/ttp’s/C&C’s and learn from their mistakes to become more stealthy. Really, we are training the 3rd string to be better at their job when we drop all this stuff on the net. This is a direct forced reaction to their being outed instead of attempting to just share the data in a more covert manner within the IC community or other more secretive channels where it could be used effectively in my opinion.
So yeah, some PLA kids got a spanking and now they are known entities but really, this will not stop them from doing their job and it certainly will have an effect of changing their operational paradigms to be more subtle and inscrutable. While the marketing goal has been fulfilled I see really little other value in doing this ….unless there is a greater unseen game going on here. Some might imply that there is another dimension here and that may include disinformation or other back channel pressures by the government. In fact it was alluded to by the Crowdstrike folks that the government is fully aware and part of the whole “process” on these. So, is this also a synergistic tool for marketing AND nation state agendas for the US?
Eh… Given my opinion of late of the current Admin and the IC, not so much. Nope, I think in the end I will stick to the opinion that this is nothing more than marketing smoke and magic…
I hope the third stringers appreciate the free OPSEC lessons. I mean gee, the going rate for classes is pretty high.
K.
ASSESSMENT: Operation Saffron Rose/Operation Flying Kitten
The Saffron Rose Narrative:
I think it was a slow news day at FireEye or that they felt they needed media attention and thus was born the “Saffron Rose” campaign report that was released Monday. The report makes the evocative implication that Iran is upping their game against other nation states by either state actors or hacking groups who want to be such. I frankly looked at the report and immediately began to see inconsistencies in the claim that this was nation state at all nor advanced any more than anyone with a version of SET and some domains to use.
As I looked into the claims and the details further the more convinced I became that my assessment was more true than the claims made by FireEye in their “Threat Intelligence” on the Ajax Security Team. The net/net of this is that these guys were nothing to write home about and that in my opinion this was just a marketing piece that used Iran as a hot button to garner attention for the company. I am still of that opinion even after talking to DIB players as well as the Federal government about the Ajax Team and their antics over the years to today.
The FireEye Data:
FireEye lays out the exploit (as in an exploit not the common vernacular in tech for those of you who know not English) and the C&C’s as usual with good details on how the mechanics work. The exploit though is in fact modified from a stock “stealer.exe” with some obfuscation crypto and a new pass/log it is still just an off the shelf known trojan and had been seen online since November 2013 if not earlier and there will be more on this below. Overall though FireEye makes a good attempt at nailing down the culprits but makes assumptions as to the level of expertise going from defacement skiddies to APT actors within a year or so.
The fact of the matter is that the primary movers of the group seem to be just two main actors in this phishing campaign and the group broke up and went their separate ways as they lacked money to keep domains and sites online. For that matter the people who own the domains and were active in the Ajax Team previously may have nothing to do with this campaign anyway as their domain was used without their consent. It remains to be seen just who did what but in the end the malware is detectable by AV systems and this is not a clear and present danger to the DIB partners on the whole.
The Exploit:
The “Stealer.exe” named in the FireEye report as well as the “IntelRS.exe” were reported back in November of 2013 as being seen in the wild and when I began looking at the data from Google it became clear that anyone getting this trojan may well have been able to stop it with AV on board already. This was not overly exotic and in fact the malware is a COTS in the community where you can compile it as you like and use it much like the POS software out there reported on recently.
Malware is malware and of course you can change it a bit making the hashes obfuscated to AV systems or you can build in other security but in this instance it seems that these guys did the minimal work to send out these phishing emails. What they did do however was create the fake aviation site and the like which anyone now can do because it is common knowledge as far as tactics go today after all the APT discussions out there. Honestly these guys may have been looking for credentials to further access to pass on to their government but I am seriously doubting that they were sponsored at all in this endeavour. Is this not one of the tactics that we use in the Red Team industry? Can’t you even do it with just a copy of SET or CoreImpact? Yes.. Yes you can. So it is not advanced nor persistent. Nor a threat really. Admittedly though FireEye does stop at that line and makes no equivocal statement that it is indeed nation state so I give them that. Overall though, still nothing to write home about… Unless you are looking to garner attention for your company with the scary boogey man of Iran that is.
UPDATE: Folks are FE are upset and saying I am wrong about this being a common tool. They cite the hashes below as not being this tool. Yes yes, it is not the same hash and it is not being seen by AV on the whole but is this not the game here? You update the tool or re-write and then recompile to obfuscate the AV? When you look at the calls in the registry you see the same variant behaviour in earlier malware coming from Nov/Dec 2013. So yes, it’s new malware according to the hashes but this is not a new and exotic malware is my point. It’s a re-hash. While am at this once again here is the INTELIRS.EXE used in 2013 Nov. It’s a replay. So how uncommon is it if it’s already been used?
The Time Table:
Meanwhile, the FBI put out this BOLO on the intelIRS.exe back in December and listed at least “one” company being attacked with it. Since I got this I have talked to DIB people and yes, some saw the activity back in December and generally it was a blip on the radar and that was all. It was not a huge campaign and in the end it did not exfil a lot of data to the adversaries involved. Now if in fact these are the same actors here then either they re-packed their malware and tried again with DIB or FireEye is just catching on to this.. Or maybe they just wanted to let this out now in a lull period on their marketing management calendar… Overall I think that this is much ado about nothing and that this is old news but hey who am I anyway? I’m just the janitor really.
The Players:
Now we get to the interesting bits that FireEye failed to give in their report. They did go as far as looking at who owned domains historically and looked for some ID’s on popular sites but that’s about where they left off. Perhaps they went further and are not reporting it but I am going to right here for you all. The two major players, if the domains were in fact still controlled by them and were behind this phish campaign are Keyvan Fayaz and Ali Ali Pur (Ali Alipur) Keyvan aka HURR!C4NE! and Ali aka Cair3x are both player from the early days of the Ajax Security Team of defacers and skidz.
As you can see from the data below, their email trails betrayed them eventually through re-use and I got their names. Of course overall these guys are not ninja’s really so it wasn’t all that hard to follow the Google trails to their real identities. In fact Ali is well known by his real name (as seen in a report from the ICT org) Keyvan goes by HURR!C4NE! or bl4ck.k3yv4n and eventually used his real name on a site that he had created early on with the K3yv4n moniker. What interested me further was that Keyvan also is connected with Soroush Dalili who is on LinkedIN as a pentester today. It seems they worked together back in the day finding vulns and publishing them. One has to wonder now if you would want to hire Soroush in any way since he had all this connection to the Ajax Team as recently as 2011.
As far as I have seen in my intelligence gathering on the current iteration of the Ajax Security Team, these are the players. The sites all came down due to non payment of domain costs and incidentally the blogs by cair3x are now gone as well post the FireEye report so at least there’s a good bit of intel that at least Ali was part of this phish campaign. It’s just the level at which he was involved that is at question. Overall though I would say that he and Keyvan were the ones doing this and that they certainly have not progressed to 3l337 ninja status or Chinese levels with this showing.
TEXT
Threat Intelligence Report for AJAX SECURITY TEAM:
My final analysis is that this group of guys decided to get in on the action and they schooled up a bit on how APT act. They got some workable malware and set up a phish site with C&C’s to do their work and spammed a company within the DIB. The attack wasn’t overly exotic and the methods were lowest common denominator. If it was in fact something that the state of Iran was backing they certainly weren’t doing it very closely (i.e. monitoring these kids and helping them with technical know how) so my conclusion is that they did it on their own.
I do not think that the group is in fact working with other groups in Iran and evidence shows that even within the Islamic hacking scene these guys are small potato’s and were even prey to the hacking of one site by the JM511 in 2012 (passwords dumped and ID’s loosed) …So really it’s not a homogenous and formidable force we face coming out of Iran. Now that Ali (Cair3x) has been on a deletion spree I am sure that they will back up and take another look at how they might go about this in the future. Perhaps they will learn and get better. What I really would like to know though is just how much if any data was exfiltrated to Ajax with this phish campaign? This is something that FireEye nor anyone else is talking about so I assume that not much was made off with.
So, how does this report from FireEye help anyone other than what to look for as hashes go? No reports on the emails sent (structure, wording etc) to help people look for them in their spam systems. No real intel on who these guys are and why they are doing what they are doing other than the notions of national pride either. What are their targets? What are they looking to take if they are taking anything? What should we all as readers of this report be looking for to stop them?
….. ….. …..
Yeah, thanks FireEye for nothing. I guess it’s just buy our service and we will protect you eh?
This is one of my major beef’s with “Threat Intelligence” hawkers today. There’s barely even a C&C in this report that can be used. I mean this is all after the fact and it’s not a campaign as far as I can tell that is going on today so why report it? A fireside read is it? At the very least NAME THE ACTORS and make them uncomfortable. I guess it’s more about the cool factor along with the button pushing that gets the marketing wheels spinning eh?
Hey Ajax Team (Keyvan, and Ali) I see you.
K.
ASSESSMENT: The Target Hack As An APT Style Attack
Fazio Heating & Cooling Phished via OSINT:
With the release of Brian Krebs’ article on the Fazio Heating phish and use of their credentials in the Target TTCE/POS hack comes the notion that the criminals potentially used OSINT to carry out their crime. In looking at the sites that Brian has posted about you can see that there is a plethora of data available for an attacker to use to footprint Target as well as the eventual partner or supplier that was to be Fazio. By using common tools and techniques it is quite possible that the Lampeduza Republic or proxies thereof carried out the intelligence gathering needed to determine who they should target in order to possibly garner access to the Target networks via portals like the supplier portal mentioned in the article. What may in fact be the case though is that Fazio was just one target of a phishing campaign directed at all of the vendors that could be gleaned from the site leakage online (i.e. doc files, pdf files, and xls files containing metadata as well as direct data on companies and contacts that can be harvested through Google and Maltego) All of this data could well be used to set up phishing campaigns for any and all vendors found in hopes that they (the criminals) would be able to gather access credentials for the Target network to carry out the next phase of the operation.
Side Channel Attacks:
In this case it is being intoned that the access of Fazio on the extpol.target.com site/application may have had AD credentials that could either have had too much access to start or that they were used to escalate privileges on the server/system/application to exploit the core server inside the TTCE. While this is possible, one has to wonder if that is indeed the case or was there some other access that Fazio may have had? It seems though on the surface of it, that the access to this server and the lack of segmentation allowed for the exploit to be carried out and access granted to more of the internal networking within the Target TTCE. The fact though, that at the present time people are saying (off the record and anonymously) that Fazio was the epicentre of the access that caused this data theft shows a certain type of attack that is more common to a more planned and funded style of operation called APT. The side channel attack here is first foot-printing all the companies that doe business and then either choosing a target to phish or hitting them all to see what access could be stolen for escalation. This is a common APT tactic and bespeaks more planning than the usual phish of a company like target (shotgun approach as Brian says) and then exploiting to steal data. This from all evidence thus far, seems to be a very well thought out campaign from the creation of the malware (BlackPOS) to the phish and ex-filtration of data.
APT Activities by Non State Actors:
Up to now the focus of all of the APT talk has been over nation state actors. I would like to point to the Target hack and the Lampeduza as as evidence (so far) that we are now seeing a non nation state actor taking cues from all of the talk about the APT and using those techniques to their own advantages. It is of course not difficult to carry out these types of attacks in an orderly and persistent manner, it just takes an organization that is motivated and able to handle the work. I would say that the Lampeduza shows this kind of regimented behaviour as well as a motivator in the dumps of cards and easy money from their sale. The point being is the APT genie is out of the bottle and anyone with the means and the will can now carry out APT style attacks by using OSINT and other common hacking techniques to commit their crimes so no, it’s not China all the time is it? This case as it unfolds should be watched by everyone in the Infosec community because these types of attacks are only going to be more and more common and not just reside within the sphere of nation states and espionage.
ANALYSIS:
The ongoing fall out from the Target compromise is becoming more and more interesting and prescient on many levels for the security community as well as the populace at large. The attack vectors are leaking out slowly and I am sure that some day soon there will be an explanation from the DFIR folks hired by Target and the USSS as to what really happened. In the meantime information like Brian’s is very elucidating on how things may have happened and with the direction they are taking currently, it would seem that this attack and exploitation cycle was rather well thought out. As you have seen in my previous post, the Lampeduza while flamboyant, also show that they seem to have a sense of hierarchy and military ethos that I can see fits well into a criminal league who use APT techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfil their desired data. That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble but that is for the future to hold. As well, if it wasn’t the Lampeduza who carried out the attacks, then whoever they are working with or hired has been studying the APT in the news cycle as well. Either way, this was a slick attack and I look forward to seeing where all this leads.
K.
So APT Is China *snicker* Now What?
zl’s egt amsk sbfmt kze kwcyfocggp ktlhiu!
Avanced? Persistent? Threat?
As RSA comes to a close and the corridors of the hall stop ringing with the acronym APT bleated out by a megaphone from the Mandiant booth I find myself once again looking at the problem as opposed to the hype. Let me simplify this for you all a little bit here to start though. APT is not necessarily “advanced” as the Mandiant finally lets you all out there not in the secret squirrel club know. In fact the APT’s are often just outsmarting the average end user on a daily basis and you and I both know it does not take a mental genius to do that right? Seriously there is nothing overly advanced nowadays in sending phishing emails and doing recon to assess your targets. Sure there is some coding going on once inside that is novel but really, any good hacker will tell you that they can code some shit up to keep persistence or maybe just buy it on the black market if needed. This is not rocket science here.
On the persistence thing yes, yes they are. They are persistent not only in trying to keep their toehold but also in that they bombard companies with emails in order to have a signal to noise attack. This is nifty but really it’s not a new technique. So ok persistence means they keep trying but it is often our own failings that ALLOW their persistence. Everything from the #click_sheep who keep clicking on every god damned email they get that asking if they want a bigger penis to companies lack of controls over patching and other standard procedures that they should be carrying out on their infrastructure. So when really looking for someone to blame look in the mirror folks. Hey maybe you will look in the mirror and see that you are Chinese huh?
Finally the “threat” part well I think I just covered that huh? YOU are the real threat in this vector. The adversary is just leveraging that fact to obtain their goals. The threat is not Chinese, Russian, Israeli, or French. It’s us. We are the threat and this was the case even before computers and espionage came together. How do you think a lot of the information was stolen back in the day from governments and companies? That’s right kids! It was by people being paid off or being leveraged in some way by spies and spy agencies. Now though, we really don’t have to leverage people as much with compensation or threats. Instead we just leverage their human natures and boy oh boy does it work ever so well!
Our sloth, greed, and general cluelessness are our own undoing.
Is WHO Hacked You That Important?
So Mandiant puts out a report on our Chinese hackers and everyone is a twitter over the “revelations” As someone who has personally dealt with this type of activity in my work life I was pretty apathetic about the report and it’s being published outside of the “sekret squirrel” world. Sure, they probably set us all back some and certainly have set the stage for a great amount of douchery to come but really, what good comes from this report and the data it dropped? Hurriedly I have seen many glom onto the hashes and the techniques that the Comment Crew was using in order to fortify their environments since the drop. Of course this may be to no avail as soon I am sure the CC will be changing their ways but hey, it gives us all something to do huh?
Meanwhile people are nodding their heads and saying “BAD CHINA” while the government pops out 140 page draft resolutions on how to deal with China and their hacking of our IP. I for one see this as just a lot of smoke and mirrors that may in the end have no greater effect other than political gain but hey who am I right? Let’s let it roll as everyone gets their panties in a bind over China. Others though have piped in and said that maybe it’s not only China but all too often these voices are not enough to cut through the cacophony of stupid to make it to the reasoned ear. Guess what kids it’s not just China and it never has been and this is the problem of fixating on one target. You tend to lose the other and then they come up behind you and shoot you in the back of the head.
The upshot here? Who hacked you is NOT as important as WHY you got hacked and HOW you got hacked. The old WHO WHAT WHY WHEN & HOW are important equally and we unfortunately have collectively latched onto the WHO and this will be our downfall. At least Mandiant is looking at the how but I am not hearing much about how to remediate the problems that cause the problem to start with. Instead as we see with the government response they are going to the WHO and saying “cut it out” and anyone who thinks that that is going to make them stop is really biting too tightly on the crack pipe. So back to the point which should be plainly clear. We are the target and we are the problem. It is important to understand the who but you cannot leave out the WHAT, WHERE, WHEN, and WHY. If you do then you will never win the battle.
Know Thy Enemy.. Know Thyself…
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.
Sun Tzu: Art of War
It’s a trite thing to some out there *looking at you Jericho* to quote Sun Tzu in any cyber context but in my case here it is absolutely correct to quote. The problem I am finding in much of the approaches to trying to defeat or lessen the APT problem focuses less on knowing the self (aka your network and your people) and more on blinky light solutions to stop them dead in their tracks as the vendor propaganda states. Some even go as far as to proclaim that security awareness is pointless which I called bullshit on before rather vociferously in the past. I find it to be one of the more reprehensible statements made up until yesterday’s revelations that a panel gave at RSA saying that “We are soon going to live in a post crypto world” and that crypto is pointless because the APT keeps avoiding it. This is one of the most idiotic statements I have heard in a while and it just makes me think people misunderstand APT even more than before. Everyone thinks they are unstoppable and that is not right. These attacks can be mitigated but it will take real work to do do not some blinky verndor solutions.
The point here is this; We need to carry out due diligence and we need to be vigilant in our security apparatus. We need to engage the end users and teach them about malware and phishing and keep teaching them over and over and over again. Wrote learning is the ONLY way that this will get into their collective heads. Sure, we can also use technologies to attempt to arrest the spear phishing attacks but if you have a 3 star general who is a #click_sheep well, you are pretty much fucked if you are not really paying attention to the network SIEM and other mitigations in place and even then, with creativity those too can be outwitted. These APT types use common traffic to hide within and that is the problem. The pivot is the key here, they are using your network to their advantage just like a Judo expert. Will you be able to stop them all? No. Will you be able to considerably cut the attack success down with holistic methods? I believe you can and I have seen it in action. Others have said much the same thing and I hope more people start paying attention.
I agree that knowing who is attacking is important but it is only important as long as you take the time to be introspective about what they are seeking from you and how they are getting it out of you. What flaws in your infrastructure and culture are they exploiting that is allowing them to rob you blind and how can you remedy them to stop them. These are the key questions that seem to be missing from so many vendor offers like Crowdstrike and others out there today offering offensive defense or active defense. Sure, if your org is working properly and you have security enlightened end users go for the disinformation honeypot things and other means of defense. However, if your people are a bunch of #click_sheeple then what is the point? You will be PWND and it will be all be moaning and wailing “woe is me” in the end …Trust me.
Oh, and a last word here on the #click_sheep thing. Why am I harping on it? Look at the reports again. 99.999 percent of the attacks are being performed via phishing and spear phishing STILL! We have known about this type of attack how long? Come on people! There’s a reason it is done this way. It’s because people are not being trained properly as well as their systems are not being patched up! I know what you are thinking “but there’s 0day!” Yes yes there is but that is only a small percentage of the attack surface at present.
CLICK CLICK PWN.
Behavior Modification Is Needed
Now that I have ranted a while let me just re-iterate the facts. We are to blame for the APT successes. The term was coined back in 2006 and though it’s been in the secret squirrel world it was a known quantity. In fact I would say that it was not only the APT but generally crackers who were using these techniques for the most part and the APT just went along with it and refined it. This is not new and now that it is all out in the open we need to really pay attention here and look at the problem from the macroverse level and not just the myopic microverse that we in the industry tend to have. This isn’t just a technical problem it’s a sociological and psychological problem that we have to work on. Many say that there is no defense to social engineering attack but I do not ascribe to that. With the proper security education and awareness training anyone can defeat SE attacks. It just takes training like that which Dave Aitel thinks is pointless.
9/11 pointed out to the intelligence community that an over-reliance on technology failed to detect and stop the 19 hijackers from AQ. This failure was remedied by adding record numbers of assets post 9/11 to carry out HUMINT (Human Intelligence) and what we learned most of all that technology in itself is useless against human nature and a healthy dose of avoiding tech. It was tradecraft that allowed the plot to succeed even when their phone conversations were being tapped. I make this analogy because once again we are facing the same problem within the INFOSEC community as well as the government and military’s. The adversary is relying on human nature and we are relying on technologies created by humans. It’s a bad mix really and it needs to be re-evaluated to include more introspection on the people creating, maintaining, and using the technologies today. So far I am not seeing too much of this ethos being bandied about in the community and I think it is at our own peril.
I feel like it should be a catch phrase akin to the GHW Bush era’s “It’s the economy stupid” In my case though its more along the lines of “It’s not just the technology stupid” We have been myopic and we need to cut that out. The next shiny whizbang appliance is not going to stop that 3 star #click_sheep from opening the email addressed to him with the misspellings about how he has a package from UPS and needs to install this .EXE file to get it.
Derp.
K.
Krypt3ia 