Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘APT’ Category

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

LinkedIN: The APT Phisherman’s Friend

leave a comment »

screenshot-from-2016-10-28-14-36-24

I get some interesting requests for connection on LinkedIN. Some of these are just the rando security wonk or government type, others, well, they are much more targeted and potentially adversary activity looking for an opportunity to mine your connections or you for bits. In the case of the profile above, I believe this to be a fake account created by group looking to get into my links and perhaps someday send me some file that they hope I will click on. Now you all know me, I am an infamous bastard and I vet my connections most of the time so when this one came in all the bells started going off once I took a closer look at her bonafides.

The problem with her is that I cannot verify much of anything she claims in her bio. I looked her online and nothing. I looked up her company that she works for and all I got was a real estate company out of Florida not NYC as she claims to be located in. I then went on to inquire with the secret squirrels out there on the internets whether or not she had in fact worked for RAND. The responses I got back were that she had not worked for RAND, which sure, maybe she did and they could not locate an old email acct and just didn’t know her, but, there are no other remnants in the OSINT out there showing her to be an employee there at all.

screenshot-from-2016-10-28-14-38-05

screenshot-from-2016-10-28-14-38-22

Neither could I locate her current company solidly and the company that has the name is run by some guy alone so I am not thinking that that is a solid hit. I then cross referenced in searches on Google for “Harbor Capital LLC NYC” and all I get are names that are close to this but not the same. Once again nothing comes up here that validates this person, never mind the company itself. The alarm claxon is getting louder and louder here ain’t it? So I started the cross searches and yes there are “Elisabeth M Jones'” out there but no one specifically pops up as the definitive person I am looking for here.

screenshot-from-2016-10-28-14-57-20

screenshot-from-2016-10-28-15-00-46

Then I used the image search engines to see if I could catch the photo as being re-used. This woman looks kinda familiar, like I have seen her in something on TV but I cannot place it. Coincidentally neither can Tineye nor Google. Neither of these services gave me a solid hit on this image so either this is someone who is rarely photographed, or, this is someone who’s pic has never been hoovered and catalogued by the great Google machine.

screenshot-from-2016-10-28-14-39-01

screenshot-from-2016-10-28-15-12-27

Once again, here we are at a loss to show this person really exists. Nothing in these searches can lead me to believe this is anything but a cutout account looking to gain access to my connections and I on LinkedIN. Now some of you out there will likely say “Meh so what?” Well, this is what, this type of attack with social engineering is what I use against targets and many of you out there in the pen-testing arena do too. More so though, the APT types have been using LinkedIN for a long time to gain access to people and then send them malware or links to malware. China has been very good at this for a long time. Iran was doing this a few years ago post Stuxnet, and now the DPRK is gangbusters on LinkedIN phishing.

Put another way gentle reader.. If you work for anything and anyone the APT types want to get access to then YOU are a target as well. Pay heed to the awareness programs you are given on social engineering and phishing and KNOW that LinkedIN, Twitter, Facebook, ALL the social media platforms are used as well for this. I personally have created profiles on LinkedIN to target execs using pretty women to get them to give me access. In fact, ALL of this should sound familiar to you.

Does the name Robin Sage ring a bell?

Speaking of Robin….

Here are Elisabeth’s connections…

screenshot-from-2016-10-28-14-34-29

Do you see the irony there?…

I do…

*giggle*

Anyway, I have reached out to some and told them that I have some inside skinny that this may be APT but only one of them said they were removing her. C’est la vie I guess, but I never added her. You gentle reader need to understand once again that the Robin Sage effect is still possible. Some of these connections have inside connections that I for one would not want connecting to this rando account… Unless that is their plan, to lead them along..

Hmm….

Whatever.

Keep your eyes open kids and just don’t click accept on shit mmmkay?

K.

PS.. Elisabeth if you are in fact real lemme know… Maybe I will acc…. NAH just fuckin wit ya!

PPS!!

screenshot-from-2016-10-28-15-44-46

Jayson, you are a first connection… I know you like going to China but you may want to not be the way in for these guys.

 

Written by Krypt3ia

2016/10/28 at 19:27

Posted in APT, CUTOUTS, OPSEC, Phishing

All Those Derpy APT Code Names Got You Confused?

with 2 comments

Screenshot from 2016-06-01 13:16:58

THANK THE FUCKING GODS someone took the time to get these all collated into a spread sheet! After all, WHO KNOWS what derpily named actor is attacking you!! YOU COULD //HAVE HELSING HURRCAINE DRAGON PANDA// and you would be unable to respond unless you have a primer!

My. God.

While this may be helpful to many of you out there it is for me just another symptom of a larger malaise that is attribution fever. Yes, attribution fever, much like a good Malarial bout gives one chills and flop sweat when you are looking at your SIEM/IDS/IPS/LOGS and you see… Well something happening. Something you really don’t understand but you know it’s OBVIOUSLY some bad actor from a foreign land trying to steal your IP!

NOW YOU TOO CAN PLAY THE NAME THAT ACTOR GAME!

With this handy sheet you can attempt to maybe sorta kinda know who may be exfil’ing your data and laughing in some obviously Mandarin tinted accent! Seriously though, ummm fuck if I care really. If you don’t have the infrastructure and the defenses in depth to handle even understanding your traffic this really means fuck all to you. Well, unless you are a marketing wanker or an upper echelon exec amiright?

On a more serious note though, if you are playing the game and you have some sense of what is going on, then perhaps this excel sheet will help you some. I am really really really * a gogolplex unimpressed with all the secret sauce attribution fuckery we see in all the marketing bullshit blasts from the vendors out there on this shit. Know what? I remember when I saw BaitLick say that basically his company would come in, do their thing, and then six months later they’d be back again because they could not keep the APT out. So what the fuck with all the super secret code names and IP fuckery that you guys pull on “actors huh?

Cut it the fuck out.

Share the intel with EVERYONE

STOP THE FUCKERY

That will be the only way that we can make a unified effort here.

I will say it again… It’s not about the who… It’s about the how.

Link to excel

K.

Written by Krypt3ia

2016/06/01 at 17:53

Posted in APT, CYBER CYBER CYBER

SAND APT WORM 28 Screedle

leave a comment »

THISISMARKETING

 

SANDWORMS AND APT’S

Recently there has been a hubbub over iSight’s dox drop on what they called Sandworm. This was a group of Russian actors (alleged) that were spying digitally on Ukraine and NATO with malware and phishing. The program had been ongoing for a long time and iSight needed that market share so they dropped their report on us all, ya know, to let us all know that Russia spies on shit like Ukraine when they are in a heated battle with that runaway state.

WHO’DA THUNK IT??

Anywho, now FireEye wants to get in on the action and has dropped their report on APT-28… AKA Sandworm. They pretty much say the same things. There’s a group of Russians out there spying digitally on Ukraine and NATO with malware and phishing.

WOO

At least the FireEye report is less derpy than the iSight report so there is that. Sure the APT-28 report gives more IOC’s and such for the technowonks out there to follow up on and maybe put in C&C’s on their collective SIEM’s but really, what use is all this to the rest of us? Nada. Nada and this burns my ass. I really hate all this posturing bullshit marketing that passes for intelligence. To my amazement even the FireEye report states that this is nothing new and that these guys have been in the news in security circles for some time. Now it’s just time to make them a new BUZZWORD for the marketing and this is what makes me apoplectic about all of these services out there.

What have we learned here in this report?

  • Russian APT uses phishing
  • Russian APT uses obfuscation in code
  • Russian APT use Cyrillic keyboards
  • Russian APT knows more than one language
  • Russian APT are sneaky

No.. Really? As the report remarks, there is nothing new here.. So why post it?

MARKETING

All of this from FireEye as well as iSight is just tit for tat marketing to garner media attention for their “services” and nothing more. There is nothing in this report that really applies to the average blue team player unless you are in Ukraine or in NATO and ya know what? Those guys already know because they have been briefed by the intelligence agencies. So really, there is very little value to these reports to the common security player. It’s all just marketing HOODOO and we should all just see it as that ok?

“But it’s cool and now we have TTP’s on the Russki’s” you say… Well fuck that. The intelligence agencies are the players in that space not you. How many of you out there not in Defense base companies have EVER run into a known C&C for APT on your networks actively being used?

…. Anyone?

Yeah, thought so. Look, FireEye reports are the new EBOLA of ISIS! It’s utter wankery.

POLITICS

Meanwhile, some on my time-line asked a very pertinent question.. “Just how long has FireEye been the US governments lapdog anyway?” To which my answer was “since APT-1” This report feels more like a mix of marketing as well as political pokery on the part of FE for the US government who happens to be having a pissing match over Ukraine and general Pooty Poot fuckery. So really, is this a report that we can all use or is this just a grab for political fuckery and money through self aggrandizing and self serving marketing to preserve market share that maybe iSight was perceived to have taken from them?

Your mileage may vary…

K.

Written by Krypt3ia

2014/10/28 at 17:13

Posted in .gov, .mil, APT

Dropping DOX on APT: aka Free Lessons on OPSEC!

with 3 comments

The_enemy_is_listening

 

“And gentlemen in England now-a-bed
Shall think themselves accurs’d they were not here,
And hold their manhoods cheap whiles any speaks
That fought with us upon Saint Crispin’s day.”

“Prince Hal” Henry V Act 4 Scene 3 ~William Shakespeare

Stuck in The Middle with APT and YOU:

If you are like me then you too have to look at the feeds from FireEye, Crowdstrike, Mandiant, and others on a daily basis for my job. The job that I speak of includes fighting APT at times and having to keep executives aware of what is going on as well. Lately though, since the drop by Mandiant on the “China problem” (aka CN actors 1-13) there has been a huge uptick in reports that try to do the same thing, i.e. name and shame those attackers as a means to an end. That means to an end I feel 99.999% of the time is to garner attention by the media and to increase market share.

Others may have reasons that are more closely aligned with “America FUCK YEAH!” and may be well intentioned but misguided to my mind. I have seen the gamut of this and I too have played my roll in this as well. I have dox’d players in the Jihad as well as nation state actors (mostly wannabe’s) on this very blog and have watched as a pile of nothing really happened most of the time. These big companies though that sell “Threat Intelligence” seem to really mostly be driven by attention and marketing appeal for their services than nation state concerns in my opinion when they drop dox on B or C level players in the “great game” and sadly I think this is rather useless, well, in the great game that is, not in the bottom line of lining their pockets right? …But I digress…

Let’s face it folks, we are all subject to the great game and we have little to no power in it on the whole. The APT and the nation state will continue their games of thievery and espionage. The companies selling services will ubiquitously use their “insider” knowledge gathered from all of their clients DNS traffic to generate these reports and market them to garner more clients and we, the people at the end of and the beginning of this process will just have to sit by and get played. Sure, if you are running your program right in your environment and you are getting good threat intelligence telemetry at the least, then you can attempt to staunch the exfil flow but really, in the end that flow is after the fact right? The PWN has happened and you are just being reactive. From this though you feel a certain amount of angst right? So when some company drops dox on some third stringer in China you pump your fist in the air and say “FUCK YEAH! GOT YOU!” and feel good right?

Yeah… I have news for you. It doesn’t mean anything. It will not stop it from happening. In fact, the services you just paid for that just shamed Wang Dong just taught him a valuable lesson….

FREE OPSEC LESSONS!:

What Wang and the PLA just learned is that Crowdstrike offers FREE OPSEC TRAINING! If any of you out there believe that this will curb the insatiable Chinese Honey-badger they have another thing coming. While it may feel like a slam dunk it is really just a Pyrrhic victory in a larger war while it is really in fact a marketing coup. The Chinese don’t care and in fact all they will do is re-tool their exploits/ttp’s/C&C’s and learn from their mistakes to become more stealthy. Really, we are training the 3rd string to be better at their job when we drop all this stuff on the net. This is a direct forced reaction to their being outed instead of attempting to just share the data in a more covert manner within the IC community or other more secretive channels where it could be used effectively in my opinion.

So yeah, some PLA kids got a spanking and now they are known entities but really, this will not stop them from doing their job and it certainly will have an effect of changing their operational paradigms to be more subtle and inscrutable. While the marketing goal has been fulfilled I see really little other value in doing this ….unless there is a greater unseen game going on here. Some might imply that there is another dimension here and that may include disinformation or other back channel pressures by the government. In fact it was alluded to by the Crowdstrike folks that the government is fully aware and part of the whole “process” on these. So, is this also a synergistic tool for marketing AND nation state agendas for the US?

Eh… Given my opinion of late of the current Admin and the IC, not so much. Nope, I think in the end I will stick to the opinion that this is nothing more than marketing smoke and magic…

I hope the third stringers appreciate the free OPSEC lessons. I mean gee, the going rate for classes is pretty high.

K.

 

Written by Krypt3ia

2014/06/17 at 13:11

Posted in APT, OPSEC, OSINT

ASSESSMENT: Operation Saffron Rose/Operation Flying Kitten

with one comment

Screenshot from 2014-05-14 13:10:34

 

The Saffron Rose Narrative:

Screenshot from 2014-05-14 13:23:37

I think it was a slow news day at FireEye or that they felt they needed media attention and thus was born the “Saffron Rose” campaign report that was released Monday. The report makes the evocative implication that Iran is upping their game against other nation states by either state actors or hacking groups who want to be such. I frankly looked at the report and immediately began to see inconsistencies in the claim that this was nation state at all nor advanced any more than anyone with a version of SET and some domains to use.

As I looked into the claims and the details further the more convinced I became that my assessment was more true than the claims made by FireEye in their “Threat Intelligence” on the Ajax Security Team. The net/net of this is that these guys were nothing to write home about and that in my opinion this was just a marketing piece that used Iran as a hot button to garner attention for the company. I am still of that opinion even after talking to DIB players as well as the Federal government about the Ajax Team and their antics over the years to today.

The FireEye Data:

FireEye lays out the exploit (as in an exploit not the common vernacular in tech for those of you who know not English)  and the C&C’s as usual with good details on how the mechanics work. The exploit though is in fact modified from a stock “stealer.exe” with some obfuscation crypto and a new pass/log it is still just an off the shelf known trojan and had been seen online since November 2013 if not earlier and there will be more on this below. Overall though FireEye makes a good attempt at nailing down the culprits but makes assumptions as to the level of expertise going from defacement skiddies to APT actors within a year or so.

The fact of the matter is that the primary movers of the group seem to be just two main actors in this phishing campaign and the group broke up and went their separate ways as they lacked money to keep domains and sites online. For that matter the people who own the domains and were active in the Ajax Team previously may have nothing to do with this campaign anyway as their domain was used without their consent. It remains to be seen just who did what but in the end the malware is detectable by AV systems and this is not a clear and present danger to the DIB partners on the whole.

The Exploit:

Screenshot from 2014-05-14 13:32:36

Screenshot from 2014-05-14 13:21:49

The “Stealer.exe” named in the FireEye report as well as the “IntelRS.exe” were reported back in November of 2013 as being seen in the wild and when I began looking at the data from Google it became clear that anyone getting this trojan may well have been able to stop it with AV on board already. This was not overly exotic and in fact the malware is a COTS in the community where you can compile it as you like and use it much like the POS software out there reported on recently.

Malware is malware and of course you can change it a bit making the hashes obfuscated to AV systems or you can build in other security but in this instance it seems that these guys did the minimal work to send out these phishing emails. What they did do however was create the fake aviation site and the like which anyone now can do because it is common knowledge as far as tactics go today after all the APT discussions out there. Honestly these guys may have been looking for credentials to further access to pass on to their government but I am seriously doubting that they were sponsored at all in this endeavour. Is this not one of the tactics that we use in the Red Team industry? Can’t you even do it with just a copy of SET or CoreImpact? Yes.. Yes you can. So it is not advanced nor persistent. Nor a threat really. Admittedly though FireEye does stop at that line and makes no equivocal statement that it is indeed nation state so I give them that. Overall though, still nothing to write home about… Unless you are looking to garner attention for your company with the scary boogey man of Iran that is.

UPDATE: Folks are FE are upset and saying I am wrong about this being a common tool. They cite the hashes below as not being this tool. Yes yes, it is not the same hash and it is not being seen by AV on the whole but is this not the game here? You update the tool or re-write and then recompile to obfuscate the AV? When you look at the calls in the registry you see the same variant behaviour in earlier malware coming from Nov/Dec 2013. So yes, it’s new malware according to the hashes but this is not a new and exotic malware is my point. It’s a re-hash. While  am at this once again here is the INTELIRS.EXE used in 2013 Nov. It’s a replay. So how uncommon is it if it’s already been used?

 

 

The Time Table:

Screenshot from 2014-05-14 13:23:10

Meanwhile, the FBI put out this BOLO on the intelIRS.exe back in December and listed at least “one” company being attacked with it. Since I got this I have talked to DIB people and yes, some saw the activity back in December and generally it was a blip on the radar and that was all. It was not a huge campaign and in the end it did not exfil a lot of data to the adversaries involved. Now if in fact these are the same actors here then either they re-packed their malware and tried again with DIB or FireEye is just catching on to this.. Or maybe they just wanted to let this out now in a lull period on their marketing management calendar… Overall I think that this is much ado about nothing and that this is old news but hey who am I anyway? I’m just the janitor really.

The Players:

Now we get to the interesting bits that FireEye failed to give in their report. They did go as far as looking at who owned domains historically and looked for some ID’s on popular sites but that’s about where they left off. Perhaps they went further and are not reporting it but I am going to right here for you all. The two major players, if the domains were in fact still controlled by them and were behind this phish campaign are  Keyvan Fayaz and Ali Ali Pur (Ali Alipur) Keyvan aka HURR!C4NE! and Ali aka Cair3x are both player from the early days of the Ajax Security Team of defacers and skidz.

As you can see from the data below, their email trails betrayed them eventually through re-use and I got their names. Of course overall these guys are not ninja’s really so it wasn’t all that hard to follow the Google trails to their real identities. In fact Ali is well known by his real name (as seen in a report from the ICT org) Keyvan goes by HURR!C4NE! or bl4ck.k3yv4n and eventually used his real name on a site that he had created early on with the K3yv4n moniker. What interested me further was that Keyvan also is connected with Soroush Dalili who is on LinkedIN as a pentester today. It seems they worked together back in the day finding vulns and publishing them. One has to wonder now if you would want to hire Soroush in any way since he had all this connection to the Ajax Team as recently as 2011.

As far as I have seen in my intelligence gathering on the current iteration of the Ajax Security Team, these are the players. The sites all came down due to non payment of domain costs and incidentally the blogs by cair3x are now gone as well post the FireEye report so at least there’s a good bit of intel that at least Ali was part of this phish campaign. It’s just the level at which he was involved that is at question. Overall though I would say that he and Keyvan were the ones doing this and that they certainly have not progressed to 3l337 ninja status or Chinese levels with this showing.

 

Screenshot from 2014-05-14 13:16:57

 

Screenshot from 2014-05-14 13:15:50

Screenshot from 2014-05-14 13:15:50

 

Screenshot from 2014-05-14 12:38:19

 

Screenshot from 2014-05-14 11:31:35

 

Screenshot from 2014-05-14 11:35:48

 

Screenshot from 2014-05-14 11:28:35

-lUn-5bw.png:small

 

Screenshot from 2014-05-14 11:35:32

 

TEXT

Threat Intelligence Report for AJAX SECURITY TEAM:

 

Screenshot from 2014-05-14 13:10:03

Screenshot from 2014-05-14 13:10:17

My final analysis is that this group of guys decided to get in on the action and they schooled up a bit on how APT act. They got some workable malware and set up a phish site with C&C’s to do their work and spammed a company within the DIB. The attack wasn’t overly exotic and the methods were lowest common denominator. If it was in fact something that the state of Iran was backing they certainly weren’t doing it very closely (i.e. monitoring these kids and helping them with technical know how) so my conclusion is that they did it on their own.

I do not think that the group is in fact working with other groups in Iran and evidence shows that even within the Islamic hacking scene these guys are small potato’s and were even prey to the hacking of one site by the JM511 in 2012 (passwords dumped and ID’s loosed) …So really it’s not a homogenous and formidable force we face coming out of Iran. Now that Ali (Cair3x) has been on a deletion spree I am sure that they will back up and take another look at how they might go about this in the future. Perhaps they will learn and get better. What I really would like to know though is just how much if any data was exfiltrated to Ajax with this phish campaign? This is something that FireEye nor anyone else is talking about so I assume that not much was made off with.

So, how does this report from FireEye help anyone other than what to look for as hashes go? No reports on the emails sent (structure, wording etc) to help people look for them in their spam systems. No real intel on who these guys are and why they are doing what they are doing other than the notions of national pride either. What are their targets? What are they looking to take if they are taking anything? What should we all as readers of this report be looking for to stop them?

….. ….. …..

Yeah, thanks FireEye for nothing. I guess it’s just buy our service and we will protect you eh?

This is one of my major beef’s with “Threat Intelligence” hawkers today. There’s barely even a C&C in this report that can be used. I mean this is all after the fact and it’s not a campaign as far as I can tell that is going on today so why report it? A fireside read is it? At the very least NAME THE ACTORS and make them uncomfortable. I guess it’s more about the cool factor along with the button pushing that gets the marketing wheels spinning eh?

Hey Ajax Team (Keyvan, and Ali) I see you.

K.

 

Written by Krypt3ia

2014/05/14 at 20:52

ASSESSMENT: The Target Hack As An APT Style Attack

with 3 comments

140110103529-computer-hacker-620xa

Fazio Heating & Cooling Phished via OSINT:

Screenshot from 2014-02-12 13:42:14

With the release of Brian Krebs’ article on the Fazio Heating phish and use of their credentials in the Target TTCE/POS hack comes the notion that the criminals potentially used OSINT to carry out their crime. In looking at the sites that Brian has posted about you can see that there is a plethora of data available for an attacker to use to footprint Target as well as the eventual partner or supplier that was to be Fazio. By using common tools and techniques it is quite possible that the Lampeduza Republic or proxies thereof carried out the intelligence gathering needed to determine who they should target in order to possibly garner access to the Target networks via portals like the supplier portal mentioned in the article. What may in fact be the case though is that Fazio was just one target of a phishing campaign directed at all of the vendors that could be gleaned from the site leakage online (i.e. doc files, pdf files, and xls files containing metadata as well as direct data on companies and contacts that can be harvested through Google and Maltego) All of this data could well be used to set up phishing campaigns for any and all vendors found in hopes that they (the criminals) would be able to gather access credentials for the Target network to carry out the next phase of the operation.

Side Channel Attacks:

In this case it is being intoned that the access of Fazio on the extpol.target.com site/application may have had AD credentials that could either have had too much access to start or that they were used to escalate privileges on the server/system/application to exploit the core server inside the TTCE. While this is possible, one has to wonder if that is indeed the case or was there some other access that Fazio may have had? It seems though on the surface of it, that the access to this server and the lack of segmentation allowed for the exploit to be carried out and access granted to more of the internal networking within the Target TTCE. The fact though, that at the present time people are saying (off the record and anonymously) that Fazio was the epicentre of the access that caused this data theft shows a certain type of attack that is more common to a more planned and funded style of operation called APT. The side channel attack here is first foot-printing all the companies that doe business and then either choosing a target to phish or hitting them all to see what access could be stolen for escalation. This is a common APT tactic and bespeaks more planning than the usual phish of a company like target (shotgun approach as Brian says) and then exploiting to steal data. This from all evidence thus far, seems to be a very well thought out campaign from the creation of the malware (BlackPOS) to the phish and ex-filtration of data.

APT Activities by Non State Actors:

Up to now the focus of all of the APT talk has been over nation state actors. I would like to point to the Target hack and the Lampeduza as as evidence (so far) that we are now seeing a non nation state actor taking cues from all of the talk about the APT and using those techniques to their own advantages. It is of course not difficult to carry out these types of attacks in an orderly and persistent manner, it just takes an organization that is motivated and able to handle the work. I would say that the Lampeduza shows this kind of regimented behaviour as well as a motivator in the dumps of cards and easy money from their sale. The point being is the APT genie is out of the bottle and anyone with the means and the will can now carry out APT style attacks by using OSINT and other common hacking techniques to commit their crimes so no, it’s not China all the time is it? This case as it unfolds should be watched by everyone in the Infosec community because these types of attacks are only going to be more and more common and not just reside within the sphere of nation states and espionage.

ANALYSIS:

The ongoing fall out from the Target compromise is becoming more and more interesting and prescient on many levels for the security community as well as the populace at large. The attack vectors are leaking out slowly and I am sure that some day soon there will be an explanation from the DFIR folks hired by Target and the USSS as to what really happened. In the meantime information like Brian’s is very elucidating on how things may have happened and with the direction they are taking currently, it would seem that this attack and exploitation cycle was rather well thought out. As you have seen in my previous post, the Lampeduza while flamboyant, also show that they seem to have a sense of hierarchy and military ethos that I can see fits well into a criminal league who use APT techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfil their desired data. That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble but that is for the future to hold. As well, if it wasn’t the Lampeduza who carried out the attacks, then whoever they are working with or hired has been studying the APT in the news cycle as well. Either way, this was a slick attack and I look forward to seeing where all this leads.

K.

Written by Krypt3ia

2014/02/12 at 19:13