Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘ASSESSMENT’ Category

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

leave a comment »

7631834-3x2-700x467

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last nights attack using a lorrie was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:082014 Inspire

 

Screenshot from 2016-07-15 07:04:082010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dahka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are selfradicalizing with the help of the media’s obsession on covering ad nauseum these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actors need for attention and satisfaction.

laughing-man

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize it’s happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

ASSESSMENT: Operation Saffron Rose/Operation Flying Kitten

with one comment

Screenshot from 2014-05-14 13:10:34

 

The Saffron Rose Narrative:

Screenshot from 2014-05-14 13:23:37

I think it was a slow news day at FireEye or that they felt they needed media attention and thus was born the “Saffron Rose” campaign report that was released Monday. The report makes the evocative implication that Iran is upping their game against other nation states by either state actors or hacking groups who want to be such. I frankly looked at the report and immediately began to see inconsistencies in the claim that this was nation state at all nor advanced any more than anyone with a version of SET and some domains to use.

As I looked into the claims and the details further the more convinced I became that my assessment was more true than the claims made by FireEye in their “Threat Intelligence” on the Ajax Security Team. The net/net of this is that these guys were nothing to write home about and that in my opinion this was just a marketing piece that used Iran as a hot button to garner attention for the company. I am still of that opinion even after talking to DIB players as well as the Federal government about the Ajax Team and their antics over the years to today.

The FireEye Data:

FireEye lays out the exploit (as in an exploit not the common vernacular in tech for those of you who know not English)  and the C&C’s as usual with good details on how the mechanics work. The exploit though is in fact modified from a stock “stealer.exe” with some obfuscation crypto and a new pass/log it is still just an off the shelf known trojan and had been seen online since November 2013 if not earlier and there will be more on this below. Overall though FireEye makes a good attempt at nailing down the culprits but makes assumptions as to the level of expertise going from defacement skiddies to APT actors within a year or so.

The fact of the matter is that the primary movers of the group seem to be just two main actors in this phishing campaign and the group broke up and went their separate ways as they lacked money to keep domains and sites online. For that matter the people who own the domains and were active in the Ajax Team previously may have nothing to do with this campaign anyway as their domain was used without their consent. It remains to be seen just who did what but in the end the malware is detectable by AV systems and this is not a clear and present danger to the DIB partners on the whole.

The Exploit:

Screenshot from 2014-05-14 13:32:36

Screenshot from 2014-05-14 13:21:49

The “Stealer.exe” named in the FireEye report as well as the “IntelRS.exe” were reported back in November of 2013 as being seen in the wild and when I began looking at the data from Google it became clear that anyone getting this trojan may well have been able to stop it with AV on board already. This was not overly exotic and in fact the malware is a COTS in the community where you can compile it as you like and use it much like the POS software out there reported on recently.

Malware is malware and of course you can change it a bit making the hashes obfuscated to AV systems or you can build in other security but in this instance it seems that these guys did the minimal work to send out these phishing emails. What they did do however was create the fake aviation site and the like which anyone now can do because it is common knowledge as far as tactics go today after all the APT discussions out there. Honestly these guys may have been looking for credentials to further access to pass on to their government but I am seriously doubting that they were sponsored at all in this endeavour. Is this not one of the tactics that we use in the Red Team industry? Can’t you even do it with just a copy of SET or CoreImpact? Yes.. Yes you can. So it is not advanced nor persistent. Nor a threat really. Admittedly though FireEye does stop at that line and makes no equivocal statement that it is indeed nation state so I give them that. Overall though, still nothing to write home about… Unless you are looking to garner attention for your company with the scary boogey man of Iran that is.

UPDATE: Folks are FE are upset and saying I am wrong about this being a common tool. They cite the hashes below as not being this tool. Yes yes, it is not the same hash and it is not being seen by AV on the whole but is this not the game here? You update the tool or re-write and then recompile to obfuscate the AV? When you look at the calls in the registry you see the same variant behaviour in earlier malware coming from Nov/Dec 2013. So yes, it’s new malware according to the hashes but this is not a new and exotic malware is my point. It’s a re-hash. While  am at this once again here is the INTELIRS.EXE used in 2013 Nov. It’s a replay. So how uncommon is it if it’s already been used?

 

 

The Time Table:

Screenshot from 2014-05-14 13:23:10

Meanwhile, the FBI put out this BOLO on the intelIRS.exe back in December and listed at least “one” company being attacked with it. Since I got this I have talked to DIB people and yes, some saw the activity back in December and generally it was a blip on the radar and that was all. It was not a huge campaign and in the end it did not exfil a lot of data to the adversaries involved. Now if in fact these are the same actors here then either they re-packed their malware and tried again with DIB or FireEye is just catching on to this.. Or maybe they just wanted to let this out now in a lull period on their marketing management calendar… Overall I think that this is much ado about nothing and that this is old news but hey who am I anyway? I’m just the janitor really.

The Players:

Now we get to the interesting bits that FireEye failed to give in their report. They did go as far as looking at who owned domains historically and looked for some ID’s on popular sites but that’s about where they left off. Perhaps they went further and are not reporting it but I am going to right here for you all. The two major players, if the domains were in fact still controlled by them and were behind this phish campaign are  Keyvan Fayaz and Ali Ali Pur (Ali Alipur) Keyvan aka HURR!C4NE! and Ali aka Cair3x are both player from the early days of the Ajax Security Team of defacers and skidz.

As you can see from the data below, their email trails betrayed them eventually through re-use and I got their names. Of course overall these guys are not ninja’s really so it wasn’t all that hard to follow the Google trails to their real identities. In fact Ali is well known by his real name (as seen in a report from the ICT org) Keyvan goes by HURR!C4NE! or bl4ck.k3yv4n and eventually used his real name on a site that he had created early on with the K3yv4n moniker. What interested me further was that Keyvan also is connected with Soroush Dalili who is on LinkedIN as a pentester today. It seems they worked together back in the day finding vulns and publishing them. One has to wonder now if you would want to hire Soroush in any way since he had all this connection to the Ajax Team as recently as 2011.

As far as I have seen in my intelligence gathering on the current iteration of the Ajax Security Team, these are the players. The sites all came down due to non payment of domain costs and incidentally the blogs by cair3x are now gone as well post the FireEye report so at least there’s a good bit of intel that at least Ali was part of this phish campaign. It’s just the level at which he was involved that is at question. Overall though I would say that he and Keyvan were the ones doing this and that they certainly have not progressed to 3l337 ninja status or Chinese levels with this showing.

 

Screenshot from 2014-05-14 13:16:57

 

Screenshot from 2014-05-14 13:15:50

Screenshot from 2014-05-14 13:15:50

 

Screenshot from 2014-05-14 12:38:19

 

Screenshot from 2014-05-14 11:31:35

 

Screenshot from 2014-05-14 11:35:48

 

Screenshot from 2014-05-14 11:28:35

-lUn-5bw.png:small

 

Screenshot from 2014-05-14 11:35:32

 

TEXT

Threat Intelligence Report for AJAX SECURITY TEAM:

 

Screenshot from 2014-05-14 13:10:03

Screenshot from 2014-05-14 13:10:17

My final analysis is that this group of guys decided to get in on the action and they schooled up a bit on how APT act. They got some workable malware and set up a phish site with C&C’s to do their work and spammed a company within the DIB. The attack wasn’t overly exotic and the methods were lowest common denominator. If it was in fact something that the state of Iran was backing they certainly weren’t doing it very closely (i.e. monitoring these kids and helping them with technical know how) so my conclusion is that they did it on their own.

I do not think that the group is in fact working with other groups in Iran and evidence shows that even within the Islamic hacking scene these guys are small potato’s and were even prey to the hacking of one site by the JM511 in 2012 (passwords dumped and ID’s loosed) …So really it’s not a homogenous and formidable force we face coming out of Iran. Now that Ali (Cair3x) has been on a deletion spree I am sure that they will back up and take another look at how they might go about this in the future. Perhaps they will learn and get better. What I really would like to know though is just how much if any data was exfiltrated to Ajax with this phish campaign? This is something that FireEye nor anyone else is talking about so I assume that not much was made off with.

So, how does this report from FireEye help anyone other than what to look for as hashes go? No reports on the emails sent (structure, wording etc) to help people look for them in their spam systems. No real intel on who these guys are and why they are doing what they are doing other than the notions of national pride either. What are their targets? What are they looking to take if they are taking anything? What should we all as readers of this report be looking for to stop them?

….. ….. …..

Yeah, thanks FireEye for nothing. I guess it’s just buy our service and we will protect you eh?

This is one of my major beef’s with “Threat Intelligence” hawkers today. There’s barely even a C&C in this report that can be used. I mean this is all after the fact and it’s not a campaign as far as I can tell that is going on today so why report it? A fireside read is it? At the very least NAME THE ACTORS and make them uncomfortable. I guess it’s more about the cool factor along with the button pushing that gets the marketing wheels spinning eh?

Hey Ajax Team (Keyvan, and Ali) I see you.

K.

 

Written by Krypt3ia

2014/05/14 at 20:52

ASSESSMENT: Tesco.com Hack and Account Drop

with one comment

Screenshot from 2014-02-17 08:56:17

TESCO Dump:

Screenshot from 2014-02-17 09:04:27

Two thousand accounts and passwords to Tesco.com’s site were dumped on Pastebin 2/12/14 and it set the news all a twitter about how Tesco had been hacked. The accounts and passwords have all been deactivated and changed according to Tesco and if they had it their way I am sure they’d just like to move on. However, the news on the hack has as yet been unclear as to how it happened. In looking around the usual dirty corners of the internet I have found a few details about how common it seems companies like Tesco have been the target of these kinds of attacks. I found trails of chatter going back to August of last year talking about how to go about abusing the Tesco online system to order goods and have them delivered in many places as well as offers by coders for scripts and programs to carry out the attack that seems to have befallen Tesco.

Tesco_Checker.exe and Freelancers:

Screenshot from 2014-02-17 09:45:45

Screenshot from 2014-02-17 09:03:45

One of the first hits that I located was talk of a “Tesco Account Checker” program back in October of last year. I was unable (as yet) to locate the live download of the program but above you can see a screen shot of one of the common file sharing sites where it was hosted back then. This program allegedly checks the site by imputing user ID’s (emails) and passwords which it will check for a (200) on the site and output a report much like what was uploaded to Pastebin recently. In fact there are many offerings out there for these kinds of scripts and programs that will work on many sites and some of them have a brute force element as well. It has yet to be determined though if the Tesco event was an actual hack on their systems with something like these programs or if the Pastebin dump was just a shot over the bow from data gathered and tested with a new tool. Of course Tesco was also not very strong on their security for their passwords or their practices here with six character non complex passwords and a tendency to send pass resets in email clear text. These factors may also have been at play in this dump of the two thousand accounts actually occurring but it still doesn’t elucidate on why someone would just dump them there and not just use them.

Carding Forums:

 

Screenshot from 2014-02-17 09:07:05

Screenshot from 2014-02-17 09:07:23

Tied to the scripts and programs being created for the purpose of checking accounts at Tesco and other places, the carding forums make their appearance selling the data culled as well as giving short tutorials on how to check balances and such. As seen above there are at least two different groups of carders involved in this incident (v3ch4j.cc as well as tuxedocrew.biz) so it seems that perhaps it may have been more than 2k accounts compromised and may in fact be being sold on their closed markets today. It does seem though that these guys are in it for the purchase of goods then having them shipped as Tesco is an online super market. There are posts asking how to get food sent and how to scam the site to get that food so it seems that this has been going on for some time now. Tesco users may want to check into their accounts for small charges that may have gone unnoticed as well as Tesco themselves should be looking at a full scale DFIR on their systems to see just what has happened here.

ANALYSIS:

Screenshot from 2014-02-17 09:07:41

The overall analysis here is that Tesco was using insecure processes to generate passwords as well as reset them for people (in the clear in email) as well as perhaps had been under attack for some time (since last summer really) by these attackers. Probes of their site should have been noticed and one would hope that Tesco would have some sort of intelligence gathering to tell them when these types of campaigns are being created. My Googling only took about 15 minutes and I had a plethora of data on who was talking about this script as well as methods to cheat Tesco out of goods online. The upshot here is these guys weren’t really hiding very well and this stuff should be monitored. If they had been paying attention though they might have noticed Moad Abo Al Sheakh (G+ above) who posted a tutorial on using the Tesco account checking tool on his blog under the title “no secret her” and aside from his poor typing/spelling skills, lays it out pretty plainly. Overall this isn’t a Target attack on the scale of interesting but it does show just how poorly some places treat security as a primary goal only to get popped and dumped on Pastebin.

K.

Written by Krypt3ia

2014/02/17 at 15:26

Posted in ASSESSMENT, Hacking