Archive for the ‘CyberFAIL’ Category
Amaq News Malware Attempt Using Old Malware
Amaq Hack:
Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.
As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 rat that everyone see’s to pwn an alleged 600 click happy jihadi’s?
REALLY?
Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.
Domains:
After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of alibenmohaed216@gmail.com is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.
Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and are serving out the malware:
Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below) The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like ad13.de have nothing to do with all that and in fact ad13 is much much older a domain. Ad13 was originally created in around 2013 and was decomissioned around October 2016 with changes made to the domain in July 2016.
When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.
Here you go!
IOC’s:
Malware:
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
http://urlquery.net/report.php?id=1490856486148
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ —> Malware
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/ZDgyOWFkYTIwNjdlNGJjOWE2MTMwYjQwYmJmNmRiN2M/
Domains:
https://virustotal.com/en/domain/saitamasinse.com/information/
https://www.threatcrowd.org/domain.php?domain=amqqq.xyz
https://virustotal.com/en/domain/saitamasinsefesa1forall.com/information/
https://virustotal.com/en/domain/saitamasinsefesa1formelol.com/information/
https://virustotal.com/en/domain/fgssaitamasinsefesabgformelol.com/information/
https://www.threatcrowd.org/domain.php?domain=saitamasinse.com
https://www.threatcrowd.org/domain.php?domain=ad13.de
https://www.threatcrowd.org/ip.php?ip=66.85.157.86
Malware:
The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.
These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?
Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.
The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.
Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?
I am still deciding…
K.
EquationGroup, ShadowBrokers, and Loving The Cyber Pathogen Bomb
We all knew that this shit was going on but now it’s reaching epic cyber douchery levels kids…
Monday:
Hey someone posted some shit on the Github and the everywhere! LOOK!
DOWNLOAD
DOWNLOAD
DOWNLOAD
Tuesday:
Shiiiit this stuff looks kinda real!
FUCK THEY TOOK DOWN ALL THE LINKS!
…EXCEPT MEGA OF COURSE…
LOOK! RC5 and RC6 Implementations match EQUATION GROUP!
ERMEGERD!
LOOK ODAYS!
SNOWMAN SAYS LAY OFF RUSSIA BECAUSE YOU WAKE DA BEAR! (Uhh hey, can I have my dacha now? I have been a good comrade)
ASS-ANGE FROM HIS EVITA BALCONY: WE HAVE ALL THE SHIT AND WE WILL BE POSTING IT BECAUSE FUCK YOU ALL!
Wednesday:
SECRET SQUIRRELS FORMERLY AT NSA SAY HOLY SHIT!
SECRET SQUIRRELS AT TAO SAY OOPS!
SECRET SQUIRRELS AT TAO SAY THIS IS RUSSIA BY GOD!
Fuckery. It’s all fuckery kids. The world is at war already and the populace never got a vote on this one. These scripts and exploits are just the tip of the 2013 iceberg and the reality is that knowing what the likes of J-39 and their ilk were hoping for back in the day we are well and truly fucked if they decide to go all out cyberdouche. Now we have this almost parity with this leak by who? The 2016 cyber equivalent of the Rosenbergs? I haven’t a fucking clue and no one else does as to who did this and why. No really, fuck you if you say you do. And if you attempt to “treat intelligence cyber attribute” this shit you are only trying to get clicks for ads.
But seriously, the biggest issue I have with all of this is that while we are all slobbering over the dump and the potential one to come no one seems to be talking about how fucked up this is. While these guys are making and buying 0days and pwning foreign nations our own infrastructure lays like a burned out whore in the missionary position. We are prosecuting the war but we are not securing the “homeland” for shit and we see it every day. See, the rub of it all is that corporations are the ones that hold the infrastructure and fuck all trying to make them become secure through legislation or any kinds of rules. So here we are with all our shit in the wind to start with, no mass movements to secure the nations everything, and now a dump of just some of our cyber weapons has been spilled online as a big fat fuck you.
Yeah, I feel good about where we are.
Still, the shit is three years old.. Who’s to say that those sploits still work on systems in China let’s say. Anyone checked by the way? Anyone?… Well in any case either someone fucked up and left this shit on a server in 2013 to now OR as some have intoned, this was an insider. Either case still leads to the inevitable fuckery the nations have all been up to and we are not alone, not by a long shot. Some have said that the NSA should be securing things and I just laugh and laugh at that. What the fuck do you think their operational aegis is anyway? It’s to break all the things and own them! So all you who look to Ft. Meade for any solutions are just deluded. Nope, the war is on, it is hot, and it is all under cover. When someone finally decides to go batshit they will unleash all the sploits in tandem with kinetic operations and that will be it. A real hot war will erupt.
It’s still true.. We are the reason we can’t have anything nice.
Oh well, at the end of the day there’s fuck all we can do. The shit is in the wind and now everyone has it. It will be used as a platform of attack until all the things are patched but in between they will be used for whatever ends lone actors or nation states feel like using them for.
Yay.
Move on.
K.
Wait Till October…
There is so much talk about the leak by Wikileaks of the DNC emails (20k) which is only a partial dump I think in the end. Much of the Tweet stream is going on about how this is likely the KGB (No, I will not call them FSB) and how this is bad in so many ways. The DNC dump Friday has been fun to go through from the perspective of laughing at their hubris and gawking at the people involved, the money, and the fuckery. However, once you get past all the schadenfreude you start to realize just how fucked we all are.
First you begin to realize just how dirty and full of fuckery politics is to start, that is if you aren’t already jaded about this shit. Then you realize the proportions of the fuckery when you see proof of some of the things that go on via the leaks from the DNC’s and Hill’s toilet server and you think
“What the SHIT?”
You take a shot of whiskey and crawl back into your lizard brain for a while to get away from it all.
Once you have ruminated on all of this then you start to ponder on the motives and the actions taken by the actors here. They hack Hill’s server in the disused crapper and then DNC’s systems? Or was it the opposite? What is the motive here? Is this a hack by some kids to upset the political apple cart? Or is this something more? Is this a nation state? The attribution firms are in high gear promoting their theories but this time I will go with what Crowdstrike is selling.
Pooty and his funtime band are doing a number on us is my vote too and fuck are they pulling a whammy using our own political fuckery to destabilize all the things. This has been the hack that I would consider to be an outright CIA styled destabilization operation, the kind that you would find material online on (think South American fruit and sugar) with a cyber cyber twist. Even Nixon, who pulled this kind of shit with the plumbers and Watergate would be envious right? The only difference here is that Nixon got caught. Pooty is not gonna get caught because of the nature of hacking, attribution, and cyber cyber cyber.
Once you start to look at it as a destabilization operation against the US then you have to look at the possible goals here. The US is on a five front war? How many fuck fronts is it now anyway? We are precariously teetering on the edge of failing empire, and we have these nitwits (both party candidates) running for office, both of them now tainted beyond redemption. Hillary with bathroom servers, no malware protections, and not even the forethought or ability to hire people to help them secure her shit properly? Then she goes on to consider their machinations safe for fucking un-encrypted classified email?
JESUS FUCK!
*deep breath*
Then we have Trump, with his.. Well.. His everything. He is the worst candidate I could ever think of and yet here we are, he is the RNC candidate. We are well and truly fucked. I can only imagine the security posture of his systems but gee, no one has hacked him.. Have they? If they have no one has leaked anything… Yet. I am sure his servers are full of dirty shit too.
Ok, so yeah, here we are in July and November rapidly approaches. We have Trump as the official RNC candidate for ORANGE CAESAR which scares the living fuck out of me, and we have Hillary, the lady who flouts all security measures for ease of use…Wait… Shit, that really is everyone ain’t it? HELL that is most of corporate MURICA! God dammit we are so fucked!
Anyway, Hill goes on to mishandle CLASSIFIED information and skates on it while frankly others have been pilloried for less. Truly people, with the leaks so far and just the epic fuckery of the race, I am just crawling into that lizard brain more and more with the help of a good grain alcohol. The problem is I keep coming back to lucidity and then hear/see/read the news and end up chugging the shit again to make it go away!
The sad thing is that what we have seen is just the tip of the shitberg. Trust me, wait till October when the real revelatory emails show up. It’s called and “October Surprise” and fuck it’s gonna make Hunter’s worst drug and loathing fueled nightmares seem tame in comparison. Think about it people, Pooty and the KGB are easily, handily, fucking us all over with the cudgel of our own hubris and lack of due care.
All the while these fuckheads are crafting all our dooms with malware and cyber cyber cyber WAR that would make Dr. Strangelove weep in ecstasy. While they argue over surveillance as good and crypto as bad they really don’t comprehending any of it. If it weren’t true it would make one hell of a farcical film. Unfortunately for us it is true, and it is happening today. We the people are the ones being fucked over by their collective business as usual in so many ways.
This isn’t over kids…
Put your helmets on and wait for October for the last of the dumps. I am fairly certain some shit will come out and in the end MURICA will begin it’s 2nd empire with an orange, small handed, orangutan at the helm of this country. Hunter was smart to have left because if he were alive now he would be reaching for the shotgun all over again in much more despair.
Dr. K.
PS.. I have written about possible motives recently… You might wanna take a look.
The QNB Hack: Cui Bono?
The Dump
The recent dump of data from the Qatari National Bank was of interest to me and many others because it was purporting to have the accounts and identities of spies within it’s csv and text files. I downloaded the files from Cryptome thanks to someone pointing me in their direction and took a nice long look. As the story has unfolded it has come to light that the bank itself says the data is real and that they are now “completely secure” which is amusing given that this was an ols SQLi attack that netted this Turkish hacker group the jewels of QNB.
The dump consists of the oracle database files, the passwords, and the banking information of all the users therein. I have to say that most of it is really quite pedestrian but then the hackers, or the bank management, created file folders (as seen above) that marked people as spies, Mukhabarat, Security, Gov, and other tantalizing names. I first had thought that the file folders and their speculative names had been created by the hackers to sex up their dump but it has come to light that if you look within the database dump itself you see the directories and names have headings like intelligence and defence. So it seems that the bank itself may in point of fact created these tags in the belief or inside knowledge that the people in the data were in fact what they claimed, or at least thought they were.
The Spies
I looked at all the interesting folders and the data all the while wondering about the validity of the idea that these names were in fact corresponding to real assets, NOC’s or just functionaries in Qatari space that had just been quite well blown by this hack and subsequent data dump. On the whole I would call into question all of the names being linked directly to espionage organs. I really have to wonder if the bank would in fact be that “in the know” about spooks in their country and really have to be circumspect about their putting that in the users bank records. I mean even the Mukhabarat would at least demand that it be obfuscated one would hope by a code of some sort and not just in the headers/directories themselves.
It really kind of feels like the natural tendencies of the Arab nature had gotten the best of the database admin and the managers of the bank and they believed that these people were spies without there being any real proof. In any case, if these people, especially those who are FORN and in country, now may have some trouble with people thinking that they are really spies and subject to attacks. Imagine if you will any jihadi types who might take this data as gospel and go after these people for da’esh or AQ. This could be bad. I have yet to hear of anyone leaving their positions or the country. If I were one of them I would at least be looking over my shoulder henceforth.
The other data I can see perhaps the military accounts and names being totally on the money because they are their own Ministry of Defence and really, that is not top secret stuff. Likely the bank see’s where these people get their pay from (Qatari funds from the gov) but even these people could now be targets because this hack was motivated by political means it seems after all.
Cui Bono?
It seems that the Bozkurtlar (Grey Wolves) a Turkish political group and their hackers were the perpetrators of this hack. There is a long history between Turkey and Qatar and most of it seems kind of benign but when you scratch the surface a bit you can see that there are some issues between them as well as some synergies in their support of certain terrorist groups like da’esh. (click linked image below)
So, “Cui Bono?” Well, certainly the Grey Wolves, to what end I am not completely sure. They did post their video before the hack hit the pastebins out on the net so it was pretty much their gig but I still don’t quite understand why. Perhaps these hackers are quasi wolves and or it is some other entity using the wolves as a cover for their activities. Given that there has been no real perceived fire coming out of Qatar over this nor in other areas of the world that we are aware of, I kind of doubt all these people were in fact assets of foreign powers.
At the end of the day, this just turns out to be yet another derpy easy hack using SQLi on an entity that wasn’t performing any due diligence but it had the sexy sexy for the masses with the idea that some great hack exposing spies had occurred. In my opinion not so much really. So hey Grey Wolves, gimme some more context would you than some poos British shmucks MySpace page in the future would you?
K.
Fear and Loathing On The Internet: A Savage Journey to the Heart of the Cyber Trenches
Image courtesy of GonzoPhD
O’Five Hundred
It was 5am and the coffee had just started to brew when I saw the tweets that the DPRK was back online. Immediately my bloodshot eyes closed in salutation because the game was on. I booted up the laptop and got the old terminal up and typed the old familiar line $ nmap -Pn 175.45.176.0/24. I hit enter and began the worship of caffeine as is my custom at this ungodly hour that I find myself in my old age waking up to more often.
Once the coffee had been poured I came back to my comfortable seat to find that one IP address in the subnet (/24) had come up with all kinds of ports open! “Ooooh, this will be interesting” I thought as I began to play with the ports in my browser and other tools. Little did I know then what I would know now about life in the 21st century cyber war!
No sooner had I begun to poke at the ports I began to sense dark forces moving against me. I decided to forge ahead though and hit the second sub that DPRK has. The Nmap began unleashing it’s port scanning hell upon the enemy and I went back to the SMTP server that I had located. It began to offer up it’s dirty flower to me as I poked and prodded. It seemed that because the DPRK had been down since the night or so before they were still recovering, their firewall still trying to come back from the oblivion that had been wrought upon it by… Whoever.
O’Five Thirty
As I started to get bored with the one address that was available I decided to turn on the old iPad and listen to a flick while playing. I had not been watching long when all of a sudden WHAM! I could feel the palpable blow from my.. Nay, OUR enemy! The DPRK had hit back! My iPad stopped mid sentence and began to just become completely verklempt. I checked the wireless sig and it was fine… What in holy hell was happening! A creeping feeling of dread began to creep up my coccyx with a cyber chill! “Could it be that the infernal Kim Jong Un has hit me?” I thought to myself. “Nah, just a wireless issue” I mused but I decided to check. I brought up my browser and hit the router address… Nada.
“Uh oh”
I flew to my office and booted up another wired box and frantically hit the router again… 500 error…
“Shit!”
I sat and pondered it all.. I had just become a casualty of the great cyber war of 2014! My router was offline, my shit was smoking and I knew that that creeping feeling of cold dread from my coccyx was in fact the cruel reality… I had been DDoS’d!!
O’Five Thirty Five and Three Seconds
I rebooted the everything and began to work the systems. I had my cyber helmet on now and I was prepared to fire a new salvo at the dreadnaught that was DPRK! The router cycled, the IPS… The Wireless… I frantically typed in the address for the IPS and began looking at logs. I scanned as the caffeine began to really sing in my veins to see the following addresses had hit me like a metric shit ton of SYN!
222.220.35.5
222.66.55.245
183.61.244.73
125.227.197.158
222.186.15.161
It was all there in black and white. The wiley Kim Jong Un and his frightening UNIT 121 had hit me with the dreaded SYN FLOOD! But wait, what? Those addresses aren’t DPRK! They are all in CHINA!
*cold sweat begins to trickle down my back with the realization that I had begun a new international incident!*
“CHINA! CHINA!” I yelled at the screen. I tried to calm myself and remember my cyber attribution training! “The IP’s are in China! I am being attacked by China! It’s incontrovertible! It’s China attacking me as a proxy for DPRK! MY GOD!” This is when the klaxons began going off.
INBOUND PACKETS!
WHAM!
I was hit again wave after wave from China. There was no way around it. I had to declare cyber war on DPRK because China attacked me after I used a network tool on DPRK addresses!
DAMN THE CYBER TORPEDOS!
The packets flew and the Chinese hit me with everything they could. I could hear KJU screeching in the background yelling orders of more salvo’s against the capitalist cyber swine that was me!
WHAM!
BOOM!
My cyber helmet developed a crack and there was only one thing left to do… I blocked them on my firewall. The war ended then… At approximately 0540 hours the great “Cyber War” of 2014 ended. I looked around to see posters torn from walls.
The. Horror!
Now I am a veteran of the cyber wars… I still have not gotten my purple heart. Listen well you young men and women. Heed the tale of this cyber warrior and his time in the cyber trenches. Cyber war is cyber hell.
K.
Digital Jihad: The Great Irhabi Cyber War That Won’t Be.
Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.
Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.
They are now boasting it is only a matter of time before their plan becomes a reality.
The Great Cyber Jihad
Since Junaid Hussain escaped over the border to the new lands of jihad (aka Syria) he has been vocal on Twitter showing off his great cyber manhood in classic irhabi bloviating online. That Junaid made some inroads by hacking into the prime minister’s email address at Gmail only lends him dubious credit to his hacking skills to a person involved in the security field. This however is not how the great unwashed within the media and certain quarters of the government and the military seem to perceive the threat posed by Junaid today now that he is an ISIL irhabi.
Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.
Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.
They are now boasting it is only a matter of time before their plan becomes a reality.
The above text came from just one of the spate of recent reports on the great “Cyber Jihad” that is being touted to come from the likes of Junaid and ISIS/L as they attempt to expand their reach from the Middle East globally. This ls.particular commentary makes the bile rise within my gut on so many levels though. But that kind of pales in comparison to the one right below…
“We’re in a pre-9/11 moment with cyber,” John Carlin, assistant attorney in charge of the Justice Department’s National Security Division, warned at a July conference in Aspen. “It’s clear that the terrorists want to use cyber-enabled means to cause the maximum amount of destruction as they can to our infrastructure.”
PRE-9/11 OMG!!! Look you fuckwit if that were the case then China would have already put us out of our misery really. For that matter some half assed pot sodden kid who happened to hack into our grid would have taken us down years ago. There is just no need for this posturing and certainly above all coming from someone without a clue in their head about how things really work in the world of computer security. This kind of scare tactic aimed at getting people to respond in fear to allow for the government to do anything in the name of protecting us is vile.
Meanwhile you have other players such as the one below making statements of “ALL OUT CYBER WAR” while commenting on Anonymous’ operation against ISIS. I laughed and I laughed and I laughed until I just wanted to cry at the sheer stupidity of it all. Look, Anonymous can’t get their shit together enough to be both leaderless and effective so really, how much of an “ALL OUT CYBER WAR” can there be there huh? Do you even know what a cyber war really means? Cyber warfare is both digital and kinetic in it’s purest form and what kinetics did Anonymous really carry out in this operation to DoS ISIS offline?
Lemme give you a clue… None.
“Anonymous announced late last week a full scale cyber war against the Islamic State (Operation Ice ISIS), intended to attack ISIS supporters using social media for propaganda purposes”
So aside from the bloviating and the scare tactics coming out of ISIS itself we also have our responses from the government and the media with all their so called experts on cyber war and jihad. There is a lot of wankery going on here but finally this guy makes a little sense in the middle of his post on this mess…
ISIS’s main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the internet with video clips portraying the brutal acts of beheading and mass executions, as well as victory parades, as part of developing deterrence and creating an illusion of force in excess of the organization’s actual strength. The essence of its online activity, however, is broader. It enables its supporters to obtain operational information, including training in preparing explosives and car bombs, and religious rulings legitimizing massacres in regions under ISIS control. In tandem, it distributes indoctrination materials, such as a maagzine called Dabiq: The Return of Khilafah, which focuses mainly on topics relating to formation of the new Islamic state headed by ISIS leader Abu Bakr al-Baghdadi. However, ISIS’s technological expertise is not the only factor. Perhaps the public, which is revolted by the organization’s deeds but closely follows these clips and photos as a kind of reality show, is contributing a great deal to the organization’s popularity.
Yes, there it is.. ISIS has been carrying out a PROPAGANDA war primarily and with that comes from PSYOPS as well. This is the first true set of statements I have seen to date over this whole debacle. Ok, they are waging a propaganda war and a recruitment drive for sure but really, a cyber caliphate? I mean to date I have not seen this show up verbatim anywhere on the boards or on twitter so who’s leaping logic here? Seems to me that there’s a sucker born every minute and about 99% of them want to go into journalism nowadays.
A propaganda war using Twitter does not a cyber war make.
Cyber Warfare and Jihad
So let’s chat about the realities here about the capabilities of the Irhabi (ISIS/L or AQ or SEA) in a context of what we have seen so far. What have we seen you ask? Well, DoS, some data thievery, some malware use and phishing, but generally nothing spectacularly scary. Certainly nothing on the level of a nation state actor like China has been seen out of any of the loose groups that claim some jihadi notions online to date. So where do we get all this BOOGA BOOGA over the likes of Junaid Hussain and ISIS taking down our grids and things?
*squint*
Yeah, there’s no there there. I am sorry but even if ISIS/L used it’s monies that it has stolen over the last months to set up a “cyber team” they still would be LIGHT YEARS behind the likes of China.. Hell they would even be way behind Iran for that matter so really, there is nothing to fear here. Never mind that many of these guys like Junaid are working in countries that are actively being bombed and shooting is happening so really, how much longer does Juny have anyway before he gets a Hellfile missile up his ass?
Truly the cyber jihad is a non starter for me and it should be for you too. On the other end of that equation though is the fact that they are actively recruiting and getting their message out using social media and this is a problem. Now don’t get me wrong, it is not a clear and present danger kind of thing because really, 100 Americans out of how many people seeing their online drivel have actually left the country to go to jihad pretty much gives a sense of the threat. You have to be pretty unbalanced to want to do this shit to start with so if you get up and leave the country to join up you are a truly unbalanced person to start. One so easily swayed by the propaganda wing of ISIS needs help and what they will certainly get is a bullet instead while fighting. Even ISISL really doesn’t care about the Takfiri, you see kids, they are just bodies to be used… Nothing more. They may call you brother but under their breath they call you fodder.
Much Ado About Nothing
The reality is that ISIS is more a conventional force than anything else. They are not as well planned as AQ and they tend to be one dimensional thinkers. I will admit that their propaganda war has been interesting to watch but I don’t see that it is an existential threat. In fact, I concur with the assessment that AQ is still the real player here who can strike at the US and had a better track record thus far. Surely if ISIS continues to carry out the propaganda war they may garner more recruits but I just don’t see them being that inspirational to get lone wolves to activate/radicalize. I certainly don’t see them being able to put teams together to hack our infrastructure and take us down either. In fact I am not a proponent of that line of thinking anyway as a great threat. Our systems are too complex and fragmented to allow for such a spectacular attack.
So please news media… STFU.
K.
ASSESSMENT: The Islamic Cyber Resistance: Wikileaks.ir Bin Laden Group and Mossad Dumps
Dmvtz MCB!
The Islamic Cyber Resistance:
It seems that there is a new player in the cyber town and they call themselves the Islamic Cyber Resistance ( هيئة دعم المقاومة الاسلامية في لبنان ) They are loosely affiliated with Anonymous and it also seems perhaps the Syrian Electronic Army due to a combined hack effort recently. In the case of the Wikileaks.ir dump however they seem to be working on their own and doing so because of the loss of Hassan Lakkis a Hezbollah commander who was killed near his home recently. The ICR dump was to “honor” him and to perhaps get people energized to do more even using “rememberhassan” as the password to the rar files uploaded to the net. I do wonder though at just how newly minted the ICR is because they have no Facebook site, no website that can be found as yet and little mention until recently. The are affiliated with Hezbollah notionally and seem to have ties to moqwama.org, the Hezbollah resource site which collects support for the Hezbollah organization. Ostensibly this hack attack against the Mossad and other entities and this dump were revenge for what is perceived as Israel’s killing of Hassan but the realities of the dump (which I will go into below) are much less vengeance and more an attempt to grab the spotlight in the great cyber jihad.
Hassan Lakkis
OPIsrael with Anonymous
moqwama.org front page
WHOIS of moqwama.org
Wikileaks.ir:
Meanwhile there’s a new Wikileaks in town and that is the Wikileaks.ir domain and site that these dumps were announced and posted on. It seems that the Wikileaks.ir domain has been around for a few years now and stared off as a WordPress site that wanted to be affiliated from the get go. However, it seems that the site was not an official one nor is it today according to what I have found looking around the internet. The domain is currently owned by someone calling themselves Ehsan Goorabi, who according to searches has been a graphic designer/web designer/printer owning his own business called “Lemon Graphics” in Lebanon. It turns out that Eshan is also in fact now a CEH so this kind of ties a nice little cyber bow on him as perhaps being a part of if not the main player in the ICR. The wikileaks.ir site is now getting play within the media and I am sure is getting plenty of traffic. However, after looking at all the dumps on there I just don’t see anything really spectacular in the way of secret information. In fact what can be found is the usual rhetoric and talk but no real shock and awe.
WHOIS wikileaks.ir
Ehsan Goorabi CEH
Ehsan Goorabi Printer
Wikileaks.ir FOR SALE!
The Dump:
The data dump in memory of Hassan too was pretty much a re-hash of data already out there in other dumps. The alleged hacking of Mossad data (personnel data seen already out there) and the alleged hack of the Bin Laden Group (BLG) Now the ICR and the WL site claims that there is some real bombshell information here but in reality it’s all just common data from the company that was hacked. PDF files and emails on daily business things that after looking at are nothing at all to be interested in even if there are claims of shoddy workmanship and perhaps some fraud. If you listened to the ICR they would have you believe it shows complicity with the government and other terrible things. Honestly though what would this data really mean to anyone within AQ, who nominally are mentioned in the dumps other than a sleight against the Bin Laden family who begat OBL in the first place? I guess time will tell if the dumps get better with this crew but to date they certainly aren’t stellar and more than certainly not worthy of all the press attention that this has garnered them.
Cyber Jihad:
So, the cyber jihad is on evidently. Well perhaps not a jihad, but at least a resistance as the moniker places them. It would seem that the ICR and SEA, who are already working together, along with the Wikileaks.ir site may be something to keep an eye on if they get their acts together. SEA has been very active with low end hacks that grab headlines but really don’t create any substantive change. In aligning with the Wikileaks ethos though perhaps they will seek to out corruption within their area of influence. Maybe they will just keep flailing along in hopes of garnering the attention they seek, we shall see in the near future I imagine. I do wonder though at the alleged connections with IRGC though. To date these seem to be just pipe dreams of the media though. I cannot see my way to seeing any kind of IRGC support here because these people lack OPSEC as well as skill it seems from what they have laid out so far. In fact I think SEA, as lame as their attacks have been in real impact, are much more technically capable than the ICR today.
It will be interesting to keep an eye on these guys and see what they come up with next….
K.
DPR: Not so dread inspiring but surely now full of dread….
zwfviyhpjvezupkhcfz?
No one would surrender to the Dread Pirate Ulbricht.
Well the news cycle exploded this week with the arrest of Ross Ulbricht aka DPR or if you like The Dread Pirate Roberts of Princess Bride and now Silk Road fame. The schadenfreude here had been epic as the criminal empire that was one of the largest in the darknet was taken down because the “pirate” could not comprehend how to carry out OPSEC properly. What lead to this guy’s demise was some good old fashioned internet gumshoe work by an SA who also worked on the Sabu case back last year. Ross it seems decided to use his personal Gmail address for postings pimping Silk Road as well as other assets that tied it all together digitally back to him. Not the best of OPSEC here Ross.
I challenge you to a battle of wits.
Anyway Ross had an idea and that idea was pretty interesting in that he wanted to use the darknet to have a Libertarian nirvana of commerce for just about anything. He set up his site, maintained it himself for a time, and then began to realize that he could not do it alone and this is where things start to go wrong. You see, when you run something yourself you only have yourself to deal with. When you start bringing in people to work for you and they know things about you (and you will always slip up here and give things away unless you are a trained spook) and that makes them a liability to your Operational Security. Ross learned this the hard way I suppose in that he started to feel that people needed to be whacked because they knew too much.
Meanwhile the OPSEC failures that Ross had made were steadily creeping up on him. So too were the UC’s on Silk Road who worked their way into the boards making deals and gaining his trust. In the end Ross decided that one of the UC’s was actually a cool Huggy Bear kind of guy and asked him to whack one of his administrators who he felt was a threat… OOOPS! If it’s one thing a Dread Pirate should know is to “Trust No One” but Ross I guess did not read that lesson in his Econ Theory classes. I guess it’s just another pointer I would make to all of you would be Pirates or Ninja’s out there … You can’t trust anyone. Oh, and yeah unless you are trained for this at say Langley or maybe Академия федеральной службы безопасности Российской Федерации you are more than likely to fuck up majorly and end up in the clink with Ross and many others. I have to say though that the idea of using the darknet and all the means that Ross had put together was a pretty good plan. The only real hitch was that he never took into account that he was going to be going up against a nation state(s) and they always win.
Hey, at least he didn’t fall for that land war in Asia thing right? …..
Look, are you just fiddling around with me or what?
So Ross went on to become the ersatz Walter White of the darknet until one day at his apartment in San Fran his doorbell rang. At the door was ICE/DHS and they had an interesting package for him in their hands. The package was full of ID’s with his face on them but not his name and when asked about them according to the complaint/affidavit his answer was “Anyone could get documents like these online at places like Silk Road” which let me tell you Ross, isn’t the thing you want to be saying here. After some questions and answers it seems the ICE/DHS folks went away which is confusing to me. First off, I surmize that the ICE Q&A was just a front for the FBI’s ongoing investigation into Ross but really, why tip their hand like that? If I were Ross I would have closed the door, waved at the feds through the window, watched them leave and RAN to my system to have a fire sale at Silk Road. I would have chosen a new DPR and been on my way to a non extradition country but ol’ Ross?
…..Nope.
Ross instead of cutting and running doubled down! He went on to do an interview with Forbes and continued on his way doing the business of being the “Dread Pirate” which let me tell you son, was one of the most ballsy and stupid things I have seen since Barrett Brown on camera threatened federal officers lives. Ross what were you thinking? I mean damn dude, did you really think you were Walter White? Oh well I guess time will tell as interviews are carried out or data dumps come from the feds as we go along slouching toward a plea bargain. Perhaps though your cognitive dissonance between personae online and offline just sort of short circuited you out and you couldn’t do anything other than carry on thinking you were covered.
Time will tell… But let this be a lesson to all you would be Pirates out there. You may call yourself a pirate or a ninja or even a Ninja Pirate but you really are just some shmuck with a grandiose sense of the self instilled in you by your helicopter parents who always told you just how fucking special and magnificent you were. So as you sit in federal pound you in the ass prison Ross take heart, for I am sure there will be another DPR someday in the darknets ….Sailing the dark digital waters with the shrieking eels that will some day end up in the cell next to yours where you can commiserate.
K.
WEAPONS OF MASS INANITY: MIKE HAYDEN RETIRES BUT NEVER GOES AWAY
oepseqlrndhrypgwcqvo
LADIES AND GENTS, THE NEW DOCTOR CYBERLOVE IS….
What is it Mike? Why do you feel you need to sit and smirk on panels while spinning more and more exotic fantasist tales about the terrible cyber future out there? For that matter why do you feel compelled to joke about putting Ed Snowden on a kill list? I mean, you are retired man! You should be somewhere warm with your wife, sitting on a porch sipping a warm beer and enjoying life. Instead you are making the rounds trying increasingly more boldly to steal Dr. Cyberlove’s (Richard Clarke) thunder? What is up with you man? I mean are you trying to sell services or some kind of security appliance to the masses now that you are on that sweet sweet government pension? Or is it that you are now able to be the center of attention and talk after being bottled up so long as a secret squirrel at NSA?
Well in any case you are taking THE PRIZE with this little story you told about “CYBER MASS SHOOTERS!!” WHOA dude you went completely plaid with this one! You have my attention at the very least! Well, that may not be so good though having my attention but I digress. Shall I tell the folks out there what I think about your little story?
*looks conspiratorially at the crowd and ushers them closer with an eyebrow waggle*
BOLLOCKS! It’s absolu-fucking-lutely bollocks my friend! Holy what the hell? Dude you are delusional and those panels that people are inviting you to increasingly are going to be comprised of you and Alex Jones having aneurysm fights.
ZOMG IT’S A CYBER MASS SHOOTER WITH METASPLOIT! TAKE COVER!
The fastest-growing cyber threat is from a kind of digital mass shooter, a deranged or outraged hacker able to obtain cyberweapons currently available only to nation-states and organized crime, a former senior U.S. intelligence official said Thursday.
“They’re just mad, they’re mad at the world,” said retired Air ForceGen. Michael Hayden. “They may have demands that you or I cannot understand.”
Mr. Hayden warned that within five years hackers “will acquire the [cyberattack] capabilities that we now associate with criminal gangs or nation states,” such as being able to conduct online sabotage of industrial control systems that run power plants, factories and utilities.
Looks at that statements over and over and over again always having the same vapor lock.. HOLY WTF? Who do you think invented this shit in the first place? The hackers, the criminals, and YOU GUYS Mike! I cannot fathom just how clueless Mike seems here. I mean, he was in charge of the NSA so how could he be so out of touch? Perhaps he has early onset Alzheimers? Did he eat the British beef in the 80’s?
*shakes head*
Ok so yeah “cyber mass shooters” I am trying to stifle a giggle every time I say it in my head. I don’t think Mike has really thought this one through. Has he seen the hackers out there? Has he got a good grasp of the infrastructure as well that we have? I mean HOLY COW! First off, let’s look at the hackers. It would take a cabal to do what he is talking about. The only cabals I know of are the criminal gangs, the nation states, and maybe Anonymous. So yeah, it’s all groups Mike, not one sole hacker master mind. I mean really, we aren’t all Thomas Jane ya know..
*slips in Die Hard refence #score!*
Next we have the idea that one sole hacker is going to be able to attack the “infrastructure” in a way that will be able to take it down. Uh yeah Mike, I’m sorry but that is just not so easy. I mean, it’s not like all the power companies run all the same things and are all connected to the same subnet mmkay? No Mike, it will take nation state patience, money, and access to take down a section of the grid for example and cause mass annoyance. There will not be “mass casualties” as you allude to and what did you say.. “Dislocation”???
Head—>Desk—>Head—>Desk
Following that stellar statement we have this claptrap about how the hacker can now have “cyber weapons” like those of the nation state. Let me disabuse you of this notion right now Mikey…
WE ALREADY HAVE THEM! AND WE ARE MAKING THEM EVERY DAY!
The derp on that statement makes me want to just punch some small furry critter in the nuts man. SEE WHAT YOU DO TO ME MIKE!?!? Look, if you have a copy of Metasploit you are now actually, according to you Mike, A MASS CYBER SHOOTER! Your statement is infantile and it is the WORST type of fear mongering I have seen since your predecessor Dr. Cyberlove (aka Richard Clarke)
*hangs head*
Lastly, let’s talk about this infinitely stupid comment about how the “mass cyber shooter” may have no “demands” that we can understand.
*blink*
What? Just how many movies have you been watching since you retired man? I think you have some real misinformation in your head from watching one too many Die Hard movies my friend. Wow.. Just WOW man! I am in awe of your derp on this one and that is a hard thing for me to do. I am almost speechless here …. Well not really.
THE NEW MINISTRY OF FEAR
Finally I think Mike has envisioned a new “Ministry of Fear” for us all to cling to in troubled times. He will be in charge of the ministry and he will make the rounds to all of the appropriate places to spew his stories of “cyber mass shooters” to a ravening lame stream media machine. Your hopes I am sure, are that you and your pals can scare the straights into compliance with the NSA pogroms you and yours have been carrying out and are now in trouble over. As long as you keep the fear levels at the right height, you and your pals can keep on keepin on with the tacit approval from the people.
Mike, you’d be wrong.
The Ministry of fear will fail and as long as you are out there saying these epic derptastic things I will be here countering them on my measly little blog. So, for the news media I will now break this down into small bytes, which I will then puree into a nice baby food consistency for you to slurp down.
//BEGIN
- There will be no singular cyber mass shooter it takes too much effort and coherence to pull something off like this.
- WE ALREADY HAVE THE TECH TO WREAK HAVOC I MEAN, HAVE YOU SEEN ANONYMOUS? MASS ANNOYANCE IS ALREADY HERE!
- If demands are made sure, you may have to look up some terms on Wikipedia or 4chan but hey, you will understand what “we” want so rest assured you will know.
- FINALLY: NO NO NO NO THE GRID WILL NOT COLLAPSE FROM A HACKER. THIS IS NOT A BRUCE WILLIS FILM! THE END IS NOT NYE.
END\\
God I need a drink…
K.
Krypt3ia 
Commentary: OPM Is Just Another Link In The CyberFail Chain
with 2 comments
OPM is the exemplar of how our government deals with information security, or should I say doesn’t deal with it. Some will say that there are many mitigating circumstances like old systems that cannot be updated that caused much of the failures that lead to the OPM being compromised for over a year. However, the subsequent pivoting by the adversaries into many other networks we have not begun to even discuss as a nation yet because we are now media and governmentally fixated on the fact that the adversary had access to SF86 forms. Forms mind you that should be one of the better protected things out of all the possible things the government holds in it’s systems. So far the discourse in the media has been more sensationally oriented on the magic secret code names that the likes of Crowdstrike and Mandiant have come up with respectively for actors. Actors that they claim with varying vociferousness are in fact China whether it be the PLA (People’s Liberation Army) or the MSS (Ministry of State Security) though neither is accepting the pure hubris of all their press releases and anonymous or semi anonymous back-channel chats with the media in hopes of more attention.
Whether or not these attacks were from China and their varying and vying espionage organs is rather irrelevant now and everyone needs to understand this. The cat is proverbially out of the bag here and by the cat slipping the bag, we now notice that the emperor who was holding that burlap sack of cat is in fact naked. Or at least that should be the story here but as you can see from the stories filed above by the New York Times alone, the real attention seems to be on the fact that China is in fact hacking us. Well, I am sorry but I have news for you all, they have been hacking us for a long time now and doing very well at it. The primary reason for their being so able to steal us blind though is not as the media and the government and the Mandiant or Crowdstrike’s of the world would like you think. The APT (Advanced Persistent Threat) it seems, does not have to be advanced. They just need to be persistent and might I add patient.
So when you read the headlines and the stories like those in the Times about the advanced malware called “Sakula” and how the tricksy Chinese have gotten administrator on OPM systems I cannot blame the uninitiated thinking that this is hard and that the Chinese actors are the equivalent of super villains hacking from beneath islands with skull faced volcano’s on them. After all, the media is teaching the people not in the know by these lede’s that computer security is unfathomable and hard. You know, like the comment by Archuleta in the Congressional hearing that “Security takes decades” No ma’am it doesn’t and as the congressman who yelled at you that day said, we don’t have decades. In fact, I would say that this game of Go is almost done and we aren’t winning. We have lost and the reasons we have lost are manifold but I would say that the root of it all is that we, America, have abdicated the notion of securing the things that we should have long ago. The excuses are many; because it would be costly, or hard, or perhaps more so due to government stagnation, self interest, and indolence.
I know that the majority of the readers of my blog are in the security community but I wanted this post to reach across the void to the everyman on this matter. I exhort you to read the stories in the news and to take a step back. Consider the following statements and really understand where we are today.
Brass tacks, we deserved to be hacked.
Sad but true.
So gentle reader, consider what I have told you here. The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it like say Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and Crowdstrike about the actors and who they may be. What matters is that the data was taken and the reason it was taken was because of poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately.
Physician heal thyself.
K.
Rate this:
Written by Krypt3ia
2015/06/22 at 14:09
Posted in .gov, China, Commentary, CyberFAIL