Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘.gov’ Category

Blackberry Forward of Emails and Excuses for Firing the FBI Director

leave a comment »

Given the events yesterday I am feeling like unburdening a little bit on the subject of the emails being forwarded by Huma Abedeen to the laptop at home in the custody of Anthony (Carlos Danger) Weiner. One of the reasons for Comey’s firing ostensibly was about his mis-statements over the emails being sent to the Weiner laptop that he opened the can of worms on and helped lose the election for Hillary (not the only reason people!) as they say. The fact of the matter is now everyone is saying that Huma’s emails were auto backed up and that the term “sending” them is a misnomer in a way because the then director had said she was forwarding them for printing out by Anthony or her at home. Let me stop you all right there and say there is no difference. The intent of forwarding the emails or backing them up to an email address accessed by or directed to that personal laptop is the key here. Someone had to set that up right? It was something that did not evolve by itself and just came into being!

The issue here is the semantics of language and perhaps comprehension of how things work in the cyber. Comey made a mistake in wording but the basis of the argument stands. Why was she forwarding or backing up all data to that laptop or account outside of the government systems appropriate for this series of email? This is the question you all should be asking and once again it was against protocol and yes there were emails in there that later were deemed to contain classified information. This makes it an issue and it was something that needed to be looked at. Now, as to how it was announced, well that is a judgement call on the part of the director and perhaps a bad one. I honestly listened to his testimony and saw both sides of the issue as well and there was no good answer here.

Now though the director has been fired in a most unceremonious way and all of this smells bad with regard to the RussiaGate investigation and abuse of power. Let’s not allow Trump to skew this one thing amongst all the others into a reason for his firing a direct threat to his presidency. The real truth is that Huma was sending email to a non secure site/system and that was the crux of the issue. Director Comey’s description of this incident has little do to in my opinion with his summary dismissal of the director.

K.

Written by Krypt3ia

2017/05/10 at 13:05

Posted in .gov, FUCKERY

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

Prosecuting The Russian Cyber War: Beyond The Hyperbole

leave a comment »

screenshot-from-2016-12-19-13-42-28

This weekend my father actually asked me what I thought Big O was gonna do to respond to the hacking of our elections. He continued in the same breath to ask if we were going to take out Russia’s grid or something like that. My first thought was to say “Noooo” and to then explain to him how that might go all kinetic real quick like on us if we did. My response to him yesterday will be the genesis of this blog post today for you all. Since everyone seems all hot and bothered as to how we will respond and not giving Big O the benefit of the doubt that he actually reads the PDB’s and thinks about them, I will boil it all down to what I would do against Russia and Pooty to thread the needle and not cause an escalation.

First:

I would undertake the review on what exactly happened with the IW/DISINFO/PSYOP/Hack that took place for the election. This is important to not only understand what happened, but to understand just how much damage was done and what actions it took to set that into motion. From this you can assess the response level you need and in this case it has been rather speculative as to what really went down. This I also really point at the whole argument that the election machines in key states may or may not have had some supply chain tampering going on. So far I personally have seen no evidence that there was enough of an investigation to rule this out.

Second:

I would look at the capabilities we have and the intelligence we have collected on Putin. Intel such as a good psych profile and anything on his wealth/business structure. With both of these I would seek to discern what would hurt him personally, not so much the country. I would also use the psych profile to determine in red teaming out what his responses would be to certain scenarios. In essence I would perform a game scenario simulation to get the best results for us and start to build a plan(s) on those.

Third:

I would, knowing that this attack was personal for Pooty, and given his nature (much like Trumps really) I would perform the following actions;

  1. Attack his finances. All of the dirty ones first.
  2. Attack him with whatever kompromat we have (CIA/NSA) in the same leaks style that we saw from the elections (See news today about Tillerson for a cue)
  3. IF we have the assets in place both digital and “other” I would work to counter ongoing efforts in Germany and France as well as other places where we know he wants to do the same thing politically

These are the things I would do in parallel to assessing the damage to our forward capacities regarding the ShadowBrokers recent tease. IF all of those exploits on there are real, then all of them have been compromised and burned. Any operations that may have used those tools are burned and any future use of them has been burned. It is my opinion that the new events with the ersatz “Boceefus” account is just Pooty and the GRU saying “Try anything and you will fail” but that is only one dimensional thinking frankly. It is time to go beyond bits and bytes and also use HUMINT.

Just this guys take…

K.

Written by Krypt3ia

2016/12/19 at 19:05

Re-Counts and Forensics in 2016

leave a comment »

screenshot-from-2016-11-28-08-06-06

Since the election I have taken a break from the insanity as much as I could. I blocked off Trump on Twitter but he keeps leaking through the blocks anyway. I have been reading though on the usual source sites like the New York Times and other news sites and with each day I am seeing the utter unravelling of America. Thinking about it though I have to wonder if the unravelling happened long ago and this is all just an echo of the failure finally reaching us all like a radio wave from a distant dying pulsar…

Anyway, I wanted to write today about the current debacle concerning the vote and the calls for an audit of that vote. Since the Green’s have gotten the ball rolling and the Clinton camp finally agreed to look at the vote it seems to be happening and that is a good thing. In an election where blatant tampering through hacking and information operations (DISINFO and IFO-OPS) by the Russian state one can have some sense that perhaps the same adversaries ‘might’ have tampered with the actual votes as well. Now, had it been just troll propaganda wars I might say; “Ok we have been played, they did it, we lost because we as a people are unable to comprehend real news from fake news” but that is not all that happened here. We saw actual hacking campaigns carried out on our voting infrastructure and one of the parties outright and still no one is clamouring for a re-count AND an audit of the systems that are already known to be security challenged?

It is incomprehensible to me at times how our government works at all. The group think and the lackadaisical attitudes towards information security are staggering but this whole episode takes the cake. You mean to tell me that the DHS and the government, the ones who brought us the OPM hack and other massive data breaches are going to tell us that the vote could not have been hacked and it is silly to even consider a forensic audit? This is what I keep hearing in the media and out of the government as calls for the votes to be re-counted and audited. It is also what I am hearing post Halderman’s paper and blog post that says: “I’m not saying the vote was hacked but there is evidence enough to say maybe we should look into it”  What the fuck? We know things went down so why all the reticence to check?

Well let’s look at it another way shall we? let’s say the government, ya know the one who keeps claiming we have “cyber superiority” in fact is shown to have such a poor state of security (like OPM isn’t enough to cast doubt on that one) that the election systems, the ones that the security community has been warning about as insecure for years now, was in fact manipulated as part of a larger operation to fix the election for Putins puppet regime? What exactly would the outcomes be from that revelation?

  1. The system would not be trusted
  2. The country would be in chaos
  3. The government would be seen as incompetent
  4. Putin wins.

It seems to me that most of these things have already come to pass. Sure, we have not actually proven that the systems in key Electoral College states were tampered with by malware or added code yet. That code could have been put in the supply chain easily by infecting the key systems the polling places use (see Halderman’s paper *think USB and ballot templates*) but all it takes is a real forensic evaluation to determine if something was amiss right? Yet I still don’t hear a clamour to get this done. Why is that really? We have been sold the idea on many occasions that it is too hard to hack the election but really, with a limited target and a goal of manipulating it subtly one would not see it blatantly would they? I mean fuck, look, Clinton has what like 2 million more popular votes and this fuckwit wins the college? It is either fantastic strategy on the part of his campaign (I mean Putin’s campaign) or, given all of the other evidence of tampering and obfuscation that something could be amiss with the known insecure systems we vote with right?

Really what I am saying here is this; “We have been played. We have been played and now we have this kleptocrat in office who’s been placed there, whether or not you want to hear this, by the Russian governments intelligence apparatus. The least you can do now is do the due diligence to see if something more happened than the hacks and disinformation operations we already know about.” I suspect though that the government does not want to do this because it would call everything into question. It would openly call out the fact that a nation state fucked with us in such a fundamental way that the only real response would have to be, well, war? I mean what is the response to something of this scale anyway right?

Weigh the evidence.

Occams Razor this shit.

DO THE FUCKING FORENSICS.

K.

Written by Krypt3ia

2016/11/28 at 13:39

Posted in .gov, 2016

Scenarios on Outcomes from Russian Information Operations on the US 2016 Election

with 2 comments

1016374513

Assessment Goals:

With all that has been happening with the disinformation and influence operations during this election cycle I thought it prudent to thought experiment out some scenarios if Russia or any other adversary with the means, decided to attack the election cycle in other ways. One might ask right now what benefit would other countries like Russia gain from such operations and you would be right to ask. That is a question for another post but suffice to say that if Russia is indeed tampering with our electoral process like they have in others, then the reasons are geopolitical and very much Putin’s aegis in ordering the SVR and KGB to carry them out.

The goal here is to just lay out the attacks that could happen simply and then give you the likely outcomes. All of these are not as comprehensive as you might find in some think tanks like Wikistrat but you get the idea. All of these attacks are possible, and they do not have to all work completely to have secondary and tertiary effects on the US population and political system. Please read through them and ponder yourselves how would you react if these happened? How would the general populace? Would government be able to carry on? If the election cycle is broken and the systems not trusted, how would one re-set the vote and how long would it take?

Interesting times….

SCENARIO 1: VOTE TAMPERING

The voting machine have been tampered with electronically or code has been inserted. The potential for votes being tabulated incorrectly or data tampered with is possible but not probable in the grander scheme in the US according to sources. However, this does not preclude a way found to insert such code or physical devices in key states. It is also not impossible to have assets in play such as sympathizers or outright KGB assets on the ground helping to tamper with the results. I will not go into the details because this is a scenario to start but it is also not the point. Let’s just assume ways have been found to tamper enough to call the electoral data into question via tampering directly with the systems.

POTENTIAL OUTCOME:

  • Trust in the election system is diminished
  • Recalls are called for by both candidates and the public
  • The electronic systems will lose public trust and a re-assessment of the process will be mandated

SCENARIO 2: VOTER ROLLS TAMPERING

Scenario 2 is based on recent events. The hacking of the rolls databases in key states could be an attempt to manipulate the data and cause secondary issues with that data on the day of the election. The posit is that the adversary has tampered with people’s voting preferences data. If you are a republican they can change that roll to the opposite party and vice versa. Additionally what if a users region or address were changed surreptitiously? To date there are no systems that I am aware of that will email you when a change is made to your voting status and how many people check before they go to the polls? This is a common tactic that has been used in gerrymandering an election area by disallowing voters from voting on the day of the election. To date, the FBI has not been able to determine what the hacking on the voter databases was about and this could be one of the goals.

POTENTIAL OUTCOME:

  • Voters are unable to vote once they get to the polling place.
  • Voters are not allowed to correct these records and are thusly negated from the process
  • Attack key states once again, going for the electoral college and you can change the outcome of an election
  • All of the above once again have the amplification of causing distrust of the system and damage to the election
  • The candidates and the people are left with a recall and with the system being manipulated already how can they trust it?

SCENARIO 3: DISRUPTION OF THE PROCESS ELECTRONICALLY

Russia has attacked the Ukraine elections by inserting malware/code into the election machines in 2014 that effectively bricked them. If such an attack code were placed and propagated within the American voting systems the disruption would cause the election to be halted and emergency measures taken. Perhaps the election might try to carry on with paper ballots but I am unsure the process can be that effectively nimble. If the election systems are down, since they are of varying makes and models of machines, the time to return of service would be long, causing more FUD to the elections process itself.

POTENTIAL OUTCOME:

  • Voters are unable to vote or the process takes so long that they walk away with a more analog process
  • Trust in the electronic system would be degraded or destroyed
  • The election cycle would be likely broken and emergency measures would have to be employed (contingencies)
  • Continuity of government is challenged

CONCLUSIONS:

These three scenarios to date, have not been covered I believe. This post comes to you as the fruit of a discussion I had with @SteveD3 and I believe that in our current atmosphere of information warfare and influence operations carried out by Russia, one has to take these thought experiments out for a drive. All of these scenarios are possible and will have the effects of denial, disruption, and degradation to our election systems and the stability of the nation. It need not render the election completely in the favor of one or the other candidate conclusively to cause faith in the system and its outcome to be questioned. Imagine if you will, as Trump has already been saying repeatedly, that these tactics are used and the general populace believes that the election has been rigged? With or without the hand of the Russians, others could be easily blamed by a candidate like Trump and his followers. The outcomes from this could lead to civil unrest and other worse things if they came to pass with the help of information operations attacks by another nation state.

I suggest you red team these ideas yourselves and see what else you can come up with…

Written by Krypt3ia

2016/10/11 at 14:20

Influence Operations: We All Carry Them Out

leave a comment »

Screenshot from 2016-09-06 08-29-26

 

All of the hand wringing and whinge-ing over the possibility that Russia has hacked our completely insecure election systems has my bile up… Well that and it seems I am lactose intolerant and ate whole ice cream last night. Anyway, back to INFLUENCE OPS and their use globally. The article above from the Boston Globe really set me off this weekend. All of these guys in the corridors of power all hand wringing over the possible fact that Russia has been messing with our political process makes me want to fly to Washington and bitch slap people. This type of activity has been going on forever and it is not just Russia pulling these strings even today. If you take a look at the actual history of the world you will see many players playing the same games with or without the benefit of Wikileaks and computers both then and now. This is not new people and for fucks sake wake up and realize that the US playing the “hurt” card in this game is really quite absurd in the grand scheme of things.

Now once you have taken a little trip down history lane with those links I just provided, then I want to ruminate on the whole problem today of the hacks on our democratic systems. See, as a former pentester and now a blue team guy I often ran into places that just did not have a clue about security. Still today there are many places that are very clue free and that also includes our government and those bodies that comprise our election systems. Seriously? Seriously those election systems were not even being monitored? You are shitting me right that the alleged Russian hackers used Acunetix to scan and then just SQLi dumped shit right? …

And no one saw a god damned thing…

It’s hardly INFLUENCE OPS when all you need to do is run a shitty tool and just take what you want with a script kids. So really, stop with the hurt and surprised bullshit Congressman and Senators alike! Put on your big boy and big girl pants and get the fuck over the fact that someone would have the audacity to fuck with our already fucked up election cycle anyway! As to Putin’s comment on the subject recently ‘‘It doesn’t really matter who hacked this data from Mrs. Clinton’s campaign headquarters,’’ I agree, it doesn’t really matter because the fact of the matter here is that her actions alone concerning the BleachBit of her server days after it’s public disclosure should be enough to show us all just what fuckery is afoot without Russian intervention to begin with. What the paradigm change here is is that we now don’t have to send plumbers to Watergate’s to break into file cabinets to get the data. All one needs to do now is fucking Acunetix an IP and then run SQLi map to fuck with a national election and that is just fucking sad.

Screenshot from 2016-09-06 09-17-01Shut up Grandma Nixon!

At the end of the day I for one don’t care who hacked the shit, what I care about is that there is enough evidence to show that even with out information/influence operations that there’s some crooked shit going on. The problem is that this is the default state of our governance and election system so one tends to just become complacent about it. The hack on the election here and now, with the fate of the world in the balance so to speak, with Führer Trump or Grandma Nixon only makes it all the more piquant for the hungry news media but in the end means a choice between two terrible shit sandwiches to those paying attention here.

We are all fucked either way.

Move on.

Dr. K.

Written by Krypt3ia

2016/09/06 at 13:26

No, Juny Was Not Whacked Because He Was A Hacker

leave a comment »

1488

With the alleged death of Juny “AbuHussain Al Britani” Hussain at the local Gas-N-Sip in Raqqa has come the steady stream of self serving headlines and leading questions from the media and the hacking community. I am here to stop you right now and tell you to cut the shit out and read more about what is going on with Da’esh and just who Juny was. The fact of the matter is that Juny was a recruiter as well as an instigator who was directly tied to the Garland shootings because he was on Twitter exhorting those fucktards into action.

Juny as a hacker is a separate story and one that at some times shows he had some talents but overall once he left for Syria he was fuck all as a hacker or part of the alleged “cyber caliphate” In fact if you really look at the alleged hacks by the Caliphate there is not much to look at really. The DOD/Pentagon emails and the open sourced intelligence that was often wrong on military members was all low level fuckery and not a clear and present danger to the West. No, it was not the hacking that made him a HVT on the US and British lists, it was that he was someone these shitheads look up to and was an avowed Da’eshbag who was ‘in country’ and fighting with Da’esh.

That is why they killed him with a hellfire fired from a drone. It was not because he was a hacker and for fucks sake stop it with the “Ermegerd hackers are now targets of drones!” self important bullshit.

So please stop it with all the bullshit that he was a HVT that we really really wanted because he hacked. The reality is he was a HVT but he was also a target of opportunity as well. Another thing to note is that the stories also all cite “anonymous intelligence sources” and the like. That is a euphamism for the government wanting to claim a win and have it all look good. I am still going by the axiom of ‘DNA or it didn’t happen” So far Umm Britani has said he is not dead and there has not been a host of shahidi bullshit videos and poems on the boards or anywhere else online. Perhaps we all are waiting to see some proof here but for fucks sake hackers, hacker media, and news media in general.

Cut it the fuck out. He was an unlawful combatant in country, in the alleged Caliphate and a mouthpiece for Da’esh. It’s as simple as that.

K.

Written by Krypt3ia

2015/08/28 at 10:37

Posted in .gov, .mil, Da'esh