Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Threat Intel’ Category

Ryuk Ransomware Threat Intel Report

leave a comment »

I cobbled together some stuff on Ryuk in case you all want to have a report you can re-purpose.

K…

PDF is here

 

 

 

Ryuk Ransomware Threat Intelligence Report

1/4/2019

Table of Contents

    1. Executive Summary:

The Ryuk variant of ransomware is a new type of ransomware that first appeared in August 2018 and has been used since then in an targeted attack scheme by unknown actors online. The evolution of the attack has taken shape to mimic some of the attack methodologies used by the SAMSAM group (Iran) in locating vulnerable enterprises/organizations through reconnaissance and phishing to then gain a foothold in as a first phase of their attack.

The Ryuk actors then escalate the incursion by loading the ransomware (Ryuk) onto servers in the enterprise and thus locking that business down completely from daily business. The attacks have been seen recently (Dec/January 2018-2019) in attacks against publishing and media corporations such as the LA Times, Chicago Times (Tribune Group) as well as DataResolution Cloud Service. The financial damages to those companies has yet to be determined but due to the attack on the Tribune group, printing of newspapers was degraded or stopped for a time.

The Ryuk actor group uses two probable means to gaining access to internal networks:

1) phishing to infect systems with EMOTET (trojan variant using PowerShell via doc files that use macros to start ps.exe) and then pivot laterally to gain more access.

2) Locating vulnerable systems online using Shodan and other tools to find open RDP sessions and exploits them to escalate the attack.

In both attack vectors the second stage of the attack is to use the access gained to recon the org to locate systems (servers) to infect with Ryuk. The Ryuk infection will then encrypt all data, delete shadow copies and leave a message that the systems have been encrypted and where to send bitcoins.

The malware campaign to date (Aug 2018 to today) has accrued approximately $2,680,077.93 in bitcoin transfers from affected organizations. The average demand for money per each attack, is per the organizations tolerances judged by the actors estimate of what they can afford. This method is a lot like the SAMSAM group.

    1. Recommendations:

Threat intelligence on the malware and the tactics of the group provide the following recommendations for response to this threat:

  • Put all IOC’s into HIDS/NIDS

  • Block known C2’s

  • Assess for vulnerable RDP sessions to the internet (Shodan)

  • Block all hashes and C2’s for EMOTET campaigns

  • Be aware of ps.exe (powershell) sessions going to the internet

    1. Technical Details:

The malware immediately begins by shutting down A/V systems and specifically SOPHOS and McAfee as well as other processes focusing not only on A/V but backup programs. Early Virus Total assessments as well as Hybrid Analysis online show some signs that the actors had tested early versions of the malware and that it had been detected by SOPHOS and McAfee.

Strings:

stop “Enterprise Client Service” /y

stop “Sophos AutoUpdate Service” /y

stop “Sophos Clean Service” /y

stop “Sophos Device Control Service” /y

stop “Sophos File Scanner Service” /y

stop “Sophos Health Service” /y

stop “Sophos Safestore Service” /y

stop “Sophos System Protection Service” /y

stop “Sophos Web Control Service” /y

stop “SQLsafe Backup Service” /y

stop “SQLsafe Filter Service” /y

stop “Veeam Backup Catalog Data Service” /y

stop “Zoolz 2 Service” /y

stop Antivirus /y

stop BackupExecAgentAccelerator /y

stop BackupExecAgentBrowser /y

stop BackupExecDeviceMediaService /y

stop BackupExecJobEngine /y

stop BackupExecManagementService /y

stop BackupExecRPCService /y

stop BackupExecVSSProvider /y

stop EhttpSrv /y

stop EPSecurityService /y

stop EPUpdateService /y

stop MBAMService /y

stop McAfeeEngineService /y

stop McAfeeFramework /y

stop McAfeeFrameworkMcAfeeFramework /y

stop MSSQL$BKUPEXEC /y

stop MSSQLServerOLAPService /y

stop ntrtscan /y

stop PDVFSService /y

stop ReportServer /y

stop ReportServer$SQL_2008 /y

stop ReportServer$SYSTEM_BGC /y

stop ReportServer$TPS /y

stop ReportServer$TPSAMA /y

stop SAVAdminService /y

stop SAVService /y

stop SepMasterService /y

stop Smcinst /y

stop SmcService /y

stop SMTPSvc /y

stop SntpService /y

stop SQLAgent$BKUPEXEC /y

stop SQLAgent$CITRIX_METAFRAME /y

stop SQLSafeOLRService /y

stop swi_service /y

stop tmlisten /y

stop TrueKey /y

stop TrueKeyScheduler /y

stop TrueKeyServiceHelper /y

stop VeeamDeploymentService /y

stop VeeamTransportSvc /y

TerminateProcess

Currently a high number of A/V client engines now see the Ryuk malware by hashes. It is assumed that the actor may in fact re-pack the malware to avoid such detection’s if not upgrade functionality to have a wider ability to succeed and avoid HIDS/NIDS detection as well.

The malware also requires ADMIN to perform all it’s functions. This need for ADMIN is the reason that Ryuk is a second stage and not a one and done attack. EMOTET infections attain the ADMIN level access and allow the actors to recon the enterprise and determine where to attack as well as what they can access to load Ryuk and encrypt files.

    1. IOC’s:

IP(s) / Hostname(s)

  • 104.199.153[.]189

  • 104.239.157[.]210

  • 187.17.111[.]103

  • 195.20.45[.]185

  • 200.98.255[.]192

  • 23.253.126[.]58

  • 68.168.222[.]206

  • 89.119.67[.]154

URLs

  • bedava-chat[.]com

  • bestinfo[.]vv[.]si

  • digiturk[.]adsl[.]com[.]tr

  • freshmirza[.]tk

  • ibrahimreb[.]com

  • infocommsystems[.]com

  • jaragroup[.]com[.]ar

  • klkjwre9fqwieluoi[.]info

  • kukutrustnet777[.]info

  • kukutrustnet777888[.]info

  • kukutrustnet888[.]info

  • kukutrustnet987[.]info

  • lavanyacreation[.]com

  • natufarma[.]net

  • radiantjewelcraft[.]com

  • sets-hm[.]tk

  • veddagroup[.]twomini[.]com

Associated-file-path:

  • C:\Users\Public\cjoZX[.]exe

  • C:\Users\Public\window[.]bat

Associated-email-addresses:

  • WayneEvenson@tutanota[.]com

  • WayneEvenson@protonmail[.]com

  • stevkramer@protonmail.com

  • johnfraz@protonmail.com

  • stevkramer@tutanota.com

  • johnfraz@tutanota.com

  • kurtschweickardt@protonmail.com

  • kurtschweickardt@tutanota.com

  • wayneevenson@protonmail.com

  • wayneevenson@tutanota.com

  • steveedelman@protonmail.com

  • steveedelman@tutanota.com

  • andymitton@protonmail.com

  • andymitton@tutanota.com

  • kaykienzler@protonmail.com

  • bennidiez@protonmail.com

  • kaykienzler@tutanota.com

  • bennidiez@tutanota.com

  • dustinloose@protonmail.com

  • dustinloose@tutanota.com

  • AdamasVorms@tutanota.com

  • AdamasVorms@protonmail.com

  • RcsonanaGemmaran@tutanota.com

  • RcsonanaGemmaran@protonmail.com

  • dfvdc@protonmail.com

  • khgvkh@tutanota.com

  • yu66MarsellBlan@protonmail.com

  • yu66MafrsellBlan@tutanota.com

  • BruceSmithh@protonmail.com

  • BruceSmithh@tutanota.com

  • vejoydyLunde@tutanota.com

  • vejoydyLunde@protonmail.com

  • RichardsonStan@tutanota.com

  • RichardsonStan@protonmail.com

  • WillysFranks@tutanota.com

  • WillysFrank@protonmail.com

  • KangCheonSoo@tutanota.com

  • KangCheonSo@protonmail.com

  • RaulDrake@protonmail.com

  • kaidrake@tutanota.com

  • fgbfs@protonmail.com

  • fgbf@tutanota.com

  • ElaineDeaVille@tutanota.com

  • ElaineDeaVille@protonmail.com

  • TinaHahn@tutanota.com

  • TinaHahn@protonmail.com

  • ChrisJohnes@protonmail.com

  • ChrisJohnes@tutanota.com

  • DeborahPATINO@tutanota.com

  • DeborahPATINO@protonmail.com

  • CristopherBrandstrom@protonmail.com

  • CristopherBrandstrom@tutanota.com

  • DANIELEdEBLOIS@tutanota.com

  • DANIELEdEBLOIS@protonmail.com

  • petterSpurier@protonmail.com

  • petterSpurier@tutanota.com

  • arWalagnCuad@tutanota.com

  • arWalanCuad@protonmail.com

  • degrv@tutanota.com

  • fhnf@protonmail.com

  • taigrizalsec1973@protonmail.com

  • arturDale@tutanota.com

  • CamdenScott@protonmail.com

  • eliasmarco@tutanota.com

  • MelisaPeterman@protonmail.com

  • MelisaPeterman@tutanota.com

Associated-bitcoin-address:

  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

  • 1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ

  • 1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ

  • 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

  • 1LKULheYnNtJXgQNWMo24MeLrBBCouECH7

  • 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

  • 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4

  • 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

  • 1EoyVz2tbGXWL1sLZuCnSX72eR7Ju6qohH

  • 1K6MBjz79QqfLBN7XBnwxCJb8DYUmmDWAt

  • 1ChnbV4Rt7nsb5acw5YfYyvBFDj1RXcVQu

  • 162DVnddxsbXeVgdCy66RxEPADPETBGVBR

  • 12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau

  • 1C8n86EEttnDjNKM9Tjm7QNVgwGBncQhDs

  • 18eu6KrFgzv8yTMVvKJkRM3YBAyHLonk5G

  • 19AE1YN6Jo8ognKdJQ3xeQQL1mSZyX16op

  • 1NMgARKzfaDExDSEsNijeT3QWbvTF7FXxS

  • 12UbZzhJrdDvdyv9NdCox1Zj1FAQ5onwx3

  • 1KUbXkjDZL6HC3Er34HwJiQUAE9H81Wcsr

  • 13rTF3AYsf8xEdafUMT5W1E5Ab2aqPhkPi

  • 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY

  • 12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL

  • 1ET85GTps8eFbgF1MvVhFVZQeNp2a6LeGw

  • 1FtQnqvjxEK5GJD9PthHM4MtdmkAeTeoRt

  • 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY

Malware Hash (MD5/SHA1/SH256)

  • c0202cf6aeab8437c638533d14563d35

  • d348f536e214a47655af387408b4fca5

  • 958c594909933d4c82e93c22850194aa

  • 86c314bc2dc37ba84f7364acd5108c2b

  • 29340643ca2e6677c19e1d3bf351d654

  • cb0c1248d3899358a375888bb4e8f3fe

  • 1354ac0d5be0c8d03f4e3aba78d2223e

  • 5ac0f050f93f86e69026faea1fbb4450

  • 1b465c0e12523747f892b48fa92a30f82e5027199a2aff06587c5269bd99f69a

  • 3c8531fc54eca31a79a23bf16d4f528067c89a5e58e1e745a2c5b1b05140f5a8

  • 95b228b664dca2e18935444c67c7c7dbda9da7450a18d429cb04f7e311af5fe9

  • 46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e

  • 8d50d9fe17eb36edc9945a2673c1594f58a6e653f5a794058ee42e46d24d83d7

  • f21f222d8f62f2223faec375e834efb76f96b73ef70e0ef09024586cf9eef638

  • b7e945a8dafc91ebe8c8717ee3107498afc1ad5461599611d2fb07aaa7700aa1

  • 88d491bb73d509aacca103919d3a7418f9c6b611ce7dc453e1cacffed9c0f0d5

  • 5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28

  • aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83

  • 235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac

  • 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20

  • 9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17

  • 695a716f2c43a69bdd03e74058fa23fb77e596bb4f1f3a021d529c85e9564f7d

  • 6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619

  • 965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26

  • 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

  • 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4

  • b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8

  • 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2

  • 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec

  • 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

  • c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e

Dropped Files:

details

“gimap.jar” has type “data”

“org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar” has type “data”

“Download_on_the_App_Store_Badge_fr_135x40.svg” has type “data”

“PIXEL.INF” has type “data”

“close.svg” has type “data”

“com.jrockit.mc.components.ui.ja_5.5.1.172852.jar” has type “data”

“org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar” has type “data”

“javaws.jar” has type “data”

“org-netbeans-modules-options-api.jar” has type “8086 relocatable (Microsoft)”

“org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar” has type “data”

“ADEBASE.MSI” has type “data”

“org-netbeans-core-io-ui_zh_CN.jar” has type “data”

“org.eclipse.help.ui_4.0.100.v20140401-0608.jar” has type “data”

“VeriSign_Class_3_Code_Signing_2001-4_CA.cer” has type “data”

“org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar” has type “data”

“org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar” has type “data”

“com.jrockit.mc.browser.ja_5.5.1.172852.jar” has type “data”

“org-openide-loaders_zh_CN.jar” has type “data”

“com-sun-tools-visualvm-host-remote_zh_CN.jar” has type “data”

“org-netbeans-modules-queries.jar” has type “data”

source: Extracted File

Virus Total Assessments:

Hybrid Analysis Assessments:

    1. Appendix:

URL’s:

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-involved-in-cyberattack-stopping-newspaper-distribution/

https://niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Aug_2018_Edition_2.0.pdf

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf

https://resources.malwarebytes.com/files/2018/12/Malwarebytes-Labs-Under-The-Radar-APAC-1.pdf

https://research.checkpoint.com/wp-content/uploads/2018/08/Threat_Intelligence_News_2018-08-27.pdf

https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/

https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27951/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryuk_v2.pdf

http://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ryuk-evolves-as-a-new-targeted-ransomware

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/ryuk

https://www.maltiverse.com/sample/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

Written by Krypt3ia

2019/01/04 at 18:24

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

leave a comment »

7631834-3x2-700x467

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last nights attack using a lorrie was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:082014 Inspire

 

Screenshot from 2016-07-15 07:04:082010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dahka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are selfradicalizing with the help of the media’s obsession on covering ad nauseum these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actors need for attention and satisfaction.

laughing-man

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize it’s happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

Much Ado About Nothing: Team System DZ and Defacements

with one comment

Screenshot from 2015-03-27 08:35:58

Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz using daesh symbols and poorly written rhetoric are nothing to write home about yet the media spins their skiddie exploits into media gold. Well I am here to set the record straight with you all. Poti, or Ahmed Saoudi is just a derpy kid in Algeria with nothing better to do than deface sites with others tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC as do many of his derpy little pals as you can see below.

Screenshot from 2015-03-27 08:48:59

Screenshot from 2015-03-27 08:06:26

In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy and the handy little task bar there on the browser gives his home IP address(s) 41.100.113.208 and 41.100.76.152 respectively over time. Poti in fact logs in to the Team System DZ Facebook account without proxy a couple times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.

Anyway, the IP space is for the following in Algeria:

IP address: 41.100.113.208
inetnum:        41.100.0.0 – 41.100.255.255
netname:        RegChlef
descr:          region chlef
country:        DZ
admin-c:        SD6-AFRINIC
tech-c:         SD6-AFRINIC
status:         ASSIGNED PA
mnt-by:         DJAWEB-MNT
source:         AFRINIC # Filtered
parent:         41.96.0.0 – 41.111.255.255

person:         Security Departement
address:        Alger
phone:          +21321911224
fax-no:         +21321911208
nic-hdl:        SD6-AFRINIC
source:         AFRINIC # Filtered

Other Data:

Poti-Sadz aka PoTi SaD DaRkY
https://www.youtube.com/channel/UCnHsj8Q7xOgTGSB9S-6mZdA

youtube.com/user/ahmedsaoudik/playlists … ahmedsaoudik
http://video.exstrim-bog.ru/author/ahmedsaoudik

Skype: poti_sad-dz

There are a lot of Ahmed Saoudi’s in the skype phone book as well but only a couple list Algeria as his location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23 which would be a prime age range for this kind of stupid kid activity no?

Skype: ahmed.saoudi1992

Give em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that the are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on and in reality “no va” is really more appropriate.

HOLY WTF PEOPLE! CUT THIS SHIT OUT!

Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.

Enjoy the lulz…

K.

Written by Krypt3ia

2015/03/27 at 15:08

Global Threat Intelligence Report: FEBRUARY 2015

with one comment

photo

Global Threat Intelligence Report

February 2015

Contents

  1. Executive Summary

In the month of February an astonishing array of news came out concerning information security and vulnerabilities. One such piece of news concerned supply chain tampering by Lenovo with “Superfish” an adware that compromised users SSL sessions of every user’s machine purchased from the company. In other areas we discovered that our personal routers were being attacked by phishing emails containing the default passwords for the routers that people commonly forget to change. It would seem that nothing is safe either because people leave the defaults as the way they operate or in fact the companies are weakening security on their products to make more money through tracking users and selling data to advertisers.

This report will cover the news highlights and give you a more nuanced portrait of their importance globally to you personally as well as at a corporate level for information security. Use this report as a primer to understanding the security picture as it is today and to help in confronting the security issues within your organization.

  1. Global Threats

  1. Attackers have cloned malware-laden copies of the most popular apps your employees use

http://www.csoonline.com/article/2892017/malware-cybercrime/attackers-have-cloned-malware-laden-copies-of-the-most-popular-apps-your-employees-use.html

Discussion:

Think your BYOD program is secure? Perhaps you might want to think again about that as you consider this article. Applications for iOS and Android have been cloned and malware inserted into them for download by unsuspecting users. All the attackers need to is trick the end users into installing the new application with malware in it by sending them an email with a link to their fake site.

As more and more corporations move toward the singularity and use BYOD as their primary way of conducting business (phones, tablets, and phablets) these concerns should be more pressing. Given that the BYOD now allows personal devices to access corporate networks and assets, if the user then infects their device with malware that steals data such as keystrokes, then your corporate network is now at risk of compromise.

If you have a BYOD program and do not have a robust way to manage what the users can download and install then you are more likely to have a compromise to your domain. If for example though, you have BYOD mandates and policies that require phones with separate profiles you might be on a better footing in that the end users corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread and must be considered today as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.

  1. What is Freak and who is at risk?

http://www.telegraph.co.uk/technology/internet-security/11448900/What-is-Freak-and-who-is-at-risk.html

Discussion:

Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and only now is being talked about as something adversaries may be using. As with others, this attack uses the fact that many systems still allow backward compatibility to reduce the encryption levels to one that can be cracked by an attacker.

While this attack is being patched it is important to note that since Shellshock and Poodle adversaries have been working on variations on a theme to attempt to find old or unthought-of of exploits to leverage in attacks today. It is important to keep up on these various vulnerabilities being reported to respond to them as soon as possible once they have been announced.

It is recommended that all SSL systems be set to disallow backward compatibility of there is a newer version that is more secure. If you are forced to use backward compatibility though, you should insure that you have a risk assessment carried out and the risk signed off on at a corporate level to cover your risk should an incident occur from one of these known exploits.

  1. D-Link Routers Face Multiple Vulnerabilities

http://www.infosecurity-magazine.com/news/dlink-routers-face-multiple/

Discussion:

Common technologies abound today and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands being used today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows for a remote attack to gain “root” or administrative access to the routers.

So how then could these COTS routers be a threat to your corporate network? Well, consider that the home user who is VPN’d into your network is using one of these routers that is vulnerable? If that is the case and their router is compromised, then so too is all the traffic and systems potentially they own at home. If that home user has their system online and not on the VPN then their system could be scanned and compromised remotely. If the end point has been compromised so too is your network VPN or not so this is a real threat to your corporate environment as well.

Additionally, should by any chance your environment have any of these devices connected to your networks then you too may be vulnerable directly from attacks on those routers. Consider too any company that you may be connected to (via VPN for instance again) that may be a mom and pop with one of these routers being used. This could be leveraged to gain access to your network as well by an enterprising adversary.

It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises or not. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.

  1. Seagate Business NAS Firmware Vulnerabilities Disclosed

http://threatpost.com/seagate-business-nas-firmware-vulnerabilities-disclosed/111337

Discussion:

NAS (Network Accessible Storage) is common not only in corporate networks but also home networks. As such these devices need to be securely configured and access restricted to internal networks only unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many of the others out there and Seagate has yet to update their firmware months after the fact. This leaves all of these devices unprotected on networks and on the internet in some unfortunate cases.

Think that your corporate network doesn’t have a problem because the NAS is behind the firewall? Well that is not truly the case either as you could have a compromise internally and if these devices are secured yet vulnerable to these types of attacks you could lose in the end. It is recommended that you seek to determine if you have these in your environment and patch as soon as possible.

Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these and puts it on their home network and shares it accidently with the world. Think that is not probable? Then go to Shodan and look for these devices or better yet use Google to search for them. They are out there and they are open.

  1. Microsoft Patches 41 Internet Explorer Vulnerabilities

http://www.eweek.com/security/microsoft-patches-41-internet-explorer-vulnerabilities.html

Discussion:

Patch Tuesday in February was huge with a total of 56 vulnerabilities being fixed in Microsoft products. A majority of the patches were for Internet Explorer, a core piece of the Windows system and the one most attacked by adversaries seeking to exploit users systems.

This particular patch cycle was of note because the previous cycle had not patched IE and this one seems to have been an aggregate of earlier patches being held back. As the number of patches is so high for one piece of the Microsoft system it can be inferred just how much attention is paid to attacks for the IE Browser.

It is recommended that every enterprise undertake a strong process driven function around patching in your environment. Specifically, enterprises should take care to patch high value target systems at the least and all systems at the most. Given that there are mitigating factors that may leave an organization no choice but to not patch a system because it would break business, those systems should be signed off on for risk and as a compensating measure watched more to insure that they are not compromised.

  1. Spam Uses Default Passwords to Hack Routers

http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/

Discussion:

Earlier this report covered default passwords on routers in the home. It seems that this issue has risen again as malware/malcode disguised in spam has been seen in the wild with the ability to log into routers with insecure default passwords. This type of attack is not new but it is once again being leveraged by particular actors today in the wild.

This in and of itself should be a wakeup call for any users who have not changed their default passwords and logins for COTS routers. As also mentioned before in this report, this is something that all enterprises should be concerned about with regard to users who work from home and have access to your internal networks.

It is recommended that all organizations look at these vulnerabilities as not only affecting home users but also those networks that they may interface every day for work. As such, it is in every companies interest to follow these things and to have education for their users not only about corporate networks and assets but also those BYOD devices and networks that interconnect them.

  1. FBI: Businesses Lost $215M to Email Scams

http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/

Discussion:

Increasingly carders and other adversaries are attacking corporations by targeting the end users for malware by phishing campaigns. Much of these exploits are directly targeted at gaining access to credit card data, bank account data, and PII data that would allow them to create new identities and start credit lines.

The adversaries are however getting cleverer and targeted today and with knowledge, they are attacking from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines which then are used to trick employees into making funds transfers from the company accounts.

It is recommended that organizations keep awareness at a high level not only for regular employees but also specifically, the executives. Executives are the prime targets for much of the malware and phishing campaigns in these types of attacks and all too often, the executives and their minions are less aware than they should be about phishing and how to spot it.

Additionally, it is also a good policy to have some means of empowering employees to question the process of such transactions if they feel that there is something amiss. Often times the adversaries are counting on the social and psychological norms of corporate pecking order to just get an employee to react and carry out transactions like these.

  1. Phishers Pounce on Anthem Breach

http://krebsonsecurity.com/2015/02/phishers-pounce-on-anthem-breach/

Discussion:

As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow on attacks using news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made it into the news. Emails began to be sent from newly created domains created by a whole other sector of adversaries.

The Anthem breach for all intents and purposes, seems to have been Nation State actors and as such the data that they stole will not, and has not yet been seen to be for sale on the darknet or other places where this data is sold. This means that the criminals who do carry out this type of attack for money are seeking to capitalize on the backs of the APT by phishing already worried clients of Anthem.

It is recommended that organizations keep up with this type of activity as well as the breach itself. Targeted phishing emails are not just going to end users home addresses. These phishing emails and new waves of malware have been seen in corporate email systems as well. Awareness is key and as such talking directly to employees about these types of attacks will not only benefit them but hopefully stop incursions into your network as well.

  1. Anthem Breach May Have Started in April 2014

http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/

Discussion:

The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach and the attacks that were carried out to steal the information and keep access to the networks at Anthem should be studied by anyone who has a network and data they want to protect. In the case of Anthem though, it is becoming clearer that not only was it nation state actors but also that they had access to Anthem’s networks for a considerable amount of time before discovery.

As information becomes more available the likelihood will be that the initial incursion came from a phishing campaign using crafted domains (we11point.com etc) to get users to click on links and install malware on their machines. This is a common tactic and something that every organization has problems with as users are being manipulated by actors who understand human nature.

Watch the Anthem story and consider how your networks could or could not use telemetry to determine undue traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, it was a sysadmin who first noticed that their account was being used on a system that they had never logged into that started the incident there. Every org is vulnerable to these tactics and it is in the interest of every company to learn from others mistakes as well as the modus operandi of the actors involved.

  1. Supply Chain Tampering

  1. Lenovo Superfish Adware Leaves Computers Insecure Out of the Box

http://blog.erratasec.com/2015/02/exploiting-superfish-certificate.html#.VPctfqzoqII

Discussion:

Superfish, a simple piece of adware that was installed on every system that Lenovo sold in the last couple of years had upended the trust of the public about their products. This particular malware was to perform a man in the middle attack against SSL traffic and route the user to specific ads which then would pay Lenovo on the back end. This however backfired on them once the malware was discovered.

While Lenovo claimed that the adware was harmless it was shown that in fact this piece of software could be easily subverted to break into machines by setting up man in the middle exploits and getting users to log into things with their credentials as well as downloading malware. This is unacceptable and an object lesson in supply chain trust.

If one cannot trust the supply chain (e.g. laptops from Lenovo without malware pre-loaded) how can one trust that the systems they are buying for their companies are secure? This issue should be something that all companies consider when not only purchasing new equipment but also those systems or appliances they may buy grey market online. Can you trust the systems have not been tampered with?

  1. Advanced Persistent Threats

  1. Threat Intelligence: The How Instead of the Who

http://blog.uncommonsensesecurity.com/2015/02/we-need-to-talk-about-attribution.html

Discussion:

Today the selling of “Threat Intelligence” is all the rage, but really how useful is much of what is being sold today? So far the focus of many seems to be on “who” carried out the attacks but not so much on the how. While the who can be important in many ways, it is the least of your worries when dealing with an incident and this needs to be a key focus for companies.

By engaging companies that sell threat intelligence a company can in fact gain a better foothold on protecting their networks and data. However, all too many companies are not prepared to really use the data that these threat intelligence firms provide because they do not have enough insight into their own networks to start. As such it is key to know your own capabilities and work with threat intelligence firms to set up feeds and methods that will help your company detect and deter as well as proactively mitigate ongoing campaigns.

It is recommended that when you look into threat intelligence feeds that you first undertake a serious introspective look at your environment, it’s maturity, and capabilities to truly leverage the data that you are buying and not to just have a feed as a check box in an auditors notebook.

Document for download and dissemination HERE

Written by Krypt3ia

2015/03/04 at 20:08

GLOBAL Threat Intelligence Report AUGUST 2014

with one comment

GLOBAL Threat Intelligence Report – AUGUST 2014

Executive Summary

Globally August 2014 was much of the same as we have seen in the previous months. The norm today is to see large corporations admit that they have been hacked and lost data, malware is consistently being released in the wild, and personal data has been stolen and is for sale in the darknet. This report covers the following stories that can be seen as indicative of what is happening in the world today and could affect your organization. These incidents should be looked at as potentially happening in your environment and as such any mitigations that would have prevented these from happening should be implemented in your network.

This month’s global threat indicators are:

  • JP Morgan hacked and data manipulated
  • Traffic lights are easily hacked and manipulated
  • SONY was DD0S’d again
  • Hacking victims become targets of the federal government
  • CHS Medical loses patient data to an alleged APT attack
  • The Nuclear Regulatory Committee was hacked and data stolen by nation state actors
  • A study of Black POS and Backoff POS malware
  • Carbon Grabber hits EU auto makers
  • Poisoned Hurricane APT malware uses Hurricane Electric
  • Taiwan claims to be the testing ground for Chinese APT attacks

Global Threats

JP Morgan Hacked Allegedly by Russia

JP Morgan lost gigabytes of sensitive data during a mid-August cyberattack that also targeted other top U.S. banks, according to sources familiar with the investigation of the hacking. ~Gantdaily.com

http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480
http://gantdaily.com/2014/08/28/jp-morgan-loses-data-fbi-suspects-russians-behind-hacking/
http://arstechnica.com/security/2014/08/the-long-game-how-hackers-spent-months-pulling-bank-data-from-jpmorgan/

Analysis:

The attack was carried out by actors alleged to be from Russia and there is talk of state sponsorship. As the investigation goes on nothing much has been released about the malware (if any) used nor the names of the possible players involved. However, if this attack was carried out by a nation state backed actor it is a paradigm shift for the US and corporations in general.
The purpose of this attack seems to have been to manipulate funds within the bank for certain accounts and not for criminal purposes common to hacking of this type. The attack was quiet and thorough which speaks to the nation state backing and also may in fact be a message from Russia over sanctions by the US. This type of attack would be a new chapter in the hacking going on to date in that it would be a nation state able to manipulate the US markets through attacks on banking infrastructure.

Hacking Traffic Lights and Infrastructure

“Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” writes the research team led by computer scientist J. Alex Halderman.
“With the appropriate hardware and a little effort, [a hacker] can execute a denial of service attack to cripple the flow of traffic in a city, cause congestion at intersections by modifying light timings, or even take control of the lights and give herself clear passage through intersections,” according to the researchers’ findings.
http://time.com/3146147/hacking-traffic-lights-is-apparently-really-easy/

Analysis:

While this type of attack has been portrayed in movies for quite some time it is now a reality and a potential security nightmare for the country. Attacking infrastructure like the traffic systems could be a prelude to larger kinetic attacks on the country or localized to a specific target area. One has to consider that this is just one step in a larger direction toward attacks on infrastructures that could be used by terrorists or criminals for other purposes. Being that this hack was carried off by a small team with a nominal amount of capital used to do it, this should be a concern for the country.

Sony PSN DD0S and Lizard Squad

Sony was attacked with a DD0S (Distributed Denial of Service) that took their systems offline for hours. The attackers call themselves the “Lizard Squad” and to date they are still at large. The group also was able to obtain information about a Sony exec flying on a commercial airline that they then used to phone in a bomb threat concerning that executive and flight.
http://www.forbes.com/sites/insertcoin/2014/08/27/fbi-hunted-hacking-group-continues-attacks-targets-twitch/

Analysis:

Lizard Squad generally seems to be a bunch of kids and the real author of the DD0S on Sony was another actor altogether. FamedGod is another entity online who claims that he was the one who attacked Sony and he did so because they are still not secure even after they were hacked in 2013. FamedGod posted some information that seems to lend credence to his being the arbiter of this attack on Sony and does have a valid point about the insecurity of the Sony networks still post their hack in 2013 which leaked user details including credit cards that had been improperly stored by Sony on their network.
In the final analysis however, it is a truism that DD0S is not going away and can be aimed at any system at the whim of any kid with the money to pay for a botnet. This should be the real takeaway and all corporations should have some mitigation in place to protect their presence online from DD0S.

Hacking Victims Become Federal Targets

What do you do if you’re a company that gets hacked, and the Federal Trade Commission treats you like a criminal? That was the quandary facing Wyndham Hotels after the FTC claimed a data security breach gave it the right to supervise the company’s IT department. Thus began the latest episode of the Obama Administrations’s habit of using vague laws to justify regulatory schemes that Congress never intended. More than 40 companies have already acquiesced to the FTC’s data security overreach—often small companies without the means to fight—but Wyndham to its credit is pushing back.
http://online.wsj.com/articles/wsj-hacking-victims-become-federal-targets-1408318038

Analysis:

As hacking incidents increase within large corporations and they get reported it is likely that the government will look to sanction companies that are not in compliance with security best practices. In the Wyndham case, it seems that the FTC feels obliged to regulate the activities of the network and security teams at the hacked company in order to insure best practices are followed. This of course is a new and troubling occurrence but not unforeseen as the government tries to regulate the security space.
This is a heads up for all companies that may handle PII, PCI, or HIPAA data should a compromise occur and lawsuits ensue. The government may want in as well on the remediation and oversight of the security and operations of the company.

CHS Hospital Systems Hacked and Leaked Patient Data

Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers. Anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years or was merely referred there by an outside doctor is affected.
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

Malware sigs for what was used in CHS

Analysis:

While not much has been put out through the media there are certain areas where data has been released on the malware involved in this hack. The following links below are for samples sent to malwr.com before they shut down. Both of these show the same type of malware used and the hashes match for the family APT-18 was using.
https://malwr.com/analysis/Zjg2MDhkZjIyNDg4NDNhYTk0MTYzMWRhYjc2MTM3OTE/
https://malwr.com/analysis/Y2VlNDY0NmI3NjE0NDRiYjk1YmMxYTVkNjIyZjZlZGU/

Analysis:

The CHS hack has allegedly been pinned on a Chinese APT (Advanced Persistent Threat) known to the community as APT-18. However, the modus operandi of APT-18 does not fit well with what was stolen from CHS. Additionally, there is evidence that the CHS networks had many issues that allowed for numerous other types of infections to be ongoing within it’s confines that allowed for easy access for hackers. Instances of “Code Red” and other malware from many years ago has been seen beaconing from their IP space.
Whether or not the APT were involved though, the networks there were in a poor state specifically with regard to patching. As is common with Medical networks they are often not patched well because of the antiquated programs that run on them and disallow for proper patching. Overall the assessment here is that the network and their security practices were sub best practices and thus allowed for easy access to patient records even with HIPAA regulations.

Nuclear Regulatory Commission Hacked

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation. One incident involved emails sent to about 215 NRC employees in “a logon-credential harvesting attempt,” according to an inspector general reportNextgov obtained through an open-records request. The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to “a cloud-based Google spreadsheet.”
http://www.defenseone.com/technology/2014/08/foreign-government-agents-suspected-hacking-us-nuclear-regulator/91856/

Analysis:

The NRC hack is common to the type of APT activities we have seen in the news over the last few years. In this case the NRC was phished with emails containing links to a Google Drive spread sheet that infected their systems with malware. This is a common attack today and should be covered in any respectable security awareness program but often still is the key to hackers getting into systems. Had the users checked the links to start or had thought better of logging into a site to verify an account then the compromise may not have happened at all.
All users should be aware of what phishing looks like and the tactics that the phishers use to trick people into compromise. In this case this is a nation state actor (likely China) and is par for the course today.

Crimeware

Backoff POS and BlackPOS

The “Backoff” POS (Point Of Sale) malware is a new version of skimming software that was used in a recent attack on the SuperValu grocery chain. This malware get’s it’s name from the word “backoff” in the code. BlackPOS is another malware that was created by the Rescator/Lampeduza network for their attacks on Target and now Home Depot. This also get’s it’s name from code snippets and the actual name being used on the Russian hacking/carding boards that sell it and the data that has been stolen.
http://threatpost.com/secret-service-warns-1000-businesses-hit-by-backoff-pos-malware
https://www.us-cert.gov/ncas/alerts/TA14-212A

Analysis:

These types of malware are common to this type of crime today because in the US we do not have the “chip and pin” technology that would prevent this attack from succeeding. Both of these pieces of malware have been bespoke for the crews that are using them and attack the actual interfaces for the POS device. When a card is scanned by the POS this malware scrapes the memory of the machine and captures the card numbers and the pin during the transaction. It then sends that data to an aggregator (compromised machines in the network) for exfiltration to servers usually in the Baltics.
Given that this type of attack now has leaked millions of cards (including a new Home Depot leak ongoing today) we can expect that retailers and banks in the US will soon be looking to upgrade the infrastructure here to a chip and pin system to stop this from happening. Banks in the US are already feeling the pinch from these attacks and are pushing behind the scenes for these changes.
Addendum: It has been reported by the FBI that as many as 1000 companies may in fact be compromised with these types of malware and actively being used to steal credit and debit cards.

Carbon Grabber Hits Automotive Industry

Europe’s automotive supply chain is being targeted by a malware campaign connected to the increasingly popular Carbon Grabber crimeware kit, researchers at Symantec have warned. At first glance, what Symantec uncovered earlier this month when investigating a spam campaign spreading malicious attachments looks relatively innocuous, one of dozens of such incidents security firms pick up on in any given month.
The giveaway that there is more to this one is the unusual level of targeting which aims more than half of all spam at the at the car rental, insurance, commercial transport, and second-hand commercial and agricultural vehicle sales sectors in Germany, The Netherlands, Italy and to a lesser extent, the UK
http://news.techworld.com/security/3539706/carbon-grabber-campaign-hunts-for-automotive-industry-logins/

Analysis:

The Carbon Grabber is a part of a larger supply chain attack and may be the work of a nation state actor. The initial attack gets the user to install software that in turn starts to mine data within their corporate network. Black Carbon then steals credentials and sends them to a C&C server. This attack is ongoing and more may come from this in the near future. However, this is a common 2 stage attack against companies in order to steal their secrets with the primary attack coming from a phishing campaign. The novelty here is that it is using spam campaigns and directed targeting (cars and rentals) to obtain their objectives.

APT Activities

Poisoned Hurricane

“We found that anyone could register for a free account with Hurricane Electric’s hosted DNS service. Via this service, anyone with an account was able to register a zone and create A records for the registered zone and point those A records to any IP address they so desired. The dangerous aspect of this service is that anyone was able to hijack legitimate domains such as adobe.com. Although these nameservers are not recursors and were not designed to be queried directly by end users, they were returning results if queried directly for domains that were configured via Hurricane Electrics public DNS service.

Furthermore, Hurricane Electric did not check if zones created by their users were already been registered or are otherwise legitimately owned by other parties.” ~Fireeye
http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html

Analysis:

The use of Hurricane Electric’s loose network has long been a staple for malware and APT activities. The fact that you could use their permissive DNS services only added to the ability of malware campaigns to effectively obfuscate their attacks and to exfiltrate data more easily. It is important as a company or security group to monitor your DNS traffic to insure that you are not compromised and beaconing traffic to bad actors and thus losing your data.

Taiwan: Testing Ground for China’s APT

http://thediplomat.com/2014/08/taiwan-complains-of-severe-cyber-attacks-from-china/

Analysis:

Taiwan has made a claim that they are the firing test ground for China’s APT activities.  This would make sense from the standpoint that now Taiwan is under Chinese control (for the most part but is still called Free Taiwan by many) If indeed the case, then the malware and hacking techniques could be possibly seen being tested in Taiwan and thus perhaps an intelligence boon for the US and other countries were we to be able to see that traffic as it happens.

Editable DOC file for DOWNLOAD to use for your organization

Written by Krypt3ia

2014/09/11 at 21:25

Posted in Threat Intel

JUNE 2014 Global Threat Intelligence Report

leave a comment »

photo

GLOBAL THREAT INTELLIGENCE ASSESSMENT JUNE 2014

 

Executive Summary:

In the month of June 2014 there were 3 top breaches that caused a loss of data within the range of 242,908 personal records. This is just one aspect of loss due to compromises due to criminal activities as well as state actors today within the realm of hacking. This report is being presented to you to give insight into what is happening in the world today and this last month online and in corporations where information security is involved.

This month has seen more activities from not only nation state actors but also defenders within the US working towards stopping them. Crowdstrike, Fireeye, and others have put out reports on actors and methods that are currently attacking infrastructures both private and public. In this report you will see some of the highlights from global events that is germane to your understanding of the threatscape today.

Screenshot from 2014-06-30 10:02:04

Report Highlights:

  • OpenSSL had another vulnerability found that could cause compromise of people’s credentials.
  • Iranian hackers attempted to socially engineer and spearphish numerous defense base users with LinkedIn, Facebook, and Twitter
  • A social engineering campaign was launched against the author of this report via LinkedIn in an attempt at intelligence gathering
  • The Russian state has allegedly launched attacks using the HAVEX RAT which attacks SCADA and ICS systems (Energy Sector)
  • The Syrian Electronic Army attacks Reuters website and defaces it in an propaganda campaign
  • The Dyreza RAT bypasses SSL sessions by stealing credentials and is attacking larger bank users
  • ANONYMOUS is planning an OP on ISIS funding states
  • ISIS/ISIL leveraging Twitter for propaganda and recruitment purposes
  • SEA (Syrian Electronic Army) Compromises and defaces Reuters website

Global Threats

Open SSL:

Summary:

Post the Heartbleed vulnerabilities disclosure, attackers have been working on other vulnerabilities within the code for SSL (Secure Sockets Layer) encryption. This is the encryption that protects internet traffic and has been the standard for many years. As of June 5th a new vulnerability was released and has been since patched in the code by the makers of SSL.

The attack allowed for a “Man in the Middle” attack that could have led to decryption of traffic and loss of credentials and data. This means that an intermediary machine would have to be in the middle of the traffic for this to work. This attack is feasible and it has been recommended that all instances within your environment that are vulnerable to this should be patched as soon as practicable.

From OpenSSL.org

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution

This attack though and Heartbleed show an inherent security problem with commonly used protocols or software like this due to the prevalence of use and the level of compromise that could come from exploiting this type of bug.

Social Engineering via LinkedIn: NEWSCASTER

Summary:

On May 28th iSight Partners put out a report on an alleged Iranian phishing and social engineering campaign that used some common tactics for APT (Advanced Persistent Threat) actors. This campaign started in or around August 2013 and continued up until the roll up after this report was put on the internet.

The site above posed as an on air radio station as well as a news site catering to topics that defense base individuals would be interested in. In tandem with this or at least in parallel, the adversary also created a group of accounts on Twitter, Facebook, and LinkedIN to socially engineer targets and backstop the fictitious site.

The parallell attack consisted of socially engineering employees and heads of departments up to and including high level brass in the military and C level exectuives from places like Pratt & Whitney and other companies that make defense hardware. Once users had accepted LinkedIN requests or Facebook requests they would be enticed to go to the Newsonair site to read the news and perhaps listen online. The links sent to the targets would then be drive by sites for infection or simple sites that requested users credentials to enter their site for content. These attempts would then perhaps net the adversary the users credentials to Outlook (one particular attack was a page that presented an outlook login) and thus compromising their email as well as perhaps other access such as VPN (depending on implementations)

According to the iSight report the gambit of socially engineering people via Facebook and LinkedIN worked well enough to gather approximately two thousand users “friending” or adding the fictitious (cutout) accounts that the adversary had created to mine for access. Given the numbers accredited to have been within the friends/linkedin connections it is a high probability that the adversary had at least some insight into the workings of their targets habits and perhaps even may have elicited access through the drive by attacks as well as perhaps SE data from unaware targets.

Analysis:

This campaign is not important or of note in its modus operandi generally as APT goes but it is an object lesson that should be heeded. The melding of the SE with the drive by attacks show how easy it is to attempt to get users to compromise their systems as well as their personal/corporate data through social media attacks.

Where this may in fact be an Iranian actor (not nation state but instead a hacker/group in Iran looking to carry out a campaign under the rubric of political fervor) we have also seen actors like the Lampeduza Republic (carders who attacked Target) use the same APT tactics to affect their goal of stealing PCI data.

Given that social media is so prevalent today, it is a given that campaigns are ongoing within the space and that our users as well as our executives could fall prey to these attacks by other adversaries than APT (Nation-state or other) As such we should insure that our education on Phishing as well as Social media attacks and SE should continue if not actually expand. This is the current and future of pivot attacks that will continue to be the means by which attackers break into companies and extract data.

Another factor to take into account is the endpoint where traffic is going on the internet. In the case of newsonair the IP space was located physically in DFW (Texas) but the end point of the data trail leads to Iran and a server within the Islamic Republic. IDS and SIEM can help to determine traffic patterns to such places outside of the country and should be leveraged to determine where data is ex-filtrating to. In the case of this team the SIEM and IDS solutions actually caught the traffic (hits on sites) as well as malware telemetry and remediation tools stopped the malware from compromising machines.

Social Engineering via LinkedIn: Personal Account

linkedinSE

Summary:

I personally received this invite from an alleged recruiter. Upon inspection of the account I found that the user had inconsistencies in their profile and began digging into it. Once I took the headshot and put it into an image search engine I was able to determine that the person in it certainly was not the person they claimed to be in LinkedIn.

By using the email address attached to the account I was able to then look up the metadata on the real person behind the account. This person does live in Alaska and purportedly works for a telco there. Having tracked him further using the email account provided in the LinkedIn profile I was able to track much of his life because he had placed it all online for anyone to see. This included an arrest report in 2013 for being drunk and trespassing in a residence.

linkedinSE3

 

linkedinSE2

Analysis:

The analysis for this incident follows much of what is discussed in the NEWSCASTER report. The takeaway is that your social media profile can lead to corporate or personal compromise. Care should be taken as to what you share and with whom on such sites as LinkedIn, Facebook, Twitter, etc as they can be used to create a dossier on you for further attacks.

In the case of this attempt, the user had poor OPSEC (Operational Security) and thus his legend (cover story) lacked credibility as well as leaving bread crumbs to follow easily to his real name and location. I personally do not list the companies I am employed by because of such attacks and leakage of information that would be counter to security. As such, this attacker was looking for what he had hoped was a target with entre into the government and military spaces that I listed in past jobs that I had had.

** Note at 6am 6/30/14 the user had 109 connections within the federal and MIL space**

HAVEX RAT (Russia)

scan_lanimage from F-Secure blog

Summary:

The HAVEX RAT (Remote Access Tool) has been leveraged by Russian APT to attack specific industries that now include power systems and energy companies. This actor group has modified the RAT and their modus operandi to attack SCADA and ICS systems (Supervisory Control and Data Acquisition) in hopes of perhaps carrying out supply chain attacks on those systems. This is the 43rd iteration of this RAT tool in use by this actor (RU)  This group also has used the “LightsOut Exploit Kit” watering hole attack as well to carry out attacks (http://pastebin.com/qCdMwtZ6) according to MalwareMustDie and Cisco.

**Crowdstrike designates this group “Energetic Bear” and currently this month showed them to be active and being reported on by the press.**

**Further analysis by Symantec HERE having named it DRAGONFLY**

Analysis:

This group of alleged Russian attackers has been active for some time now (circa 2012) and have been seeking data from systems within the energy sector. Given that Russia is a large player in the energy sector it is easy to assume that their motives are for state/private consumption within the energy space. The attacks have been not only on US assets but also on French and other countries companies that they have interests in.  As a whole, this group is believed to be nation state but it can be seen as perhaps a co-owned endeavour on the part of the state and the oligarchs who run the large petro and other energy concerns within the former USSR.

With the advent of the HAVEX RAT’s SCADA/ICS functionality though it can be an assumption that attacks on those systems could be used in ways that could help the Russian state’s prices on energy consumables as well as further other deeper state desires of the Putin government. An attack by an adversary with a horse in the game and geopolitical with monetary repercussions on the supply chains of certain competitors would place the Russian government in a better position globally if not regionally.

Crimeware

(DYREZA) SSL BYPASS RAT

Summary:

Dyreza is a new RAT that has a special method of gathering intelligence. This malware performs an SSL bypass allowing credentials to then be passed in the clear as a kind of man in the middle attack. It in fact steals the credentials in the targets browser thus nullifying the encrypted session altogether. Currently the primary targets of this malware/RAT have been Bank of America, Natwest, Citibank, RBS, and Ulsterbank. This malware campaign also has been cited to have an adversary set that is planning on turning this into a malware as a service model of business. They have set up money “mules” and are seeking to make this a global campaign that one can buy into as a full pipeline from compromise to money movement and laundering.

Analysis:

While this RAT and group (Assumed to be Russian with the naming of Dyreza) are ambitious they have failed to program encrypted comm’s into their model thus SIEM and IDS traffic will easily capture and stop their activities. While their approach is novel, they are not as yet a true threat to a larger swath of corporations due to their technical limitations. It is also assumed that these new players are attempting to cash in on the void that was left by the GoZeus takedown recently. Until such time as they next iteration includes encrypted C&C this group should not be considered a major threat actor.

APT Activities

China

Summary:

Crowdstrike reported on a new PLA unit active online today attacking corporations and government entities naming the unit (Unit 61486) as well as some of the players involved by name. In what is called OSINT (Open Source Intelligence) the Crowdstrike team reported on the actual names of PLA members who comprise this unit including pictures and personal details. Crowdstrike is calling this group “Putter Panda” and they are primraily attacking the government, defense, and technology research sectors.

PLA Unit 61486 focuses their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks (i.e. SpearPhishing)

**Currently there are 13 groups/cells within the Chinese PLA active today as APT (Advanced Persistent Threats)**

Analysis:

Attribution is a troublesome thing in hacking and cyber warfare but the data presented by Crowdstrike is compelling enough to say that they in fact were right. However, the usefulness of such reports is called into question as relations with China sour and the legalities surrounding all of this preclude any solid action of merit. In the case of the Putter Panda report and their doxing of the PLA players it may be a moot point. Outing these players will not necessarily change their tactics as we have seen from the Mandiant reporting on CN activities in the past. In the case of the Mandiant report those actors changed some of their activities but on the whole they fell back into the same practices.

On the legal front outing such sources of attacks also may in fact lead to some sort of naming and shaming at a political level that the US may leverage but I personally unsure of it’s efficacy. As we have seen to date the US and the globe lack the proper legal means to attack these problems as well as politically there are no common grounds for countries to apply warfare as separate from civil actions taken by individuals perhaps at the governments behest. In the case of the PLA they are military however, many of their proxy actors are private citizens that are motivated by patriotism and perhaps monetary incentives to carry out these attacks.

On the whole this is just another common APT group within the arcology of Chinese APT who’s OPSEC (Operational Security) was lacking and thus they re-used information or aligned information and backstopping for their campaigns with personal data. This allowed OSINT (Open Source Intelligence) analysts to easily follow Wang Dong’s trail back to his own personal accounts with photographs etc. While this is a marketing coup for Crowdstrike the efficacy as mentioned above is still questionable on outing these players.

Iran (See above NEWSCASTER campaign)

Russia(See above HAVEX RAT campaign)

Syria/SEA (Syrian Electronic Army)

Summary:

The SEA attacked and compromised the Reuters website on June 22nd 2014. This attack followed the usual protocol of defacement by the Syrian Electronic Army and its leader Th3Pr0. The SEA is a group that has formed to fight on the web in a propaganda war of web defacements for the Assad regime. It seems that this hack against the Reuters site was carried out via an attack on a third party vendor who had access to key systems. Someone from SEA fooled a company employee, into giving up their password and then used the access to Taboola’s Backstage platform to change the header in the Reuters widget, and thus to deface the page.

Screenshot from 2014-06-30 11:41:46

Analysis:

It is debated whether or not the SEA is considered to really be a nation state actor or not. As yet it is indeterminate if the SEA has backing from the Assad regime (i.e. money and support) but is something that should be watched and thought about. Such instances of anarchy and propaganda online are much more common post the Anonymous and LulzSec incidents from 2010 on and the model is now popular with online movements.

For the most part SEA’s attacks are more propaganda than anything on the level of espionage or acts of warfare. It is debatable whether or not SEA is really capable of much more than defacements but it may also be that the actors within this group may have been holding back on more serious actions. Given their penchant for SE attacks to gather access it is very possible that they could carry out more devastating attacks against their targets internal systems.

It is the recommendation of this assessment that a little of both applies here.

HACTIVISM:

ANONYMOUS: OP: NO2ISIS

Screenshot from 2014-06-30 12:10:29

Summary:

Anonymous has announced that it plans on attacking ISIS/ISIL funding sources and state backers. In an operation they are calling OP: NO2ISIS Anonymous claims they will be attacking the sources of funding for the group that is presently taking over large sections of Iraq. The three primary targets of Op: No2ISIS will be Turkey, Saudi Arabia, and Qatar but may include other targets as they get intelligence implicating other countries or individuals.

Anonymous plans to attack these sources of funding because they claim that ISIS is not something they can attack online as they are fighting a ground war in Iraq and Syria. Another reason that the Anonymous collective has targeted ISIS is because ISIS took over the account @theanonmessage (an Anon account) and feels that this operation would suffice for retribution against the newly minted terrorist organization. It is not possible to know what real damage Anonymous can have against the funding of ISIS nor perhaps against ISIS itself due to the primary modus operandi of distributed denial of service may or may not have any effect on those targeted.

OFFICIAL ANNOUNCEMENT:

Analysis:

It is of note that Anonymous feels moved to target the funding structure of ISIS for a couple of reasons. Firstly, a frontal attack on ISIS, as they say in their media is hard because ISIS is in fact fighting a ground war in Iraq. However, ISIS does use Twitter and other social media very effectively in a propaganda and recruitment war and this could be attacked rather easily by a group such as Anonymous. This cognitive dissonance on the part of the Anon’s makes them look a bit more impotent than they would like on the whole and this operation will likely hardly be a win in any book against ISIS or their funding feeds. This operation will likely have little to no effect on ISIS nor their funding and it is the opinion of this assessment that Anonymous would be better served by attacking the ISIS media wing instead. By degrading the ISIS capabilities for propaganda and recruitment Anonymous might play a better role within the GWOT.

PSYOPS & PROPAGANDA

ISIS/ISIL (Islamic State of Nineveh)

article-2661007-1EC4125D00000578-306_634x453

Summary:

The ISIS (Islamic State of Iraq and Syria) has been in a media jihad for some time now and it has accelerated this campaign with the current takeover of sections of Iraq that it has been carrying out. ISIS has a media arm that has been using social media such as Twitter (as seen above) to leverage the internet in a propaganda war as well as a recruitment drive. The group has not only been using twitter with individual accounts but also has created a twitter application that allowed the terrorist organization to use other accts to geometrically reach a larger audience. The tool would be loaded on to user systems and had an API function that allowed the user to put in their credentials and authorize the app to post ISIS jihadi media posts to all of the followers of that account.

Screenshot from 2014-06-30 13:07:59

Analysis:

ISIS has been rather novel in their use of Twitter online. Their creation of an application to bypass Twitter’s own systems is interesting to see as well as it’s inherent means of doubling or quadrupling their messages getting out through proxy accounts. (i.e. users allowing themselves to be the conduit of the media jihad) As a means of propagandizing their war in Iraq as well as a tool for recruitment (which has been rising since their campaigns both digitally and on the ground have taken off) ISIS has harnessed the internet and social media in a way that the old guard of Al Qaida never did. This is clearly an advance and should be noted not only from the position of the GWOT but also any other movement that might learn from ISIS and begin their own propaganda wars using social media as the primary medium.

MILITARY FACEBOOK PSYOPS TESTING

Summary:

Facebook has recently published a 2012 study in the March issue of the Proceedings of the National Academy of Sciences. The study was to determine whether it could alter the emotional state of its users and prompt them to post either more positive or negative content, the site’s data scientists enabled an algorithm, for one week, to automatically omit content that contained words associated with either positive or negative emotions from the central news feeds of 689,003 users. This study found that it could manipulate those users emotions to a certain degree by said manipulation.

According to an abstract of the study, “for people who had positive content reduced in their News Feed, a larger percentage of words in people’s status updates were negative and a smaller percentage were positive. When negativity was reduced, the opposite pattern occurred.” The study was partially funded by the Army Research Office — an agency within the U.S. Army that funds basic research in the military’s interest  according to a press release from Cornell University.

Analysis:

While this type of testing is a normative thing within the psychology sphere, the problem that many have latched onto is that the US military funded this one. The assessment of this story and the study itself does lead one to believe that on the whole the military as well as Facebook have some ethical questions to face about this. Facebook surely is looking to manipulate their users for purposes of sales and the synergy of that in tandem with the military’s desire for PSYOPS tools is rather assured. By using social media like Twitter or Facebook, the millitary as well as other actors could manipulate populaces en mas with these techniques and this is a dangerous precedent to set.

GLOBAL INTELLIGENCE ANALYSIS:

Summary:

Overall this report has been put together to show a high level approach to global trends in threats online. The actors are varied from criminal syndicates, to nation state actors and spies, to global jihadist movements abroad. Truly the internet and computers have brought a new and very extensible means of espionage, terror, and manipulation of peoples through social media, hacking, and other means within the digital realm.

As we have been seeing the technologies are becoming easier to master for many to use guerrilla tactics and unconventional warfare online to further their goals. Whether that be a nation state like Russia using malware to  effect the supply chains of other nation states energy companies or Ukrainian syndicates seeking to steal masses of personal data along with credit card numbers and pins we are seeing a change in paradigms digitally. All of the attacks written about in this report are fodder for the reader to consider the technological landscape today and the types of attack methods as well as goals that predicate them.

The takeaways from this June report are the following bullet points:

  • Social engineering has always been a staple but now that social media is in the mix it’s use is much more devastating to organizations
  • Malware tools are constantly being upgraded or created anew with various attack vectors that leverage phishing/spearphising/ and social media attacks
  • Globally, intelligence gathering techniques are no longer solely the purview of nation state actors and their spy agencies alone.
  • Propaganda and misdirection are becoming more popular not only with nation state actors but also terrorists and criminal gangs

 

PDF VERSION OF THIS DOCUMENT HERE

APPENDIX A: LINKS

http://www.stockhouse.com/news/press-releases/2014/06/10/akamai-warns-fortune-500-of-high-risk-threat-from-zeus-crimeware

http://www.nytimes.com/2014/06/10/technology/private-report-further-details-chinese-cyberattacks.html?_r=0

http://www.openssl.org/news/secadv_20140605.txt

http://www.crowdstrike.com/…/CrowdStrike_Global_Threat_Report_2013.pdf

http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/a-dyre-new-banking-trojan/d/d-id/1278620

http://www.zdnet.com/chinese-army-group-hacks-us-satellite-partners-crowdstrike-7000030353/

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB0QFjAA&url=http%3A%2F%2Fcdn0.vox-cdn.com%2Fassets%2F4589853%2Fcrowdstrike-intelligence-report-putter-panda.original.pdf&ei=ooOxU97iNYWqyATRqoKQDg&usg=AFQjCNHzq5qbTVgD8V-gwGKo_-naV9GG5Q&sig2=6TYhWyIHI4ZfRjO0NbyUxg&bvm=bv.69837884,d.aWw

http://www.eweek.com/security/third-party-service-providers-scrutinized-after-seas-reuters-hack.html

http://www.forbes.com/sites/jasperhamill/2014/06/27/anonymous-hacktivists-prepare-for-strike-against-isis-supporters/

http://www.kshb.com/news/us-government-helped-fund-facebook-experiment-that-manipulated-users-emotions

 

 

Written by Krypt3ia

2014/06/30 at 18:00

Posted in Threat Intel