(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Threat Intelligence’ Category

Pandemic Threat Intelligence and Response Briefing For Executives: Planning For INFOSEC/Supply Chain/Continuity


Johns Hopkins COVID-19 Heat Map Tracking

Threat Intel:

SARS-CoV-2 has been spreading exponentially within the global community, and the effects of the virus and its attendant disease (COVID-19) are rapidly causing shocks within the global community. The effects of the pandemic are far reaching: we have seen the strain on the global supply chain as China fell into the height of the pandemic, with supply chains diminished or broken outright. As the virus spreads, it is important to consider the threat to the security and function of your organization from the loss of these supply chains as well as of workforces within and without. As the spread of this disease continues, expect more supply chain degradation, if not complete failures for some amount of time, as the quarantines commence and play out.

With that in mind, here are some basic questions to consider for your organization's security and continuity, both as a whole and as separate functions such as the security of your networks. Use this document to spark discussions around the security response as well as the larger continuity and integrity of the whole as we are affected by this pandemic. These scenarios may not actually come to pass, but, as a security body, it is our job to forecast eventualities and the responses to them that might be needed to continue the function of the org.

Executive Briefing:

With the outbreak of SARS-CoV-2 and its resultant COVID-19 (the syndrome from infection), we have been seeing the arc of this outbreak becoming a global pandemic. With that in mind, it is advantageous to start planning for the effects of this pandemic on the businesses that you are responsible for. In this assessment we will look primarily at the CIA triad of the response, not just on a data security level but with an expanded outlook on the security, continuity, and supply chains that make up the CIA triad. All of these affect the security of your organizations as well as the basic functionality of your business.

With this in mind, it is important to look at the effects of the pandemic projected out from initial outbreak to global pandemic and how that will affect your business. Primarily the effects can be broken down into these discrete areas of concern:

  1. Supply chains: What supply chains will be affected that will impact your business model?
    • Human capital: how many people does it take to function properly if the workforce is down from COVID-19?
      • What are your tolerances on head count?
      • What contingencies do you have if the workforce is depleted due to sickness and quarantine?
      • Where are your single points of failure in the knowledge base were these assets to be sick and quarantined?
    • Supplies on demand that go into making your product: how much tolerance do you have for supply chains breaking?
      • What regions do your supplies come from?
      • Are they affected now?
      • Plan for pandemic loss of workforces and how long you can function without supplies or with less.

  2. Infrastructure capacities: What tolerance does your network have for expanded remote working?
    • With a workforce that may be in social isolation mode, what is the capacity for your company to allow people to work from home?
      • People will self-quarantine if they become ill.
      • Children may be home as schools and day care shut down in order to prevent the spread of disease.
      • State and federal governments may recommend that people stay home and isolate to stop the spread.
      • In a protracted scenario of isolation and potential re-infection, what are your projections on your organization's ability to function?

  3. Information security events and response: With a global pandemic, the same drawdown on workforces will also apply to MSPs' (SOC) workers.
    • With automation today much of the function of a SIEM/SOC is canned response, but there is always a need for human intervention: who handles your response?
      • During the time of pandemic and response, if your team is depleted due to sickness or quarantine procedures, what is your contingency for response?
      • During the time of pandemic and response, the same applies to the SIEM/SOC solutions that you pay for if you do not have them in house: what is their contingency?
      • If you have a true incident in your environment, how will you handle it if the primary incident handlers are unavailable?
      • Do you have a service you work with?

All of these questions should be addressed going into an event like the one that is playing out globally with the SARS-CoV-2 (COVID-19) pandemic today. It is recommended that the executive suite be briefed on these questions and assure that these possible eventualities can be answered by the organization to ensure the continuity of the org. Other elements of this narrative also bear on scenarios in other areas such as infrastructure and the overall output of whatever your organization's products are, but these are a good set of questions for the security element to bring to the executive suite to have the initial discussions.

As such, use this document accordingly.

PDF format of this post here

Written by Krypt3ia

2020/03/02 at 14:38

2020 Threat Assessment

Here’s my threat assessment for the United States post the impeachment acquittal of Trump and the possible scenarios for the 2020 election cycle. I am putting these out there for you all to consider and to keep in the back of your minds as we move forward these nine months to the election as well as what we may see after November 8th 2020. Given recent events it is not hard to posit these scenarios as equally possible and all having grave import to the freedom of this nation and its people.

As we have seen so far, the elections systems are insecure, the government itself and the Framers intentions are all now in question as to what is real, and the net effect is this; we now have a president who believes he has the power to do anything and now likely will push the envelope before the election. However, if he wins this election, you will see the power grabs and the illegalities only increase, eroding the rule of law further with his co-conspirators in the DOJ and elsewhere.

What we have seen in the last week alone should have you all thinking about the actions to come, and what, if anything, the government can do about it. I will tell you straight up here right now, this is a slide into fascism boys and girls. In the last day we have seen the President Tweet a comment about the “unfair” sentencing of Roger Stone with an almost immediate response from the DOJ to throw out the sentencing guidelines and recommendations of the prosecution and with that, the resignation of the four DOJ lawyers who were handling the case for the government.

This. Is. Not. Normal.

… And it’s just the start.

As we move into the Election cycle, I would hasten you all to go and read this piece in The Atlantic on the disinformation war to come. We are going to see an all out attack cycle not only from the outside, but from within in this election. Added to this, the outcomes of the election are a key factor in what may be to come and at what rate things happen. So, read on and consider these scenarios.

Things are going to be very messy.

The Election Cycle:

Scenario 1: Trump Wins The Election By The Electoral College Again

This is the most likely event that I foresee for the 2020 election. Given the information war to come, I am willing to say that what happened in 2016 will happen again given the polarity of the nation and the machinations on the part of the Republicans to fudge the vote. There will be no need for Russia to really weigh in here and tip the scales with hacking for this to happen, but imagine if we have a replay of 2016 though. Once Trump has won the second term he will have four more years to push the envelope and do whatever he likes. This is primarily because once the election is won, he has no reason to be restrained in any way.

Think about it, impeachment was a failure. The senate is willing not only to toe the party line in a partisan way, but to whole cloth eschew the constitution for Trumpism merely to stay in power. With the senate under his thrall, and the belief that Article Two says he can do whatever he pleases, he will overreach, and with the help of the senate and now the DOJ…

Well, you can see what that means.

Scenario 2: Trump Wins By A “Landslide”

Given the polling and the stats that have been pretty consistent, if Trump won by a landslide, there would definitely be something wrong with the process in 2020. If this were to come to pass, it would surely mean that the election had been manipulated in a way that we have only seen in countries in Africa and South America. No amount of persuasion allows for this scenario. So, if it happens the outcome will be these:

  • The election will be investigated while Trump will still be in office
  • The investigation will take a long time, and during that time Trump and his minions will do everything in their power to obfuscate
  • The election would likely have to be re-run… But… Could Trump attempt a coup and declare a national emergency to keep power?

All of these scenarios are not as likely as the Electoral College win, but, this should scare you all because you know, he will not just leave the White House and allow for a free and fair election right?

Scenario 3: Trump Loses and Declares The Vote To Be Rigged

IF Trump loses the election, do you really all believe he will accede to the will of the people and leave? Do you further believe he will leave knowing that right after he does the SDNY will be slapping cuffs on him and trying him for crimes he committed pre election and after? The short answer to this is no, he will not willingly leave in my opinion.

So, with that said, let’s look at the scenario that he does lose, even losing the Electoral College. You all have seen him already use the terms “rigged” before in the first election, but now with so much on the line, he will immediately call for a recall. In fact, this may already be a contingency plan that the Russians or others can help with by actively penetrating our election systems. The damage would only have to be the fact that some votes were changed or databases were abused, that is all it would take to call into question the vote, and for Trump to use his powers as president to mandate an emergency situation in which he will retain power.

Once again, if this happens, the elections investigations will take a long time, and in that interim Trump will still be in power and able to overreach to keep it. So far, I have little faith in the system (e.g. the government) to stop him from doing this. We have seen how Impeachment went, and we have seen just how dangerous a totally tribal majority is in power.

Use of the DOJ As A Weapon:

Scenario 1: Trump And DOJ Start Arresting Opponents

We are already seeing this play out with Barr and Trump. With the DOJ now directly accepting disinformation dirt from Rudy for the 2020 campaign, I have little doubt that that information will now be used as a means to an end: at most, creating charges, and at the least, reasons for search warrants and the like for the DOJ to start using against Trump’s opponents (primarily Biden at this time).

Right now Trump has an enemies list, but first on that list seems to be Bolton. If Bolton is suddenly presented with search warrants or arrested, this will be the first domino to fall in a cascade of abuse that Trump and Barr will carry out. If there is nothing to stop them arresting Bolton, expect others on that enemies list to be next. Post re-election, you will likely see this escalate and the enemies list will grow as well.

Scenario 2: Trump Pardons and Frees Manafort & Stone

As of yesterday, the events around Trump and Barr’s manipulation of the DOJ show you where they are willing to go for their peeps. It is likely that Trump will pardon Stone after the judge decides whatever she is going to give him. She does have discretion, so one hopes that the original 7-9 year stint is what she chooses. However, if that happens, yeah, he will get pardoned and inserted back into the election cycle where Trump would like him.

Manafort too will also get a pardon, likely after re-election. This will also allow Manafort to re-kindle his ties to Ukraine and help Rudy as well. Trump will pardon Manafort most of all for his steadfast not being a rat and rolling over on Trump. This is the real key to this happening. This will set the precedent for others, like any other mob boss, Trump will show that if you do time for him, he will reward you later for not being a rat.

Scenario 3: Trump and Barr Close Cases Against Flynn & Erik Prince

Next in line are Flynn and Prince. My assessment will be that these two will slip away for two different reasons. Flynn will get away because he dealt with the government in the first place, but, he also did not totally rat out Trump. It’s been obvious that he has been holding back and obfuscating, so whatever it is, he has given enough to get leniency from the government, but with Barr in DOJ, well, they can just make it all go away right?

Erik Prince will get good treatment from Trump and have his case tossed because Prince is the wet works guy that Trump needs for the proxy wars and connections. This too will likely happen after re-election.

Scenario 4: Trump Starts Removing Non Conforming Justices

This is already starting to happen. The administration recently set forth the idea that they were going to “investigate” doing this in sanctuary cities. Those left-leaning justices need to be removed, according to Trump. Of course, if this happens just to sanctuary city justices I will be truly surprised. This is a means to an end. If you will note, Trump has been putting in more right wing justices than anyone ever has. The control of the judicial system is a keystone in the ultra right’s playbook, so don’t expect this to be forgotten.

Scenario 5: Trump and His Operatives Start Disinformation Campaigns Against Journalists and Starts Arresting Them

In the run up to the 2020 election you will see directed attacks on reporters by the Trump admin and the Republican machine. If you read the above linked disinformation story in The Atlantic you can see how Trump’s son Don Jr. is directly working with operatives on caching dirt on reporters, to sow disinformation about and use dirty tricks against anyone who opposes them in order to discredit them. Post re-election this will likely continue, if not actually escalate (as Trump becomes more aggressive without checks against him and as the media continues to do its job).

Final Assessment:

You might be reading this and thinking that I am just paranoid.


But, what we are actively seeing today is not a slide into a greater democracy. These tactics, the overall machinations by the Republican party (aka Trump party), are all indicators of an overall planned slide into authoritarian tactics. That the laws of the land have not been able to stop Trump and the Russians so far has shown the inherent weaknesses of the American systems that have been attacked. With the rule of law being slowly poisoned by Barr’s acquiescence to Trump’s will, we are sliding further and further into a quasi fascist state. The longer Trump is in power and keeps pushing the envelope without reproach, the further and further from autocracy to totalitarianism we will be.

The system has been challenged and we are finding that it is insecure and unable to right itself. These scenarios are just posits, but if they come to pass, you had better be thinking of an exit plan.


Written by Krypt3ia

2020/02/12 at 16:36

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.



In 2013 I wrote about leaderless jihad and the “Stand Alone Complex”. Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last night’s attack using a lorry was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really: gather some weapons, steal a truck, and then plow it into a crowd. But it has taken this long for the insidious idea to take root in the collective unconscious of the would-be jihadis. The days of a more rigid and trained “jihad” are being eclipsed by unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot: 2014 Inspire


Screenshot: 2010 Inspire 2, “Ultimate Mowing Machine”


Soft targets were always the preferred avenue of attack, but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dhaka on the face of it had a contingent of more trained individuals, the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services, because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track, and certainly if they self-radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.


So here we have it. I have been pointing this out for a while, and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are self-radicalizing with the help of the media’s obsession with covering these acts ad nauseam. The pervasive hand wringing and talking heads only serve to whet the appetite of the would-be jihobbyist into action. Forget the Inspire magazines and the videos; just watch CNN and that is enough, it seems. This all is very much like the plot line of “The Laughing Man” arc of Ghost In The Shell: an act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l), as well as serve as a means to self-fulfil the actor’s need for attention and satisfaction.


This is pure psychology at work, and there are a host of reasons and syndromes that could likely be pointed at to rationalize its happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded… Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as second generation citizens. It is a complex thing to nail down, and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…



May 2015 Global Threat Intelligence Report


GLOBAL Threat Intelligence Report – May 2015




  1. Executive Summary

In the month of May 2015 we saw the advent of “stunt hacking” with the claims of one researcher being able to hack a plane’s engines while in flight. While this event was the talk of all the media the real point of the thing was that nothing is secure, not planes, not trains, not automobiles, and certainly not your networks.

The common factor here is that security is an ongoing process that never stops. It is not a static thing and must always be perpetually worked on to hopefully prevent a breach or, more likely, to detect one that is happening or has happened and to react to it properly. The following document covers some of the events in the security sphere that took place in May and comments on them to give direction as to their importance in the scheme of things.

Please use this document as a means to an end to enlighten yourselves on the current threatscape out there and as a guide to a process with which you can grow your own practice to a maturity where this information cycle becomes your own.

  2. Global Threats

      2.1. Tiversa accused of hacking clients to extort them:

When you hire a firm to take care of your cybersecurity, you’re hiring a team of experts whom you assume you can trust. But one such firm allegedly used the trust of its clients to straight-up extort them with made-up “data breaches.”

CNN Money gives us a rundown on Tiversa, a still-operating cybersecurity company that offers up digital security services to other companies. According to a whistleblower who worked there and is now testifying in federal court, Tiversa was running a very simple and clever scam.

      Analysis:

The importance of this story cannot be overstated today in a world where often times security is checked by hiring an outside firm to test it. In the case of Tiversa, the extreme is that they were extorting companies with false data or worse, by hacking firms and then extorting them into buying their services.

It is important not only to vet the companies you are doing business with but also to have security functions within the org that can vet the data being presented. If there are any questions on the findings, they should be called out and researched to ensure their validity in cases where companies offering these services may not be doing their due diligence.

It is also important for the executive management to understand the importance of the findings presented in these types of assessments as well as the differences between a vulnerability scan and a penetration test. All too often this key difference is not apparent to the C-Suite.

      2.2. What’s the difference between a vulnerability scan, penetration test and a risk analysis?:

You’ve just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?

Don’t get hacked!

An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.

      Analysis:

The difference between a vulnerability scan and a penetration test is a key point for any organization to understand in order to secure itself effectively. The above article does a fair job of describing the differences and is a must read for any C-suite or middle manager who has a security function. In turn, this information should be imparted to those in charge so they comprehend the differences and the need for both to secure a company.

Even today after years of having these types of assessments available, often times you will find companies selling what they call ‘penetration tests’ when in fact they are not testing by penetration of exploits at all. On the flip side of this coin, many companies shopping for these services are much more comfortable with just a vulnerability scan without actually exploiting their networks due to the FUD (fear, uncertainty, and doubt) that surround such activities.

If your org is only having vulnerability scans run and not having penetration tests carried out as a real world test of the security of the org, you are only setting yourselves up for an eventual compromise and the fallout that comes with it. Both of these functions are integral to the hygiene of any security program.

      2.3. Criminals stealing money via Starbucks App:

Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.

The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.

That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.

      Analysis:

Starbucks, like many other companies today, allows the connection of bank accounts to honor cards that can be used to pay for services as well as give the user perks when they use them. As smartphones become the physical replacement for honor cards, we create a new vector for attacks against the user.

In this case the users’ passwords to the Starbucks application and system may have been weak, but this does not discount other types of attacks against the mobile phones and the applications like the Starbucks app itself. In either case, the attack can allow connected cards and bank accounts to be siphoned off rapidly.

It is important to understand that this story can apply to you personally as well as perhaps organizationally if you have honor cards or deal with them. Honor cards specifically attached to bank accounts as well, can be hacked and the personal data as well as the banking data can be stolen.

Additionally, companies should be aware of these situations when potential applications have been compromised on users who may also have corporate data on phones as well. If an application is compromised, just how much access does it have to the phone’s operating system and thus the users data?

      2.4. 1.1 million customer records lost to hack on CareFirst:

For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making security upgrades, the company discovered that it had actually already been breached—in June 2014.

1.1 million current and former customers were affected by the hack, and CareFirst has 3.4 million current customers. The company, which offers coverage in Washington D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and social security numbers weren’t affected.

      Analysis:

While this attack has the hallmarks of potentially being nation state instigated, it is important to note that even with a security program in place, compromises may be missed if the adversary is skilled. On average, according to Mandiant, most orgs are compromised for up to about a year before they are informed by someone else that they have been breached, and this is an important statistic to be mindful of.

It is not clear from the story just how well the Caremark security program runs, nor is it possible for every security team to catch everything, but it does show that without indicators of compromise it can be difficult to spot when a company has been hacked and when data is leaving the network. Thus it is important to consistently strive to have a firm grasp on your network, its traffic, and any possible anomalies that may in fact be indications that you have been compromised and data is being stolen.

Organizations should have mitigations in place such as IDS/IPS as well as robust logging and correlation in tandem with a SIEM product to watch the traffic in and specifically out of the domain to detect and potentially stop an incursion in process.
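The paragraph above recommends watching traffic leaving the network for anomalies. As an added example (not from the original post or from any vendor's SIEM), the script below runs two simple detections over a constructed outbound-connection log: one flags a host that talks to the same destination at near-constant intervals (a beaconing pattern), the other flags a host whose total egress volume is far above the rest of the fleet. The log format, host names and addresses are all constructed for the example; the thresholds are assumptions that a real deployment would tune against its own baseline.

```python
"""Two toy egress-anomaly detections over a constructed firewall-style log.

Added example; the log format is a constructed one, not a vendor's.
Record layout: <ISO timestamp> <source host> <destination IP> <bytes sent>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample records (not real traffic). ws-17 contacts one address
# every 10 minutes like clockwork; db-01 pushes a very large volume out.
SAMPLE_LOG = """\
2015-05-10T08:00:00 ws-17 203.0.113.9 1200
2015-05-10T08:10:00 ws-17 203.0.113.9 1180
2015-05-10T08:20:00 ws-17 203.0.113.9 1210
2015-05-10T08:30:00 ws-17 203.0.113.9 1195
2015-05-10T08:40:00 ws-17 203.0.113.9 1205
2015-05-10T08:03:12 ws-04 198.51.100.20 540
2015-05-10T08:31:47 ws-04 198.51.100.20 88000
2015-05-10T09:14:05 ws-04 198.51.100.20 2300
2015-05-10T08:05:00 db-01 192.0.2.77 450000000
2015-05-10T08:06:00 ws-22 198.51.100.20 300
"""


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return records


def detect_beacons(records, min_connections=4, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    A low coefficient of variation (stdev / mean) of the inter-arrival
    times is the classic signature of a scheduled check-in. Thresholds are
    assumptions for the example.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["time"])

    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


def detect_volume_outliers(records, factor=10):
    """Flag hosts whose total egress exceeds `factor` x the fleet median.

    Comparing to the median rather than a fixed byte count keeps the check
    meaningful whatever the normal traffic level is; `factor` is an
    assumption for the example.
    """
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    baseline = median(totals.values())
    return sorted((host, total) for host, total in totals.items()
                  if total > factor * baseline)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beaconing pairs:", detect_beacons(recs))
    print("egress outliers:", detect_volume_outliers(recs))
```

Both checks are deliberately simple; in practice they are a starting point for a correlation rule rather than a finished detection, and the interesting work is in building the baseline that the median and the interval thresholds are compared against.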

      2.5. Stop using painfully obvious security answers:

We all love pizza, but that doesn’t mean you should be using it as a way to keep your data safe online.

In a new research paper, Google staffers found that those pesky security questions which are often used to help users recover passwords are one of the worst ways to protect online accounts. The company studied hundreds of millions of actual question-and-answer combos used by real Google users, and discovered people often choose obvious answers that are easy to remember — but also easy for hackers to guess.

For example, an attacker would have a 20% chance of guessing an English speaker’s answer to the question, “What is your favorite food?” by guessing “pizza” on the first try.

      Analysis:

This article may be aimed at end users, but it should also be aimed squarely at companies that use these types of questions as a means of authentication for their paying clients. These questions and their easy answers are not a feasible security layer today and could lead to compromise not only of end user systems but also of corporate networks if they are not using more robust authentication techniques.

This article concludes that it should be taken even further, disallowing the questions from being asked at all as they are too easy to guess from the start. This is a correct assessment of these kinds of questions. If you or anyone else is using a household pet’s name or the birth date of a child as a password, you are already behind the security 8 Ball, because these are easily obtainable bits of information on the internet today for adversaries to find.

A two factor authentication system today is a better way to secure your network, and this usually consists of a user ID, a PIN, and a password. As these systems are more costly many organizations try to avoid them, but they are the best way we have today of securing a network that is accessed by end users remotely.

  3. Malware & Crimeware

      3.1. Hackers sneak malware into job applications:

Hackers are slipping malware into resumes submitted through the job posting website to infect businesses, security researchers have found.

Attackers are browsing open positions and attaching malicious documents disguised with the name “resume.doc” or “cv.doc” to applications, according to the Sunnyvale, Calif.-based security company Proofpoint. The attack sends malware directly to hiring managers and interviewers because CareerBuilder automatically emails job-poster notifications and attachments with resumes when candidates submit applications.

      Analysis:

With the rise in phishing and the attendant rise in awareness on the part of corporations and their employees, the tactics needed to evolve to keep working. While phishing still works pretty well on average, this pivot to sending resumes pre-loaded with malware to specific targets was only a matter of time.

The upshot of this article and this analysis is that even with AV, malware often makes it through the defenses and is activated by internal users. When this happens you may have started the dominoes falling on a larger compromise of the whole network through one infected doc file or PDF.

Companies should take the extra step of having a sandbox technology on top of AV/Spam systems that can be used to open documents and test them for malware before being introduced into the common network environment. As seen with the attack on Target, the criminal elements (i.e. Russian carders) are using similar tactics to advanced persistent threats now and anyone who handles PII/PCI/HIPAA or any other kind of data that can be sold is a target.

      3.2. Mumblehard turns WordPress sites into spambots:

The Mumblehard malware is turning Linux and BSD servers into spam-spewing zombies.

Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace.

Mumblehard is made up of two different components. The first component is a generic backdoor that requests commands from its command and control server. The second component is a “full-featured spammer daemon” process, which is launched via a command received via the backdoor.

      1. Analysis:

Not all hacking attempts are used to compromise networks, and not all malware is used to steal data. In the case of Mumblehard, the malware was created and used to turn your system into a slave to be used as a means of making money via spam. This type of attack may seem more of a nuisance, but it really is a problem, especially if the compromise could lead to further compromise of your network down the line.

As WordPress sites have had a track record of vulnerabilities in the past, it is important that if you have WordPress in your environment you keep up with patches and alerts concerning the application security of your sites. Anyone who has WordPress as a working part of their infrastructure, especially if it is internet facing, should be on the patch distribution lists that WordPress puts out, and those sites should be a regular part of the patch cycle.

      1. The return of macro malware:

Macro malware, that tried-and-true document-borne attack vector, is back. Over the past few months, Microsoft has seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

The majority of the macro-malware attacks have taken place in the United States and United Kingdom.

Macro malware gets into your PC as a spam email attachment. The user opens the document, enables the macro, thinking that the document needs it to function properly—unknowingly enabling the macro malware to run.

Success of course requires the email recipient to fall for a social engineering technique and open the attachment.

      1. Analysis:

Within the realm of malware and phishing attacks, this old malware attack has come back to the fore with a vengeance recently. Relying heavily on the social engineering portion, first to get the user to open the email and then to turn on macro support, has been partially successful in many instances.

Once opened, the macro will then contact a download site and install other tools on the compromised system, thus finishing the attack cycle. In many cases these phishing attacks and the files attached are not being seen by AV applications and thus are passed on to end users for them to open.

It is important that your organization have a good grasp on awareness of phishing/social engineering attacks and the different means an attacker will use to get an end user to compromise their own system and let the adversary in. If you are not carrying out awareness training on an ongoing and repeated basis, it is highly likely that an end user will be the arbiter of a compromise at your org.
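To make the "sandbox on top of AV" point from the resume.doc story and the macro point above concrete, here is an added example, written for this page and not taken from the original post or from any vendor, of a first-pass attachment triage that a mail gateway could run before a document ever reaches a hiring manager. It flags OOXML documents that carry a VBA project or a macro-enabled content type, flags files whose .doc/.xls/.ppt extension does not match an OOXML body, and routes legacy OLE2 binaries to a sandbox because macro presence cannot be confirmed from that container without a full OLE parser. The sample documents are constructed in memory; the Verdict structure, the quarantine policy and the file names are this example's own assumptions.

```python
import io
import zipfile
from dataclasses import dataclass, field

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/...) is a zip container
LEGACY_EXTENSIONS = ("doc", "xls", "ppt")


@dataclass
class Verdict:
    filename: str
    container: str                      # "ooxml", "ole2" or "other"
    has_vba: bool = False
    reasons: list = field(default_factory=list)

    @property
    def quarantine(self) -> bool:
        # Policy (assumption): anything with a confirmed macro, an unverifiable
        # legacy container, or a container/extension mismatch goes to the sandbox.
        return self.has_vba or bool(self.reasons)


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Static triage of an attachment body; never opens the document in Office."""
    verdict = Verdict(filename=filename, container="other")
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""

    if data.startswith(ZIP_MAGIC):
        verdict.container = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    verdict.has_vba = True
                    verdict.reasons.append("vbaProject.bin part present")
                if "[Content_Types].xml" in names:
                    types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    if "macroEnabled" in types_xml:
                        verdict.has_vba = True
                        verdict.reasons.append("macroEnabled content type declared")
        except zipfile.BadZipFile:
            verdict.reasons.append("corrupt zip container")
        if ext in LEGACY_EXTENSIONS:
            verdict.reasons.append(f".{ext} extension but body is an OOXML zip")
    elif data.startswith(OLE2_MAGIC):
        verdict.container = "ole2"
        verdict.reasons.append("legacy OLE2 binary: macro streams not verified here, route to sandbox")
    return verdict


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (not a real Word file) for testing the triage."""
    main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    main_type += ".macroEnabled.main+xml" if with_macro else ".main+xml"
    types_xml = ('<?xml version="1.0"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            types_xml += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes, not real VBA
        types_xml += "</Types>"
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, body in [("resume.doc", build_sample_ooxml(True)),
                       ("cv.docx", build_sample_ooxml(False)),
                       ("resume.doc", OLE2_MAGIC + b"\x00" * 64)]:
        v = inspect_attachment(name, body)
        print(name, v.container, "quarantine" if v.quarantine else "release", v.reasons)
```

The point of the extension check is the one the article hints at: a file called resume.doc that is really a zip container is already lying about what it is, and a gateway can act on that before any engine has a signature for the payload.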

      1. New ‘Rombertik’ malware destroys master boot record if analysis function detected:

While detection scanning malware is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.

Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post.

This malware spreads through spam and phishing messages sent to possible victims.

      1. Analysis:

While the Rombertik malware has made a splash in the news this month, it is not necessarily novel in that it has an MBR (Master Boot Record) deletion routine within it. This type of attack has been around for nearly eighteen years; however, the triggering of this piece of the malware is interesting.

As counter-detection methods go, though, this is an extreme case and as such may not end up being all that common in the long run. However, the fact that this malware had it, and that it was a purchased piece of malware being used by an individual and not a nation state, is important to note.

(please see attribution article below for context of last statement)

Clearly the bar is being lowered on malware and phishing attacks, and organizations should be cognizant of this fact. It does not take a nation state with resources and human assets to carry out an attack on a company that could possibly shut it down, with malware such as this on the wrong computers.

      1. Malware hidden in technet:

In an ironic twist, Microsoft’s TechNet Web site has been used by Chinese hackers to hide malware commands. TechNet is a digital security and support site for IT professionals. Security firm FireEye Threat Intelligence discovered the activity working in collaboration with the Microsoft Threat Intelligence Center.

According to a report by FireEye titled “Hiding in Plain Site: FireEye and Microsoft Discover New Obfuscation Tactic,” the activity was the handiwork of Chinese hacker group APT17. The group, also known as Deputy Dog, has been actively attacking organizations including U.S. government entities, defense industry companies, law and IT firms, NGOs, and mining companies, since at least 2013.

      1. Analysis:

While this article shows that nation state hackers had been using Microsoft's own TechNet site as a means of command and control, it is important to understand that this can happen with any site. Small changes within code can be used to trigger malware to carry out actions, and they can also be the arbiter of a drive-by attack on users' systems.

Given that the bar to access is being lowered as code can be bought, and more savvy adversaries (both nation state and criminal) are getting in on the game, organizations should pay more attention to telemetry. As mentioned earlier in this document, the use of technologies to monitor traffic and its destinations should be a key part of any security program today.
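The APT17/TechNet story is a good illustration of why destination telemetry matters: a compromised host fetching its tasking from a legitimate site looks like ordinary browsing until you look at the rhythm of the connections. As an added example (not part of the original post, and not any product's logic), the script below runs a simple beacon heuristic over a constructed proxy log: for every client/destination pair with enough hits it measures how regular the gaps between connections are (coefficient of variation of the inter-arrival times) and reports pairs that look like a timer rather than a human, along with how many other hosts in the log ever talked to that destination. Hostnames use the .invalid TLD and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not real traffic): "<ISO timestamp> <client> <destination> <status>".
# 10.0.0.5 contacts beacon.example.invalid about once a minute; everything else is ordinary browsing.
SAMPLE_LOG = """\
2015-05-04T09:00:00 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:00:13 10.0.0.5 news.example.invalid 200
2015-05-04T09:01:01 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:01:59 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:02:10 10.0.0.7 news.example.invalid 200
2015-05-04T09:02:40 10.0.0.7 news.example.invalid 200
2015-05-04T09:03:00 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:03:45 10.0.0.5 news.example.invalid 200
2015-05-04T09:04:02 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:04:59 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:06:00 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:07:01 10.0.0.5 beacon.example.invalid 200
2015-05-04T09:09:15 10.0.0.7 news.example.invalid 200
2015-05-04T09:10:00 10.0.0.7 news.example.invalid 200
2015-05-04T09:17:02 10.0.0.5 news.example.invalid 200
2015-05-04T09:21:30 10.0.0.5 news.example.invalid 200
2015-05-04T09:30:44 10.0.0.7 news.example.invalid 200
2015-05-04T09:31:02 10.0.0.7 news.example.invalid 200
2015-05-04T09:32:00 10.0.0.7 mail.example.invalid 200
2015-05-04T09:40:00 10.0.0.7 mail.example.invalid 200
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps (epoch seconds) by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, _status = line.split()
        events[(client, dst)].append(datetime.fromisoformat(ts).timestamp())
    return events


def find_beacons(text: str, min_hits: int = 6, max_cv: float = 0.15) -> list:
    """Report client/destination pairs whose connection gaps are suspiciously regular.

    min_hits: ignore pairs with fewer connections (too little data to judge).
    max_cv:   coefficient of variation of the gaps at or below which we call it periodic.
    Both thresholds are assumptions; real deployments tune them against their own baseline.
    """
    events = parse_log(text)
    hosts_per_dst = defaultdict(set)
    for client, dst in events:
        hosts_per_dst[dst].add(client)

    findings = []
    for (client, dst), times in events.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "client": client,
                "dst": dst,
                "hits": len(times),
                "period_s": round(mean_gap, 1),
                "cv": round(cv, 3),
                "hosts_seen_at_dst": len(hosts_per_dst[dst]),   # 1 == only this host ever goes there
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The "hosts_seen_at_dst" field is the cheap version of the point the article makes: a destination that only one machine in the estate ever visits, on a timer, deserves a look even when the hostname is a site you would never block.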

  1. Advisories

      1. [SECURITY] [DSA 3250-1] wordpress security update:

Multiple security issues have been discovered in WordPress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.

      1. Analysis:

These attacks are key to many of the kinds of attacks mentioned throughout this report. It is important to keep up with the patching for any WordPress site in your DMZ, and these sites should be monitored for activities that may show indicators of compromise.

In the case of this advisory, the attacks could be the first step in an internal compromise of the back end as well, and as such could lead to a major breach.

      1. Apple Safari Multiple WebKit Bugs Let Remote Users Execute Arbitrary Code, Access Files, and Spoof Interface Elements :

Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof user interface elements.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in WebKit and execute arbitrary code on the target system [CVE-2015-1152, CVE-2015-1153, CVE-2015-1154]. The code will run with the privileges of the target user.


      1. Analysis:

While Mac and OSX have a history of seeming to be less prone to vulnerabilities, the reality is that OSX, like any popular system, will be attacked to gain access to people's systems. In the case of this vulnerability, the main browser (Safari) is the weak point and may lead to drive-by attacks on users' systems.

It is important that any org with a complement of Mac systems also be up to date on the patches and vulnerabilities for this platform, and not consider it more secure because of the perceptions Mac would like people to have about its products.

      1. Microsoft Silverlight Permission Error Lets Local and Remote Users Gain Elevated Privileges:

A local or remote user can obtain elevated privileges on the target system.

Silverlight does not properly allow applications intended to run at a low integrity level (e.g., very limited permissions) to be executed at a medium integrity level (e.g., permissions of the current user) or a higher integrity level.

A remote user can create a specially crafted Silverlight application that, when executed by the target user, will execute arbitrary code on the target system with the privileges of the target user instead of with limited privileges.

      1. Analysis:

While Silverlight is a defunct framework today, it is still used by many organizations. This vulnerability may be mitigated by end users not having elevated privileges on the system that is attacked. However, there are still places where people have administrative privileges on systems, and there this type of attack can cause root compromise of the system.

It is important to be aware of the use of Silverlight in your organization and to understand the vulnerability matrix, that is, where a compromise of this might lead within an org.

      1. Apache Cordova vulnerability leaves Android apps wide open to hackers:

Security Researchers at Trend Micro have discovered a “major” vulnerability in the Apache Cordova app framework that leaves one in 20 Android apps open to hackers.

Apache Cordova, which is used in 5.6 percent of Android applications, is a toolkit of APIs used by mobile app developers to access native device functions, including cameras and accelerometer, from JavaScript.

      1. Analysis:

While this 5.6 percent figure may seem small, this is an important vulnerability, as are many others, if you are using Android systems within your BYOD program. Without the right mitigations (sandbox/separate identities/systems) on a phone today you could potentially compromise a network as well as a smartphone.

Application hacks could lead to compromise of the OS itself as well as any applications you may have on the phone (i.e. TouchDown and others) that facilitate access to your internal network or mail systems.

      1. Logjam Vulnerability: 5 Key Issues:

While the “Logjam” vulnerability raises serious concerns, there’s no need to rush related patches into place, according to several information security experts.

These pros have been helping organizations understand how best to react to the announcement this week that a team of computer scientists have discovered a 20-year-old flaw in Transport Layer Security (see Massive ‘Logjam’ Flaw Discovered). And given the age of the flaw and absence – so far – of publicly documented exploits, experts say organizations do not need to rush related fixes into place.

      1. Analysis:

With the advent of vulnerabilities that seem to have their own marketing campaigns attached, it is as important as ever to understand the vulnerabilities as well as their risk. In the case of Logjam there was a lot of media attention on it, but the reality is that it is not the end of the world.

The vulnerability in the system is twenty years old, and the fact that it has not been seen in the wild previously suggests that it is not something that will show up in the wild soon. It is important to patch for it and to manage encryption methods, with or without this vulnerability, as a standard practice.

  1. Directed Threat Data & Metrics



Word doc for you to download and edit for your own use is here

Written by Krypt3ia

2015/06/01 at 19:02

Global Threat Intelligence Report April 2015



  1. Executive Summary

In the month of April the world saw much of the same tricks and hacks against companies, governments, and people, carried out by the usual suspects. Needless to say, the fact of the matter is that today if you are online you are likely to be phished, hacked, infected with malware, or socially engineered. There are ways to attempt to keep these things from happening to you, but in the aggregate you have to realize that everyone will get hacked and you will lose data. The difference, though, is that realizing it is one thing; acting against it is quite another.

The following threat intelligence report is to be used as a notional guide to show you what has happened within the last month in the way of new hacks and exploits, and to point to areas of the CIA triad where you can bolster your security awareness. By seeing what has been happening, perhaps you and your organization can seek remedies for the security vulnerabilities you have through the insights in this document.

  1. Global Threats

Social Media & Reputation Management In Danger from Easy Hacks

Lately there has been a spate of attacks on Twitter and other social media accounts that have raised the bar on schadenfreude for the month. Whether the issue stems from poor password systems security within the platforms like Twitter or just a persistent and creative group of adversaries, the outcome has been noticed.


The above link is only one in a multitude of attacks on Twitter and other social media accounts of late. The use of these types of attacks against companies is usually aimed at embarrassing the entity being attacked. A secondary outcome from these attacks usually stems from poor password strength and, most of all, password re-use on more sensitive systems.

A tertiary effect is reputational loss due to the hacks on these accounts. Often the accounts are then used to spread propaganda, or just to shame the company/entity with the fact that they got hacked very publicly, and in some cases they are used as a tool to spread hacked information from the company's own accounts. One should consider this whenever accounts like these are created and maintained. Ensure that the passwords are not re-used, that the systems that access the account are secure and not of a sensitive nature, and that you use good password hygiene at all times, including changing those passwords at regular intervals.

Passwords… Yeah, OPSEC Much?

It is bad enough when your TV station gets hacked and used as a platform for propaganda. It is quite another thing when the hack itself was caused by passwords being shared on your own TV station's broadcast. This is the case of the French TV station that got hacked by the Cyber Caliphate in April. This is what is called an OPSEC failure in the world of information security.


The hack of TV 5 Monde in April stemmed directly from a segment that aired containing sensitive passwords to systems at the station itself. The Cyber Caliphate, a group pseudo-aligned with Daesh (ISIL), must have seen the segment or heard online that the passwords were in the video. Once this happened they went to work on hacking the TV station altogether. It is not known to what level the hackers had gained access to the network before they were shut down, but it is assumed that they had gotten inside deep enough to cause havoc. The station shut itself down to remediate the issues, but not before the Caliphate made it known they had been hacked.

The fundamental issue here, though, is that no one, not the videographers, the technical staff there, nor the security people they may have at TV 5 Monde, stopped this from happening in the first place. It is a complete lack of security awareness about passwords and their placement on screens or other media in a segment or online that is stunning in this case. It is important to note this story and to take pains to ensure that you are not the next company to lose control of its networks due to simple security failures like simple passwords or their sharing in public media.

The Dangers of Insider Threats

The hack of the lottery by an insider is a classic signpost for anyone in information security. The aphorism in this business goes something like this: "The insider threat is the biggest threat," and this is absolutely true.


In the case of the great lottery job of 2015, the insider tried as best as he could to pull off the job of the century. This insider almost made it but lost in the end because of the logistics of claiming the prize. It seems that the insider could not get someone right away to claim the winnings and waited a year before trying to get the prize.

The object lesson here is that this attacker worked for more than a year on his plan and bided his time to collect the winnings. The insider subverted not only air-gapped computers, with a self-destructing rootkit, but also the camera systems that watched the room they reside in. This should be a lesson for everyone running a security program. Remember the mantra: "The insider threat is the biggest one." How does one stop insider threats? Well, that is the problem, isn't it? Consider looking into this issue at your company and assess what steps you can take to mitigate some of these attacks.

Average Time To Intervene In A Phishing Attack: One Minute Twenty Seconds:

Phishing… What can you say about phishing that hasn’t already been said? Well, I guess you could conduct a study and determine just how long you have as a security body to stop one from being successful. That seems to be a window of one minute and twenty seconds today.


Phishing, and more to the point spear phishing, are tactics that rely heavily on the end user and the psychology of the human animal. Given that you have a period of just over a minute to intervene between a user and a clickable link, loaded file, or other method of exploiting the end user system, one can see the immensity of the issue.

There are many means of attempting to stop these attacks from happening in the first place, such as email sandboxing and malware and semantic detection through systems like spam sifting. However, the human being at the beginning of the attack chain will always find a way to subvert those systems and get the lure to the end user. This is why it is exceedingly important to understand the human psyche and to use that to train users to understand what phishing and spear phishing are.

As the primary attack vector today in most compromises, it is the duty of all security organizations to attempt to educate their users in a fashion that will give them real knowledge and not just rote memorization. To understand the attacks and think like an attacker is probably the best way to deter attacks. As a security organization, please consider this story and work on education programs as well as check-up exercises such as self-phishing of end users to inculcate awareness. Technology alone cannot solve this problem and will only lead to the cycle continuing.

A Majority of Incidents Are Aided By The End Users:

As you just read above, it seems that the end user is the primary target today for attacks on organizations. Phishing emails, social engineering exploits, and poor user security hygiene more often than not lead to greater company compromise today.


In an era when the moat, castle, and portcullis (firewall) aren't the arbiters of stopping attacks, one must consider that Troy fell to the Greeks by the use of a Trojan Horse. It amazes me that even today people still fall prey to the notion that because they have some security technologies like a firewall they are good to go.

What this story should give you as a takeaway, in tandem with the previous story on phishing, is that the end user is the key to 95% of the security threats we face today. Yet many still believe that a technological solution alone is the way to go and that education for end users is pointless. The fact of the matter is that it is quite the opposite, and more orgs should come to understand the human animal's psychology in order to lead users to better security choices and educate them to make them.

If your org does not have a robust program of iterative security education for the end users, you are doing a disservice to the company and the end users. You will, in the end, lose your battle much quicker and have larger compromises if you are not carrying out continuing security education.

Default Passwords; A Security Threat

Insanity: doing the same thing over and over again and expecting different results.

~Albert Einstein

Default passwords on secure systems. This is an oxymoron, yet it happens all of the time in networks and organizations. How is it that systems are placed on networks or facing the internet with these defaults left in their original states?


Once again the human psyche seems to be at work in our security failures and foibles. All too often default passwords or default configurations are the cause of compromise for organizations that lead to great loss of data and reputation. Are these things just oversights by overtaxed network admins? Or is there just a lack of comprehension on the part of the workers and management within the security milieu?

As a security organization you should by default (ha ha) be seeking out these defaults with network vulnerability tools and testing, to deny their use by others to access your networks. This is the lowest of low-hanging fruit, and yet it keeps happening.

RyanAir Hacked and Five Million Dollars Stolen Electronically:

Attacks on banking systems as well as other payment-type systems are becoming more prevalent as well as more creative. In the case of the Ryan Air compromise, the attackers knew their target and its ways very well indeed to carry out this hack and the transfer of 5 million dollars.


This case is specifically of interest because of the way the adversary used the daily operations of the company to transfer large sums of cash without raising a red flag internally. Like many companies, Ryan Air had a set of accounts and practices that could be leveraged by an astute attacker to make off with funds without raising an eyebrow. In this case it was the accounts that are used to pay for re-fueling the planes.

Since the cost of fuel fluctuates, these were the perfect accounts because they often carried high-value transactions with some regularity. In many companies you will also find such accounts and practices that could be leveraged by attackers to make off with money transfers that would not be noticed. As an organization you should consider looking at these high-value accounts and consider means to track them more assiduously to detect, and perhaps deter, such attacks.
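As an added example of what "tracking these accounts more assiduously" can look like in practice (this is illustrative code written for this page, not anything Ryanair or its bank runs, and the payment history is constructed), the script below applies three release checks to a proposed transfer from a recurring-payment account: the payee must have a history, the beneficiary account on the instruction must be one previously used for that payee, and the amount must sit inside both a statistical band around that payee's past payments and an absolute per-transaction ceiling. A large payment on the "normal" fuel account with a changed beneficiary is exactly the shape the story describes, and it trips two of the three checks here.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    date: str       # ISO date of the transfer
    payee: str      # supplier name as it appears in the ledger
    account: str    # beneficiary account identifier on the transfer instruction
    amount: float   # transfer amount in the ledger currency


# Constructed payment history (not real data): one fuel supplier, paid weekly, one known account.
HISTORY = [
    Payment("2015-01-05", "FuelCo", "ACCT-001", 182000.0),
    Payment("2015-01-12", "FuelCo", "ACCT-001", 195000.0),
    Payment("2015-01-19", "FuelCo", "ACCT-001", 210000.0),
    Payment("2015-01-26", "FuelCo", "ACCT-001", 188000.0),
    Payment("2015-02-02", "FuelCo", "ACCT-001", 205000.0),
    Payment("2015-02-09", "FuelCo", "ACCT-001", 199000.0),
    Payment("2015-02-16", "FuelCo", "ACCT-001", 215000.0),
    Payment("2015-02-23", "FuelCo", "ACCT-001", 191000.0),
    Payment("2015-03-02", "FuelCo", "ACCT-001", 203000.0),
    Payment("2015-03-09", "FuelCo", "ACCT-001", 197000.0),
]


def review_payment(history, candidate, sigma: float = 3.0, ceiling: float = 1_000_000.0) -> list:
    """Return the reasons a proposed transfer needs human review; an empty list means release.

    sigma and ceiling are assumptions for this example; a treasury team would set them
    per account from its own payment profile.
    """
    reasons = []
    prior = [p for p in history if p.payee == candidate.payee]
    if not prior:
        return ["first payment to this payee: requires out-of-band confirmation"]

    # 1. Beneficiary account must be one we have actually paid this supplier through before.
    known_accounts = {p.account for p in prior}
    if candidate.account not in known_accounts:
        reasons.append(f"beneficiary account {candidate.account} never used before for {candidate.payee}")

    # 2. Amount must fall inside the supplier's historical band (mean + sigma * stdev).
    amounts = [p.amount for p in prior]
    if len(amounts) >= 3:
        limit = statistics.fmean(amounts) + sigma * statistics.stdev(amounts)
        if candidate.amount > limit:
            reasons.append(f"amount {candidate.amount:,.0f} exceeds {sigma:g}-sigma band ({limit:,.0f})")

    # 3. Absolute ceiling, so a single instruction can never move more than policy allows.
    if candidate.amount > ceiling:
        reasons.append(f"amount {candidate.amount:,.0f} exceeds per-transaction ceiling ({ceiling:,.0f})")
    return reasons


if __name__ == "__main__":
    for p in [Payment("2015-03-16", "FuelCo", "ACCT-001", 208000.0),
              Payment("2015-03-16", "FuelCo", "ACCT-777", 4900000.0)]:
        print(p.account, p.amount, review_payment(HISTORY, p) or ["release"])
```

The statistical band is the piece most teams lack: a fixed ceiling high enough to let normal fuel bills through is also high enough to let a few hundred thousand walk, whereas a band derived from the account's own history flags a payment that merely looks large for that supplier.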

What’s Your Security Maturity Level?

Brian Krebs brings up a very important question when considering your security posture at a corporate level. In this piece he raises the question through a poll that was taken and data that shows how orgs tend to fail as security bodies. The maturity level of the company directly correlates to the level of threat that company faces from adversaries leveraging the lack of maturity to effect their goals.


One of the primary tenets of INFOSEC is that unless the security organization has buy-in from the top and a clear channel to communicate, it will fail in its job. This is much of the point of the article and the data that Mr. Krebs is pointing out. Every organization should consider the data within this article, question what its organizational structure is, and seek to better it if it is not already functioning at a high level.

How does your org function? Can you get buy in from the CEO down? If not, you are not likely to be successful.

  1. Malware & Crimeware

False Positives Sink Antivirus Ratings

Antivirus is problematic to start with. All too often it is seen as a panacea by the executives, but the reality is that it is quite an imperfect system and must be used in tandem with a layered approach to mitigating attacks. With the prevalence of false positives we can see how just this one factor can lead to ratings hits as well as a sense of crying wolf.


The fact that AV has so many false positives, as well as issues around patterns either not being up to date or missing, often makes the system a flawed one at best. Orgs should not be looking at detection ratings as much as the overall issues surrounding the efficacy of the products themselves, as well as their balanced use in a layered approach.

Overall, orgs should look at their AV choices and implementations to determine where gaps exist in the efficacy of the programs, technically and logically. Those gaps should then be closed with other means, logical or technical, to stop-gap areas of concern. A single AV solution in an environment is futile as a means of protecting your organization today.

New Malware Spreads Through Advertising Channels:

Malware campaigns spread via advertising channels are a stroke of genius for the adversaries. The prevalence of advertisements on sites and the ability to spread malware through them enable the attacks to progress geometrically.


An uptick in this activity has been seen in many channels and should be considered a clear and present danger. Once the malware channels have been created by taking over linkages to advertisements in sites and feeds, the drive-by potential is increased geometrically. Depending on the malware variants and the adversaries, we could see quite an uptick in directed attacks.

A curated malware campaign by these attackers could conceivably be used to go after particular targets through the types of ads being used as the transmission point. Say that an adversary went after luxury item ads and injected malware aimed at the audience that views them: the return on investment could be huge. As well, given the prevalence of ads on sites today in every corner of the page, one imagines that this vector will become the go-to method in the near future.

Banking Malware Now Using More Exotic Evasion Tactics:

The crimeware creators are taking cues from the advanced persistent threat crowd and building in features that will allow for not only greater compromise but longer periods of entrenchment in the victim networks. These factors will make crimeware the new APT, and make the APT seem like old hat.


As time has passed we have seen the crimeware creators become more adept at integrating the tools and techniques of the advanced persistent threat set. In the case of this report we can see directly how the criminals have taken up the mantle of APT by using advanced techniques to keep persistence on the networks they are attacking.

As the technology gets more complex, so too must the ability to detect and deter the attacks. In recent samples, even pedestrian malware delivered via lower-end phishing exploits has turned out to be network aware as well as sandbox aware. These escalations in technique will require organizations to catch up and to have operations that can detect, reverse, and report on these attacks as their frequency and technological complexity rise. Orgs should invest in people and technologies to deal with these threats appropriately.


  1. Vulnerabilities

CISCO ASA Bug Allows Arbitrary Commands and DoS

Several vulnerabilities were reported in Cisco ASA. A remote user can cause denial of service conditions on the target system. A remote user can execute arbitrary commands on the target system.


A remote user on the local network can send specially crafted UDP packets to the target failover device via the failover interface to trigger a flaw in the failover IPSec feature and execute arbitrary configuration commands on the target device [CVE-2015-0675]. This can be exploited to take full control of the active and standby failover units.

This is another good example of a core system being attacked with code that could allow for greater compromise of a network. Please ensure that your org is looking at these types of core systems and their feeds for vulnerabilities and patches that should be applied or investigated.

Windows HTTP Protocol Stack ('HTTP.sys') Parsing Error Allows Arbitrary Code

A vulnerability was reported in Windows ‘HTTP.sys’. A remote user can execute arbitrary code on the target system.


A remote user can send a specially crafted HTTP request to trigger a parsing flaw in the HTTP protocol stack (HTTP.sys) and execute arbitrary code on the target system. The code will run with System privileges.

This is another flaw that exists in common core features of the internet. As has been mentioned before, it seems that the attackers are now going after core systems and protocols for larger effect today. Such vulnerabilities should be considered a clear and present danger and be patched as soon as practicable.

Microsoft Security Bulletin April 2015

In April's Patch Tuesday there were 27 vulnerabilities patched that ranged from critical to informational.


As with all systems, Microsoft produces patches from alerts and events concerning vulnerabilities in its operating systems. It is important that all orgs focus time on a monthly basis on following up on the Microsoft security patches that are put out each second Tuesday of the month.

Microsoft, being what it is, is a bit of a monoculture in many networks, and as such a compromise of one system will likely mean the compromise of the greater network because of trusts within the domain as well as weaknesses in the operating systems.

Please ensure that your organization's security group is involved in the patch cycle by taking part in the decision making on patching vulnerabilities according to their criticality to your own environment.

Word Document to download and edit for your org HERE

Written by Krypt3ia

2015/05/04 at 21:58

Global Threat Intelligence Report March 2015



GLOBAL Threat Intelligence Report – March 2015

  1. Executive Summary

In the month of March there were several high level vulnerabilities exposed ranging from programmatic issues to compromise of user security by supply chain tampering by a maker of laptops and desktops. All of these instances show just how much the landscape changes per month in the security of our systems and networks.

This report has been generated to give the end user an idea of what is happening in the security space, as well as insights into little-thought-of security issues that could lead to compromise of your network. From the macro to the micro-verse, security issues can have great effect on corporations large and small. From the effects of the Target hack response, ten million dollars in reparations to their clients, to the FREAK vulnerability and the attacks on the core protocols on which the internet is based and secured, these reports give you an idea of where to look and what to look for.

  1. Global Threats

Fully Patched Versions of Firefox, Chrome, and IE 11, & Safari hacked in PWN2OWN contest


Think that patching your browser on a regular basis is the only answer to your security problems? Then guess again. At the last Pwn2Own contest all of the major browsers fell to attacks even though they were fully patched.

What this shows is that even when a system has been curated well and security patches applied, there can always be flaws in the code that lead to compromise. This is an important fact to remember and plan for in any environment dealing with on-line activities.

However, mitigations can be taken to help stem these types of attacks. Consider deploying systems like EMET 5 or another HIDS client that can monitor the volatile memory space as well as changes to the operating system that might trigger when a browser is exploited. It is also a given that your company should have IDS/IPS/SIEM capabilities to detect traffic that may be going to C&Cs from compromised systems and browsers.

The Largest Email Hack in History

The US Department of Justice announced today that it has charged three men for participating in what officials are calling “one of the largest reported data breaches in US history” and “the largest data breach of names and email addresses in the history of the Internet.”

According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses. Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients. The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011. ~USDOJ


The hacking of eight major email providers in this case shows just how important common information like our email addresses and content is to criminals. That this is the biggest and seemingly longest-running of these scams also shows how long something like this can go on and how it has, in a way, been corporatized.

The criminals created an enterprise in which they used their ill-gotten data to send spam and generate revenue from it. Spam for profit is common today, but it is not usually predicated on the hacking of major email providers and the theft of inside information.

The FREAK Vulnerability and SSL

Just when you thought it was safe to use your computer again after last year’s Heartbleed, Shellshock and other computer bugs that threatened your security and just as I predicted in my column of Dec. 20, 2014, researchers have discovered yet another security flaw that threatens millions of Internet users.


The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses, expect to see more attacks on this fundamental protocol, which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once it has been broken by forcing a session to be insecure, an attacker can steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Target Offers 10 Million Dollars in Breach Payments

Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach.

Court documents show hacking victims could get as much as $10,000 apiece.


The Target hack was one of the first in recent times to make a lasting impression on the world. This attack showed not only how the adversaries used advanced and persistent means to gain and keep access to Target’s networks, but also how a company can be financially and reputationally compromised.

That Target is now offering money, rather than just credit monitoring, shows just how much these attacks affect a company’s bottom line as well as its reputation. This round of settlements, though, has been called low and not enough by many in the industry and in the public.

The upshot here is that the company has had to respond in this manner because of its own culpability: its security measures were not up to speed to catch the warning signs that were going off like klaxons in the night. It is important for all organizations to perform due diligence in this day and age of advanced adversaries, who need not be nation-state sponsored.

One in Three Websites at Risk on the Net

Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.

Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of “risky,” meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.


There are a couple of factors that could explain this assessment. The first is that the vulnerabilities are simply so many that they are hard to keep up with in an enterprise environment. The second is that companies either are not performing their scans as regularly as they should, or have decided that the vulnerabilities are acceptable and have written them off as accepted risk.

I am unsure of the reality here regarding these potential risks to all these sites on-line. Risk acceptance and determination of the level of risk are hard to scope out, as each environment is (one hopes) making that calculation for itself, so there are variations in levels of care. However, this article and the statistics therein show that, as a whole, we can understand how easily the adversaries can exploit systems reached on-line and why we keep seeing stories about large-scale hacks on organizations.

ISIS Hit List and Information Warfare

At least three times in the last five months, U.S. military members have been urged to limit their social media activity in response to worries that ISIS-linked terrorists could track them down, in the U.S. or abroad.

The latest warning came this week, when a group calling itself the Islamic State Hacking Division posted personal information of about 100 service members, which defense officials said had been collected from social media sites.


While this story is about the war on terror and the on-line antics of a small cadre of Da’esh followers, it is also a cautionary tale. The information that was leaked on-line was not in fact hacked, but was all available through Google searches. This is an important fact in the story to clarify, but it also sets the stage for the second important insight: how much of our personal data is on-line.

A simple Google ‘Dork’ can deliver a huge amount of OSINT on a target today, and the use of that data to re-post it on a page like Pastebin and call for assassinations shows the power of the net. Basically, this is a story of asymmetric warfare and how easily it can be carried out online. Now imagine that it is not a terrorist organization doing this but a disgruntled employee or client of a company.

Every individual should consider how much data they put online and where they are putting it. From cyber bullying to outright death threats, we make it easy to ‘dox’ ourselves with our Tweets, Facebook postings, and emails.


On March 26, 2015, a very well-coordinated distributed denial of service (DDoS) attack was waged on GitHub, the heir apparent to the now-closing Google Code. GitHub characterized this as the largest DDoS in its history.

The Electronic Frontier Foundation (EEF) and security researchers Netresec name the Chinese government as the culprits of the attack, which lasted until March 31, 2015. Here’s an overview of why the cloud-based git repository host was targeted.


China and India have both recently blocked GitHub over content that they evidently found threatening. In the case of China, it seems that GitHub may have just become another piece of fodder for the internet wars. The reality, though, is that no matter the political aegis, GitHub was taken down with a DDoS that rode on unencrypted sessions to Baidu.

The bigger story here is that DDoS is incredibly hard to mitigate and everyone is vulnerable to it. Whether as a means of political protest or just an attack to force a company into some kind of compliance, DDoS is not going anywhere. This is because our systems are inherently vulnerable to these attacks, and until the code is adjusted to disallow them, they will happen regularly.

For more on DDoS go here

Your Private Data Available Through Anonymous Shares On-line

Our lives are digital now.

Everything we do on-line leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we’re our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.

Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that’s not entirely true.

In fact, depending on how you’ve configured the device, your backups are freely available on-line to anyone who knows what they’re looking for.


Google ‘Dorking’, as mentioned above in the Da’esh story, is an easy way not only to gather data on users but also to gain access to their data and systems. In the case of the story at CSO, it was easy to Google with certain terms and strings to locate users’ systems that were insecure and on-line. Many of these systems were in fact routers that had been turned on with default settings or had been misconfigured.

This is an object lesson for everyone, and you should consider it not only as a personal security issue but also a corporate one. Imagine that you have an IT person who is bringing work home or, worse still, has configured a router or a NAS device to share in this way to the Internet. This is a scenario that has actually been discovered, and it exposed a company’s whole infrastructure to compromise.

Many of the cases involve only personal information. However, there have been cases like the one cited above, as well as cleared individuals sharing out FOUO/NOFORN/CONFIDENTIAL information, so this is certainly not only a personal issue. Please consider talking to your employees about these types of data breaches at home, which could lead to breaches at your company as well.

  2. Malware & Crimeware

Superfish! Lenovo Pre-Installed Malware

Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.

This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.

Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.


These threat intelligence reports have covered the idea of ‘Supply Chain Tampering’ in the past, but this one should set bells off for anyone buying a computer from any vendor. According to Lenovo, the adware and its trusted CA were nothing to worry about. However, it was proven that this adware/malware could be used by others to compromise the systems entirely.

Though Lenovo considered this form of advertising, inside access and routing legal and acceptable, it is in fact not. Just as Sony was called out for adding a RAT (remote access tool) to their DVDs in the past, this is wholly inappropriate and in fact degrades the security of whole organizations as well as individuals who may purchase their hardware.

Now that this is out in the open, if you have these systems within your network you should remove the adware/trojan, and inform any home users in your work-at-home or bring-your-own-computer offering to remove it as well. If left as is today, after all the reporting on it, there could be compromise because exploit code is already in the wild.

To remove SuperFish go here

Kilim Facebook Worm Hooks with Sexy Pics

Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.

The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.

If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two links – first to an Amazon Web Services page and then a malicious site, which apparently checks their computer.


One of the more common techniques in malware delivery and phishing attacks is the promise of sexual content. That it is being leveraged on Facebook only makes it more effective, because of Facebook’s prevalence on the net. Additionally, the use of obfuscated shortened links like and is common as well and should be filtered, if possible, in your environment to disallow these attacks.

As an organization, you should have some form of web filtering in place, but these often let such content through. Please keep up with the filtering and leverage systems like BlueCoat and Websense as a front-line tool against these types of attacks.

The Hanjuan Exploit Kit and Malvertising

Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.

Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told that the issue has been resolved.


Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

Another name for this type of attack could be ‘drive-by’, but the point here is that nothing is safe. Ads on sites can in fact be the infection points for the systems viewing the page, and this is a risk to all environments.

Whether it be an iframe attack or a click-through to a malicious domain, these types of attacks are myriad on-line and should be a concern for all corporate security departments. What can be done, though? It is hard to keep up with, and hard to prevent users from clicking or just visiting legitimate sites that may be temporarily compromised.

The best thing you can do is have measures in place (Websense/BlueCoat/Barracuda etc.) to monitor your users’ online traffic and get alerts on sites that may be compromised. It is then your job to locate the users who may have visited these sites and scan their systems for compromise. Having a program (RSS feeds etc.) to keep up with these types of attacks will also help your security team detect and deter them.

Android Malware Risk to Almost 50 percent of all Devices

Millions of Android devices have been found vulnerable to cyber attack following a security flaw allowing malware to replace legitimate apps, hacker Zhi Xu has found.

Almost half of Android phones may be affected, with the flaw allowing dangerous malicious apps to be downloaded without the user’s knowledge, collecting personal data from the infected device.


As mobile computing becomes more prevalent and operating systems like Android take more market share, you and your employees are at greater risk of compromise. In the case of this malicious application installation, it has been shown that nearly fifty percent of all phones are vulnerable.

With the advent of ‘Bring your own device’ and just general use of these phones, tablets, and devices, the risk of compromise has increased geometrically. It is important that your security programs include keeping up on vulnerabilities in these devices, as well as being aware of the intricacies involved in private individuals’ devices, their use, and where the security rubber meets the privacy road.

A compromise of a device puts at risk not only the end user’s data but also the corporation’s data and its network infrastructure.


New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.

The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that’s capable of carrying out a wide range of destructive actions on an infected machine.

It’s spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it’s being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.


Multiple-vector infection malware is more common today. Once the code has been allowed on the system it will infect many .dll files or other files common to the operating system as a means to stay entrenched. This is called ‘persistence’ and is the status quo. It is also important to note that these types of malware then call out to command and control systems to fetch more malware for that same persistence, should the primary infection be detected and removed.

In the case of this particular malware, it is important to understand the multiplicity of infections, the many channels it then creates to exfiltrate your data out of your domain, and the speed at which this can happen. What this means is that by the time an infection is detected, it has already had ample time to export your data to the adversaries.

Please note that this is not part of some exotic malware campaign by a nation-state actor; this is in fact crimeware!

Bitcoin blockchain exploitation could allow for malware spreading

Bitcoin’s blockchain can do more than store transactions, according to new research from Kaspersky that demonstrates the way in which the cryptocurrency’s ledger can be used to store malware control mechanisms or provide access to illicit content.


As with anything on the Internet and in computing, the technology can be turned against you. In this case the blockchain, the ledger Bitcoin (a crypto currency) uses to track balances and transactions, can be used to infect systems. This likely will not be a big deal for many companies yet, because Bitcoin is still not widely used by corporations.

However, it is important to note that any users of the currency might fall prey to these attacks, and those persons may work for you and use systems that connect not only to their daily lives but also to your network.

  3. Vulnerabilities


Description: A vulnerability was reported in some dynamic random-access memory (DRAM) devices. A local user can obtain elevated privileges on the target system.

A local user can run a program that repeatedly accesses a row of memory to cause bits in adjacent rows to flip. This can be exploited to execute arbitrary code on the target system with kernel-level privileges.


This is a local exploit that can cause bits to flip in certain brands of DDR3 RAM. This would then result in compromising kernel-level processes on the attacked system.

Technical Report:

We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.

This is a problem for various brands of laptops and desktops that use the specific RAM mentioned in the article. Please consider looking at the systems in your environment and what RAM they use, to ensure that you are not at higher risk through hardware mono-cultures.


FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.


As stated above in this report, the FREAK vulnerability is just one of a few that have come out over the last year. This section relies more on the technical aspects of the vulnerability, but the statement above must be repeated:

The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses, expect to see more attacks on this fundamental protocol, which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once it has been broken by forcing a session to be insecure, an attacker can steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Please click the links above to the CVE and the technical specs for this vulnerability and remediate in your networks.

Security Advisory Feeds

Newsnow offers an aggregation of security advisories that is very helpful if you do not already have an RSS feed aggregated.


The importance of advisories and news sources to a security program cannot be overstressed. If you do not already aggregate security RSS feeds you should start to look toward doing so.

Websense XSS Vuln

Users of Websense Data Security that are reviewing DLP incidents can be attacked via cross site scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens, login credentials, performing arbitrary actions as victims, or logging victims’ keystrokes.


Websense is a very common web filtering and DLP solution for mid-sized companies. This vulnerability could lead to compromise of your internal networks as well as all the data within the DLP/Websense system. If you are running Websense with a DLP (Data Loss Prevention) module, please go to the following link and update your console:

This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:

  4. Directed Threats Data

<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.

Written by Krypt3ia

2015/04/07 at 15:27

Global Threat Intelligence Report: FEBRUARY 2015



Global Threat Intelligence Report

February 2015


  1. Executive Summary

In the month of February an astonishing array of news came out concerning information security and vulnerabilities. One such piece of news concerned supply chain tampering by Lenovo with “Superfish”, adware that compromised the SSL sessions of every user’s machine purchased from the company. In other areas we discovered that our personal routers were being attacked by phishing emails containing the default passwords for the routers, which people commonly forget to change. It would seem that nothing is safe, either because people leave the defaults as the way they operate, or because companies are in fact weakening security on their products to make more money through tracking users and selling data to advertisers.

This report will cover the news highlights and give you a more nuanced portrait of their importance globally to you personally as well as at a corporate level for information security. Use this report as a primer to understanding the security picture as it is today and to help in confronting the security issues within your organization.

  2. Global Threats

    1. Attackers have cloned malware-laden copies of the most popular apps your employees use


Think your BYOD program is secure? Perhaps you might want to think again as you consider this article. Applications for iOS and Android have been cloned, with malware inserted into them, for download by unsuspecting users. All the attackers need to do is trick the end users into installing the new application with malware in it by sending them an email with a link to their fake site.

As more and more corporations move toward the singularity and use BYOD as their primary way of conducting business (phones, tablets, and phablets), these concerns become more pressing. Given that BYOD now allows personal devices to access corporate networks and assets, if the user infects their device with malware that steals data such as keystrokes, then your corporate network is at risk of compromise.

If you have a BYOD program and do not have a robust way to manage what the users can download and install, then you are more likely to have a compromise of your domain. If, however, you have BYOD mandates and policies that require phones with separate profiles, you might be on a better footing, in that the end user’s corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread and must be considered today, as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.

    2. What is Freak and who is at risk?


Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and only now is being talked about as something adversaries may be using. As with others, this attack uses the fact that many systems still allow backward compatibility to reduce the encryption to a level that can be cracked by an attacker.

While this attack is being patched, it is important to note that since Shellshock and POODLE adversaries have been working on variations on a theme, attempting to find old or unthought-of exploits to leverage in attacks today. It is important to keep up on these various vulnerabilities as they are reported, so as to respond to them as soon as possible once they have been announced.

It is recommended that all SSL systems be set to disallow backward compatibility if there is a newer version that is more secure. If you are forced to use backward compatibility, though, you should ensure that a risk assessment is carried out and the risk signed off on at a corporate level, to cover your risk should an incident occur from one of these known exploits.
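The backward compatibility this item and the FREAK entry in the March report’s Vulnerabilities section warn about comes down to export-grade cipher suites still being negotiable. As an added example (not code from this report or from the articles it cites), the Python below parses TLS ServerHello and ClientHello records and flags any export-grade suite a server chose or a client still offers; the suite IDs are taken from the TLS cipher-suite registry, and the handshake bytes it checks are constructed samples, not captures from a real host.

```python
"""
Audit TLS handshake messages for export-grade (FREAK-relevant) cipher suites.
Added example for this report; the handshake bytes are constructed, not captured.
"""
import struct

# Export-grade suite IDs from the TLS cipher-suite registry.  A server that
# negotiates one of these, or a client that still offers them, is the
# backward-compatibility weakness FREAK (CVE-2015-0204) relies on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def _unwrap_handshake(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != expected_type:
        raise ValueError("unexpected handshake type 0x%02x" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    return body[4:4 + hs_len]


def negotiated_suite(record):
    """Return (suite_id, export_name_or_None) for the suite a ServerHello chose."""
    body = _unwrap_handshake(record, SERVER_HELLO)
    sid_len = body[34]               # version(2) + random(32) precede session id
    pos = 35 + sid_len
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return suite, EXPORT_SUITES.get(suite)


def offered_export_suites(record):
    """Return the names of export-grade suites a ClientHello still advertises."""
    body = _unwrap_handshake(record, CLIENT_HELLO)
    sid_len = body[34]
    pos = 35 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    offered = [struct.unpack("!H", body[i:i + 2])[0]
               for i in range(pos, pos + suites_len, 2)]
    return [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]


def _record(hs_type, hs_body):
    """Wrap a handshake body in handshake and record headers (TLS 1.0)."""
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite):
    """Constructed ServerHello (TLS 1.0, zero random, empty session id)."""
    body = (b"\x03\x01" + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", suite) + b"\x00")   # compression: null
    return _record(SERVER_HELLO, body)


def build_client_hello(suites):
    """Constructed ClientHello offering `suites`, no extensions."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                          # compression: null only
    return _record(CLIENT_HELLO, body)


if __name__ == "__main__":
    # A server settling on 512-bit export RSA is the downgrade FREAK forces;
    # the client-side fix is to never offer those suites in the first place.
    suite, name = negotiated_suite(build_server_hello(0x0003))
    print("server chose 0x%04x -> %s" % (suite, name or "not export-grade"))
    print("client still offers:", offered_export_suites(
        build_client_hello([0xC02F, 0x002F, 0x0003, 0x0008])))
```

Run against records pulled from a packet capture of your own clients and servers, a non-empty result from either function is a host that still needs the backward-compatibility setting turned off.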

    3. D-Link Routers Face Multiple Vulnerabilities


Common technologies abound today, and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands in use today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows a remote attacker to gain “root” or administrative access to the routers.

So how could these COTS routers be a threat to your corporate network? Consider a home user who VPNs into your network through one of these vulnerable routers. If their router is compromised, then potentially so is all the traffic and every system they own at home. If that home user’s system is online but not on the VPN, it could be scanned and compromised remotely. Once the endpoint has been compromised, so is your network, VPN or not, so this is a real threat to your corporate environment as well.

Additionally, should your environment have any of these devices connected to your networks, then you too may be vulnerable directly through attacks on those routers. Consider too any company that you may be connected to (via VPN, for instance) that may be a mom-and-pop shop using one of these routers. An enterprising adversary could leverage this to gain access to your network as well.

It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.

    4. Seagate Business NAS Firmware Vulnerabilities Disclosed


NAS (Network Accessible Storage) is common not only in corporate networks but also in home networks. As such, these devices need to be securely configured and access restricted to internal networks only, unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many others out there, and Seagate has yet to update their firmware months after the fact. This leaves all of these devices unprotected on networks and, in some unfortunate cases, on the internet.

Think that your corporate network doesn’t have a problem because the NAS is behind the firewall? That is not truly the case either: you could have an internal compromise, and if these devices are behind the firewall yet still vulnerable to these types of attacks, you could lose in the end. It is recommended that you determine whether you have these in your environment and patch as soon as possible.

Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these, puts it on their home network and accidentally shares it with the world. Think that is not probable? Then go to Shodan and look for these devices, or better yet use Google to search for them. They are out there and they are open.

    5. Microsoft Patches 41 Internet Explorer Vulnerabilities


Patch Tuesday in February was huge, with a total of 56 vulnerabilities fixed in Microsoft products. A majority of the patches were for Internet Explorer, a core piece of the Windows system and the one most attacked by adversaries seeking to exploit users’ systems.

This particular patch cycle was of note because the previous cycle had not patched IE, and this one seems to have been an aggregate of earlier patches that were held back. Given how high the number of patches is for one piece of the Microsoft system, it can be inferred just how much attention is paid to attacks on the IE browser.

It is recommended that every enterprise undertake a strong, process-driven function around patching in its environment. Specifically, enterprises should take care to patch high-value target systems at the least and all systems at the most. Given that there are mitigating factors that may leave an organization no choice but to leave a system unpatched because patching would break business, those systems should be signed off on for risk and, as a compensating measure, watched more closely to ensure that they are not compromised.

    6. Spam Uses Default Passwords to Hack Routers


Earlier this report covered default passwords on home routers. It seems that this issue has risen again, as malware/malcode disguised in spam has been seen in the wild with the ability to log into routers with insecure default passwords. This type of attack is not new, but it is once again being leveraged by particular actors in the wild today.

This in and of itself should be a wake-up call for any users who have not changed the default passwords and logins on their COTS routers. As also mentioned earlier in this report, this is something that all enterprises should be concerned about with regard to users who work from home and have access to your internal networks.

It is recommended that all organizations look at these vulnerabilities as affecting not only home users but also the networks those users interface with every day for work. As such, it is in every company’s interest to follow these things and to educate its users not only about corporate networks and assets but also about the BYOD devices and networks that interconnect with them.

FBI: Businesses Lost $215M to Email Scams


Increasingly, carders and other adversaries are attacking corporations by targeting end users with malware delivered through phishing campaigns. Many of these attacks are aimed directly at gaining access to credit card data, bank account data, and PII that would allow the attackers to create new identities and open credit lines.

The adversaries, however, are getting cleverer and more targeted, and, armed with knowledge of the organization, they are attacking from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines, which are then used to trick employees into making funds transfers from company accounts.

It is recommended that organizations keep awareness at a high level not only for regular employees but also, specifically, for executives. Executives are the prime targets for much of the malware and phishing in these types of attacks, and all too often the executives and their minions are less aware than they should be about phishing and how to spot it.

Additionally, it is good policy to have some means of empowering employees to question such transactions if they feel that something is amiss. Oftentimes the adversaries are counting on the social and psychological norms of the corporate pecking order to get an employee to simply react and carry out transactions like these.

Phishers Pounce on Anthem Breach


As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow-on attacks piggybacking on news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made it into the news, sent from newly registered domains set up by an entirely different set of adversaries.

The Anthem breach for all intents and purposes, seems to have been Nation State actors and as such the data that they stole will not, and has not yet been seen to be for sale on the darknet or other places where this data is sold. This means that the criminals who do carry out this type of attack for money are seeking to capitalize on the backs of the APT by phishing already worried clients of Anthem.

It is recommended that organizations keep up with this type of activity as well as the breach itself. Targeted phishing emails are not just going to end users home addresses. These phishing emails and new waves of malware have been seen in corporate email systems as well. Awareness is key and as such talking directly to employees about these types of attacks will not only benefit them but hopefully stop incursions into your network as well.

Anthem Breach May Have Started in April 2014


The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach and the attacks that were carried out to steal the information and keep access to the networks at Anthem should be studied by anyone who has a network and data they want to protect. In the case of Anthem though, it is becoming clearer that not only was it nation state actors but also that they had access to Anthem’s networks for a considerable amount of time before discovery.

As information becomes more available the likelihood will be that the initial incursion came from a phishing campaign using crafted domains ( etc) to get users to click on links and install malware on their machines. This is a common tactic and something that every organization has problems with as users are being manipulated by actors who understand human nature.

Watch the Anthem story and consider how your networks could or could not use telemetry to detect undue traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, it was a sysadmin who first noticed that their account was being used on a system they had never logged into, and that started the incident response there. Every org is vulnerable to these tactics, and it is in the interest of every company to learn from others' mistakes as well as from the modus operandi of the actors involved.

Supply Chain Tampering

Lenovo Superfish Adware Leaves Computers Insecure Out of the Box


Superfish, a simple piece of adware that was installed on every system Lenovo sold in the last couple of years, has upended the public's trust in their products. This particular malware was designed to perform a man-in-the-middle attack against SSL traffic and route the user to specific ads, which would then pay Lenovo on the back end. This backfired on them once the malware was discovered.

While Lenovo claimed that the adware was harmless it was shown that in fact this piece of software could be easily subverted to break into machines by setting up man in the middle exploits and getting users to log into things with their credentials as well as downloading malware. This is unacceptable and an object lesson in supply chain trust.

If one cannot trust the supply chain (e.g. laptops from Lenovo without malware pre-loaded) how can one trust that the systems they are buying for their companies are secure? This issue should be something that all companies consider when not only purchasing new equipment but also those systems or appliances they may buy grey market online. Can you trust the systems have not been tampered with?

Advanced Persistent Threats

Threat Intelligence: The How Instead of the Who


Today the selling of “Threat Intelligence” is all the rage, but really how useful is much of what is being sold today? So far the focus of many seems to be on “who” carried out the attacks but not so much on the how. While the who can be important in many ways, it is the least of your worries when dealing with an incident and this needs to be a key focus for companies.

By engaging companies that sell threat intelligence a company can in fact gain a better foothold on protecting their networks and data. However, all too many companies are not prepared to really use the data that these threat intelligence firms provide because they do not have enough insight into their own networks to start. As such it is key to know your own capabilities and work with threat intelligence firms to set up feeds and methods that will help your company detect and deter as well as proactively mitigate ongoing campaigns.

It is recommended that when you look into threat intelligence feeds you first undertake a serious introspective look at your environment, its maturity, and its capabilities to truly leverage the data that you are buying, rather than just having a feed as a check box in an auditor's notebook.

Document for download and dissemination HERE

Written by Krypt3ia

2015/03/04 at 20:08

Threat Intelligence Report – December/January 2014/2015

with 2 comments




Executive Summary:

In the months of December 2014 and January 2015 many paradigms on how the security of the Internet was perceived began to change. With the advent of the Sony hack and all of the fallout since, there has been quite a bit of angst on the part of governments across the globe in response to the attack.

This concern is warranted because the Sony hack set a precedent: destructive action on the part of a nation state (ostensibly) to attack a private corporation and completely destroy its capability to function as a company for many months. To date, Sony is still offline internally, with all of its various systems being reconstructed to enable workers to resume regular business.

Separately, other attacks like the Christmas Day attacks on Sony's and Microsoft's PSN and Xbox networks took their functions offline at a key time for gamers with new consoles to play the games they got for Christmas. These DoS (Denial of Service) attacks were carried out by a group of “script kiddies” (hackers without real skills) called “The Lizard Squad”, and their arrests are now happening in January by the FBI and others across the globe.

The final assessment, though, is that the game has changed and the rules are yet to be determined, both on a legal level and in an attacker's decision process on how far is too far to go. In the case of the Sony attack, whether or not it was a nation state doing so, the game changer is that they completely destroyed Sony's capability to operate their business. This situation ups the stakes for other adversaries, both nation state and other, to a level at which nothing is taboo and everything is possible.

In short, we are living in “Interesting Times” as the Chinese say, and we had all better be ready to handle the outcomes of potential attacks like the Sony attack, because it is likely that it will not be the last one of its kind.

Global Threats:

The Sony Hack & New Norms in Intrusions

The Sony attack was not new in the sense that the malware had been around for some time on the Internet. A version of it had been used in 2013 against banks in South Korea, and it managed to destroy quite a bit of data, although those attacks were stopped before the destruction of the banks' systems was complete. The notion of an adversary using such malware in this way against private entities, however, had not been carried out before, and this was the game changer.

In the case of Sony, an iteration of the malware from 2013 (DarkSeoul) was upgraded with about forty percent more changes to the base code that refined the process a bit. The malware, after editing was leaner and able to destroy drives in a very quick fashion. The crux of the attack lay in the malware choosing a certain section of the drive (middle) and quickly taking that section out with destructive wiper tools. In essence, that one stripe made the drive useless.

This in tandem with the hard coded domain names, addresses, and passwords of high level accounts, made the attack all the more destructive and pervasive. The sole intent of the upgrades and deployment of this malware package (4 variations of malware in total) was to take Sony off line hard at a maximum cost.


The assessment that goes along with this attack on Sony is alluded to in the executive summary. The crux is that this malware was not advanced; it has been around since 1998 as a concept, and the attacks used to place it in the network were not new either. What is different is that the actor was willing to carry out such an attack on their target in the first place.

The changes to laws you are seeing proposed by the Obama Administration show just how in earnest they are to respond to this change in tempo of cyber warfare. There are few international laws that handle this type of attack and we have yet to have any real substantive ground rules that all countries would abide by in this battle space.

Additionally, the attack on Sony also sets the tone for non state and chaotic actors who may want to just wreak havoc wherever they can with the same tools. Remember that the code is already out there and the access can be granted through phishing attacks or insider access at any company. This attack and the narrative on how it happened should be paid heed by every company today because they too could be the next Sony with the right adversary set to destroy them.

Reading Material:

The Government Response to Sony

As stated above, the US Government has been actively seeking to update and create new policy on hacking and cyber warfare since the Sony attacks occurred. The Obama White House has in fact put forth changes to the CFAA (Computer Fraud and Abuse Act) as well as new legislation covering all manner of information sharing as well as repercussions for hacking.

The primary concern for business, though, should be the changes to incident reporting as well as the proposals for information sharing between companies and the government on security threats seen in the wild. Such information sharing programs already exist in the private defense contractor space but as yet do not exist outside that realm. The matter of reporting incidents, however, is a new and prickly topic and should be watched closely by corporations to be sure of what they may have to report on and in what time frames. Additionally, they should be concerned with fines for non-reporting as well as issues around releasing data on vulnerabilities they may have.


The primary concern that companies will be looking at will be the reporting and repercussions from doing so. At present this is all notional and with the president being a “lame duck” it may not be something that companies will have to concern themselves with at all. That is unless the Senate and House decide to act on these proposals.

Reading Material:

Chaotic Actors: Lizard Squad

The Lizard Squad is a loosely knit group of script kiddies that created a now defunct DoS (Denial of Service) software package that was used to take the Sony PSN and MS Xbox networks down on 12/25/14.

These attacks were chaotic in that the Lizard Squad just did it because they wanted to. There was no political agenda and no real stated reason; they just took things off-line to make people unhappy and to gather fame for themselves.

At present, the Lizard Squad's tool is off-line, its code has been dumped online, and the service's users' passwords (which were not encrypted) are in the open. The FBI is investigating the incident and has in fact captured three of the hackers from the group already, with more to come.


The Lizard Squad is just one group of many that come into existence and go out of existence on-line regularly. Loosely modeled on Anonymous, the Lizard Squad acted out of a need to chaotically cause mischief on-line without much more reason than they wanted to.

This type of actor is becoming more prominent with actions like this and with each big story, and the attention they are given, more will rise up like them to sow havoc on companies on-line. These actors for the most part usually carry out attacks though that are not as complex or devastating as the Sony attack but they could also evolve and carry out like attacks.

It is thus important that companies pay more attention to groups like these and monitor OSINT and other threat intelligence feeds to be aware of groups that might target them. Being armed with information may make all the difference in the world to your OPSEC against such attacks by these actors.

Reading Material:

Skeleton Key Malware: Bypassing Domain Admin

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”

CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.


This malware is novel in that it uses a flaw in Active Directory in tandem with single-factor authentication. This novel approach, if not mitigated by Microsoft, could be enhanced and used more widely by attackers. There is, however, one flaw in the malware that mitigates the attack:

The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.

However, if you have a level of compromise that would grant the access needed to install malware on the domain controller, then this attack is secondary because the adversary has already compromised you at a deep level.

Reading Material:

Internal Telemetry & Alerts

IDS Alerts

Phishing Attacks

Malware Trends

Log Correlation

Full report for download HERE: Report

Written by Krypt3ia

2015/01/21 at 21:00

Threat Intelligence: The Blame Game

with 2 comments



Lately I have been sitting and thinking about TI and Attribution as well as the state of the state as the year comes to a close. I sit, I ponder, and then I get all kinds of rage filled with the shit I see happening out there. So, after a particular sit down I had over the weekend I decided to post this manifesto on the Internet’s front door. For what it’s worth I am not trying to be a so called “thought leader” here as much as I have just had fucking enough of the insanity and would like to see a little sense shoved down everyone’s collective cyber throats.

Open wide kids! Uncle bastard has a few words for you!

Threat Intelligence:

What is Threat Intelligence? Well, ask random people and you will get random answers. Ask vendors and you will get super buzzwordy speak offering many APTs and IOCs and TTPs along with a host of other jargon. The reality is that Threat Intelligence has been co-opted as an idea from the military (once again in our business, like so many other things) and kluged into our business process in IT and Security.

Strictly speaking though, threat intelligence should be informatics that can be used to determine the threat to your environment. Most of the time it is data in the form of IPs, ports, protocols, and actions that are being seen in the wild being used against other companies, governments, and people. As such it can be useful if you are a like entity or you have the same vulnerabilities that are being leveraged. You can take that feed of data and put in firewall rules to block C&Cs etc. to prevent them being used on you. Along with this, you should be getting informatics on patches that are available for 0days being used as well as perhaps the types of information the hackers are targeting most often.

With all of this data one can formulate a plan and put in some rules in your own environment to perhaps detect or prevent it happening on your digital soil. Unfortunately though, much of the time the feeds and “intelligence” being sold to companies is just data. The company may lack the comprehension levels needed to understand the data or “intelligence” because they lack a person or group to analyse it all and rationalize it for their organization. This is where much of the fail happens in our business where Threat Intelligence is concerned if you ask me. Companies pay a lot of money for a data feed and then they fail to leverage it. It is also a fail on the part of the companies selling TI because they often just sell you the feed and pretty shiny reports on APT actors because they are cool and leave the end user struggling with the meanings. I mean, it’s an extra fee for comprehension right? So we have a fundamental failure on the part of the business to serve the clients in my opinion.
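As an added example (not the blog's own code) of the comprehension step the paragraph above says is missing, this script takes a constructed indicator feed, discards entries that are stale or low-confidence, matches the rest against constructed proxy log lines and attaches the feed's context to each hit; the feed columns, thresholds and log format are assumptions.

```python
"""Turn an indicator feed into detections instead of leaving it as a raw data dump:
match feed entries against proxy log lines, drop indicators that are stale or
low-confidence, and attach the context an analyst needs to act on a hit.

Added example; the feed format, thresholds and log lines are constructed here,
not any vendor's real feed or this blog's own code."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed feed. Real feeds carry roughly the same fields: value, type,
# confidence and last-seen date; the last two are what make it intelligence.
FEED_CSV = """indicator,type,confidence,last_seen,context
203.0.113.7,ipv4,90,2015-01-20,C2 beacon over TCP/443
198.51.100.0/24,cidr,60,2014-11-02,bulletproof hosting range
bad-update.example,domain,85,2015-01-18,phishing landing page
192.0.2.44,ipv4,95,2014-06-01,C2 retired months ago
"""

# Constructed proxy log lines: timestamp src_ip dst_ip host bytes ("-" = no host)
LOG_LINES = [
    "2015-01-21T09:00:01Z 10.1.2.3 203.0.113.7 - 812",
    "2015-01-21T09:00:04Z 10.1.2.9 198.51.100.21 cdn.example.net 40212",
    "2015-01-21T09:01:10Z 10.1.2.3 93.184.216.34 bad-update.example 1512",
    "2015-01-21T09:02:00Z 10.1.2.17 192.0.2.44 - 300",
    "2015-01-21T09:02:30Z 10.1.2.5 8.8.8.8 dns.google 64",
]


@dataclass
class Indicator:
    value: str
    kind: str          # ipv4 | cidr | domain
    confidence: int    # 0-100, as supplied by the feed
    last_seen: datetime
    context: str


def parse_feed(text: str) -> List[Indicator]:
    """Read the CSV feed into Indicator objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [Indicator(r["indicator"].strip(), r["type"].strip(), int(r["confidence"]),
                      datetime.strptime(r["last_seen"], "%Y-%m-%d"), r["context"])
            for r in rows]


def usable_indicators(feed: List[Indicator], now: datetime,
                      min_confidence: int = 50, max_age_days: int = 30) -> List[Indicator]:
    """Keep only indicators worth blocking or alerting on: confident enough and
    seen recently. A retired C2 address is exactly the kind of feed entry that
    burns analyst time with false positives if it is loaded blindly."""
    return [i for i in feed
            if i.confidence >= min_confidence
            and now - i.last_seen <= timedelta(days=max_age_days)]


def indicator_matches(ind: Indicator, dst_ip: str, host: str) -> bool:
    """Match one log destination against one indicator by indicator type."""
    if ind.kind == "ipv4":
        return dst_ip == ind.value
    if ind.kind == "cidr":
        return ip_address(dst_ip) in ip_network(ind.value, strict=False)
    if ind.kind == "domain":
        h = host.lower()
        return h == ind.value or h.endswith("." + ind.value)
    return False


def detect(log_lines: List[str], feed_text: str, now: str) -> List[Dict[str, object]]:
    """Return one record per log line that touches a usable indicator, carrying
    the feed's context so the alert explains itself. `now` is an ISO date."""
    now_dt = datetime.strptime(now, "%Y-%m-%d")
    indicators = usable_indicators(parse_feed(feed_text), now_dt)
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        ts, src, dst, host, nbytes = line.split()
        for ind in indicators:
            if indicator_matches(ind, dst, host):
                hits.append({"ts": ts, "src": src, "dst": dst, "host": host,
                             "bytes": int(nbytes), "indicator": ind.value,
                             "confidence": ind.confidence, "context": ind.context})
    return hits


def hits_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per internal host; one host touching several indicators is a
    stronger signal than several hosts touching one."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["src"])] = counts.get(str(h["src"]), 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(LOG_LINES, FEED_CSV, "2015-01-21")
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]} ({h["host"]}) '
              f'matched {h["indicator"]} [{h["confidence"]}]: {h["context"]}')
    print("hits per host:", hits_by_source(found))
```

The stale range and retired C2 entries in the feed produce no alerts even though two log lines touch them, which is the difference between loading a feed and using it.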


Ah yes, attribution, the word itself sends a shiver of fuckery up and down the spine. This is the hook that all TI firms are selling their shit on. Detecting attacks and then attributing them to sophisticated actors. All of these firms are the new cool right? Seems like every month we see a new and shiny report dumped on the internet alleging that some or other group of APT actors is hacking up a storm and stealing things. This may in fact be the case, that there are actors out there stealing shit left and right, but the attribution thing? Well, that is notional at best. I have to say though lately I have been surprised to see some of these reports start to use the words “may be” which is a good thing. You see, attribution is a lot like guessing you are holding a tree trunk while blind while in fact it is an elephant's trunk.

Attribution should, in my opinion, be removed from the equation altogether in these threat intelligence firms' business cycle. Here's what they should do:

  1. Determine what the actor is doing and how
  2. To whom
  3. Then report on those actions and how to stop them by their modus operandi (C&Cs, TTPs, IOCs, hashes, etc.)

That’s it. That is all they should be doing. By colouring it with all the Spy vs. Spy shit they may think that they are super cool but in reality they are just muddying the waters for anyone trying to do real work. All of these swank reports on bad guys is just marketing and a certain desire to sell shit to the government. The regular Joe in the trenches working in security, it does nothing for.

So cut it out. I have little hope that will happen though.

Oh and one last word on attribution… It’s never that easy. Let’s see us go to war over your attribution…

Intelligence Cycle:

Back in 2013 I did a presentation on the intelligence cycle at BsidesLV. I would like to point you all at it again and once again say take a look. My premise is that any company that is looking to perform Threat Intelligence needs to not just have a feed without a real person or group who can analyse the data and report back to the company on the threats. If you strip out all the attribution crapola you may or may not have useful information depending on your position. The crux of the matter is comprehending what is being given to you and using that information to make better security decisions in your environment.

All too often now it’s all just shiny blinky appliances, reports, and language from so called thought leaders and vendors while Rome burns. If you are going to be serious about doing threat intelligence drop all the “ain’t it cool” crap and get down to brass tacks about securing your environment by knowing your weaknesses. You do this by leveraging threat intelligence where you can and introspection and action on where your environment has weaknesses.


The Threat Intelligence Cycle


Written by Krypt3ia

2014/12/15 at 15:11


leave a comment »

Executive Summary:

In the month of November 2014 two stories made the news that have direct corollaries to many corporations. These two stories center on actors' modus operandi and their targeting of companies, individuals, and infrastructure in very particular ways.

The first actor/incident is Sony and their alleged attacker, the GOP (Guardians of Peace). Sony was hacked by unknown person(s) and approximately 111 TB (terabytes) of information was taken from their networks and systems. The data began to be leaked on the internet via BitTorrent and other sites in blocks of 1 GB to 100 GB per release.

The second attack/actor is being called FIN/4 and they are an unknown group that has been targeting corporations’ executives via Phishing. FIN/4 is looking for M&A information that they can steal to play the market with or have inside information for other companies to use by selling it to them. FIN/4 has been detected attacking Big Pharma looking for insider information primarily but has also been seen attacking other types of companies such as holding companies in search of information they desire.

Global Threats:

Sony Hack (GOP): Destructive Hacking and Malware

The Sony Corporation was hacked over an indeterminate time within the last year and was tipped to the fact on or about November 24th – 25th of 2014 by the attackers. A group or person, calling themselves “The GoP” or Guardians of Peace released malware on the Sony network that then changed the login screens of all machines to a picture of a skeleton and a threat (see below)

Once the malware was delivered and triggered, the screens of the PCs were changed to the image and a wiper utility went into action destroying the MBR (Master Boot Record), thus damaging the operating system and all data on the drive.

The attack on Sony should be a warning to all companies and entities with networking infrastructures. This attack seems to have been carried out by an insider (likely an IT person) with intimate knowledge of their network and where data lives. The malware itself had been hard coded with server DNS names within Sony’s network as well so this was a very targeted attack.

The attack on Sony has been in the news quite a bit, and the full extent of the hack and its repercussions has yet to be fully determined. Sony's stock has taken a hit and has been up and down with the news stories and the GOP's releases of information online. Reputation-wise the company has taken a great hit and may in fact be in jeopardy, because other companies and banks do not want to loan them funds or work with them now that thousands of Sony records already online show that they were not exercising due diligence with PII and PCI data internally. The majority of documents were unencrypted, and for those that had passwords, the actual passwords were in a file alongside the documents or built into the document's file name itself.


The attack on Sony was most likely an insider attack and as such is one of the hardest types of attacks to protect against. However, since the release of data from Sony on the internet, it has come to light that the following glaring issues existed that led to their devastating compromise:

  • Sony did not have adequate staff working in information security and had in fact been relying heavily on contractors, who were transient in nature

  • Sony had not been using encryption on files for PII or PCI
    • Full employee lists with SSNs were neither encrypted nor password protected

  • Sony had not fully instituted complex passwords on systems and files
    • Passwords were placed in the file name itself
    • Examples: s0ny123 (Lotus Notes user password)
    • Notes password II: password
    • AD login: 163erie (less than 8 chars)
    • Passwords were re-used; in this case the same user's password was also used for the corporate AMEX account.

  • Attackers were able to exfiltrate 111 terabytes of information. This exfil likely happened onto local external drives but could have been done over the network over time. If it was carried out over the network, then Sony either could not see the immense amount of data being siphoned or they ignored it. Internal intelligence and telemetry is key to stopping exfiltration of corporate data.

  • This attack and exfil of data so thoroughly compromised Sony that they had to shut down their network completely and have employees use only pencils and paper for work.


This attack on Sony was most likely motivated not by nation state actors upset about a movie, but by how Sony, in the attackers' view, treated some employee(s) somewhere. The GOP in their communications keeps talking about how Sony is a bad corporation and treats its people poorly. No matter the motives and the actors, however, the important things to learn from this attack are the following:

  1. Insider attacks are the greatest risk to any organization

  2. Lax security policies and processes for securing data on drives with proper passwords and encryption led to complete compromise of corporate and employee data from this attack. Were the files encrypted and properly password protected this may have been mitigated.

  3. Any corporation could fall victim to the same type of attack.

  4. The malware used, contrary to the news cycle, is not new and not exotic. MBR wipers have been around since 1998. It is easy to re-work malware (reverse engineer it) to be undetectable by antivirus utilities and thus not be seen.

What corporations need to take away from this incident is that it can happen to anyone. It can especially happen to a company not paying attention to internal data, systems, and traffic. A secondary concern that companies all should have is that now that this attack has happened, it will give others ideas and potentially open the door to more like this in the future as a means of hacktivism or revenge. A second and more important takeaway should be the following;

“It’s not important who attacked you after the fact. It’s important to discover and remediate the compromise through proper incident response and then fix the problems that allowed for the compromise to happen in the first place”

While threat intelligence is an important tool in the security arsenal, the focus has been on the who and not so much on the why and how, at least in the media sphere around Sony. A recently leaked memo from the founder of Mandiant, the company carrying out the DFIR on Sony in this incident, alludes to the attack being “unprecedented and unstoppable”. This language and this memo are a disservice to the industry and allow companies to believe that, with lax security controls and the illusion of nation state actors, the blame for a major incident can be removed from the company whose environment allowed the attack.

As shown above the data was out in the open and efforts to protect data like PII and PCI were just not taken. Of course an insider attack is hard to foil but at this time it is speculative whether or not it was an insider even with the GOP bulletins saying that it was in fact the case. As well, in the case of Sony there is a long history of over 20 hacks on them that succeeded in the past, and thus it seems that not only are they a big target, but also an easy one because they seem to have not been able to secure their environment well enough to stop attacks whatsoever. Given all of these factors it should be evident that any corporation should look at the data coming out of Sony to study just what went wrong and attempt to not be the next company to fall prey to this.

Finally, this attack on Sony should be a lesson for everyone in that now that this has happened, and utterly destroyed the capacity of a company others in the future will use it as a model for their own attacks. The notion is now out there in the open and in reality I guess one could call this the realization of the “Fire Sale” as seen in the movies. This is a turning point in information warfare and protection that everyone should take heed of and attempt to be ready for. While there may be no magic bullet to stop these types of attacks from happening there are certainly means at the disposal of corporations and security groups to at least attempt to detect and stop such attacks. Specifically there should be means to detect large data transfers within the network as well as going out of the domain itself.
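The detection the closing sentence asks for, and the exfil bullet in the list above, as an added example that is not part of the original post: per-host daily byte counts to internal and external destinations, compared against each host's own median over earlier days. The flow records are constructed and the thresholds (5x baseline, 1 GB floor, three days of history) are assumptions.

```python
"""Flag hosts moving unusually large volumes of data, both out of the network
(exfiltration) and to another internal host (staging before exfil), by comparing
each host's daily volume with its own recent baseline.

Added example, not the blog's own code; the flow records and thresholds below are
constructed, and a real deployment would feed it NetFlow/IPFIX or proxy totals."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (date, src_ip, dst_ip, bytes)

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows. 10.20.0.15 and 10.20.0.22 are ordinary workstations; on
# 2014-11-24 10.20.0.15 pushes 9 GB to a file server and 14 GB to an outside host,
# while 10.20.0.31 (no history at all) sends 2.5 GB out.
FLOWS: List[Flow] = [
    ("2014-11-21", "10.20.0.15", "93.184.216.34", 300_000_000),
    ("2014-11-21", "10.20.0.15", "10.20.5.9", 50_000_000),
    ("2014-11-22", "10.20.0.15", "93.184.216.34", 350_000_000),
    ("2014-11-22", "10.20.0.15", "10.20.5.9", 40_000_000),
    ("2014-11-23", "10.20.0.15", "93.184.216.34", 280_000_000),
    ("2014-11-23", "10.20.0.15", "10.20.5.9", 60_000_000),
    ("2014-11-24", "10.20.0.15", "10.20.5.9", 9_000_000_000),
    ("2014-11-24", "10.20.0.15", "198.51.100.77", 14_000_000_000),
    ("2014-11-21", "10.20.0.22", "93.184.216.34", 500_000_000),
    ("2014-11-22", "10.20.0.22", "93.184.216.34", 520_000_000),
    ("2014-11-23", "10.20.0.22", "93.184.216.34", 480_000_000),
    ("2014-11-24", "10.20.0.22", "93.184.216.34", 610_000_000),
    ("2014-11-24", "10.20.0.31", "198.51.100.77", 2_500_000_000),
    ("2014-11-24", "203.0.113.9", "10.20.0.15", 700_000_000),  # inbound, ignored
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_volumes(flows: List[Flow]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Sum bytes per (src, direction) per day for flows that start inside the
    network; direction is 'internal' (staging) or 'external' (egress)."""
    volumes: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for date, src, dst, nbytes in flows:
        if not is_internal(src):
            continue
        direction = "internal" if is_internal(dst) else "external"
        volumes[(src, direction)][date] += nbytes
    return volumes


def find_anomalies(flows: List[Flow], day: str, ratio: float = 5.0,
                   min_bytes: int = 1_000_000_000,
                   min_history_days: int = 3) -> List[Dict[str, object]]:
    """Report hosts whose volume on `day` is above an absolute floor and well
    above their own median over earlier days. Hosts without enough history are
    reported on the absolute floor alone, because a brand-new host shipping
    gigabytes is still something the analyst wants to see."""
    findings: List[Dict[str, object]] = []
    for (src, direction), per_day in daily_volumes(flows).items():
        today = per_day.get(day, 0)
        if today < min_bytes:
            continue
        history = [b for d, b in per_day.items() if d < day]  # ISO dates sort lexically
        baseline: Optional[float] = median(history) if len(history) >= min_history_days else None
        if baseline is None:
            reason = "no baseline; above absolute floor"
        elif today >= ratio * baseline:
            reason = f"{today / baseline:.1f}x daily median"
        else:
            continue
        findings.append({"src": src, "direction": direction, "bytes": today,
                         "baseline": baseline, "reason": reason})
    findings.sort(key=lambda f: int(f["bytes"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_anomalies(FLOWS, "2014-11-24"):
        gb = int(f["bytes"]) / 1e9
        print(f'{f["src"]} {f["direction"]:8s} {gb:6.1f} GB  {f["reason"]}')
```

The internal-to-internal finding is the staging step that precedes the outbound one; seeing both for the same host on the same day is the pattern worth paging on.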

FIN4: Spear Phishing and Stock Manipulation

FIN/4 is the name that Cylance has given to the group of actors using “Spear Phishing” to attack corporations' email systems to steal corporate information. The information that these attackers are leveraging, though, all has to do with M&As and other insider information that the adversary wants to use or sell as intelligence for stock trades.

What makes the FIN/4 different is this focus only on M&A or insider data. They only go after OWA or other email systems and do not hack any further into the networks. This type of activity nets them what they want and does not lead to their being discovered as easily. Through password dumps and email trails these attackers are able to compromise systems and data they require and then go quiet while auditing all the information passing through those systems.


FIN/4 is a new twist on an old idea. This actor set is as yet new and it is unclear whether or not it is nation state or other. However their pattern of attacks should be something that every company should pay attention to whether they are actively traded on the stock market or not. This type of attack set is low and slow and nets quite a bit of data from common end user frailties. The introduction of malware or just the compromise of accounts can lead to the full compromise of a company just as much as is evidenced in the Sony attack above.

Download Document HERE

Written by Krypt3ia

2014/12/09 at 19:58