Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Threat Intelligence’ Category

ChatGPT; Create a dossier on room 39 in DPRK

This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.

Room 39 (also rendered Office 39 or Bureau 39) is a secretive organization within the Democratic People’s Republic of Korea (DPRK) that is believed to be involved in illegal activities, including money laundering, arms smuggling, and counterfeiting. Here is a dossier on Room 39, detailing its history, operations, and significance.

The exact location of Room 39 within the Democratic People’s Republic of Korea (DPRK) is unknown, as the organization operates under a high level of secrecy and its members are believed to be highly skilled at concealing their activities and avoiding detection.

However, it is widely believed that Room 39 is headquartered in the capital city of Pyongyang, and that it has branch offices and operational centers throughout the country. The organization is thought to operate under the direct authority of the North Korean leadership, and to have close ties to the country’s ruling elite.

Despite its secretive nature, Room 39 has been the subject of intense scrutiny by international organizations and governments, as its illicit activities are seen as a major challenge to regional stability and security. Efforts to track the organization’s activities and disrupt its operations have been ongoing for many years, but progress has been limited by the organization’s secrecy and the support it enjoys from the North Korean regime.

The exact amount of money that flows through Room 39 is difficult to estimate due to the secretive nature of the organization and its operations. However, some estimates suggest that the organization generates billions of dollars in revenue each year, largely through illicit activities such as money laundering, counterfeiting, and smuggling.

It is widely believed that a significant portion of the revenue generated by Room 39 is used to fund the North Korean regime’s military and nuclear programs. However, it is unclear how much of this revenue is directly funneled into the accounts of the Kim family, which has ruled North Korea for three generations.

While there is no concrete evidence to support the claim that the Kim family directly benefits from Room 39’s activities, some reports suggest that members of the family have used the organization to acquire luxury goods and other items that are subject to international restrictions. For example, a 2017 report by the United Nations suggested that Kim Jong Un had used front companies associated with Room 39 to acquire luxury yachts, musical instruments, and other items.

History

Room 39 was established in the mid-1970s (1974 by most accounts) by Kim Jong Il, the former Supreme Leader of North Korea and the father of current leader Kim Jong Un. The organization is believed to have been created to provide a source of foreign currency for the North Korean regime, which has been subject to international sanctions and trade restrictions.

One of the key tactics used by Room 39 in its illicit operations is the use of grey markets. Grey markets are informal networks of traders and middlemen who operate outside of formal channels of commerce, often in the context of goods that are subject to sanctions or trade restrictions.

Room 39 is believed to be involved in a wide range of grey market activities, including the smuggling of goods and the evasion of international sanctions. The organization is thought to use a network of front companies and intermediaries to transfer funds and goods, and to conceal its activities from international authorities.

For example, Room 39 has been linked to the smuggling of minerals, such as coal and iron ore, which are subject to international sanctions. The organization is believed to use a network of traders and middlemen to transfer these goods across borders, often using deceptive practices such as mislabeling or transshipment to avoid detection.

Room 39 has also been linked to the smuggling of luxury goods, such as high-end automobiles, watches, and liquor. UN Security Council sanctions have banned the export of luxury goods to North Korea since 2006, because such goods reward the regime’s elite and lend it prestige. Room 39 is thought to use a range of tactics to evade these restrictions, such as front companies and the exploitation of loopholes in international regulations.

In addition to its grey market activities, Room 39 is also believed to be involved in a range of other illicit activities, including money laundering, counterfeiting, and the production of illegal drugs. The organization’s operations are highly secretive, and it is notoriously difficult to identify its members or track its activities. Nevertheless, Room 39 is widely believed to be a significant source of revenue for the North Korean regime, and its activities are seen as a major challenge to international efforts to promote stability and security in the region.

Operations

Room 39 is believed to be involved in a wide range of illegal activities, including:

  • Money laundering: Room 39 is thought to be involved in laundering money from drug trafficking, smuggling, and other illicit activities. The organization is believed to operate several front companies in China and other countries to facilitate the transfer of funds. According to a report by the US Department of the Treasury, Room 39 has used these companies to conduct transactions worth millions of dollars.
  • Counterfeiting: Room 39 is believed to be involved in the production of counterfeit US dollars and other currencies. The organization is reported to have sophisticated facilities and printing equipment, and to use advanced techniques to avoid detection. In 2019, a Hong Kong-based news outlet reported that North Korea was using its embassy in Beijing as a base for its counterfeiting operations, with Room 39 reportedly involved in the scheme.
  • Trading: Room 39 is also believed to engage in legitimate business activities, such as trading in minerals, metals, and other commodities. These activities are believed to provide cover for its illegal operations and to generate revenue for the regime. According to a report by the Korea Institute for International Economic Policy, Room 39 has been involved in the export of coal, iron ore, and other minerals to China and other countries.
  • Arms smuggling: Room 39 is believed to be involved in the smuggling of weapons and military equipment, including missiles and nuclear components. According to a report by the US Department of State, the organization has been involved in arms smuggling to countries in the Middle East and Africa, and has also provided military training and support to non-state actors.

Cyber Operations

North Korea has been linked to a number of cyber operations in recent years, many of which are believed to be conducted by the country’s military intelligence agency, the Reconnaissance General Bureau (RGB). These operations include attacks on financial institutions, cyber espionage, and the theft of cryptocurrency.

While the exact role of Room 39 in these cyber operations is unclear, it is believed that the organization plays a key role in generating revenue for the regime from cybercrime. For example, Room 39 is believed to be involved in the theft of cryptocurrency, which is then used to fund the regime’s military and nuclear programs. In addition, the organization is thought to be involved in the development of advanced cyber capabilities, which are used to conduct cyber espionage and other operations.

The most high-profile cyber operation attributed to North Korea was the 2014 attack on Sony Pictures, carried out in retaliation for the studio’s production of The Interview, a comedy that portrayed the North Korean leader in a negative light. The attack, which was attributed to the RGB, resulted in the theft of sensitive data, the release of embarrassing emails, and the destruction of computer systems.

Other cyber operations attributed to North Korea include the WannaCry ransomware attack in 2017, which affected hundreds of thousands of computers around the world, and the theft of $81 million from the Bangladesh Bank in 2016, which was carried out using stolen SWIFT credentials.

Ties to Room 39

While it is unclear to what extent Room 39 is directly involved in cyber operations, the organization is believed to play a key role in facilitating North Korea’s cybercrime activities. Room 39 is thought to be involved in the laundering of funds generated by cybercrime, as well as the acquisition of technology and equipment used in these operations.

For example, a 2019 report by the UN Panel of Experts on North Korea noted that Room 39 had been involved in the acquisition of advanced encryption software and other technology that could be used to conceal the country’s cyber activities. The report also noted that the organization had used front companies and other means to transfer funds for the purchase of this technology.

In addition, a 2020 report by the US Department of the Treasury identified several individuals and entities involved in North Korea’s cyber activities, many of whom were linked to Room 39. The report noted that these individuals and entities had been involved in a range of cyber operations, including the theft of cryptocurrency and the development of malware and other tools for use in cyber espionage and other activities.

These and other reports suggest that Room 39 plays a significant role in North Korea’s cyber activities, and that the organization’s illicit operations are intertwined with the country’s cybercrime activities. As such, efforts to curb North Korea’s cyber activities will need to take into account the role of Room 39 and other organizations involved in generating revenue for the regime.

The individuals associated with Room 39 are notoriously difficult to identify, given the secretive nature of the organization. However, here are some examples of known individuals who have been linked to the group:

  • Kim Chol: In 2013, the US Department of the Treasury designated Kim Chol, a senior official in the North Korean government, as a Specially Designated National (SDN) for his involvement in Room 39’s illicit activities. According to the Treasury Department, Kim Chol was involved in the management of several front companies used by Room 39 to launder money and evade international sanctions.
  • Ko Chol Man: In 2017, the UN Panel of Experts on North Korea identified Ko Chol Man as a key figure in Room 39’s illicit activities. According to the Panel’s report, Ko Chol Man had been involved in the operation of several front companies used by Room 39 to transfer funds, and had also been involved in the smuggling of coal and other commodities.
  • Kim Su Il: In 2020, the US Department of the Treasury designated Kim Su Il, a North Korean government official, for his involvement in Room 39’s illicit activities. According to the Treasury Department, Kim Su Il had been involved in the operation of several front companies used by Room 39 to transfer funds, and had also been involved in the smuggling of coal and other commodities.

It is likely that many other individuals associated with Room 39 have not been identified publicly, given the organization’s secrecy and its members’ skill at concealing their activities.
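Acting on designations like the ones above means screening counterparty names, and Korean names are error-prone to match: list entries are written "SURNAME, Given", aliases carry McCune-Reischauer apostrophes (Kim Ch’ol) or hyphens (Su-il), and many people share the same two syllables. The Python below is an added example, not code from the post or any official list; its watchlist is constructed for the demonstration (identifiers and programme labels are made up, and the post’s names are reused only as sample strings), and real screening would run against the published OFAC SDN and UN 1718 Committee lists with their full alias, date-of-birth and passport fields.

```python
"""Screen counterparty names against a sanctions-style watchlist while
allowing for the romanisation variants that make DPRK names hard to match.

Added example, not code from the original post. WATCHLIST is constructed
for the demonstration (identifiers and programme labels are made up) and
is not a copy of any official list.
"""
import re
import unicodedata

WATCHLIST = [
    {"uid": "WL-1", "name": "KIM, Chol", "aliases": ["Kim Ch'ol"],
     "programme": "DPRK (front companies)"},
    {"uid": "WL-2", "name": "KO, Chol Man", "aliases": ["Ko Ch'ol-man"],
     "programme": "DPRK (coal exports)"},
    {"uid": "WL-3", "name": "KIM, Su Il", "aliases": ["Kim Su-il"],
     "programme": "DPRK (front companies)"},
]


def normalize(name):
    """Reduce a name to an order-insensitive set of ASCII tokens.

    Handles 'SURNAME, Given' list formatting, McCune-Reischauer apostrophes
    (Ch'ol -> chol), hyphenated given names (Su-il -> su il) and accents.
    """
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = ascii_name.lower().replace("'", "")
    ascii_name = re.sub(r"[-,]", " ", ascii_name)
    return frozenset(ascii_name.split())


def screen(candidate, watchlist=WATCHLIST):
    """Return [(confidence, uid)] for every watchlist entry the candidate hits.

    'exact'   - normalised token sets are identical.
    'partial' - one token set strictly contains the other (e.g. a record that
                carries a generational syllable the candidate omits). Single-
                token candidates are never partial-matched, or every 'Kim'
                would hit the list.
    """
    key = normalize(candidate)
    hits = []
    for entry in watchlist:
        for variant in (entry["name"], *entry["aliases"]):
            vkey = normalize(variant)
            if key == vkey:
                hits.append(("exact", entry["uid"]))
                break
            if len(key) >= 2 and (key < vkey or vkey < key):
                hits.append(("partial", entry["uid"]))
                break
    return hits


if __name__ == "__main__":
    for name in ["Kim Chol", "Ch'ol KIM", "Kim Su-Il", "Kim Chol Sam",
                 "Ko Chol", "Kim", "Jane Doe"]:
        print(f"{name:14} -> {screen(name)}")
```

The partial tier is where the analyst work starts: a hit on "Kim Chol Sam" against a "Kim Chol" record is a lead to be resolved with date of birth, passport number or employer, not a match in itself.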

Ties to cryptocurrencies and illicit operations

Room 39 is believed to be involved in a wide range of illicit activities, including money laundering, arms smuggling, counterfeiting, and commodity trading used as cover. One of the tactics used by Room 39 in its illicit activities is the use of cryptocurrencies.

Cryptocurrencies provide a means for Room 39 to evade international sanctions and bypass traditional financial channels, making them an attractive option for the organization. Room 39 is believed to be involved in a range of cryptocurrency-related activities, including:

  1. Cryptocurrency mining: Room 39 is believed to operate a significant cryptocurrency mining operation, which allows it to generate large quantities of Bitcoin and other cryptocurrencies. The organization is thought to use a network of servers located in China and other countries to conduct its mining activities.
  2. Cryptocurrency theft: Room 39 is also believed to be involved in the theft of cryptocurrencies from exchanges and other targets. The organization is thought to use a network of hackers and intermediaries to steal the cryptocurrencies, which are then used to fund the North Korean regime’s military and nuclear programs.
  3. Cryptocurrency laundering: Room 39 is also believed to be involved in the laundering of cryptocurrencies through a network of intermediaries and front companies. The organization is thought to use these intermediaries to convert the stolen cryptocurrencies into fiat currency, which can then be used to fund the regime’s activities.

One example of Room 39’s involvement in cryptocurrency-related activities is the 2018 theft of $530 million in cryptocurrencies from the Japanese exchange Coincheck. According to reports, the hackers responsible for the theft were linked to North Korea and may have been associated with Room 39. The stolen cryptocurrencies were likely used to fund the North Korean regime’s military and nuclear programs.
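As an added illustration (not part of the original post or the reporting it cites) of how an analyst follows stolen funds through the layering described above, the Python below runs a pro-rata taint calculation and a hop search over a ledger constructed for the example. Every address, amount and endpoint label in it is made up, and the taint threshold is an assumption.

```python
"""Follow stolen cryptocurrency from a theft address through intermediary
wallets to the points where it is cashed out.

Added example, not code from the original post or the reporting it cites.
LEDGER is a constructed, chronologically ordered list of transfers; the
addresses, amounts and LABELS (what an analyst would know from exchange
KYC or OSINT) are all made up. Real tracing works on clustered on-chain
data and is far noisier; this shows the layering pattern and the
'pro-rata' taint rule analysts apply to it.
"""
from collections import defaultdict, deque

# (tx_id, from_address, to_address, amount) in chronological order
LEDGER = [
    ("tx1",  "exchange_hot_wallet", "thief1",           500.0),  # the theft
    ("tx2",  "thief1",              "layer_a",          200.0),  # split ...
    ("tx3",  "thief1",              "layer_b",          300.0),
    ("tx4",  "layer_a",             "layer_c",          199.9),  # ... and re-merge
    ("tx5",  "layer_b",             "layer_c",          150.0),
    ("tx6",  "unrelated1",          "layer_c",           50.0),  # clean funds mixed in
    ("tx7",  "layer_b",             "layer_d",          149.9),
    ("tx8",  "layer_c",             "otc_desk_deposit", 349.8),  # cash-out
    ("tx9",  "layer_d",             "mixer_in",         149.8),  # into a mixer
    ("tx10", "merchant",            "customer",           1.0),  # noise
]

# Constructed attribution an analyst would hold for known endpoints.
LABELS = {"otc_desk_deposit": "OTC desk deposit (fiat cash-out)",
          "mixer_in": "mixing service"}


def taint_fractions(ledger, seed):
    """Pro-rata taint: an address's tainted share is tainted_inflow / total_inflow,
    updated in ledger order, so clean money mixed into a hop dilutes the taint
    carried by everything that leaves it afterwards."""
    taint = {seed: 1.0}
    tainted_in, total_in = defaultdict(float), defaultdict(float)
    for _tx, src, dst, amount in ledger:
        if dst == seed:
            continue  # the theft transfer itself; the seed is tainted by definition
        tainted_in[dst] += amount * taint.get(src, 0.0)
        total_in[dst] += amount
        taint[dst] = tainted_in[dst] / total_in[dst]
    return taint


def hop_paths(ledger, seed):
    """Shortest forward path (breadth-first) from the seed to every reachable address."""
    outgoing = defaultdict(list)
    for tx, src, dst, _amount in ledger:
        outgoing[src].append((dst, tx))
    paths, queue = {seed: [seed]}, deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt, tx in outgoing[cur]:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [f"{tx}->{nxt}"]
                queue.append(nxt)
    return paths


def cash_out_report(ledger, seed, labels, min_taint=0.5):
    """Labelled endpoints reachable from the seed that carry at least min_taint."""
    taint, paths = taint_fractions(ledger, seed), hop_paths(ledger, seed)
    inflow = defaultdict(float)
    for _tx, _src, dst, amount in ledger:
        inflow[dst] += amount
    rows = []
    for addr, label in labels.items():
        if addr in paths and taint.get(addr, 0.0) >= min_taint:
            rows.append({
                "address": addr,
                "label": label,
                "hops": len(paths[addr]) - 1,
                "taint": round(taint[addr], 4),
                "tainted_amount": round(inflow[addr] * taint[addr], 2),
                "path": " / ".join(paths[addr]),
            })
    return sorted(rows, key=lambda r: -r["tainted_amount"])


if __name__ == "__main__":
    for row in cash_out_report(LEDGER, "thief1", LABELS):
        print(row)
```

The point of the pro-rata rule is visible at tx6: clean funds mixed into an intermediary wallet dilute the taint that reaches the OTC desk, which is exactly why chain-hopping and mixing defeat naive "follow the largest output" tracing. Real investigations combine this with address clustering heuristics and exchange KYC records to get from a deposit address to a person.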

Overall, Room 39’s involvement in cryptocurrencies is part of a wider strategy to evade international sanctions and generate revenue for the North Korean regime. The use of cryptocurrencies allows the organization to operate outside of traditional financial channels and to conduct its activities with a high degree of anonymity and secrecy.

Significance

Room 39 is significant because it provides a vital source of income for the North Korean regime, which is subject to severe economic sanctions and trade restrictions. The organization is believed to generate billions of dollars in revenue each year, which is used to fund the regime’s military and nuclear programs, as well as to support the lavish lifestyle of its leaders.

The activities of Room 39 have also contributed to the isolation of North Korea from the international community, as many countries view the organization as a threat to global security and stability. The US and other countries have imposed sanctions on individuals and companies associated with Room 39, in an effort to curb its illegal activities and to pressure North Korea to abandon its nuclear and missile programs.

Despite these efforts, Room 39 continues to operate and to generate revenue for the North Korean regime. Its activities are likely to remain a challenge for the international community, as they represent a significant source of support for one of the world’s most repressive and isolated regimes.

Open Source Reporting:

There have been several reports in open-source media on Room 39 and its operations. For example:

  • In 2017, the United Nations published a report that identified several companies and individuals involved in Room 39’s money laundering activities. The report found that these entities were using a network of shell companies and front companies to evade international sanctions and transfer funds to North Korea.
  • In 2018, a report by The New York Times alleged that Room 39 was involved in the theft of $81 million from the Bangladesh Bank in 2016. The report suggested that North Korean hackers were behind the theft, and that Room 39 was involved in laundering the stolen funds.
  • In 2019, The Wall Street Journal reported that North Korea was using its embassy in Berlin as a base for its illicit activities, including the smuggling of goods and the acquisition of technology for its nuclear and missile programs. The report cited unnamed Western officials who suggested that Room 39 was involved in the scheme.
  • In 2020, the United Nations published a report that highlighted Room 39’s involvement in illicit activities. The report noted that the organization was involved in money laundering, counterfeiting, and smuggling, and had used a network of front companies to evade international sanctions. The report also suggested that Room 39 had been involved in the acquisition of luxury goods, which are subject to international restrictions.
  • In 2021, The Diplomat published an article that detailed Room 39’s involvement in the smuggling of cigarettes. The article cited sources who suggested that the organization had been involved in the smuggling of cigarettes from China to North Korea, and had used the profits to fund its other illicit activities.
  • In 2021, Radio Free Asia reported on Room 39’s involvement in the production of methamphetamine. The report cited unnamed sources who suggested that the organization had established several drug labs in North Korea, and was producing large quantities of methamphetamine for export.

These and other reports indicate that Room 39 remains a significant source of revenue for the North Korean regime, and is involved in a wide range of illicit activities. The organization’s operations pose a significant challenge for the international community, as they contribute to the regime’s ability to pursue its nuclear and missile programs, and to maintain its grip on power. The continued reporting on Room 39 underscores the need for continued vigilance and enforcement measures to curtail its activities.

Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this publication.

Written by Krypt3ia

2023/03/06 at 13:54

SARS-CoV-2 Lab Leak Intelligence Assessments

This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.

As this is in the news this week, and Director Wray came out and spoke about it last night, I thought a little intelligence report generated by ChatGPT and a threat assessment might be fun. Personally, I have always held that the potential of the origin of SARS-CoV-2 was higher in this scenario than the wet market scenario due to several things.

Firstly, the virus seems to have been, for a zoonotic event, all too readily infectious for humans right from the start. While SARS viruses have already been seen in humans, and of course SARS had an outbreak in China back in 2002, the impacts of that particular strain were not as massive as SARS-CoV-2. One of the primary reasons for that, from my reading, has been the difference in the virus: SARS-CoV-2’s ability to bind to ACE2 within our systems and run rampant. It is also to be noted that the genetic structure of the virus does not rule out genetic manipulation, specifically that of gain-of-function research, which is what WIV had been working on.

Secondly, there were at least three employees of the WIV who got sick in November, just before the pandemic started in Wuhan, who may in fact have had COVID-19. Not much is known about these three people, as the Chinese government is not being transparent about them, but it is quite the coincidence that these three lab workers got sick with an unknown disease in November, and then the full outbreak of SARS-CoV-2 began in December, in Wuhan of all places.

Thirdly, the Chinese government has been very obtuse about cooperating with anyone on getting to patient zero in this pandemic and has actively blocked investigations. Of course, this is a tricky situation for any country that is the epicenter of a pandemic, but China has blocked so much of the potential truth that it cannot be dismissed. I am not saying in any way that this was a deliberate release, or that this virus was being “weaponized” in a military program. It is my contention that they were doing gain-of-function work in an effort to understand how to counter such shifts in the SARS genome should they happen, and to create vaccines against it. It is just a matter of it having walked out on someone’s shoe before they even had a chance to come up with a counter to the bug they had just souped up.

Added to this last set of facts, I can also easily see how the virus could have escaped from WIV, given reporting before the pandemic that the lab had been cited for poor security practices. This is also a known quantity that is not a slam dunk, but if you take all of the known knowns and assess the situation before and after the initial beginnings of the pandemic, well, I can easily see my way to a low-to-medium confidence theory that a lab leak was the possible cause of the pandemic writ large.

Anyway, here’s an assessment written by ChatGPT on this…

ChatGPT: Create an intelligence estimate of the lab leak theory for sars-cov-2 and cite data that backs up this theory

Executive Summary:

The theory that SARS-CoV-2 originated from the Wuhan Institute of Virology (WIV) through a laboratory accident remains inconclusive. While there is some circumstantial evidence to support this hypothesis, there is also evidence against it, and alternative explanations remain plausible. Further investigation is necessary to determine the virus’s origins and the role of the WIV, including tracing the early spread of the virus and studying its genetic makeup. The possibility of a laboratory accident cannot be completely ruled out, and the scientific community and policymakers must continue to take steps to ensure the safety of biosecurity labs and prevent future accidents.

Background:

The emergence of the novel coronavirus SARS-CoV-2 in late 2019 has led to intense speculation about its origins. One hypothesis is that it may have accidentally leaked from the WIV, a high-level biosecurity laboratory located in Wuhan, China. The lab is known for its research on bat coronaviruses and is part of China’s effort to become a world leader in virology research.

Intelligence Assessment:

  1. Evidence supporting the lab leak theory:

There is some circumstantial evidence to support the theory that SARS-CoV-2 originated from the WIV through a laboratory accident. For example, the lab was conducting research on bat coronaviruses at the time of the outbreak, and there have been reports of lax safety protocols at the facility. In addition, some scientists have suggested that the virus’s genetic makeup is more consistent with laboratory manipulation than natural evolution. However, none of this evidence is conclusive, and alternative explanations remain plausible.

  2. Evidence against the lab leak theory:

There is also evidence that contradicts the lab leak theory. For example, the virus’s genetic makeup closely resembles that of other bat coronaviruses found in the wild, suggesting a natural origin. In addition, many experts believe that the virus likely originated in a wet market in Wuhan, where the sale of live animals provided an opportunity for the virus to jump from animals to humans. Furthermore, some early cases of COVID-19 were traced back to individuals who had no connection to the WIV, further casting doubt on the lab leak theory.

  3. Unanswered questions:

There are still many unanswered questions about the origins of SARS-CoV-2, and the possibility of a laboratory accident cannot be completely ruled out. Further investigation is necessary to determine the virus’s exact origins, including tracing its early spread in Wuhan and studying the genetic makeup of the virus. In addition, more information is needed about the safety protocols at the WIV and other biosecurity labs around the world.

  4. Confidence in the intelligence assessment:

The level of confidence in the intelligence assessment varies depending on the specific evidence and alternative explanations. Overall, there is a medium level of confidence in the assessment due to the inconclusive nature of the evidence and the need for further investigation.

Conclusion:

The theory that SARS-CoV-2 originated from the WIV through a laboratory accident remains inconclusive. While there is some circumstantial evidence to support this hypothesis, there is also evidence against it, and alternative explanations remain plausible. Further investigation is necessary to determine the virus’s origins and the role of the WIV. The possibility of a laboratory accident cannot be completely ruled out, and the scientific community and policymakers must continue to take steps to ensure the safety of biosecurity labs and prevent future accidents. This includes increasing funding for biosafety research, strengthening regulations and oversight, and improving international cooperation to address global public health threats.

ChatGPT: Write a threat assessment report on the hypothesis that the Wuhan virological lab was the source of an accidental leak of SARS-CoV-2

Threat Assessment Report: Hypothesis of an Accidental Leak of SARS-CoV-2 from the Wuhan Virological Lab

Introduction:

Since the emergence of the novel coronavirus SARS-CoV-2 in late 2019, speculation has circulated around the origins of the virus. One hypothesis is that it accidentally leaked from the Wuhan Institute of Virology (WIV) in China. This assessment will consider the potential threats associated with this hypothesis.

Background:

The Wuhan Institute of Virology is a high-level biosecurity laboratory located in Wuhan, China. The lab is known for its research on bat coronaviruses and is part of China’s effort to become a world leader in virology research. According to some reports, the lab may have been conducting research on bat coronaviruses at the time of the outbreak.

Threat Assessment:

  1. Public health threat:

If SARS-CoV-2 did originate from the Wuhan Virological Lab, the consequences of this accidental leak could have been catastrophic. The virus has caused a global pandemic, resulting in millions of deaths and widespread economic and social disruption. The risk of future pandemics originating from labs is a serious concern and could result in even more devastating outcomes.

  2. Economic and geopolitical threat:

The potential for damage to global economies and international relations is significant. If it is found that the virus originated from the Wuhan lab, there may be calls for reparations or punitive measures against China, leading to economic and geopolitical tensions.

  3. Threat to the credibility of biosafety protocols:

The safety of biosecurity labs is critical to preventing the accidental release of dangerous pathogens. If the hypothesis of an accidental leak from the Wuhan Virological Lab is proven to be true, it could damage the credibility of biosafety protocols and undermine public trust in the safety of such facilities.

  4. Risk of future accidents:

The risk of future accidents is a concern. If it is found that the virus did indeed originate from the Wuhan lab, it may indicate that the current safety protocols are insufficient. This could lead to increased scrutiny and stricter regulations for biosecurity labs, potentially hampering their ability to conduct critical research.

Conclusion:

The hypothesis that SARS-CoV-2 originated from the Wuhan Virological Lab presents a number of potential threats, including public health, economic, geopolitical, and credibility risks. While investigations into the origins of the virus are ongoing, it is crucial that biosecurity labs adhere to the highest safety standards to prevent future accidents and ensure the safety of researchers and the public.

Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this publication.

Written by Krypt3ia

2023/03/01 at 12:42

Hypothesize on how threat intelligence analysis jobs will suffer with A.I. being deployed into SIEM and EDR systems

This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.

One of the ruminations I have had since ChatGPT and AI became a reality for us all has been humans’ place in the world once this technology has been eagerly applied to business by corporations. There have, of course, been a lot of talking-head cut lines out there in the blog and media sphere, but I wanted to discuss this topic specific to an area I am familiar with: primarily the field of information security and, in particular, the area of CTI (Cyber Threat Intelligence).

I was having a conversation with my mentee about the job search, the dearth of positions for a younger person with only a few years of experience in the field, and my own travails in trying to land another position, and we got onto the subject of A.I. I began to hypothesize about the near future, where A.I. (generative and otherwise) would no doubt be implemented in the tools of the trade for hacking as well as for blue team efforts, including Threat Intelligence. What I eventually worked out, like many others out there making prognostications, was the notion that once the technology is integrated more completely with ML, the role of a “Threat Analyst” may become not so much a single role but just a portion of a larger role for someone within a security group. As such, future CTI jobs may be less and less a position one can get.

If SIEM and EDR systems both have an A.I. component, then all of the large data (structured and now even unstructured) could be sifted through and analysis carried out by an A.I., which would then only have to be told, or automatically programmed, to create threat analysis reports for all of the various consumers the organization has dedicated to it, and email them without human intervention once the maturity model is met.

The natural conclusion of the hypothesis for me was that what we already see within the security world, contraction and the drive to get more with less (e.g. layoffs, and seeing positions for single-person catch-all duty roles on reqs today), will be exacerbated when A.I. gets wider implementation in the CTI space. Corporations will always seek to spend less, and within the security space, which is always a cost center for corporations, if A.I. is the panacea and is offered as a service by EDR and SIEM vendors, you can bet that positions will be eliminated, just as in other spaces where robotics and A.I. become the go-to for cost savings.

Just how long we have is a guess, but I am going to make a stab at saying that in five years this is likely to come to pass. So, just one more job that A.I. will likely subsume. Sure, there will have to be human hands involved for a while, but eventually the role of a CTI analyst will likely become less and less a role companies will really need as a single function requiring a dedicated employee. As the A.I. itself points out below, it will likely be that we analysts will have to evolve to keep up with the A.I. and service its needs, creating more components it can use, or creating augmentations that, at present, would take human intervention.

…and that is some cost savings given the salaries out there.

Coincidentally, this article was on Mastodon this morning as well: The Future of Network Security: Predictive Analytics and ML-Driven Solutions

ChatGPT: “Hypothesize on how threat intelligence analysis jobs will suffer with A.I. being deployed into SIEM and EDR systems”

With the deployment of AI into SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) systems, it is likely that some aspects of threat intelligence analysis jobs will be affected. Here are a few potential hypotheses:

  1. Increased Automation: The use of AI in SIEM and EDR systems could automate many routine tasks that are currently performed by threat intelligence analysts. For example, AI could be used to automatically categorize and prioritize alerts, reducing the amount of time analysts spend on these tasks. This could lead to a reduction in the number of entry-level threat intelligence analysis jobs.
  2. Higher Accuracy: AI has the potential to improve the accuracy of threat detection and response, which could reduce the need for human intervention in some cases. However, it is important to note that AI is not infallible and will require ongoing human oversight and tuning to ensure it is effective.
  3. Shift in Focus: As AI takes on more routine tasks, it is likely that threat intelligence analysts will need to shift their focus to more complex and strategic tasks. This could include analyzing trends and patterns in attack data, developing new detection strategies, and investigating new threats.
  4. Need for Specialization: As AI becomes more prevalent in threat detection and response, there may be a growing need for analysts with specialized knowledge in areas such as AI algorithms, data analytics, and machine learning. This could lead to a shift away from generalist threat intelligence analysis roles towards more specialized positions.

With the increasing adoption of AI in SIEM and EDR systems, it is likely that some aspects of threat intelligence analysis jobs will be impacted. As AI becomes more sophisticated, it has the potential to automate routine tasks and improve the accuracy of threat detection and response, reducing the need for human intervention.

While this may lead to improved efficiency and cost savings for organizations, it could also result in the elimination of some threat intelligence analysis positions. This is particularly true in industries where security is viewed primarily as a cost center, and organizations may be more willing to replace human analysts with AI to reduce costs.

However, it is important to note that the deployment of AI in SIEM and EDR systems may also lead to new opportunities for threat intelligence analysts. As AI takes on more routine tasks, analysts may need to develop new skills and specialize in areas such as AI algorithms, data analytics, and machine learning. This could lead to the creation of new, more specialized roles that require a higher level of expertise.

Overall, the impact of AI on threat intelligence analysis jobs will depend on various factors, including the industry, the organization’s view on security, and the level of sophistication of the AI system. While some positions may be eliminated, the deployment of AI in SIEM and EDR systems may also create new opportunities for analysts with specialized skills. It will be important for organizations to balance the benefits of AI with the potential impact on their workforce and develop strategies for reskilling and upskilling their employees accordingly.

Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this publication.

Written by Krypt3ia

2023/02/28 at 13:41

Threat intelligence report on the various North Korean advanced persistent threat groups, who we know from open source intelligence they are composed of, and what activities they have carried out over the last five years.

This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.

Threat Intelligence Report: North Korean Advanced Persistent Threat Groups

Executive Summary: North Korea is known for its active state-sponsored hacking groups that carry out cyber espionage and disruptive activities to further their strategic objectives. These Advanced Persistent Threat (APT) groups are known for their sophisticated tactics, techniques, and procedures (TTPs) to infiltrate targeted networks and steal data. This report provides an overview of the various North Korean APT groups, their composition, and the activities they have carried out over the last five years.

Background: North Korea’s regime has long recognized the importance of cyber warfare as a means of advancing its strategic interests. The country has been accused of orchestrating several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.

North Korean APT Groups: North Korea has a number of active APT groups that conduct cyber espionage and disruptive activities. The following are some of the most notable groups:

  1. Lazarus Group: Lazarus is one of the most well-known North Korean APT groups and has been active since 2009. The group is believed to operate under the Reconnaissance General Bureau, North Korea’s primary intelligence agency. Lazarus Group has been linked to several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.
  2. APT37: Also known as Reaper, APT37 is believed to be a sub-group of Lazarus Group. The group is known for its sophisticated malware and phishing campaigns and has targeted a range of sectors, including government, military, and the media.
  3. APT38: APT38 is a North Korean hacking group that is believed to be responsible for cyber attacks on financial institutions around the world. The group is known for its advanced capabilities, including the ability to bypass two-factor authentication and other security measures.
  4. Kimsuky: Kimsuky is a North Korean APT group that is believed to operate under the country’s military intelligence agency. The group is known for its spear-phishing campaigns targeting South Korean government agencies and the country’s military.

Activities over the last five years: Over the last five years, North Korean APT groups have been involved in a range of cyber attacks, including:

  1. The 2014 Sony Pictures hack: Lazarus Group was linked to the attack, which resulted in the theft and release of sensitive data and caused significant damage to Sony Pictures’ reputation.
  2. The 2016 Bangladesh Bank heist: APT38 was linked to the attack, which resulted in the theft of $81 million from the Bangladesh Bank’s account at the Federal Reserve Bank of New York.
  3. The 2017 WannaCry ransomware attack: Lazarus Group was linked to the attack, which affected over 200,000 computers in 150 countries and caused widespread disruption.
  4. The 2018 Pyeongchang Winter Olympics cyber attack: Kimsuky was linked to the attack, which targeted the email accounts of South Korean officials and organizations involved in the event.

Exposed Assets within DPRK Cyber Operations

North Korean state-sponsored hacking groups, also known as Advanced Persistent Threat (APT) groups, have been widely identified and studied by cybersecurity researchers over the years. These groups are believed to be operated by the North Korean government and are known for their sophisticated cyber espionage and cyber attack capabilities.

Here are some of the known names of operators within North Korean APT groups:

  1. Lazarus Group: The Lazarus Group is perhaps the most well-known North Korean APT group, and has been active since at least 2009. It is believed to be responsible for a wide range of cyber attacks, including the infamous Sony Pictures hack in 2014 and the WannaCry ransomware attack in 2017. Some of the known Lazarus Group operators include Park Jin Hyok, who was indicted by the US Department of Justice in 2018 for his involvement in the Sony Pictures hack, and Kim Il, who is believed to be a key member of the group’s cyber espionage operations.
  2. APT37: Also known as Reaper or Group123, APT37 is another North Korean APT group that has been active since at least 2012. It is known for its wide range of cyber attack capabilities, including espionage, data theft, and destructive attacks. Some of the known APT37 operators include Kim Hyon Woo and Jon Chang Hyok.
  3. APT38: APT38 is believed to be a sub-group of the Lazarus Group, focused specifically on financial gain through cyber attacks. It is known for its involvement in a number of high-profile attacks against banks and financial institutions, including the theft of $81 million from the Bangladesh Bank in 2016. Some of the known APT38 operators include Park Jin Hyok and Kim Su Jin.
  4. APT27: Also known as Emissary Panda, APT27 is believed to be a Chinese-speaking North Korean APT group that has been active since at least 2010. It is known for its cyber espionage and data theft capabilities, and has been linked to attacks against government agencies, defense contractors, and other high-value targets. Some of the known APT27 operators include Zhang Xiao and Zhu Qiang.
  5. APT10: APT10, also known as Stone Panda, is another Chinese-speaking APT group that is believed to have close ties to North Korea. It is known for its cyber espionage and data theft capabilities, and has been linked to attacks against government agencies, defense contractors, and other high-value targets. Some of the known APT10 operators include Zhang Zhang-Gui and Tan Daijing.

It is important to note that these are just some of the known names of operators within North Korean APT groups, and that these groups are constantly evolving and changing their tactics and techniques. Cybersecurity researchers and law enforcement agencies around the world continue to monitor these groups closely in order to better understand their capabilities and prevent their attacks.

TTPs, IOCs, and Campaigns by DPRK OPS

North Korean Advanced Persistent Threat (APT) groups have been actively engaged in cyber espionage and cyber attack campaigns for many years. These groups are known for their sophisticated Tactics, Techniques, and Procedures (TTPs), which they use to compromise networks, steal data, and conduct other malicious activities. In this report, we will discuss some of the key TTPs, Indicators of Compromise (IOCs), and campaigns associated with North Korean APT groups.

Tactics, Techniques, and Procedures (TTPs):

  1. Social Engineering: North Korean APT groups often use social engineering tactics to trick users into installing malware or providing sensitive information. This includes spear-phishing emails and fake social media profiles.
  2. Malware: North Korean APT groups develop and use a wide range of malware, including Remote Access Trojans (RATs), Keyloggers, and data exfiltration tools. They often customize their malware for specific targets to avoid detection.
  3. Exploits: North Korean APT groups actively search for vulnerabilities in software and operating systems that they can exploit to gain access to target networks. They have been known to use exploits for zero-day vulnerabilities to remain undetected.
  4. Encryption: North Korean APT groups often use encryption to protect their malware and data exfiltration activities. They may also use steganography to hide malware within benign-looking files.

Indicators of Compromise (IOCs):

  1. IP addresses: North Korean APT groups often use IP addresses associated with their attacks. Some of the well-known IP addresses used by these groups include 175.45.176.0/22 and 210.52.109.0/24.
  2. Domains: North Korean APT groups often register domains that are similar to legitimate websites in order to trick users. Some of the known domains used by these groups include dc56wd4z2f4q3vix.onion and gosmail[.]co.
  3. Malware signatures: Researchers have identified a range of malware signatures associated with North Korean APT groups. Some of the well-known malware signatures include “Freenki” and “SiliVaccine.”
  4. Command and Control (C2) infrastructure: North Korean APT groups often use unique C2 infrastructure to communicate with their malware. This includes custom protocols and communication channels.
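A defender reading an indicator list like the one above would want to turn it into something that actually runs against logs. The following is an added example, not code from the post or from ChatGPT: it takes the two CIDR ranges and two domains quoted above exactly as listed (refanging the `[.]` notation on load), and matches them against a handful of constructed firewall/proxy log lines. Indicator lists age quickly, so in practice entries like these should be checked against a maintained feed before being promoted from detection to blocking.

```python
"""Match constructed log lines against the IOC list quoted in the post.

Added example, not part of the original post. The CIDR ranges and
domains are the ones quoted on the page; the log lines are constructed
samples, not real traffic.
"""
import ipaddress
import re

# Indicators as quoted on the page (the defanged domain is refanged below).
IOC_CIDRS = ["175.45.176.0/22", "210.52.109.0/24"]
IOC_DOMAINS = ["dc56wd4z2f4q3vix.onion", "gosmail[.]co"]

# Constructed sample firewall/proxy log lines (not real traffic).
SAMPLE_LOGS = [
    "2023-02-28T13:41:02Z fw src=10.0.0.12 dst=175.45.178.9 dport=443 action=allow",
    "2023-02-28T13:41:05Z proxy user=alice host=mail.gosmail.co path=/login",
    "2023-02-28T13:41:09Z fw src=10.0.0.33 dst=8.8.8.8 dport=53 action=allow",
    "2023-02-28T13:41:12Z proxy user=bob host=example.org path=/",
    "2023-02-28T13:41:20Z fw src=10.0.0.12 dst=210.52.109.200 dport=80 action=allow",
]


def refang(indicator: str) -> str:
    """Turn defanged notation (gosmail[.]co, hxxp://) back into a usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


NETWORKS = [ipaddress.ip_network(c, strict=False) for c in IOC_CIDRS]
DOMAINS = [refang(d).lower() for d in IOC_DOMAINS]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def domain_matches(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def ip_matches(ip_text: str):
    """Return the matching CIDR as a string, or None if the IP is not listed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan(lines):
    """Return (line_index, indicator_type, indicator) for every hit, in log order."""
    hits = []
    for i, line in enumerate(lines):
        for ip_text in IP_RE.findall(line):
            net = ip_matches(ip_text)
            if net:
                hits.append((i, "cidr", net))
        m = HOST_RE.search(line)
        if m and domain_matches(m.group(1)):
            hits.append((i, "domain", m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for idx, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {idx}: {kind} hit on {ioc}: {SAMPLE_LOGS[idx]}")
```

The subdomain check matters because an actor rarely contacts the bare registered domain; the `mail.gosmail.co` sample line only fires because `domain_matches` accepts any host under a listed domain.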

Campaigns:

  1. Operation AppleJeus: This campaign was carried out by the Lazarus Group and involved the creation of a fake cryptocurrency trading application called Celas Trade Pro. The malware used in this campaign was designed to steal cryptocurrency from users of the fake application.
  2. Operation GhostSecret: This campaign involved the use of malware designed to steal sensitive data from a wide range of industries, including healthcare, telecommunications, and finance. The malware used in this campaign was linked to the APT37 group.
  3. Operation Sharpshooter: This campaign was carried out by the Lazarus Group and involved the use of a new malware called “Rising Sun.” The malware was designed to steal sensitive data from military and government organizations in the US and Europe.
  4. Operation North Star: This campaign was carried out by the APT38 group and involved the use of malware to steal millions of dollars from financial institutions in countries including South Korea and India.

Malware Groups

North Korean Advanced Persistent Threat (APT) groups have been developing and using a wide range of malware for many years. This malware is used to conduct cyber espionage, cyber attacks, and other malicious activities. In this report, we will discuss some of the known North Korean malware and the APT groups that are associated with them.

  1. Destover: This malware was used in the 2014 Sony Pictures hack and was attributed to the Lazarus Group. Destover is a wiper malware that is designed to delete files and overwrite the master boot record of infected systems.
  2. Joanap: This malware was attributed to the Bluenoroff group and was used in a range of attacks against South Korean targets. Joanap is a Remote Access Trojan (RAT) that is capable of executing commands on infected systems, stealing data, and conducting reconnaissance activities.
  3. Brambul: This malware is associated with the APT38 group and is used to conduct SMB brute-force attacks. Brambul is designed to infect vulnerable Windows systems and use brute-force attacks to gain access to network shares.
  4. WannaCry: This ransomware attack occurred in 2017 and was attributed to the Lazarus Group. WannaCry was designed to exploit a vulnerability in the Windows operating system and encrypt files on infected systems, demanding a ransom for their release.
  5. Andariel: This malware is associated with the APT37 group and is designed to steal cryptocurrency. Andariel is capable of stealing credentials, executing commands, and exfiltrating data from infected systems.
  6. ELECTRICFISH: This malware is associated with the Hidden Cobra group and is used to create a tunnel for exfiltrating data from infected systems. ELECTRICFISH is capable of bypassing firewalls and other security measures to exfiltrate data to command and control (C2) servers.
  7. KEYMARBLE: This malware is associated with the Kimsuky group and is designed to steal data from infected systems. KEYMARBLE is capable of stealing passwords, executing commands, and exfiltrating data to C2 servers.
  8. SILENTTRINITY: This malware is associated with the APT10 group and is a modular backdoor that can be customized for specific attacks. SILENTTRINITY is capable of executing commands, stealing data, and conducting reconnaissance activities on infected systems.
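The Brambul entry above describes SMB brute forcing against Windows network shares, which is one of the behaviours on this list that a defender can detect from host telemetry alone. What follows is an added example, not code from the post or any vendor: it runs a sliding-window detection over constructed Windows Security event records, assuming the standard meaning of Event ID 4625 (failed logon), 4624 (successful logon) and LogonType 3 (network logon, the type SMB share access produces). The threshold and window are assumptions to tune per environment.

```python
"""Detect SMB-style credential brute forcing from Windows Security events.

Added example, not from the post. The events below are constructed
(timestamp, event_id, logon_type, source_ip, target_user) tuples; in a real
deployment they would come from the SIEM. Event ID 4625 is a failed logon,
4624 a successful one, and LogonType 3 is the network logon that SMB uses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("2023-02-28T13:40:00Z", 4625, 3, "192.0.2.50", "administrator"),
    ("2023-02-28T13:40:02Z", 4625, 3, "192.0.2.50", "admin"),
    ("2023-02-28T13:40:03Z", 4625, 3, "192.0.2.50", "backup"),
    ("2023-02-28T13:40:05Z", 4625, 3, "192.0.2.50", "svc_sql"),
    ("2023-02-28T13:40:06Z", 4625, 3, "192.0.2.50", "guest"),
    ("2023-02-28T13:40:07Z", 4625, 3, "192.0.2.50", "administrator"),
    ("2023-02-28T13:40:10Z", 4625, 2, "10.0.0.7", "alice"),      # interactive typo, ignored
    ("2023-02-28T13:41:00Z", 4625, 3, "10.0.0.9", "bob"),
    ("2023-02-28T13:45:00Z", 4625, 3, "10.0.0.9", "bob"),        # two slow failures, no alert
    ("2023-02-28T13:40:08Z", 4624, 3, "192.0.2.50", "svc_sql"),  # success right after the burst
]

THRESHOLD = 5                  # assumed: failures inside one window that raise an alert
WINDOW = timedelta(seconds=60)  # assumed: sliding window length


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect_smb_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures", "accounts", "success_after"}} for every
    source that produced >= threshold failed network logons within `window`.

    `success_after` is True when the same source later obtained a successful
    network logon, the case an analyst should triage first.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))  # SIEM order is not guaranteed
    recent = defaultdict(deque)      # source -> timestamps of failures inside the window
    total = defaultdict(int)         # source -> all failures seen
    users = defaultdict(set)         # source -> distinct accounts tried
    flagged = set()                  # sources that crossed the threshold
    success_after = defaultdict(bool)

    for ts_text, event_id, logon_type, src, user in ordered:
        if logon_type != 3:          # only network logons are relevant to share access
            continue
        ts = parse_ts(ts_text)
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            total[src] += 1
            users[src].add(user)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(src)
        elif event_id == 4624 and src in flagged:
            success_after[src] = True

    return {
        src: {
            "failures": total[src],
            "accounts": sorted(users[src]),
            "success_after": success_after[src],
        }
        for src in sorted(flagged)
    }


if __name__ == "__main__":
    for src, info in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

Counting distinct target accounts separates password spraying (many accounts, few attempts each) from a classic brute force against one account; both cross the same failure threshold, but the `accounts` list tells the analyst which one they are looking at.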

Conclusion: North Korean APT groups continue to pose a significant threat to global security and stability. Their sophisticated tactics, techniques, and procedures (TTPs) make them difficult to detect and mitigate. To mitigate the risk of North Korean cyber attacks, it is essential for countries and organizations to invest in better cybersecurity measures, share threat intelligence, and adopt a proactive approach to cyber defense.

Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this blog.

How Threat Intelligence Will Leverage A.I.

Written by ChatGPT at my prompt.

Threat intelligence is a critical component of cybersecurity, providing organizations with the information they need to defend against cyber threats. Traditionally, threat intelligence has been a manual process, with analysts gathering and analyzing data to identify threats. However, the use of artificial intelligence (AI) has the potential to revolutionize threat intelligence by automating the process of identifying and responding to threats. In this article, we will explore in-depth how AI will leverage threat intelligence and how long it may be until it is fully implemented.

How AI Will Leverage Threat Intelligence

AI can be used in various ways to leverage threat intelligence. One of the most significant advantages of AI is that it can analyze vast amounts of data in real-time, allowing it to identify threats quickly and efficiently. By analyzing network traffic, user behavior, and other indicators of compromise, AI algorithms can identify threats that may go unnoticed by human analysts.

AI can also be used to automate the process of threat analysis and response. For example, AI algorithms can be used to monitor network traffic and detect anomalous behavior. If a threat is detected, the AI system can automatically respond by blocking the threat, isolating infected systems, or alerting security personnel. This can significantly reduce the time it takes to respond to threats, minimizing the impact of an attack.

Moreover, AI can help organizations prioritize their response to the most critical threats. For instance, by analyzing the behavior and tactics of known threat actors, AI can identify patterns and signatures that indicate the likelihood of an imminent attack. This way, organizations can prioritize their defenses and prepare for the most severe threats that pose the greatest risk to their operations.

Finally, AI-powered threat intelligence can help organizations stay ahead of emerging threats. With the ever-evolving threat landscape, AI can help organizations detect new types of attacks and respond proactively to potential vulnerabilities in their networks.

How Long Will It Be Until AI-Powered Threat Intelligence Is Fully Implemented?

The use of AI in threat intelligence is already happening, with many organizations using AI-powered threat intelligence platforms to detect and respond to threats. However, the implementation of AI-powered threat intelligence is not without its challenges.

One of the biggest challenges of implementing AI-powered threat intelligence is the need for large amounts of high-quality data. AI algorithms rely on large datasets to train their models and identify patterns. Organizations that lack high-quality data may find it challenging to implement AI-powered threat intelligence effectively. Therefore, organizations must prioritize data quality and develop strategies for collecting and processing large datasets effectively.

Another challenge of implementing AI-powered threat intelligence is the need for skilled personnel. AI algorithms may be able to identify threats automatically, but they still require human oversight to ensure that the system is functioning correctly. Organizations will need skilled personnel who understand AI and threat intelligence to implement and manage AI-powered threat intelligence systems effectively. The shortage of skilled cybersecurity professionals is a significant challenge, and organizations must invest in upskilling their existing workforce or recruit new talent to address this gap.

Finally, the cost of implementing AI-powered threat intelligence can be significant. AI-powered threat intelligence systems require significant investment in hardware, software, and personnel. Organizations will need to evaluate the cost-benefit of implementing AI-powered threat intelligence carefully. They must assess the potential risks and benefits of implementing AI and make informed decisions that align with their business objectives.

Conclusion

The use of AI in threat intelligence has the potential to revolutionize cybersecurity. AI algorithms can analyze vast amounts of data, detect threats in real-time, and automate threat response. Moreover, AI-powered threat intelligence can help organizations prioritize their defenses and stay ahead of emerging threats. However, the implementation of AI-powered threat intelligence is not without its challenges. Organizations must prioritize data quality, invest in upskilling their workforce, and evaluate the cost-benefit of implementing AI carefully. Despite these challenges, the benefits of AI-powered threat

Written by Krypt3ia

2023/02/20 at 22:27

The Pivot: Nuke To Cyber

Sitting here monitoring the situation, with the activation of the nuclear ready forces in Russia by Putin, I had to game things out a bit and wanted to share.

Short of a tactical nuclear strike, and then escalation, Putin may turn to the cyber arena instead, come tomorrow or later this week, in reprisal for his being cut off from SWIFT, as well as other pressures that are coming to bear today. In the last few minutes, I have also seen Sweden sending lethal aid as well as other warfare equipment, Switzerland freezing Russian assets, British Petroleum pulling out of Rosneft, and others around the globe starting to make Putin and Russia a pariah state.

These actions, mostly financial, are already wreaking havoc on his economy, but the more of them that come into play, the more cut off he will be from even prosecuting his war… except maybe his cyber war. Which brings me to the point. Come Monday, we may see reprisal attacks that generally will not be considered, or haven’t been in the past, reasons for kinetic responses.

As such, expect that soon we may see DDoS attacks on financial infrastructure, Ransomware attacks, Wiper attacks, and general detonation of malware. If you are in the FI space as a defender, get ready. If not, be aware that all of these actions could have effects on your business and your personal lives.

Be ready.

K.

Pandemic Threat Intelligence and Response Briefing For Executives: Planning For INFOSEC/Supply Chain/Continuity

Johns Hopkins COVID-19 Heat Map Tracking

Threat Intel:

SARS-CoV-2 has been spreading exponentially within the global community, and the effects of the virus and its attendant disease (COVID-19) are rapidly causing shocks within the global community. The effects of the pandemic are far-reaching; we have seen the strain on the global supply chain as China fell into the height of the pandemic, with supply chains being diminished or broken outright. As such, as the virus spreads, it is important to consider the threat to the security and function of your organization from the loss of these supply chains as well as of work forces within and without. As the spread of this disease continues, expect more supply chain degradation, if not complete failures, for some amount of time as the quarantines commence and play out.

As such, here are some basic questions to consider for your organization’s security and continuity, both as a whole and as separate functions such as the security of your networks. Use this document to spark discussions around the security response as well as the larger continuity and integrity of the whole as we are affected by this pandemic. These scenarios may not actually come to pass, but, as a security body, it is our job to forecast eventualities and the responses to them that might be needed to continue the function of the org.

Executive Briefing:

With the outbreak of SARS-CoV-2 and its resultant COVID-19 (the syndrome from infection), we have been seeing the arc of this outbreak becoming a global pandemic. With that in mind, it is advantageous to start planning for the effects of this pandemic on the businesses that you are responsible for. In this assessment, we will be looking primarily at the CIA triad of the response, not just on a data security level but with an expanded outlook on the security, continuity, and supply chains that make up the CIA triad. All of these affect the security of your organizations as well as the basic functionality of your business.

With this in mind, it is important to look at the effects of the pandemic, projecting out from the initial outbreak to a global pandemic, and how that will affect your business. Primarily the effects can be broken down into these discrete areas of concern:

  1. Supply chains: What supply chains will be affected that will impact your business model?
    • Human capital: how many people does it take to function properly if the work force is down from COVID-19?
      • What are your tolerances on head count?
      • What contingencies do you have if the work force is depleted due to sickness and quarantine?
      • Where are your single points of failure in the knowledge base were these assets to be sick and quarantined?
    • Supplies on demand that go into making your product: how much tolerance do you have for supply chains breaking?
      • What regions do your supplies come from?
      • Are they affected now?
      • Plan for pandemic loss of work forces and how long you can function without supplies or with less
  2. Infrastructure Capacities: What tolerance does your network have for expanded remote working?
    • With a workforce that may be in social isolation mode, what is the capacity for your company to allow people to work from home?
      • People will self-quarantine if they become ill
      • Children may be home as schools and day care shut down in order to prevent the spread of disease
      • State and federal governments may recommend that people stay home and isolate to stop the spread
      • In a protracted scenario of isolation and potential re-infection, what are your projections on your organization’s ability to function?
  3. Information Security Events and Response: With a global pandemic, the same drawdown on work forces will also apply to MSP (SOC) workers
    • With automation today, much of the function of a SIEM/SOC is canned response, but there is always a need for human intervention; who handles your response?
      • During the time of pandemic and response, if your team is depleted due to sickness or quarantine procedures, what is your contingency for response?
      • During the time of pandemic and response, the same applies to the SIEM/SOC solutions that you pay for if you do not have them in house; what is their contingency?
      • If you have a true incident in your environment, how will you handle it if the primary incident handlers are unavailable?
      • Do you have a service you work with?

All of these questions should be addressed going into an event like the one that is playing out globally with the SARS-CoV-2 (COVID-19) pandemic today. It is recommended that the executive suite be briefed on these questions and ensure that these possible eventualities can be answered by the organization to ensure the continuity of the org. Other elements of this narrative also bear on scenarios in other areas such as infrastructure and the overall output of whatever your organization’s products are, but these are a good set of questions for the security element to bring to the executive suite to start the initial discussions.

As such, use this document accordingly.

PDF format of this post here

Written by Krypt3ia

2020/03/02 at 14:38

2020 Threat Assessment

Here’s my threat assessment for the United States post the impeachment acquittal of Trump and the possible scenarios for the 2020 election cycle. I am putting these out there for you all to consider and to keep in the back of your minds as we move forward these nine months to the election as well as what we may see after November 8th 2020. Given recent events it is not hard to posit these scenarios as equally possible and all having grave import to the freedom of this nation and its people.

As we have seen so far, the election systems are insecure, the government itself and the Framers’ intentions are all now in question as to what is real, and the net effect is this: we now have a president who believes he has the power to do anything and now likely will push the envelope before the election. However, if he wins this election, you will see the power grabs and the illegalities only increase, eroding the rule of law further with his co-conspirators in the DOJ and elsewhere.

What we have seen in the last week alone should have you all thinking about the actions to come, and what, if anything, the government can do about it. I will tell you straight up here right now: this is a slide into fascism, boys and girls. In the last day we have seen the President tweet a comment about the “unfair” sentencing of Roger Stone, with an almost immediate response from the DOJ to throw out the sentencing guidelines and recommendations of the prosecution, and with that, the resignation of the four DOJ lawyers who were handling the case for the government.

This. Is. Not. Normal.

…. And it’s just the start.

As we move into the Election cycle, I would hasten you all to go and read this piece in The Atlantic on the disinformation war to come. We are going to see an all out attack cycle not only from the outside, but from within in this election. Added to this, the outcomes of the election are a key factor in what may be to come and at what rate things happen. So, read on and consider these scenarios.

Things are going to be very messy.

The Election Cycle:

Scenario 1: Trump Wins The Election By The Electoral College Again

This is the most likely event that I foresee for the 2020 election. Given the information war to come, I am willing to say that what happened in 2016 will happen again given the polarity of the nation and the machinations on the part of the Republicans to fudge the vote. There will be no need for Russia to really weigh in here and tip the scales with hacking for this to happen, but imagine if we have a replay of 2016 though. Once Trump has won the second term he will have four more years to push the envelope and do whatever he likes. This is primarily because once the election is won, he has no reason to be restrained in any way.

Think about it: impeachment was a failure. The Senate is willing not only to toe the party line in a partisan way, but to eschew the Constitution whole cloth for Trumpism merely to stay in power. With the Senate under his thrall, and the belief that Article Two says he can do whatever he pleases, he will overreach, and with the help of the Senate and now the DOJ…

Well, you can see what that means.

Scenario 2: Trump Wins By A “Landslide”

Given the polling and the stats that have been pretty consistent, if Trump won by a landslide, there would definitely be something wrong with the process in 2020. If this were to come to pass, it would surely mean that the election had been manipulated in a way that we have only seen in countries in Africa and South America. No amount of persuasion allows for this scenario. So, if it happens the outcome will be these:

  • The election will be investigated while Trump will still be in office
  • The investigation will take a long time, and during that time Trump and his minions will do everything in their power to obfuscate
  • The election would likely have to be re-run… But… Could Trump attempt a coup and declare a national emergency to keep power?

All of these scenarios are not as likely as the Electoral College win, but, this should scare you all because you know, he will not just leave the White House and allow for a free and fair election right?

Scenario 3: Trump Loses and Declares The Vote To Be Rigged

IF Trump loses the election, do you really all believe he will accede to the will of the people and leave? Do you further believe he will leave knowing that right after he does the SDNY will be slapping cuffs on him and trying him for crimes he committed pre election and after? The short answer to this is no, he will not willingly leave in my opinion.

So, with that said, let’s look at the scenario that he does lose, even losing the Electoral College. You all have seen him already use the terms “rigged” before in the first election, but now with so much on the line, he will immediately call for a recall. In fact, this may already be a contingency plan that the Russians or others can help with by actively penetrating our election systems. The damage would only have to be the fact that some votes were changed or databases were abused, that is all it would take to call into question the vote, and for Trump to use his powers as president to mandate an emergency situation in which he will retain power.

Once again, if this happens, the elections investigations will take a long time, and in that interim Trump will still be in power and able to overreach to keep it. So far, I have little faith in the system (e.g. the government) to stop him from doing this. We have seen how Impeachment went, and we have seen just how dangerous a totally tribal majority is in power.

Use of the DOJ As A Weapon:

Scenario 1: Trump And DOJ Start Arresting Opponents

We are already seeing this play out with Barr and Trump. With the DOJ now directly accepting disinformation dirt from Rudy for the 2020 campaign, I have little doubt that that information will now be used as a means to an end of creating charges at the most, but at the least reasons for search warrants and the like for the DOJ to start using against Trump’s opponents (primarily Biden at this time).

Right now Trump has an enemies list, but first on that list seems to be Bolton. If Bolton is suddenly presented with search warrants or arrested, this will be the first domino to fall in a cascade of abuse that Trump and Barr will carry out. If there is nothing to stop them arresting Bolton, expect others on that enemies list to be next. Post re-election, you will likely see this escalate and the enemies list will grow as well.

Scenario 2: Trump Pardons and Frees Manafort & Stone

As of yesterday, the events around Trump and Barr’s manipulation of the DOJ show you where they are willing to go for their peeps. It is likely that Trump will pardon Stone after the judge decides whatever she is going to give him. She does have discretion, so, one hopes that the original 7-9 year stint is what she chooses to do. However, if that happens, yeah, he will get pardoned and inserted back into the election cycle where Trump would like him.

Manafort too will also get a pardon, likely after re-election. This will also allow Manafort to re-kindle his ties to Ukraine and help Rudy as well. Trump will pardon Manafort most of all for steadfastly not being a rat and rolling over on Trump. This is the real key to this happening. This will set the precedent for others: like any other mob boss, Trump will show that if you do time for him, he will reward you later for not being a rat.

Scenario 3: Trump and Barr Close Cases Against Flynn & Erik Prince

Next in line are Flynn and Prince. My assessment will be that these two will slip away for two different reasons. Flynn will get away because he dealt with the government in the first place, but, he also did not totally rat out Trump. It’s been obvious that he has been holding back and obfuscating, so whatever it is, he has given enough to get leniency from the government, but with Barr in DOJ, well, they can just make it all go away right?

Erik Prince will get good treatment from Trump and have his case tossed because Prince is the wet works guy that Trump needs for the proxy wars and connections. This too will likely happen after re-election.

Scenario 4: Trump Starts Removing Non Conforming Justices

This is already starting to happen. The administration recently set forth the idea that they were going to “investigate” doing this in sanctuary cities. Those left-leaning justices need to be removed according to Trump. Of course, if this happens just to sanctuary city justices I will be truly surprised. This is a means to an end. If you will note, Trump has been putting in more right wing justices than anyone ever has. The control of the judicial system is a keystone in the ultra right’s playbook, so don’t expect this to be forgotten.

Scenario 5: Trump and His Operatives Start Disinformation Campaigns Against Journalists and Starts Arresting Them

In the run up to the 2020 election you will see directed attacks on reporters by the Trump admin and the Republican machine. If you read the above linked disinformation story in The Atlantic you can see how Trump’s son Don Jr. is directly working with operatives on caching dirt on reporters to sow disinformation on and use dirty tricks against to discredit anyone who opposes them. Post re-election this will likely continue if not actually escalate (as Trump becomes more aggressive without checks against him and as the media continues to do its job).

Final Assessment:

You might be reading this and thinking that I am just paranoid.

Maybe.

But what we are actively seeing today is not a slide into a greater democracy. These tactics, the overall machinations by the Republican party (aka the Trump party), are all indicators of an overall planned slide into authoritarian tactics. The fact that the laws of the land have not been able to stop Trump and the Russians so far has shown the inherent weaknesses of the American systems that have been attacked. With the rule of law presently being slowly poisoned by Barr’s acquiescence to Trump’s will, we are sliding further and further into a quasi-fascist state. The longer Trump is in power and keeps pushing the envelope without reproach, the further and further from autocracy to totalitarianism we will be.

The system has been challenged and we are finding that it is insecure and unable to right itself. These scenarios are just posits, but if they come to pass, you had better be thinking of an exit plan.

K.

Written by Krypt3ia

2020/02/12 at 16:36

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.



In 2013 I wrote about leaderless jihad and the “Stand Alone Complex”. Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last night’s attack using a lorry was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really, to gather some weapons, steal a truck, and then plow it into a crowd, but it has taken this long for the insidious idea to take root in the collective unconscious of the would-be jihadis. The days of a more rigid and trained “jihad” are being eclipsed by unbalanced would-be individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

[Image: 2014 Inspire]

[Image: 2010 Inspire 2 “Ultimate Mowing Machine”]

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dhaka on the face of it had a contingent of more trained individuals, the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self-radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.


So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are self-radicalizing with the help of the media’s obsession on covering ad nauseam these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would-be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self-fulfil the actor’s need for attention and satisfaction.


This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize its happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like-minded... Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as second generation citizens. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

May 2015 Global Threat Intelligence Report


GLOBAL Threat Intelligence Report – May 2015


  1. Executive Summary

In the month of May 2015 we saw the advent of “stunt hacking” with the claims of one researcher being able to hack a plane’s engines while in flight. While this event was the talk of all the media the real point of the thing was that nothing is secure, not planes, not trains, not automobiles, and certainly not your networks.

The common factor here is that security is an ongoing process that never stops. It is not a static thing and must always be perpetually worked on to hopefully prevent a breach or, more than likely, to detect one that is or has happened and to react to it properly. The following document covers some of the events in the security sphere that took place in May and comments on them to give direction as to their importance in the scheme of things.

Please use this document as a means to an end to enlighten yourselves on the current threatscape out there and as a guide to a process with which you can grow your own practice to a maturity where this information cycle becomes your own.

  2. Global Threats

      2.1 Tiversa accused of hacking clients to extort them:

When you hire a firm to take care of your cybersecurity, you’re hiring a team of experts whom you assume you can trust. But one such firm allegedly used the trust of its clients to straight-up extort them with made-up “data breaches.”

CNN Money gives us a rundown on Tiversa, a still-operating cybersecurity company that offers up digital security services to other companies. According to a whistleblower who worked there and is now testifying in federal court, Tiversa was running a very simple and clever scam.

http://gizmodo.com/cybersecurity-firms-outrageous-cons-included-fake-hacks-1703120936

      Analysis:

The importance of this story cannot be overstated today in a world where often times security is checked by hiring an outside firm to test it. In the case of Tiversa, the extreme is that they were extorting companies with false data or worse, by hacking firms and then extorting them into buying their services.

It is important to not only vet the companies you are doing business with but also to have security functions within the org that can vet the data being presented as well. If there are any questions on the findings they should be called out and researched to ensure their validity in cases where companies offering these services may not be doing their due diligence.

It is also important for the executive management to understand the importance of the findings presented in these types of assessments as well as the differences between a vulnerability scan and a penetration test. All too often this key difference is not apparent to the C-Suite.

      2.2 What’s the difference between a vulnerability scan, penetration test and a risk analysis?:

You’ve just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?

Don’t get hacked!

An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.

http://www.csoonline.com/article/2921148/network-security/whats-the-difference-between-a-vulnerability-scan-penetration-test-and-a-risk-analysis.html

      Analysis:

The differences between a vulnerability scan and a penetration test are a key point to understand for any organization that wants to secure itself effectively. The above article does a fair job at describing the differences and is a must read for any C-suite or middle manager who has a security function. In turn, this information should be imparted to those in charge so they comprehend the differences and the need for both to secure a company.

Even today after years of having these types of assessments available, often times you will find companies selling what they call ‘penetration tests’ when in fact they are not testing by penetration of exploits at all. On the flip side of this coin, many companies shopping for these services are much more comfortable with just a vulnerability scan without actually exploiting their networks due to the FUD (fear, uncertainty, and doubt) that surround such activities.

If your org is only having vulnerability scans run and not having penetration tests carried out as a real world test of the security of the org, you are only setting yourselves up for an eventual compromise and the fallout that comes with this. Both of these functions are integral to the hygiene of any security program.

      2.3 Criminals stealing money via Starbucks App:

Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.

The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.

That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.

http://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/index.html

      Analysis:

Starbucks, like many other companies today, allows for the connection of bank accounts to honor cards that can be used to pay for services as well as give that user perks when they do use them. As smartphones take on the physical replacement of the honor cards we create a new vector for attacks against the user.

In this case the users’ passwords to the Starbucks application and system may have been weak, but this does not discount other types of attacks against the mobile phones and applications like the Starbucks app itself. In either case, the attack can allow connected cards and bank accounts to be siphoned off rapidly.

It is important to understand that this story can apply to you personally as well as perhaps organizationally if you have honor cards or deal with them. Honor cards specifically attached to bank accounts as well, can be hacked and the personal data as well as the banking data can be stolen.

Additionally, companies should be aware of these situations when applications may have been compromised on phones belonging to users who also have corporate data on them. If an application is compromised, just how much access does it have to the phone’s operating system and thus the user’s data?
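The pattern the article describes (a new card is added, funds are transferred, and the transfer repeats every time the original card auto-reloads) is exactly the kind of behaviour an account-side velocity rule can surface. The following is an added example, not code from this report or from Starbucks: it runs a simple drain-pattern detector over a constructed event log. The account IDs, timestamps, thresholds (three or more transfers, or more than 100 in value, inside ten minutes; any transfer within five minutes of a card being added) and event names are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real account data): (account, ISO timestamp, action, amount).
# acct-001 shows the reload-and-drain loop from the article; acct-002 shows one normal transfer
# shortly after adding a card.
SAMPLE_EVENTS = [
    ("acct-001", "2015-05-13T08:00:00", "login", 0),
    ("acct-001", "2015-05-13T08:01:10", "add_card", 0),
    ("acct-001", "2015-05-13T08:01:40", "transfer", 50),
    ("acct-001", "2015-05-13T08:03:05", "auto_reload", 50),
    ("acct-001", "2015-05-13T08:03:30", "transfer", 50),
    ("acct-001", "2015-05-13T08:05:00", "auto_reload", 50),
    ("acct-001", "2015-05-13T08:05:20", "transfer", 50),
    ("acct-002", "2015-05-13T09:00:00", "login", 0),
    ("acct-002", "2015-05-13T09:02:00", "add_card", 0),
    ("acct-002", "2015-05-13T09:02:30", "transfer", 25),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def drain_alerts(events, window=timedelta(minutes=10), max_transfers=2,
                 max_amount=100.0, new_card_grace=timedelta(minutes=5)):
    """Return {account: [reasons]} for accounts whose transfer behaviour looks like a drain.

    Two hypothetical rules (thresholds are assumptions, tune them to real baselines):
      transfer_velocity     - more than max_transfers transfers, or more than max_amount
                              in value, inside any sliding `window` of transfers
      transfer_to_new_card  - a transfer that follows an add_card within new_card_grace
    """
    by_acct = defaultdict(list)
    for acct, ts, action, amount in events:
        by_acct[acct].append((parse_ts(ts), action, float(amount)))

    alerts = defaultdict(set)
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e[0])
        transfers = [(t, a) for t, act, a in evs if act == "transfer"]
        card_added = [t for t, act, _ in evs if act == "add_card"]
        for i, (t0, _) in enumerate(transfers):
            # sliding window starting at this transfer (transfers are time-sorted)
            in_window = [a for t, a in transfers[i:] if t - t0 < window]
            if len(in_window) > max_transfers or sum(in_window) > max_amount:
                alerts[acct].add("transfer_velocity")
            if any(timedelta(0) <= (t0 - ta) <= new_card_grace for ta in card_added):
                alerts[acct].add("transfer_to_new_card")
    return {acct: sorted(reasons) for acct, reasons in alerts.items()}


if __name__ == "__main__":
    for acct, reasons in drain_alerts(SAMPLE_EVENTS).items():
        print(acct, reasons)
```

The second rule on its own produces noise (acct-002 is flagged for a single, plausibly legitimate transfer), which is why it should feed a step-up check such as re-authentication or a confirmation message rather than an automatic lock; the velocity rule is the higher-confidence signal.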

      2.4 1.1 Million customer records lost to hack on CareFirst:

For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making security upgrades, the company discovered that it had actually already been breached—in June 2014.

1.1 million current and former customers were affected by the hack, and CareFirst has 3.4 million current customers. The company, which offers coverage in Washington D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and social security numbers weren’t affected.

http://www.slate.com/blogs/future_tense/2015/05/21/carefirst_insurance_hack_exposes_1_1_million_customer_records.html

      Analysis:

While this attack has the hallmarks of potentially being nation-state instigated, it is important to note that even with a security program in place, compromises may be missed if the adversary is skilled. On average, according to Mandiant, most orgs are compromised for up to about a year before they are informed by someone else that they had been breached, and this is an important statistic to be mindful of.

It is not clear just how well the Caremark security program runs from the story, nor is it possible for every security team to catch everything, but it does show that without indicators of compromise it can be difficult to spot when a company has been hacked and when data is leaving the network. Thus it is important to consistently strive to have a firm grasp on your network, its traffic, and any possible anomalies that may in fact be indications that you have been compromised and data is being stolen.

Organizations should have mitigations in place such as IDS/IPS as well as robust logging and correlation in tandem with a SIEM product to watch the traffic in and specifically out of the domain to detect and potentially stop an incursion in process.
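The "watch the traffic in and specifically out" advice above is concrete enough to show as logic a SIEM correlation rule would run. The following is an added example, not part of the original report or of any SIEM product: it takes constructed per-host daily outbound byte counts (the kind a proxy or firewall log aggregates to) and raises two kinds of alert, an outbound volume spike against the host's own median baseline, and a large first-time transfer to an address outside the organisation's address space. The host names, addresses, the 10.0.0.0/8 internal range, the 3x spike factor and the 1 MB new-destination threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: the organisation's internal address space. Documentation ranges such as
# 203.0.113.0/24 are treated as external here on purpose, so do not rely on is_private().
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flows (not real traffic): (host, day, destination, bytes_out).
# db-01 has a steady baseline, then on 2014-06-05 pushes 4.8 MB to an address it has never
# talked to before. web-01 is a normally busy host with no change in behaviour.
SAMPLE_FLOWS = [
    ("db-01", "2014-06-01", "10.1.1.5", 200_000),
    ("db-01", "2014-06-02", "10.1.1.5", 210_000),
    ("db-01", "2014-06-03", "10.1.1.5", 190_000),
    ("db-01", "2014-06-04", "10.1.1.5", 205_000),
    ("db-01", "2014-06-05", "10.1.1.5", 200_000),
    ("db-01", "2014-06-05", "203.0.113.77", 4_800_000),
    ("web-01", "2014-06-01", "198.51.100.9", 1_000_000),
    ("web-01", "2014-06-02", "198.51.100.9", 1_000_000),
    ("web-01", "2014-06-03", "198.51.100.9", 1_000_000),
    ("web-01", "2014-06-04", "198.51.100.9", 1_000_000),
    ("web-01", "2014-06-05", "198.51.100.9", 1_100_000),
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_alerts(flows, spike_factor=3.0, min_history=3, new_dst_bytes=1_000_000):
    """Return [(host, day, alert_type, bytes)] for suspicious outbound behaviour.

    egress_spike     - a day's outbound total exceeds spike_factor times the median of the
                       host's previous days (needs at least min_history days of baseline)
    new_external_dst - more than new_dst_bytes sent to an external address the host has not
                       contacted before (skipped on the host's first observed day)
    """
    per_host_day = defaultdict(lambda: defaultdict(int))
    per_host_day_dst = defaultdict(lambda: defaultdict(int))
    for host, day, dst, nbytes in flows:
        per_host_day[host][day] += nbytes
        per_host_day_dst[(host, day)][dst] += nbytes

    alerts = []
    for host, by_day in per_host_day.items():
        history = []      # daily totals seen so far, in date order
        seen_dst = set()  # destinations this host has contacted on earlier days
        for day in sorted(by_day):  # ISO dates sort chronologically
            total = by_day[day]
            if len(history) >= min_history and total > spike_factor * median(history):
                alerts.append((host, day, "egress_spike", total))
            for dst, nbytes in per_host_day_dst[(host, day)].items():
                if history and dst not in seen_dst and not is_internal(dst) and nbytes > new_dst_bytes:
                    alerts.append((host, day, "new_external_dst", nbytes))
                seen_dst.add(dst)
            history.append(total)
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_FLOWS):
        print(alert)
```

A median baseline rather than a mean keeps one earlier anomalous day from inflating the threshold, and the first-seen destination rule is what catches the long-dwell case: a slow exfiltration spread over many days may never spike, but it still has to go somewhere the host did not talk to before.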

      2.5 Stop using painfully obvious security answers:

We all love pizza, but that doesn’t mean you should be using it as a way to keep your data safe online.

In a new research paper, Google staffers found that those pesky security questions which are often used to help users recover passwords are one of the worst ways to protect online accounts. The company studied hundreds of millions of actual question-and-answer combos used by real Google users, and discovered people often choose obvious answers that are easy to remember — but also easy for hackers to guess.

For example, an attacker would have a 20% chance of guessing an English speaker’s answer to the question, “What is your favorite food?” by guessing “pizza” on the first try.

http://time.com/3892793/security-questions-answer/

      Analysis:

This article may be aimed at end users but it should also be aimed squarely at companies that use these types of questions as a means of authentication for their paying clients. These questions and their easy answers are not a feasible security layer today and could lead to compromise not only of end user systems but also corporate networks if they are not using more robust authentication techniques.

This article concludes that it should be taken even further and the questions disallowed altogether, as they are too easy to guess from the start. This is a correct assessment of these kinds of questions. If you or anyone else is using a household pet’s name or a birth date of a child as a password you are already behind the security 8 Ball, because these are easily obtainable bits of information on the internet today for adversaries to find.

A two-factor authentication system today is a better way to secure your network and this usually consists of a user ID, a PIN, and a password. As these systems are more costly many organizations try to avoid them, but they are the best way we have today of securing a network that is accessed by end users remotely.

  3. Malware & Crimeware

      3.1 Hackers sneak malware into job applications:

Hackers are slipping malware into resumes submitted through the job posting website CareerBuilder.com to infect businesses, security researchers have found.

Attackers are browsing open positions and attaching malicious documents disguised with the name “resume.doc” or “cv.doc” to applications, according to the Sunnyvale, Calif.-based security company Proofpoint. The attack sends malware directly to hiring managers and interviewers because CareerBuilder automatically emails job-poster notifications and attachments with resumes when candidates submit applications.

http://www.marketwatch.com/story/hackers-sneak-malware-into-job-applications-2015-05-01?siteid=rss&rss=1

      Analysis:

With the rise in phishing and the attendant rise in awareness on the part of corporations and their employees, the tactics needed to evolve to keep working. While phishing exploits still work pretty well on average, this pivot to sending resumes pre-loaded with malware to specific targets was only a matter of time.

The upshot of this article and this analysis is that even with AV, malware often makes it through the defenses and is activated by internal users. When this happens you may have started the dominoes falling on a larger compromise of the whole network through one infected doc file or PDF.

Companies should take the extra step of having a sandbox technology on top of AV/Spam systems that can be used to open documents and test them for malware before being introduced into the common network environment. As seen with the attack on Target, the criminal elements (i.e. Russian carders) are using similar tactics to advanced persistent threats now and anyone who handles PII/PCI/HIPAA or any other kind of data that can be sold is a target.

      3.2 Mumblehard turns WordPress sites into spambots:

The Mumblehard malware is turning Linux and BSD servers into spam-spewing zombies.

Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace.

Mumblehard is made up of two different components. The first component is a generic backdoor that requests commands from its command and control server. The second component is a “full-featured spammer daemon” process, which is launched via a command received via the backdoor.

http://www.theregister.co.uk/2015/05/01/mumblehard_linux_server_spam_malware/

      Analysis:

Not all hacking attempts are used to compromise networks and not all malware is used to steal data. In the case of Mumblehard, the malware was created and used to turn your system into a slave to be used as a means of making money via spam. This type of attack may seem more a nuisance but it really is a problem especially if the compromise could lead to further compromise of your network down the line.

As WordPress sites have had a track record of vulnerabilities in the past, it is important that if you have WordPress in your environment you keep up with patches and alerts concerning the application security of your sites. Anyone who has WordPress as a working part of their infrastructure, especially if it is internet facing, should be on the distribution lists for patching that WordPress puts out and make it a regular part of the patch cycle.

      3.3 The return of macro malware:

Macro malware, that tried-and-true document-borne attack vector, is back. Over the past few months, Microsoft has seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

The majority of the macro-malware attacks have taken place in the United States and United Kingdom.

Macro malware gets into your PC as a spam email attachment. The user opens the document, enables the macro, thinking that the document needs it to function properly—unknowingly enabling the macro malware to run.

Success of course requires the email recipient to fall for a social engineering technique and open the attachment.

http://www.infosecurity-magazine.com/news/macro-malware-returns-with-a/

      Analysis:

Within the realm of malware and phishing attacks this old malware technique has come back to the fore with a vengeance recently. Relying heavily on the social engineering portion to get the user to open the email first and then to turn on macro support has been successful in many instances.

Once opened, the macro will then contact a download site and install other tools on the compromised system, thus finishing the attack cycle. In many cases these phishing attacks and the files attached are not being detected by AV applications and are thus passed to end users for them to open.

It is important that your organization have a good grasp on awareness for phishing/social engineering attacks and the different means that an attacker will try to get an end user to compromise their system and allow the adversary in. If you are not carrying out awareness on an ongoing and repeated basis it is highly likely that an end user will be the arbiter of a compromise at your org.
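Both the resume/CV story above and the macro-malware item share one technical control the report recommends: look inside Office attachments before they reach a hiring manager's inbox, and route anything that can carry a macro to a sandbox. The following is an added example, not code from this report, Proofpoint or Microsoft: a small attachment triage function that inspects the bytes of a file (OOXML zips for a VBA project part or a macro-enabled content type, the OLE compound-file signature of legacy binary Office formats, and executables wearing a document extension) and returns a deliver/sandbox/block verdict. The verdict names, the helper that builds sample OOXML files, and the file names are assumptions for illustration; a real gateway would add OLE parsing (for example with oletools) for the legacy formats.

```python
import io
import zipfile

# Legacy binary Office formats (.doc/.xls/.ppt) are OLE compound files with this signature.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
DOCUMENT_EXTS = {"doc", "docx", "docm", "dot", "dotm", "rtf", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm"}


def assess_attachment(filename, data):
    """Return (verdict, findings) for one attachment.

    Verdicts (hypothetical policy):
      block    - executable content, or content that does not match the document extension
      sandbox  - anything that can carry a macro: a VBA project part, a macro-enabled
                 content type, a legacy OLE binary, or a zip we could not parse
      deliver  - nothing suspicious found
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []

    if data.startswith(b"MZ"):
        findings.append("pe_executable")
    elif data.startswith(OLE_MAGIC):
        # Macros in the legacy format live in OLE streams; without parsing them, treat as untrusted.
        findings.append("legacy_ole_office")
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append("vba_macro_part")
                if "[Content_Types].xml" in names and b"macroEnabled" in z.read("[Content_Types].xml"):
                    findings.append("macro_enabled_content_type")
        except zipfile.BadZipFile:
            findings.append("corrupt_zip")

    if ext in DOCUMENT_EXTS and "pe_executable" in findings:
        findings.append("extension_mismatch")

    if "pe_executable" in findings or "extension_mismatch" in findings:
        return "block", findings
    if findings:
        return "sandbox", findings
    return "deliver", findings


def build_ooxml(with_macro):
    """Construct a minimal in-memory OOXML document (sample input, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        content_types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            content_types += ('<Override PartName="/word/document.xml" '
                              'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>')
        content_types += "</Types>"
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real VBA project
    return buf.getvalue()


# Constructed samples: the file names echo the lures in the article; the contents are synthetic.
SAMPLE_ATTACHMENTS = [
    ("cv.docm", build_ooxml(with_macro=True)),
    ("resume.docx", build_ooxml(with_macro=False)),
    ("resume.doc", OLE_MAGIC + b"\x00" * 64),
    ("resume.doc", b"MZ" + b"\x00" * 64),
]

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS:
        print(name, assess_attachment(name, blob))
```

The decision is made on content, never on the file name alone: the name "resume.doc" is exactly what the attacker chose, so it carries no signal, whereas the presence of a VBA project part or an OLE signature is a property of the bytes that the sender cannot talk the recipient out of.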

      3.4 New ‘Rombertik’ malware destroys master boot record if analysis function detected:

While detection scanning malware is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.

Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post.

This malware spreads through spam and phishing messages sent to possible victims.

http://www.scmagazine.com/cisco-writes-up-new-malware-campaign/article/413068/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

      Analysis:

While the Rombertik malware has made a splash in the news this month it is not necessarily novel in that it has an MBR (Master Boot Record) deletion routine within it. This type of attack has been around for nearly eighteen years; however, the triggering of this piece of the malware is interesting.

As counter-detection methods go, though, this is an extreme case and as such may not end up being all that common in the long run. However, the fact that this malware had it, and that it was a purchased piece of malware being used by an individual and not a nation state, is important to note.

(please see attribution article below for context of last statement)

http://krebsonsecurity.com/2015/05/malware-evolution-calls-for-actor-attribution/#more-31131

Clearly the bar is being lowered on malware and phishing attacks and organizations should be cognizant of this fact. It does not take a nation state with resources and human assets to carry out an attack on a company that could possibly shut it down with such malware as this on the wrong computers.

      3.5 Malware hidden in TechNet:

In an ironic twist, Microsoft’s TechNet Web site has been used by Chinese hackers to hide malware commands. TechNet is a digital security and support site for IT professionals. Security firm FireEye Threat Intelligence discovered the activity working in collaboration with the Microsoft Threat Intelligence Center.

According to a report by FireEye titled “Hiding in Plain Site: FireEye and Microsoft Discover New Obfuscation Tactic,” the activity was the handiwork of Chinese hacker group APT17. The group, also known as Deputy Dog, has been actively attacking organizations including U.S. government entities, defense industry companies, law and IT firms, NGOs, and mining companies, since at least 2013.

http://www.sci-tech-today.com/news/Hackers-Hid-Malware-on-MS-TechNet/story.xhtml?story_id=032003KNHI00

      Analysis:

While this article shows that the nation-state hackers had been using Microsoft’s own TechNet site as a means of command and control, it is important to understand that this can happen with any site. Small changes within code can be used to trigger malware to carry out actions, and they can also be the arbiter of a drive-by attack on users’ systems.

Given that the bar to access is being lowered as code can be bought and more savvy adversaries (both nation state and criminal) are getting in on the game, organizations should pay more attention to telemetry. As mentioned earlier in this document, the use of technologies to monitor traffic and their destinations should be a key part of any security program today.

  4. Advisories

      4.1 [SECURITY] [DSA 3250-1] wordpress security update:

Multiple security issues have been discovered in WordPress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.

https://lists.debian.org/debian-security-announce/2015/msg00138.html

      Analysis:

These attacks are key to many of the kinds of attacks that are mentioned throughout this report. It is important to keep up with the patching for any WordPress site in your DMZ, and these sites should be monitored for activities that may show indicators of compromise.

In the case of this advisory, the attacks could be the first step in an internal compromise of the back end as well and as such could lead to a major breach.

      4.2 Apple Safari Multiple WebKit Bugs Let Remote Users Execute Arbitrary Code, Access Files, and Spoof Interface Elements:

Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof user interface elements.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in WebKit and execute arbitrary code on the target system [CVE-2015-1152, CVE-2015-1153, CVE-2015-1154]. The code will run with the privileges of the target user.

http://www.securitytracker.com/id/1032270


      Analysis:

While Macs and OS X have a history of seeming to be less prone to vulnerabilities, the reality is that OS X, like any system that is popular, will be attacked to gain access to people’s systems. In the case of this vulnerability, the main browser (Safari) is the weak point and may lead to drive-by attacks on users’ systems.

It is important that any org that has a complement of Mac systems also be up to date on the patches and vulnerabilities to this platform and not consider it more secure because of the perceptions that Mac would like people to have about their products.

      4.3 Microsoft Silverlight Permission Error Lets Local and Remote Users Gain Elevated Privileges:

A local or remote user can obtain elevated privileges on the target system.

Silverlight does not properly allow applications intended to run at a low integrity level (e.g., very limited permissions) to be executed at a medium integrity level (e.g., permissions of the current user) or a higher integrity level.

A remote user can create a specially crafted Silverlight application that, when executed by the target user, will execute arbitrary code on the target system with the privileges of the target user instead of with limited privileges.

http://www.securitytracker.com/id/1032298

      Analysis:

While Silverlight is a defunct language today it is still used by many organizations. This vulnerability may be mitigated by end users not having escalated privileges on the system that is attacked. However, there are still places where people have administrative privileges on systems and where this type of attack can cause root compromise of the system.

It is important to be aware of the use of Silverlight in your organization and to understand the vulnerability matrix where a compromise to this might lead within an org.

      1. Apache Cordova vulnerability leaves Android apps wide open to hackers:

Security Researchers at Trend Micro have discovered a “major” vulnerability in the Apache Cordova app framework that leaves one in 20 Android apps open to hackers.

Apache Cordova, which is used in 5.6 percent of Android applications, is a toolkit of APIs used by mobile app developers to access native device functions, including cameras and accelerometer, from JavaScript.

http://www.theinquirer.net/inquirer/news/2410650/apache-cordova-vulnerability-leaves-android-apps-wide-open-to-hackers

      1. Analysis:

While this 5.6 percent figure may seem small, this is an important vulnerability, as are many others, if you are using Android systems within your BYOD program. Without the right mitigations (sandbox/separate identities/systems) on a phone today, a compromised smartphone could potentially lead to the compromise of a network as well.

Application hacks could lead to compromise of the OS itself, as well as of any applications you may have on the phone (e.g., TouchDown and others) that facilitate access to your internal network or mail systems.

      1. Logjam Vulnerability: 5 Key Issues:

While the “Logjam” vulnerability raises serious concerns, there’s no need to rush related patches into place, according to several information security experts.

These pros have been helping organizations understand how best to react to the announcement this week that a team of computer scientists have discovered a 20-year-old flaw in Transport Layer Security (see Massive ‘Logjam’ Flaw Discovered). And given the age of the flaw and absence – so far – of publicly documented exploits, experts say organizations do not need to rush related fixes into place.

http://www.bankinfosecurity.com/logjam-vulnerability-x-facts-a-8249/op-1

      1. Analysis:

With the advent of vulnerabilities that seem to have their own marketing campaigns attached, it is as important as ever to understand the vulnerabilities as well as their risk. In the case of Logjam, there was a lot of media attention, but the reality is that it is not the end of the world.

The vulnerability is twenty years old, and the fact that it has not previously been seen in the wild suggests that it is not something that will show up in the wild soon. It is important to patch for it, and to manage encryption methods as a standard practice with or without this vulnerability.

  1. Directed Threat Data & Metrics

      1. Analysis:

      2. TITLE:


Word doc for you to download and edit for your own use is here

Written by Krypt3ia

2015/06/01 at 19:02