Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘TRUMP’ Category

Trump Domains Hacked and Shadow Subdomains

leave a comment »

Well now, the worm is turning on our old friend trunip ain’t it? It seems that something I was playing with back last April should have dug deeper I guess because today Mother Jones put up a post on how Donny’s domains had shadow subdomains that all pointed to Russia! Of course in the interim since the post went public two things happened. One, Donny and his people said “We ain’t been hacked! We have the BEST security! Nothing to see here!” and then rather rapidly. some of the domains started to go down and be unreachable on the tubes today! Well, I did some more digging after reading this Mother Jones post and while I was not seeing the same IP addresses used in the stuff that was posted today, the malware I was seeing back in April still had some commonalities to ranges in the same region of the world.

Back in 2014 Trump was hacked and credit cards were stolen by the attackers. It seems though that perhaps it wasn’t only credit cards that were hacked but also a persistence to the network may have occurred as well as access to the Trump domains registrar as well. In the Mother Jones piece they show how sub domains or “shadow” domains had been created with interesting domain names that usually involved random letters. These domains, once you start looking at them show a couple of things. First off, that these domains were all created under the Trump umbrella’s account and second the IP’s that these pointed to resided in Russia. In looking at these domains myself I noted a few other interesting factoids that I will share here for context.

First off, the hackers used the same registrar as Donny did (more likely his minions) using the “Trump General Counsel” moniker as the owner of the domains;

These domains were registered with Godaddy and then pointed to other IP addresses later on. Also, the sample I just pulled randomly show both being created in 2009 on 5/22/2009 to be precise. So the question for me is this, were these created by the trump org themselves as a means of stopping domain squatting or were they owned (Trump networks) earlier than we assumed from the article by Mother Jones? It is kinda of hard for me to think that Trump and his org would have been creating such domains as donaldtrumppyramidscheme.com to prevent squatting. Trump ain’t the sharpest marble on the internets and certainly Barron wasn’t an uber hacker back then right? Curiouser and Curiouser, but maybe they were being overly litigious and decided to take up all the permutations right?

So, looking at the IP addresses that the domains were pointing to also adds some interesting context here…

When the domains were created they sat on Godaddy from 2009 to 2013 when the IP changes. In the case of both of these domains on GoDaddy, the IP has a long storied history of having bad actors attached to it.

…But that is GoDaddy for ya right? They aren’t the cleanest of the orgs out there so meh. However, in 2013 the IP was redirected as Mother Jones showed to another IP; 184.168.221.41 which is also a GoDaddy IP. Now, looking at this IP in VT and in ThreatCrowd, you can see it also has a pretty dirty history as well.

So was the change made by Trump or Godaddy? Or was this change made by the actors in 2013 to a host they owned in Godaddy? Now historically I am not able to see the malware history for the IP or the domain name for 2013, which would be a nice feature for VT and Threatcrowd to offer right? Anyway, the point is not all of the addresses were pointed to the Russian addresses in the Mother Jones piece. Over the whole of the domain space it is likely that the IP’s used by the actors who had access to the Trump registrar account were not only focused on the Russia space as C2’s go. In fact the second sample I pulled also was changed to another GoDaddy IP as well that has some dirty history as well.

So maybe these were moves by the trump org or maybe it was the attackers moving these around per their needs for each campaign? Inasmuch as I can tell many of these domains never had sites attached to them and were in fact just parked domains. However, in the case of donaldtrumprealty.com I see a lot of action moving this around the globe for IP pointers over the years. So what is the deal with that? Looking at the Wayback Machine for this domain shows the following activity over the years.

It’s been parked since inception but that parked page has some redirects and popups to potential scams. What does this all mean? Well, that Trump has not been paying attention to his domains and that what has been laid out is exactly the case. The only thing I can maybe say is that the activities have been going on longer than we are led to believe in the Mother Jones piece from the samples of IP changes I have seen in Domain Tools. If that is the case what else has been going on with Trump domains and perhaps their internal networks?

See, this is the question that the Trump admin will not want to touch with a very long poll but it may also lend credence to the DNS stuff that was happening with the Alpha servers as well. If there was traffic going on that was amiss, and it was perhaps as others suggest, spam traffic, then maybe it was indeed the same actor using their domains and network systems to route traffic and not a secret plot against America huh? We do know that Trump Hotels had been popped back in 2014/2015 as they have admitted it. What we really don’t have any idea of was the level of compromise that occurred and just whether or not they were able to get them out of the network. What I am seeing here is that maybe they did not and in fact the adversaries used them for even more things.. And it may still be going on.

Imagine that kids… Trumps networks owned and he may still be using them for things while in the White House?

*shudder*

Just remember that Ivanka and Jarred were using that secret email server on that personal domain too!

Anyway, there are over 3k domains and I am not spending all that time on all of them to track the IP changes over the years. Others can do all that leg work if they want to. For me, this just shows that there may be much more that has happened with Trump networks and domains than we are aware of. Russian IP space does not imply KGB or GRU access but let’s just spin it this way; We know that the Russians use the criminal hacker groups to do their work as well as the actual operators from KGB and GRU so there is that. If the actors using these shadow domains for malware deployment, they may also have used them for other activities right? Maybe propaganda spam? Other stuff? Who really knows right?

As for the malware involved with the cited IP’s and urls we see .zip files that only are seen by one or two vendors on VT (Kaspersky being the one continually) I am told that the files were in fact not zip files but jar files and java infrastructure to deploy malware. Which malware? Well, no one really knows at the present time that I am ware of. I could not get a sample of the alleged zip files and all the domains were non responsive and not in Wayback Machine to gather so there is that. It could be that these guys were using this infrastructure for Locky or they could have been passing out RAT’s so until we have some solid telemetry and samples it is once again, hard to say what went down. The interesting bit is that most of the RU I space I looked at all had stuff going on last August.

Just in the middle of the election huh?

Hmmmm….

Welp, I am done looking at this for now. You kids have a look and lemme know what you all see. Just remember to ask this one question; “Just how compromised are Donny’s networks today?”

K.

Written by Krypt3ia

2017/11/03 at 15:12

Posted in Malware, TRUMP

GDD53: A Russian Hosted i2p Site That Claims Trump’s Email System Had Ties To Alfabank (Russia)

with 3 comments

screenshot-from-2016-10-08-15-35-46

Recently a page showed up on WordPress (10/5/2016 to be precise) that has an interesting albeit hard to prove claim. The site is named gdd53 and the claim is that Donald Trump’s email systems were set to have a direct connection to servers in Russia for Alfabank, a Russian bank. Alfabank I caught wind of the site when someone asked me to look at an i2p address that they couldn’t figure out and once I began to read the sites claims I thought this would be an interesting post. While the site makes these claims, I cannot, as I don’t see any concrete examples of data other than the screen shots on the site and the assertions of those who put this up. In looking into the facts all I could come up with was some truths to the IP addresses and machine/domain names but nothing really solid on ASN’s being pointed between the Trump email servers and Alfabank nor Spectrum Health as is also claimed.

i2p Site:

However, there are some interesting twists to the page. First off, the i2p address in the WordPress site is wrong from the start. Once I dug around I found that the real address was gdd.i2p.xyz which is actually a site hosted on a server in Moscow on Marosnet. This site in the i2p space was a bit more spartan, however, it had much more data to offer on the whole contention that Donny had a connection to Russia. There is a claim that a NYT reporter asked about this connection and then server changes were made yadda yadda, but why is this on a Russian server? Why i2p? Why is the site gone now? Why was the address only half there on the WordPress site to start?

So many questions…

screenshot-from-2016-10-05-14-30-44i2p site main body text (part)

screenshot-from-2016-10-05-14-38-53Alleged network map of how the system “would” look

screenshot-from-2016-10-05-14-52-53A traffic map that shows alleged history of peaks and troughs in data between the alleged servers

screenshot-from-2016-10-07-15-16-59Maltego of the servers

screenshot-from-2016-10-07-15-30-38Onionscan of the i2p site

screenshot-from-2016-10-07-15-31-02WHOIS of the i2p site

screenshot-from-2016-10-07-15-31-26Only one ping Mr. Vasiliy

screenshot-from-2016-10-07-15-31-42Nmap of the site while it was up

After poking around and doing some historic WHOIS I came to the conclusion that I cannot prove out their claims because really I would need to have access to the server in order to see the direct routes for mail being put in there at the time this was alleged to be happening. I did however in my searches come across some interesting things concerning the company that hosts Donny’s email systems though. Cendyn is the name of the company and in their business history you can see how maybe a connection can be made to Russia at least. Certainly you can begin to see why ol’ Donny boy would use Cendyne as his go to but no smoking gun here.

Cendyne:

As stated above Cendyn hosts the servers for Donny’s email. I looked into Cendyn and the closest thing I can see without doing a real in depth on them is that they do CRM for hotels and that maybe some of the hotels in Russia may use it? No confirmation there though. Mostly though Donny uses Cedndyn for his hotel businesses as well so I guess since this company also does some hosting he had them do this for him. If anyone wants to ask Cendyn for their records perhaps we can get some clarity on this whole thing. I doubt though if asked will they give up logs/configs on the systems in question. I also have to wonder about this whole allegation that a NYT reporter asked about this.

Say, any of you NYT’s people out there care to respond?

screenshot-from-2016-10-08-15-41-55 screenshot-from-2016-10-08-15-42-26

screenshot-from-2016-10-08-15-42-42

At the end of the day, in a week of old dumps of data by Wikileaks and Guccifer2.0, I am unimpressed with this attempt unless someone can come up with something more concrete. One does wonder though just who might be trying this tac to attempt to cause Donny trouble. It seems a half assed attempt at best or perhaps they were not finished with it yet.. But then why the tip off email to someone who then got in touch with me? Someone I spoke to about this alluded to maybe that was the plan, for me to blog about this from the start..

Ehhhh nah I don’t buy that.

However, what has my attention is that this is just one attempt in a sea of attempts to manhandle the US election process. A series of hacks and leaks by Russia (if you believe the DNI) attempting to cause our election cycle to melt down and perhaps let the tiny handed orange Hitler win the election. Jesus fuck what a scary time. I mean sure, I lived through the 80’s and the bad times with Reagan and the nukes but Jesus Fuck all of this is balls out destroy the system by pushing the idiots to the boiling point!

Meanwhile Donny is not preparing for the next debate because it’s “annoying”

BAAAAHAHAHAHAHAA fucking chucklehead.

Interesting times kids…

K.

PS… Feel free to investigate for yourselves and let me know if you find anything interesting!

UPDATES

After posting this yesterday there have been some revelations. First off, someone in my feed put me in touch with the NYT and a reporter has confirmed to me that what the site says about NYT reaching out and asking about the connections, then the connections going bye bye is in fact true.

Ponder that one kids…

So I decided to use my eagle eye and look for another eepsite to pop up and sho-nuff it did yesterday at some point UPDATED with new and fun data! The “Tea Leaves” person(s) have added logs that they allege came from the name servers for Cendyne.

screenshot-from-2016-10-09-08-13-22

screenshot-from-2016-10-09-08-35-31

screenshot-from-2016-10-09-08-35-14

screenshot-from-2016-10-09-08-34-48

These are the key files in the new dump but the problem I have is that they are just text files. Anyone with the know how could re-create these to look legit enough but yet still be questioned. I see no actual login to the shell and queries being run here so really coulda just done a find/replace on another query on any server you have access to.

I have to say it though, these guys are trying to get the word out but in a strange way. I mean this eepsite is now hosted in Czechoslovakia, staying with the Baltic flavor but why not broadcast this more openly? Why does the WordPress site have the wrong address to start and then the other eepsite disappears after a little poking and prodding?

krypt3ia@krypt3ia:~$ whois 46.36.37.82
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the “-B” flag.

% Information related to ‘46.36.32.0 – 46.36.63.255’

% Abuse contact for ‘46.36.32.0 – 46.36.63.255’ is ‘abuse@gtt-as.cz’

inetnum:        46.36.32.0 – 46.36.63.255
netname:        CZ-GTT-20101025
country:        CZ
org:            ORG-Ga241-RIPE
admin-c:        LM1397-RIPE
tech-c:         LM1397-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-GTT
mnt-lower:      MNT-GTT
mnt-routes:     MNT-GTT
created:        2010-10-25T13:24:34Z
last-modified:  2016-05-19T09:42:08Z
source:         RIPE # Filtered

organisation:   ORG-Ga241-RIPE
org-name:       GTT a.s.
org-type:       LIR
address:        Hornatecka 1772/19
address:        180 00
address:        Praha 8
address:        CZECH REPUBLIC
phone:          +420261001179
fax-no:         +420261001188
admin-c:        LM1397-RIPE
abuse-c:        AR14420-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-GTT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-GTT
created:        2010-10-04T15:25:45Z
last-modified:  2016-05-20T10:04:31Z
source:         RIPE # Filtered

person:         Lukas Mesani
phone:          +420-725-793-147
address:        Czech Republic
nic-hdl:        LM1397-RIPE
mnt-by:         MNT-FRODO
created:        2006-06-07T13:57:53Z
last-modified:  2014-02-11T22:58:02Z
source:         RIPE

% Information related to ‘46.36.32.0/19AS51731’

route:          46.36.32.0/19
descr:          GTT-NET
origin:         AS51731
mnt-by:         MNT-GTT
created:        2010-12-09T01:08:59Z
last-modified:  2010-12-09T01:08:59Z
source:         RIPE

The biggest takeaway is that the NYT confirmed that they asked the question and shit happened. They are still looking into it.

Oh Donny shit’s about to get worse in your dumpster fire world.

K.

 

UPDATE TWO OR THREE….

Dear Tea Leaves,

Answer my questions in email sent Monday. Stop muddying the waters with information that cannot be proven.

Yours,

Dr. K.

screenshot-from-2016-10-11-10-59-16

 

screenshot-from-2016-10-11-10-59-26

Above was emailed to me Sunday. I responded and asked specific questions. This comment is useless static.

Written by Krypt3ia

2016/10/08 at 20:27