Back when the Russian hacking revelations started around the DNC hack, people started to ask questions about Trump’s connections to Russia. Personally, for me one of the more spooky connections was in fact Paul Manafort. His connections to Russia come from his connections to Ukraine and Viktor F. Yanukovych. Of course I had heard about Manafort before he had become the campaign chairman for Trump, so once he was installed I had to wonder about those ties to Ukraine and its leader, who fled to Russia because he is Putin’s boy. What flashed in my head though when this all started was the fact that some documents had come to light about Manafort’s access to monies by proxy of Yanukovych (and being paid about 12 million dollars for his services there), which as it turns out, once his (Yanukovych’s) files were searched, a slush fund was found and the fact that Manafort had access to that slush fund as well.
Fast forward to today and now we have leaks talking about a “number” of Trump acolytes talking consistently with Russian intelligence officers and Manafort making the comment that “How should I know if they are Russian intelligence? It is not like they wear badges!” Well Paul, it seems that maybe you should just have assumed they all were, because you were working for Yanukovych in Ukraine during the last days before he fled to Russia, an unstable place because Russian intelligence and the army have made it so. See, the whole point of Putin’s plan is to destabilize Ukraine and take it over. So yeah, you were surrounded by Russian officers, man. So Manafort was there, working with the Putin puppet, and he claims he had no knowledge of Russian intelligence being close to him… Right. Who knows what kompromat they have on you, and since you were placed at the right hand of Trump for this election (until the heat came on over your ties) you were perfectly placed to run Trump and his minions as a de facto case agent.
Then today I am trawling the Darknet, as is my wont, when I come across a tantalizing dump about you! On February 8th on a darknet site to be named later, Anons have given us a taste of their hacking of your daughter, it seems. From the look of the data presented, they owned her phone and they owned some other SQL system with data as well. (pics below) In the dump there are allegations of someone using a mail.ru address and a mail.pravda@icloud email address sending messages to your daughter about your misdeeds in Ukraine. Allegations of monies being taken and things like that. I have looked at these and for what it’s worth these look to be potentially real, but there isn’t much else to go on than some screen captures and then there is the SQLi dbase. In the screen captures though, we can see your daughter responding to all the allegations on the iPhone, and then we can see in the dbase dump phone numbers for her and others as well as an email address.
I have withheld the images with the phone numbers in full for obvious reasons but to those who dumped this, I would like to see more if you have it that can prove that these are bona fide dumps. I also contacted someone who has hacked the Ukraine government in the past and asked if they had had any additional data in their dumps concerning Manafort and I am waiting on more. It would be interesting if more dox showed up connecting Manafort to the FSB in Ukraine huh?
Well I would be interested….
PS: since the kerfuffle with Politico (who just copies shit), as a bona fide, check my next post on this debacle, which has more interesting tidbits.
Sit down kids and let me unfold to you all how idiotic I think you all are. As someone who has been doing research lo these 15 years that we have been in the GWOT, I have to just say my piece concerning your so called “war on Isis.” The short and simple get-off-my-lawn statement is you have no idea what you are doing. The longer, more thoughtful commentary will follow shortly.
Honestly, you all mean well I am sure, and I am also sure that many are in it not for the moral faggery but more so the attention seeking narcissism that fuels all of your breathless narratives given to any and all hack reporters that will listen and then fill in the blanks per their own clickbaity needs. In either motivation you all are doing a poor job at trying to prosecute a so called war with horrible OSINT and a plan that only annoys the da’eshbags more than stops them communicating.
A great Twitter war of Whack-A-Mole is pointless, and in reality the government and Twitter have only shut down accounts that were not only confirmed to be spewing da’eshbag materials but also were real players. The blanket, drift-net-like approach that you all have taken, capturing not only some real accounts but also others who are just innocent Muslims, Iranians, Palestinians, etc., does nothing for any cause save your own attention seeking. Pay attention! Twitter is not using your data. The government is not using your data! Your data is bad and you are an impediment, not great warriors in the greater battle against radical jihad.
Either work smarter or stop.
I have sat in on your pirate and other “pads” and even given you direct information that some of the people you have targeted have nothing whatsoever to do with jihad. You all never seem to listen, so I stopped. I am sure nothing I say here will matter either, really, so you will continue to go on and be a hindrance while making the headlines. Frankly the hardest thing for me lately is to be tagged together in reports on your little war with the story of my locating the dark net site recently that was a feed of da’esh propaganda. I really want nothing to do with you, but the media, though I block them, still cannot seem to get their shit straight and report on what is really important over the lede of ERMEGERD ANONYMOUS WILL WAGE WAR ON DA’ESH!
Let me just give you the same cautionary that I gave you on OpCartel…
You aren’t ready for this kind of real warfare. If da’esh finds out who any of you are and they are able to, they will kill you. Maybe even behead you for the camera because they too need the media cycles to pimp their ideas and propaganda.
It’s that simple.
Work smarter or leave the battlefield.
Today I found myself looking at a tweet from my stream and saying just that. The tweet was posting a paper that had been written by another person on my feed who works for Kaspersky. The paper that it linked to was on how the threat intelligence companies out there needed to grow up a bit and learn that not only might they not be doing a service for their clients with their work, but also that nation states whose malware they are actively reporting on and stopping seem to be unhappy with them.
Stunning I know….
So there I was mouthing the words “Well duh” and I thought maybe I should write something about this. Welp, here is what I have to say to this revelatory pdf…
“When you play spy games with real spies you often end up getting dead”
Should it be a surprise that malware researchers might in fact raise the ire of those nation state actors who they are thwarting or calling attention to? If you had to think about that one and you are a threat researcher you might want to re-consider your career choice. Espionage has truly moved into the digital age and yes, you guys are the new front lines so plan accordingly. You dear researcher are now a target in the ongoing war that is being waged by the nation states of the world and some of them would not think twice about whacking you creatively and folding your dead body up in a gym bag.
Other issues in the paper and a subsequent article in an online news outlet raise the question of where all this threat intelligence is going. Are the private corporations now becoming organs of the state by doing this kind of work? Are these orgs that report primarily on APT activities (I can think of more than a few names off the top of my head, CROWDSTRIKE/MANDIFIREYE, that pretty much just trade on that shit) doing anyone a service in really preventing attacks or, more to the point, educating the companies that they serve on the threats and how to detect and deter them?
In a word… No.
While APT actors are all the sexy and they make the news cycle the marketer’s friend, so far in my estimation many of these TI companies aren’t doing dick for the companies out there that hire them. Sure they have feeds and they have really really cool code names, but really, at the end of the day just how much of that applies to the average corp? Not much really. So yes, there is too much of a focus on APT, and now these companies and researchers are beginning to realize that they are targets, up to and including perhaps attacks both physical and other to discredit if not hurt them.
Welcome to the ‘Great Game’ kids! Remember though, you ain’t James Bond and no, that is not Pussy Galore in your bed.
Meanwhile might I point you all in the direction of 大鸦 / The Raven, who recently was reported to have had a sudden case of death. He had no autopsy because he was hastily cremated, and some mystery surrounds why he died and how. Why, you ask, is this important? Well, let me tell you a story about a guy who poked his dick in the eye of not only China but the DPRK and jihadis since the late 90’s. Vlad was a known quantity and I used to use his site back in the day too. Now he is just gone. A report came out in a certain portal of his demise and leaked information that Vlad had in fact been the guy who helped finger the 4 PLA players that the US put on their most wanted list.
Are you seeing my drift here?
The story on the street is that Raven met up with an unnatural death because he had been a player. Frankly my bet would be on DPRK for a whacking because Un is just that crazy but given that there is no news out there on this and the only report comes from a portal, I am going to lend this some more credence even with the source which I don’t like.
Oh and Vlad.. If you are about lemme know and let’s get that cleared up… Cuz I would rip the source a new one *wink wink nudge nudge*
Anyway kids all of you today who are in this line of business (threat intelligence) have to consider that you are targets. Maybe someday you will go on a trip somewhere and some strange will come your way at the hotel. Next thing ya know you are being blackmailed or your shit is being copied while you shower. In extreme cases you could end up like this guy who now it is alleged got whacked because he learned about some SVR moles in GCHQ. Of course this guy worked for GCHQ but hey if your company is now liaising all the time with the NSA how far removed are you?
Keep your wits about you.
PS… the mail man always rings once then fires an uzi.
I stand corrected
GLOBAL Threat Intelligence Report – May 2015
In the month of May 2015 we saw the advent of “stunt hacking” with the claims of one researcher being able to hack a plane’s engines while in flight. While this event was the talk of all the media the real point of the thing was that nothing is secure, not planes, not trains, not automobiles, and certainly not your networks.
The common factor here is that security is an ongoing process that never stops. It is not a static thing and must always be perpetually worked on to hopefully prevent a breach or, more than likely, to detect one that is or has happened and to react to it properly. The following document covers some of the events in the security sphere that took place in May and are commented on to give direction as to their importance in the scheme of things.
Please use this document as a means to an end to enlighten yourselves on the current threatscape out there and as a guide to a process with which you can grow your own practice to a maturity where this information cycle becomes your own.
Tiversa accused of hacking clients to extort them:
When you hire a firm to take care of your cybersecurity, you’re hiring a team of experts whom you assume you can trust. But one such firm allegedly used the trust of its clients to straight-up extort them with made-up “data breaches.”
CNN Money gives us a rundown on Tiversa, a still-operating cybersecurity company that offers up digital security services to other companies. According to a whistleblower who worked there and is now testifying in federal court, Tiversa was running a very simple and clever scam.
The importance of this story cannot be overstated today in a world where often times security is checked by hiring an outside firm to test it. In the case of Tiversa, the extreme is that they were extorting companies with false data or worse, by hacking firms and then extorting them into buying their services.
It is important not only to vet the companies you are doing business with but also to have security functions within the org that can vet the data being presented as well. If there are any questions on the findings, they should be called out and researched to ensure their validity, in cases where companies offering these services may not be doing their due diligence.
It is also important for the executive management to understand the importance of the findings presented in these types of assessments as well as the differences between a vulnerability scan and a penetration test. All too often this key difference is not apparent to the C-Suite.
What’s the difference between a vulnerability scan, penetration test and a risk analysis?:
You’ve just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?
Don’t get hacked!
An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.
The difference between a vulnerability scan and a penetration test is a key point for any organization to understand in order to secure itself effectively. The above article does a fair job of describing the differences and is a must read for any C-suite or middle manager who has a security function. In turn, this information should be imparted to those in charge so they comprehend the differences and the need for both to secure a company.
Even today, after years of having these types of assessments available, you will often find companies selling what they call ‘penetration tests’ when in fact they are not testing by exploitation at all. On the flip side of this coin, many companies shopping for these services are much more comfortable with just a vulnerability scan, without actually exploiting their networks, due to the FUD (fear, uncertainty, and doubt) that surrounds such activities.
If your org is only having vulnerability scans run and not having penetration tests carried out as a real world test of the security of the org, you are only setting yourselves up for an eventual compromise and the fallout that comes with it. Both of these functions are integral to the hygiene of any security program.
Criminals stealing money via Starbucks App:
Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.
The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.
Starbucks, like many other companies today, allows for the connection of bank accounts to honor cards that can be used to pay for services as well as give the user perks when they use them. As smartphones physically replace the honor cards, we create a new vector for attacks against the user.
In this case the users’ passwords to the Starbucks application and system may have been weak, but this does not discount other types of attacks against the mobile phones and the applications like the Starbucks app itself. In either case, the attack can allow connected cards and bank accounts to be siphoned off rapidly.
It is important to understand that this story can apply to you personally as well as perhaps organizationally if you have honor cards or deal with them. Honor cards specifically attached to bank accounts as well, can be hacked and the personal data as well as the banking data can be stolen.
Additionally, companies should be aware of these situations when potential applications have been compromised on users who may also have corporate data on phones as well. If an application is compromised, just how much access does it have to the phone’s operating system and thus the users data?
1.1 Million customer records lost to hack on CareFirst:
For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making security upgrades, the company discovered that it had actually already been breached—in June 2014.
1.1 million current and former customers were affected by the hack, and CareFirst has 3.4 million current customers. The company, which offers coverage in Washington D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and social security numbers weren’t affected.
While this attack has the hallmarks of potentially being nation state instigated, it is important to note that even with a security program in place, compromises may be missed if the adversary is skilled. On average, according to Mandiant, most orgs are compromised for up to about a year before they are usually informed by someone else that they have been breached, and this is an important statistic to be mindful of.
It is not clear from the story just how well the CareFirst security program runs, nor is it possible for every security team to catch everything, but it does show that without indicators of compromise it can be difficult to spot when a company has been hacked and when data is leaving the network. Thus it is important to consistently strive to have a firm grasp on your network, its traffic, and any possible anomalies that may in fact be indications that you have been compromised and data is being stolen.
Organizations should have mitigations in place such as IDS/IPS as well as robust logging and correlation in tandem with a SIEM product to watch the traffic in and specifically out of the domain to detect and potentially stop an incursion in process.
Stop using painfully obvious security answers:
We all love pizza, but that doesn’t mean you should be using it as a way to keep your data safe online.
In a new research paper, Google staffers found that those pesky security questions which are often used to help users recover passwords are one of the worst ways to protect online accounts. The company studied hundreds of millions of actual question-and-answer combos used by real Google users, and discovered people often choose obvious answers that are easy to remember — but also easy for hackers to guess.
For example, an attacker would have a 20% chance of guessing an English speaker’s answer to the question, “What is your favorite food?” by guessing “pizza” on the first try.
This article may be aimed at end users, but it should also be aimed squarely at companies that use these types of questions as a means of authentication for their paying clients. These questions and their easy answers are not a feasible security layer today and could lead to compromise not only of end user systems but also corporate networks if they are not using more robust authentication techniques.
This article concludes that it should be taken even further, to disallow the questions from being asked at all, as they are too easy to guess from the start. This is a correct assessment of these kinds of questions. If you or anyone else is using a household pet’s name or a birth date of a child as a password, you are already behind the security eight ball, because these are easily obtainable bits of information on the internet today for adversaries to find.
A two-factor authentication system today is a better way to secure your network, and this usually consists of a user ID, a PIN, and a password. As these systems are more costly many organizations try to avoid them, but they are the best way we have today of securing a network that is accessed by end users remotely.
Hackers sneak malware into job applications:
Hackers are slipping malware into resumes submitted through the job posting website CareerBuilder.com to infect businesses, security researchers have found.
Attackers are browsing open positions and attaching malicious documents disguised with the name “resume.doc” or “cv.doc” to applications, according to the Sunnyvale, Calif.-based security company Proofpoint. The attack sends malware directly to hiring managers and interviewers because CareerBuilder automatically emails job-poster notifications and attachments with resumes when candidates submit applications.
With the rise in phishing and the attendant rise in awareness on the part of corporations and their employees, the tactics needed to evolve to keep working. While phishing exploits still work pretty well on average, this pivot to sending resumes pre-loaded with malware to specific targets was only a matter of time.
The upshot of this article and this analysis is that even with AV, malware often makes it through the defenses and is activated by internal users. When this happens you may have started the dominoes falling on a larger compromise of the whole network through one infected doc file or pdf.
Companies should take the extra step of having a sandbox technology on top of AV/Spam systems that can be used to open documents and test them for malware before being introduced into the common network environment. As seen with the attack on Target, the criminal elements (i.e. Russian carders) are using similar tactics to advanced persistent threats now and anyone who handles PII/PCI/HIPAA or any other kind of data that can be sold is a target.
Mumblehard turns WordPress sites into spambots:
The Mumblehard malware is turning Linux and BSD servers into spam-spewing zombies.
Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace.
Mumblehard is made up of two different components. The first component is a generic backdoor that requests commands from its command and control server. The second component is a “full-featured spammer daemon” process, which is launched via a command received via the backdoor.
Not all hacking attempts are used to compromise networks and not all malware is used to steal data. In the case of Mumblehard, the malware was created and used to turn your system into a slave to be used as a means of making money via spam. This type of attack may seem more a nuisance but it really is a problem especially if the compromise could lead to further compromise of your network down the line.
As WordPress sites have had a track record of vulnerabilities in the past, it is important that if you have WordPress in your environment you keep up with patches and alerts concerning the application security of your sites. Anyone who has WordPress as a working part of their infrastructure, especially if it is internet facing, should be on the distribution lists for patching that WordPress puts out, and it should be a regular part of the patch cycle.
The return of macro malware:
Macro malware, that tried-and-true document-borne attack vector, is back. Over the past few months, Microsoft has seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.
The majority of the macro-malware attacks have taken place in the United States and United Kingdom.
Macro malware gets into your PC as a spam email attachment. The user opens the document, enables the macro, thinking that the document needs it to function properly—unknowingly enabling the macro malware to run.
Success of course requires the email recipient to fall for a social engineering technique and open the attachment.
Within the realm of malware and phishing attacks, this old malware attack has come back to the fore with a vengeance recently. Relying heavily on the social engineering portion to get the user to open the email first and then to turn on macro support has been partially successful in many instances.
Once opened, the macro will contact a download site and install other tools on the compromised system, thus finishing the attack cycle. In many cases these phishing attacks and the files attached are not being seen by AV applications and are thus passed to end users for them to open.
It is important that your organization have a good grasp on awareness for phishing/social engineering attacks and the different means an attacker will use to get an end user to compromise their system and allow the adversary in. If you are not carrying out awareness on an ongoing and repeated basis, it is highly likely that an end user will be the arbiter of a compromise at your org.
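The sandbox-before-delivery advice in the resume story and the macro story above both come down to triaging Office attachments at the mail gateway before a user can click “Enable Content.” The following is an added example (not code from the report or from Proofpoint/Microsoft) that checks an attachment’s real container type against its extension and looks for a VBA project inside OOXML; the sample files, the verdict names and the `build_ooxml` helper are constructed for this illustration.

```python
"""Mail-gateway triage of Office attachments for macro content (added example).

Constructed samples: build_ooxml() assembles a minimal OOXML zip in memory;
the filenames "resume.doc" / "cv.doc" echo the lure names from the
CareerBuilder story. Verdict strings are this example's own convention.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) is a zip
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
LEGACY_EXT = {"doc", "xls", "ppt"}
OOXML_EXT = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def triage_attachment(filename, data):
    """Classify one attachment as 'allow', 'quarantine' or 'sandbox'.

    quarantine: a VBA project (or a macroEnabled declaration) was found, or the
                extension does not match the content; hold for analyst review.
    sandbox:    cannot be cleared statically (legacy OLE2, RTF, unknown);
                detonate in the sandbox the report recommends before delivery.
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    reasons = []

    if data.startswith(OLE2_MAGIC):
        # Macro streams in legacy binary Office files live inside the OLE
        # compound file; a magic-byte check alone cannot rule them out.
        reasons.append("legacy OLE2 container; VBA streams cannot be excluded statically")
        if ext in OOXML_EXT:
            reasons.append("extension claims OOXML but content is OLE2")
        return "sandbox", reasons

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                content_types = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                                 if "[Content_Types].xml" in names else "")
        except zipfile.BadZipFile:
            return "sandbox", ["zip signature but archive does not parse"]
        for part in VBA_PARTS:
            if part in names:
                reasons.append(f"VBA project present: {part}")
        if "macroEnabled" in content_types:
            reasons.append("[Content_Types].xml declares a macroEnabled document")
        if ext in LEGACY_EXT:
            # Office opens OOXML regardless of extension; a .doc name on OOXML
            # content is a cheap way to make a macro document look ordinary.
            reasons.append("legacy extension on OOXML content")
        return ("quarantine", reasons) if reasons else ("allow", ["OOXML without VBA project"])

    if data.lstrip().startswith(b"{\\rtf"):
        return "sandbox", ["RTF content can embed OLE objects"]
    return "sandbox", ["unrecognised container"]


def build_ooxml(with_vba):
    """Construct a minimal OOXML zip in memory (sample data for this example only)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("resume.doc", build_ooxml(True)),
               ("cv.docx", build_ooxml(False)),
               ("resume.doc", OLE2_MAGIC + b"\x00" * 504)]
    for name, blob in samples:
        verdict, why = triage_attachment(name, blob)
        print(f"{name}: {verdict} ({'; '.join(why)})")
```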
New ‘Rombertik’ malware destroys master boot record if analysis function detected:
While detection scanning malware is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.
Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post.
This malware spreads through spam and phishing messages sent to possible victims.
While the Rombertik malware has made a splash in the news this month, it is not necessarily novel in that it has an MBR (Master Boot Record) deletion routine within it. This type of attack has been around for nearly eighteen years; however, the triggering of this piece of the malware is interesting.
As counter-detection methods go, though, this is an extreme case and as such may not end up being all that common in the long run. However, the fact that this malware had it, and that it was a purchased piece of malware being used by an individual and not a nation state, is important to note.
(please see attribution article below for context of last statement)
Clearly the bar is being lowered on malware and phishing attacks, and organizations should be cognizant of this fact. It does not take a nation state with resources and human assets to carry out an attack on a company that could possibly shut it down with malware such as this on the wrong computers.
Malware hidden in TechNet:
In an ironic twist, Microsoft’s TechNet Web site has been used by Chinese hackers to hide malware commands. TechNet is a digital security and support site for IT professionals. Security firm FireEye Threat Intelligence discovered the activity working in collaboration with the Microsoft Threat Intelligence Center.
According to a report by FireEye titled “Hiding in Plain Site: FireEye and Microsoft Discover New Obfuscation Tactic,” the activity was the handiwork of Chinese hacker group APT17. The group, also known as Deputy Dog, has been actively attacking organizations including U.S. government entities, defense industry companies, law and IT firms, NGOs, and mining companies, since at least 2013.
While this article shows that the nation state hackers had been using Microsoft’s own TechNet site as a means of command and control, it is important to understand that this can happen with any site. Small changes within the code of a page can be used to trigger malware to carry out actions, and they can also be the arbiter of a drive-by attack on users’ systems.
Given that the bar to access is being lowered as code can be bought and more savvy adversaries (both nation state and criminal) are getting in on the game, organizations should pay more attention to telemetry. As mentioned earlier in this document, the use of technologies to monitor traffic and its destinations should be a key part of any security program today.
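Both the CareFirst commentary (data leaving the network unnoticed) and the telemetry point just made reduce to the same detection question: is a host sending unusual volume to a destination it has never talked to before? The following is an added example, not part of the report, that runs that check over constructed flow records; the log format, the TEST-NET addresses standing in for external hosts, and the thresholds are all assumptions of this illustration.

```python
"""Outbound-volume telemetry check over flow records (added example).

All addresses, timestamps and byte counts below are constructed; 203.0.113.0/24
and 198.51.100.0/24 (TEST-NET ranges) stand in for external hosts. The check
follows the report's advice: watch what leaves the network and alert when a
host pushes unusual volume to a destination absent from its baseline.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MB = 1_000_000
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$")

# Constructed baseline week: ordinary web and mail traffic from two workstations.
BASELINE_LOG = """\
2015-05-04T09:01:10Z src=10.1.4.22 dst=203.0.113.5 dport=443 bytes_out=1200000
2015-05-04T09:05:41Z src=10.1.4.22 dst=198.51.100.10 dport=25 bytes_out=450000
2015-05-05T10:12:03Z src=10.1.9.3 dst=203.0.113.5 dport=443 bytes_out=980000
"""

# Constructed current window: one workstation sends 80 MB to a never-seen host at 02:13.
CURRENT_LOG = """\
2015-05-12T02:13:44Z src=10.1.4.22 dst=198.51.100.77 dport=443 bytes_out=80000000
2015-05-12T09:02:17Z src=10.1.4.22 dst=203.0.113.5 dport=443 bytes_out=1000000
2015-05-12T09:30:00Z src=10.1.4.22 dst=10.1.4.50 dport=445 bytes_out=900000000
2015-05-12T11:47:52Z src=10.1.9.3 dst=203.0.113.5 dport=443 bytes_out=2000
this line is malformed and must be skipped, not crash the collector
"""


def parse_flows(text):
    """Parse key=value flow lines; malformed lines are skipped rather than fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes_out"] = int(rec["bytes_out"])
            flows.append(rec)
    return flows


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_pairs(flows):
    """Yield (src, dst, bytes_out) only for flows that actually leave the network."""
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            yield f["src"], f["dst"], f["bytes_out"]


def build_baseline(flows):
    """Set of (src, dst) pairs already seen talking to the outside."""
    return {(s, d) for s, d, _ in egress_pairs(flows)}


def detect_egress_anomalies(flows, baseline, new_dst_mb=50, per_host_mb=500):
    """Return sorted alert tuples (kind, src, dst, bytes).

    new-destination-volume: >= new_dst_mb sent to a (src, dst) pair absent from baseline.
    host-outbound-volume:   a host's total external egress in the window >= per_host_mb.
    Internal-to-internal traffic (the 900 MB SMB copy above) is deliberately ignored.
    """
    per_pair = defaultdict(int)
    per_host = defaultdict(int)
    for src, dst, n in egress_pairs(flows):
        per_pair[(src, dst)] += n
        per_host[src] += n
    alerts = []
    for (src, dst), n in per_pair.items():
        if (src, dst) not in baseline and n >= new_dst_mb * MB:
            alerts.append(("new-destination-volume", src, dst, n))
    for src, n in per_host.items():
        if n >= per_host_mb * MB:
            alerts.append(("host-outbound-volume", src, "*", n))
    return sorted(alerts)


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_LOG))
    for alert in detect_egress_anomalies(parse_flows(CURRENT_LOG), base):
        print(alert)
```

Real deployments would feed this from NetFlow/proxy exports into the SIEM and tune the thresholds per host role; the structure (baseline of known pairs, volume per new pair, volume per host) is what matters.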
[SECURITY] [DSA 3250-1] wordpress security update:
Multiple security issues have been discovered in WordPress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.
These attacks are key to many of the kinds of attacks that are mentioned throughout this report. It is important to keep up with the patching for any WordPress site in your DMZ, and these sites should be monitored for activities that may show indicators of compromise.
In the case of this advisory, the attacks could be the first step in an internal compromise of the back end as well, and as such could lead to a major breach.
Apple Safari Multiple WebKit Bugs Let Remote Users Execute Arbitrary Code, Access Files, and Spoof Interface Elements :
Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof user interface elements.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in WebKit and execute arbitrary code on the target system [CVE-2015-1152, CVE-2015-1153, CVE-2015-1154]. The code will run with the privileges of the target user.
While Macs and OS X have a history of seeming to be less prone to vulnerabilities, the reality is that OS X, like any system that is popular, will be attacked to gain access to people’s systems. In the case of this vulnerability, the main browser (Safari) is the weak point and may lead to drive-by attacks on users’ systems.
It is important that any org that has a complement of Mac systems also be up to date on the patches and vulnerabilities to this platform and not consider it more secure because of the perceptions that Mac would like people to have about their products.
Microsoft Silverlight Permission Error Lets Local and Remote Users Gain Elevated Privileges:
A local or remote user can obtain elevated privileges on the target system.
Silverlight does not properly allow applications intended to run at a low integrity level (e.g., very limited permissions) to be executed at a medium integrity level (e.g., permissions of the current user) or a higher integrity level.
A remote user can create a specially crafted Silverlight application that, when executed by the target user, will execute arbitrary code on the target system with the privileges of the target user instead of with limited privileges.
While Silverlight is a defunct framework today, it is still used by many organizations. This vulnerability may be mitigated by end users not having escalated privileges on the system that is attacked. However, there are still places where people have administrative privileges on systems, and there this type of attack can cause root compromise of the system.
It is important to be aware of the use of Silverlight in your organization and to understand the vulnerability matrix where a compromise to this might lead within an org.
Apache Cordova vulnerability leaves Android apps wide open to hackers:
Security Researchers at Trend Micro have discovered a “major” vulnerability in the Apache Cordova app framework that leaves one in 20 Android apps open to hackers.
While this 5.6 percent figure may seem small, this is an important vulnerability, as are many others, if you are using Android systems within your BYOD program. Without the right mitigations (sandboxing, separate identities, separate systems) on a phone today, a compromise could reach a network as well as the smartphone.
Application hacks could lead to compromise of the OS itself as well as of any applications you may have on the phone (e.g. TouchDown and others) that facilitate access to your internal network or mail systems.
Logjam Vulnerability: 5 Key Issues:
While the “Logjam” vulnerability raises serious concerns, there’s no need to rush related patches into place, according to several information security experts.
These pros have been helping organizations understand how best to react to the announcement this week that a team of computer scientists have discovered a 20-year-old flaw in Transport Layer Security (see Massive ‘Logjam’ Flaw Discovered). And given the age of the flaw and absence – so far – of publicly documented exploits, experts say organizations do not need to rush related fixes into place.
With the advent of vulnerabilities that seem to have their own marketing campaigns attached, it is as important as ever to understand the vulnerabilities as well as their risk. In the case of Logjam, there was a lot of media attention on it, but the reality is that it is not the end of the world.
The vulnerability is twenty years old, and the fact that it has not been seen exploited in the wild previously indicates that it is not something that will show up in the wild soon. It is important to patch for it, and to manage encryption methods as a standard practice with or without this vulnerability.
Word doc for you to download and edit for your own use is here
On November 25th 2014 Sony acknowledged that they had been hacked. Since then a group calling itself the GOP has been leaking Sony data online, a gig at a time to start and now at a rate of 27 gig in one dump. According to the hackers they have about 111 TB (terabytes) of Sony data that they plan on dumping if Sony does not capitulate to demands they transmitted to the company. It seems that since the dump of the 27 gig of very proprietary data, the case can be made that GOP did not get their way and Sony did not capitulate to whatever their demands may have been. The scope of the data being released shows just how thoroughly owned Sony was, but the whole incident just creates many more questions around how this happened, who did it, why, and where Sony can go next.
GOP (Guardians of Peace)
The GOP or Guardians of Peace alleges that it is a group somewhat like Anonymous that has been working toward human rights and other equality issues, which is kind of vague, but then again their email responses (which seem to have been copied and pasted to numerous media outlets) have been pretty stilted and come off as maybe just a façade for other motives. To date, there is no evidence online of there ever being a GOP other than various groups of online Star Wars gamers who play a group of Jedi Knights with the same nom de guerre. So this looks to be either a “new” group or, perhaps more likely, just a smoke screen for other actor(s) who performed this attack against Sony. An attack that, given the amount of data and some confirmation from the alleged group, took a year to perform.
Note the stylometry that implies a writer/speaker whose first language is not English
It does seem to be the goal of this attacker set, though, to really destroy Sony as much as they possibly can. If you look at the data being dumped and the complete compromise of their collective networking infrastructure, it becomes apparent that this attack will take a lot of time to fix not only on the network side, but also to repair Sony’s finances and reputation. After all, who is going to trust Sony with loans or want to do Hollywood deals when the data of those paying in or making those deals could also be at risk from another attack like this in the future, should Sony not learn from their mistakes?
It remains to be seen just what the alleged GOP is really all about but at this time I am going to say that from what I have seen in emails and actions, their goals never were to get a deal out of Sony. Instead I surmise that they just wanted to hit them and hit them hard for whatever reasons they have personally. As stated in the email above, they have an axe to grind and they claim that they helped disgruntled individual(s) to carry off this hack. Could this be the case? Sure. However, I am not going to say anything is irrefutable in this debacle.
Physical Security & Insider Attacks
GOP claims from the start that they had someone on the inside who got them in and that Sony’s physical security was non-existent. I personally have talked to people who have intimated the same thing about the lack of physical security at the Sony offices in the recent past. It seems to some that, post the other attacks on Sony, the corporation doubled down on tools but not so much on people with the talent to protect the network. While doing this, Sony also just did not think one bit about the physical security needed to protect their computer networks, and thus it was easy for the attackers to carry off this hack.
While malware was inserted into the networks at Sony, I have yet to see a real bit of intelligence on how it got there and when. Was it inserted physically from a USB into an email? Was it a phish from outside? No one will know until Mandiant releases anything, IF that ever happens. Given the nature of all of this and Sony, I suspect we will all be asking questions for a good long time. However, once the systems were compromised, just how was the 111 TB of data exfiltrated from Sony? That is a lot of data to be pushing through a pipe, and if they in fact did this over a year I can see maybe a slower approach, but jeez! Where do you store it all after you get it anyway? Is it distributed at a gig a piece somewhere in the cloud? On personal TB USB drives? Was it in fact carried out that way over a period of time as well, so as to not be seen in netflow? I guess we may never know. In the end though, it seems that Sony got caught with its pants around its ankles where insider threats are concerned, and this has been what others have been saying of late post this attack.
Interestingly, the malware seems to have started a firestorm of theories and accusations (more of which I cover below), but the gist of the tinfoil theories begins with the wiper malware found at Sony. The malware seems to be a variant of the type that a group called DarkSeoul used on South Korean banks last year. This fact does not make it a lock on it being the same actor, though, and this will bear much on the section below as well. However, let’s look at the details we have now. The malware, once inserted into the systems, looses a trojan dropper and downloads more fun for the exploitation to move on.
Malware Analysis Sources:
The last link there shows the malware with the same MD5 listed by the FBI as being the malware found at Sony. It attempts to connect to shares on numerous IP addresses in Japan (see below) at what seems to be a Sony facility.
FBI FLASH for SONY Malware/Wiper
The Japanese hosts as well as the C&C’s listed by FBI
One more C&C not mentioned usually
Two more C&C’s in strings from malwr.com 12/3/2014
“Berlin” user offering proxies in 2012 with one of the C&C’s listed
Latest iteration of the malware sig is beaconing to the following IP in NY
Sony Music Div is in location of the IP’s in Japan seen in Malware hosts
Destover-C variant of the malware wiper (SOPHOS)
Addresses in SOPHOS sample that the malware was looking for shares on in Japan
SNORT SIG: alert tcp $HOME_NET any -> [18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168] any (msg:"ET TROJAN Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:2;)
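As an added example (not part of the original post or of the ET rule set), the following Python emulates the quoted Snort rule over constructed connection records: it pulls the destination list and the threshold out of the rule text and applies the limit/count/track by_src/seconds semantics, so a defender can see which events would alert and which the threshold suppresses. The sample connection records are constructed for illustration, not taken from any real capture.

```python
import re
from collections import defaultdict

# The rule as quoted in the post (straight quotes, as Snort expects).
SNORT_RULE = ('alert tcp $HOME_NET any -> [18.104.22.168,22.214.171.124,126.96.36.199,'
              '188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168] any '
              '(msg:"ET TROJAN Sony Breach Wiper Callout"; flow:established; '
              'threshold:type limit,count 2,track by_src,seconds 300; '
              'classtype:trojan-activity; sid:2019848; rev:2;)')

def parse_rule(rule):
    """Return (set of destination IPs, threshold count, threshold seconds, sid)."""
    dsts = set(re.search(r'->\s*\[([^\]]+)\]', rule).group(1).split(','))
    m = re.search(r'threshold:type limit,count (\d+),track by_src,seconds (\d+)', rule)
    sid = int(re.search(r'sid:(\d+)', rule).group(1))
    return dsts, int(m.group(1)), int(m.group(2)), sid

def evaluate(rule, events):
    """events: iterable of (timestamp_seconds, src_ip, dst_ip, established).
    Returns the (timestamp, src_ip, dst_ip) tuples that would raise an alert.
    'limit' semantics: at most `count` alerts per source in each `seconds` window."""
    dsts, count, seconds, _ = parse_rule(rule)
    window_start = {}
    fired = defaultdict(int)
    alerts = []
    for ts, src, dst, established in sorted(events):
        if not established or dst not in dsts:
            continue  # only established TCP to a listed callout host matches
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src], fired[src] = ts, 0  # open a new window for this source
        if fired[src] < count:
            fired[src] += 1
            alerts.append((ts, src, dst))
    return alerts

# Constructed sample connection records: (time, src, dst, established).
SAMPLE_EVENTS = [
    (0,   "10.0.0.5", "18.104.22.168", True),
    (30,  "10.0.0.5", "22.214.171.124", True),
    (60,  "10.0.0.5", "126.96.36.199", True),   # third hit in window: suppressed
    (90,  "10.0.0.7", "8.8.8.8", True),          # not a listed callout host
    (100, "10.0.0.7", "188.8.131.52", False),    # not established: no match
    (400, "10.0.0.5", "184.108.40.206", True),   # new window: alerts again
]

if __name__ == "__main__":
    for a in evaluate(SNORT_RULE, SAMPLE_EVENTS):
        print("ALERT sid:2019848", *a)
```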
Summary of Data:
Overall the malware attempts to map shares as well as connect to C&C’s in a host of different countries for updates and exfil. Could the Japanese IPs mean that this was the source of this malware in their networks to start? If so, the idea of a Korean language set on the malware might make more sense, as there is a HUGE Korean dissident population in Japan. This too would also make sense if a Korean actor was acting out on what they considered “equal rights” and other beefs with a Japanese conglomerate. Why? Well, one has to know Japanese politics and their issues with Koreans. It is well known that Koreans are considered second-class citizens in Japan, so maybe this is a motivation? Has anyone taken the time to think this one out? Mandiant? Anyone? Helllooooo? Say, you guys do know that Japan is close to South Korea, right? Map anyone?
Ok so anyway, the malware does its thing and the rape and pillage of Sony goes on… Maybe for a year undetected.
Speaking of Koreans… Enter the theories about DPRK and Kim Jong Un. So about a day or two after the Sony breach was in the news I saw the first mention of DPRK as the attacker. Where, might you ask? Well, in VARIETY of all places. This struck me as really, really odd that it would be in Variety you see this, but hey, it’s Hollywood, right? Since then the news media, spurred on by the likes of Re/Code, have been perpetuating the idea that the DPRK tasked its CYBER Army (128) to attack Sony and deal it a death blow! *snerk* This of course came without any real backup data from the hack, no evidence, nothing but suppositions and innuendo. Why would DPRK hack Sony? Well, OBVIOUSLY KJU doesn’t want anyone to see “The Interview”, a movie about two reporters asked to kill KJU. Did I mention that this was a comedy?
Well anyway, now the media has gone FULL GAGA over this and Re/Code has made it even worse with their false reporting from alleged “inside sources” that it was MOST DEFINITELY DPRK!
Nothing other than a language setting on the malware, a malware that has likely been online in places for download since 2013, has been the main attribution point thus far.
HELL SON! THAT’S A SLAM DUNK IN THREAT INTELLIGENCE!
One just has to hang their head here… Or maybe, more to the point, just hit it against the desk until the pain dies down. While one can see KJU doing such a thing because he is “the cray cray”, I doubt that the time frame here for the exfil of 111 TB of data fits. That’s my take on this anyway. I would also like to say that this all lacks some finesse and that DPRK has been learning from China about the cyber wars, so really… Meh.
Lemon-Aide from Cyber Lemons
At the end of the day though, the whole “DPRK DID IT!” thing seems more to me like people just jumping to conclusions over keyboard and language settings, which is pretty ill thought out and full of cognitive bias. I had one creeping thought though since the Variety piece, and that was how well a PR person might think the scenario could be used to pimp a new film. Just go with this for a bit and let it marinate in your brain. If you were a Sony PR guy/girl and you had a horrible hack after DPRK complained about your new movie where you kill the premier, wouldn’t you say “Gee, maybe we could at least use this to get people interested in the film!”
Ponder that. I mean… It’s Hollywood! We have seen some spectacularly bad ideas come out of there more and more over the years! So why not? Make cyber lemon-aide from the hack. Some of you are rolling your eyes I am sure, but hey, it’s just as much a valid theory as the whole “DPRK hacked Sony” dialogue, ain’t it? Let’s see the returns on the film when it gets released after all this hoo-ha, eh?
Time will tell if we ever find out who did this… In the meantime get your popcorn kids!