Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)


From Russia With Love: Hunter Biden Laptop Shenanigans Again


Here we are again. It was inevitable really; these characters just don’t quit with all these shenanigans over the ersatz Hunter Biden laptop. This morning I logged into my cutout account on Telegram and dove into the thick, gooey derp that is the Qanon/Boogaloo/PatriotParty/MAGA leftovers, and came upon a string of posts by “The True Great Awakening”.

This account started dropping more images of images allegedly taken from the Hunter Biden Laptop (henceforth HBLT). The images included things I had not seen before, but I guess I was not looking in the right place, until today that is, to find them. The images were of no forensic value because they were manipulated into pages of images, or collages if you will, and thus the metadata and EXIF data were nil. However, the narrative that was being played up here was of some interest and is a pivot I had not anticipated.

What was being selectively dropped on Telegram was data showing that the Russians were, in fact, running Hunter Biden, and by proxy his father; POTUS is now an asset of Russia.

*blink blink*

Now, I had thought that the main idea within the Q-verse and the spillover into the new “PatriotParty” was that China owned Biden, right? Well, the winds of change are here and now, thanks to a slippery charla… I mean, “character” named Yaacob Apelbaum (yes, yes, eerily close to Jacob Appelbaum of other ill repute), who claims to be the CTO of an AI/facial recognition firm called XRvision.

Apelbaum has a whole blog full of crazy conspiracy theories and alleged dirt that has been spotted in places like the mouth of Matt Gaetz, just post-insurrection, and in the Washington Post. In fact, the whole flap with Gaetz has made the rounds in the news after Matt Binder (NYT) did a little digging with the Google (like five minutes’ worth) and showed that XRvision and the whole drivel that Apelbaum had been spewing was bunkum, which now has Apelbaum screaming about “Cease and Desist”.

I did a bit of digging on XRvision as well as Apelbaum, and the details are rather sketchy; as you can see from the LinkedIn, he says he’s done a lot, but scrutiny of those claims leaves a lot of blank spaces really. Also, the company itself seems to have an inflated sense of importance, and not much can be proven out on the claims that are made. In addition to this, the location of the firm in Singapore is interesting, and the finances that seeded the startup all lead back to Asia and Luxembourg as well. It is the Asian money though that interests me, and some searches on the companies that seeded them could have ties to Chinese money. There is one site that has a picture and article showing XRvision winning some kind of award in China, so, *shrug*

Anyway, yeah, Apelbaum’s blog is chock-full of Qanon crap and in fact seems to have been pimped by Q themselves as well as other cutout accounts on Twitter that have since been banned from the platform. All of this singularity activity makes me wonder just how connected this guy is to the whole Q thing in the first place, as he was posting stuff on his Flickr account in 2008 about child abuse and other strange artworks that show a rather ham-fisted artistic quality.

Hell, this cat even claims that Apelbaum was the CTO of Homeland Security? Which is cleverly mirrored on his LinkedIn but doesn’t really say that outright. He was though, evidently, CTO at Dun & Bradstreet for less than a year…

Hmm….

Well, the HBLT has not seen its end in the Q-verse now with this new retcon of “RUSSIA OWNS POTUS!”, and I am wondering just how much more we will see of this narrative, as well as of the hoked-up images that Apelbaum seems to have a plethora of. I mean, I do not remember a lot of these being out there before, but maybe I was just living under a rock for the last year in particular. The locus here of Apelbaum and so much of the Q/Biden/Mueller/Russia/China disinformation is rather interesting, and one has to wonder where he is getting all this stuff, and why his site, as well as he himself, is being cited in all this alt-right media.

So, gentle readers, buckle up, cuz I expect to see more out of this cat and his blog showing up on Telegram, Gab, ThePatriot.win, and all of the other dark and derpy corners of the internet. It will gurgle up, I am sure, and appear as talking points by the likes of Boebert and Marjorie Taylor Greene on the Senate floor, and we all will want to just hit ourselves in the head with a hammer until the pain diminishes.

Smoke ’em if you got ’em.

K.

Written by Krypt3ia

2021/01/23 at 20:50


Perilous Times


Earlier today I posted a long thread, but I wanted to make a more cogent post for those of you not on Twitter. My tweet thread went something like this…

Militia site proposing and architecting the 4k militia action against the inauguration of Joe Biden and Kamala Harris

The events of January 6th, 2021, were, I fear, just a prelude to an ongoing threat that will culminate in actions against not only the inauguration but also capitols in most of the states across the country. These actions, basically more insurgency and insurrections, will be a turning point for the United States, more so than what has already taken place within the space of four years of Trump’s degradation of the values the Constitution upholds.

What I have been monitoring online, in the open and in places more dank, marks the first time since monitoring Islamic Jihad that I have felt we have finally reached a point where domestic terrorism is the larger threat to the nation than Islamic Jihad and all the various flavors of it there are. Specifically, since 9/11, I have never felt that internal forces could come close to wreaking the devastation that the 19 attackers did on September 11th, 2001. Now though, I am worried that the first skirmish at the Capitol of our Democracy will not be the last, nor will it be the bloodiest.

The forces of the Alt-Right are now, it seems, the totality of the Republican base, and within them is a melange of unstable individuals and groups:

We have the Qanon folks, who are outright paranoid delusional individuals or grifters; mostly, though, they are true believers with mental instability and ideations that lean toward violence when their world view is challenged.

We have the MAGAheads, who also cross-pollinate with the Qanon true believers. These are the people who are just drawn to the strongman in Trump.

We have the ProudBoys, who, well, are much more oriented toward hate and are oftentimes bridges to Neo-Nazism. The Nazis are all over the place too now, in amongst the sheeple that are the MAGAheads and the Qanons, and they are something to really be concerned about.

What is really happening here, as things play out and as is becoming increasingly clear in the Telegram channels for the Nazi/ProudBoy set, is that they are planning on using the MAGAheads and the Qanons as cannon fodder in their own putsch for their own goals. These people have another, more hate-filled agenda, and that is of the kind that you saw in some in the crowd at the events on Capitol Hill. The kind who wear shirts like this and believe that eleven million Jews killed in the Holocaust were not enough.

The net effect, though, is that there are forces at work, in the open at first but now scattering to the darker parts of the internet, actively plotting and planning another series of attacks because they have been empowered to do so by the likes of MAGA and Qanon. This cannon fodder is their diversion to carry out more focused and dangerous attacks like what was attempted at the Capitol. They failed last time, but only just, and now, if they can rally their cannon fodder along with Trump, then they will have another few bites at the apple.

Also, if they succeed, even marginally, then they will be empowered further in recruiting and planning for more later on down the road. All of us should be concerned by this, just as much as you should be concerned about how many of these people of like mind already sit within the government, military, and police forces of the United States.

As the date approaches for the next insurrection, we should all concern ourselves with the idea that Washington DC, and in fact many places in the United States (e.g. capitols, state buildings, federal buildings, as well as corporate buildings), may become the new American Kabul or Palestine, with fighting in the streets by pseudo-guerrilla forces of Trump America. They will plan all their actions in private chat rooms on Gab and Telegram, or create new venues that will likely rely on services from places like Russia, where they will not be deplatformed, because these sites and these forces, plotting and acting out, are a boon to Putin.

As if this all wasn’t bad enough, last night the Joint Chiefs felt moved to put out a statement memorandum admonishing sedition and reiterating that the military is not a political body and that their directive is to protect the Constitution and the people. The fact that they had to say this in this way is a troubling thing, and we all should be concerned about just how many in the military and other forces like the police are in fact believers in Trump and these other doctrines being put out there by Qanon, the Alt-Right, Nazis, and Proudboys.

One of the biggest concerns out there that you all should be aware of is just how much sway someone like Flynn might have on these same people. Also, just how many connections and loyalties he may still have, as he is now the titular leader of Qanon, the public face of Q, a man in the “know” as he was in the IC proper and held a high position.

Here he is before the insurrection at the Capitol, basically pointing at the stadium seats and saying “go for it, I got your back and Q has all the answers, as well as Trump.” This is a dangerous man, who is now free to carry out Trump’s and his own grifter agenda after being pardoned by his master. This man worked as an agent of Turkey, willing to rendition a US citizen to the Turks for money.

We are through the looking glass, people.

Be afraid, because if Trump continues to be a chaotic and psychotic force, whipping these people up, we will be seeing more of this in the coming years. Unless the states that have criminal cases against him act, we will not see the last of Trump. Without him being charged and perhaps incarcerated, he will continue on this path and it seems, attempt to run for high office again.

This will not end well.

Keep your wits about you.

K.

Written by Krypt3ia

2021/01/13 at 12:50


Enemies of The People: An Information Operation


Yesterday, I saw an article on the news wire that had Krebs’ lawyer mention a site (enemiesofthepeople) and decided to do a little looking. Going down the rabbit hole, I used Google Domains to do some searches to see what iterations of the site were already taken and found a list of sites that I began investigating. Once I located the main site, it became clear that the creators had also taken out a bunch of sites to post the same content and were actively putting them online even as I was digging.

The sites are registered all over the place, including non-domain-named sites in Russia and Germany as well as a domain in Singapore and a presence on the darknet. Many of them are behind DoS protection with CloudFlare, and all are hosting the exact same content. The content is in fact the personal details of people that these actors see as “enemies of the state”, including Chris Krebs, Gretchen Whitmer, and others in government (state and federal) whom they deem need to be assassinated.

The site also has a host of social media outlets, including a now-defunct Twitter account and a VK, as well as Gab and, of course, Parler. In taking a more nuanced look at all of the domain data and links, I have come to the conclusion that this is probably an information operation, but the question is, by whom? The domain data is littered with Russian addresses, names, and Yandex email addresses, but nothing in all of this data has shown me a slip-up; instead, this is all deliberate and methodical. A means to an end to make this look, for all intents and purposes, like Russia’s GRU putting this out on the net to cause a stir and to enthuse the Trump/Alt-Right base to talk to each other directly about the “next steps” post SCOTUS denial of the case to overturn the election in favor of Trump. This also tracks with the timing of the postings of these sites, as we JUST heard last night that SCOTUS denied the case in a one-sentence ruling in thirty-four minutes.

Details of Domains:

pcp6uxkzhavhxnwb.onion
pcp6uxkzhavhxnwb.onion.ws —> clearnet gateway to access the onion
enemiesofthenation.com
enemiesofthepeople.mx
enemiesofthepeople.ca —> hosted on monovm VPS/hosting

enemiesofthepeople.us
Subdomains:
cpanel.enemiesofthepeople.us
cpcalendars.enemiesofthepeople.us
cpcontacts.enemiesofthepeople.us
enemiesofthepeople.us
mail.enemiesofthepeople.us
ns1.enemiesofthepeople.us
ns2.enemiesofthepeople.us
webdisk.enemiesofthepeople.us
webmail.enemiesofthepeople.us
http://www.enemiesofthepeople.us

donttouchthegreenbutton.us —> ties to the AZ movement and had its own site on WayBack
enemiesofthepeople.us
donttouchthegreenbutton.net
enemiesofthepeople.org
donttouchthegreenbutton.org

Non-domain-named sites:
2.56.242.22 —> Russia hosting
193.56.255.179 —> Russia hosting

Email addresses:
info@enemiesofthepeople.us
EnemiesOfThePeople@protonmail.com
EnemiesOfThePeople@hotmail.com

Domain contacts:
voychik-7923@yandex.com
ivan0v.pi@yandex.com
onzayt@yandex.com
Kulkov Ei
viladiof@yandex.com

Social media links:
https://vk.com/id628343065
https://twitter.com/Pe0pleThe
https://parler.com/profile/EOTP
https://gab.com/Enemies0fTheNati0n

FULL REPORTING of Domain Data HERE

As I said above, so far the searches I have done show no real mistakes that would lead to the real people behind the sites, and that is going to have to come from the FBI getting warrants on the US entities (the .us domains and the subdomains will likely bear fruit) and tracking how the domains were paid for. Much of the other data gleaned from the email addresses and names listed is pretty much a dead end on a cursory evaluation. Which, once again, leads me to believe that someone really wants you to think that this is Russia, but their tradecraft has been too good so far for me to think that these sites are all the work of the would-be Trump acolytes, who for the most part have shown themselves to not be tacticians.

I have yet to log into the social media sites, but I did look at the VK and it is brand new with no followers I could see. Overall though, this is something I will keep an eye on to see what develops and will report what I see when I see it.

For now though, the information operation is afoot, and, from what I have seen in chatter elsewhere, this will be a moth-to-the-flame kind of thing for the more idiotic of the Trumplings. Here’s hoping that they all get rounded up for plotting assassinations and captures like the idiots who went after Whitmer a while back.

K.

Post Script:

They also just added a jpg file of an alleged “SECRET” memo, ostensibly written and signed by Krebs, stating that there was a hack on the election systems from Dominion. This is a pretty bad attempt, and because they did not even take the time to fake up a PDF file, I am gonna just say they may be getting a little more desperate…

Updates:

Since WordPress is a fucking hot mess on editing, I lost some stuff, so here it is again…

The sites keep getting updated with names and bios to attack, now including Chris Wray.

Meanwhile, the sites have started soliciting for Bitcoin with a wallet that at last check had about 6K in it and was zeroed out recently:

I also started a Maltego mapping session on the sites and all data:

Bitcoin transactions:

Written by Krypt3ia

2020/12/12 at 17:03

The Biden October Surprise is Here


This morning I was pinged by someone after seeing a Tweet that went by on my feed from Maggie Haberman (NYT) linking a lurid New York Post story claiming the smoking gun has been found on Hunter Biden.

This story is riddled with holes and innuendo but may have some kernels of truth. But all a good disinformation warrior needs to carry out a disinformation campaign is that Russian formula of 80/20 disinformation to real information, so this story certainly fits that model. The story line thus far is that some unnamed computer repair store owner received a Mac laptop for repair in April of 2019.

The customer who brought in the water-damaged MacBook Pro for repair never paid for the service or retrieved it or a hard drive on which its contents were stored, according to the shop owner, who said he tried repeatedly to contact the client.

The shop owner couldn’t positively identify the customer as Hunter Biden, but said the laptop bore a sticker from the Beau Biden Foundation, named after Hunter’s late brother and former Delaware attorney general.

NY Post 10/14/2020

So, yeah, a laptop of uncertain provenance, in the hands of an anonymous computer repair guy, who says he found incriminating data on the hard drive, which was subsequently taken by the FBI. Of course the laptop, who brought it in, and who it belonged to are all quite unknown, as the anonymous computer guy fails to give any details such as he should have, ya know, like a receipt or a write-up of who it belonged to and at least the number he tried to call, right?

Say, while we are at this point, would you like to buy a bridge I have for sale? Perhaps a nice piece of swamp land in Florida maybe? Going cheap!

But, I digress… Anywho, yeah, this guy only thinks that this could be Hunter Biden because there is a Beau Biden sticker for the charitable organization that was set up after his death. Pay no never mind to the fact that this alleged computer repair guy had the WHOLE HARD DRIVE to access and he couldn’t maybe tell who it belonged to just by looking, say, at the Documents folder?

COME ON!

So, yeah, this anonymous guy somehow sees some nefarious emails (OH LOOK, HE’S IN THE EMAILS ON THE HARD DRIVE AND STILL DOESN’T KNOW WHO THE LAPTOP BELONGS TO?) from Vadim Pozharskyi and BOOM, we have the coverup of the century! But wait, it gets better. So this guy calls the FBI and then makes a copy of the hard drive and passes that ILLEGALLY to Rudy Giuliani’s lawyer?

But before turning over the gear, the shop owner says, he made a copy of the hard drive and later gave it to former Mayor Rudy Giuliani’s lawyer, Robert Costello.

Steve Bannon, former adviser to President Trump, told The Post about the existence of the hard drive in late September and Giuliani provided The Post with a copy of it on Sunday.

New York Post 10.14.2020

Wow! That’s some epic shit right there! So, are your spidey senses tingling too? Cuz mine are just screaming here. What’s more is that all this began only on the NY Post, in an “exclusive”, which means the Post is all in for Trump, it seems. That aside, I also had to ask myself why Maggie Haberman was flogging this on Twitter (pssst hey NYT, what the fuck?) without so much as a howdy-do on doing any legwork to rebut these allegations. Anyway, if you look further into the article, you see some screenshots of things like the alleged email from Burisma and photos alleged to be of Hunter Biden (from the hard drive? It is not clear), along with a nice picture of the alleged subpoena that was served to the computer store guy, which has been “redacted” according to the naming of the file.

HUNTER BIDEN DOCUMENTS

Of course this alleged picture has a few issues. First of all, no court case number is conveniently there to look up. Of course no name of the person to be deposed, and then there is the EXIF data that they conveniently left in the photo for people like me to find…

This photo was shot on an iPhone and it has the geolocation still in it. Once you extrapolate that, you get a tavern in Delaware where the photo was snapped.

So, someone with an iPhone took a picture of an allegedly redacted grand jury subpoena in Jessop’s Tavern on January 11th, 2020. And this is just popping up now, in October 2020, conveniently a couple of weeks from the election of a century… Right… Oh, and there are a couple of Mac specialists within an easy drive of this tavern, so it may be possible to guess who it may be.
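The EXIF check described above, as an added example that is not the post’s own tooling: it constructs a JPEG stub carrying an Exif APP1 segment so it runs offline, then reads back the camera Make, DateTime and GPS position as decimal degrees, and returns None for an image whose metadata has been stripped. The Make, date and coordinates in the sample are made up, not those of the subpoena photo.

```python
# Minimal EXIF/TIFF reader for checking a photo's provenance metadata.
# Added example, not the author's tooling. Builds a constructed JPEG stub
# with an APP1 Exif segment (so it runs offline), then parses IFD0 and the
# GPS IFD to recover Make, DateTime and the position in decimal degrees.
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def _ifd(entries, ifd_offset):
    """Serialize one big-endian IFD; payloads over 4 bytes go to a heap right after it."""
    heap_offset = ifd_offset + 2 + 12 * len(entries) + 4
    body, heap = b"", b""
    for tag, typ, count, payload in sorted(entries):
        if len(payload) <= 4:  # small values live inside the 12-byte entry
            body += struct.pack(">HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:                  # otherwise the entry holds an offset into the heap
            body += struct.pack(">HHII", tag, typ, count, heap_offset + len(heap))
            heap += payload
    return struct.pack(">H", len(entries)) + body + struct.pack(">I", 0) + heap

def _dms_rational(value):
    """Degrees, minutes, seconds as three unsigned RATIONALs (seconds in 1/100)."""
    value, deg = abs(value), int(abs(value))
    minutes = int((value - deg) * 60)
    seconds = round((value - deg - minutes / 60) * 3600 * 100)
    return struct.pack(">IIIIII", deg, 1, minutes, 1, seconds, 100)

def build_exif_jpeg(make, date_time, lat, lon):
    """Constructed JPEG stub: SOI + APP1 Exif segment + EOI, no image data."""
    ifd0 = [(0x010F, 2, len(make) + 1, make.encode() + b"\0"),
            (0x0132, 2, 20, date_time.encode().ljust(20, b"\0"))]
    heap0 = sum(len(p) for *_, p in ifd0 if len(p) > 4)
    gps_offset = 8 + (2 + 12 * (len(ifd0) + 1) + 4) + heap0  # GPS IFD follows IFD0's heap
    ifd0.append((0x8825, 4, 1, struct.pack(">I", gps_offset)))
    gps = [(0x0001, 2, 2, (b"N" if lat >= 0 else b"S") + b"\0"),
           (0x0002, 5, 3, _dms_rational(lat)),
           (0x0003, 2, 2, (b"E" if lon >= 0 else b"W") + b"\0"),
           (0x0004, 5, 3, _dms_rational(lon))]
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + _ifd(ifd0, 8) + _ifd(gps, gps_offset)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _read_ifd(tiff, endian, offset, names):
    """Decode one IFD into {name: value}: ASCII -> str, RATIONAL -> [(num, den)], LONG -> [int]."""
    count, = struct.unpack_from(endian + "H", tiff, offset)
    tags = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        size = TYPE_SIZES.get(typ, 1) * n
        value_pos = entry + 8
        if size > 4:  # value field is an offset into the TIFF block
            value_pos, = struct.unpack_from(endian + "I", tiff, value_pos)
        raw = tiff[value_pos:value_pos + size]
        if typ == 2:
            value = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ == 5:
            value = [struct.unpack_from(endian + "II", raw, 8 * k) for k in range(n)]
        else:
            value = list(struct.unpack(endian + "I" * n, raw)) if typ == 4 else raw
        tags[names.get(tag, hex(tag))] = value
    return tags

def parse_exif(jpeg):
    """Walk the JPEG segments to the APP1 Exif block; decode IFD0 and, if present, the GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seg_len = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seg_len]
            endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
            ifd0_offset, = struct.unpack_from(endian + "I", tiff, 4)
            tags = _read_ifd(tiff, endian, ifd0_offset, IFD0_TAGS)
            if "GPSInfo" in tags:
                tags.update(_read_ifd(tiff, endian, tags["GPSInfo"][0], GPS_TAGS))
            return tags
        if marker == 0xFFDA:  # start of scan: no further metadata segments follow
            break
        pos += 2 + seg_len
    return {}  # stripped image, or no Exif segment at all

def gps_decimal(tags):
    """(lat, lon) in signed decimal degrees, or None when the photo carries no GPS IFD."""
    if "GPSLatitude" not in tags or "GPSLongitude" not in tags:
        return None
    def to_deg(dms):
        d, m, s = (num / den for num, den in dms)
        return d + m / 60 + s / 3600
    lat = to_deg(tags["GPSLatitude"]) * (-1 if tags.get("GPSLatitudeRef") == "S" else 1)
    lon = to_deg(tags["GPSLongitude"]) * (-1 if tags.get("GPSLongitudeRef") == "W" else 1)
    return lat, lon

if __name__ == "__main__":
    # Constructed sample (made-up camera, date and position, not the post's photo).
    photo = build_exif_jpeg("Apple", "2020:01:11 12:00:00", 39.75, -75.125)
    print(parse_exif(photo)["Make"], gps_decimal(parse_exif(photo)))  # Apple, then ~(39.75, -75.125)
```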

So far, this story has only been getting traction on Fox and Bloomberg, other than being on fire and then quickly put out by Facebook’s removal of it. A removal, mind you, that has many people in the Trump camp gnashing their teeth, boo hoo. I would expect this story to get more traction though, as I have already seen on Fox one Senator demanding more information from the now-defunct Barr/Durham investigation that managed to charge no one with a crime.

Convenient eh?

Lastly, let me just say this: all of this story screams no chain of custody and a large probability of tampering, hacking, and disinformation creation and propagation by forces yet to be seen. The rest of the photos in the story on the Post all lack any EXIF/metadata, which is kinda suspicious, so there is that too. I would not put it past Russian assets and the Trump camp to be central to the creation, curating, and release of this disinfo campaign against Biden now for fullest effect.

I don’t buy it, and neither should you.

K.

Written by Krypt3ia

2020/10/14 at 19:15


2019 Krampus List!


Written by Krypt3ia

2019/12/05 at 12:30


Existential Angst


In the face of the daily news from all sources, the Twitter-sphere, and the rest of the internet, it seems that we all are facing numerous existential issues. In the news cycle alone lately we have more and more data-backed proofs that anthropogenic climate change (ok ok, destruction) leaves us with an expiration date for life on the planet of 2050. Meanwhile, the Trump administration (if one calls it that and not a shit show) is busily destroying Democracy and seemingly trying to move that 2050 deadline to, oh, next year. No wonder the populace generally, and in particular the youth today (Millennials and Z’s), seem to be losing their collective minds and more often infantilizing themselves into a stupor.

Yes yes, of course the parents of those millennials also sculpted, wait, bulldozed, their psyches into this mess, but after that, I cannot blame them for looking at the world and just wanting to check the fuck out. I mean, look at all this shit today? How the fuck did we get here? No, it wasn’t just Russia either! No, we did this to ourselves and it’s only gonna get worse I fear. It will be a combination of fucked-up elders and dysfunctional governments (mostly the US in this post) just spinning the cylinder on the .38 snub and holding it to our collective heads like that famous Vietnam war photo…. At least it can feel that way at times. We just have no control, do we?

All of this and likely future fuckery that is to come makes me just postulate that we are in for a worse time down the line and that many of you out there will just go all YOLO and give up. I for one often think about this on a grander scale and since I am in my later years, I often just have to settle with; “well, at least I did not have any kids” because fuuuuuuck are they going to have to deal with all this shit when the bill comes due!

Which brings me to my next topic, as we move through all this and still do not do anything to really address the more existential issues that we all must deal with or die, I suspect more and more people will just resign themselves to it all and let apathy take them away. Some will be cognizant of it all and steadily lose their minds, showing many manifestations of mental maladies and perhaps take up behaviors like drugs, or other hobbies to just not deal with reality. It’s easy to get lost in the cyber now right?

Game away your pains and dull your senses with some drug or whatnot right?

Lately I have wondered and pondered at the people in this hacking/infosec community as well and why they seem so fixated on all this or that shit, lacking any broader ability to converse about things or experience things. Perhaps they already feel this, perhaps they are all spectrum…

Who knows.

Ugh, whatever… Just deal with your mortality kids.

K.

Written by Krypt3ia

2019/06/12 at 17:39


Ryuk Ransomware Threat Intel Report


I cobbled together some stuff on Ryuk in case you all want to have a report you can re-purpose.

K…

PDF is here

Ryuk Ransomware Threat Intelligence Report

1/4/2019


1. Executive Summary:

The Ryuk variant of ransomware is a new type of ransomware that first appeared in August 2018 and has been used since then in a targeted attack scheme by unknown actors online. The attack has evolved to mimic some of the attack methodologies used by the SAMSAM group (Iran): locating vulnerable enterprises/organizations through reconnaissance and phishing, then gaining a foothold as the first phase of the attack.

The Ryuk actors then escalate the incursion by loading the ransomware (Ryuk) onto servers in the enterprise, locking the business out of its daily operations completely. The attacks have been seen recently (December 2018 to January 2019) against publishing and media corporations such as the LA Times and Chicago Times (Tribune Group), as well as DataResolution Cloud Service. The financial damages to those companies have yet to be determined, but due to the attack on the Tribune group, printing of newspapers was degraded or stopped for a time.

The Ryuk actor group uses two probable means of gaining access to internal networks:

1) Phishing to infect systems with EMOTET (a trojan variant that uses PowerShell, via doc files whose macros start ps.exe) and then pivoting laterally to gain more access.

2) Locating vulnerable systems online using Shodan and other tools to find open RDP sessions, then exploiting them to escalate the attack.

In both attack vectors, the second stage of the attack is to use the access gained to recon the org and locate systems (servers) to infect with Ryuk. The Ryuk infection then encrypts all data, deletes shadow copies, and leaves a message that the systems have been encrypted and where to send bitcoins.

The malware campaign to date (August 2018 to today) has accrued approximately $2,680,077.93 in bitcoin transfers from affected organizations. The ransom demanded in each attack is tailored to the victim organization’s tolerance, judged by the actors’ estimate of what it can afford. This method is a lot like the SAMSAM group’s.

2. Recommendations:

Threat intelligence on the malware and the tactics of the group provide the following recommendations for response to this threat:

  • Put all IOCs into HIDS/NIDS.

  • Block known C2s.

  • Assess for RDP sessions exposed to the internet (Shodan).

  • Block all hashes and C2s for EMOTET campaigns.

  • Be aware of ps.exe (PowerShell) sessions going out to the internet.

3. Technical Details:

The malware immediately begins by shutting down A/V systems, specifically Sophos and McAfee, as well as other processes, focusing not only on A/V but also on backup programs. Early VirusTotal assessments, as well as Hybrid Analysis online, show some signs that the actors had tested early versions of the malware and that it had been detected by Sophos and McAfee.

Strings:

stop "Enterprise Client Service" /y
stop "Sophos AutoUpdate Service" /y
stop "Sophos Clean Service" /y
stop "Sophos Device Control Service" /y
stop "Sophos File Scanner Service" /y
stop "Sophos Health Service" /y
stop "Sophos Safestore Service" /y
stop "Sophos System Protection Service" /y
stop "Sophos Web Control Service" /y
stop "SQLsafe Backup Service" /y
stop "SQLsafe Filter Service" /y
stop "Veeam Backup Catalog Data Service" /y
stop "Zoolz 2 Service" /y
stop Antivirus /y
stop BackupExecAgentAccelerator /y
stop BackupExecAgentBrowser /y
stop BackupExecDeviceMediaService /y
stop BackupExecJobEngine /y
stop BackupExecManagementService /y
stop BackupExecRPCService /y
stop BackupExecVSSProvider /y
stop EhttpSrv /y
stop EPSecurityService /y
stop EPUpdateService /y
stop MBAMService /y
stop McAfeeEngineService /y
stop McAfeeFramework /y
stop McAfeeFrameworkMcAfeeFramework /y
stop MSSQL$BKUPEXEC /y
stop MSSQLServerOLAPService /y
stop ntrtscan /y
stop PDVFSService /y
stop ReportServer /y
stop ReportServer$SQL_2008 /y
stop ReportServer$SYSTEM_BGC /y
stop ReportServer$TPS /y
stop ReportServer$TPSAMA /y
stop SAVAdminService /y
stop SAVService /y
stop SepMasterService /y
stop Smcinst /y
stop SmcService /y
stop SMTPSvc /y
stop SntpService /y
stop SQLAgent$BKUPEXEC /y
stop SQLAgent$CITRIX_METAFRAME /y
stop SQLSafeOLRService /y
stop swi_service /y
stop tmlisten /y
stop TrueKey /y
stop TrueKeyScheduler /y
stop TrueKeyServiceHelper /y
stop VeeamDeploymentService /y
stop VeeamTransportSvc /y
TerminateProcess

Currently a high number of A/V client engines detect the Ryuk malware by hash. It is assumed that the actor may in fact re-pack the malware to avoid such detections, if not upgrade its functionality to have a wider ability to succeed and to avoid HIDS/NIDS detection as well.

The malware also requires ADMIN to perform all its functions. This need for ADMIN is the reason that Ryuk is a second stage and not a one-and-done attack. EMOTET infections attain the ADMIN-level access and allow the actors to recon the enterprise and determine where to attack, as well as what they can access to load Ryuk and encrypt files.
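Hash matching breaks as soon as the sample is repacked, so a behavioural check on the service-stop burst from the Strings section is the more durable detection. This is an added example, not part of the report: it runs over constructed Sysmon-style process-creation lines (the log layout, the 60-second window and the three-service threshold are assumptions), flags a host that stops several kill-list services in a short window or deletes shadow copies, and leaves a routine admin service restart alone.

```python
# Behavioural detection for the Ryuk pre-encryption kill sequence.
# Added example for this report, not part of it. Scans constructed
# Sysmon-style process-creation lines for the 'net stop <service> /y'
# burst listed in the Strings section, plus shadow-copy deletion, and
# raises one alert per host when either fires inside a short window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service names taken from the report's Strings section (subset, lower-cased).
RYUK_KILL_LIST = {
    "sophos autoupdate service", "sophos file scanner service",
    "sophos health service", "veeam backup catalog data service",
    "backupexecjobengine", "backupexecvssprovider", "mcafeeframework",
    "mcafeeengineservice", "mbamservice", "sqlsafe backup service",
    "sepmasterservice", "smcservice", "veeamtransportsvc",
}
WINDOW = timedelta(seconds=60)  # assumed tuning, not from the report
MIN_STOPS = 3                   # distinct kill-list services per window

# Matches 'net stop "Sophos Health Service" /y' and 'net stop MBAMService /y'
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))\s+/y', re.I)
SHADOW = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
# Constructed line layout: <iso-timestamp> host=<name> image=<exe> cmdline=<rest>
LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+.*?cmdline=(?P<cmd>.*)$")


def parse_line(line):
    """Return (timestamp, host, command line) or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def detect_ryuk_kill_sequence(lines):
    """One alert dict per host whose events match the kill pattern.

    Events are bucketed per host; a WINDOW-long slice must hold at least
    MIN_STOPS distinct kill-list stops, or any shadow-copy deletion.
    """
    per_host = defaultdict(list)  # host -> [(ts, kind, detail)]
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, host, cmd = parsed
        m = NET_STOP.search(cmd)
        if m:
            svc = (m.group(1) or m.group(2)).lower()
            if svc in RYUK_KILL_LIST:
                per_host[host].append((ts, "stop", svc))
        elif SHADOW.search(cmd):
            per_host[host].append((ts, "shadow", cmd.strip()))

    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            stops = {d for _, k, d in window if k == "stop"}
            shadow = any(k == "shadow" for _, k, _ in window)
            if len(stops) >= MIN_STOPS or shadow:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "services_stopped": sorted(stops),
                               "shadow_copies_deleted": shadow})
                break  # one alert per host is enough for triage
    return alerts


SAMPLE_LOGS = [  # constructed telemetry, not from a real incident
    '2019-01-04T10:15:01 host=FILESRV01 image=net.exe cmdline=net stop "Sophos AutoUpdate Service" /y',
    '2019-01-04T10:15:01 host=FILESRV01 image=net.exe cmdline=net stop "Sophos File Scanner Service" /y',
    '2019-01-04T10:15:02 host=FILESRV01 image=net.exe cmdline=net stop BackupExecJobEngine /y',
    '2019-01-04T10:15:02 host=FILESRV01 image=net.exe cmdline=net stop McAfeeFramework /y',
    '2019-01-04T10:15:05 host=FILESRV01 image=vssadmin.exe cmdline=vssadmin.exe Delete Shadows /All /Quiet',
    # Routine admin work on another host: single stops, hours apart.
    '2019-01-04T02:00:00 host=WS-ADMIN07 image=net.exe cmdline=net stop "Veeam Backup Catalog Data Service" /y',
    '2019-01-04T06:30:00 host=WS-ADMIN07 image=net.exe cmdline=net stop BackupExecJobEngine /y',
    '2019-01-04T09:10:00 host=WS-ADMIN07 image=cmd.exe cmdline=ipconfig /all',
]

if __name__ == "__main__":
    for alert in detect_ryuk_kill_sequence(SAMPLE_LOGS):
        print(alert)  # one alert, for FILESRV01
```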

4. IOCs:

IP(s) / Hostname(s)


URLs


Associated-file-path:

  • C:\Users\Public\cjoZX[.]exe

  • C:\Users\Public\window[.]bat

Associated-email-addresses:


Associated-bitcoin-address:

  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

  • 1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ

  • 1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ

  • 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

  • 1LKULheYnNtJXgQNWMo24MeLrBBCouECH7

  • 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

  • 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4

  • 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

  • 1EoyVz2tbGXWL1sLZuCnSX72eR7Ju6qohH

  • 1K6MBjz79QqfLBN7XBnwxCJb8DYUmmDWAt

  • 1ChnbV4Rt7nsb5acw5YfYyvBFDj1RXcVQu

  • 162DVnddxsbXeVgdCy66RxEPADPETBGVBR

  • 12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau

  • 1C8n86EEttnDjNKM9Tjm7QNVgwGBncQhDs

  • 18eu6KrFgzv8yTMVvKJkRM3YBAyHLonk5G

  • 19AE1YN6Jo8ognKdJQ3xeQQL1mSZyX16op

  • 1NMgARKzfaDExDSEsNijeT3QWbvTF7FXxS

  • 12UbZzhJrdDvdyv9NdCox1Zj1FAQ5onwx3

  • 1KUbXkjDZL6HC3Er34HwJiQUAE9H81Wcsr

  • 13rTF3AYsf8xEdafUMT5W1E5Ab2aqPhkPi

  • 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY

  • 12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL

  • 1ET85GTps8eFbgF1MvVhFVZQeNp2a6LeGw

  • 1FtQnqvjxEK5GJD9PthHM4MtdmkAeTeoRt

  • 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY

Malware Hash (MD5/SHA1/SHA256)

  • c0202cf6aeab8437c638533d14563d35

  • d348f536e214a47655af387408b4fca5

  • 958c594909933d4c82e93c22850194aa

  • 86c314bc2dc37ba84f7364acd5108c2b

  • 29340643ca2e6677c19e1d3bf351d654

  • cb0c1248d3899358a375888bb4e8f3fe

  • 1354ac0d5be0c8d03f4e3aba78d2223e

  • 5ac0f050f93f86e69026faea1fbb4450

  • 1b465c0e12523747f892b48fa92a30f82e5027199a2aff06587c5269bd99f69a

  • 3c8531fc54eca31a79a23bf16d4f528067c89a5e58e1e745a2c5b1b05140f5a8

  • 95b228b664dca2e18935444c67c7c7dbda9da7450a18d429cb04f7e311af5fe9

  • 46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e

  • 8d50d9fe17eb36edc9945a2673c1594f58a6e653f5a794058ee42e46d24d83d7

  • f21f222d8f62f2223faec375e834efb76f96b73ef70e0ef09024586cf9eef638

  • b7e945a8dafc91ebe8c8717ee3107498afc1ad5461599611d2fb07aaa7700aa1

  • 88d491bb73d509aacca103919d3a7418f9c6b611ce7dc453e1cacffed9c0f0d5

  • 5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28

  • aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83

  • 235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac

  • 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20

  • 9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17

  • 695a716f2c43a69bdd03e74058fa23fb77e596bb4f1f3a021d529c85e9564f7d

  • 6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619

  • 965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26

  • 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

  • 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4

  • b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8

  • 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2

  • 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec

  • 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

  • c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e
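
A defender consuming a list like the one above normally wants it refanged and run over logs rather than eyeballed. The following is an added example written for this page, not code from the post or from any of the vendors it cites: it refangs a subset of the IOCs listed above (IPs, domains, file paths and hashes, all taken from the post), then matches them against a handful of constructed DNS, proxy and EDR log lines. The log format and the client hosts in those lines are invented for illustration; domain matching treats subdomains of a listed domain as hits, which the post does not state but which is the usual practice when the list contains bare domains.

```python
"""Refang the post's defanged IOCs and hunt for them in sample log lines.

Added example for this page; the IOC subset below is copied from the post's
list, while the log lines and host names are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Subset of the post's IOCs, left defanged exactly as published ([.] for .).
DEFANGED_IPS = ["104.199.153[.]189", "23.253.126[.]58", "89.119.67[.]154"]
DEFANGED_DOMAINS = ["bedava-chat[.]com", "kukutrustnet777[.]info",
                    "digiturk[.]adsl[.]com[.]tr"]
DEFANGED_PATHS = [r"C:\Users\Public\cjoZX[.]exe", r"C:\Users\Public\window[.]bat"]
# Hashes need no defanging; one MD5 and one SHA256 from the post's list.
HASHES = {
    "c0202cf6aeab8437c638533d14563d35",
    "1b465c0e12523747f892b48fa92a30f82e5027199a2aff06587c5269bd99f69a",
}


def refang(ioc: str) -> str:
    """Undo the common [.] and hxxp defanging so the value matches raw logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IPS = {refang(ip) for ip in DEFANGED_IPS}
DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
PATHS = [refang(p).lower() for p in DEFANGED_PATHS]

# Tokens that can hold an IP or host name; ':' and '=' act as separators so
# "dst=1.2.3.4:443" yields the bare address.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-_]+")
# Bare MD5 (32 hex) or SHA256 (64 hex) strings.
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain if host equals it or is one of its subdomains."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) pairs found in a single log line."""
    hits: List[Tuple[str, str]] = []
    for tok in TOKEN_RE.findall(line):
        if tok in IPS:
            hits.append(("ip", tok))
        else:
            d = domain_matches(tok)
            if d is not None:
                hits.append(("domain", d))
    for h in HEX_RE.findall(line):
        if h.lower() in HASHES:
            hits.append(("hash", h.lower()))
    lowered = line.lower()
    for p in PATHS:
        if p in lowered:
            hits.append(("path", p))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_index, hits) for every line that contains at least one IOC."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample logs (not from the post): one DNS hit, one proxy hit,
# one EDR hit on path and MD5, and one benign line that must not match.
SAMPLE_LOGS = [
    "2019-01-03T10:22:01Z dns client=10.0.0.5 qname=mail.kukutrustnet777.info qtype=A",
    "2019-01-03T10:22:07Z proxy client=10.0.0.5 dst=23.253.126.58:443 action=allow",
    "2019-01-03T10:23:40Z edr host=WS-042 file=C:\\Users\\Public\\window.bat "
    "md5=c0202cf6aeab8437c638533d14563d35",
    "2019-01-03T10:25:00Z dns client=10.0.0.7 qname=www.example.com qtype=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

Run as a script it prints the three matching lines; in practice the IOC lists would be loaded from the full published set and the log lines streamed from a SIEM export. The subdomain rule in `domain_matches` is why `mail.kukutrustnet777.info` is reported as a hit on `kukutrustnet777.info`, and why a look-alike such as `notkukutrustnet777.info` is not.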

Dropped Files:


“gimap.jar” has type “data”

“org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar” has type “data”

“Download_on_the_App_Store_Badge_fr_135x40.svg” has type “data”

“PIXEL.INF” has type “data”

“close.svg” has type “data”

“com.jrockit.mc.components.ui.ja_5.5.1.172852.jar” has type “data”

“org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar” has type “data”

“javaws.jar” has type “data”

“org-netbeans-modules-options-api.jar” has type “8086 relocatable (Microsoft)”

“org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar” has type “data”

“ADEBASE.MSI” has type “data”

“org-netbeans-core-io-ui_zh_CN.jar” has type “data”

“org.eclipse.help.ui_4.0.100.v20140401-0608.jar” has type “data”

“VeriSign_Class_3_Code_Signing_2001-4_CA.cer” has type “data”

“org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar” has type “data”

“org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar” has type “data”

“com.jrockit.mc.browser.ja_5.5.1.172852.jar” has type “data”

“org-openide-loaders_zh_CN.jar” has type “data”

“com-sun-tools-visualvm-host-remote_zh_CN.jar” has type “data”

“org-netbeans-modules-queries.jar” has type “data”

source: Extracted File

Virus Total Assessments:

Hybrid Analysis Assessments:

    1. Appendix:

URLs:

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-involved-in-cyberattack-stopping-newspaper-distribution/

https://niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Aug_2018_Edition_2.0.pdf

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf

https://resources.malwarebytes.com/files/2018/12/Malwarebytes-Labs-Under-The-Radar-APAC-1.pdf

https://research.checkpoint.com/wp-content/uploads/2018/08/Threat_Intelligence_News_2018-08-27.pdf

https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/

https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27951/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryuk_v2.pdf

http://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ryuk-evolves-as-a-new-targeted-ransomware

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/ryuk

https://www.maltiverse.com/sample/8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

Written by Krypt3ia

2019/01/04 at 18:24

THE 2018 INFOSEC KRAMPUS LIST

leave a comment »

THE GREAT AND TERRIBLE KRAMPUS PROCLAIMS!

On this night the following INFOSEC girls and boys are in need of his utmost sadistic attention for their transgressions!

 

Threat Intelligence Threatleaders:

Sweet Jesus stop with all your “I KNOW EVERYTHING ABOUT INTEL” because you fucking don’t! A majority of you that I have run into have no real IC background and couldn’t red team your ideas out of a wet paper bag, never mind be able to determine what is and is not a nation state operation! Lemme give you a hint. The ones who really know shit DON’T FUCKING TALK ABOUT IT ALL THE TIME TO ANYONE WHO WILL LISTEN OK?

PLEASE take your artisanal hand crafted BULLSHIT threat intelligence elsewhere and shove it up your collective chimneys!

 

Nord VPN: Masters of MILITARY GRADE ENCRYPTION!

Dear Nord, Krampus has seen your useless ads on CNN too much lately and wants to tell you here and now that: THERE IS NO SUCH THING AS MILITARY GRADE ENCRYPTION WITHOUT A HARDWARE LAYER SPECIFICALLY FOR THAT PURPOSE AND EVEN THEN IT MEANS FUCK ALL!

YOU, Nord, are on my list FOREVER now. Stop trying to scare the grandparents into paying for your shitty VPN!

 

The Hacking Community Writ Large:

Krampus has a lot to say about the hacking community. Most of what he has to say cannot be translated into human language but understand that ALL of it is not good.

What the fuck is it with you people that you need to be the center of fucking attention all the time?

What the fuck is it with you people that you always think you are the fucking smartest people in the room ever?

What the fuck is it with you people to even THINK you have so many problems including, and Krampus cannot even fathom mouthing the words, PTSD from working in INFOSEC?

Get over yourselves and maybe go outside once and a while and talk to people outside your personal bubbles would ya?

Oh, and GROW THE FUCK UP!

Krampus says this every year and still you keep on keepin’ on being asshats!

EDIT! Krampus just also remembered the hubris of you all complaining about security and privacy in hotel rooms in Vegas. WHAT the FUCK were you people thinking? Were you thinking at all? There is no 4th Amendment right here. Sure, coming in on you naked and all is bad and scary but THINK THE FUCK AHEAD! YOU ARE SECURITY PROFESSIONALS RIGHT?

STOP WHINING.

 

NATSEC and INFOSEC Talking Heads:

Krampus watches a fair bit of news in his off hours between Krampusnachts and FUCK does he really hate all you fame whores seeking attention talking about shit you really have no idea about. If you are out there just to be on TV talking about shit ad nauseum to pimp your service or your new book…

Fuck you.

The people who do the things are off doing them and you are just masturbating on air.

 

The Grugq:

Speaking of people out of their lanes.

Just fucking stop man. The IC giggles and points when you talk about shit.

Stop.

Every time you say anything about OPSEC google that photo from the magazine of yourself with the pile of money and the drink.

There’s some OPSEC.

 

Blockchain Fuckwits:

NO BLOCKCHAIN IS NOT MY SAVIOR! NOR IS IT YOURS! DUDEBROS IT’S ALL FAKE MONEY!

STAHHHHHP!

 

Cyber War Salesman:

If Krampus gets another pitch with the words cyber and war or cyberwar in it he will personally donkey punch you all.

There is no such thing. Stop trying to use it as a sales pitch for your shitty shitty products.

 

To All The Reporters I Have Loved Before:

Krampus still loathes you. You all will pay for your shitty deeds.

 

The “Cyber” Warriors:

See “cyber war salesman sic: it doesn’t exist”

 

Well, that’s it kids. Krampus is old and tired of all your fuckery but these were the winners this year. Of course damning a WHOLE “Community” is pretty epic and you guys never fail in letting ol’ Krampus down.

Till next year!

Krampus

Written by Krypt3ia

2018/12/05 at 21:46

Posted in Uncategorized

Who’s Ian Smirlis or Giannhs Smyrlhs and Why Were They Hosting and Domain Owner of cicada3301.org in 2015?

leave a comment »

From Reddit /r/cicada3301:

  • On April 19, 2015, cicada3301.org went live, displaying the ASCII Cicada emblem seen in some of 3301’s tor sites and a countdown clock heading to August 17 2015, 10:33 AM, calibrated to the user’s clock. The metaheader of the countdown page reads “Willkommen” – ‘Welcome’ in German.
  • Upon reaching 0, most people report that the clock begins counting back up from 10:33 on August 17. (This is the case for this author.) It is unclear if this is intended or a default function of the basic countdown script used.
  • The index loads only for certain users – for those unable to view the index, see these screenshots. (imgur link)
  • Besides the index, there are four pages in the site’s navigation: an overview of the Gematria Primus, a description of the “technomystical” Cicadian order who hold 3301 sacred, the entire translated portion of the Liber Primus, and a description of Cicadian “broods” (which seem akin to congregations.)
  • No part of the site’s HTML or Javascript seems unusual in any significant way, though further investigation may yield some break on this front
  • No PGP has been found anywhere on the site.

Lately I have been in a mood to look into the darker and deeper corners of the darknet, and one of the more interesting groups/puzzles/mysteries is the Cicada3301 group. While I was messing about with the Liber Primus and such, I decided to poke around cicada3301.org, a domain and site that popped up in 2015 and purported to be a part of the whole thing. It has been determined by Redditors that this is a fake site not part of the official 3301; later on, in fact, 3301 said that all messages would be signed with a PGP key, and this site did not have it as far as I know. So this site is ostensibly just someone who is enamored with the whole thing or, maybe, someone affiliated. If you look at the site you can see some content that makes me wonder if they aren’t somehow a part of it. One of the things that I kinda key on is the whole “brood” discussion, but I could just be a bit crazy and not know when the term first came out in the public eye after one of the solvers talked about how cicada3301 is alleged to work as a group with “broods” of intelligent individuals working for the higher ups doing… “things”…

Wayback cicada3301.org_1

Wayback Cicada3301.org_2

Anyway, having stumbled on the site because I have not been paying close attention all these years, I decided to take a look at this site in Domain Tools because the Redditors seem to lack an account on this service. What I was able to determine was that the site was originally started/owned by a guy named Ian Smirlis, or Giannhs Smyrlhs, out of Athens, Greece. Now, this is interesting because once I started digging in on the names and the email address I started to find some odd things about our pal Ian.

Screenshot from 2018-06-15 16-21-13

Ian Smirlis is a kind of enigma on his own. Looking online for traces of the name you only come up with a few and what you get are, well, odd. For starters, one of the first hits you get is for a YouTube channel that he has out there. When you look at that channel you see five uploads and not much else. In fact, when you look closely, there is no bio page at all. Nothing else about this channel leads you to any further information about Ian at all. No favorites, no comments, no email address, nada. Now, if you look at the videos he has uploaded the first one in the group turns out to be the most interesting of the lot, save for a weird interest in “The Elephant Man” that he has. The first video is called “SCIgen talk

The SCIgen talk is the story about three MIT students who “fooled the world of scientific journals” using a program called SCIgen which is a paper generator intended to fool CFP judges and audiences. The video is really funny and the article linked here is a good read. Clearly these MIT kids are tricksters and it turns out that all three of them are now working in the tech area with jobs that concern information security and encryption technologies. It certainly is funny to me that this Smirlis character, also in the software and engineering field has their video as a direct upload to his pretty information free YouTube channel.

Watch the video and see just how amused these guys were with pulling off the talks they did with at least one audience member in attendance. However, ok, you might say, what do these guys have to do with Cicada3301 and this Smirlis guy’s alleged fake Cicada site? Well, if you look deeper at the article linked above about how these MIT guys fooled the establishment, there is mention at the bottom of the second gen of the SCIgen program called SCIpher that will steganographically hide messages in “innocuous scientific conference advertisements

ORLY?

Gee, aren’t there a lot of hidden messages in the whole Cicada3301 thing? Oh yeah, there are. In fact, to me this all seems to click a bit. I mean, these guys took on the scientific establishment and, well, they all have the chops to pull off a lot of what we have seen in the Cicada3301 arc, right? Also, what if a group of MIT students, not content to fool with the scientific community, decided to move on to bigger and better things by fucking with the “internet” with hidden messages and a story line to get some giggles? It does kinda sound like an MIT prank in a way to my mind.

…But back to Ian Smirlis…

The thing that keyed for me is that maybe this guy isn’t real or that the name was an anagram. I spent some time on that idea and so far he seems real enough but still kinda sketch. The other name on the domain registry definitely turns up even less on the net. Giannhs Smyrlhs has a Google+ page and not much else on the Goog. He has some followers and I went down that rabbit hole a while and decided it was chaff.

Alrighty then Giannhs…

So, what am I left with here? Well, I find it interesting that these characters are so sketch and that but for a fuck up on the domain reg, the site would have remained anonymous unless you pay Domain Tools a chunk of dough for the service to look at historical WHOIS.

TAKE THAT GDPR!

The connections with the MIT guys and the whole SCIpher and SCIgen thing also kinda makes me wonder. Also, the fact that there is so much mythos around the Cicada in Greek history as well kinda makes me wonder. See for yourselves if you feel like reading up:

Cicada’s in Ancient Greece: Orkin

Cicada Mythology: Wikipedia

All of it is interesting to say the least. Whoever Smirlis is, whatever he is up to, he is pretty serious about Cicada3301 at the very least. Now with these other clues, I just wonder if he is somehow involved or has some knowledge and is tipping the hat ever so subtly to the MIT guys on this one…

Just something to make you go HMMMMMMMMMM….

K.

UPDATE: I got an email from Ian and well, he says he has nothing to do with Cicada3301, he was only interested in it and wanted his information taken down. I have smudged out his personal info from the WHOIS image but the post stands.

K.

UPDATE 2: So I was in the darknet looking at Hunchly’s scrape of urls and came across the following address: http://honmnaapxzpk2rg7.onion/blogs/3301.html on there I see at the bottom of the page something interesting…

Screenshot from 2018-06-26 09-40-00

Whaaaaat? Some rando guy in the darknet is saying that 3301 is really a group of MIT students who wanted to play with people and ciphers…

NO. WAY.

UPDATE 3: Sooooo it turns out the snippet I found in the darknet is paralleling a post on Reddit two years ago by someone named “Dave”. The post was made on Reddit 1/7/17 and was deleted soon after (comments are here).

Screenshot from 2018-06-26 10-15-59

So what Dave is saying here in 2017 is that Cicada was 4 guys from MIT who decided to troll the internet and it got outta hand. Gee, why does that sound familiar? Oh yea, I said as much by looking into this fake Cicada site and the links to the three MIT guys video that Smirlis made.

Please note I came to this independently and am now finding out more by looking at links sent to me by Switch’d on Twitter. It also is interesting that Smirlis posts the link to the video of the MIT students troll in 2014.

Screenshot from 2018-06-26 10-26-13

Does this mean Smirlis knows something or that he was making a guess? Does it mean that he is “Dave” ?? It is amusing to see all the comments where people are like “NO WAY MAN, THIS IS ILLUMINATI LEVEL SHIT!”

But wait, now can anyone confirm the vulnerabilities that Dave speaks of in the pages that they put up? Also, it makes TOTES sense they would use a VM for all this and that it all gets out of hand so they back off.

All I have to say is that this is all rather interesting. Especially since we have not seen the Cicada for a while. Oh, and yeah, in my traversing the players here I also did come across a connection’s DeviantArt page and her drawings look kinda like the same hand as that which made the grand grimoire “Liber Primus”, so there is that too.

What do you guys think? I already know the Redditors thought rather little of my last post…

Evidence kinda mounts.

HEY DAVE! SPEAK TO ME!

K.

Written by Krypt3ia

2018/06/16 at 12:38

Posted in Uncategorized

Ethics In Hacking and Dropping Code

leave a comment »

With the release of Autosploit, a tool for automatically scanning and exploiting hosts located via Shodan.io, a shit storm erupted on the ethics of releasing a tool like this. The problem is just how easy it may now be to automate attacks on vulnerable systems en masse with the capability this tool could potentially provide. In an age where IoT devices as well as SCADA and ICS are sitting online in vulnerable states, such a tool makes the possibility of great damage to large networks more probable. It also brings to the table the idea that the barrier to success on such attacks has been lowered to a new class of individuals with a limited knowledge base, and creates an asymmetric threat model of a single individual able to wield greater attack capabilities with one tool.

Many arguments have been made on Twitter about the efficacy of releasing code like this, but most have not focused on tools per se but instead on malcode or 0days. Now that there are bug bounty programs and companies that sell vulnerabilities, we are living in a more dangerous time where the few with the money could buy exploits and do mass damage or commit mass surveillance and espionage. This also applies to countries willing to pay for 0day exploits to be in control of the attacks and have the upper hand. Think about that: our politics and our lives are at the mercy of code being sold to the highest bidder. We have weaponized code and tools made from it on a medium that was supposed to enlighten and bring us all together. Instead our baser nature has made the internet and everyone’s devices a tool for repression or subversion.

After the release of Autosploit, the hue and cry went up, and rightly it did. In a time where we have people releasing code and remarking “Let the world burn”, I think it is time that we began to talk about the ethics of doing these things. Ethics, kids, is a philosophical discipline where you consider the moral responsibilities of what you do and the effects your actions could have. I think that too many people of a certain age group have had little to no training on ethics and this has helped to lead us to where we are today. In this specific case let’s talk about the ethics of releasing any code or tool that could lead to potentially disastrous effect.

Many tools over the years have been dropped for free by hackers out there that could and were abused by others who downloaded and used them for their own desires. I have been exhorted to mention things like BackOrifice or L0phtcrack in the past and, well, there you go. Both tools were used for bad purposes as well as ostensibly good in the hands of penetration testers. Of course these were just placed on the net for free for anyone to have at first and this is where the quandary starts right? Did L0pht or CDC consider the potential damage that could be done with their tools? Did they put them out there with some self awareness that they may in fact be complicit in crimes because the tools that they created and distributed, for good or for ill, could be misused?

I point you all to Alfred Nobel, the inventor of dynamite. He created a tool that would help in mining, but in the end that tool’s devastating effects were used in other ways to hurt people and wage war. In an obituary that was accidentally run about him instead of his brother, he learned what the world perhaps thought of him regarding his invention. This bothered him so much that, to atone for his actions, he created the Nobel Prize to further science and other pursuits that do not further the harm of others. The idea of his invention’s use for ill, and how he would be perceived by history, prompted his ethical response.

Today, we have people creating tools that could be misused and in some cases are for the sole purpose of misuse. The Autosploit tool may be a boon for some penetration testers, but the reality is that it is just another mass scan tool that seeks out vulnerable systems throughout the whole of the internet and loads the exploit potential to just break into them. This is not a refined tool for a scoped penetration test, this is a tool for mayhem. This is why I think others have made comments about the way it was released and the dangers in doing it so. The ethics though seem to have been glossed over concerning this release. What are the ethics of Autosploit’s creation and release on a Git repo? What is the morality behind doing so? Are there arguments for either of those or is it just another hacker saying; “Let the world burn” with no thought or accountability because it is the internet?

The problem we have today is that there are no ethical demands being placed on these coders and hackers. In fact, the whole notion of hacking has a very troubled side where illegal activities are the norm because the ethical and moral question of “should I do this” has not even been contemplated over the desire to know things. Sometimes I personally think that there is a fair bit of sociopathic behaviour in this community to begin with so that actually kind of aligns with the argument that ethics have not even been contemplated in some of these works. So as we move forward into a world of cyber warfare we have to care for the ethics and morality of what we do just as we have in all other forms of warfare in the civilized world.

While people like Katie Moussouris advocate for penetration testing tools being classified in ways that do not declare them illegal, we too have to look at the ethical concerns of the tools and how they are released to the world at large. Wassenaar is a great idea, but I feel that it is a myopic approach to larger issues in our ever more connected world. If you look at the Balkanization of the internet, with China and Russia joining together in a pact to repel US hegemony over the internet, you have to follow that all the way back to the tools that make such issues possible: the tools that you all create for hacking and exploitation, over which you should have some ethical concerns when they are used perhaps in ways you did not intend.

Thus, take the ethical pause before you just dump them online …Unless all you care about is watching the world burn.

K.

Written by Krypt3ia

2018/02/02 at 20:12

Posted in Infosec, Uncategorized