(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Two More Da’eshbag Darknet Sites Popped Up

leave a comment »

Screenshot from 2016-04-29 08:48:34The Cyber Kahilafah

 A couple more daring Da’eshbags have decided that the darknet is the place for them to spread their propaganda. The sites just popped up and aren’t quite finished. The Cyber “Khahilafah” خِلافة “Caliphate” has a total of 5 main pages with links off of those to other internal and external pages.The main page has the following text:

Screenshot from 2016-04-29 10:54:27

Fight in the cause of God those who fight you not transgress Allah loveth not aggressors} Al-Baqarah: 190}

————————————————– ———-

The books you dislike it, and it may be that you dislike a thing which is good for you, and that ye love a thing which is bad for you. Allah knows and you do not know the cow} 216}

————————————————– ———-

Very soon will be open all sections

We hope to collect the largest number of individual wolves

Cyber kahilafah

!Beware no joking here!

Overall this page is really quite simple and reminds me of just about every other page on the darknet (some remnant from Geocities got loose in the darknet and multiplied!) it’s kinda ugly and simple. As the site is not finished there isn’t much to look at right now but I thought I would archive it and pass it along before the kids hear about it and DD0S the crap out of it or hack the node and take it down. Of course if someone hacks it and somehow get’s a raw IP that would be interesting huh? *hint hint NSA*

Anywho, this site is different from the last one because it is not really pulling a whole lot from the clearnet and it is certainly not at this time like any of the other jihadi boards out there but it seems to me that is what they may be aiming at later on down the line. I am sure it won’t be around that long anyway but it’s amusing to see them try.. Ok on to the data and further below the second site!


The sub pages consist of the following headings:


Screenshot from 2016-04-29 10:27:03with sub categories of /bomb/ for redundancy?


which seems to be a version of Keffeyah which is a scarf, head dress common to the region.

Screenshot from 2016-04-29 10:29:21

Both of the downloads fail and the domain they point to are:

Now the 00-up domain is interesting because it has a long stories WHOIS history and the present owner is a Mohammed Ezz out of Egypt according to the data.

Screenshot from 2016-04-29 10:32:08

Screenshot from 2016-04-29 10:33:00/army/

Screenshot from 2016-04-29 10:44:15/army/ only has “coming soon” in Arabi on it at the moment


has the following single page with a link (Infantry Mechanisms In Desert Operations)

Screenshot from 2016-04-29 10:45:15

Screenshot from 2016-04-29 10:45:54

The desert operations piece is pretty much a re-hash of the desert war tactics from WWII. It’s an interesting read if you are in to desert warfare but I am not sure why they have put this up there because it is specific to the Sahara.


Isdarat we saw the last time and refers to so maybe these are the same guys?

Screenshot from 2016-04-29 10:44:15Another “coming soon” image


Screenshot from 2016-04-29 10:51:59

“Kalashnikov Weapon” which links to some videos that don’t work

Screenshot from 2016-04-29 10:53:11

That’s all she wrote for this site. The next one though is a stand alone with the same name as this one but really is just a shingle for the Da’esh Cyber Kahilafah Al Bayan (popular news paper in the region) radio link. This link is not working but there were some interesting links that were offshoots to this.

 Screenshot from 2016-04-29 09:52:20Cyber Khaliafa Radio (non functional)

Now Al Bayan is the radio station that the da’eshbags started when they took over a station in the region. It is on FM and cannot be heard here unless you get it online. Thus this page and links. As they are not working it may be that they only post things or make the link live at certain times. In any case, the links on this page led to the clearnet and some interesting people and places (see below)

Screenshot from 2016-04-29 11:25:43

Screenshot from 2016-04-29 10:10:54


Screenshot from 2016-04-29 10:11:18


Screenshot from 2016-04-29 10:19:22

Screenshot from 2016-04-29 10:21:29

I have yet to try and give a listen but when I get a working link I will. Until then, you kids have fun with these guys in the darknets! Once again they show that they have some sophistication in being able to set up a tor site but then they completely lack the ability to really program it or keep it online. These are not the cyber warriors the media would like you to think they are.

Dr. K.

EDIT: There is a THIRD site evidently. I have found the “creator” of the site and located yet another page he/she/they are looking to link from. This one will eventually have the bomb making tutorials for making phone bombs.

Screenshot from 2016-04-29 13:12:15


Written by Krypt3ia

2016/04/29 at 15:28

Posted in Da'esh, DARKNET

Book Review: Among Enemies Counter Espionage for the Business Traveller

leave a comment »



It is not often that I find a book that I just want to read right away and put everything else in my busy reading schedule down for. In this instance I have to say that this book looked good right out of the gate for me so I put everything else on the back burner. At 150 pages give or take, it was a quick read yet quite informative on topics of espionage and counter-espionage tactics and techniques for the lay person. What really got me thinking though was that this book really could and should be a part of every companies security awareness program and not just for executives.

Of course with the prevalence of today’s electronic spying (by hacking or by outright hoovering of all data by nation states) one tends to think that old school HUMINT (Human Intelligence) is no longer as useful as it once was. This is not really the case though and I want you all to consider that as you think about your security programs or your personal security. Not everything has to be some technical HIDS/NIDS/AV/Firewall end run to get you into the network today and much of the time in today’s world you can see this at play with the simplest of attacks against end users with phishing and spear phishing. Truly the human element is the weakest and the most powerful at the same time when it comes to the success or failure of security machinations. In fact you will hear it often spoken as an aphorism of sorts but it is true that the “insider threat is the biggest threat” and it is literally true. This is where HUMINT is still useful in not only gaining access to a network let’s say, but also much more if you can leverage an asset into doing your bidding.

The book covers all the bases on how differing types of “collectors” aka spies both private and nation state can and will attempt to elicit, recruit, or blackmail the would be asset into working for them. Bencie also covers the issues of personal security around yourself and your technology that you carry (e.g. laptops, phones, tablets, etc) that are leveraged for theft and access as well. If a collector doesn’t need to recruit the target because the target left their laptop in their hotel room, on and logged in, well then no need right? Suffice to say that today we carry as much information and access on us as much as in our heads and this is what the industrial spy or nation state spy craves.

Now, one might at this point be asking one’s self “Well, what would anyone want from me? I mean, I am not that important, just a cog in my company that’s under appreciated, no one would send a spy after me.” … and you would be wrong to think this. Access is access and if a collector can get access to you and your technology (e.g.your network by hacking your laptop or phone) then they will. While there is a sniff test that a collector will make on people as they watch them, much of the math here is how vulnerable is the target and how easily could they be manipulated into what is needed to succeed. Bencie covers many scenarios that may seem like spy thriller pulp but take it from me, these things have happened and still do. In fact he uses real stories to back up the scenarios from the people that they really happened to. These are not just the things of spy thrillers and film and the general populace should be aware of this especially if they are on travel for work, more so if they are in a foreign country while doing so.

Finally though, as much as this book is something I am going to recommend to executives, I would also like to turn my eye inward to the community *cough* that I currently am in. That community is the information security community specifically. We INFOSEC people are probably the ones that I would consider to be some of the juiciest targets in today’s technical world where everything is network oriented. Whether you are a red team person or a blue team person, you all have information inside your heads and on your hard drives that the adversaries would love to have. As we are moving into the con season (Defcon and BlackHat to be specific) we all will descend on Las Vegas for serious convention learning and exchange of info… Oh who am I kidding? It’s a party festival of drunken debauchery and shenanigans right? If you have not considered just how many corporate or nation state collectors (spies) are also there looking at you dear con goer as a possible asset, then you just ain’t thinking straight!

I am hereby recommending that everyone going to these con’s read this book and take it to heart that YOU are a target at these two con’s if no other. Take heed of Bencie’s suggestions on controlling the drinking as well as what information you share with anyone. I also implore you to read and learn about the methods of elicitation that the spies use to get information from you when you may have no idea they are doing it. If you work in this field and you hold what we would consider secret information on the vulnerabilities of companies you have hacked in a red team event, or have been trying to remediate as a blue teamer, this book is important for you. But hey, Defcon is all a good time! Until you wake up in the desert with a note threatening to release the pictures of you to everyone unless you do what they say.

Just sayin…

Go buy this book. Read it. Live it.

All business is warfare so don’t be the next dead foot soldier.


Written by Krypt3ia

2016/04/14 at 19:03

Posted in Espionage, Tradecraft, TSCM

Da’esh Terrorism As Advertising

leave a comment »

Screenshot from 2016-04-11 13:26:22


Someone on Twitter recently passed along this little email from ZENEDGE to me in hopes that I would have something to say. That someone was right and what I have to say is not going to be nice. The email, a marketing email, purports to be selling cyber services because “Terrorism” for all your cyber security needs. This frankly is one of the more craven and baseless marketing emails that I have seen of late and I agree’d with the sender that it warranted my special attention. So Leon Kuperman, and ZENEDGE, here’s your special attention!

First off, I would like to take the time to extend my sympathies to anyone who has been touched by terrorism and specifically to those in Brussels as they are used as a pastiche for this tissue of marketing bullshit you see before you. The article, and I call it that quite loosely, starts off claiming that “terrorists” and names da’esh (ISIS) are in it for the “terror” and that terror is able to strike anywhere! Anywhere to ZENEDGE means *gasp* online and you gentle reader are in danger of being cyber terrorized.

The past several months have brought a string of terror attacks and violent incidents, which not only claim lives but cause worldwide feelings of fear and vulnerability. It seems that groups of terrorists like ISIS can strike when and where they want.

As the authorities ramp up surveillance, such attackers simply adapt and change their tactics. They have learned to be patient and to leave few traces.

Stopping terror groups and other bad actors requires an evolving approach. Because these attackers don’t rely on yesterday’s methods for launching the next strike, authorities can’t rely on yesterday’s surveillance and intervention methods if they want to stop the attacks before they happen.

This is especially true as terror groups take their fight from the streets to The Street.

Oh my god, the terrorists can strike “The Street” Wait, what? What does that even mean? Are they going to attack Wall Street? Mulberry Street? So da’esh can strike anywhere anytime? Really? Like in my office here? My bedroom? ..*gasp*… My bathroom? What a crock of shit. But wait, it gets better! Because of “surveillance” the da’esh masters of terror are evading yesterday’s surveillance! They have gone DARK!

*gong sound with ominous portents*

Terror attacks serve a dual purpose: They not only harm or kill people, they send psychological shock waves throughout the world. After the rubble is cleared, fear and insecurity persist. This is what the attackers count on. For this reason, it is certain that terrorist organizations will increasingly bring their attacks to the online world, where ideologically motivated players — like Anonymous and New World Hacking — have already made a splash.

That’s right anonymous like entities will be committing the cyber terror in a place near you soon! They will either scar you psychologically or they will outright CYBER KILL you! Honestly this is one of the most egregious marketing mails that I have seen with it’s bated breathy scare tactics. It goes on and you can go read it for yourselves. I will not belabor you with it all here but I felt moved to call this kind of bullshit out. They continue on with the usual bugaboo’s of the scary darknet and operators therein being paid by da’esh to attack all our networks and maybe even a dam or YOUR NETWORK!

*insert scar balaclava da’esh hacker imagery here* BOOGA BOOGA!

Ostensibly this marketing blast is out there to sell ZENEDGE’s wares, whatever they may be because it really doesn’t give you a menu or anything to look at. It only says that you need to be proactive to stop the terrorists. So is password management with 2FA and having a good security program in general proactive enough to stop da’esh? Frankly, yes, in fact da’esh isn’t a cyber threat here and never will be. Let me set you straight Leon da’esh is not a hacker collective, their online propaganda is just that and their hackers, if you want to call them that loosely, are not a threat to much of anything but a poorly configured web page. Your using them and the events in Brussels as a sales pitch are in point of fact craven and the lowest form of marketing I for one have seen.

Leon, buddy, stop with the scare tactics bullshit and just try to sell your wares elsewhere. Stop trying to use tragedy as a sales and marketing tool you tool.

Dr. K.

Written by Krypt3ia

2016/04/11 at 18:16

Posted in Cyber

Insider Threats: The Most Dangerous Threat

leave a comment »

Screenshot from 2016-03-14 07:58:00

On The Seven Pillars of Wisdom the notion that the “insider threat” can be one of the most devastating threats to an organization. I have pointed this out before concerning INFOSEC but I thought it would be prudent to do so again with the story of the caliphate and Abu Hamed. As a practitioner of the INOSEC arts *chuckle* one of the things that we have to take into account in the #BlueTeamLife is the insider threat and the general tenor within the organizations we work for. One has to take the pulse of the org and see what the overall temp is of the work force. Have there been layoffs? Are people generally disgruntled? Who amongst them may be a turncoat and be stealing your data or setting up the Locky malware inside your domain controllers?

All of these thoughts should cross your mind now and again as an internal player within a security organization. Frankly yes, you can have utter devastation to your network and your org from just one end user being click happy, but imagine if you will a disgruntled employee who has keys to the kingdom and a will to wreck it all as they give you the finger walking out the door. I personally have been party to one such incident that included a logic bomb and many hours trying to figure out what they did to get the org working again. You can never discount the insider threat and you shouldn’t.

The same can be said about agent provocateurs in your org as well. This may seem like fiction to you but consider where you work and what they have as data goes. Would a competitor want to steal that data? Perhaps they would instead like to burn your org down to the ground to get ahead? All of these scenarios are possible and you as the #BlueTeamLifer have to consider these things as you attempt to secure the sieve that is your networking environment.

Do you have any content in your awareness training about outsiders trying to get information from your employee base? Do you have content about not wearing badges to local bars or being circumspect at conferences? If not, perhaps you should assess your crown jewels and start creating some.

At the end of the day it is better to be prepared for this type of activity than to be totally unaware of the possibility.

Think about it.


Written by Krypt3ia

2016/03/14 at 12:10

“The Red Room” A Chamber of Horrors on The DarkNets?

leave a comment »


The Mikado: MillenniuM S03E13

I often like to take little trips into the dark seedy underbelly of the internet called the Darknet. Well today was just another day for that kind of thing until I came upon a site that claims to be a “Red Room” A “Red Room” is really a composite urban legend where snuff films and extreme BDSM meet in a dark corner of the internet. Up until today there have been many rumours of sites and often times one can find alleged “Snuff” films on the internet and darknet. This site though has a twist to the old rubric, this site wants you to sign up and pay a fee in BitCoin in order to watch content live in the future, 136 days in the future to be precise (see image below)

Screenshot from 2016-03-07 14:27:24

The spooky bloody countdown!

Now I don’t know about you all, but well, I have come across various sites in the corners of the net and of course in the darknet that, shall we say had unsavoury content in the past. You can imagine the kinds of things one see’s on the net especially if you consider “Rule 34” and have been around long enough *shudder* Anywho, this site piqued my interest because it reminded me a lot of an episode of MillenniuM back in the late 90’s. This episode pretty much presaged this site’s intent with an early online site that could not be traced being run by a serial killer who was killing people live online according to the number of hits the site got (see image at top, the number is how many hits he wanted before killing her)

Now I remember thinking that this was all bogus back then, particularly over the tech speak that they tried to use with the hacker trying to capture the location of the kill site. I tell ya, it was hilarious up to a point but I really had to wonder at the time whether or not this kind of thing would eventually become a reality. The site that I located today might be the real deal, but I really tend to think this is a little scam on the part of some enterprising Germans. I mean come on! Give me some content to start with that will make me WANT to give you Bitcoins guys!

Anyway, this site claims the following as it’s hook:

Three people will die … just one will survive. You will decide who is the lucky one. Livestream from 4 diffrent locations in this world. You decide what each person deserves. Choose between 67 diffrent torture methods. Whether physical or psychological pain, you choose by voting. All four camera livestreams on one site with a chat for each camera. Interested? Register now! More information after registration. Important! Access is limited to 300 registrations! Login will be possible 3 days before it starts.

So three unknown people will die after torture and the viewers are to choose the one who will live. With a wide array of torture methods (what we don’t know) including psychological torture how can one resist this? Frankly this reminds me of a recent “Castle” episode with the school room and the tortured kid (now grown up) who started killing people off with puzzles and terror.

Oooh… Ahhhhh…

Screenshot from 2016-03-07 14:27:14The registration page

Screenshot from 2016-03-07 14:38:03Confirmed accounts (notice the 176/300) ORLY?

The site is kinda poorly coded and leaves too much of a trail for someone to follow back to the creators. The BitCoin wallet was created recently it seems and has no transactions at all. So if there are people who have signed up where are their Bitcoins? According to the site out of 300 spots to view the murder/torture of unknown people 123 were taking up already. Would this not mean that there should be a substantial amount of Bitcoins in the wallet? The net here if 300 people actually paid the Bitcoins would net the creators about 300 Bitcoins (today $123,591.00) which is a tidy sum. If you then believe the site and not the Bitcoin wallet taint then 123 Bitcoins given already would total $50,672.31 Now if you look at the second page that you can access via code, you see that 176 people have allegedly signed up. Well, that would be how much in Bitcoin? Oh yeah: $72,506.72 so where are those funds HMMMMMM??? I am sure some Treasury or DEA agent would love to steal those eh?


Screenshot from 2016-03-07 14:28:33Blockchain Taint


Screenshot from 2016-03-07 14:43:21German language in the code

Another fascinating fact that I alluded to above is that this site was likely created by “Zose vacky Germans” as there are German words in the code and the video (oh yes, there is a video but in reality there is only text in it so cool down!) It figures that the cultural reference that ran through my head was the Cartman’s mother in Scheise videos here! Yep yep, German BDSM Red Rooms on the darknet! I can see the headlines now on Vice! Breathless stories about how the world is coming to an end and that the cause will not be something like an asteroid or a nuke, nope, it will be a Red Room that will drive our civilisation over the edge!

Alrighty, this was amusing. I will chalk this up to Slenderman and the other internet born Red Roomy urban legends. While I would not discount this kind of thing going on and being only something the Illuminati get to see, I seriously doubt that this is a real thing. If you decide to part with a bitcoin gentle reader, let me know how that goes for you. I will keep an eye on the site to see if anything interesting happens in 136 days.




Written by Krypt3ia

2016/03/07 at 21:58

Posted in DARKNET

“Прикарпаттяобленерго”: The “First” Attack On Infrastructure

leave a comment »

Screenshot from 2016-03-04 11:21:42

The Attack:

Well there has been a great hubbub about the “first” true cyber attack on an infrastructure system(s) in Ukraine and while I agree that it may be the first (admitted to) it is not something that is on par with the attack on Natanz frankly. As the reports keep coming out and feeds like Wired write kitschy articles about the super scary world we now live in, I thought it would be interesting to cut the bullshit and just put some data out there with some commentary on this event.

So yeah, 225k people were without power for a little while and overall this attack does in fact show us all just how probable this is on select targets, it should also show just how much work it takes to perform one of these. It should also show us all how segmented the systems are and how hard it would be to have an apocalypse event ala “Lights Out” happen anywhere in the world never mind America. The fact that the power was restored fairly quickly and that even when the attackers had tried to keep them down for longer, the systems are also resilient enough and manual enough to keep the lights on. It’s not all cyber and nor should it ever be.

What should be surprising if not galling is that the pre-attack work carried out by the adversaries (*cough Russia cough*) was easily successful and allowed access for the teams to recon the facilities, gain further access, and launch the attack in the end without every being detected and perhaps stopped. Why was this the case? Because this company, even with “robust firewalls” was not doing the due diligence is watching it’s network and did not have a SOC (Security Operations Center) that could monitor the traffic to determine bad actors within. What should worry you even more is that in talking to insiders in the power industry and from personal experience, these people were much better at security than the majority of the companies out there today including many in the US.


At the end of the day some of this is interesting but the majority of this attack is pedestrian in the grander scheme. This was a soft target and it was more than likely that it was Russia, a nation state at either the behest of Putin or Putin at the behest of his oligarch pals that did this. This is to say that any reasonably monied group could hire hacker teams to do the same anywhere else. This was a big fuck you to the power company and to Ukraine. It had thinly veiled Russian connection(s) and it has yet to be seen what if any response this will garner from Ukraine and the companies involved who may or may not be seeking to diversify their power generation and transmission.

There will be games…


So what happened in this attack?

  • The adversary foot-printed the power company and went after the weak points (users in the network) with phishing emails
  • The phish consisted of MACRO based word documents (VBA) that connected to C2 and got modules to further compromise the networks
  • The adversary then mapped the network and performed recon
  • The adversary gained access to VPN’s as well to remotely connect to ICS systems that lacked 2FA
  • The adversary planned their attack and set the stage to not only shut down the power but also to DoS the call center in an effort to muddy the waters and extend the attack


  • The adversary launches the attack
    • They take down the power systems by controlling systems with stolen creds (RDP)
    • They over-write firmware with garbage to further prevent the attack from being thwarted and to cause a longer outage
    • They DoS the phone system (call center)
    • They killdisk things to make it harder to come back up
    • Basically they tried a fire sale but they failed because of manual systems

While this attack was effective and is a cautionary tale, once again, this is not an extinction level event here. It was well planned and it went off pretty well but remember that the target made it easy and I am afraid that that is the state of affairs everywhere today. So that should be something for you to mull over as you think about this attack.

My Own Recon:

I wanted to know just how easy a target the “Прикарпаттяобленерго” systems were or should I say are? I went out and did some recon of my own with some tools to see and I was not surprised by the results. For the most part this company shared a lot of information through metadata and an open network infrastructure. I did not attempt to run any other kind of vulnerability scan but you can see from the data below that it would be easy enough to profile the company, their security posture, and their network just from tools like Foca.

Screenshot from 2016-03-04 15:41:38Users and naming conventions


Screenshot from 2016-03-05 06:51:17System types and vulnerabilities


Screenshot from 2016-03-05 06:35:22186 documents downloaded via Google with metadata


Screenshot from 2016-03-05 06:34:28Users


Screenshot from 2016-03-05 06:34:09File structure and folders

Screenshot from 2016-03-05 06:33:42Email addresses

Screenshot from 2016-03-05 06:33:33Systems by OS (note Xp)


Just by using Foca I was able to really get an idea of what they had in the network and how I would formulate an attack to get inside and map things out some more. This type of information is not uncommon to find on the internet and frankly I could have honed in more by using things like LinkedIN and VK to search people and work the OSINT. Let’s just say that this was an easy target and they were unaware of the OSINT they were just giving up by placing all this stuff online.


I also downloaded reports from numerous sources out there trying to get market share by putting together these pdf’s on the malware and C2’s used in the attacks. Once again, really nothing new here kids. Sure they re-packed the malware to have new hashes that would not be easily detected but for the most part nothing novel here. They phished people with common doc and excel files that we all get in our daily lives in the corporate security world. Honestly these attacks could be mitigated by just taking admin away from the users and now allowing them to run macro’s when asked to in broken English (or Russian) but hey, who does that kind of security today huh?







FileHash-SHA1     c7e919622d6d8ea2491ed392a0f8457e4483eae9
FileHash-SHA1     a427b264c1bd2712d1178912753bac051a7a2f6c
FileHash-SHA1     166d71c63d0eb609c4f77499112965db7d9a51bb
FileHash-SHA1     be319672a87d0dd1f055ad1221b6ffd8c226a6e2
FileHash-SHA1     502bd7662a553397bbdcfa27b585d740a20c49fc
FileHash-SHA1     f3e41eb94c4d72a98cd743bbb02d248f510ad925
FileHash-SHA1     b05e577e002c510e7ab11b996a1cd8fe8fdada0c
FileHash-SHA1     069163e1fb606c6178e23066e0ac7b7f0e18506b
FileHash-SHA1     e5a2204f085c07250da07d71cb4e48769328d7dc
FileHash-SHA1     20901cc767055f29ca3b676550164a66f85e2a42
FileHash-SHA1     84248bc0ac1f2f42a41cfffa70b21b347ddc70e9
FileHash-SHA1     16f44fac7e8bc94eccd7ad9692e6665ef540eec4
FileHash-SHA1     4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c
FileHash-SHA1     1cbe4e22b034ee8ea8567e3f8eb9426b30d4affe
FileHash-SHA1     1a716bf5532c13fa0dc407d00acdc4a457fa87cd
FileHash-SHA1     4bc2bbd1809c8b66eecd7c28ac319b948577de7b
FileHash-SHA1     2c1260fd5ceaef3b5cb11d702edc4cdd1610c2ed
FileHash-SHA1     e40f0d402fdcba6dd7467c1366d040b02a44628c
FileHash-SHA1     a9aca6f541555619159640d3ebc570cdcdce0a0d
FileHash-SHA1     bd87cf5b66e36506f1d6774fd40c2c92a196e278
FileHash-SHA1     e1c2b28e6a35aeadb508c60a9d09ab7b1041afb8
FileHash-SHA1     1a86f7ef10849da7d36ca27d0c9b1d686768e177
FileHash-SHA1     2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1
FileHash-SHA1     6d6ba221da5b1ae1e910bbeaa07bd44aff26a7c0
FileHash-SHA1     72d0b326410e1d0705281fde83cb7c33c67bc8ca
FileHash-SHA1     cd07036416b3a344a34f4571ce6a1df3cbb5783f
FileHash-SHA1     896fcacff6310bbe5335677e99e4c3d370f73d96
FileHash-SHA1     672f5f332a6303080d807200a7f258c8155c54af
FileHash-SHA1     aa67ca4fb712374f5301d1d2bab0ac66107a4df1
FileHash-SHA1     0b4be96ada3b54453bd37130087618ea90168d72
FileHash-SHA1     d91e6bb091551e773b3933be5985f91711d6ac3b
FileHash-SHA1     8ad6f88c5813c2b4cd7abab1d6c056d95d6ac569



You all can comb through the C2’s and the PE files yourselves. It’s pretty common and certainly is not on par with Stuxnet. It did however do the job and once again I have to remind you that this shit should not really work in a properly secured environment with awareness for employees and some semblance of a SOC and some HIDS/NIDS right? I mean the C2’s are well known for being dirty so they should have been caught or blocked already. Take a look at the C2’s in the Netherlands and elsewhere and they have quite the bad history. Once again, this adversary did not have to work that hard.


Now on to the big “attribution” game that everyone likes to play. I looked at the C2’s and at the data around them with a jaundiced eye. It is clear that whoever did this had some money for teams of people to do the work but maybe they got the access from spammer/phishers already out there who maybe sold the access to start. It became clear though that two of the C2 addresses had quite the past with romance scams and pharma schemes online over the years.

Screenshot from 2016-03-04 15:10:04Euegene and Andrey (both pseudonyms) registered sites out of the UK


Screenshot from 2016-03-04 15:36:41Romance scammer emails found used circa 2012


Screenshot from 2016-03-04 09:41:39All the pharma attached to Eugene


Screenshot from 2016-03-04 09:37:31Eugene’s addresses all point back to a brownstone in the UK


Screenshot from 2016-03-04 09:27:13malware reported by drive by at C2 address


Screenshot from 2016-03-04 09:07:55A poor bastard being targeted in the Romance scam on VK

I will say that all of the backstop data seems to imply a Russian connection and if you look at the politics of the region as well as the fact that the Oligarchs and Pooty are in charge, it is not hard to make the conclusion. It is a conclusion though and not proof in any way. So, this attack likely was Russia but no one, let me repeat, no one, can tell you for sure. I am sure that in the RSA week last week many a vendor was trying to make a sale with sure-fire attribution that it was Russia SO BUY MY PRODUCT!

No.. Just no.

What Have We Learned?

What have we learned? Well, I learned that this is nothing new, nothing spectacular, and nothing really to write home about. I know that I could probably hire someone like Nickerson and his team to do the same thing to a like target so really this could be nation state or it could be some person with money or a grudge. What you all learn from this depends on the level of investigation and thought you put into it. As many of my readers are in the business, you are likely coming up with much the same assessment as I have. This was bad but it was bad because the security was lacking at the facilities. A soft target is a soft target so really this should not be some hyped up story for a new Kim Zetter novella.

Here’s what you really should learn from this:

  • Generally today infrastructure security sucks
  • An all out fire sale like you saw in Die Hard is not likely because of manual systems still in place and segmentation
  • You should have a backup plan for power just like you should if you live in an area that gets snow and ice that knocks out power

Everyone seems to be all worked up about cyber war and frankly the gleam in too many people’s eyes makes me kind of sick. Lately I have been mulling over in my head the fact that no matter the technology humans always seek to weaponize it or use it against one another and that just sucks. We are our own worst enemies because we create this stuff insecurely, we manage it insecurely and we leverage it against one another for personal, political, or monetary gain. In short; “This is why we can’t have anything nice”


Written by Krypt3ia

2016/03/05 at 22:12

1984… 1993… 2016.

with 2 comments


I remember seeing the Apple commercial back in the day when it came out that depicted 1984 as the catchy advertising plot point for the Mac computer at the time. If only Woz and Jobs has known just how prophetic those images would be today. I remember too back in 1993 when the idea was floated and a governmental movement began to have a back door (aka a clipper chip) inserted into systems to allow access by the government *cough NSA cough* to be able to see the “evil doers” and stop them. I also remember the sane stopped that from happening. Well, that was then and this is now, well past 9/11 and nigh on 16 years later, we are faced with not only a government toying with the idea again but a federal body demanding through writ of law that a company break the system they have created for what is being touted as the greater good.

Friends while I agree terrorism is bad (I was there a day after 9/11 and worked with the red cross there) I have to stop short at believing that the GWOT needs for us all to give up ALL semblance of personal privacy to fight the terrorists. In fact, I would like to call bullshit on the FBI’s and Comey’s desires to break the systems of cryptography for an alleged boon to the fight on terror. It has become clear that the director of the FBI is not a tech guy and does not understand crypto very well but that is no excuse to continue to leverage the courts to try to induce a company to break it’s system for one phone let alone the notion that this one instance would not be re-used and re-packaged to do so again whenever they (the FBI) liked. This is precedent time, not just a one off issue with a terrorists phone that may or may not have any data on it concerning other actors who may have radicalised Sayed Farook and his wife.

Clearly we are at a precipice here in our digital democracy that has been building for some time. I have attended more than a few seminars by the ACLU and the Electronic Frontier Foundation on the 4rth Amendment and the digital domain and I have to tell you we are all behind the 8 ball on this one with the way the government lawyers tend to think. I have seen people compelled to give their passwords against the 5th Amendment as well and folks it’s time for you to be rather concerned about this. This is the time to really fund the EFF and to bone up on your own rights where these matters are concerned. It is also time for the cypherpunks out there to double and triple in numbers. I hate to say it but I will put it in the common derpy vernacular that is all the rage now…

We are all at cyber war.

When you are at cyber war with a nation state you will lose.

Now, the US and the FBI are becoming the definition of a Nation State Actor. Though, not on a foreign nation. They are targeting you too.

Over reach by the FBI has been a thing for a long time and if you just Google it you will be able to read quite a lot about it. Now consider all of the machinations of the TAO and all of the legal wrangling their lawyers have done to make what they are doing rationalize as legal. Remember John Yoo? Well you should and if you don’t Google him up. It’s easy for lawyers to fuzz the legalities and the moralities into an ethics-less pile of phrases that only allow them to get away with things. I am going to guarantee you now that if this order goes through and Apple is forced to back door the iPhone at a base level, it will be re-used and it will be abused just like the use of STINGRAYS have been lately and it won’t stop there. Once the precedent has been set in law, the legal bar has been set and then it is just a matter of how long until the rights we all have been granted in the US under the Constitution get even more eroded by slick ideas and arguments by those with an agenda of fear.

Honestly, if you look at the history of the terrorism that has occurred these people are known quantities already and that is without the use of back doors or breaking hacking and negating rights. This is not a crypto issue but more so a law enforcement issue of not being able to keep up with their own databases. Please people, don’t buy into crypto being a clear and present danger to you and yours. Crypto is no existential threat, instead the abuse of the laws we have on the books is. Ordering Apple is just the next worst step on the slippery slope to becoming that which we have seen in the 1984 commercial.

Dr. K.


Written by Krypt3ia

2016/02/18 at 20:39

Posted in Crypto


Get every new post delivered to your Inbox.

Join 228 other followers