Post #2 Intelligence Life Cycle – Collection

fl0x2208Leave a comment

The collection phase helps respond to Intelligence requirements (including PIRs) and supports decision-makers and the Intelligence team. In this phase, the Intelligence team can develop a strategy to collect data directly related to the requirements. The data can either be sourced internally or externally.

QuestionPIRIRSources
What or where will a cyber-criminal target or attack ?YesInternet facing applications/systemInternal
What methods can a cyber-criminal use to target those systems ?NoYes. Here we are looking for TTPs. The HowExternal
Which cyber-criminals have capabilities to target those systems?No Yes. The who. Financially motivated threat actors, nation state actors External
Do we have historical data of the attempts against those systems?NoYes. Known exploitation attempts – includes The What, The How and The Who (if there was a successful attribution) Internal

Requirements Mapped to Sources

The following table shows some examples of Internal vs External sources.

Internal sourcesExternal Sources
Internal business units – if applicablePeer Industries
Configuration management database (CMDB)Government sectors
Security Operations team Vendors
Internal technical support teamLaw enforcement agences
Accounts and payroll teamClosed sourced communities

Sample Data Sources

Using the above table, we can infer the following.

  1. Intelligence team are to collect information on all internet facing application from internal sources,
  2. Intelligence team then looks for known methods (TTPs) used by the cyber-criminals known to target those systems from external sources.
  3. Assess the TTPs and disseminate the information to relevant teams with context responsible to protect internet facing systems.
  4. Repeat in identifying further IRs associated to given PIR.

Above is just one PIR mapped to sources. An organisation can have multiple PIRs provided priority is attached to it and relates to the organisation or business unit’s mission statement. 

Side Note: Recently, I was asked how to select vendors. Vendors are considered external sources. Based on the above example, we can see that the Intelligence team should map their requirements to sources they will require when designing their collection strategy. Once they are mapped, the Intelligence team can evaluate vendor offerings (must do a Proof-of-Value) and rate the content against the requirements. Remember vendors will give you data (a good starting point); it is up to the intelligence team to make sense of it and provide organisational context for decision-makers.

Take care and be safe!

Post #1 Intelligence Life Cycle – Planning & Direction – Intelligence Requirements

fl0x22081 Comment

Happy New Year to all, and let’s hope the year 2022 brings us good things. Unfortunately, 2021 was a bit hectic, which impacted my blog writing. So with this new year, I wanted to keep writing and start with one of my favourite topics – Intelligence.

The post (hopefully others) is to assist individuals or teams looking to start an in-house intelligence program. I will begin with Planning and Direction as the first part of the Intelligence Life Cycle. Intelligence analysts follow the Intelligence Cycle when a mission statement from senior/executive management is executed. This process ensures the analyst do their job accurately. These five steps are Planning & Direction, Collection, Processing, Analysis & Production, and Dissemination. Let’s take a closer look at each step:

  1. Planning and Direction: When TI analyst or team is tasked with a specific job, they begin planning what to do and how. As a team they should move in a specific direction to get the job done, listing what we know about the issue and what we need to find out. We discuss ways to gather the necessary intelligence. This is where we start with intelligence requirements.
  2. Collection: Based on requirements TI team collects information overtly (openly) and covertly (secretly/closed source). Reading public articles, newspapers and social media posts and blogs, listening to foreign radio, and watching overseas television broadcasts are examples of “overt” (or open) sources for us. Other information sources can be “covert” (or secret), such as information collected with sources on dark web forums, direct access to law enforcement etc. . For instance, TI analysts could actually become a part of a underground forum or a group discussing ways to target a bank.
  3. Processing: TI team takes all the information that they have collected and put it into an intelligence report. This information could be anything from a translated document to a description of a threat.
  4. Analysis and Production: During this step, TI team take a closer look at all the information and determine how it fits together, while concentrating on answering the original tasking (identified during intelligence gathering in planning phase). TI team is to assess what is happening, why it is happening, what might occur next, and how it affects banks interests.
  5. Dissemination: In this final step, TI team gives their final written analysis to a decision-makers (stakeholder). After reading the final analysis and learning the answer to the original question, the decision-makers may come back with more questions or act per recommendations if any. Then the whole process starts over again.

Planning and Direction is a phase where I strongly suggest considering human elements. Yes, I am talking about getting expertise, especially with an Intelligence background with a technical understanding of Cyber elements. Yes, giving a chance to fresh grads, fewer experienced individuals is ok, but still, seek out talented individuals who can assess an event thoroughly without bias and anchoring.

What are Intelligence Requirements and why are they required?

As per my LinkedIn post, Intelligence requirements are time-phased, mapped or tied with a single question and help make a decision.

Firstly, let’s understand what Intelligence requirements are, why we prioritise certain ones, and how they differentiate. For any Intelligence operations, an objective or, say, a mission statement (in the form of a question) is required, which helps determine requirements.

To have a working (different from successful), Intelligence program or, say, operations, a team or an organisation needs a way to measure it. One of the most crucial attributes of measuring the framework is the requirements. Once all these requirements get mapped and fulfilled, we can say that the Intelligence program is successful. With this blog article (first of many, hopefully), I hope to share what I know and how I believe an Intelligence program is established, starting with requirements gathering.

As we know, requirements typically come from decision-makers which may be mapped to some kind of mission statement. These requirements help them make a decision and help on a strategic level, usually towards reducing the organisation’s overall risk posture. However, I always had questions such as

  1. So how many decision-makers can be in an organisation?
  2. And do you ask each and every stakeholder?

Many teams do follow this path. Talk to all department heads and get multiple responses labelled as requirements. I would personally label them as “wants” rather than “needs” as they are mostly “I want to know all X targeting us”. The flaw here is that the answer to the question is precise to the unit or stream they manage. Converting them into something actionable that can defend the organisation becomes tedious, resulting in a non-effective intelligence program.

NOTE: Any vendors/organisations or entities who have already developed the program and are working should continue to do so. I am not saying they are wrong or not the way they should be. However, the following can be used as a reference or just a good read.

Here, you may see I have separated business and organisation as I believe their threats can be different and overlap. For example, consider a financial institution vs a government body. A financial institution has customers who use their commercial services, while a government body such as the one issues driving licenses are citizens and is not considered customers.

If the same exact type of cyber-attack (e.g. Denial of Service Attack) successfully takes the public-facing site of a financial institution and driving license site, it impacts

  1. Both organisations reputation that leads to trolling on social media, news articles etc which can impact company shares (for financial institution) if downtime is prolonged
  2. For financial institutions possibly loss of customers and in some cases investors if the event is not managed properly.

For financial institutions impact is more on customers due to their inability to access their data or account, which can channel into complaints, overload on technical support teams and complaints on social media. Yes, the organisation has to manage this; however, a business continuity plan kicks in this scenario.

Although the weapon of choice was the same, the impacts were different, and therefore, the responses were diverse. These responses are, in most cases, approved by decision-makers most likely influenced by the requirements mapped to their mission statement. It is highly likely, Intelligence team was not involved; however, a mission statement should be the same and can be taken as a priority intelligence requirement to begin the Intelligence cycle.

There is a possibility that a threat can impact both business and organisation, but I think threats can impact them individually. Therefore, these individual threats should be treated separately, and the underlying requirements that a business unit or an organisation requires should also be different. The following table is a rough representation of the type of threats and their impact.

ThreatImpacts BusinessImpacts Organisation
Denial of Service Attack against customer facing applicationsYesYes
Internal system compromise – MalwareNoYes
Insider leaking informationPartially Yes
Ransomware – depending on the extent of compromiseYesYes
Customer PhishingNoYes

Threats that can impact business and organisation

Based on the above table, decision-makers within a business unit or an organisation should align with their mission statement, which could be business continuity or protect the organisation from illegal activities.

Now, let’s dive into the type of questions that decision-makers should ask, which can assist the Intelligence team in assigning priority and initiating further steps of the Intelligence life cycle. Alternatively, a decision-maker can give a priority itself.

From Questions to Requirements – The What, The How and The Who

  1. What or where will a cyber-criminal target or attack? A decision-maker can ask this question which then can be categorised as a Priority Intelligence Requirement. The answer to the above question will most likely start with internet-facing applications/system, and therefore Intel team now have to rely on their Collection strategy.
  2. The corresponding Intelligence requirement follows that the Intelligence team either answers them or looks for more information, which is part of the collection phase discussed here.

I will end the blog as I want to keep it short and informative. I will be taking the further leap into phases of the Intelligence lifecycle in the coming blogs.

Take care and be safe!

Marketplace Update #1 – An Australian logs based Fraud Store

fl0x2208Leave a comment

Readers! Its been almost a year so apologies for not being proactive. Will now try and publish at-least once a week.

Recently, I came across a marketplace or a store called A1 FRAUDSTORE offering multiple compromised/stolen data related to Australian individuals.

  • Drivers Licence/Medicare/Passport Scans – Used heavily for identity takeover
  • Bank Logins – self explanatory
  • Debit / Credit Card + Fullz – Slang for data that usually contain an individual’s name, Social Security number (USA), birth date, account numbers, phone, address email etc.
  • Fresh Bank Drops
  • Physical Debit
  • Homemade Methods&Guides
  • Various Login Details (Email/Facebook/etc) – Did not find a section for these
  • Australia Post Lockers
  • NatWest phishing kit by Kr3pto

Identities

The stolen identities are used for account creation to apply loans, generic scams however mostly to act as drop accounts. Drop accounts are where fraudsters can send proceeds of crime usually collected by malware or phishing. One of the most known use of such drop accounts are via money mules working with Business Email Compromise actors.

Banks logs

These are banking credentials which allows initial login however, based on post-authentication controls actors may or may not be able to transfer the funds out. However, once actors logs in, they can get their hands on significant personal information that can be further use for fraud. At times, if a card is connected, they can perform online transaction without users knowledge.

In the screenshot, actor has advertised, 86400.com.au, Westpac and NAB account. Although, he does mention in the details that only Commonwealth logs are available which the drops down confirms.

Full package Bank drops

According to actor these are custom packs with has account access, associated card, identities used, associated sim card and email address. Advertised screenshot actor shows cards from

  • CUA bank
  • ANZ bank
  • NAB
  • Westpac
  • ING
  • 86400

This readily available account information is than used to receive fraudulent funds.

Australia Post lockers

Lockers are used to receiving unsolicited and illegal parcels – in many cases individuals uses this to get drugs.

NatWest Phishing Kit by kr3pto

kr3pto is an alias of a threat actor known to create multiple phishing kits – more can be read at https://www.wmcglobal.com/blog/threat-actor-update-kr3pto

Store information

Link > meows://aaa111.company.site

; <<>> DiG 9.10.6 <<>> https://aaa111.company.site
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;https://aaa111.company.site.	IN	A

;; ANSWER SECTION:
https://aaa111.company.site. 59	IN	A	3.223.246.100
https://aaa111.company.site. 59	IN	A	3.225.248.13

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb 27 15:43:16 AEDT 2021
;; MSG SIZE  rcvd: 88

Whois suggest range is assigned to Amazon and on ASN – AS14618 – AMAZON-AES

Final Words

Selling such data over marketplaces and over messengers is very common however, a dedicated store suggests increasing demand with success of getting hands on compromised data. Return on investment of these data is easily calculated as certain information can be used multiple times and one single success can provide thousands of dollar.

It is advisable for banks that once these drop accounts are identified it should be shared with agencies that can relay this information further to other financial institutions. It is also recommended to have proper KYC check right when an account application is being filled – whether online or in branch or via post application. A check against a known blacklist to reduce number of such drop accounts is recommended. Another option is to enable multi-factor right on login page – meaning only username and password even phishing will be of no use. One might debate the feasibility and usability but that’s banks call however, I do believe if actual survey is done account holders may pick security over them. a new change will always see some friction but if its towards improvement the positives will be eventually seen.

Banks can use above screenshots or monitor the store to identify victims and should be also able to pivot in how the actor got the data which could be mostly via phishing (could be malware) and login times and usage etc which can then be acted upon.

Fake New Order on Hold serving Formbook Stealer

fl0x2208Leave a comment

Our research team has identified a campaign in wild serving Formbook stealer. Based on the email content and sender it seems targeted towards UK. Below is the screenshot of the email body.

Screen Shot 2020-04-21 at 8.16.03 pm

  • Email Attachment – Scan 1722020 pdf.zip
  • Hash – e5eb58f54fa93643b576611712afcf27
  • Zipped Exe – Scan 1722020 pdf.exe – Any.Run
  • Hash – 2c30459f114032b16470666e7010e770

Infection Flow

Screen Shot 2020-04-22 at 2.11.52 pm

GET/POST Requests:

  • hxxp://www.pabloms.com/wtm/- 54.36.201.100
  • hxxp://www.briartekinternal.com/wtm – 192.0.78.25
  • hxxp://www.nwrefacing.com/wtm/ – 50.63.202.47
  • hxxp://www.nacemo.com/wtm/- 63.250.33.106
  • hxxp://www.dinezonekuwait.com/wtm/ – 216.239.34.21

 

 

 

Gozi ISFB RM3 and Me : A Diamond Model Approach

fl0x2208Leave a comment
Readers!
Few weeks back I was invited to present at Malware and Reverse Engineering conference (MRE) and topic I chose to present is my understanding and research of Gozi ISFB over the years that is being noticed globally, with specific concentration on threat group operations in Australia.
Purpose of my presentation was to understand and learn about Gozi ISFB RM3 which is highly different from what we have seen in other regions. I have seen many analysis and articles on ISFB but very few provided information about following :
  • Gozi ISFB footprint
  • Adversaries
  • Capabilities
  • Infrastructure used
  • Target victims
The presentation was less technical and highly towards providing awareness on group operates and how we can protect us against the threat and can we? Lets start ..

Overall Statistics

Currently there are 38 individual groups (based on botid they use), across the globe,the table shows top 3 that are seen in Australia.

Infrastructure

    Infrastructure Overlap with Danabot

Above screenshot shows config from Danabot used by Affiliate ID 5 (zeus like) and Gozi ISFB RM3. Here, we can see that same inject server demo[.]maintrump[.]org is being used. This is clear indication that our adversaries are sharing infrastructure and working together.

Keitaro TDS

Keitaro TDS is a traffic distirbution system which is known to be used this group for web traffic filtering and distribution based on geo-location, user agents, device info etc.

BlackTDS

BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. BlackTDS offers a variety of services to its clients that they collectively refer to as a “Cloud TDS.” The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots — namely researchers and sandoxes. BlackTDS also includes access to fresh domains with clean reputations over HTTPS if required – https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds

Capabilities and Operations

 

With regards to monetization of stolen information we have seen new methods compared to just fund transfer to mule accounts. Few known methods are buying Bitcoins, buying products and resale once received, buying giftcards, cashapp transfer, transfer to paypal etc.

Mule recruitment Sample email

Above screenshot is a sample job advertisement to hire mules. Majority of times these mules are not aware that posters are part of such group. The mules are mostly looking for jobs from several days to weeks and are known to be in less fortunate demographics including students and immigrants. My next blog will concentrate on such environment that is responsible to fuel such activities.

Victims based on Configuration

47 banks on the target config and counting

Sample of Gozi ISFB RM3 configuration

RM3 Loader

When the initial loader (executable) is debugged we can see its version and build. Adversaries are calling it as RM3 – Full form is not known yet. Thanks to Vitali Kremez for the analysis.

Stage 2 inject code to send login info

Storing Victim Data

 

Hypothesized Operating model of the Adversary Group

  • Overlord – the one who looks after complete operations. Possibility they are part of organised crime. Very few evidence on what they are doing with the money beside living life of luxury. P.S. the name overlord is given by me
  • Operations
    • Coders
      • Senior Developers
        • Custom loaders
        • Bot developments
        • Writing banking injects
    • Junior developers
      • QA/review
      • minor updates
    • Botnet managers
      • Hosting providers
      • Traffic distribution system managers
  • Researchers
    • Target research and information gathering : Group of people that either had an account with targeted financial institutions or a disgruntled employee who may share information about target
  • Spammers
  • Phishers : This group is responsible in getting information or login details collected via generic credential phishing who accounts can be use to host initial delivery documents or send out email from
  • Recruitment
    • New coders
  • Sellers : Either sells data or advertised the service on forums
  • Accounts/Finance
    • Mule Operators/recruiters
      • Local
      • fly-in and fly-out
      • fraudsters to create fake business accounts
  • Finance managers : Either receives money from mules or responsible to buy other data/tools that can be used in the operations

Final Words

  • Understand our adversaries motives and intentions and make it hard for them to achieve their objectives.
  • Target what hurts them the most – which is money – if we make it harder for them to get what they want, in long run either they will stop or move else where
  • Another one is sharing – we do talk about sharing, creating standards, do lot of presentation, attend conferences and we have been doing this for years – however, do we need more ? Are we sharing information that useful or actionable ?
  • More involvement of Local authorities and giving them information to help in their investigation instead acting on the information and close out the doors because you did your job.
  • Look at a bigger picture in future – rather than a quick win in present.
  • Emerging technologies seems to be assisting cyber criminals more than organisations due to ease of availability and deployment within their infrastructure. Does these technologies vendors have some kind of compliance or standards or as long as they getting the money. Do organisations understand and assest these technologies and have some logic to detect them based on its footprint ?
  • As the group targets financial organisations, they do access the information via digital channels. Understand how they are accessing, baseline good traffic and monitor their digital identities/footprint. Keen eye will see difference which can be used a detection of such anomalies.
  • Bulletproof hosting providers and their abilities to mask adversarial activities with competitive rates assist further to accomplish objectives which is mostly financial gain.
  • Create mindset towards what these actors are doing and what kind of information they have at their disposal. With this we can answer what can happen. In intelligence, we gather information and assess it and based on that we find something to action on.
  • Lack of cyber laws within a region and corruption to certain extent also assist these cyber criminals to go on without any repurcusions. Can this change ?
  • Organisation concentrate on in-house awareness training and improving security contols and reducing risk by implementing various best practices, however most of the victims are non-employees and unaware of such existent threat. There should be programs to make sure these portential victims are well of an existent threat. Think beyond just a updating a website with known bads.

Cyber Threat Intelligence. Is it for me?

fl0x22082 Comments

Readers!

I have been working as a Cyber Threat intelligence area from quite a long time and today I want to talk about a question that I often get asked.

Do we need Cyber Threat Intelligence?

With this article I will try to answer as much as I can based on my personal experience.

Firstly, one must understand Cyber Threat intelligence and how it can help your organisation. But before we venture into Cyber world we must know Intelligence has always been there before Cyber was even a word. Simply, put Intelligence is ability to acquire certain knowledge and skills and apply where applicable or where they fit. However, as we know Intelligence is a very broad and there can be multiple answers to the question, how can we select one single answer?

Article from Martin T. Bimfort evaluates multiple definitions and perceptions of the person who is defining Intelligence in there own context with the knowledge and skills they have gathered in there field.

SANS CTI course generalized the definition as following:

Intelligence is the collecting and processing of information about a competitive entity and its agents, needed by an organisation or group for its security and well-being.

So, meaning of Intelligence for military individual and a chess player can be completely different and they both be right. However, is it possible they can have same goal? Yes. We all want to win!

Who are we are trying to win against? Enemies, nation state attackers, rival organizations or someone sitting next to you. Let’s call them Threats – internal or external. So does this threat existed before Cyber? Of course they did. However, the threats themselves were limited with their knowledge and skills compared to now.

From the beginning of the world, there has been war, where Intelligence helped to prepare against enemies. However, this was mostly HUMINT – Human Intelligence, where one of your trusted individual would go around enemy states and give the information back. We didn’t had emails so Falcon, dove were used to transfer messages. Than came ciphers to hide actual messages, morse code etc. From then to now we have seen tremendous uptick on tools and technologies that aids us in defending against these threats. Main point still remains, our threats have same tools and technologies. As time went by, Cyber Intelligence came into existence and now everybody wants to do it.

Note: Intelligence is a field of expertise and not everybody can do it. Steer away from those who claims, we provide Cyber intelligence or Threat intelligence services and just sharing IP addresses and sending email notification without context.

So coming back to the main point what should organizations consider if and when they require Cyber Threat intelligence services and what it actually is.

For me main reason to have a Cyber Threat intelligence program is that it provides actionable outcome or information that helps any organization to understand their security posture, how to deal with current threats, fills any security gaps and assist in reducing over all risk. For any organization that is planning to get into Cyber Threat Intelligence following are my prerequisites:

  1. Have a management agreement|vision|understanding in why they want the Cyber Threat intelligence program.
  2. Make sure its not a checkbox that needs to be ticked because of a compliance or insurance or its just cool to have it.
  3. Understand current Risk model of your organisation and works towards a strategy that aligns to your risk model.
  4. Understand Intelligence have different categories and they all require equal attention. Will discuss more in coming articles.
    1. Operational
    1. Tactical
    1. Strategic
  8. Hire expertise – being blunt, companies do tend to transfer or promote internal staff who lacks knowledge and experience in cyber intelligence including adversaries tools and techniques and believe it will yield positive results but actually steers the team to never ending ocean.

Organization may have more or less prerequisites, however I have seen some organization will just implement a program without considering any of the above points.

Consider following DONT’S:

  1. Do not believe that Cyber Threat intelligence is achievable by getting a platform or a service. It will help but they are just to supplement an established Threat intelligence program and assist in finding missing pieces.
  2. PowerPoint presentation IS NOT EQUAL TO expertise in Cyber Threat Intelligence. There are lot of vendors now jumping in Cyber Threat intelligence that believes a nice platform with indicators going to SIEM is the intelligence. They are just pretenders and one should stay away from them.
  3. Peer pressure : Do not think that your peer has Cyber threat intelligence program|vendor|platform, we should have that as well. Many organizations have done that mistake by just following what peers do or are doing, but forget the most important part to understand their own organization requirements, threats etc. This leaves them starting their journey with somebody else’s goal.

Once we understand our prerequisites and what is required we take a step further and understand what and Cyber Intelligence program should do. I have created my own Pyramid of Cyber Threat Intelligence and hope it can help others.

So how I read this. The bottom tip of the pyramid is where Intelligence provides actionable information which can be one or more shown under the line.

Screen Shot 2018-08-13 at 8.59.38 am

Threats are known to the organization via social media, vendor posts and direct notification and/or news articles. Information gathering starts from there and multiple phases that are shown in the pyramid.  Assessing and analyzing available data and identifying actionable information and disseminating the same to the relevant teams within organization to prepare our defenses against the identified threat is an output of Intelligence.

I also use the Pyramid to set my priorities. Closer to the intelligence section higher the priority it is. Organizations can take similar approach but may have different pieces that makes the pyramid. Remember the pieces should align to your organization Risk model and/or managements vision for what Cyber Intelligence team are supposed to do.

So answer to the question do I need Cyber Intelligence program is YES. Following points summaries my ideology that organization may want to follow when you want to start with the program:

  1. Gather requirements from your management and understand their vision of the Intelligence program.
  2. Understand current Risk model of your organization.
  3. Identify key people in your team with expertise|experience in Cyber Threat Intelligence and if not available consider hiring them.
  4. Once requirements are set, plan to put the requirements into action. This involves creating processes. Processes should be created keeping your audiences in mind. Audiences are the people who will receive this actionable information.
  5. Identify current tools and technologies already in place that aids the team in providing the information.
  6. If provided tools are not able to assist Intelligence team in their tasks look for alternatives. Alternatives firstly should be in-house development or an open source tools. However, these alternatives although has no direct cost involved, one must understand there is an indirect cost involved such as maintenance, hiring expertise to build the tool and managing the tool etc.
  7. Collect evidence for what is working and what is not. The evidence can help the team to prepare case to the management if there is any chance of asking more finance if/when required.
  8. If the team is decided to get external help identify which gaps are you trying to fill. Convert the gaps into use cases and the evidence collected will help us in the stage And if we decide external help is required, following are the few point to identify vendors:
    1. Identify vendors
    1. Convert the gaps into use cases. Provide the use cases to about 3 vendors.
    1. Check with your peers. This helps in to understand why they choose certain vendor.
    1. Do a bit of research of known vendors with expertise in your line of business
    1. Look up there external presence such as public articles, intelligence reports, known work with law enforcement etc.
  14. Once identified give them the use case and see the outcome and verify whether it is actually filling your gaps.
  15. If yes take it to the management
  16. Cross Fingers 🙂

Before finishing DO NOT consider following vendor types :

  1. Vendors with no public presence or any evidence of helping community.
  2. Consultancy firms who just talks about in social media and conferences with no actual work in intelligence.
  3. Vendors who are not in expert and does multiple things and thinks adding Cyber Intelligence service on the brochure is the way to go.

I would still like to name few vendors that one should check out. This is purely based on my personal experience and their assistance to community.

  1. GroupIB : Good with their malware and carding information. Been known of IR in multiple countries.
  2. Proofpoint : Good with their malware intelligence.
  3. Recorded Future : Good with their public blog articles and presentations.

Also, wanted to thanks Robert M. Lee, instructor in SANS for Cyber Intelligence course.

Final words:

Intelligence should assist in making decision to assist organization in improving its security  posture. Intelligence starts with your logs so make sure you listen to them what they have to say. Intelligence should sit in the middle of all other teams and can assist at every stage within organization so transparency and sharing of information helps.

I hope the article is useful. Thoughts and feedback are welcome.

Gathering Information about targets

fl0x2208Leave a comment

Part II

Once the target is identified/determined attackers begin their tasks. Now we must understand, to launch an attack or gather information, they will rely on the available tools and capabilities that they have.

As per my previous post targets are also determined based on the tools that they can buy or create based on their intent, motives and capabilities. Most of the time their motive is financial gain. Below are few tools that are available to sophisticated attackers and script kiddies as well:

  • Kali Linux comes with plethora of tools starting from gathering information to launch attacks.
  • AutoSploit
  • MetaSploit
  • PowerSploit
  • Exploit builders – Available on multiple marketplaces – these are usually for sale/rent.
  • XXXXX-as-a-service – Malware, ransomware, crypto and others. These services are either for sale or rent. Customized services are also available based on requests such as banking injects.
  • Services like BlackTDS – BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. Proofpoint article.
  • Underground forums/marketplaces where the mentioned or other services and/or tools are advertised.
  • Cracked vendor tools
  • Tools/Project available on Github.

Few underground marketplaces :

  • exploit.in
  • antichat.ru
  • cop.su
  • zloy.bz
  • hackersoft.ru
  • darkweb.ws

Why this is important to know? As a target (any organisation or individual users) one should know about the tools that can be used against that. Monitoring such tools and understanding them can assist to prepare against whats coming.

More about information gathering can be found on my previous blog entry : https://fl0x2208.com/2015/11/28/information-gathering-then-now-and-why/

Consider a scenario of phishing users to get the credentials. Now understand when these credentials are collected they are mostly sold on marketplaces.

  1. Motive : Financial Gain
  2. Targets : To phish a user they need to contact them. Its mostly done via their email address or phone.
  3. Getting Emails/phone numbers : Again, this goes back to marketplaces where people sell dumps containing emails and phone numbers from other site. These hacks are mostly done to get vouches and recognition on the underground marketplaces. Other way to get emails/phone numbers are scanning social media sites and other publicly available.
  4. Tools : Bought a phishing kit or created phishing kit. There are document templates and pages available that these actors can use for phishing.
  5. Phishing hosting or compromise a site : Tools mentioned about such as blackTDS, VPS service providers etc helps to host the phishing site. If not attackers looks for vulnerable public sites and host their phishing pages. To compromise they use tools available in Kali for example.
  6. Actions : Mostly the credentials are stored on a database via POST information to php or they are sent to an email address. These credentials are then either used or sold on underground marketplaces.

The cycle continues with number 1 for same scenario or different.

What can we do to stop this?

This can’t be stopped. However, we can make it harder for the phishers or not fall for the phishing by educating ourselves. Being pro-active and notifying phishing attempt to authorities or the organisation that has been phished can also help to take down the phishing site as early as possible.

Following are some links showing some phishing examples:

 

Profiling the adversary : Target Determination

fl0x2208Leave a comment

Readers!

As mentioned on my recent LinkedIn update, this is the first blog article in this series about what our adversaries do and from their objectives/actions how a target can learn.

Executives or higher management asks mostly following questions :

  • What is current threat landscape ?
  • How do we protect our organisation ?
  • What is targeting us ?
  • What are our current cyber security risks ?
  • Are we getting return on investment from the the products we have ?

Mostly the executive summary is trying to answer these questions – sometimes other. We always looks for the answers to these questions from our vendors, internal teams etc. However, are we asking right questions ? How about,

  • Why are they targeting us ?
  • What kind of information they are after ? Why ?
  • What kind of data/information they are leveraging ?

To answer these questions we need a combination, to profile what adversaries are doing and what we know about our own organisation.

Based on my experience, I have noticed that there are very few documentation or approaches out there with regards to what Targets (organisations not individual users) should be doing before and after any adversary targets and attacks them. Normally, vendors or organisations follow a framework or a model that is out there.

Lockheed Martin’s Cyber Kill Chain is a good model to understand attackers actions  and understanding their objectives and how an organisation as a victim can defend themselves. However, in my hypotheses before targeting an individual or an organisation or a nation, one must first determine the target. This determination is based on INTENT, MOTIVE and CAPABILITY of an attacker/adversary.

Mission of the blog is to understand what steps does attackers/adversaries take, profile them based on the steps taken and as a target what we are suppose to do. Seems like we perform reconnaissance ourselves. Many organisations put this under Reconnaissance phase (Information Gathering), which is wrong. Consider you are traveling :

  • Target : I have 4 days of holidays I will go to place A.
  • Reconnaissance : How do i get there, means of transportation, which hotel to stay in etc

You can see clear differences between the two.

At the end of series, the goal will be to profile attackers, their objectives and what tools, techniques and procedures they use and how we can defend ourselves or at least be pro-active in our incident response. Of what I have mentioned, likely is known globally but, still hoping to spread the word. Later, will also try to match with Diamond model which is very useful in understanding an Attacker and their capabilities.

Every attacker/adversary has an INTENT and MOTIVE to perform an attack or target an entity and for a successful attack their capabilities are also important. From highly sophisticated to script kiddies they have certain objectives. However, intent and motives are majorly used in law and justice field and not on threat report. At-least the reports that I have seen does not mention it. In my opinion, the fields is not only when we have to go to court, but we can also use it to understand our adversaries and  prepare ourselves.

This being said, for me the first phase should be Target Determination or Determining a target, that fits attackers/adversaries objectives. Recently, MITRE has updated the TTP matrix with Pre-ATTACK. The matrix provides the ability to prevent an attack before the adversary has a chance to get in.

We can distribute attackers/adversaries into two groups :

  1. Insiders – Disgruntled employees,
  2. Outsiders – Ex-Employees, Nation State attackers, cyber criminals, script kiddies, hacktivists etc.

Few motivations/intentions :

  1. Financial gain
  2. Fame or generate vouches – Require to gain trust of underground or group of hackers
  3. Intellectual challenges
  4. Damage or disrupt services
  5. Cyber espionage
  6. Personal grievances.
  7. Political motivation
  8. Terrorism

Intentions are sometimes hard to prove, but mostly our adversaries will have malicious intentions.

Only after deciding a Target, they will perform Reconnaissance or Target Profiling. Now, where the attackers/adversaries look is depending on the target or what motivates them. Target can be a single entity or an organisation or a nation/country that accomplishes their intentions/motivations.

Single entity as a target – Individuals are mostly targeted for their personal data. Their personal data such as credentials of their email address, online banking, medical data etc. These information are normally sold on forums and/or marketplaces. Other example is targeting individuals with high positions in corporate places or an institution.

Organisation as a target  An attacker have varied intentions in targeting organisation. Damaging reputation, personal grudge, financial gain or sometimes part of conspiracy and/or nation state attacks.

Nation/Country as a target – This is mostly politically motivated and intentions are mostly malicious towards harming the nation or a country and its infrastructure. Disrupting day to day services that affects human life is also an intent. Recent example – NotPetya malware attack to Ukraine. Here, attackers/adversaries understood their target and profiled them and launched the attack.

In all cases, the better an attacker/adversary profiles their target the better the attack will be.

For individual users, beside security awareness, being careful is the key here. The information that they share or provide can be used to target them. During a presentation I came up with the following tagline.

“Charity begins at home and intelligence begins with your logs”

So attackers/adversaries spend days, weeks or months to collect information about their target, as an organisation for example, you already have this information but,  not using to gain tactical advantage over our adversaries. So what should a targets do ?

  1. Take time to understand your organisation. Understand what information do you have floating on the network and sitting on the systems.
  2. Should know type of information available publicly and understand the risk and how it can be used by an attacker and type of attacks that can leverage these information.
  3. One must take this into consideration that attackers will use available tools to assist them. Mostly these tools are available or sold in underground marketplaces. Being aware of the tools is good way to start. These tools are their weapons and we must know how an enemy weapons work to defend against them. For every poison there is an antidote.
  4. Further action on any successful breaches and data exfilteration beside incident response and BAU activities. If email address were seen on pastebin don’t just change credentials but also understand that these email addresses will be used for phishing or spoofing. Ideal is to change email address and convert the breached one into honeypot email addresses. This will help understand type of attackers targeting your organisation. If not feasible have a mechanism to monitor those email address and profile the incoming spam if any.
  5. Brand monitoring and domain registration – Organisation should be monitoring their brand mentions and/or any domain registration that can be used for phishing or a fraud or to launch attacks.
  6. Phishing is wildly used to lure users and entry points of malware. Organisations should also have a team looking for phishing sites and pro-actively perform takedowns.
  7. It is also ideal to share information of any attacks or compromise within peer industry to understand the possible exposure of an organisation.
  8. Understand your service providers and contractors as they can be a exploited to launch the attack.

Following points are few examples of what kind of information gets out or available that aids an attacker in launching the attack:

  1. It is important to know how your security controls are responding to inbound attacks. The information that they send back (for example a reconnaissance attempt) can also be used to map the network or understand type of device that is stopping adversaries. For example inbound scan blocked by firewall and responding with ICMP network unreachable message.
  2. Websites such as Google and Shodan can be used to collect lot of information about a target and therefore should be monitored. Especially accidental upload by internal employees. Eg – Employee uploading an excel sheet with organisation data on VT, just to make sure there is no malware. Pro-actively monitoring this can assist us to contact respective parties to take the data offline before entities with malicious intent get there hands on.

A Threat Intelligence and/or Hunting team must have this kind of approach. Organisations where there is budget limitation, can also engage their security operations or security service providers to perform these actions on their behalf. Frequency depends on organisations capability to invest in resources.

With this I will end part 1.

Yet another WanaCry Ransomware – Analysis

fl0x2208Leave a comment

Recently, organizations are being targeted with new ransomware labelled as WanaCry.

Being curious, I downloaded the sample to understand how the malware actually behaved. The tests were performed on VM connected to internet and NOT connected to the internet. In both tests, machine was successfully infected.

Sample analysed : 84c82835a5d21bbcf75a61706d8ab549

As seen in the screenshot the executable is “Wana Decryptor 2.0”.

Following screenshot shows the process tree.

Screen Shot 2017-05-17 at 3.03.50 pm

In the screenshot above, the malware creates taskhsvc.exe which contains TOR data and the CnC server addresses :

  • 57g7spgrzlojinas.onion
  • gx7ekbenv2riucmf.onion

Looked at the dump file for @WanaDecryptor@.exe and identified same domains with additional .onion sites

  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Malware using .onion domains for CnC communications is a technique to stay resilient.

The sample, in my opinion, is a packer/installer that unpacks files shown in below screenshot and also creates @WanaDecrypto@.exe that continuously runs as a process. It is worth noting the folder “msg” and “TaskData” were created when VM was infected connected to internet connection. I will explain each file in the later section.

Executable when connected to internet creates two additional folder
called “msg” and “TaskData”.

Below are MD5 of the files that were in the “TaskData” Folder.

MD5 (./TaskData/Tor/libeay32.dll) = 6ed47014c3bb259874d673fb3eaedc85
MD5 (./TaskData/Tor/libevent-2-0-5.dll) = 90f50a285efa5dd9c7fddce786bdef25
MD5 (./TaskData/Tor/libevent_core-2-0-5.dll) =
e5df3824f2fcad0c75fd601fcf37ee70
MD5 (./TaskData/Tor/libevent_extra-2-0-5.dll) =
6d6602388ab232ca9e8633462e683739
MD5 (./TaskData/Tor/libgcc_s_sjlj-1.dll) = 73d4823075762ee2837950726baa2af9
MD5 (./TaskData/Tor/libssp-0.dll) = 78581e243e2b41b17452da8d0b5b2a48
MD5 (./TaskData/Tor/ssleay32.dll) = a12c2040f6fddd34e7acb42f18dd6bdc
MD5 (./TaskData/Tor/taskhsvc.exe) = fe7eb54691ad6e6af77f8a9a0b6de26d
MD5 (./TaskData/Tor/tor.exe) = fe7eb54691ad6e6af77f8a9a0b6de26d
MD5 (./TaskData/Tor/zlib1.dll) = fb072e9f69afdb57179f59b512f828a4

Folder “msg” contains language packs which also gets encrypted and gets
extension “.wnry”.

Below are the files that were created :

  1. @Please_Read_Me@
  2. @WanaDecryptor@.exe
  3. 00000000.res
  4. c.wnry – contains links to .onion sites and tor browser
  5. f.wnry – List of random files that are encrypted
  6. u.wnry – @WanaDecryptor@.exe decrypter file
  7. b.wnry – bitmap file containing decryption details
  8. r.wnry – some more information about decryption and instructions for the decryption tool
  9. s.wnry – Tor zip file
  10. t.wnry – encryption format instructions
  11. 00000000.eky – Infected machines private RSA key
  12. 00000000.pky – Microsoft public key – RSA 2048
  13. 00000000.res — Data for C2 communication
  14. taskdl.exe – file deletion tool
  15. taskse.exe – enumerates RDP connection and executes malware – TOR process runs underneath
  16. msg – language packs. See screenshot below.
  17. TaskData – TOR browser executable and other files. See screenshot below.

When the malware got executed it queried following domains :

– tor.relay.wardsback.org
– tor.ybti.net
– javadl-esd-secure.oracle.com
– belegost.csail.mit.edu
– tor1.mdfnet.se
– zebra620.server4you.de
– maatuska.471.se

System also communicated to 212.47.241.21 which resolves to sa1.sblo.ch. Ran the malware again and this time it went to different domains :

– tor.dizum.com
– tor1e1.digitale-gessellschaft.ch
– lon.anondroid.com

This could likely be due to malware using TOR. Analysed TOR process and saw multiple IP addresses hard-coded. Here you can find all the directory servers used by TOR.

Extensions that are getting encrypted :

Screen Shot 2017-06-11 at 1.10.12 am

Extract from PE Explorer :

Screen Shot 2017-06-11 at 12.58.42 pm

Extract from Sysmon can be found sysmon logs.

WannaCry Fact Sheet – Here.

Kill-chain Phases – Here.

Final Words :

  1. The malware was not delivered via phishing, but rather via EternalBlue Exploit, taking non-traditional way of infecting systems.
  2. No obfuscation was done – meaning when you open the executable you can see the functions.
  3. Exploit such as EthernalBlue, suggests that getting access to vulnerable systems with user interaction is available. The only we detected this was attacker actually use EternalBlue exploit for financial gain – WannaCry ransomware – however, others can just gain access to the system and perform other tasks. Motive, based on evidence, is financial gain.
  4. Although, patching of systems would have definitely helped, however, we must understand the exploit was only used after dump by Shadow Brokers. Although, the intention of the group would be to expose NSA and its tools, the exploit was used for financial gain. So, may be intention to expose NSA may have been for good, it just did more damage.
  5. Number of articles says that creator of malware made mistakes and they just earned 55 K. However, one must understand all those money are paid ransomware and one must also understand the affects/impact of the malware attack. Although, we cannot quantify the time spent to patch the systems, re-image infected systems, people not being in production globally, it is not small. Although, some analysis suggests that attackers were not sophisticated, but it worked.
  6. Can host based security controls would have helped? Controls such as Application whitelisting, no admin rights to logged in users, use of AppLocker in Windows may have helped in reducing the impact. However, how feasible is to apply this in a corporate environment ?

 

PowerShell : Tool for Admins and Adversaries

fl0x2208Leave a comment

Readers!

From last couple of weeks I have been doing some analysing of malware. Mostly, are via phishing attempts. What our adversaries are doing is to first gain easy access to the machine via phishing and creating background processes that calls the compromised domains that downloads the executable, packed with malicious payload. Below is basic timeline of a phishing email with attachment.

timeline

The technique is neither new or unique, however if we are to come up with a trend we can see that most of them have similar tools and procedures.One such tool is PowerShell. The blog is not about what PowerShell is, but how our adversaries are using the tool that was just created to automate admin tasks within Windows environment. As automation is was one of the key points PowerShell was given scripting. The scripting allows to automate admin tasks such as configuration management etc. Here I go explaining what PowerShell is.

Microsoft definitely didn’t intended the tool to be security aware, and therefore till this date one can use PowerShell to perform malicious activities. However, certain controls or functionality within PowerShell can assist us in controlling type of scripts that can run on the systems.

There are indeed multiple security controls that we will discuss later in the blog but first let’s see what our adversaries are doing. I will not be going in specific analysis of a malware as I am trying to reach out to the teams which are responsible to detect/prevent these type of attacks by placing feasible and actionable security controls with regards to PowerShell.

Below is a sample PowerShell command seen in most cases :

ps-command

Frequently used parameters :

  1. ExecutionPolicy bypass – Execution policies  in  PowerShell determines whether a script can run and what type of scripts can run and also sets default policy. Microsoft added a Flag called ‘bypass’, which when used bypasses any currently assigned execution policy and runs the script without any warnings. There are 4 types of Execution policies:
    1. Restricted
    2. Unrestricted
    3. AllSigned
    4. RemoteSigned
  2. windowstyle hidden – This parameter is used when PowerShell script requires to be run in background without the users knowledge.
  3. noprofile – PowerShell profile are set profile or commands (it is actually a PowerShell script), normally for current user and host. Setting -noprofile will just launch any script and will not look for profiles.
  4. DownloadFile – For downloading the file via web

Tools, Technique and Procedures:

  1. The attachments as shown in the first screenshot, are mostly Word/Excel doc with Macros or zip files with JavaScripts.
  2. The Macros or JS are heavily obfuscated and sometimes lightly. For heavily deobfuscated scripts I rely on dynamic analysis(the best way to know what malware is written for). Some scripts, due to practice, I can deobfuscate within minutes.
  3. PowerShell command to download the file are mostly on sites with HTTP rather on HTTPS (there are some sophisticated adversaries created/compromised HTTPS websites). Sometimes, also have noticed use of cmd.exe /c being used which will invoke specified command and terminates it.
  4. File on the compromised domain are mostly windows executables with ‘.exe’ or sometimes the extension is hidden. This depends on the adversary and the packers that they have used. Sometimes, you can unpack the ‘exe’ via 7zip.
  5. Based on the commands the file will be first downloaded and executed. In certain cases I have seen the file gets deleted after execution. Again, it depends on the command.
  6. Most malwares that I have analysed were either ransomware or trying to steal information and sometimes combination of both.

Above TTPs are very simple to understand however, implementing security controls, lets say for each steps to detect and prevent, is much harder. We as a team or individual are working towards reducing the impact of the incident. Consider the phases of cyber kill-chain and perform an analysis of incidents within your team, and understand at which phase you are able to catch the adversary and can you do that earlier?

Observables such as IP addresses, domains, URLs and file hashes with context are the IOCs that normally we look for and use it for detection and prevention. Some people call that Threat Intelligence. Darwin would have gone here Seriously?

download

Security controls such as Endpoint solutions, Proxy, IDPS and FW can help us but they are heavily dependent on what they know and history has shown us that they can be bypassed. However, they are indeed very good controls to either reduce the impact and/or preventing the known attacks or IOCs.

What we need is security controls based on TTPs. So let’s see some of the following controls that can be implemented to either detect and/or prevent such attacks :

  1. DO NOT give admin privileges to the local account. If required based on their role give have a Admin pass generator with User Access Control (UAC) enabled, that will prompt to enter password for Administrator every time a system change such as installing a program, running an Admin task etc is created.
  2. Group policies to have certain tasks especially script execution and writing to registry and windows directory only allowed by Administrator. Can use Administrative Templates.
  3. Group policy to not allow any executables in TEMP directory to be saved/executed.
  4. Sign all PowerShell script. If not possible or the team not willing to sign at restriction placed via above mentioned points can assist.
  5. Can also set the Execution Policy to Restricted, PowerShell can only be used interactively to run the script. Organisation who are not pushing any policies via PowerShell can choose this option.
  6. Application whitelisting – Windows AppLocker. The tools can assist to define what level of access a user can have on the system with regards to executables, scripts and DLLs.
  7. Having AppLocker in Allow Mode can assist the team with a rule that only scripts at trusted location can run on the system. A attacker can re-write the rule provided, he/she has access on the system with Admin privileges.
  8. PowerShell Language Mode – Admin can setup the language modes to Constrained Language Mode that permits all Windows cmdlets and all Windows PowerShell language elements, but it limits permitted types. It has list of types that are allowed within a PowerShell script. For example, New-Object type cmdlet can only be used with allowed types which does not contain system.net.webclient.
  9. Logging of PowerShell is also important. Here, in my opinion Sysmon is a must have. The logs can be forwarded to SIEM for correlation. If Sysmon is not feasible, enabling PowerShell Module logging is highly recommended. Enhanced logging is always recommended and will  write another blog on that.
  10. Organisation proxy to be configured properly to detect/prevent web request invoked via PowerShell. Have tested with command Invoke-request that can show WindowsPowerShell within User-Agent. However, no User-Agent string is noted when above mentioned to DownloadFile is used. May be Proxies can be configured to disallow any traffic without User-Agent – still have to verify whether such functionality exists. If not a SIEM rule can be used to alert on web traffic that has no User-Agent string, going to external sites and downloading files.

Please note, that AppLocker and Powershell constrained mode are not security feature but another layer of defense which can help to reduce the impact of the attack and in some cases completely prevent the execution of foreign scripts.

When making a business case to the board or C-Level executives to make any changes in the organisation the presenter should use language they understand. As part of the evidence it highly recommended to show actually incidents where current security controls failed which impacted the productivity of the user, loss of data and hours spent to recover and restore systems. They want to know how any new mentioned or suggested changes will help in reducing impact to the user or business.

If there are other methods that other organisations are using please let me know.

A good read – PowerShell for Blue Team