"The report also contains more than 150 indicators of compromise. In most cases, once Operation Cleaver has infiltrated an organization, it has deep access via Active Directory domain controllers and credentials and compromised VPN credentials. In most cases, they’re exploiting vulnerabilities in Windows, Adobe products, Apache, and Cisco VPNs, switches and routers. Its most successful campaigns via these avenues, Cylance said, have been against South Korean transportation networks, including airports and airlines. To date no zero day exploits have been found, Cylance said.
"Cylance’s report also cautions that Operation Cleaver could have a special interest in airline and SCADA networks present in most critical industries. Overall, the campaign could be retaliation for Stuxnet, Duqu and Flame, Cylance said.
“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”
first, there is still some hesitation to really attack the critical infrastructure of other countries
secondly, the importance of Active Directory and its security is shown once again
third, without two-factor authentication you have no really secure authentication
read this 80-page report http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
"Multiple sources are reporting that the links to the torrents for the stolen Sony internal data were posted on Pastebin late Monday morning. Less than an hour after that post went live, the individual hosts that were sharing copies of the Sony data came under sustained denial-of-service attacks apparently aimed at keeping the files from being shared with other torrent users. http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...
If you know how P2P or BitTorrent works, then you know that if you don't delete the torrent from your client after you have downloaded it, you are sharing it with the whole world. You have become a publisher, a website in fact.
In this case it makes it enormously difficult for Sony to get the data off the web, but it seems that some operatives (hardly Sony itself, because this is illegal in some countries even if you can't file a complaint because you are hosting stolen files) are using the DDoS weapon to slow down the computers of those sharing the files and so limit the spread.
This is an interesting development in the torrent world because it can inspire others and because it will also have effects on routers and other installations, not only of ISPs but of customers. You can start a DDoS, but because of the nature of the internet you will never control all the fall-out of a DDoS attack
the advantage of having Snort on your network - or, if it is too big, on the most important part of your network - is that it can discover botnets and viruses before the signatures of your antivirus have been updated and distributed
there is for the moment no VirusTotal entry for the file, so there is no way of knowing whether your network was attacked with it
"“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.
Here's the Snort signature, in case this is useful for any readers who didn't get this memo:
alert tcp any any -> [184.108.40.206,220.127.116.11,18.104.22.168] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...
but make sure you understand it correctly
if that kind of traffic appears then you have to take down the machine immediately, because the beacon means the malware has already started destroying all data on that disk and you are not sure you will be able to recover it - there is absolutely no guarantee
and this is as important for your servers as for your desktops or laptops
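To make the rule's conditions concrete, here is an added example (not code from the original post, the FBI alert or Krebs) that emulates the four checks of the wiper_callout signature in Python: destination in the listed hosts, destination port 8080 or 8000, a payload of exactly 42 bytes (dsize:42) and the bytes ff ff ff ff at payload offset 26 (content with offset:26 and depth:4). The sample packets are constructed for the demonstration, and the addresses are the ones printed in the post, not addresses I have verified.

```python
"""Emulate the matching logic of the wiper_callout Snort rule.

Added example, not part of the original post or the alert it quotes.
The sample packets below are constructed; the destination IPs are taken
from the rule as printed in the post.
"""
from dataclasses import dataclass

RULE_DST_IPS = {"184.108.40.206", "220.127.116.11", "18.104.22.168"}
RULE_DST_PORTS = {8080, 8000}
RULE_DSIZE = 42                          # dsize:42  -> payload must be exactly 42 bytes
RULE_CONTENT = bytes.fromhex("ffffffff") # content:"|ff ff ff ff|"
RULE_OFFSET = 26                         # offset:26 -> start looking at byte 26
RULE_DEPTH = 4                           # depth:4   -> look at only 4 bytes from there


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_wiper_callout(pkt: Packet) -> bool:
    """Return True when the packet satisfies every condition of the rule."""
    if pkt.dst not in RULE_DST_IPS or pkt.dport not in RULE_DST_PORTS:
        return False
    if len(pkt.payload) != RULE_DSIZE:
        return False
    # Snort semantics: search for `content` starting at `offset`, looking at
    # most `depth` bytes. With depth == len(content) this is an exact position match.
    window = pkt.payload[RULE_OFFSET:RULE_OFFSET + RULE_DEPTH]
    return RULE_CONTENT in window


def build_beacon(marker: bytes = b"\xff\xff\xff\xff") -> bytes:
    """Construct a 42-byte payload with `marker` at offset 26 (sample data only)."""
    return b"\x00" * RULE_OFFSET + marker + b"\x00" * (RULE_DSIZE - RULE_OFFSET - len(marker))


# Constructed test traffic: only the first packet should trigger the rule.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "184.108.40.206", 8080, build_beacon()),                     # alert
    Packet("10.0.0.5", "184.108.40.206", 8080, build_beacon(b"\x00\x00\x00\x00")),  # wrong content
    Packet("10.0.0.5", "184.108.40.206", 443, build_beacon()),                      # wrong port
    Packet("10.0.0.5", "184.108.40.206", 8000, build_beacon() + b"\x00"),           # 43 bytes, dsize fails
    Packet("10.0.0.7", "8.8.8.8", 8000, build_beacon()),                            # host not in list
]


def scan(packets):
    """Return the internal hosts that triggered the rule; these are the machines to isolate."""
    return sorted({p.src for p in packets if matches_wiper_callout(p)})


if __name__ == "__main__":
    print("hosts beaconing:", scan(SAMPLE_PACKETS))
```

Note that the rule only fires on the beacon itself, so, as the memo says, a hit means the wiping has already started; the value of the match is in isolating the host and checking the rest of the network, not in saving that machine.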
There was a massive DDOS attack but nobody is sure where that came from.
There were infections through email attachments
There seems to have been some physical penetration.
There seem to have been some employees who helped the hackers.
before reading the quote you have to remember the following, before jumping to conclusions
If this comes from North Korea, then it is an intelligence operation.
If this is an intelligence operation, then the operating methods of intelligence operations have to be taken into account.
One of the most important aspects of this is to hide your sources, your methods and your identity.
Secondly, if by sending false information you can get an organisation to become totally paranoid and begin investigating every possibility, and so lose attention for the real sources, methods and for you because it is investigating tens or hundreds of internal employees looking for the mole, then you have hit the organisation a second time, and this time big time, because it will descend into purges and paranoia and even total disintegration (like MI5 when it was hunting for the fifth Russian spy who was never found, if there ever was one)
so this is the quote, but it can be just a diversion
I hope some of the people helping Sony have an intelligence background and are capable of playing the mind games that the hackers seem to be playing
nevertheless, physical security has to be integrated into the total security plan of your organisation, and people should not be able to wander freely around the building or offices (as seems to be the case in some military headquarters.....)
"In a statement to The Verge, 'Lena' referenced the need for equality once again, adding that Sony didn't want such a thing, and that it was "an upward battle."
"Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in. Im sorry I can't say more, safety for our team is important [sic]," 'Lena' told The Verge.
"If the claims are true, and the GOP had help from the inside in order to accomplish their aims, this is a disaster for Sony. It's one thing for an attacker to gain access from the outside; it's another when they can physically touch the environment. http://www.csoonline.com/article/2851649/physical-security/hackers-suggest-they-had-physical-access-during-attack-on-sony-pictures.html
in the article the claim is that some disgruntled people from Sony helped the hackers because she wanted more equality, which means that probably some female employees are really pissed off and were manipulated by the hackers (intelligence operatives) into lending them some information (without really knowing what the impact would be, and probably thinking it would be like another LulzSec attack). That is, if this is not a diversion.
if you put one and one together, you are at disgruntled female employees with high credentials who can bring external people inside the building without being double-checked, and with access to the backups
if this is the case, then someone has taken either a server or a number of hard disks holding several terabytes and copied them directly (at the high rate of the internal networks and not through the firewall, which explains why they didn't see it). If this is the case (I repeat, to be sure).
in such environments you have to work with the information you have and make some assumptions about the possible scenarios; sometimes you can eliminate some of them immediately, while others continue to be working scenarios for which you are looking for evidence, either to close them down as a dead end or to keep them as still plausible
if we go from a multi-strategy attack plan, then it is even possible that the infection attacks are separate from the copying of the backups and the intranet - even if they seem to be done by the same group
"another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data.
now, leaking on Tor makes it very hard to destroy the data online because it is being hosted on hundreds or thousands of computers
now it is possible to contact people in several western countries to destroy that data because of the legal issues of sharing such data publicly, but that can't be the case for the computers in other countries
you can also easily repackage the data in another file or make it a private torrent that you only share on certain networks, which makes cleaning it up very difficult
this means that it is impossible to do anything else than to consider it definitely lost, that the respective persons will have to get new numbers, new accounts and so on, and that the cost of this has to be borne by Sony
it is clear that it is the clear intent of the hackers to hurt and eventually destroy Sony, who can do little to stop the leaking and its disastrous effects
as so much information has been copied, Sony will have to consider that all internal information is compromised and will have to take these measures for all employees who had any kind of information on the affected networks and installations
this distinction hasn't been made by the Belgian privacy commission in its guidelines of January 2013 about data leakages, and I am not sure that the European directive makes this distinction either.
"In the documents viewed by Salted Hash, the sales items were for airing rights to various shows such as Dr. Oz, Judge Hatchett, Outer Limits, and Stargate, SG-1. The documents also disclose details related to syndication rights for sitcoms such as King of Queens, Seinfeld, and Rules of Engagement.
While internal sales data is bad enough, the data dump has the ability to make Sony's situation worse.
It includes an internal phone list and organizational chart, complete with names, titles, departments, phone extensions (with outside line dialing information) and cellular phone numbers. The phone list was created in 2009, but it covers the company sales teams in Los Angeles, Atlanta, Chicago, and New York. http://www.csoonline.com/article/2852982/data-breach/sale...
The full first package is only 25 GB ..... out of the 11 terabytes that were claimed first
now they claim to have more than 100 terabytes and they say they will continue to publish information
but the files are old - which means that they probably have (also) gotten hold of backup servers, which is interesting because those are not always (very rarely in fact) encrypted and the access is not always controlled that strictly. It also explains why so much information could have left the company, because a big file transfer may be totally normal in the backup process
* hey jan what is this enormous surge in data traffic
* oh, it is the backup processes
* do we do a backup now ?
* don't know have to ask the backup people, they change all the time when they do backups
* okay, let's go on to the next incident, attack, malware
"Reacting to the news that North Korea is behind the attacks, a person claiming to represent GOP told Salted Hash:
"We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.
"Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.
"The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures."
if you read it you will see that this is typical propaganda newspeak
The action is not against the film because the film is against North Korea, but because it harms regional peace: the dictator in North Korea is so mad about the film that he is capable of doing anything (meaning that more attacks and even military incidents can be expected), and so the film harms regional peace, and for this reason this film shouldn't have been made because it angers the great dictator. Sony should only have made films that the great dictator likes personally, so he isn't so mad that he wants to turn his anger into a destructive attack - cyber or military
so we can expect more such attacks, military incidents and threats from the Great Dictator in the coming weeks
the only question is how the Chinese will respond, or whether they will try to calm it down
on the other side, don't be surprised if the film gets a limited distribution, only in specialised festivals and so on, and if pay channels won't put it in their library
with the same reasoning we shouldn't have made any film about Hitler and the Nazis because we would be afraid of his reaction, and the same about Ukraine (even if we are holding the same discourse to the Ukrainian people all the time, that they shouldn't anger Putin and should try to negotiate something with him instead of resisting)
"Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware – called a wiper in some circles – will initiate a beacon and phone home.
The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connects to them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shut down and rebooted.
The memo warns that once the beacons start, the process of wiping the files has begun
http://www.csoonline.com/article/2853893/disaster-recover...
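The behaviour described above (beacons to port 8080 or 8000 repeated every 10 minutes) can also be hunted in outbound connection logs, without knowing the addresses in advance. The following is an added example, not from the original post, the CSO article or the FBI memo; it assumes a simple constructed log format of "timestamp source destination port" per line, so a real Zeek conn.log or firewall syslog would need its own parser, but the grouping and interval logic is the same.

```python
"""Find flows that repeat at roughly 10-minute intervals to port 8080/8000.

Added example, not from the original post. Log format and sample lines are
constructed for the demonstration; 203.0.113.x and 198.51.100.x are
documentation address ranges, not real C&C servers.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

BEACON_PORTS = {8080, 8000}
EXPECTED_INTERVAL = 600   # seconds: "every 10 minutes"
TOLERANCE = 30            # seconds of jitter to accept around the expected interval
MIN_EVENTS = 3            # at least two intervals before we call it periodic

# Constructed sample log: 10.1.1.20 beacons every ten minutes to two hosts;
# 10.1.1.35 is an ordinary user hitting a proxy on 8080 at irregular times.
SAMPLE_LOG = """\
2014-12-01T09:00:00Z 10.1.1.20 203.0.113.10 8080
2014-12-01T09:00:01Z 10.1.1.20 203.0.113.11 8000
2014-12-01T09:10:00Z 10.1.1.20 203.0.113.10 8080
2014-12-01T09:10:02Z 10.1.1.20 203.0.113.11 8000
2014-12-01T09:20:01Z 10.1.1.20 203.0.113.10 8080
2014-12-01T09:20:03Z 10.1.1.20 203.0.113.11 8000
2014-12-01T09:03:17Z 10.1.1.35 198.51.100.5 8080
2014-12-01T09:04:02Z 10.1.1.35 198.51.100.5 8080
2014-12-01T09:31:45Z 10.1.1.35 198.51.100.5 8080
"""


def parse_log(text):
    """Yield (epoch_seconds, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield stamp.timestamp(), src, dst, int(port)


def find_beacons(text):
    """Return {(src, dst, port): median_gap_seconds} for flows repeating at ~10 minutes."""
    flows = defaultdict(list)
    for epoch, src, dst, port in parse_log(text):
        if port in BEACON_PORTS:
            flows[(src, dst, port)].append(epoch)

    hits = {}
    for key, times in flows.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        typical = median(gaps)            # median is robust to one missed beacon
        if abs(typical - EXPECTED_INTERVAL) <= TOLERANCE:
            hits[key] = typical
    return hits


if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} repeats every ~{gap:.0f}s: isolate {src} and check its disks")
```

A flow that matches is not proof by itself (scheduled jobs also run every ten minutes), but combined with the Snort content match above it gives you a second, independent way to find infected hosts from logs you already keep.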
this is like most of the APT attacks that are described as very 'professional attacks, with code only available to ...blablablabla'
but if you follow the same logical examination as any forensic investigation and ask how the file got on the PC (even before asking yourself how it is possible that those workstations have so many administrative rights and so little protection .... behind that so-called firewall and other security walls)
then the answer is in most cases always the same:
"it came as an attachment in the mail" or as a "download from a link in the mail"
but why do we accept that these attachments from the mail are downloaded and placed on the computers of our internal networks? Why don't we place them on a sandboxed server (with no connection to the internet or even the intranet) where people can open them, read them and eventually sanitize them before placing them on a server in the network (one that you can secure much harder than the rest of your servers, for example with no network connections for files)?
Ideally you should be able to have those files analyzed every so many days by a number of antivirus, antimalware etc. products and block all those where there are suspicions
this would be the cheapest solution, and it would in fact be very easy to set up and add to your mail server and network.
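The simplest building block of such a setup is a mail filter that detaches every attachment before the message reaches a mailbox, stores it under its hash in a quarantine area, and leaves the user a note instead of the file. Here is an added example of that step in Python (not code from the original post or any product); the quarantine path is a placeholder and the sample message is constructed.

```python
"""Detach attachments from incoming mail into a quarantine directory.

Added example, not from the original post. QUARANTINE_DIR is a placeholder;
SAMPLE_EML is a constructed message whose "invoice.exe" attachment is just
the base64 of the text "dummy attachment body".
"""
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

QUARANTINE_DIR = "/var/quarantine"   # placeholder path for the sandboxed server

SAMPLE_EML = b"""\
From: colleague@example.com
To: me@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

please see attached
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

ZHVtbXkgYXR0YWNobWVudCBib2R5
--b1--
"""


def attachment_digest(data: bytes) -> str:
    """SHA-256 hex digest, used as the quarantine file name and as a lookup key."""
    return hashlib.sha256(data).hexdigest()


def quarantine_message(raw: bytes, quarantine_dir: str = QUARANTINE_DIR, write: bool = True):
    """Return (clean_message, stored) where stored is a list of (filename, digest, size).

    The clean message keeps the original headers and text body and carries a
    note per detached attachment. With write=True the attachment bytes are
    written to quarantine_dir/<sha256>; write=False only reports them.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            clean[header] = msg[header]

    body_parts, stored = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                                   # container, not content
        if part.get_content_disposition() == "attachment" or part.get_filename():
            data = part.get_payload(decode=True) or b""  # decodes base64/quoted-printable
            digest = attachment_digest(data)
            if write:
                os.makedirs(quarantine_dir, exist_ok=True)
                with open(os.path.join(quarantine_dir, digest), "wb") as fh:
                    fh.write(data)
            stored.append((part.get_filename() or "unnamed", digest, len(data)))
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_content())

    notice = "\n".join(
        f"[attachment '{name}' ({size} bytes) held in quarantine as {digest}]"
        for name, digest, size in stored
    )
    clean.set_content("\n".join(body_parts + ([notice] if notice else [])))
    return clean, stored


if __name__ == "__main__":
    cleaned, held = quarantine_message(SAMPLE_EML, write=False)
    print(cleaned.get_content())
    for name, digest, size in held:
        print(f"quarantined {name}: sha256={digest} size={size}")
```

The digest is what you then feed to the periodic multi-engine scan the post suggests, and it is also what lets you answer "did this file ever enter our network?" later without keeping the mail itself.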
it is impossible to say who protects against the file because VirusTotal doesn't give any answer, neither on the MD5 nor on the filename
maybe this is done at the demand of the FBI, to make it impossible for the attacker to discover which networks can be attacked easily because their antivirus isn't up to date yet - even if in the other cases it doesn't mean that all the antiviruses on all the machines in the networks have updated libraries and protections
it is also clear that this virus is generic: it isn't built for a specific machine, model or version, it just attacks all the boot processes, which makes it much harder to protect against and much more dangerous once it is inside your environment (because if it had been written for a specific machine you could calculate how many more such machines you had, where they were located and what the risk of each machine was, and concentrate immediately on those that are of most value to the organisation, business or network)
Size: 249856 bytes (244.0 KB)
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean
normally the name of the software would have let it pass through process controls
igfxtray.exe is a process which allows you to access the Intel Graphics configuration and diagnostic application for the Intel 810 series graphics chipset. This program is a non-essential system process, and is installed for ease of use via the desktop tray. http://www.processlibrary.com/en/directory/files/igfxtray...
the virus file was uploaded yesterday to this sandbox (with connections to Tokyo)
This file was already called malware in 2011 by this site (and it was attributed to the TrueCrypt organisation, but it isn't digitally signed (well, as long as such software can be placed into the boot sector or root of a PC without any digital signing we are just riding in the dark without lights - and if they were signed, the signatures would still have to be checked)
VirusTotal has an analysis for this file, but some antiviruses didn't protect against it
this was a 32-bit version - one that shouldn't have worked in a 64-bit environment
2011 seems to have been a very difficult year for the rootkit/bootkit developers as they had to migrate to 64-bit :)
The reason for the attack is political
"Yet the technology news site Re/code reported that Sony was investigating to determine whether hackers working on behalf of North Korea were responsible for the attack as retribution for the company's backing of the film "The Interview."
The movie, which is due to be released in the United States and Canada on Dec. 25, is a comedy about two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. The Pyongyang government denounced the film as "undisguised sponsoring of terrorism, as well as an act of war" in a letter to U.N. Secretary-General Ban Ki-moon in June.
The technical section of the FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
"The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the report said.
Security experts said that repairing the computers requires technicians to manually either replace the hard drives on each computer, or re-image them, a time-consuming and expensive process. http://news.yahoo.com/exclusive-fbi-warns-destructive-malware-wake-sony-attack-002204335--finance.html
we have seen the hundreds of pages listing all the sites and information that have been downloaded and now seem destroyed. These are whole intranets with intranet sites (and their code) and databases and internal applications and passwords and files and personal mailboxes, and so it goes on for hundreds of pages
now it is clear that all the hard disks on which this data was found were virtually destroyed, and I hope they have good external backups and that these were isolated from the network so that the hackers couldn't delete those as well (which was done in several hacking incidents)
by using destructive bootkits you also make it very hard to do any professional forensic analysis, because it will be very hard to find evidence on the destroyed hard disks - eventually you will have to wipe them yourself to be able to recover some other data (instead of the event logs and other proof)
we already had viruses that blocked your data with an encryption key, but this is a whole new ballgame..... they are just out to copy and publish your internal network and to destroy it totally afterwards, with the only intent of making you pay by creating chaos
but the big question naturally is why Sony wasn't better prepared for this after its attacks and leaks in 2011
fanning : some kids lost their digital virginity online and some online firms should protect them better
yep, this is one screenshot ..... and the most innocent part of the fanning collections that were downloaded from iCloud because they had forgotten to activate the most effective defense against password guessing, which is prohibiting brute-force attacks in which thousands of passwords can be tested without any alert
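What "prohibiting brute-force attacks" looks like in code: the following is an added example (not from the original post, and not Apple's or anyone else's implementation) of a login check that keeps a sliding window of failures per account and per source address, locks the account after a handful of failures, throttles a source that is spraying guesses across many accounts, and records an alert so that nobody can try thousands of passwords silently. The user database, clock values and thresholds are constructed for the demonstration.

```python
"""Per-account and per-source brute-force throttling for a login endpoint.

Added example, not from the original post or any vendor. Thresholds, the
user database and the time values are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 900             # count failures over the last 15 minutes
MAX_FAILURES_PER_ACCOUNT = 5     # then lock the account
MAX_FAILURES_PER_SOURCE = 20     # then refuse further attempts from that address
LOCKOUT_SECONDS = 1800
PBKDF2_ROUNDS = 50_000           # kept low so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, users):
        self.users = users                        # {name: (salt, pbkdf2_hash)}
        self.failures_by_account = defaultdict(deque)
        self.failures_by_source = defaultdict(deque)
        self.locked_until = {}
        self.alerts = []                          # (time, account, source, reason)

    @staticmethod
    def _prune(dq, now):
        """Drop timestamps that fell out of the sliding window."""
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def attempt(self, account: str, password: str, source: str, now: int) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'throttled'. `now` is epoch seconds."""
        if self.locked_until.get(account, 0) > now:
            return "locked"

        src = self.failures_by_source[source]
        self._prune(src, now)
        if len(src) >= MAX_FAILURES_PER_SOURCE:
            return "throttled"               # refuse before even checking the password

        # Always run the hash, also for unknown accounts, so timing does not
        # reveal which user names exist.
        salt, expected = self.users.get(account, (b"", b""))
        ok = account in self.users and hmac.compare_digest(_hash_password(password, salt), expected)
        if ok:
            self.failures_by_account[account].clear()
            return "ok"

        acct = self.failures_by_account[account]
        self._prune(acct, now)
        acct.append(now)
        src.append(now)
        if len(acct) >= MAX_FAILURES_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.alerts.append((now, account, source, "lockout"))
        return "bad_password"


def make_user_db():
    """Constructed single-user database for the demonstration."""
    salt = os.urandom(16)
    return {"alice": (salt, _hash_password("correct horse", salt))}


if __name__ == "__main__":
    guard = LoginGuard(make_user_db())
    t = 1_000_000
    for i in range(6):
        print(guard.attempt("alice", f"guess{i}", "203.0.113.9", t + i))
    print(guard.alerts)
```

The per-source counter is the part that matters most against a cloud-scale guessing campaign: locking only the account lets an attacker rotate through accounts one guess at a time, while counting failures per address (and, in a real service, per address range and per session token) makes the spraying itself visible and stoppable.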
but you have to see the files to understand that the real disaster is that these are youngsters who will find some of these files on all kinds of file servers and porn servers (there is pornographic stuff in it, although not that much, even if I didn't look at or download each of the thousands of files)
maybe we should demand from online organisations that they protect the files of our kids better than our own. if we make a stupid sex tape then it is our own fault, we are adults - but we can't control them every minute of the day or control every contact or movie they make - so it is up to the online organisations to give them a safer and more secure online environment
and really this is innocent stuff
once digital, it can travel anywhere anytime, and once it is out there or with someone else it is gone - out of control - out of your control
The minister of Security (as he calls himself) proposed to the minister of Defense of the same party (NVA) to let the military patrol the streets in Belgium.
They have done that once already, but then we had at the same time the attacks of the Bende van Nijvel and of the CCC, which were creating a strategy of tension in Belgium, voluntarily or not, as not all information about that will be declassified before I die
He refers to France, but France started with military patrols at certain historic and strategic places after some really big terrorist attacks, and because from time to time they arrest terrorist cells before they can attack. This is not necessarily a good strategy (in Great Britain it is just heavily armed policemen - but still policemen)
If the minister wants to put the military to any good use, he should place them at and around our nuclear installations, where we have already lost one due to internal strategic sabotage and lost another for two days because of a fire in an external electrical installation that is not protected by any wall or defensive installation
if we lose any of the other nuclear installations we will be in a real blackout, and the only thing you have to do is blow up some electrical installations outside the sites, which are totally unprotected
oh no, it's not only me saying this, it was on the RTBF news (http://www.rtbf.be/video/detail_jt-19h30?id=1975146 from minute 16) and in France there are also calls to militarise the protection and security of nuclear installations (shortly after 9/11 there were military and missiles around our nuclear installations)
Clouds of tear gas filled the streets of Ferguson, forcing demonstrators to run for cover. Standing among broken bottles and shop windows, one woman doused herself in Milk of Magnesia to relieve the symptoms.
and all those commentators who thought that the protests were over and dying are wrong again
each time they think that the Chinese have won, everything changes again and we are back to square one
there is another thing that is important
just as with the Euromaidan protests, the majority of the protesters came to the camp after work
this was also the case in Ukraine and kept it alive, because most people need an income, and unless you can win in a few days they can't just stay away from work day after day, week after week, month after month
look at that (and you didn't see that in the news, you only saw some scuffles but not the mass of people behind them)
the first malware that targeted POS (point of sale) systems was built for specific software and hardware and wanted only the credit card information
now from a specific malware it has grown into a platform to attack any vendor system for any reason
"Some recent POS investigations have revealed organized crime groups distributing malicious code and compromising networking environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems. One of the compromised devices was found in Sardinia in August 2014, giving the bad actors unauthorized access to it through VNC.
but the infections are only starting (one in Holland, one in France, but none in Belgium for the moment)
it also means that the period of security by obscurity is over for these systems, and that anti-cola hackers will give us free coke (or none at all) or free bus rides, or will just want to get PIN codes from any access system (to do some physical penetration afterwards?)
they are only part of the internet and they are becoming more and more irrelevant
we will work on that in the coming weeks by preparing more specific searches to bypass this censorship
(how do I know it is censorship? because when I search for the names of spies that are in my books about the latest espionage scandals of the last years (to understand Snowden) it is clear that information has been deleted, because it is mentioned under the first page with the search results)
for the moment some say that you can find the URLs that are being removed in Europe in other versions of the Google search engine
but meanwhile the effect is enormous (and it is bigger than the millions of URLs to pirated content, because this is about legal content that some people for some reason don't want you to see anymore in Google)
"Google was the first company to publish a form to make such requests, and has so far received more than 174,000 requests covering more than 600,000 URLs, removing 41.5% of them from its search results. Now it has been joined by Bing and Yahoo.
for those who have known the internet before Google:
we are going back to local searches and link indexes and keeping the information you have found online, because you never know how long it will stay online
"The cybersecurity company FireEye has unearthed a team of email intruders that snoop through the correspondence of company executives who may possess market-moving information.
FireEye said the team has carried out attacks against nearly 100 publicly traded companies or their advisory firms in possible attempts to play the stock market. Most of the targets are health care or pharmaceutical companies. It noted that the shares of those firms can move dramatically after the announcement of clinical trial results, regulatory decisions or other significant developments.
FireEye has labeled the group FIN4 and says it focuses on capturing usernames and passwords to email accounts, which gives the group access to private email correspondence. The group does not use malware, which helps it evade detection.
they send emails from friends or contacts that ask you to fill in a form with your email credentials
then they use those email credentials to read your email over your shoulder
and this you can only stop when your company email service does the same location control as Google and Yahoo - except when they do it from the same location or through a hacked site or a local proxy that gives the same protection
information is much more important than showing off that you have hacked or defaced something
the best solution is two-factor authentication