Petya…let us take a breath…

Hello All. So most of you know what is going on in the cyber security world…Petya. If you have no idea what I am talking about, then you may want to read a website or turn on the TV. Petya is a form of malware, more specifically ransomware. Although it bubbled to the surface a few days ago, it has actually been around since 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, demanding a payment in Bitcoin in order to regain access to the system.

As per Wikipedia, “Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants due to these differences in operation. In addition, although it purports to be ransomware, it is unable to actually revert its changes.”

Some further valuable analysis findings:

Distribution methods

The malware is distributed via phishing e-mails.
For further distribution within the network the malware uses:

  • MS17-010 vulnerability (like WannaCry).
  • Remote access to WMI (Windows Management Instrumentation)
  • Command line: “process call create \”C:\\Windows\\System32\\rundll32.exe \\\”C:\\Windows\\perfc.dat\\\” #1”.
  • The malware also uses «PSEXEC» toolkit or some similar tool (we are currently investigating this as well as the source of credentials used to infect remote systems via WMI).

Encryption

  • The malware clears system logs using the following command:
    «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:» to make further analysis more difficult.
  • It also writes its code to the hard drive's MBR, initiates a system reboot and adds reboot commands to the Windows Task Scheduler (“schtasks” and “at” commands).
  • After the reboot, the malware loads its code from the MBR and encrypts data on the hard drive (the file allocation table is encrypted; we are currently investigating what else is being encrypted).
  • If the computer is shut down before the reboot, the MBR can be restored with the “bootrec /FixMbr” command (on Vista and later; on Windows XP, “fixmbr” can be used).
  • If the privileges are not high enough to rewrite the MBR, the files are encrypted without a system reboot. The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
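The command lines quoted in the findings above can be turned into a simple hunt over process-creation logs. The following is an added example, not code from the original analysis: the rule names, the host names, the sample records and the assumption that the scheduled task invokes shutdown are all constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns built from the command lines quoted in the findings above.
RULES = {
    "eventlog_clear": re.compile(
        r"\bwevtutil(?:\.exe)?\s+cl\s+(?:setup|system|security|application)\b", re.I),
    "usn_journal_delete": re.compile(
        r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I),
    "rundll32_perfc": re.compile(
        r"\brundll32(?:\.exe)?\b.*\\perfc\.dat\b", re.I),
    "wmi_process_create": re.compile(r"\bprocess\s+call\s+create\b", re.I),
    # Assumption: the scheduled action calls shutdown; the findings only
    # name the "schtasks" and "at" commands, not their arguments.
    "scheduled_reboot": re.compile(
        r"(?:\bschtasks(?:\.exe)?\b.*/create\b|\bat(?:\.exe)?\s+\d{1,2}:\d{2})"
        r".*\bshutdown\b", re.I),
}

def match_rules(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events, threshold=2):
    """Group hits per host and keep hosts with >= threshold distinct rules.

    A single hit (an admin using WMI, say) is common noise; several of
    these behaviours on one host is the pattern described above.
    """
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(match_rules(cmdline))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= threshold}

# Constructed process-creation records: (host, command line).
SAMPLE_EVENTS = [
    ("WS-01", r'wmic /node:"WS-02" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'),
    ("WS-02", r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat" #1'),
    ("WS-02", r"cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"),
    ("WS-02", r'schtasks /Create /SC once /TN "reboot-task" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:05'),
    ("ADMIN-01", r'wmic process call create "notepad.exe"'),
    ("ADMIN-01", r"wevtutil qe System /c:5 /f:text"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

Because the malware clears the local event logs, a hunt like this is only useful against process-creation records that were forwarded off the host before the clearing command ran.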

Recommendations

  • Recommendations that we have pulled together still indicate the same remediation as WannaCry, with the following:
  • Install required Windows updates (MS17-010): https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Turn off SMB1:
    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
  • It is also advised to block the execution of «PSEXEC.EXE» software on potentially compromised machines and block remote access to WMI.

Report Accuses BT of Supplying Backdoors for GCHQ and NSA

Hello All. Article carried by CSO Magazine (Steve Ragan) regarding the involvement and methods used by British Telecom (BT) to supply backdoors for the GCHQ and the NSA.

A paper released earlier this month by a group of security researchers has outlined the technical details behind a potential Computer Network Exploitation (CNE) program likely used by the U.K. Government Communications Headquarters (GCHQ) and their American counterpart, the NSA.

Moreover, the researchers say that one of the largest telecom providers in the world, BT Group (formerly British Telecom), ships hardware to the home and office with firmware that enables this secretive surveillance on a massive scale.

In a paper titled The Internet Dark Age the researchers say that BT is shipping hardware with backdoors that allow secret government access in order to make network compromise easier. “BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the U.K.,” the paper states.

The authors of the paper, (who stated that while they wish to remain anonymous, are ready to appear in a court of law and present their findings) claim to have discovered a key piece to the global surveillance puzzle, addressing several questions that have gone unanswered since documents leaked by former NSA analyst Edward Snowden started appearing this summer. The researchers said that they made their discovery in June, but held the report for an additional six months in order to do additional research and study.

The most critical question in the wake of the Snowden leaks centers on the technical details of how the NSA and GCHQ perform CNE operations on residential and Small Office and Home Office (SOHO) networks, as well as global enterprise.

Weeks prior to the release of The Internet Dark Age it emerged that the NSA and the GCHQ had infected more than 50,000 networks globally as part of their CNE efforts. But the reports on such actions never explained how this was accomplished. Prior reports on the existence of agency hackers and network penetration specialists also left the details of their actions to speculation. The public knows they exist, but not how they operate.

The information in the anonymously published paper doesn’t come from access to classified information. Instead, the details come from forensic analysis of private SOHO networks located in the U.K., which the researchers say was conducted “legally, and on private property using privately owned equipment.”

Click here to read more. Really interesting article. I do recommend reading The Internet Dark Age on Cryptome’s website.

Security Intelligence for the Enterprise

Just read a great article by Rafal Los (aka Wh1t3Rabbit) from HP Enterprise Security regarding security intelligence. The blog post talks about collecting the appropriate security intelligence to enable organizations to better prepare and deploy their defenses. He refers to what is known as actionable intelligence, or data that is useable and will assist in building meaningful defenses:

“There is a lot of talk about having the right data, and being able to turn it into knowledge in a timely manner to make decisions or take meaningful action. At the center of that discussion is the idea of “actionable intelligence,” and what it really means. In my opinion, and after watching several organizations attempt to operationalize intelligence reports/feeds, in order for anything to be actionable it must be able to quickly be converted by your organization from bits to meaningful action. Actionable intelligence can be as broad as a memorandum that alerts the banking industry that there has been chatter by “cyber terrorists” of creating a large botnet in order to DDoS banking websites. Even if this doesn’t provide immediate detail, it can provide a sense of direction and urgency from which your organization can then derive action.

On the other end of that spectrum is an automated feed that takes data generated from human interaction and is packaged for consumption by an automated mechanism. More concretely, a feed from a security research organization that produces IP reputation data that is then fed into your firewalls and IPs to make more intelligent — alerting and blocking decisions is a great example.”

If you want to read more, have a look at the part 1 posting on Rafal’s blog site: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/Security-Intelligence-for-the-Enterprise-Part-1/ba-p/6087063#.UbBuVJy41aQ

Mandiant APT1 Report

I very much enjoyed reading Mandiant’s APT1 report. They highlighted some very interesting observations regarding how they were able to come to the conclusion that APT1 is in fact the Chinese military.

From Mandiant’s report:

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. The scale and impact of APT1’s operations compelled us to write this report. Highlights of the report include:

  • APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
  • APT1 maintains an extensive infrastructure of computer systems around the world.
  • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
  • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
  • In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
  • Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

Mandiant_APT1_Report.pdf
MD5: 936FEB234F60CFBF6916BA61FBAB2781
SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84

Mandiant_APT1_Report_Appendix.zip
MD5: FD103F16BBBB28162C23BE3A47371AA9
SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154

Osama bin Laden Compound Raid Mock-up

You seriously got to love the fact that the US government (and other governments for that matter) can no longer keep secret from the public satellites orbiting overhead. In No Easy Day, the book written by the Navy Seal about getting Bin Laden, it was stated that the infamous Seal Team 6 trained in North Carolina. If you go to Google Maps and put in these coordinates at Harvey Point Defense Testing (CIA training facility) there is nothing but a clearing in a field. If you go to the lower link in Virtual Globetrotting and look at the same location it appears to be the mock-up training facility for the Bin Laden raid. It is not completed in the photo, but there is enough built to say it is an almost exact copy of Bin Laden’s compound.

From the cryptome.org site – Construction and Demolition of the Bin Laden Compound Mock-up, Harvey Point, NC

The one month period of the top two photos indicate the facility was constructed quite quickly, perhaps after confirmation of the target required speedy construction for training.

The first photo (below) was taken two days before the raid on May 1, 2011, thus training had been completed. It appears trees and vegetation in the garden had been added to simulate the actual site, perhaps to avoid helicopter landing there.

The left courtyard of the mock-up does not match the actual site’s courtyard size and location. A model of the site was more accurate and was likely based on information gathered after that used for the mock-up.

With the careful attention to raid preparation No Easy Day describes, there could have been an expectation that the facility might appear on a public image site or details leaked by a construction worker, some mock-up features may have been constructed to differ from the target compound. Moreover, there may have been one or more mock-ups elsewhere as decoys and/or for training the multiple teams described in the book — the book’s author says a run-through practice took place at an unnamed base with a mock-up for VIP observation — and “out west.”  No Easy Day excerpts below.

There is no certainty that the book’s author told the whole truth (he admits to being sketchy about aspects of the training and the raid), more likely some (maybe all) of the book is customary CIA/DoD/SEAL cloaking and disinformation about operations.

It is clear that Google Earth omitted the sensitive images — the site’s historical imagery jumps from March 17, 2010 to January 30, 2012 — as an instance of its cooperation with governments worldwide. That Microsoft’s Bing did not is to be commended, even if an oversight.

Bin Laden Compound Mock-Up, Harvey Point, NC, Under Construction, February 15, 2011. Bing.com/Maps.

Bin Laden Compound, Abbottabad, Pakistan, After the Raid, May 11, 2011. Google Earth/GeoEye

Bin Laden Compound Mock-Up, Harvey Point, NC,  After Demolition, January 30, 2012. Google Earth