(C)0ld Case : From Aerospace to China’s interests.

Via the events collected mostly from passive DNS records, I’ll highlight that threat actor(s)/ group(s) were using since 2010 a “DNS highjacking” tactic which is here observed as replacing victim’s zone authoritative name servers, by their controlled one, for small period of time. This could result in interception, espionage or sabotage by these means. The victims profiles found, strongly align with China’s interests. Various areas of activity are concerned, from Fortune 100 to cultual or religious organizations :

  • France: Safran, Snecma (now Safran Aircraft Engines)
  • Korea: Microsoft, Adobe, Honeywell, Nintendo, Logic Korea (Video game), KFTC (Financial payment service), Minghui (Falun Gong organization), Shinchonji (Evangelists)
  • Australia: Australian Postal Corporation, Guangming (Falun Gong organization)
  • United States : Makerbot (3D Printing company).

US DOJ & Aerospace

Referring to the indictment by the U.S. Department of Justice (DOJ) of ten Chinese intelligence officers for espionage  (2018-10-10), cf:

DOJ

And according to this indictment :”Beginning in at least December 2013 and continuing until his arrest, Xu targeted certain companies inside and outside the United States that are recognized as leaders in the aviation field. “

NB: You can read this link too, that summarize also well these recent events.

I decided to look what I can find on a (c)old case “linked” to this indictment. My starting point was this CrowdStrike article from crowdstrike_article

The events (publish and/or occurring were around the same period too..) i.e at the end of the 2013 year and beginning of 2014 :

French Aerospace          VFW                         CrowdStrike Article
2014-01-11                        2014-02-11              2014-02-25

We know that Safran, Snecma (a Safran subsidiary) and the French aerospace industries association : the “Groupement des industries françaises aéronautiques et spatiales” (GIFAS) were concerned.

I decided to start from what we know, and lookup into Passive DNS data, mostly.

secure[.]safran-group[.]com

First thing was that Safran let one of his RR pointing for more than two months to a malicious IP. (?!)  The two other domains were a contrario malicious domains, crafted for, and not directly related to the victims.

173.252.252.204.png

(Source DNSDB)

Safran Name Server

From the CrowdStrike article :

Of particular interest was secure[.]safran-group[.]com. Safran is a France-based aerospace and defense company with a focus on the design and production of aircraft engines and equipment. The company owns the safran-group[.]com domain, and the fact that one of its subdomains was pointed at a malicious IP address suggests that the adversary compromised Safran’s DNS.

The second point is bold text above : “(…)the adversary compromised Safran’s DNS.” I didn’t find something thus that could help to understand how it was accomplished. By searching the Internet I found a UC San Diego thesis with title : “Investigating DNS Hijacking Through High Frequency Measurements” which seems well informed on the incidents :

DNS_Highjacking_snecma

Snecma Name Server

What we can read in CrowdStrike article, is that a number of domains were added to the “host’s” file of victim machines, but :

“the purpose of this component is unclear. It does not map these domains to malicious IP addresses because the 217.108.170.0/24 range belongs to the company”

By looking at the snecma.fr Name Servers I found some weird ones at the moment : ns1.acfine.net and ns2.acfine.net

NS_snecma

Time first seen was the 20th of November 2013  : Did the attack occur first ? Idem from 2 days in August 2013.no id
ns1.acfine.net_A
If we look at the domains now that were using these Name Servers, we see interesting points :
Domains_NS
What is interesting here with these domains/sites is the mix of targets profiles and China’s Interests  :
  • snecma.fr was previously indicated and was China’s interest without any doubt at that time. We have covered briefly this above.
  • guangming.org seems to be a “Falun Gong” information website, this is of the utter interest in China’s policy. We can see multiple references to this “organization”, and China see it as a cult (see this official Chinese governmental link e.g). NB: The website may be related to their practice in Australia.

falun

 

  • auspost.com.au

aus_post

This is the website of Australian Postal Corporation. Maybe linked to the previous Falun Gong possible supposed targets ?
  • makerbot.com is a 3D Printing company, based in New York.

Could this be another objective from attackers, or another group inside a team ? APT could be composed of several groups/teams, with different goals, and sometime using the same architecture or sharing the same TTPs.

Some open line of investigation on this… but I found on the website that a Lockheed Martin’s Senior Research Engineer was using their product since 2014 : It could be interesting for attackers to target this company to correlate different data.

ex: Lockhed Martin Blueprints + robotic mechanisms & Engineering

As correlating two different databases could reveal useful information,

ex: Office of Personnel Management (OPM) wich handle SF-86 form to obtain a security clearance + Anthem (Health Insurance) permitted to find the CIA agents by doing a diff between the data…

makerbot

Linkedin profile :

engineer

Airbus & Microsoft Korea

While I was reading this article on Sakula from Cassidian (Airbus) from 2015 I saw :
update.microsoft.co.kr_cassidian
Sample (0237f92714f28d755025fa6ba0f4759c7797edd73c4ccbd544495941ae0e0bcd) contacting the Microsoft domain :

source VT :

compil_timestamp
NB: The compilation timestamp 2012-11-21 07:17:31 from the above sample is consistent with the DNSDB timestamps too, see below : 2012-11-11 to 2012-11-22
ms_kr_sample
Here are the contacted URLs : (Source VT)
ms_kr_http
A victim contacted a Microsoft domain ? A legit one ? I did a little research and yes microsoft.co.kr redirect now to microsoft.com/korea for its corporate’s website.
I did a search on Farsight DNSDB passive DNS records and looked at all records for this domain : microsoft.co.kr .
ms_co_kr_NS
Same as previously, for a few time period in 2010 : 1 day, and more than 11 days in 2012, Microsoft Korean Name Servers were directed to what I immediately found suspect, resp. ns21.dollar2host.com / ns22.dollar2host.com and ns0.nscomdomain.com / ns1.nscomdomain.com.
NB: ns2.msft.net (an ns3, and 4..) were not suspect because legit Microsoft domain, but NOT the others…
Microsoft in Korea was pwned 2 times, in 2010 and 2012 and as far as I know I didn’t see these information well documented.
caprio_curiosity
What could possibly go wrong ?
Same tactic ? DNS highjacking, Let’s see…

ns21.dollar2host.com / ns22.dollar2host.com (NS)

What domains were using these Name Servers ? First of all there are a LOT of domains.. crappy or legitimate ones. While trying to look around the time of usage for my microsoft.co.kr domain, I found several others corporate domains :
  • microsoftstore.co.kr
  • adobe.co.kr
  • nintendo.co.kr
store_adobe_nintendo.png
Ex for Nintendo today’s website for nintendo.co.kr domain :
nintendo.co.kr.png
I discovered while sweeping through the pages and pages (…) of domains other financial & banking domains but I suppose they answer to another objective because the time they were using the NS is longer : Few months and not hours/minutes and didn’t check if domains were legit at the time of if they were mimicking their target’s name.
fincancial_banks.png
NB: chryslerfinancialinfoservice.com from 2010-08-23 to 2010-11-28 not represented above.
This could be what I call a batch process used by threat actor, look at the exact same timing. In these groups, they need to “stick to the rules” to protect (Compartmentalization) the information for security, and their registration process may reveal batch operations.

2018-11-24 Update : Continuing on ns21. I saw that microsoft.kr was usign briefly this NS in 2010 too :

microsoft.kr

I found also ns1.dqtec.com (and ns2.dqtec.com) who where using too this NS in 2010, e.g with ns1.dqtec.com below:

ns1_dqtec.com

What was the IP resolution of these records ?

ns1.dqtec.com  ==> 67.212.186.170

ns2.dqtec.com ==> 67.212.186.171

cf:

ns1.dqtec.com

and :

ns2.dqtec.com

Now What?

 

Ecuador

If these IPs used for bad things at the moment (no idea..), some other records may have been pointed to.. Again pivoting :

Ecuador

Source: DNSDB

I have no idea if these records were legit at this time. First thing first, referring to Wikipedia, .gob.ec was replaced by .gov.ec :

ec_tld

For the domains :

  • hanm.gob.ec was “el Hospital Provincial Alfredo Noboa Montenegro”.

 

  • cnecarchi.gob.ec was la “Delegación Electoral del Carchi”, depending from Ecuador National Electoral Council for “la delgacion de” (translate to approx. “district of”…)  Carchi, website at the moment (2012-05-25) :

carchi

Nowadays the website :

carchi2

 

  • sevfae.mil.ec : We can interpret the function as globally : Ecuador’s Air Force virtual education system. It’s a Military website and domain.

At the moment website was :

sevfae.mil.ec

Nowadays :

sevfae.mil.ec2.png

AGA is “Academia de Guerra Aérea FAE” which translate to Ecuador’s Air Force war academy. This is also “similar” with the last domain below :

  • academiadeguerraaerea.mil.ec 

Illustration nowadays (not same domain..) :

academia_guerra2

 

 

ns0.nscomdomain.com / ns1.nscomdomain.com (NS)

Same process. What domains were using these Name Servers ?

Here when I search for ns0, there’s less domains, in fact, only 6, including our microsoft.co.kr. All information was from 2012 :

2_ns0_nscomdomain.com.png

Examining these domains I was really surprised to find that minghui.or.kr was linked to “Faloun Gong” too ! Do you remember at the beginning of this blog post “guangming.org” ? That could reveal the same kind of interest by this/these actor(s).

minghui.or.kr.png

  • shinchonji.kr is another religious/cult (Evangelists as far as I understand) organization that may represent an interest too for China’s monitoring policy.

shincheonji.png

  • logickorea.co.kr A Korean Company, in the Video Games business.  I immediately think about the APT that targeted Video games industry (Winnti) . As Kaspersky noted noted in its report “Winnti. More than just a game”, South Korean video games vendors were targeted :

Interestingly, the digital signature belonged to another video game vendor – a private company known as KOG, based in South Korea.

logic_korea.png

  • kftc.or.kr is a Korean financial payment service company with a lot of service today : Cash Dispenser (CD) Network,  Interbank Fund Transfer(IFT), HOFINET, and The Korea Cash (K-CASH) Network connects KFTC, all banks in Korea and a system service provider (SP) for payment settlements using an electronic currency. The K-CASH would be a target for any Intelligence service on earth, including the Ministry of State Security (MSS / Guoanbu). Do you remember the NSA compromised the SWIFT Network revealed in 2017 ?

kftc.or.kr

  • honeywell.co.kr

I know that one 🙂 Honeywell, not because I’m a ICS/SCADA guy but because Shodan ! 😉 Anyway, this Honeywell Korean website was in the list too… NB: honeywell.co.kr website redirect to http://www.honeywell.com/worldwide/ko-kr

honeywell

Conclusion

Starting from public indicators and passive DNS data, and by looking at the domains, their zone authoritative name servers, and the other domains using the latters (pivoting) we discovered victims.

The volume and diversity of domains names suggest that it is likely that multiple threat actors were involved. This is also likely that China’s interests are in line with these operations, especially because of the cultual/religious aspect, which was of utter interest from China at the time of these events. NB: The same kind of interest is e.g from NetTraveler which specifically targets Tibetan/Uyghur activists.

Actors could use a service like a “DNS highjacking” tactic broker (as Elderwood project was in comparison an APT 0-day-broker), or they are likely to used a shared process for this tactic.

By understanding actor’s tradecraft, we also shine some light on China’s policy, supposed Intelligence services (MSS/Guoanbu), and business needs since 2010 from APT actors (sometime named Turbine Panda / BlackVine & Winnti) where one of the central and common capacity is the Sakula malware.

Advertisements

Now imagine !

Abstract: Practical (Cyber) Threat Intelligence case essay.

Let’s imagine now you’re engaged now in a Threat Intelligence “process”. We need to define first the requirements. Basically I have to answer a question, there is a need for something… Without requirements and some question to answer it’ll be information analysis, and not threat intelligence analysis.

So let’s take an “example”, don’t be mad … it’s a learning blog post, for educational purposes.

 Scenario

Your XYZ company, is an energy company in Europe and didn’t suffered a major incident/intrusion (yet…or didn’t know it). Thus, the board wants its internal threat intelligence team to answer this question,  as a PIR (Priority Intelligence Requirement) :  What defensive measures XYZ company can take to detect/protect against Dragon Fly/Energetic Bear ?

Also, other requirements example : What are Dragon Fly/Energetic Bear’s emerging capabilities ? (included in the report.)

To qualify the first Intel requirement : “What defensive measures XYZ company can take to detect/protect against Dragon Fly/Energetic Bear (DF/EB)?

We have to collect the means that satisfy those requirements :

Is company XYZ a potential target ?

  • Company XYZ profile
  • Comparison of XYZ company to other known public victims (it’s complicated as companies are not going to shout they were hacked but we can assume

Collect: Estimated victim list, Comparison of victims profiles to XYZ company

What other “similar” companies did ?

  • Liaison with other companies.
  • Same industry best practices.
  • Potential known victims feedback.

Collect : Monitoring, Reports, MISP events.

What DF/EB is searching for ?

Collect : Events/ Reports, Assess. Rince & Repeat.

What is its modus operandi / TTPs ?

  • Study the tactical moves inside companies to reach its goal
  • Study the “procedures” the actor used to understand their dynamic.

Collect: Known Kill chains of intrusions based on (public) reports . What I started to do previously in some parts, extend, generalize… i.e Industrialize Threat Intelligence to known intrusions.

Illustration :

KC_DM

What are estimated “good” defenses against DF/EB TTPs ?

  • Expert analysis : It’s as complicated as: “How would I stop hackers to hack ?” , but there are some studies, experts points of views on APTs, and also what we observe, categorize and try to protect with (in this case the actor used a lot of common pentesting tools (sqlmap..etc) and techniques (smb trap, smb outbound, kerberoast, GPP Passwords ..etc)
  • Deconstructing the Kill Chain : In front of each Kill Chain phase, propose a solution (standards/best practices).

Collect : Intrusions kill chains phases with known tactics, techniques used, propose solutions.

Try to be useful

Intelligence is, as far as I understand, a support function :

https://www.army.mil/e2/c/images/2016/03/31/429146/size0.jpg

It can :

  • Facilitate decision makers ==> Support to situational understanding.
  • Adapt defense measure ==> Support to force generation.
  • Try to answer questions
  • Reduce uncertainties

…etc

The Intelligence “product” has to be :

  • Timely
  • Relevant
  • Accurate
  • Predictive
  • Tailored

Report

https://keepthetrailmuird.files.wordpress.com/2011/10/polar_bear_desert.jpg

I What was the question we were trying to answer and what are our findings ?

Technical and Tactical analysis of this actor’s intrusions illustrate a move to common tools (sqlmap, nmap, SMBTrap, commix…etc) to potentially blur the lines of attribution to this specific group. This behavior is valid on approx. all phases of the attack : SpearPhishing, Exploits, Tools, Infrastructure, Command and Control, Post-Exploitation with a varying degree and interest for actor’s OPSEC.

Kill Chain analysis revealed that intrusions where observed between phases 2 (Weaponization) and 6 (Command an Control). The phase 7 (Action on objective) was not well publicly detailed.

Actor’s strategy is to establishing a foothold (“pivot”) then use this as a pivot point to achieve its goal. For reference, this from US-CERT report :

Sélection_046

On actor’s modus operandi, we can compare e.g the waterholes (ref Kaspersky’s last report) as “or geographically or target audience relatedto be the closest point near the victim : Ex: In Russia Football’s club Waterhole can be used to target a certain category of male, working people using computer’s day to day in Russia ? It’s a filter grained definition to target Russia’s companies employees later. Same example was used in 2014’s campaign with France weather website : meteo.orange.fr to reach French assets and persons. Later in post exploitation a fingerprinting could be used to select interesting targets. This behavior in dump sites/tools could be interesting to identify the actor against several campaigns ? (interesting in my humble opinion 🙂 This TTP could be also actor’s worst ally.

We assess with medium confidence that authentication data seems to be of major interest. This aim align with 2014’s campaign (cyber espionage) focused on identification (ICS) and reconnaissance inside victims organizations.

Defense

https://cyberthreatintelligenceblog.files.wordpress.com/2018/01/c8e66-abb9cdb8a524387744fb57ebe9a4a076.jpeg

For companies and potential victims, proposing a series of counter measures to apply tailored defense to each identified attack phase would help increase the chance to detect it.  We can recommend e.g  :

1. A deception approach that can use canaries in :

  • Infrastructures (fake or ghost services, especially the one that are receiving AD NTLM hash of a canary account on corporate OWA…). Fake OWA or VPN Portal services. Fake webmail with honey-javascript which, when cloned will pop-up and alert.
  • Networks (honey nets)
  • Honey Files (documents, folders..etc)
  • People (fake VPN and AD honey accounts : Enable auditing on these AD account usage, and pop an alert.)

2. Last approach, coupled with tailored detection on tools usage (see “Pyramid of Pain” i.e to detect tools and TTPs more than specific instances of a tool binary/hash), ref :

The actor is not restricted to use only the tools already identified, so monitor for alerts on known up-to-date pentest & malicious tools & techniques (Kerberoast, GPP Passwords, NTLM Relay were used). Metrics of detection on these type of tools can be established internally and thus give an estimation or a “try of detection” by your defense team, ex: 150 tools usage traced (each mapped to a killchain phase) only 75 are readily monitored by internal SOC/CSIRT, so our defense effectively to this actor is 50% rate. It’s basic and need to be in fact more oriented to techniques and attack methodologies (like the “pivot point usage” above, than tools usage. Defense should search to detect behavior via Windows event logs coupled with IDS and AV signatures to be effective.  Editor’s Note : NSM approach is preferred to have an holistic view (netflow, full packet capture, suricata, bro, logs, and sysmon). That’s not black magic.

3. Monitoring the tactics, e.g asking internal CSIRT to be informed by law agencies, local CERTs of national victims closed geographically or from same industry. Ex: Oil and Gas association website in your country, monitor instantly for the proxy logs to this potential waterhole. Ex2: National CERT informed that a news website or online shop is hacked, quickly investigate for potential traces of waterhole if possible or individuals accessed to it. Monitoring (sandbox e.g) the received candidates CV, or any external documents, that reach internal people (as well as these internal people doing outbound connections via SMB) must trigger alerts. Editor’s Note : This is an example. A huge attention should be ported to internal traffic (workstation to workstations, ntlm relay attack, generally all tactics used by the adversary in fact).

Monitoring the moves ” : Webshell, dumps, rdesktop, tools, pivot thing could be a defender’s advantage.

II   Details

Adversary’s activity

Group Name

Berserk Bear, Energetic Bear, Dragonfly, Havex (malware related), Crouching Yeti or DYMALLOY, and Group 24.

Victimology, incidents & known campaigns (past & present)

Ref to my previous blog posts (in summary…) : Estimated Victims with public sources. NB: This is a test..

Last Campaign (2016-2018 approx) :

geocimenta

Adversary’s Capabilities :

Modus Operandi : TTPs. (Kill Chain & Diamond Model)

(see last blog posts with Diamond Model and Kill Chain on *some* events.)

 Threat Evaluation / Impact

Trying as possible to evaluate the adversary by its “business process parts”: [Operators, Sysadmin, Developers], Support, Analysis staff, Management, Infrastructure. ref.

Evaluation : As the team seems to be searching for information on economic sectors, the actor is de facto a Economic espionage team. Adversary is well funded and capable to sustain long campaigns. Impact may be as serious as US-CERT and UK National Cyber Security Centre published reports …  Convinced ? In fact, what is observed from our external point of view sustain the idea that the actors is well prepared, but the problem is inside networks what can they did to achieve their goal. Look at this below from US-CERT report. It’s a beautilful piece of MS windows hacking …disable firewall, open Remote Desktop, suppress limitation on Multiple Concurrent Sessions and roll on ….

Sélection_064

Sophistication

What is the threat on an evaluation scale as low, medium, critical, and why ?

We estimate that this threat is medium. Medium doesn’t mean actor is not effective it’s a characteristic. The group seems to be moderately funded (no 0days or costly procedures/moves) but compensate by social engineering means, and or common techniques and tools. Re-tooling. Editor’s note : This is the exact definition of an APT (adversary is “advanced” (team, tasking, goal) but NOT its tools. A contrario, what we called “Planting a pivot” is a curious move but an effective one, in its procedures, that will make this a distinctive element of this group in its operations. This is interesting and confirm this actors is serious. Other sophistication are malware capabilities (Goodor and Dorshell are especially well crafted when operated. The actor is also capable of handling many (dozens…) hosts in its infrastructure or easiness to use endpoints from common multi-infected hosts.

Adversary’s Intent & Opportunity

Context. Geopolitics, News.

Control Engineering, Industry, Oil & Gas, Geociment, Quartz mineral and other minerals, especially in Africa, seems to be really interesting for any actor with strong business either in this area (Africa), or in this domain (Industry / Minerals).  We can imagine that mine projects and industrial processing represent a targeted sector. The concerned sectors ( Industrial Engineering, Mines, Quartz) may take serious detection measures with an “assume breached” position in mind.

The Oil & Gas seems to be an ‘old’ target sector (last campaign 2014 approx…), but actually the group is tasked again to get results in this domain too.

The group seems to be tasked for economic purposes, but the sectors targeted are strategic (Oil & Gas, Industrial Engineering in critical sectors).

US counter part is different on adversary’s intent (someone said SCADA/HMI) and no trace of this has been investigated obviously. DHS did it. But does it reveal that the actor is either (a little bit) opportunistic  ? or (may be) too much multi-tasked on the domains searched ? In my opinion its more that the actor is agile and able to adapt to fast paced missions.

Timely events.

(see last blog posts with Diamond Model and Kill Chain on *some* events.)  A timeline would help < INSERT TIMELINE > …

Estimated intent / motive.

Cyber reconnaissance, tasked to get credentials (espionage as further goal). Plant a pivot (locally or then operate on Energy (especially Engineering either as a motive or a goal) or Technological/Mine sector. Oil and Gas (Prospection ? Technologies ?). Africa and minerals/mines. Imagine rare metals used in modern technologies?

 

 

 

 

Threat Intelligence Report Template

I was reading Sergio Caltagirone’s article on what is Threat Intelligence and wanted to capitalize on my findings (previous blog posts). At the moment I didn’t provide stricto sensu CTI, only the beginning of investigation. So it was time for me to think about it.

Here below the tweet about the article :

sergio

NB: Here the link of the article.

 

Key Elements

Some key elements I gathered, and how I interpreted them, from the article and from the discipline :

  • Goal is to reduce harm ==> the unknown unknowns 🙂
  • Goal is to answer a question ==> Same as Intelligence Cycle.
  • Goal is to think with a model, to be able to have a level of abstraction ==> Kill Chain, Diamond Model may help to present, visualize, and think. Structured analytic techniques too.
  • Goal is to analyze (Human analysis) ==> cognitive science.
  • Goal is to enhance ==> completeness, accuracy, relevance, and timeliness (CART).
  • Goal is to produce Intelligence on Adversaries ==> i.e Threat Intelligence.
  • Goal is to be the cherry on the cake of Defensive approach ==> Strategy.

Most of the work is to adapt your investigation, trying to characterize the adversary to present, in a timely manner your findings to the correct audience, thus : Strategic, Technical & Operational.

Editor’s note : Referring to the Pyramid of Pain, may help to disrupt adversary and reduce the dwell time.

 

Template’s Report proposal

I liked the way US-CERT present the Kill Chain in TA17-293A as :

The model identifies what the adversaries must complete in order to achieve their objective.

Ref : https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

Sélection_017

US-CERT in some alerts chose to describe the adversary’s modus operandi as a chain. They “merge” actions and capabilities. Actions are the consequences of the capabilities, and they could be represented in several kill chains. Anyway keeping a “chain of actions” is helping to characterize adversary’s behavior but could not be reduced to it.

Editor’s note: I hope to be clear, sorry for my bad English. I try to write to in this language to be able to reach as many people as possible.

Continuing on this idea, I’ll prefer to characterize the events as part of multiple cycles  (Kill Chain) and contextualized actions with several factors : Diamond Model (Adversary, Capability, Infrastructure, Victim).

Finally if I had to take these notes & ideas as part of a CTI report and use a template for it, I’ll go with :

 

I    What was the question we were trying to answer and what are our findings ?

ex: Did the Threat actor XXX may impact our organization ? Are they a threat ? and if so how can we protect ?

 

 II   Details

  • Adversary’s Capabilities :
  1. Modus Operandi : TTPs. (Kill Chain & Diamond Model)
  2. Threat Evaluation / Impact : Trying as possible to evaluate the adversary by its business process parts: [Operators, Sysadmin, Developers], Support, Analysis staff, Management, Infrastructure. ref.
  3. Sophistication : What is the threat on an evaluation scale as low, medium, critical, and why.

 

  • Adversary’s Intent & Opportunity :
  1. Contextualization. Geopolitics, News.
  2. Timely events.
  3. Estimated intent / motive.

 

  • Adversary’s activity
  1. Group Name
  2. Victimology, incidents & known campaigns (past & present)

 

 

 

US-CERT TA17-293A – Waterholes

Today I decided to investigate on the domains involved in the US-CERT Alert TA17-293A. (work in progress…)

These domains are  mentioned as FQDN in the csv with the alert :

fqdn

All are legitimate websites, cf:

“According to DHS and FBI analysis, this is a legitimate domain which may have been used as a watering hole for the purpose of compromising victims.”

All websites seems to be linked to a company named “CFE Media LLC”, founded in 2016 and based in Chicago, Illinois.
cf:
https://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=104863078

CFE Media LLC

cfemedia.com.png

Waterholes

VirusTotal release a visualization tool built on top of VirusTotal’s data set :          VirusTotal Graph. We can see there the malicious things detected; On left : cfemedia.gcnpublishing.com and on right from grand-central.net

vt_graph

Searching on archive.org for traces of infections making them waterholes.

http://www.oilandgaseng.com

I found this one :

https://web.archive.org/web/20170603010057js_/http://www.oilandgaseng.com/fileadmin/templates/Redesign_2013_V2/js/loginbox_og.js

oilandgaseng.com

The IP 184.154.150.66 is located in US, and reverse DNS lookup is server102.pentagonalmuriae.com.br. This seems a Brazilian insurance company :

pentagonalmuriae.com.br

Editor’s Note : Probably hacked ? to serve as part of the infrastructure (smb listener).

By quickly searching on the internet, RiskIQ already did an article on these waterholes :  https://www.riskiq.com/blog/labs/energetic-bear/ on November 2, 2017, by Yonathan Klijnsma. Anyway I’ll continue trying to find different/new things 😉

This IP is used as a SMB listener, and zoomeye Indexed the open tcp/445 port on 2016-11-11 18:08, cf :  https://www.zoomeye.org/searchResult?q=184.154.150.66

184.154.150.66

If we search for this IP “reputation” VT and hybrid analysis have some reports, but we need to re-contextualize the events.. Anyway in August 2017 e.g this look like a Word attack trace :

184.154.150.66_hybrid

Some traces on VT for the IP :

184.154.150.66_vt.png

OFF/ The file ce.pn (ce.png ??) was scanned on http in 2017-09 and what seems (to be confirmed) a Word template injection attack in 2017-10. maybe the server was used in this campaign, in others, by other groups too. By searching a little bit there seems like a lot of activity on this host…

ref link : https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/

Here below the 3 waterholes in the RisqIQ article :

riskIQ

I found them too :

http://www.plantengineering.com

https://web.archive.org/web/20170602214445js_/http://www.plantengineering.com/typo3conf/ext/t3s_jslidernews/res/js/jquery.easing.js?1307039544

www.plantengineering.com

http://www.csemag.com

https://web.archive.org/web/20170602214546js_/http://www.csemag.com/typo3conf/ext/t3s_jslidernews/res/js/jquery.easing.js?1307039544

csemag.com.png

NB: This website wasn’t in the US CERT Alert, but is linked to CFE media.

http://www.controleng.com

https://web.archive.org/web/20170603005506js_/http://www.controleng.com/typo3conf/ext/t3s_jslidernews/res/js/jquery.easing.js?1307039544

controleng.com

 

 

A quick Look at US-CERT TA17-293A – Round 3

Editor’s Note : Two important points on these previous blog posts :

  1. I’m aware it’s not stricto sensu threat intelligence because no previous requirements have been established, thus it’s more information analysis/investigation…
  2. I consider some events are acceptable without verification or evaluation. This is not acceptable and this blog is more a “What will I do if these events were occurring in my perimeter ?” … This blog is a learning-on-process notepad for me. So don’t be mad.

 

Now let’s play with the events and what I can find 🙂

Update November the 6th : Did you look at awesome work from Roberto Rodriguez on his blog, and Github ?  Especially I liked the TTPs usage on Energetic Bear v1.0

Sélection_025

Here above, it’s Tactics, Techniques and Tools (not Procedures). In my opinion, and as I understand it “Procedures” can include “Tools”, but not only. Procedures is more generic. Anyway, isn’t it great?  I’ll try to map new TTPs and send them to the author for review.

Let’s continue our little investigation on Round3/Kill Chain 3 events :

Sélection_026

This part is not really clear for me 😦  In my SANS578 course notes I’ve got : “KC3 is mechanism in which payload gets to target”, it describe :

all of the tools and infrastructure used to pass the weaponized object to its intended target“.

  • We can look at SP emails to look at the headers, hoping to find some characteristics, but no mail is available.
  • The PDF document may reveal in its metadata the software used to create it. (KC2)
  • The actor’s methodology (TTP) which is switching from common “active” exploitation to no exploitation : More a SE (Social Engineer) approach, i.e : “Why use an exploit (whith all the costs…) when you can get what you want by politely asking for it” ? SP mails were  previously referring to control systems or process control systems, and messages include references to common industrial control equipment and protocols, which seems legit.

The only PDF document I can see in the US-CERT alert is indicated in MIFR-10135300_TLP_WHITE.pdf which contain e29d1f5d79cd906f75c88177c7f6168e hash.

pdf

 

  • VT first seen on 2017-03-23  In PDF metadata we can see  Author: Dan Richards, which for these event is an adversary (persona).  The CreatorTool is set to Microsoft Word. 

 

  • 3 IPs are associated with the PDF in MIFR report, and their corresponding links :

67.199.248.10 (bitly)       –> http[:]//bit.ly/2m0x8IH
104.20.219.42 (tinyurl)   –> http[:]//tinyurl.com/h3sdqck
192.81.76.117                   –>  www[.]imageliners.com/nitel

The last one 192.81.76.117 looks like crap, some domains  were associated with it and VT found :

(…)
http://www.imageliners.com
(…)
imageliners.com

We also found many other information related to this IP : Malwares, phishing “resources” i.e URL, several other domains, websites, cpanel, roundcube and dovecot services/software …Etc In fact a lot of information….too much information indeed.

Here’s the Maltego graph I built : On the left the bitly IP, and tinyurl, then on the right the big mess of information found on 192.81.76.117 :

192.81.76.117

Here’s the associated DM of these events :

DM_''document.pdf

You’ll note that I prefer to place the “PDF document event” in KC4 as the 3 IPs associated (bitly, tinyurl and imageliners.com) are not related to the delivery of the PDF document (which SMTP servers were used e.g) but more on the Exploitation phase (Kill Chain 4). I may be wrong feel free to send me an email via the contact page ! 🙂 I assume that this explitation phase has a context materilazed by the social engineering technique used. The 3 IPs above are more architecture elements used in this phase imho.

Concerning the website http://www.imageliners.com

Refering to RisqIQ passive DNS information, It was : 

First Seen 2017-03-02
Last Seen  2017-12-02

 

On thing that catch my attention was the “/nitel” ressource… If you remember my first post there were 2 ressources in Africa: One in Angola and the second one in Nigeria..

ref:

nigeria_cwg

by the way NITEL could be a phishing attempt to Nigerian Telecommunications Limited ? No idea, simple assumption.. Was it the first target to reach (above) energy company as their final goal ?

NitelLogo

Refering to Wikipedia :

Another Nigeria Telecom Company (Ntel) was launched In April which took the place of Nitel, Ntel is the newest reincarnation of the now defunct telecoms company, NITEL. The Nigerian government handed over NITEL/Mtel assets over to NATCOM (Ntel’s parent company) in a deal worth $252 million last year.

The cwlgroup has a lot of services open on the internet, refering to shodan (here)

cwlgroup.com_shodan

I wont enumerate all the services and potential vulnerabilities but this list seems a pretty good panel of services… to target. An adversary could have catch the above services quickly.

…and dnsdumpster.com (here the spreadsheet : cwlgroup.com-201712061050)

cwlgroup.com

Some of them are insecure, and could represent an beach head to other ressources/networks and companies…

We can note too that the same websites was possibly hosting phishing schemes on 22-06-2017, regarding VT :

dentsuaegis_phishing

Dentsu Aegis Network is Innovating the Way Brands Are Built for its clients through its best-in-class expertise and capabilities in media, digital and creative communications services.

cf:

dentsuaegis

dentsuaegis2

Was this company targeted ? Was it linked to our group ? Or did the group only used the same infrastructure/service to phish Nitel/Cwl Group ? No idea but this probable phishing scheme is 4 months earlier than the Nitel one…so no need to rush on assumptions…

 

 

 

A quick Look at US-CERT TA17-293A – Round 2

Update on 22nd of November

I totally do it wrong on my Diamond Model originally. Or I maybe totally doing it wrong now, dunno ? Anyway it’s clearer to separate on the attacker’s perspective the different phases of the KC and recontextualize them with the DM… I mixed a couple of phases following the original US CERT alert… I don’t find their way of classifying the KC phases really “compartmentalized”. Anyway I submit to readers my new events in KC/DM modifications.

Update on 23rd of October

  • I don’t know if its an ongoing campaign but it can be an effective way to burn researchers time (I’m not a researcher) and distract from (other) attacks 😉

 

 

  • A quick reminder on this excellent article from  Koen Van Impe who created two mindmaps based on open source information.

 

Let’s continue our little investigation

The US-CERT Alert indicate :

Stage 2: Weaponization

From the alert :

KC2

So we need to find email attachments, indeed Microsoft Office documents that include “file[:]//<remote IP address>/Normal.dotm” as an example… So maybe other techniques may have been used ? Dunno.

ThreatConnect has imported the US-CERT Alert indicators too.

My goal is now to find the documents used in the KC2 phase…

A quick look at additional documents from the alert seems to identify MIFR-10128327_TLP_WHITE.pdf as the one I’m searching :KC2_MIFR-10128327_TLP_WHITE

Iterating on all the .docx above…

Only 8 hashes on 11 were valid (3 duplicates) :

038a97b4e2f37f34b255f0643e49fc9d
31008de622ca9526f5f4a1dd3f16f4ea
5acc56c93c5ba1318dd2fa9c3509d60b
65a1a73253f04354886f375b59550b46
722154a36f32ba10e98020a8ad758a7a
8341e48a6b91750d99a8295c97fd55d5
99aa0d0eceefce4c0856532181b449b1
a6d36749eebbbc51b552e5803ed1fd58

Regarding these hashes, thanks to the very useful Google sheet :

google_sheet

 

 

Hash : 722154a36f32ba10e98020a8ad758a7a

I can find online information on hash 722154a36f32ba10e98020a8ad758a7a

  • JoeSandbox.com give freely some reports (but not the sample… need a paid account) :
  1. Full Reports : A HTML Full report  – A PDF Full Report
  2. Reduced Report : A HTML Executive report
  3. Secondary Analysis : XML Incident Report and Network PCAP

  • Malwr.com has some analysis too (but uploader didn’t share the sample…) on 2017-06-24 13:53:16
  • Sophos , first seen on 2017-06-24.
  • ThreatMiner on 2017-07-07 13:01:28
  • Netresec company (Sweden) twitted about it.
  • US-CERT give an analysis of the file. NB: In this report we learn that the email message has a X-Originating-IP, 91.183.104.150.  This could be an indicator aligning in KC2 Weaponization phase.

91.183.104.150

NB: This is not a proof of anything, I’m not a technical expert but I suppose that this field can be spoofed easily.

I suspect some “spammer trick” that spoof “real” SMTP Originating IPs, as this one. Shodan show that there’s an SMTP Service available on it :

91.183.104.150_shodan

However this trick if confirmed (X-Originating-IP of a legitimate domain) to send spoofed emails, could characterize actor’s TTPs. 

       Only on this document, and ongoing little investigation the DM maps to :

KC2_Weap_7221

KC3_Deliv_7221

KC4_Exp_7221

NB: I know KC is an event, but because I’m lazy and don’t have all the info I put doc name & hash at the center, referring to this event. Modified version on 22nd of November…

 

Hash : 8341e48a6b91750d99a8295c97fd55d5

I found information on this hash on US-CERT MIFR-10128327.

This time the malicious word document attempt to authenticate to the malicious SMB server at 62.8.193.206 and this one NO X-Originating-IP.

I could have tried to identified (If i could) the KC of events where occur this attached document, and draw this DM “context” :

KC2_Weap_8341

KC4_Exp_8341

 

Hash : 99aa0d0eceefce4c0856532181b449b1

Idem as previous one.

 

Hash : a6d36749eebbbc51b552e5803ed1fd58

Idem.

 

  • Alexandre Dulaunoy tweeted about correlation on events related to this alert : Correlation graph, based on hash correlation to see common tools (like PsExec) used among MISP events. Note from the author: They’re not related to KC2… just indicated here for information.

misp

 

I tried to take only discovered hashes/IP related to KC2 in Maltego (I need a license…) and use threatminer.org transforms (which is GREAT..please support them. Donate !) Here are the results :

dragon_KC2_threatminer

We can see that most of the hashes are present in Talos and/of US-CERT Alert, except one at the bottom of image :

MD5 57dbd7ca35448b94a63512d99bb42e25
SHA1  e7e6c7cf8bc5d4467d5c4f645eb06ee2efb31f3e
SHA256 ae24b4521c68d52a349dce95d89d5ac2137292ec1a539df11960eb2938fceb3d

Submitted On Malwr.com : 2017-05-30 13:38:13   FILE NAME UPS-Delivery-03543370.doc.html

Hypothese : The date above, in red, for this hash/sample are among the oldest I could find. (I may be wrong..) and the name is aligning more with Cybercrime bait than, with an APT targeting energy, so we can suppose the APT actor used this already existing infrastructure (?)  This “aligns” (let me take a wild guess) with the actor’s TTP, if so,  (and more generally with some other APT groups) to use common or already existing tools, as maybe in this case already existing infrastructure (previously used by cyber crime actors to deliver other kind of malware ? or used by cyber crime actors, as a service offered by a 3rd party ?). This is seriously blurring the lines.

 

 

 

 

 

A quick Look at US-CERT TA17-293A

Abstract: Energy & other sectors.  US-CERT Alert. Kill Chain/Diamond Model. Shodan Services. ICS organisations (?). Small Investigation.

On October 20, 2017 US-CERT published this alert :

TA17-293A : “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors”

us-cert-alert

 

I decided to have a look. I wanted initially to map with the Diamond Model all events in this report which are organized by following the Cyber Kill Chain :

Using Cyber Kill Chain for Analysis

DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of activity within this framework.

 

  • So I started with events in KC1 Reconnaissance:

reco

.. nothing to see here…

  • KC2 Weaponization : We’re trying to look in this phase at events that let us know caracteristics on the indicators : What, who, how the threat actor built the payload. How can we detect metadata about the tool e.g that permit to send the spear Phishing emails ?  In the alert we can see the actor used Spear-Phishing emails with a not so common technique :

(…) Threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol

I tried to map the DM to some “events” described in the alert (unfinished):

KC2_DM

I remember immediately of this article from Chris Gates : Embed an HTML Link to an smb share into a word doc :

cg

 

It’s an “old” concept but very effective. It’s a trap that make you initiate a connection to an external SMB service (e.g MSF auxiliary/server/capture/smb)

Some examples and references on this technique are e.g :

 

I remember that Talos previously identify usage of (probable) Phishery toolkit in their blog post from July the 7th 

FUN: With Phishery : RelID is 1337 which is l33t 🙂

One of the document analyzed by Talos seems to be a resume from someone working in PLC – SCADA …. which is a great bait to send to ICS companies.. and is aligning with the US-CERT alert on this point :

resume

and in the US-CERT Alert :

resume2

We can see that Related IP Addresses in Talos’s report, in blue below
184[.]154[.]150[.]66

5[.]153[.]58[.]45

62[.]8[.]193[.]206

Are also present in the US-CERT Alert … DragonFly/Energetic-bear is also evocated.

 

I jumped directly  …..

RickandMortydotcom

…to searching on SMB services open on the IPs present in the report, thinking first they may be able to identify which IP is used in which KC phase… and finished thus there my DM mapping & contextualisation of KC events 😦

Hint for US-CERT : Calling an “indicator” and IP with a context as “IP watchlist” is not useful… An indicator as an IP has context if… eg: IP is a C2. IP is used in KC3 (delivery phase) as webserver delivering a payload…etc

 

Shodan SMB Services

Shodan services from IPs in the US-CERT report. Here are the results in green :

  1. shodanI thought that some of the IPs may have been used (or not) as malicious SMB server to receive the credentials of victims. Bonus: Some SMB services have authent disabled. Omg.

Shodan SEPM (Symantec Endpoint Protection Manager) services

  1. In yellow above several of the IPs are configured with this Symantec service open to the Internet.
  2. In the US-CERT alert several usage of Symantec script were used at a moment, but not in KC2 Weaponization ( KC 5: Installation)

 

ICS Hosts / Organizations ?

In red I noted two “interesting” IPs :

41.205.61.221 (Angola)

  • Symantec publish a writeup on Backdoor.Goodor and this hoste was hosting one of them. cf: [http://]41.205.61.221/aspnet_client/system_web/4_0_30319/update/DefaultF[REMOVED]

 

  • In shodan several other services are open and for the 8443/tcp Symantec one we can see a SSL Certificate with  ocpengenharia.co.ao

41.205.61.221

Using DNS Dumpster ocpengenharia.co.ao show these results and especially hosts in Angola :

dnsdump_ocpengenharia.co.ao

 

  • ocpengenharia.co.ao translate (imho) to OCP engineering in Angola.
  • mail.geocimenta.co.ao is present in dnsdumpster image above, it align more with an industrial target that all other IPs/artefacts. In fact geociment sector may be targeted by the group (?) Here below an image on some Geociment machines in Angola :

geocimenta

In fact it may be (assess with medium confidence) that this is the most “promising” target that align with a group interest like Energetic Bear/DragonFly : Spy/get information/then pilfer strategic sectors like geocement.

 

By searching in Google on ocpengenharia.co.ao it seems that it’s an Industrial Engineering company in Angola (?) No idea at the moment if it’s linked to the Brazilian company or a subsidiary ? 

Editor’s note : That explain why the blog post/little invest is accessed from Brazilian IPs ?  😉

ocp

 

 

41.78.157.34 (Nigeria)

We don’t see any services represented in the spreadsheet above, but, other services are available and some are processing presented metadata information as e.g :

DC=hubservices,DC=cwlgroup,DC=com

DNSDumpster results of cwlgroup (below) indicate working items in Africa too.

nigeria_cwg

CWG seems to work in ICT sector in Africa.

cwg

 

 

 

Raw Information

And now raw information (no value.. some notes only), maybe I’ll discover some links/information later  ?

 

2.229.10.193

  • Shodan show too a Symantec EndPoint Protection Manager (SEPM) “profile”, with open ports/services : 80, 443, 445 (why?) (Authentication enabled and SMB V1) , 3389 (RDP) and 8443.
  • Symantec said that host was hosting Backdoor.Goodor C2 :

2.229.10.193_backdoor_goodor.png

cf:

symantec_backdoor_goodor

 130.25.10.158 (Italia)

  • Another host hosting Backdoor.Goodor, cf Symantec :  [http://]130.25.10.158/aspnet_client/system_web/4_0_30319/update/DefaultF[REMOVED]
  • On threatminer, there’s a sample associated.
  • Have a look for this hash on VT

167.114.44.147 (Canada – Montreal)

  • VT indicate last detected URL with “/A56WY” . This seems to be related to Backdoor.Dorshel considering Symantec technical details.

Regarding STIX file: “According to DHS and FBI analysis, this IP address is associated with a callback for s.exe (also named svcsrl.exe) within SSL traffic.”

 

 

 

  • VT indicate several DNS resolutions (passive DNS) from last July to November 2016. Look at the date of 13th of July 2017… NB: Was it an immediate popping ? Like vulnerable machine hacked (or installed) immediately ? attributed by another customer and thus quickly used/hacked for purposes ?

176.53.11.130_passive_dns

  • It seems there to Emerging Threats signatures in hybrid-analysis report that “Backdoor.Goodor Go Implant CnC Beacon 1″ popped up, see:

176.53.11.130

  • According to DHS and FBI analysis, this IP address is associated with a callback string in ntdll.exe :

176.53.11.130

  • But what is ntdll.exe ?
  1. It seems it is again Backdoor.Goodor (refering to Florian Roth sheet on samples) : hash: 8943E71A8C73B5E343AA9D2E19002373
  2. McAfee: Generic .i / ESET-NOD32: a variant of Generik.GSOZLWO / Symantec: Backdoor.Goodor / F-Secure: Gen:Variant.Razy.188651 / Sophos: Troj/Agent-AWTV / GData: Gen:Variant.Razy.188651
  3. First submitted on VT : 2017-05-10 08:37:18 UTC  and Last Submitted on VT : 2017-08-11 01:57:17
  4. VT link of this analyzed sample.
  5. Hybrid Analysis of the sample.
  6. Refering to Symantec, it’s one of the C2s :  [http://]2.229.10.193/aspnet_client/system_web/4_0_30319/update/Default[REMOVED]

 

By searching on ZoomEye  for this IP :

176.53.11.130_innora

Editor’s note : Investigate a little bit more : Was this host/domain (2016-11…quite a bit old…) concerned  ? Is it linked to http://www.innora.gr/ ? Absolutely no link but it’d be interesting 😀

innora_gr

 

184.154.150.66 (US)

  • Seems like related to Report03-23-2017.docx refering to threatminer
  • Reading the US-CERT Alert : “Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm).” It look like this in VT :

184.154.150.66_template

187.130.251.249 (Mexico)

187.130.251.249_cisco

193.213.49.115 (Norway)

“According to DHS and FBI analysis, this IP address is associated with a callback string in ntdll.exe.”

 

195.87.199.197 (Turkey)

“According to DHS and FBI analysis, this IP address is associated with a callback string in ntdll.exe.”

 

 

2.229.10.193 (Italy)

5.150.143.107 (Italy)

By enriching the IP with Threatcrowd there was a reverse DNS resolution on 2017-10-11 :

wasteapp.sostenya.it

 

From RiskIQ passive DNS we get:

Resolve First Last
wasteapp.sostenya.it 2016-07-08 2016-08-04

I suppose Waste Italia App (application?) , and Waste Italia is part of the Waste Italia Group, an investment holding company operating in the environmental industry, listed on MTA market of Borsa Italiana, itself owned by Sostenya PLC

cf:

waste_italia

This is interesting because http://www.sostenya.it (website down) is redirected politely to www.sostenya.co.uk and this company/group has activities in Energy :

  • Renewable energy : Photovoltaic, Wind, Bio, District Heating
  • Environment
  • Energy Efficiency

sostenya_group

sostenya

5.153.58.45 (Netherlands)

  • //specific malicious word document PK archive is indicated in US-CERT Alert
  • VT indicate URL scanned {template (word?) docs/analysis} :

5.153.58.45_vt

 

62.8.193.206 (Germany)

  • “MS Word trojan downloader” indicated several times in threatminer
  • In US-CERT Alert: “//specific malicious word document PK archive” too…
  • VT indicate URL scanned {template (word?) docs/analysis} :62.8.193.206_vt

 

82.222.188.18 (Turkey)

  • Backdoor.Goodor (via Symantec)
  • Several URL scanned via VT :82.222.188.18_vt

 

91.183.104.150 (Belgium)

 

85.25.100.104 (Germany)

  • US-CERT alert STIX indicate :

85.25.100.104_stix

85.25.100.104_stix_grizzlysteppe

  • Several services open on the internet, and indexed by Shodan. Interesting to see (e.g SMB without auth indexed on 2017-12-09 .

 

96.126.116.217 (USA)

  • Has some related samples referring to ThreatMiner.
  • By following VT information, corp_rules(2016).docx is
    351de762b4a3f600a30b291a467af3d3988b6343c6671b1678676444a0981ee8
  • Hybrid Analysis has also information on this sample, and is also linked to another IP :351de762b4a3f600a30b291a467af3d3988b6343c6671b1678676444a0981ee8

 

203.113.4.230 (Thailand)

  • Some samples from ThreatMiner (“Trojan-Downloader.MSWord”)
  • VT information on this IP.

 

149.210.156.198 (Netherlands)

  • STIX data with US-CERT alert indicate KC6 phase which is C2, and the “usage” of the IP :

149.210.156.198_stix

Same as next/below IP : If the IP was used to RDP into a victim network and to gain unauthorized access into OWA, it’s more a KC7 AoO (Action on Objectives). We can “understand” that the victim network was the company itself ? (or not…)

Did McAfee take that understanding considering this case ? That can explain why they say “financial, and accounting industries”.

cf:  Operation Dragonfly Analysis Suggests Links to Earlier Attacks 

mc_afee

cf:

randzaak

  • Censys.io indicate a certificat with CN=RA-RDS.ra.randzaak.nl :

149.210.156.198_cert

151.80.163.14 (France)

  • KC6 event(s) i.e C2 where IP is indicated, refering to US-CERT stix :151.80.163.14_stix

Hmm, if the IP is a source IP to a webshell it’s more a KC7 AoO (Action on Objectives), anyway here’s the information to the webshell in the alert :

autodiscover_webshell

  • ciklon_z webshell … I only found a github repo/project referencing all webshells… A user/login is ciklon-z (see below). Notes from editor : Were the two webshell referenced there and US-CERT give it the “name” ? Are there existing ? forked ? I dunno… 

ciklon_z_webshell

  • Alienvault has also information on it :

151.80.163.14_alienvault

  • Referring to DomainTools, this IP looks like a shared server (?), cf network name.

 

 Backdoor.Goodor

Some notes on IPs present in Symantec Backdoor.Goodor details : 9 C2 IPs are present. All of them were investigated aboce in raw information.

 

Conclusion

  •  The US-CERT Alert report seems linked with previous Talos report.
  • A lot of services on some IPs are open… sometime willingly (smb), sometime not.
  • Shared IP with GRIZZLYSTEPPE report.
  • Only two IPs in IOC seems related directly to Industrial world : Geocement in Angola and ICT solutions in Nigeria : This align more with Energetic Bear/DragonFly group’s possible targeted sectors : Geocement. 
  • One IP was identified as Backdoor.Goodor, passive DNS linked to wasteapp.sostenya.it (probably Waste Italia, part of Italian Sostenya group energy company)
  • One IP in Netherlands used in malicious action, may be related to Accounting & Financial industry company: Randzaak. Probably a target (McAfee jumped on it?), or an infrastructure part. 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Reading List

 Abstract: My links and links to links of resources. Constant Improvement.

I-love-books

Blogs

http://www.activeresponse.org Sergio Caltagirone

http://detect-respond.blogspot.com David J. Bianco

https://ctianalys.is Michael Cloppert

http://www.robertmlee.org/blog/ Robert M. Lee @RobertMLee

https://grugq.tumblr.com/

https://www.digitalshadows.com/blog-and-research/profile/rick-holland/ Rick Holland @rickhholland

https://medium.com/@sroberts Scott J Roberts @sroberts

https://sourcesandmethods.blogspot.com

http://www.cyintanalysis.com Christian Paredes

Documents

Operations Security INTELLIGENCE THREAT HANDBOOK

A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis

Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution

 

 

Twitter

Costin Raiu   @craiu

J. A. Guerrero-Saade   @juanandres_gs

Thomas Rid @RidT

Aleks Gostev @codelancer

Kurt Baumgartner @k_sec

instacyber  @instacyber

Sergio Caltagirone @cnoanalysis

David J. Bianco @DavidJBianco

Michael Cloppert @mikecloppert

Robert M. Lee @RobertMLee

Rick Holland @rickhholland

Scott J Roberts @sroberts

Christian Paredes @CYINT_dude

Unit 42 – Palo Alto   @Unit42_Intel

Medium

https://medium.com/@thegrugq

 

Other reading lists

http://maxsmeets.com/cyber-references-project/   –  Essential Reading

Fundamental Intrusion Analysis Reading List – Sergio Caltagirone

@CYINT_dude ‘s resources page

 

APT

https://apt.securelist.com/#!/threats/  – Kaspersky Lab’s Targeted Cyberattack Logbook chronicles all of these ground-breaking malicious cyber campaigns that have been investigated by GReAT.

https://securelist.com/  –  Kaspersky securelist, look at tags:  APT, Cyber espionage, Cyber weapon.

https://github.com/kbandla/aptnotes/  –  Various public documents, whitepapers and articles about APT campaigns

https://www.fireeye.com/current-threats/apt-groups.html  –  A group list of threats APTx…etc

http://apt.threattracking.com   –  APT Groups and Operations online spreadsheet, collected and organized by contributors/researchers.

 

……to be continued

 

 

 

(Cyber) (Threat) Intelligence (really) ?

Abstract: My notes and quotes on Intelligence, (Cyber) Threat Intelligence : Definitions, usage. This is theoretical. A CTI practical case will follow in next blog post.

 

Intelligence

 

  • Mr Caltagirone definition, (ref)

(…) Intelligence by definition attempts to illuminate the unknown and works by making judgments with imperfect data – errors are natural to the domain.

 

  • Mr Lee definition, (ref):

“The process and product resulting from the interpretation of raw data into information that meets a requirement.”

 

  • By following the Intelligence cycle you are able to define (with a customer who express needs/requirements), collect, analyze information referring to the question you were asked to answer or “tasked” and thus…generate intelligence. NB: On Intelligence cycle, I’d recommend reading SANS Gold paper by Brian P. Kime, that focus on one of the 5 steps : “Planning and direction”. From my understanding (as a novice!) Editor’s note : Intelligence cycle seems to be “Goal driven analysis”,  based on previous requirements. The trap analysts should not fall into is “Intelligence for Intelligence” i.e analyzing information without pre-established requirements, which is more “Data/Information driven analysis”.

 

  • In my humble opinion, Intelligence cycle is *really* important and can lead to wrong judgements, but this is in theory. In practice, policymakers are not quite “good” to formulate clear requirements. For an excellent paper on requirements read this article from Mr Roberts. If requirements are not correctly defined, the results is that, the initial point that’ll drive all the results of the intelligence cycle may be flawed. I encourage the reader to watch this video “TR17 – Surprise Bitches! – The Grugq” for his experience.

 

  • Intel generation is not the role of most of organizations. In fact they consume intelligence, asking for answers, to take better decisions, e.g Business, Economic Intelligence. To understand this concept of generation/consumption of intelligence refer to Robert M. Lee’s video.

consume_generate_intel

 

  • Intelligence, is also “Thinking about thinking“, cf chapter 1 of Psychology of Intelligence Analysis,  by Richards J. Heuer, Jr . One of the pillar of Intelligence Analysis :

Of the diverse problems that impede accurate intelligence analysis, those inherent in human mental processes are surely among the most important and most difficult to deal with.

Critical thinking is “linked” to this by its definition (ref) : I put in bold these terms I wanted to emphasize : The thinker must think about his own mental process AND at the same time of his judgment :
In other words, critical thinking is both a deliberate meta-cognitive
(thinking about thinking) and cognitive (thinking) act whereby a person
reflects on the quality of the reasoning process simultaneously while
reasoning to a conclusion. The thinker has two equally important
goals: improving the way she or he reasons and coming to a correct solution.
  •  Intelligence is “Thinking with a model” : Structuring your mind, putting things in different buckets, organizing and sorting them. In recent psychological research and cognitive sciences, two systems of decisions have emerged: System 1 which is intuitive, fast , efficient, and often unconscious, and System 2 which is analytic, slow, deliberate, conscious reasoning. Structured Analytic Techniques can help to counter one or more cognitive biases associated with System 1.  NB: Read e.g first  “A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis“. Some examples of very popular techniques are : ACH (Analysis of Competing Hypotheses), Key Assumptions Check, Red Team analysis….and more.

 

  • On Intelligence Analysis, I encourage you to register (FOR FREE) to Mr Robert Folker‘s course on Udemy which I found extremely useful.

 

 

 

Threat Intelligence … is mostly Intelligence… on threats

  • Threat Intelligence is” knowledge of the adversary”. I like this definition because it’s one of the shortest. Listen to this podcast (ref).  For clarification purposes I did this useful mindmap  😉

threatintel_mindmap

  • Another definition : Threat intelligence is  (ref) Robert M. Lee :

It is generally analyzed information, meaning to some level of interpreted data and information relating to an entity that has the intent opportunity and capability to do you harm.

 

  • But how to define a threat ? Robert M. Lee, ref :

A Threat has 3 key components :

Threat = (I)ntent x (O)pportunity x (C)apability

If one of the three parameters is missing, the threat simply does not exist.

 

  • On the difference between Data, Information and Intelligence : In a CTI (Cyber Threat Intelligence) context, trying to answer to some  customer’s requirement on a threat actor :
  1. Data : Something raw. ex: an IP.
  2. Information : Data with a context, with something useful on it, so the data was processed in some way, ex: IP which is a C2 is an indicator. It’s information.
  3. Intelligence : Act of analysis by an human, finally with a useful, timely product (e.g a report). ex: I took these sources of information and disciplines/reasoning/models, to gather all domains, and IPs related to this threat actor. I’ve analyzed their caracteristics related to whois, hosting, registrars, and I’m able to do some sort of assessment with this level of fiability, on […] of this group.

 

Before thinking you’re “doing” (generating/consuming) threat Intelligence, it’s better to do your own research first (ref) :

Editor’s note : Follow Robert M. Lee SANS FOR578: Cyber Threat Intelligence

 

You said Intel ?

In fact, CTI is more a …counter-intelligence job. (ref). You know… cops & robbers game, they’re the robbers and YOU are the cops. In other words :

Track them, Find them, Kill them !

metallica_seek_and_destroy

Organizations can (but few are..) generate Intel about adversaries e.g based on past intrusions sets. Why is it useful ? Because it directly hit the organization. Organizations can investigate, then apply Intel cycle, models (like KillChain/Diamond Model) on events to gather Intel.

Finding evil is utterly important, capitalizing on what (tried to) kill you is vital. (LOL).

 

  • Real experts already defined Intelligence & Threat Intelligence. One of the post must-read in ref.

 

Threat Intelligence, what it’s NOT

 

  • The classical “IP/Threat Intel Feed” : Even with context which are de facto indicators, e.g IP of.. a C2) … feeds are only … feeds. Data or Information. Thank you X vendors for planting in people’s minds this blurry line…

 

pew_pew

 

  • Leaked data is not threat Intelligence, it’s… leaked data. Dark web/net, Social networks, forums monitoring for leaked accounts, brand monitoring, typosquatting…So if a company call their service “Threat Intelligence” for leaked data detection, it’s surely a good service but it’s not Threat Intel. Why ? because Threat Intelligence is Analysis on threats based on requirements and involve Human.

 

 

 

Conclusions

  • Intelligence has deep roots in Analysis, cognitive sciences because it’s mostly through the human lens that the problems are examined. The analyst has to understand how he think, as much as what he think.
  • Intelligence must be timely and useful, answering to some requirements (question). Its so, a process (the steps to realize) and a final product (a report e.g).
  • Threat Intelligence is Intelligence on Adversaries.