Saturday, June 21, 2014

Red Sky Weekly: We're STIX!

I'm happy to announce that we are now providing indicators in the STIX format.
https://stix.mitre.org/
Two weeks ago we pushed our first STIX package to the Red Sky portal. It's not perfect yet, but we received some good implementation feedback during our threat day this week. Next step? TAXII. I'm a huge fan of sharing information machine-to-machine, so this is very exciting!

Why'd we do it? Let me tell you a story. I promise, it'll come back to STIX!

About a year ago, we happened upon the entire active directory structure for a very large European company. Like a drunk who drives the back roads throwing their cans out the window into the woods as they drive, some sloppy cyber litterbug dropped a bunch of stuff on a couple of open nodes --that we then picked up as we walked along the road looking for clues. 

The data we'd acquired suggested that the company was compromised --and I mean completely compromised --caught, cleaned, and gutted, and had been so since probably mid-2008. There was a lot of stuff. Some of the information we saw suggested also that this company had sold an application to another ...and when this application was used, it was sending data from the application to computers outside of the company. So we tested the encryption with passwords we knew to be used in previous APT events, and were able to view enough files to know that the company used the application to make big things that float, fly, and sink themselves intentionally. 

Neither of the companies was involved with Red Sky Alliance, but we knew who they were, so we thought we'd be a good neighbor and let them know that we'd found their stuff on the endpoint of a command and control (C2) node. The European CISO was nowhere to be found. We know the company has one; we know they participate in security forums, but nobody would take our call. The second? We visited them in person. I know the CISO. We showed them (quietly) our story, but alas, their team is small.

That was a year ago. In the last two years we've done victim notifications with private companies, federal agencies, supply chain partners, K-12 school systems, manufacturing/machining companies, security companies, universities, and more. Companies range from global in size to very small, in hundreds of industry segments. Our smallest notification - four people doing a half million dollars per year in business. The funny thing is, the smallest company that we notified hung up the phone with us and called the FBI (not on us!). We referred a local incident response company (a known - a Red Sky Associate Member) to assist with the clean-up, and I believe that as we speak, they're well into their get-well plan. 

So why do I tell this story? A year later? We're moving into the era of full automation. While I'm not necessarily a fan of full automation, I am a fan of stripping any and all barriers to a company's use of protective information. STIX puts data into a format. TAXII moves it from company to company. The next step is moving data from that company repository directly to defensive tools. In every case where we've done victim notification, if we had this automation in place I could have simply shared data to the compromised company. They'd receive our indicator bundle, push the 'easy button', drop it into their defenses, and move along. Of course it's not that easy, but you get the idea.

We're moving in the right direction!

BT BT

What's happening in Red Sky this week?


  • First, as mentioned, we're now STIX! Members (and Wapack Labs subscription customers) can now get their indicators in .csv or STIX format.
  • We issued warnings this week to about a dozen companies. They're targeted, and we believe they'll be hit in about two weeks. The warning also included an analysis of the tools that will be used, and how to protect against them.
  • We had our quarterly threat day in Tampa this week. We had cocktails and food at the Pebble Creek Country Club, with a day of meetings at a member location on Tuesday. What a great two days!
  • Last, we continue tracking cyber activities between Russia and Ukraine. You just can't make this stuff up. The Christian Science Monitor ran a story on this as well. Since our original post, we've authored several more blog posts inside of Red Sky, and issued three priority analysis reports aimed at offering good situational awareness and defenses to our members who have business interests in the area. 
Last but not least - I just heard that the days will start getting shorter after today.
So please, enjoy the solstice! 

Until next week,
Have a great weekend.
Jeff


Saturday, June 14, 2014

Red Sky Weekly: Reflections on a great career...

I spent Thursday morning at the retirement ceremony for an old friend - CWO3 Eric Slater, USMC.

And while it didn't hit me then, in the quiet of that afternoon, when my email finally settled down, smoking a cigar on the back porch, I had the opportunity to reflect on what an amazing career this has been. And the idea that his and mine intersected made it only that much better.

Eric and I worked together at the Office of Naval Intelligence (ONI) in Washington in the late 90s. We've stayed in touch over the years, occasionally over a beer and cigar at a local watering hole, but today, when I think back, it hit me like a ton of bricks. For those who started in this field -this amazing field of information security -like Eric and me (and many others), the realization hits that many of the things we did in the late 90s really shaped many of the things we do today. This was a time of massive experimentation, a lot of failures, a lot of successes, and best of all, a WHOLE lot of FUN!

At the time, we were one of the few places in the DoD allowed to partner with Carnegie Mellon's Software Engineering Institute. Our entire team was signed on as Visiting Scientists (I think the correct term was Resident Affiliate?). Regardless, during this tour we worked with many great folks, but one in particular impacted the world of cyber in the most profound way. We worked with this really cool old guy -Suresh Konda (Dr. Suresh Konda), who was building the prototype of SiLK --or for those of you who don't know SiLK, think Einstein. This small invention was a means of monitoring and analyzing network flow information. For the uninitiated, think 'cell phone bill'; a detailed list of who called who, how long the session lasted, and a few other tidbits of information. Our role in this was the behavioral analysis of roughly 3500 intrusion cases, where we systematically coded the motivations, behaviors, and actions taken during an attack. Think LM's Kill Chain, only 15 years ago. If you've heard me say it once, you've heard me say it a thousand times: what's old is new again, and temporal connectivity to map interception and defensive locations is not new. The idea at the time was this -we could temporally connect a bunch of disparate attacks and then code them into SiLK, and when an attack occurred that matched one of our profiles, we'd have the ability to know --quickly. And although early versions were mostly manual, those (then) manual processes are now automated and built into almost every network security device. And our first victory, the one that worried us most at the time, was the low and slow attack... one packet daily over the course of several months... and yes, we tracked several.
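To make the flow-analysis idea concrete, here is an added illustration (not SiLK code, and not anything from the team described above) that profiles constructed flow records, the "cell phone bill" view of who talked to whom and when, and flags the one conversation that trickles along at a packet a day for months. The addresses are from RFC 5737 documentation ranges and the thresholds are assumptions chosen for the illustration.

```python
"""Flag low-and-slow activity in constructed network flow records."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow records: (start time, src, dst, dst port, packets).
# Addresses come from RFC 5737 documentation ranges; none are real indicators.
FLOWS = []
# 1) A short noisy burst: 40 SSH flows in 40 minutes (scan-like, easy to see).
for i in range(40):
    FLOWS.append((datetime(2014, 3, 1, 9, 0) + timedelta(minutes=i),
                  "203.0.113.7", "192.0.2.20", 22, 3))
# 2) Ordinary browsing: irregular HTTPS sessions over a few days.
for h in [0, 3, 5, 9, 10, 14, 20, 21, 27, 30, 31, 40, 47, 50, 59, 60, 66]:
    FLOWS.append((datetime(2014, 3, 1, 8, 0) + timedelta(hours=h),
                  "192.0.2.50", "198.51.100.80", 443, 40))
# 3) Low and slow: one packet a day, for 90 days, with a few minutes of drift.
for d in range(90):
    FLOWS.append((datetime(2014, 1, 5, 2, 17) + timedelta(days=d, minutes=d % 7),
                  "198.51.100.200", "192.0.2.33", 8080, 1))


def flow_profiles(flows):
    """Group flows by (src, dst, dport) and summarize each conversation:
    how many flows and packets, how long it persisted, and how regular
    the inter-arrival times were (coefficient of variation; 0 = clockwork)."""
    groups = defaultdict(list)
    for ts, src, dst, dport, pkts in flows:
        groups[(src, dst, dport)].append((ts, pkts))
    profiles = {}
    for key, items in groups.items():
        items.sort()
        times = [t for t, _ in items]
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regularity = None
        if len(gaps) > 1 and mean(gaps) > 0:
            regularity = round(pstdev(gaps) / mean(gaps), 3)
        profiles[key] = {
            "flows": len(items),
            "packets": sum(p for _, p in items),
            "span_days": round(span_days, 1),
            "regularity": regularity,
        }
    return profiles


def low_and_slow(flows, min_span_days=30, max_packets_per_day=2.0, max_cv=0.25):
    """Return conversations that persist for weeks at a trickle with regular
    timing. Thresholds are assumptions chosen for this illustration."""
    hits = []
    for key, p in flow_profiles(flows).items():
        if p["span_days"] < min_span_days or p["regularity"] is None:
            continue
        packets_per_day = p["packets"] / p["span_days"]
        if packets_per_day <= max_packets_per_day and p["regularity"] <= max_cv:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for key in low_and_slow(FLOWS):
        src, dst, dport = key
        print(f"low-and-slow candidate: {src} -> {dst}:{dport}", flow_profiles(FLOWS)[key])
```

The noisy burst and the browsing session both fail the persistence test, so only the daily single-packet conversation is reported, which is exactly the case volume-based alerting misses.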

At the same time, many of those behaviors that we coded were used in ways that (then) were cutting edge --but today are considered routine. And the best part? That was only the beginning.

Eric worked with another Marine in Pittsburgh with the early malware guys and analysts. Gil (another teammate) and I worked with Suresh. We took those models and built them into processes used in Intrusion Detection Systems, behavioral analysis tools, and more.

Eric went on to build the Marine Corps schoolhouse that taught many of those techniques, how to recognize them, and then, how to mitigate those risks. So this morning, after a cutting edge career, I was proud to watch him retire. He retired as the Ops Boss at Lima Company. For those of you who know what this is, you know it's pretty cool. For those of you who don't... well, I'll tell you, it's pretty cool!

BT BT 

While I was off playing Marine, the team was busy. 

In one of the pieces published this week we told a story (actually not just a story, but a great piece of analysis!) about the Tunisia Hacker Team. The story developed because a source gave us a tip and that tip turned into a question and that question turned into a really great story. Today, we know far more than what was previously known in open source reporting because we had data that was begging to be asked questions.

Often, the answers to a problem are there, but it requires a bit of effort, a little luck, and a lot of patience to discover them. Behind every hack, breach, and DDoS is a story. So what story is your SIEM going to tell you? Your firewalls, IDS, and systems are full of stories to be told. Maybe the story is one of a really good security team, or maybe one of a team that is in need of assistance. Often, at Wapack Labs, we run into organizations that never asked the questions in the first place!

Fact is, story telling takes time, which is something most security teams don't have the luxury of having. Maybe you know the "what?" or maybe even the "why?" but when it comes to the "who?", things start getting a little fuzzy.  

So here's the deal. I had a great week fly fishing in Tennessee last week. During one of our late night bourbon lubricated conversations, we talked about spend strategies for CISOs worried about risk. We described it differently, but the thought process is the same. Spend money to defend against the threats to your company first. Spend money to defend against threats to your industry second, and spend money on the broad based cross sector threats next.

Where does this information come from? Red Sky Alliance members are cross sector. You get everything from industry happenings to broader trends. Wapack Labs gives you focus. Are you a banker? We know a little bit about banking. Manufacturer? We can do that too. Heck, we did a piece on counterfeiting not that long ago. 

The "bringing together the meaning of why we care, and what story the intrusion tells" is something we do well, really well. What does this mean to your business? Every question can be answered with data and every piece of data is waiting to be questioned.
And if you thought I'd walk off without talking current events...
  • Certainly, the Tunisia Hacking Team is banging the heck out of the Brazilians right now.
  • Cyber Berkut is running a new DDoS tool against Ukrainian targets.
  • I'm dying to see how ISIS is using Cyber in Iraq.
  • What does the WEBC2 indictment confirm about the Chinese operational procedures?
  • And where is Edward Snowden? I miss that guy! I've gone almost two whole weeks without my Snowden fix. What's he gonna leak next?!
We're watching it all. And having a hell of a lot of fun doing it. Hell, you can't make this stuff up! The truth is SO much better than fiction! I love my job!

And last, but certainly not least, our Threat Day is coming up this week. We're headed to Tampa for happy hour at the Pebble Beach Country Club, followed by a day at a member location talking security. If I don't see you there, maybe I'll see you at Gartner the following week. I'll be the one with the Red Sky shirt!

Want to talk Red Sky Alliance? Wapack Labs? Are you taking over as a new CISO? Think about a baseline assessment. Send us your logs and we'll tell you what we know. It's a great starting point for a new CISO (I promise... you'll get your budget!). Drop me a note. We're here to help.

Until next time,
Have a great week!
Jeff

Saturday, June 07, 2014

Red Sky Weekly: Cryptolocker down! Simplocker up! - Early open to summer hunting season.

It was a great week for the good guys in the fight against cyber threats!  On Monday, the Department of Justice announced the takedown of the Gameover Zeus Botnet, the sole distributor of Cryptolocker, a particularly nasty ransomware that has bilked organizations and individuals of millions of dollars.  That said, like anything else in cyber, the wins are short lived.  Two days later, The Guardian reported a new strain of ransomware targeting Android phones named “Simplocker” that could prove even more devastating than Cryptolocker, but this ransomware has an interesting twist – it’s confined to the Ukraine, a region we are closely watching at Wapack Labs as being heavily targeted by cyber hacktivists and criminals.

As of right now, it is unknown who is behind Simplocker and I would hesitate to draw any conclusions.  The implications of what Simplocker could mean to the Ukraine are hard to determine but one can speculate.  It wouldn't be a far leap for many to suggest that the Russian government may be behind Simplocker simply to inject itself into Ukraine’s mobile phone network.  True, this would give Russia some control over social media outlets, but this is highly unlikely.  Apple’s iOS represents a significant share (55%) of the Ukrainian data traffic as opposed to Android’s 35%.  It is unlikely Russia would risk infecting its own data services in a reverse attack for such a small gain.

The answer of who is behind Simplocker may be found in the encryption algorithm it uses. Initial reports suggest Simplocker’s encryption used to encode victim data is much weaker than what is (was) leveraged by Cryptolocker.  This may suggest the hacker(s) behind Simplocker are not as skilled as one would expect from nation state sponsored activity; however, like we’ve seen before, these first generation offerings by hackers tend to be proof-of-concepts of better (or worse) things to come and this activity is on par with an increase of ransomware targeting the Android platform over the past few months.  Android attacks are not the only upward trend in cyber threat activity we’re seeing in the lab.

Last week, our lead analyst took a closer look at the recently reported Saffron Rose activity.  Our examination proved fertile and we were able to provide the Red Sky membership additional details on attribution not cited in open source reporting.  This new context resulted in tailored signatures for the Stealer malware family and protocols.

Saffron Rose is a group of hackers we follow closely at Wapack labs.  Normally involved in website defacements in support of anti-Israel and anti-American causes, Saffron Rose is thought to be behind recent watering hole activities targeting the Aerospace sector.  We know Aerospace is a highly targeted sector right now, and why not?  Advancements in drone and stealth aircraft make for highly coveted and sought after technologies by opportunistic and state sponsored actors worldwide.  With ties to the Middle East, any successful attack by Saffron Rose may have far-reaching consequences to the security of the region.

Watering hole techniques used by groups such as Saffron Rose appear to be on the rise.  Wapack Labs’ analysts are seeing upswings in this activity by both Chinese and Russian threat actors.  As one Wapack analyst said, “It would appear that summer hunting season is open early this year!”  If he’s correct, I predict a long summer for security teams. But turnabout is fair play, because we're hunting too!

Watering hole activity isn’t the only thing on the rise.  Wapack has several honeypots that we are continuously monitoring, and the evidence is pointing to a much more active threat environment; targeted activity across the board appears to be increasing significantly.   As Jeff has mentioned in his previous blogs, we currently have several honeypot projects, the most unique of which is a project that allows us to look at targeted activity as it develops.  From attack orders to the hackers, to the malware received by the victims themselves, this unique perspective allows Wapack Labs to see trends in targeted cyber threat activity one doesn’t normally see.

It’s hard to say why targeted activity is on the increase as of late. I did some research and really didn’t find any correlation to summer as being an uptick for hacker activity, but the perception remains.  Regardless, there have been a lot of theories over the years as to why this is a busy time for activity, from actors knowing datacenters will be minimally manned during the summer vacation season to students at universities on summer break with lots of time on their hands and little to do. Despite my research, and whatever the reason, it is clear that the targeted threat problem appears to be growing.

BT BT

As the Director of the lab, I get the opportunity to work with really talented people who look at the cyber problems in a very different way.  What makes us unique is our cultural, business, and technical diversity and how we effectively apply that to a problem.   When asked, “What makes you different from other threat intelligence shops?” I confidently tell them that my phone is on my nightstand.  When you call the number on my business card, you get me, not a help desk.  We sell relationships, not just indicators and reports.

Wapack Labs is truly a custom threat intelligence team.  We’ve worked on some of the hardest problems plaguing some of the largest organizations in the world and we’re proud of that fact.   Everyone has problems in cyber and I want our team to have the opportunity to solve them for you.   Even if you’re mildly curious, reach out to me personally and start the conversation: rgamache@wapacklabs.com

My sales deck is 4 slides and takes 15 minutes to present what we do every day, assisting organizations of all sizes fighting cyber threats.  Every conversation starts with a simple question, "How can Wapack Labs help you?"  Even if you see no immediate need for our services, the take away for us is hopefully that we've made a positive impression and provided a little education as to what cyber threat intelligence is and isn't.

Have a great remainder to your weekend!


Rick

Saturday, May 31, 2014

Red Sky Weekly: Did Russia attempt to sway the Ukrainian Presidential Election?

Wapack Labs, under a project named "8-ball" maintains watch over cyber activities between Russia and the Ukraine in an effort to warn Red Sky Alliance and the FS-ISAC members of impending threats to their businesses and interests in the area.  We've authored reports of Telephony Denial of Service (TDoS) attacks and details involving the CyberBerkut group and their tools. 

This week we published a priority intelligence report that demonstrated the ability of the Russian and Ukrainian governments to develop and deploy cyber operations (on the Russian side, aimed at interfering with the election of the next Ukrainian president; on the Ukrainian side, the ability to identify, defend, and arrest). We believe the actions taken by the Russian attackers may be indicative of actions that could be used against other organizations, and identifying lessons learned may help them better understand new threats and defend against future attacks. 

The abbreviated version of the story goes like this...

We all know how television stations broadcast election results throughout the evening, tallying votes, predicting winners. The presidential election in the Ukraine was no different. Russian television (Channel One) broadcast updates through the evening. Unfortunately, the updates were being taken from a feed from a compromised Ukrainian election commission system.

On May 25, 2014, Russian state TV Channel One reported that a controversial Ukrainian nationalist and leader of the Right Sector, Dmytro Yarosh, was leading in the elections with 37 percent of the vote, when all other sources were showing another moderate candidate’s clear victory and Dmytro Yarosh's results under 1 percent (see Figure 1).
Figure 1: Russian Channel One television coverage of fake election results 
Ukrainian media sources stated that 40 minutes before the Russian media reported the fake results, Ukrainian cyber security forces neutralized a virus in the Ukrainian Central Election Commission system. The virus was supposedly placed to influence the system that reported election results. This resulted in a reporting of 37% of the vote for Dmytro Yarosh. Channel One was thought to be reporting on activity received from a legitimate Ukrainian Central Election Commission system –a possible (but unconfirmed) unwitting participant in an attempt to discredit the Ukrainian election.

The Security Service of Ukraine reported that it had arrested a group of hackers in Kiev who were working to compromise the electoral system. As reported by the Kyiv Post, according to Victor Yagun, Deputy Head of the Security Service of Ukraine (also known as the SBU), “A group of hackers has been arrested in Kiev with specialized equipment intended to rig the results of Ukraine’s presidential election.” This article [in Russian] offered deeper details on the arrest and hacking attacks during the elections.

Additional reporting suggests multiple coordinated tactics used to sway the election. Telephone Denial of Service (TDoS) attacks were used in an attempt to block phones of the electoral commissions. Another report suggested redirection of traffic from the electoral commission to a different IP address. A DDoS was run from Ukrainian servers operated by a Russian citizen. And Russian botnets were believed to have been used to deny access to results other than those being shown on Russian Channel One.

We provide intelligence and analysis to a lot of companies and organizations. Much of it is retrospective in nature, but some of it is also forward looking. One of the best ways to understand possible future actions is to understand how cyber is used during conflict. And there is no better time to learn how government sponsored cyber actions will unfold than by watching the activities between Russia and Ukraine.

Did Russia attempt to sway the Ukrainian presidential election? You make the call. Certainly the increase in cyber activity suggests an attempt to influence. Regardless, at the strategic level Wapack Labs "Project 8-ball" is offering continued Russia/Ukraine situational awareness to Red Sky Alliance members and others. At a tactical level, we've published detailed workings of tools used and indicators/rules that may be placed in intrusion detection systems and other layers of their defense in depth to help protect our members and customers who are operating in the area.

Rick will be posting next week. I'm taking a week off, flyfishing with an old friend in what we're calling "Advanced Persistent Trout". I'm placing my email on 'Out of Office' today. If you need to contact us, please contact Jim McKee or Rick Gamache for membership questions.

Have a great week! 
Jeff

Saturday, May 24, 2014

Red Sky Weekly: Happy Memorial Day!

http://www.daviswilliamsfamilytree.com/?page_id=974
I wrote a blog this morning, but after reading it and re-reading it, I just didn't like it. So I thought I'd keep it simple. 

Thank you to all who've served. I am a vet. Many of my friends are vets. Most of the Red Sky Alliance and Wapack Labs team are either vets or currently serving as reservists. Enjoy the long weekend and please, in between activities marking the official beginning of summer, take a moment to remember those who are serving, have served, those who've stopped at Walter Reed on their way home, and those who've paid the ultimate price. At the same time, don't forget the families. They've supported us on deployment, and probably much harder, when we returned. 

Happy Memorial Day!
From the teams at Red Sky Alliance and Wapack Labs

Saturday, May 17, 2014

Red Sky Weekly: Uptick in Dark Comet RAT?

Indicator aging is a topic that comes up often in conversations with folks who're interested in knowing how we handle old indicators. And in most cases, I have stories of VPN drivers, and newcomers pinning on their first oh sh*t badge who get hit first with the old stuff. This week, we had a great example of why old indicators must be kept up to date, with a story of an old RAT being used in a slightly different way... Dark Comet, labeled by Symantec as "Backdoor.Breut", had been credited by CNN for its use by the Syrian regime against those who opposed them.

This week, Dark Comet RAT appeared on our radar. And although available for years, Dark Comet remains popular among hackers. Recent activity observed by our lab indicates an uptick in the use of this tool and it’s not showing any signs of slowing down... and sporting a new twist --Mobile Command and Control (C2).

Geolocation of DarkComet RAT Mobile C2 nodes
In a new edition, analysts at Wapack Labs observed the use of what we are calling "Mobile C2s". A couple of recent variants leveraged No-IP domains that showed historical resolutions to dozens of IPs. Upon closer inspection it was revealed that the majority of them were mobile service provider hosts. This would suggest that the attackers are running the C2 controller on a laptop with mobile broadband and a No-IP client. During our research we also discovered a number of DynDNS clients for mobile apps; however, to our knowledge there are no Dark Comet controllers compatible with mobile devices. Either way, this may be signaling a new trend.

While it may represent a convenient option for the attacker to have a mobile C2, it does offer some interesting data points for tracking. Using historical resolutions for one C2 we identified 26 separate mobile provider hosts with resolutions starting from late February to present. The majority of the hosts were geo-located within a two-mile radius in London; however, on 11 April we see a hit for Stevenage, which is an hour north of the primary cluster.


Despite the relative anonymity of using Mobile infrastructure for C2 it does clearly allow for higher confidence tracking of actor movements and activity. Wapack Labs is keeping a close eye on these networks and the continued use of this TTP.
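The tracking described above, as an added example rather than Wapack Labs' own tooling: take the historical resolutions of a dynamic-DNS C2 name, check how many land on mobile-carrier space, locate the primary cluster, and surface the resolutions that fall outside it. The hostname, IPs (RFC 5737 ranges), provider names, dates and coordinates below are all constructed placeholders, and the two-mile (3.2 km) cluster radius is taken from the text.

```python
"""Cluster historical DNS resolutions of a suspected C2 hostname by location.

Data below is constructed: the hostname and IPs are placeholders (RFC 5737
documentation ranges), the provider names are invented, and the coordinates
only roughly mimic a tight cluster with one distant outlier.
"""
from dataclasses import dataclass
from datetime import date
from math import asin, cos, radians, sin, sqrt
from statistics import median

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Resolution:
    seen: date        # date the hostname resolved to this IP (from passive DNS)
    ip: str
    provider: str     # network owner from an enrichment source (constructed)
    mobile: bool      # whether that owner is a mobile carrier
    lat: float
    lon: float


HOSTNAME = "example-c2.ddns.invalid"   # placeholder, not a real indicator
RECORDS = [
    Resolution(date(2014, 2, 24), "192.0.2.10", "Example Mobile UK", True, 51.509, -0.118),
    Resolution(date(2014, 3, 2), "192.0.2.44", "Example Mobile UK", True, 51.512, -0.125),
    Resolution(date(2014, 3, 15), "192.0.2.77", "Example Mobile UK", True, 51.503, -0.110),
    Resolution(date(2014, 3, 29), "192.0.2.91", "Example Mobile UK", True, 51.515, -0.130),
    # Constructed point roughly an hour north of the cluster.
    Resolution(date(2014, 4, 11), "198.51.100.5", "Example Mobile UK", True, 51.903, -0.202),
    Resolution(date(2014, 4, 20), "192.0.2.120", "Example Mobile UK", True, 51.507, -0.122),
    Resolution(date(2014, 5, 3), "203.0.113.9", "Example Hosting Ltd", False, 51.510, -0.120),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def cluster_resolutions(records, radius_km=3.2):
    """Split resolutions into a primary cluster around the median position
    and outliers farther than radius_km (3.2 km is about two miles) from it.
    The median is used so a single distant hit cannot drag the centre."""
    center_lat = median(r.lat for r in records)
    center_lon = median(r.lon for r in records)
    cluster, outliers = [], []
    for r in sorted(records, key=lambda r: r.seen):
        d = haversine_km(center_lat, center_lon, r.lat, r.lon)
        (cluster if d <= radius_km else outliers).append((r, round(d, 1)))
    return (center_lat, center_lon), cluster, outliers


def summarize(records):
    """Return the data points an analyst would pull from the history."""
    center, cluster, outliers = cluster_resolutions(records)
    mobile = [r for r in records if r.mobile]
    return {
        "distinct_ips": len({r.ip for r in records}),
        "mobile_share": round(len(mobile) / len(records), 2),
        "first_seen": min(r.seen for r in records).isoformat(),
        "last_seen": max(r.seen for r in records).isoformat(),
        "center": tuple(round(c, 3) for c in center),
        "cluster_size": len(cluster),
        "outliers": [(r.seen.isoformat(), r.ip, d) for r, d in outliers],
    }


if __name__ == "__main__":
    print(f"history for {HOSTNAME}:")
    for k, v in summarize(RECORDS).items():
        print(f"  {k}: {v}")
```

A high mobile share plus a tight cluster is what distinguishes this pattern from ordinary dynamic-DNS churn, and the dated outliers are the movement trail the text refers to.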

BT BT

For me (written by Rick), the thing I learned this week is that I learn something every week, no matter how challenging the week may have been. Even if I felt like I've not accomplished much, if I'm not learning something, I'm static.

The point I'm making is really simple: we're always busy doing the multitude of tasks we have to fit into an ...ahem...eight hour day, but if you're not keeping your eyes on what's coming around the corner, you may walk smack dab into someone and break your nose.  We talk about the "wolves closest to the sled", which is appropriate when your spend is limited; you're often just worried about today, the here-and-now, but what about the wolves that lurk in the darkness, the ones that are just beyond your vision waiting for their opportunity?

"White Fang" author, Jack London, once said, "The proper function of man is to live, not to exist."  The function of security in any organization should be not only to get through the latest crisis, fending off the wolves on your sled, but also to be on the hunt for the wolves you've yet to discover that are hunting you.  How do you do that?  Intelligence.

BT BT

I'm keeping this one short. I completed a whirlwind trip to St. Louis and San Antonio about two in the morning, so I'd asked the team to author the blog before I got back. So until next week, I've got a wet hayfield to mow when the rain finally stops.

Need intelligence? Drop us a note.

So until next time,
Have a great week!
Jeff