Category Archives: GCHQ

Building A Global Nation State SMB Exploit Honeypot Infrastructure With A £50 Budget #EternalPot

Note to post: All words, IP ownership, analysis, opinions, data, graphs et al are the property of Kevin Beaumont and where altered and extracted are done so remaining true to the original meaning / assertions. From and article by “Kevin Beaumont InfoSec, from the trenches of reality. Email kevin.beaumont@gmail.com | Twitter: @gossithedog on Twitter” titled “EternalPot — Lessons from building a global Nation State SMB exploit honeypot infrastructure” athttps://doublepulsar.com/eternalpot-lessons-from-building-a-global-nation-state-smb-exploit-honeypot-infrastructure-3f2a0b064ffe

Worthy of note before beginning to read this beauty – Mr. Beaumont predicted that this would happen back in April 2017:

Now over to the expert ….

Extracts BEGIN (again full original article here

A week ago I started building #EternalPot, a honeypot for the Equation Group SMB exploits leaked by the Shadow Brokers last month.” (May 2017) – “My entire budget for one of this is £50, as I self fund all my InfoSec research — I work for a company that makes crab paste, so everything is done outside of work, on my own time. I highly recommend working InfoSec for a company where the CapEx tap is turned off temporarily, by the way, as you’ll find out how skilled your workforce are and you’ll get back to the most important part of InfoSec: the basics. Build simple solutions, always…..

.

.

There has been a lot of vendor and press coverage of WannaCry which has been inaccurate. Despite what has been said, WannaCry was not spread via phishing or email — in fact, it was an SMB worm. Seeing a constant stream of misinformation from InfoSec vendors still around this has been depressing — it still continues to this day, long since the major players and initial victims walked back the email line…..

.

.

The EternalPot data has shown advanced attacks, multiple coin miners, remote access trojans and lateral movement attempts into corporate networks — all via the Windows SMBv1 service. One of the exploits — EternalBlue — was used by the WannaCry ransomware spreader…..

.

.

As you can see pre-WannaCry (refer to diagram in article and below), these SMB attacks were almost non-existent. It’s an SMB worm like the ones from the prior decade. Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran about this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was the WannaCry spreader didn’t work on Windows XP SP3…..

SM

.

.

All the WannaCry samples seen so far — thousands delivered in real world honeypots — have two factors:

  1. They are one of two corrupt versions, where they spread but fail to execute ransomware as the PE headers are corrupt.
  2. They contain working killswitches.

If you’re pondering why WannaCry seemed to disappear almost completely, here we are. The authors simply disappeared. The Tor payment pages don’t even exist now. We owe MalwareTech more than pizza…..

.

.

Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran about this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was the WannaCry spreader didn’t work on Windows XP SP3. Here’s Kaspersky’s graph of infected operating systems…..

W

.

.

One thing I will say — I don’t want to name the vendors, but some of the biggest next-generation security productssimply aren’t detecting SMB attacks nearly well enough. Malware regularly infects these systems, and they have to be reimaged as a result. It is amazing seeing next gen, premium tools with machine learning etc running Coin Miners andremote access trojans delivered via old exploits, with the tools not even noticing. It has been very eye opening for me. The marketing to reality Venn diagram here isn’t so Venn. At times it is so bad it is actually jaw dropping seeing certain attacks not being detected…..

Extracts END (again full original article here

ENDS

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon

BothanSpy is Microsoft Windows implant that targets the SSH client program Xshell and steals user credentials for all active SSH sessions. Gyrfalcon is a CentOS, Debian, RHEL, SUSE, and Ubuntu Linux Platform implant that targets the OpenSSH client not only steals user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic. Both implants save the collected information in an encrypted file for later exfiltration while the BothanSpy implant also implements exfiltration in real time to a CIA server thus leaving no footprint on the target system storage disk(s).

The 6th July 2017 WikiLeaks release overview:

“Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted [sic] file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

There documents were also published alongside this release BothanSpy V1.0 Tool Documentation, Gyrfalcon V2.0 User’s Guide, and Gyrfalcon 1.0 User Manual.

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #14 and #16 synopses are available on WikiLeaks and analysis of BothanSpy & Gyrfalcon at The Hacker News.

ENDS

Edited Image courtesy of The Hacker News – Twitter @TheHackersNews – Original Image edited to add extract from BothanSpy Tool Documentation Page 8 Screenshot 07/16/2017.

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise

HighRise is an android (V4.0 to V4.3) implant for SMS redirect to listening posts.

The 13th July 2017 WikiLeaks release overview:

“Today, July 13th 2017, WikiLeaks publishes documents from the HighRise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. HighRise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.”

A HighRise User’s Guide was also published.

Previous Vault 7 WikiLeaks dumps #1 – #15 synopses are available on WikiLeaks and analysis of HighRise at The Hacker News.

ENDS

Image courtesy of The Hacker News – Twitter @TheHackersNews

Related Posts: #WikiLeaks #Vault7 Leak #16: #HighRise, #android implant for #SMS redirect #LP @TheHackersNews

https://airgapanonymitycollective.com/2017/07/15/wikileaks-cia-vault7-leak-16-highrise/

Silencing the Canary & The Key Powers & Reach of The IPA

Please Note: This post is not an advertisement for or an endorsement of ProtonMail 

The Investigatory Powers Bill (IPB) was approved by the UK Parliament and after receiving Royal Assent this week will become The Investigatory Powers Act (IPA) coming into force in 2017. The law gives broad new powers to the UK’s intelligence agencies (GCHQ, MI5, MI6) and law enforcement.

In theory, companies offering encryption services, that are not based in the UK, do not fall under the jurisdiction of the IPA – but that is not actually the reality. Strong encryption isn’t just important for privacy, but also key to providing security in the digital age.

Laws like the IPA pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states but there are tools today that can help protect your digital rights.

Below is a short summary of the most relevant points of the IPA which was written by ProtonMail, a Swiss based firm that offers encrypted email services. The key powers of the Investigatory Powers Act are:

(Start of ProtonMail Summary – Paraphrased)

Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more. All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under the IPA, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPA are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

Impact of the IPA outside of the UK

In theory, the IPA only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK.

Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPA. Since the UK is a member of the Five Eyes network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPA will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Encrypted email accounts can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, using VPN services that don’t have a physical presence in the UK, and also using apps like Signal for text messaging, or Tresorit for file sharing.

Most importantly, everyone needs to spread the word that more surveillance and less encryption isn’t the solution to today’s security challenges.

(End of ProtonMail Summary)

Silencing the Canary 

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. The canary is a reference to the canaries used to provide warnings in coal mines, which would become sick before miners from carbon monoxide poisoning, warning of the danger.

Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed. Warrant canaries are often provided in conjunction with a transparency report, listing the process the service provider can publicly say it received over the course of a particular time period.

A company might issue a semi-annual transparency report, stating that it had not received any national security letters in the six month period. NSLs under the Patriot Act come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gags are unconstitutional, that order is currently stayed pending the government’s appeal). When the company who is in receipt of an NSL issues a subsequent transparency report without that statement, the reader may infer from the silence that the company has now received an NSL.

The IPA has a different approach to this Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR .

END

NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity

It is perfectly achievable to maintain national security and manage the security risks posed domestically by extremists without instituting mass-surveillance programs of ones own citizens and corporate entities.

While this would seem like common sense, the continuing activities of authorities in the United States of America and the United Kingdom would suggest otherwise. But the French have also dipped a toe (or rather an entire leg) in these waters when after the Paris attacks they expanded the 1955 State of Emergency law and legislated for a French mass-surveillance program.

The implications of the Snowden revelations were slow to filter through to ordinary people not working in the security domain. The NSA, the PRISM program and the Patriot Act had produced a culture of widespread surveillance of ordinary citizens’ activities with the assistance of many household names and brands.

Shocking news. Huge outcry. Much apologising and “contextualising” and “perspective” setting occurred. “Expediency” and “imminent threat” were debated and on it went.

The collaborators in the form of telco’s, social networks, media organisations and household brands went into overdrive to backpedal from the disastrous PR outcome their involvement created.

At the same time – encryption and privacy software companies made wild claims about the strength of their products and hundreds of new entrants emerged to fill the public demand for Private Messaging, Email Encryption, Secure Voice, VPN’s, Proxy Spoofers and other privacy tools – a space previously reserved for paranoid board room members, activists and some well informed underworld organisations.

It was supposed to have been a watershed  – the worst excesses of intelligence agencies exposed and now oversight, accountability and proportionate measures would rule the day.

Not so.

The Investigatory Powers Bill

The Investigatory Powers bill will become law in the United Kingdom sometime toward the end of 2016. Inside this legal maze of mass surveillance facilitators the UK alphabet agencies can now:

  • Hack any device, any network or any service;
  • Perform these hacks without restriction and against any target;
  • Store the resulting information indefinitely;
  • Maintain databases of private and confidential information on any citizen of the United Kingdom or person in the United Kingdom;
  • Targets do not have to be “persons of interest” nor do they have to be of any interest whatsoever – at this time;
  • It is an omnipresent power to simply gather information on everyone, at anytime, from anywhere – without any reason and store it – “just in case”;
  • In the commercial context the law allows the state to pressure any company to perform decryption on any data that they store – on request – without reason or right to appeal;
  • This in so many words means that un-compromised commercially available encryption products will no longer exist in the United Kingdom after the Bill becomes Law and no company that is based in the United Kingdom  can make that claim to its users and no company that stores its data in the United Kingdom can assure it’s users that it is safe from hacking or more likely simply being handed over to whatever department of the government of the United Kingdom asks for it;
  • It also requires communications service providers to maintain an ongoing log of all digital services their users connect to for a full year.

It has been quite rightly criticised widely and has already been named the most extreme law ever passed in a democracy — because it cements the legality of mass surveillance.

The English Speaking World Is Giving Ireland the Chance for Privacy Leadership 

This blog has already discussed the The “Five Eyes” (FVEY‍) intel‍ alliance many times. The organisation unifies elements of the national alphabet agencies of the United Kingdom, the United States, Australia, Canada and New Zealand and their intel gathering infrastructures.

The AA’s in each member country and the terms of their information exchange mandate is encapsulated in the multilateral‍ agreement called the “UKUSA Agreement”.

This alliance and it’s mass-surveillance capabilities leading to large scale undermining of personal freedoms and civil liberty has really only come into its own with the advent of social networks, big data, the cloud and AI.

Brexit, Trump, US Corporation Tax & Mass Surveillance 

Brexit presents challenges for Ireland but it also presents opportunities. This is one of them.

Trump will shortly be in the White House and he has pledged to end the Irish FDI arrangement of convenience with US corporations. His attitude to surveillance is well known and not categorised by its message of restraint.

Brexit, Trump, The Five Eyes, PRISM, the NSA, GCHQ and now the Investigatory Powers Bill are a frontal assault of epic proportions on the right to privacy of citizens in democracies.

A sort of perfect storm of oppression and suppression tools just standing there waiting – in the wings – for a time when someone will come along and use them for the polar opposite purpose of what they were allegedly created for.

Out of Adversity, Opportunity

The opportunity created by this adversity is not to convince Facebook, Google, Microsoft, Yahoo, Paypal, eBay or the host of other US corporations in Ireland who are either facilitators of the surveillance culture or, like Twitter, engaged in widespread in-house censorship.

But if for once the Irish government showed some spine then the opportunity exists to create an entirely new sector catering to the privacy needs of freedom loving citizens and organisations who dwell in jurisdictions governed by these Stasi like surveillance laws.

And the market size? Well, it’s somewhere around seven billion people and rising.

The attitude of these politicians (Trump, May, Valls & Co.) and their intelligence organisations and the new “laws” – in the form of the revised Patriot Act and the Investigatory Powers Bill – means that’s the vast majority of the worlds English speaking population now live under governments who can – legally – invade their privacy at will – whether at home, at work or at leisure – store the information and use it for any purpose, at any time, at any point in the future – for any reason.

But Ireland has a long way to go to create credibility – the view that Ireland is a Privacy Advocate for the world whose lives are described on social media sites whose data is located in the Irish jurisdiction is a total myth.

I dearly hope that for once Ireland can take the lead – despite its size and influence – and act even if out of self-interest as a stopgap for the complete erosion of civil liberty and privacy in the Western World.

 

END 

State Surveillance in Ireland Part 4: Creeping Extra-Judicial Law Enforcement Powers

The resources of the Irish police force and military intelligence were traditionally focussed squarely oncounter terrorism ops against militant republicans and loyalists. In that respect their expertise in terms of surveillance, intelligence gathering, the use of informants, infiltration methods and technical expertise was sought out by international colleagues during the 80’s and 90’s.

Terrorism, Gangland Violence & Islamic Extremism

During those years specialised law enforcement in ireland were one of very few Western alphabet agencies who possessed hands on domestic counter-terror threat experience.

In the late 80’s and early 90’s momentum gathered for a peace deal to end the “Troubles” which culminated in the Good Friday Agreement signed on 10 April 1998. This led to a massive reduction in direct hostilities and the associated criminal activities used to fund same.

Thereafter, the degree to which these counter terror resources and general counter-extremist expertise were required in Ireland diminished greatly. The main counter-terror focus was now in dealing with small, isolated dissident republican groups involved in internecine feuds. During this time some “dissident” groups branched out into general criminality.

Dublin and Limerick became the focus of a new threat in the form of gangland and drug cartel violence and in the late 90’s the resources previously deployed against terrorist outfits were partly re-deployed against this emerging threat.

Over the course of the next few years specialised law enforcement evolved in response to changes in the nature of offences being tackled in the courts.

A unique set of legal challenges began to appear when investigating especially in terms of covertsurveillance and technical surveillance methods and the ease (or not) with which they could be sanctioned and deployed – especially in time sensitive scenarios.

It also became clear that gangs and gang members were proving difficult to tackle and gatheringevidence to support trials met with barriers which previous Privacy and security legislation in the Irish statute books made difficult if not downright illegal. (see 2011 Communications (Retention of Data) Act).

The Criminal Justice Act 2006

The Criminal Justice Act 2006, legislated for during the tenure of Michael McDowell as the Irish Minister for Justice, created a new offence of membership of an organised crime gang, or “criminal organisation”, and made it an offence to assist the activities of an organised crime gang.

Evolving this legislation the Criminal Justice (Surveillance) Act 2009 provided for the use in criminal trials of material obtained during covert surveillance. The Criminal Justice (Amendment) Bill further defined membership of a criminal organisation and made it an offence to direct the activities of one.

There were also a host of newly created scheduled offences contained in the legislation which allowed gang members to be tried in the non-jury Special Criminal Court.

The Criminal Justice (Surveillance) Act 2009

In Section 8 of the Bill a declaration was made that the ordinary courts were inadequate and were not in a position to effectively administer justice as there was a pervasive threat of jury tampering and intimidation.

Despite this there was no evidence that the ordinary courts had previously failed repeatedly to justify such a sweeping alteration of the normal rules of habeas corpus, the right to silence (removed by the introduction of “inferences”), the right to trial by jury and the fundamental right of the presumption of innocence.

To support this general view that the legislation was ill-conceived and introduced to reduce the workload / evidence required in securing convictions in these cases Central Criminal Court Judge Mr. Justice Paul Carney came on record and stated that when gang members were brought before a jury in his court there were no difficulties in securing convictions.

The Radical Islamist Blindspot

Despite the extensive arsenal of covert surveillance (traditional and technical) powers and the reduction in the “body of proof” requirements to secure convictions under these various new powers, little has been done in Ireland to turn this formidable and questionably legal set of instruments toward tackling Radical Islamism.

Ireland is not overrun with Radical Islamists. Salafi Jihadist preachers are not spouting hate and intolerance in the majority of Ireland’s mosques. Apart from some small pockets in Dublin there is not the same level of Islamic ghettoisation in Ireland as opposed to say sweden where so called no-go areas are widespread and the city of Malmö is infamous for radicalisation and general anti-Western sentiment.

G2 Military Intelligence & the Garda Special Detective Unit’s Middle Eastern Desk

These bodies are tasked with monitoring potential jihadists in Ireland and Irish citizens who fight abroad in war zones – specifically Syria and Iraq – for Muslim extremist organisations such as the self-proclaimed “Islamic State”.

Their activities are obviously covert and their objectives and methods are clearly not publicly available or discussed – and rightly so. However, despite numerous attempts by associates it seems that there is no specific publicly available over-arching and non-compromising strategy document (heavily redacted or otherwise) that is available via the FoI Act.

It would be helpful and indeed, in the public interest, to see such a document to determine what level of significance is given to certain potential threats or what the attitude of these units is to the ramshackle approach to some key issues that the public sees via the Irish Court system.

Recent Developments

Islamic State is suspected to have been using Ireland as easy access to the U.K. The Islamic State militant group (ISIS) suspects will now it seem be prevented from using Irish ports as an easy access to get to Britain after the Irish police decided to crack down on the threat after concerns were expressed by their UK colleagues.

GCHQ has been monitoring Irish Jihadists and the ISIS support structure in Ireland including radicalisation threats, money laundering activities, fund raising and funnelling efforts and the use of Irishdocuments to assist jihadis with international travel.

“Sovereign” Ireland & GCHQ

All Irish internet comms cables and internet traffic is monitored by GCHQ in Cheltenham – without the knowledge of the Irish authorities.

Today in a statement it was reported that ‘Operation Mutiny’ began a number of weeks ago after doubts arose that there might be suspects using Irish ports – due to their weak security and surveillance systems– to penetrate the UK to facilitate attacks there.

Security at Irish ports was considered so porous by U.K. authorities that they intervened to reduce therisk that IS terrorists would use Ireland as a staging point for attacks – as the Battle for Mosul escalated – rather than their preferred previous use of Ireland as a soft backdoor for access to Europe.

Ireland has long been seen by Islamic extremists as a country where their support activities for foreignterrorism were largely ignored by the law enforcement community in Ireland in favour of the more highprofile gangland feuds.

An under-resourced Irish police force and domestic intelligence community with a set of IT systems that were woefully out of date did not present a serious threat to compromising extremist comms over emerging encryption and secure communications tools such as Telegram, Hushmail and Tor – despite the sweeping powers introduced to the Irish statute books in 2006, 2009 and 2011.

END

The “FVEY” SIGINT Espionage Alliance

The French, Belgian, Egyptian and Yemeni authorities have all in the last 12 months failed to connect the dots on available data that might have prevented or lessened the Hebdo, Bataclan, Zaventem & Maalbeek atrocities.

Some of their foreign counterparts however are part of an exclusive alliance that shares intelligence that does in many cases provide insights that the individual portions do not.

The Five Eyes intelligence alliance is led by the USA. Often abbreviated as “FVEY” the alliance comprises Australia, Canada, New Zealand, the United Kingdom, and the United States. They are bound by the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

STASI - FIVE EYES

FVEY’s origins can be traced back to the Atlantic Charter issued by the Allies to lay out their goals for a post-war world in 1945. During the Cold War, the ECHELON surveillance system was initially developed by the FVEY to monitor the communications of the former Soviet Union and the Eastern Bloc. Later, it was alleged that it was also used to monitor billions of private communications worldwide.

ECHELON’s existence was disclosed in the late 1990’s and it triggered a major debate in the European Parliament. As part of efforts in the so called War on Terror the FVEY further expanded their surveillance capabilities, with much emphasis placed on monitoring internet communications.

Snowden describes the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The leaked documents also revealed the existence of numerous surveillance programs jointly operated by the Five Eyes including:

  • PRISM – Operated by the NSA together with the GCHQ and the ASD;
  • XKeyscore – Operated by the NSA with contributions from the ASD and the GCSB;
  • Tempora – Operated by the GCHQ with contributions from the NSA;
  • MUSCULAR – Operated by the GCHQ and the NSA;
  • STATEROOM – Operated by the ASD, CIA, CSEC, GCHQ, and NSA.

Despite the disclosures no amount of outrage will affect the Five Eyes which remains the most extensive known espionage alliance in history.

END.