Category Archives: Hacking

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

CouchPotato enabled CIA agents to remotely use the tool to stealthily collect RTSP/H.264 video streams (RTSP/H.264: Real Time Streaming Protocol is a network control protocol designed for use in entertainment and communication systems and is a control mechanism for streaming media servers).

The tool provided CIA operatives with a number of options:

  • Collect the media stream as a video file (AVI);
  • Capture still images (JPG) of frames from the media stream;
    • This function was capable of being triggered only when there was change (threshold setting) in the pixel count from the previous capture;

The tool uses FFmpeg to encode and decode video and images and Real Time Streaming Protocol connectivity. The CouchPotato tool works stealthily without leaving any evidence on the attacked systems facilitated by ICE v3 “Fire and Collect” loader.

This is an in-memory code execution (ICE) technique that runs malicious code without the module code being written to the disk.

Neither Wikileaks, nor the leaked user guide explains how the agency penetrates the attacked systems, but as many CIA malware, exploits and hacking tools have already leaked in the Vault 7 publications, the agency has probably used CouchPotato in combination with other tools.” – TAD Group

The 10th August 2017 WikiLeaks release overview:

“Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”

One document was published alongside this release:

CouchPotato v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

In November 2014, Raytheon announced its acquisition of Blackbird Technologies. This acquisition expanded Raytheon’s special operations capabilities in several areas including:

  • Tactical Intelligence
  • Surveillance and reconnaissance
  • Secure tactical communications
  • Cybersecurity

Raytheon stated that their existing capabilities were now augmented by the Blackbird Technologies acquisition “across a broad spectrum of globally dispersed platforms and communications networks”. Blackbird Technologies was synergistic with Raytheon’s existing expertise and capabilities specifically in the areas of:

  • Sensors
  • Communications
  • Command & Control

This document dump contains suggested PoC’s for malware attack vectors. Raytheon Blackbird Technologies acted as a “kind of “technology scout” for the Remote Development Branch (RDB) of the CIA”.

They analysed malware attacks in the public domain and then gave the CIA recommendations for malware projects. These suggestions by RBT to the CIA were in line with the agencies stated objectives. These malware recommendations benefitted from data derived from “test deployments” in the field by other malware actors. Weaknesses in legacy deployments were assessed and designed out in the CIA versions.

The 19th July 2017 WikiLeaks release overview:

Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field. Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Forty One (41) documents accompanied this release:

  1. 11 September, 2015 (S//NF) CSIT 15083 — HTTPBrowser
  2. 11 September, 2015 (S//NF) CSIT 15085 — NfLog
  3. 11 September, 2015 (S//NF) Symantec — Regin – Stealthy Surveillance
  4. 11 September, 2015 (S//NF) FireEye — HammerToss – Stealthy Tactics
  5. 11 September, 2015 (S//NF) VB — Gamker
  6. 4 September, 2015 (S//NF) SentinelOne – Rombertik
  7. 4 September, 2015 (S//NF) FireEye – Window into Russian Cyber Ops
  8. 4 September, 2015 (S//NF) MalwareBytes — HanJuan Drops New Tinba
  9. 4 September, 2015 (S//NF) Cisco — Rombertik
  10. 4 September, 2015 (S//NF) RSA — Terracotta VPN
  11. 28 August, 2015 (S//NF) Dell SecureWorks — Sakula
  12. 28 August, 2015 (S//NF) CSIT 15078 — Skipper Implant
  13. 28 August, 2015 (S//NF) Symantec — Evolution of Ransomware
  14. 28 August, 2015 (S//NF) CSIT 15079 — Cozy Bear
  15. 28 August, 2015 (U) McAfee DLL Hijack — PoC Report
  16. 28 August, 2015 (U) HeapDestroy – DLL Rootkit — PoC Report
  17. 21 August, 2015 (S//NF) TW — WildNeutron
  18. 21 August, 2015 (S//NF) NMehta — Theories on Persistence
  19. 21 August, 2015 (S//NF) CERT-EU — Kerberos Golden Ticket
  20. 21 August, 2015 (S//NF) VB Dridex 2015 — Dridex
  21. 14 August, 2015 (S//NF) Symantec — Black Vine
  22. 14 August, 2015 (S//NF) CSIR 15005 — Stalker Panda
  23. 14 August, 2015 (S//NF) CSIT 15016 — Elirks RAT
  24. 14 August, 2015 (S//NF) Eset — Liberpy
  25. 14 August, 2015 (S//NF) Eset — Potao
  26. 7 August, 2015 (U) Sinowal Web Form Scraping — PoC Report
  27. 7 August, 2015 (S//NF) MIRcon — Something About WMI
  28. 7 August, 2015 (U) PoC Report — Anti-Debugging and Anti-Emulation
  29. 7 August, 2015 (S//NF) SY 2015 — Butterfly Attackers
  30. 7 August, 2015 (S//NF) Symantec — ZeroAccess Indepth
  31. 7 August, 2015 (S//NF) CI 2015 — PlugX 7.0
  32. 7 August, 2015 (U) Mimikatz Password Scanning Analysis — PoC Report
  33. 7 August, 2015 (S//NF) TrendMicro — Understanding WMI Malware
  34. 4 August, 2015 (S//NF) CanSecWest 2013 — DEP/ASLR Bypass Without ROP/JIT
  35. 26 June, 2015 (U) Software Restriction Policy: A/V Disable — PoC Report
  36. 26 June, 2015 (U) WMI Persistence Proof of Concept — Supplemental Report
  37. 29 May, 2015 (U) Mimikatz PoC Report
  38. 29 May, 2015 (U) Pony / Fareit PoC Report
  39. 26 January, 2015 (U) SIRIUS Pique Proof-of-Concept Delivery — User-Mode DKOM — Final PoC Report
  40. 29 December, 2014 (U) SIRIUS Pique Proof-of-Concept Delivery — Direct Kernel Object Manipulation (DKOM) — Interim PoC Report
  41. 21 November, 2014 (U) Direct Kernel Object Manipulasiton (DKOM) — Proof-of-Concept (PoC) Outline 21 November, 2014

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. *

Vault7 Projects - Images - AAC Dumbo - PAG

The 3rd August 2017 WikiLeaks release overview:

Today, August 3rd 2017 WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation. Dumbo is run by the field agent directly from an USB stick; it requires administrator privileges to perform its task. It supports 32bit Windows XP, Windows Vista, and newer versions of Windows operating system. 64bit Windows XP, or Windows versions prior to XP are not supported.

Log Excerpt:

Vault7 Projects - Images - AAC Dumbo - LOG

Eight documents were also published alongside this release:

Dumbo v3.0 — Field Guide

Dumbo v3.0 — User Guide

Dumbo v2.0 — Field Guide

Dumbo v2.0 — User Guide

Dumbo v1.0 — TDR Briefing

Dumbo v1.0 — User Guide

Dumbo Epione v1.0 — TDR Briefing

Dumbo Epione v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

Welcome to the Jungle – Adolescent Hackers With Very Adult Problems

I won’t try to write about what those who are far better qualified * than me have already written ** or engage in debate about the pedigree of Marcus Hutchins ***. I am not a security researcher, I am not a hacker, I am not a programmer (anymore), and I am incredibly disinterested in trying to compete with far cleverer teenagers and young adults who would have me “pwned” in a matter of minutes.

The New Criminals

What many of the recently infamous hackers have in common, aside from being bright with little relevant experience which would make them capable of handling serious jail time, is that they do not know the way the world really works.

They seem to be unfamiliar with cause and effect. Many of them unknowingly thread the thin line between legality and illegality. In the evolving landscape of cyber-crime legislation what was quasi-legal and unregulated yesterday may be highly illegal tomorrow.

Most “security researchers” stay on the right side of the street but even in doing so they inevitably rub shoulders with those who are not. Something that aspiring researchers should remember is that “ignorance” is never a defence in a court of law. If and when someone chooses to wander across to the shadier side of the street (knowingly or unknowingly) they find themselves way out of their depth.

There is a very big gulf of reality between facing down a virtual opponent in a chatroom and eyeballing a professional interrogator in an “interview suite”. I have sat on both sides of that particular table, sometimes in places that the most intrepid backpacker wouldn’t consider going, and it is not a place that you want to be.

These are kids with very adult problems.

Dmitry Bogatov

Picture: Dmitry Bogatov

Welcome To The Jungle

Being a criminal or a member of an organized crime gang used to involve certain stages or rituals. It was a way of life sometimes forced on people as a result of their environment or poverty or family history or simply a conscious decision. Criminals are not always victims of circumstance.

For serious criminals it was an informed choice of sorts. It normally began with petty crime and graduated into more serious categories of crime as time passed. As the scale, sophistication, and seriousness of the crimes being committed grew so too did the tariff.

But the career criminal was more or less aware of this and the risk-return ratio. Also, to be effective in crime at the levels where it potentially attracted a forty year prison term, one had to have a network, contacts, tools, “pedigree”, and lots of other stuff. Not any more.

Jail sentences of these types for these hackers are not jail sentences, they are death sentences. Warming a concrete mattress in a concrete cage for twice as long as you have already been on the planet leaves these people with few choices.

They find themselves sharing space with men who have committed all sorts of crimes that actually involve leaving their mothers house. All of the lobbying and strongly worded letters from the Electronic Frontier Foundation, Amnesty International, family run crowd funding efforts, and emotional tweet storms will not help them when that door closes.

The phenomenon of the new criminals is highly contradictory. We now see fresh faced “deer in the headlights” types facing the sort of time that would make harder men cry for their mother.

Kimberly Crawley‍; 4th Aug 2017; “MalwareTechBlog and the Cybersecurity Community versus the FBI“; Peerlyst

** Kevin Beaumont; 5th Aug 2017; Regarding Marcus Hutchins aka MalwareTech; DoublePulsar

*** IPostYourInfo; 4th Aug 2017; The Marcus Hutchins I Knew; Medium

ENDS

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

These leaked documents relate to a CIA project codenamed ‘Imperial’, they include details of three CIA hacking tools and implants that have been designed to compromise computers running Apple Mac OS X and different Linux distributions. *

The three hacking tools are:

  1. Achilles – A tool to trojanize a legitimate OS X disk image (.dmg) installer;
  2. SeaPea – A Stealthy Rootkit For Mac OS X Systems;
  3. Aeris – An Automated Implant For Linux Systems.

The 27th July 2017 WikiLeaks release overview:

Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.

Vault7 Projects - Images - HackRead Imperial

Three documents were also published alongside this release:

Achilles — User Guide

The malware has been tested to be compatible with Intel processors running 10.6 OS.

SeaPea — User Guide

This hack was written in 2011. It is listed as “tested” on OS X 10.6/Snow Leopard and Mac OS X 10.7/Lion. The malware works by assigning processes to any one of the three categories namely: Normal, Elite, and Super-Elite. ** The commands in SeaPea are executed as Elite processes.

Aeris — Users Guide

The coding for the Aeris hacking tool was done in C and it affects the following systems:

Debian Linux 7 (i386), Debian Linux 7 (amd64), Debian Linux 7 (ARM), Red Hat Enterprise Linux 6 (i386), Red Hat Enterprise Linux 6 (amd64), Solaris 11 (i386), Solaris 11 (SPARC), FreeBSD 8 (i386), FreeBSD 8 (amd64), CentOS 5.3 (i386) and CentOS 5.7 (i386). ***

Previous and subsequent Vault 7 WikiLeaks dumps synopses are available on WikiLeaks and also see further analysis of Imperial at HackRead and The Hacker News.

ENDS

Header image courtesy of The Hacker News (Twitter @TheHackersNews) & in-article image courtesy of HackRead (Twitter @HackRead)

* Content courtesy of Pierluigi Paganini “Security Affairs” article  WikiLeaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project

** References from content courtesy of HackRead – Twitter @HackRead

*** References from content courtesy of The Hacker News – Twitter @TheHackersNews

Quick Reference Resource Introduction: WikiLeaks CIA Vault 7 Leaks

This series covers links to and analysis of each of the WikiLeaks CIA Vault 7 leaks including:

  1. The WikiLeaks pages;
  2. The associated CIA documents – Specification Documents, Systems Requirements, Installation Guides, User Guides, User Manuals, Test Plans, Tactics Documents, Slides and so on;
  3. Links to external references and sources including The Hacker News (Twitter @TheHackersNews), HackRead (Twitter @HackRead), and Pierluigi Paganini at “Security Affairs”; 
  4. Analysis by other third party publications of each leak;
  5. General comments, notes, and links added by AirGap Anonymity Collective as each leak and its previous deployment is more clearly understood;
  6. How these posts will evolve over time:
    1. The first post will be a generic description of each leak including 1-3 above; 
    2. Content will be added over time and date-stamped to include:
      1. Articles, external resources, and commentary that augment the knowledge base with respect to the basic content of each leak; 
      2. Advice on counter-measures / new research; 
      3. Analysis and examples of the subsequent deployment (in the original form or altered) of these hacking tools by cyber criminals, cyber terrorists, state actors, hackers, and others;
      4. Other information that does not emanate from generic or main stream media sources; 

These documents are marked with various security classifications. To understand what these classifications mean see Understanding NSA / INR Security Classifications on Intelligence Assessments;

Posts in this series to date:

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

All third party content is explicitly acknowledged and content or imagery that has been altered or amended for ease of use is clearly marked.  

ENDS

Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog

ENDS