Category Archives: Incident Response

Mask/Careto Unmasked, Shadowy Spanish Spybots Slink into Sunset

Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states (among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul), the major global players such as the US, Russia and China have been heavily represented. A new report by Kaspersky Lab reveals an advanced operation conducted by an as yet unidentified but presumably Spanish-speaking state. The operation apparently began as early as 2007, and the sophistication of its code has been judged higher than that seen in Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for an ugly face or a mask, it is assumed that the malware authors speak Spanish. The malware came to Kaspersky Lab’s attention because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software in order to hide itself from scans. The program also included a rootkit and a bootkit, employed zero-day exploits, and could infect a variety of 32- and 64-bit systems, with versions for Windows, Mac and Linux and possibly for Android and iOS on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses that impersonated the sites of a number of Spanish and international newspapers, and the malware was signed with a valid digital certificate (albeit one issued to an unknown, and probably fictitious, Bulgarian company called TecSystem Ltd). A practitioner should keep in mind that a valid signature only proves that the signer held the private key, not that the signer is trustworthy. The command and control servers were also configured to deny access to IP address ranges likely to be used by security researchers, among them Kaspersky Lab.

The entities targeted by the attacks seemed to be primarily in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are only a limited subset of the groups that may have been targeted: the team involved was very effective at covering its tracks, and the targets identified (mapped in the image above) represent only the systems under attack at the time Kaspersky made its investigation. However, soon after the operation was discovered it was shut down, as the article quoted below details.

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”
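The two defensive handles in this story, spearphishing domains that imitate newspaper sites and C&C domains that have been sinkholed, can both be checked from ordinary DNS resolver logs. The following Python script is an added example written for this page, not code from Kaspersky Lab or from the Mask report. The protected newspaper domains, the sinkhole addresses, the log format and the log lines are all constructed stand-ins rather than indicators from the campaign, and the registrable-domain logic assumes two-label domains instead of consulting the public suffix list.

```python
"""Flag DNS lookups that land on newspaper lookalike domains or on sinkhole IPs.

Added example for this page; the indicator lists and log lines below are
constructed stand-ins, not data from the Mask/Careto report.
"""
import re

# Constructed for this example: legitimate newspaper domains a spearphishing
# site might imitate (chosen as illustrative brands, not taken from the report).
PROTECTED = {"elpais.com", "elmundo.es", "theguardian.com"}

# Constructed for this example: addresses a research team has announced as
# sinkholes for seized C&C domains (RFC 5737 documentation ranges).
SINKHOLE_IPS = {"198.51.100.7", "203.0.113.9"}

# Assumed resolver log format for this example: "... client=<ip> q=<name> a=<ip>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+q=(?P<qname>\S+)\s+a=(?P<answer>\S+)")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host name.

    Assumption for this example: two-label registrable domains. A production
    tool would consult the public suffix list so that e.g. .co.uk is handled.
    """
    return ".".join(host.split(".")[-2:])


def lookalike_reason(host):
    """Return why `host` looks like an imitation of a protected brand, or None."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or registrable(host) in PROTECTED:
        return None  # bare label, or the genuine site itself
    for brand in PROTECTED:
        brand_label = brand.split(".")[0]
        # Brand name embedded as a subdomain label of an unrelated domain,
        # e.g. elpais.com.news-update.example
        if brand_label in labels[:-2]:
            return f"brand label '{brand_label}' under unrelated domain {registrable(host)}"
        # Second-level label within one edit of the brand: a typo like elpa1s.com
        # (distance 1) or the same name under another TLD like elmundo.com (distance 0)
        if levenshtein(labels[-2], brand_label) <= 1:
            return f"second-level label '{labels[-2]}' within one edit of '{brand_label}'"
    return None


def analyze(log_lines):
    """Return (client, qname, reason) for every suspicious record in the log."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line; a real tool would count these
        client, qname, answer = m.group("client", "qname", "answer")
        if answer in SINKHOLE_IPS:
            # The host resolved a seized C&C name: it is probably already infected.
            findings.append((client, qname, f"resolved to sinkhole {answer}"))
            continue
        reason = lookalike_reason(qname)
        if reason:
            findings.append((client, qname, reason))
    return findings


# Constructed sample resolver log for this example (not real traffic).
SAMPLE_LOG = [
    "2014-02-11T10:01:02Z client=10.0.0.5 q=www.elpais.com a=93.184.216.34",
    "2014-02-11T10:01:09Z client=10.0.0.5 q=elpais.com.news-update.example a=192.0.2.44",
    "2014-02-11T10:02:31Z client=10.0.0.8 q=elpa1s.com a=192.0.2.45",
    "2014-02-11T10:03:12Z client=10.0.0.9 q=update.example a=198.51.100.7",
    "2014-02-11T10:04:00Z client=10.0.0.9 q=www.theguardian.com a=93.184.216.35",
]

if __name__ == "__main__":
    for client, qname, reason in analyze(SAMPLE_LOG):
        print(f"{client} -> {qname}: {reason}")
```

Run against the constructed log it reports three records: the brand label buried under an unrelated domain, the one-character typo domain, and the client that resolved a name to a sinkhole address. The last finding is the one that matters most for incident response, since a host that looks up a seized C&C name is usually already compromised. The edit-distance threshold of one is noisy for very short brand names and should be tuned per brand in real use.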

Dan Gifford – MCySec Media Manager

Russia Crowdsourcing Its Cyber Security Strategy: Clever Experiment or Solicitation of Internet Restriction Freedoms?

On November 29, 2013 the Federation Council (CF) of the Russian Federation held parliamentary hearings on the draft Concept of Russia’s Cyber Security Strategy. Participants in the hearing, recognizing the significant security implications of the proposed strategy, proposed submitting the draft for public discussion online. The main concerns addressed by the draft concept were gaps in Russia’s overall cyber security posture, the incorporation of both state and private-sector entities, and the establishment of clear incident response models for individuals, businesses and the state.

On January 10, 2014 the CF published a 10-page draft of the Concept of the Russian Federation Cyber Security Strategy and allowed commentators to email one of the lead senators overseeing the concept’s development directly. The senator, Ruslan Gattarov, heads the Federation Council Committee on Development of the Information Society, which had established a working group of experts to work on the cyber security strategy a year earlier. Several other Russian government organizations also contributed to the draft, including the Security Council, the Ministry of Communications and Mass Media, the Federal Security Service (FSB), the Ministry of Internal Affairs and the Ministry of Foreign Affairs.

(Pictured Above: Senator Ruslan Gattarov)

However, the FSB criticized the draft strategy, pointing out what it considers incorrect terminology: the term “cyber security”, as used in western countries, primarily encompasses the protection of equipment and communication channels, whereas the term “information security”, which the FSB insists on, has a broader meaning that includes Internet content.

On January 13 of this year RBK-TV (currently Russia’s only 24-hour business news television channel) aired a report on cyber security in Russia (2:32 – 9:28 in the broadcast) and invited two subject matter experts to give their opinions. During the broadcast RBK-TV stated that the Concept of the Russian Federation Cyber Security Strategy sets out seven key directions, in particular the improvement of the legal framework in the field of information technology. The authors suggest harsher punishment for crimes committed on the Internet, including criminal prosecution. Among the strategy’s general objectives are increasing the “digital literacy” of the population and improving the culture of information security. The strategy also proposes reducing reliance on foreign software and hardware in favor of domestic products, while conceding that technical support and consultation from foreign experts are still necessary for the protection of strategic resources.

Yuriy Gatchin, Chair of the Computer Security Systems Department at the St. Petersburg National Research University of Information Technologies, Mechanics and Optics (St. Petersburg NRU ITMO), disagrees with the draft strategy’s position that Russia still needs outside technical support. Mr. Gatchin argues that there should be no need for foreign experts, since there are plenty of “competent and smart professionals” within Russia and Russia “needs to rely on its own strength”. Another expert, Artem Kozlyuk, one of the leaders of the Pirate Party of Russia and head of the project “RosKomSvoboda”/RuBlackList.Net, sees the document as mostly “focused towards the domestic market”. Kozlyuk points to the Russian government’s recent pattern of fostering fear and then responding with quick policy solutions pushed through the State Duma.

According to Mr. Kozlyuk, responsibility for cyber security should rest on self-regulation by private companies and organizations, and on individuals policing their own online activity, rather than on a government-implemented information-blocking directive. Although the draft strategy currently welcomes public suggestions, Mr. Kozlyuk is pessimistic about the influence commentators will have, since there is no legal framework to support any kind of publicly determined policy.

In a separate interview with Systemnyi Administrator / System Administrator, Mr. Kozlyuk offers his outlook on the future of Russian Internet:

“The future of the Internet is blocking, censorship under various pretexts, aggressive defense of copyright, widespread identification and criminal liability for comments. In short, the state, with some delay, has nevertheless come to the Internet”.

(Picture Above: Artem Kozlyuk)

“Personally, I think that the next year will be a turning point for Runet (the Russian Internet): either the state will choose the “Chinese version” of Internet regulation, with a ministry of censorship, total information control, burdensome sanctions for Internet businesses and the introduction of an army of thousands of pro-government bloggers to refute the negative impact of censorship on civil society; or perhaps our efforts will not be wasted, and the process of integrating legitimate public interests and leveling out the negative impact of laws that limit information will begin. I’m not saying that everything will be decided within the next year, but I’m almost certain a direction will be set, and all of us will feel what it is”.

It is difficult to predict whether Russia’s experiment will prove successful. The draft Concept will be open for discussion, comments and suggestions for approximately one month. We will have to wait until all the results are in to see whether the final product of this endeavor becomes Russia’s first publicly inspired piece of legislation or simply sputters out of existence.

– by Olga Volcsko, graduate student at the Monterey Institute of International Studies

Profile of Brazil’s Overall Cyber Security Situation

Brazil is often known for its coastal beauty, but sadly it should also be recognized for its prolific cyber security problems. Symantec ranks Brazil seventh on its list of countries with the biggest cybercrime problems. Despite investing significant amounts of money in cyber start-ups and establishing cooperative cyber security agreements with Argentina, India and Russia, Brazil is still struggling to overcome the persistent challenge that cyber-criminals present. On top of this, Brazil has recently taken a hard-line stance against the U.S. following the revelations of Edward Snowden: it has actively supported the U.N.’s Cyberprivacy Agreement and begun taking steps to bypass U.S.-operated undersea cable systems in order to reduce its dependence on those it now perceives as false friends.

It appears, however, that Brazil is focused on the wrong issues, as it still needs to deal with large numbers of domestic banking Trojans and substantial gaps in its cyber security practices. Some experts even claim that Brazil’s current security posture is so poor that the country is wide open to cyber-invasion. Brazil has also taken steps to introduce cloud technology into its government networks, which could magnify the problems of its current state. On a positive note, Brazil now realizes that effective policy and law for responding to cybercrime are necessary. Hopefully Brazil will follow up these legislative acts with improvements in its cyber security practices, to give its new resolve some teeth.

For another recent summary of Brazil’s cyber security situation, check out the National Center for Digital Government’s whitepaper Brazil and the Fog of (Cyber) War.

– by Ben Volcsko, Research Assistant

Successor to Blackhole Exploit Kit May Take Years to Emerge

The arrest of Paunch shut off the flow of updates to the highly popular crimeware infrastructure tool, the Blackhole exploit kit. Since then there have been a number of contenders for the lucrative crown. A new article at Threatpost speaks with analysts at Kaspersky Lab about the prospects for newcomers entering the market. Thus far no single product has shown it can dominate, which may indicate that taking down people like Paunch has a real and lasting impact on the cybercrime milieu.

The Internet of Things – A Cause for Concern?

Bruce Schneier, Chief Technology Officer of Co3 Systems and well-known security blogger, offers his two cents on security concerns for today’s interconnected world of computers. His article raises a lot of good questions and identifies some of the key concerns we should be considering for big data going into the new year.

– by Ben Volcsko, Research Assistant

Understanding How the Feds Handle Incident Response

Ever wondered how DHS, CYBERCOM and other federal cyber security agencies handle incident response? You are in luck. Jason Healey, author of Above My Pay Grade – Incident Response at the National Level, explains the challenges and successes in tackling cyber incidents from the federal government’s perspective. Healey, director of the Cyber Statecraft Initiative of the Atlantic Council and creator of the first Computer Emergency Response Team that coordinated the response to incidents affecting the finance sector, provides an outstanding written account of the obstacles facing today’s incident response handlers.

– by Ben Volcsko, Research Assistant

Anonymous Unmasked

Gabriella Coleman, one of the preeminent researchers of “hacker” culture and of the nebulous group known as “Anonymous”, has published an excellent paper describing the history, origins and elements of the group. She correctly places the seminal nexus of the group in the various imageboards centered on 4chan.org (and the earlier “trolling” groups of somethingawful.com). Importantly, she incorporates the role of various IRC chat rooms as influential in the development of the activist character the group took on in the wake of its operations against the Church of Scientology, a character which developed further during the response to the WikiLeaks payment blockade, when Anons DDoSed major credit card companies and PayPal, and through the “Arab Spring”, during which an interesting internationalist attitude and user base developed.

My only qualm with her characterization of the group is that she does not explicitly state the nature of Anonymous as a discardable identity, something assumed by various actors for various purposes and left behind as soon as its utility is exhausted. She concentrates on the groups that clung most tightly to the image, while the actual ecosystem of actors using the common identity and ideological schema was much more diverse than the self-proclaimed “Anons”. Anonymous was in many ways simply a convenient mask to be worn for political action.

Dan Gifford – MCySec Media Manager