Monday, February 4, 2013

Somalia's al-Shabab Opens New Twitter Account

Via BBC -

Somalia's al-Qaeda-linked al-Shabab group has opened a new Twitter account in English, less than two weeks after its previous account was suspended.

A senior al-Shabab official told the BBC that the new account was genuine.

Al-Shabab's previous English-language account was suspended after it used it to announce it would kill a French hostage and then said it had done so.

Twitter's rules say that threats of violence are banned but it refused to comment on the suspension.


The new al-Shabab account has 280 followers, compared to the previous account which had more than 20,000 followers.

It was closed on 25 January, about a week after it announced the killing of a French spy, Denis Allex, it was holding hostage.

Mr Allex, who was kidnapped in Somalia in July 2009, was killed in retaliation for a failed French operation to free him.

Analysts say the US has wanted al-Shabab banned from Twitter for some time, but lacked the legal means to enforce its will.


Research Brief - Violent Jihadism in Real Time: Al-Shabaab’s Use of Twitter

Since December 2011, the Somali jihadist group, Harakat al-Shabaab al-Mujahideen, had been actively using the popular micro-blogging platform Twitter to engage with English-speaking supporters. At the time of this brief’s publication, the organization (@HSMPress) had more than 20,000 followers and had tweeted approximately 1,250 times, before its English-language account was suspended by Twitter Jan. 25, 2013.

This project is part of a broader paper published by the International Centre for the Study of Radicalisation and Political Violence (ICSR), “Lights, Camera, Jihad: Al-Shabaab’s Western Media Strategy,” and seeks to analyze al-Shabaab’s use of Twitter to better understand its messaging priorities. The findings show that the organization is most concerned with promoting its narrative, which states that Somalia is a front under siege in the war on Islam. The group also highlights its ability to carry out attacks and rejects what it sees as the bias of the Western media.

Tuesday, June 26, 2012

Pwning Poison Ivy Server: Own And You Shall Be Owned

Via Gal Badishi's Security Bits Blog -

While working on Poison Ivy’s communication, one of my students approached me and asked me if the fact that an infected computer can connect to the C&C server means that the compromised host can break into the server. Well folks, it appears that it’s possible. We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any computer, for that matter) to assume control of PI’s C&C server.


It’s important to note that the exploit data following our header never gets decrypted, so we don’t have to worry about PI ruining our values if we don’t encrypt the data.

In light of this analysis, a Metasploit module without encryption is being prepared.

Boko Haram Linking Up with al Shabaab and Al Qaeda

Via -

Three of Africa’s largest extremist groups are sharing funds and swapping explosives in what could signal a dangerous escalation of security threats on the continent, the commander of the U.S. military’s Africa Command said on Monday.

General Carter Ham said there are indications that Boko Haram, al Shabaab and Al Qaeda in the Islamic Maghreb – groups that he labeled as the continent’s most violent – are sharing money and explosive materials while training fighters together.

“Each of those three organizations is by itself a dangerous and worrisome threat,” Ham said at an African Center for Strategic Studies seminar for senior military and civilian officials from Africa, the United States and Europe.

“What really concerns me is the indications that the three organizations are seeking to coordinate and synchronize their efforts,” Ham said. “That is a real problem for us and for African security in general.”

The United States classified three of the alleged leaders of the Islamist sect Boko Haram, based in remote northeast Nigeria, as “foreign terrorist,” on June 20. But it declined to blacklist the entire organization to avoid elevating the group’s profile internationally. Police in Nigeria said members of the group seized a prison there Sunday and freed 40 inmates.

Islamist militant group al Shabaab is active in war-ravaged Somalia and has been blamed for attacks in Kenya. Last year it claimed responsibility for the death of Somali Interior Minister Abdi Shakur Sheikh Hassan.

Al Qaeda in the Islamic Maghreb (AQIM), an affiliate of al Qaeda based in North Africa, is mainly a criminal organization operating in the Sahel region. It kidnaps Westerners for ransom and aids Africa’s drug trade, according to intelligence officials.

Wednesday, June 20, 2012

Syrian Activists Targeted with BlackShades RAT


One of the attackers who has been targeting Syrian anti-government activists with malware and surveillance tools has returned and upped the ante with the use of the BlackShades RAT, a remote-access tool that gives him the ability to spy on victims' machines through keylogging and screenshots.

The original attacks against Syrian activists, who are working against the government's months-long violent crackdown, were using another RAT known as Xtreme RAT, with similar capabilities. That malware was being spread through a couple of different targeted attacks, including one in which activists were directed to YouTube videos and their account credentials were then stolen when they logged in to leave comments.

That attack continued with the installation of the RAT, giving the attacker surreptitious access to the victims' machines, enabling him to monitor their activities online. Now, researchers say that at least one attacker who is known to be involved in these targeted attacks also is using the BlackShades RAT in a new set of attacks.

The new attack is being run by spreading a malicious link to dissidents. When a victim clicks on the link, it takes him to a site that downloads a file called "new_new .pif." That file then goes through a long infection routine that includes the installation of several files. One of the files that's installed is a keylogger and the malware also creates a number of registry keys that ensure persistence on the machine, according to an analysis of the attack by researchers at the EFF and Citizen Lab.


For those interested in samples, Mila posted copies of all three RATs used to target Syrian anti-government activists.

Friday, June 1, 2012

Obama Order Sped Up Wave of Cyberattacks Against Iran

Via NYTimes -

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.


The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.


For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.


Those looking for a deeper look can grab Flamer/Skywiper samples from Mila Parkour at the Contagio blog.

China Arrests Security Official on Suspicion of Spying for U.S.

Via Reuters -

A Chinese state security official has been arrested on suspicion of spying for the United States, sources said, a case both countries have kept quiet for several months as they strive to prevent a fresh crisis in relations.

The official, an aide to a vice minister in China's security ministry, was arrested and detained early this year on allegations that he had passed information to the United States for several years on China's overseas espionage activities, said three sources, who all have direct knowledge of the matter.

The aide had been recruited by the U.S. Central Intelligence Agency and provided "political, economic and strategic intelligence", one source said, though it was unclear what level of information he had access to, or whether overseas Chinese spies were compromised by the intelligence he handed over.

The case could represent China's worst known breach of state intelligence in two decades and its revelation follows two other major public embarrassments for Chinese security, both involving U.S. diplomatic missions at a tense time for bilateral ties.

The aide, detained sometime between January and March, worked in the office of a vice-minister in China's Ministry of State Security, the source said. The ministry is in charge of the nation's domestic and overseas intelligence operations.