Wednesday, May 30, 2012

Taking a Bite Out of IXESHE

Via TrendMicro Malware Blog -

We released a new research paper describing the activities of another APT campaign, IXESHE (pronounced “i-sushi”).

One of the most notable characteristics of the IXESHE campaign is the attackers’ use of compromised servers in target organizations as command-and-control (C&C) servers. This tactic allowed them to hide their presence by confusing their activities with data belonging to legitimate individuals. In one particular case, we saw C&C servers hosted on the compromised machines of an East Asian country, making targeted attacks against that government easier. In another case, we received an error message from a C&C server, which indicated that the front-end servers were merely acting as proxies for the actual back-end servers.

Our research also showed that attackers utilized dynamic Domain Name System (DNS) servers and broadly distributed external C&C servers around the world to make detection and takedowns more difficult.

The IXESHE campaign has been underway since at least July 2009 when we first saw samples of this particular malware family. Its primary method of entry into user systems is via malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These malicious files are sent as attachments to targeted emails sent to potential victims within target organizations.

In the process of our investigation, we were able to determine that its victims could be broadly classified into three categories:

• East Asian governments
• Electronics manufacturers
• A German telecommunications company

For further details, please consult the full paper...

Monday, May 14, 2012

Fundamentals of Chinese Information Warfare

The Potomac Institute Cyber Center hosted a special program on Fundamentals of Chinese Information Warfare and Impacts on the Western World on Friday, May 11, 2012. The guest speakers included William T. Hagestad II, author of the new book 21st Century Chinese Cyberwarfare (IT Governance, 2012).

The commentary is pretty insightful and, near the end, touches on some possible geopolitical solutions that could be used to change China's behavior.

Hat-tip to Bill and his Red Dragon Rising blog.


Here is the Potomac Institute for Policy Studies lecture and panel discussion on "Russian Cyber Capabilities".

Project Grey Goose - Operation Poachers

I'm pleased to announce that the fourth Project Grey Goose investigation, commencing today, will target the very serious problem of domestic and international poaching of endangered species. I founded Project Grey Goose in August 2008 as an experiment in crowd-sourcing an Open Source Intelligence (OSINT) effort whose goal was to investigate possible Russian government connections in the cyber attacks against Georgian government websites during the Russia-Georgia war. Rather than focusing on hackers, this project will focus on criminals who are viciously taking the lives of rare and beautiful animals for body parts and profit, i.e. poachers. The problem is vast and growing, and it's my sincere hope that Project Grey Goose's unique international collaborative approach to OSINT will make an impact.

I'm particularly happy to announce that my co-manager for this project is Nada Bakos, a former CIA intelligence analyst and targeting officer. I can't imagine a more qualified person to help lead this effort than Nada and I'm excited to have her aboard to help this mission succeed.


Check out the link above to Jeffrey's blog if you want to know how you can help.

Uighur Leader Accuses China of ‘Systematic Assimilation’

Via VOA News -

Exiled representatives of the Uighur, an ethnic group that lives mainly in Western China’s province of Xinjiang, are meeting in Japan for their fourth annual conference. The World Uighur Congress, based in Germany, opposes what it calls the Chinese occupation of their land, and the group's gatherings routinely draw criticism from Beijing.

Rebiya Kadeer, leader of the World Uighur Congress, and also known as "the Mother of the Uighur Nation," has been living in exile in the United States since her release from a Chinese prison in 2005.

She joined more than 100 representatives of the ethnic group from more than 20 countries, including the United States, Germany and Australia, to elect new leadership and discuss strategies to engage China over the issue of self-determination.

Kadeer said the Uighurs are facing a threat to their existence because of the Chinese government’s policy of systematic assimilation. She also accuses Chinese authorities of committing extra-judicial killings, economic exploitation, and destroying Uighur values.


With that in mind, could you guess who might want to target companies or organizations interested in the Uyghur Congress with targeted zero-day malware? I wonder. ;)

APT: A Geopolitical Problem

Sunday, May 13, 2012

South China Sea Spat Goes Cyber

Via The Diplomat -

China continues to raise the heat in its dispute with the Philippines over the sovereignty of Scarborough Shoal/Huangyan Island. On Monday, He Jia, an anchor on China’s state-run CCTV, mistakenly declared that “China has unquestionable sovereignty over the Philippines” rather than just over the disputed island. On Tuesday, Chinese Vice Foreign Minister Fu Ying warned a Philippine diplomat that China was fully prepared to do anything to respond to escalation. Deep-water drilling has begun near islands in the South China Sea and Chinese travel agencies have reportedly suspended tours to the Philippines. Chinese netizens are fully in support of the claims, and have in many instances criticized the Ministry of Foreign Affairs for not taking more assertive action.

As with previous territorial disputes in East Asia these days (see China-Vietnam, China-Japan, and Korea-Japan), the political, diplomatic, and military maneuvering has a cyber component. On April 20, Chinese hackers attacked the website of the University of the Philippines. The next day, Filipino hackers struck back with the defacement of Chinese websites. On the 23rd and 24th, the two sides again traded tit-for-tat attacks (a very useful timeline up until April 30 can be found here). Attacks have continued over the last week; attackers have also pasted the Chinese flag on the website of the Philippines News Agency.

From almost the beginning of the attacks, the Philippines government has called for both sides to stop. On April 22, a Philippines government spokesperson said, “We call on citizens, including ours, to exercise civil temperance.” On April 25, the Philippines’ Department of Science and Technology and Information and Communications Technology Office declared that the attacks were neither sanctioned nor condoned, and on May 10 a spokesman went further in warning that such attacks “will not benefit anyone and could possibly lead to bigger problems in the future for the Philippines and China and escalate the already tense situation at Panatag Shoal (Scarborough Shoal).” This is not a misplaced worry as freelance attacks could make it much more difficult for the two sides to communicate and signal intentions.

Unfortunately, there has been silence from Beijing on the issue. China’s leaders seem to be embracing the conflict, or at least the prospect of conflict, as a welcome distraction from the problems of Chen Guangcheng and Bo Xilai. As Michael Yip and Craig Weber argue, the Chinese government – after years of enrolling students in patriotic education that stresses a history of national humiliation – needs to align itself with and divert away from nationalistic responses to real and perceived slights. Political hacking acts as a diversion – venting resentment away from the regime, focusing web users’ ire on outside actors, and maintaining the government’s nationalistic credentials.

When China’s Minister of Defense General Liang Guanglie was at the Pentagon this week, he talked about how China wanted to work to improve cybersecurity. Beijing could gain a great deal of credibility by doing what the Philippines has done: call on both sides to stop the attacks.

Friday, May 11, 2012

TTPs: Lessons from Today's Amnesty Hack

Via Imperva -

Amnesty International UK's website was hacked courtesy of a backdoor dropped on visitors' systems. It was most likely done by a foreign government; many speculate that it's the Chinese. Websense's blog gives a good technical overview of the attack.

But what does it mean for security teams?

In some cases, hackers don’t want to steal the data from the website but rather want to infect the users who are visiting. This can lead to more access to business critical data which, for example, is often stored as files on a fileserver. In the Amnesty case, the real prize isn't Amnesty's data per se, but the corporate and individual data and files of those who visit the site.


This exact technique has been used by advanced adversaries in previous targeted attacks. Intelligence sources have observed this technique being used in attacks against the US defense industry as well.

July 2011 - Attack On Pacific Northwest National Lab Started At Public Web Servers

Thursday, May 10, 2012

Iran's Web Censorship Filters Supreme Leader's Own Statement

Via Ars Technica -

Iranian Supreme Leader Ayatollah Ali Khamenei’s own words have now become a victim of Iran’s massive online censorship infrastructure.

According to Radio Free Europe (RFE), last week Khamenei issued a “fatwa,” or religious edict, confirming that anti-filtering tools and software are illegal in Iran. The decree came in response to a question by Mehr News (Google Translate), a semi-official news agency, which had asked for clarification on the ruling due to the fact that, as journalists, employees sometimes need to access blocked websites and other non-authorized information.

Khamenei, according to a translation by RFE, replied: "In general, the use of antifiltering software is subject to the laws and regulations of the Islamic republic, and it is not permissible to violate the law."

However, his own use of the word “antifiltering” apparently triggered Iran’s own filtering system, making Khamenei’s words inaccessible to most Iranians.

RFE also reported that this filtering episode prompted Tabnak, a conservative news website, to respond: "The filtering of a [religious] order is so ugly for the executive [branch] that it can bring into question the whole philosophy of filtering."

Iran, of course, has a notorious surveillance and filtration system in place—just last month, the Islamic Republic published a "Request for Information" for furthering its so-called "halal Internet."

Tuesday, May 8, 2012

GPS Jamming Affects Ship Navigation off Korean Coast

Via Marine Link -

122 ships, including Coast Guard vessels and a passenger vessel, have reported malfunctions in their navigation systems since the apparent jamming of satellite signals by North Korea last week, reported 'Safety4Sea'.

According to the Coast Guard in Incheon, west of Seoul, a total of 122 ships were affected by the disruption to Global Positioning System (GPS) signals. Among the vessels were eight patrol boats belonging to the Coast Guard, a passenger liner carrying 387 people and a petrol products carrier.

Fishing boats operating near the tense western maritime border with North Korea also reported errors in their navigation systems, although none of them led to accidents, Coast Guard officials said.

The transport ministry said about 250 commercial flights in and out of international airports at Incheon and Gimpo, also west of Seoul, were also affected by the jamming, although they were not put in danger.

South Korea came under similar electronic attacks in March of last year, and in August and December of 2010, all of which were blamed on the North. South Korean Defense Minister Kim Kwan-jin has said anti-jamming programs are being developed to counter the attacks.

The defense ministry has also said the North operates a regiment-sized electronic warfare unit near its capital Pyongyang, and some battalion-sized units closer to the inter-Korean border.

Sunday, May 6, 2012

On The Rebound: Shining Path Factions Vie for Control of Upper Huallaga Valley

Via The Jamestown Foundation -

After the Peruvian army captured Comrade Artemio on February 12 and two potential successors on March 4 and April 3, President Ollanta Humala declared that the Shining Path was “totally defeated”—a prediction that is already proving to be premature. The Shining Path faction in the Upper Huallaga Valley retains a core group of loyal fighters capable of conducting military operations to pressure the government for Artemio’s release, but they are more dangerous for their apparent alliance with Movadef, a rising political movement that the government sees as a “front” for the Shining Path. Meanwhile, the 500-fighter faction of the Shining Path led by Comrade Jose in the VRAE has made clear its desire to expand its international narco-trafficking enterprise into the Upper Huallaga Valley and exploit the power vacuum with Artemio out of the picture. A takeover of the Upper Huallaga Valley would elevate Comrade Jose to the level of one of South America’s premier narco-trafficking bosses. Neither Shining Path faction is near surrender, and questions linger about whether President Humala’s new four-year anti-drug strategy, underwritten by millions of dollars of U.S. aid, will tame or inflame the country’s narco-trafficking insurgencies.


The Shining Path consists of a 500-fighter faction in the River Apurimac and River Ene Valley (VRAE) led by Comrade Jose and a smaller 150-fighter faction in the Upper Huallaga Valley led until February 12 by Comrade Artemio. The VRAE and Upper Huallaga Valley factions split in 1999 after the capture of then leader Comrade Feliciano (Oscar Ramirez Durand). Comrade Artemio succeeded Feliciano in 1999 and remained loyal to Shining Path founder, Abimael Guzman (Chairman Gonzalo), who was captured in 1992. After Feliciano’s capture, Comrade Jose’s faction disavowed the Shining Path of Guzman, Feliciano and Artemio, who they criticized for alienating the campesinos during the war against the State in 1980s and for offering truces to the government once Guzman was captured.

Both factions officially espouse turning Peru into a Marxist state, but they depend on their capitalist narco-trafficking enterprises for financial survival. It is no coincidence that the two surviving factions of the once 15,000-fighter Shining Path operate in the country’s two main coca producing regions—the VRAE and the Upper Huallaga Valley, which produce 75% of Peru’s coca. With Peru expected to surpass Colombia as the world’s largest coca producer (61,200 hectares) in 2012, both factions stand to benefit.



The capture of Comrade Artemio has weakened his faction, but a core group of his fighters continues to engage in shows of military force to support Movadef’s political goals. There appears to be a low likelihood of a Shining Path merger, considering that the two groups operate in distinct areas and harbor contrasting motivations. If Artemio’s faction continues to splinter, however, Jose’s faction may gain control of the major drug trafficking routes in the Upper Huallaga Valley and revive the Shining Path under a model like the FARC—a drug cartel with a nominal Marxist ideology. Both Shining Path factions benefit from the country’s increasing coca production, and they are also capable of attracting recruits from the cocaleros if the drug eradication plan moves forward. The drug war can only be won if the cocaleros are provided with a substitute for growing coca, but historically the state has struggled to meet this need.

After the capture of Abimael Guzman in 1992, then President Fujimori said, “Sendero has been defeated. I defeated it.” Twenty years later, President Humala shows similar optimism, but the events on the ground suggest that both Shining Path factions will adapt to the realities on the ground after Artemio’s capture and implement new strategies in order to survive.

Shining Path (Sendero Luminoso in Spanish) is a Maoist guerrilla insurgent organization in Peru. It prefers to be called the "Communist Party of Peru" or "PCP" for short. The Shining Path's ideology and tactics have been influential on other Maoist insurgent groups, notably the Communist Party of Nepal (Maoist) and other Revolutionary Internationalist Movement-affiliated organizations. Widely condemned for its brutality, including violence deployed against peasants, trade union organizers, popularly elected officials and the general civilian population, the Shining Path is described by the Peruvian government as a terrorist organization. The group is on the U.S. Department of State's list of Foreign Terrorist Organizations, and the European Union and Canada likewise describe it as a terrorist organization and prohibit providing funding or other financial support.

Friday, May 4, 2012

Xtreme RAT Used in Targeted Attack Against Syria Activist

Via F-Secure Labs -

Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include using technology surveillance, trojans and backdoors.

Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.

The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.

Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe, which was a backdoor — a backdoor called "Xtreme RAT".

Xtreme Rat is a full-blown malicious Remote Access Tool.

Sold for 100 euro (Paypal) via a page hosted at Google Sites: hxxps://

We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address This IP block belongs to Syrian Arab Republic — STE (Syrian Telecommunications Establishment).

This would not have been the first case of using trojans for such purposes in Syria, either.

"Right On" by The Roots (feat. Joanna Newsom & STS)

Thursday, May 3, 2012

Microsoft Fingers Chinese Firewall/IPS Vendor In Windows Exploit Leak

Via Dark Reading -

Microsoft today announced that it had rooted out the source of a leak from within its third-party security software firm partnership program that resulted in the weaponization of a bug in Windows -- raising questions about whether the Microsoft Active Protections Program (MAPP) could be vulnerable to other such breaches.

Chinese firewall and IPS vendor Hangzhou DPTech Technologies Co., Ltd., according to Microsoft, was the culprit behind a rapid-fire turnaround of a working exploit for the Windows Remote Desktop (RDP) flaw in mid-March, just after the bug was patched by Microsoft.


Microsoft today was mum on how it ultimately rooted out DPTech as the source of the leak, or on just what Hangzhou DPTech Technologies did. "During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program," said Yunsun Wee, director of Microsoft Trustworthy Computing, in a statement.

HD Moore, chief security officer at Rapid7 and creator of Metasploit, says it couldn't have been simple to trace the leak to a specific company. "[It's] interesting and somewhat surprising that they found it at all," Moore says.

Meanwhile, the announcement by Microsoft appears to raise more questions than it answers. Concerns about a Chinese security vendor leaking Windows vulnerability details before the patch window had closed, and whether this was truly the first breach of the MAPP program, sent a chill through the industry.

"Yes, it is a little concerning that it was a Chinese firm that leaked the Microsoft information. That being said, what did Microsoft really expect was going to happen? The Chinese do not have a very good track record of adhering to NDA and other agreements," says Paul Henry, security and forensic analyst at Lumension. "It is important to recognize that the MAPP program is relatively new, so there will be bumps in the road as Microsoft works out the delicate balance between strategic sharing and safeguarding the distribution of sensitive information regarding its products."


MAPP Update: Taking Action to Decrease Risk of Information Disclosure


Shocker. Kudos to MS for tracking this down to the company. Impressive.