Friday, July 29, 2016

PIR – Discussion of PowerShell Exploitation in China

PRIORITY INTELLIGENCE REPORT (PIR)
Executive Summary: 
Wapack Labs analysts collected information from Chinese hacker and cyber security websites to determine the extent of Chinese research on PowerShell, as part of standing collection requirements. PowerShell is a comprehensive command line interface and scripting language for Windows. Collection efforts indicate that conversations are taking place in China about PowerShell exploitation, especially over the past year. Hacker websites did not have many “how-to” articles, first-hand claims of use, or discussion of TTPs that would suggest its popularity in the hacker population, but the nature of PowerShell exploitation and various methods of intrusion have been covered in Chinese-language articles. There is more discussion at Chinese cyber security websites and vulnerability databases, indicating that it is considered a serious cyber problem in the Chinese commercial world. However, no specifics were found concerning Chinese actors using PowerShell for malicious activity against either Chinese or foreign targets.

Publication date: 26 July 2016; information cutoff date: 8 June 2016
Handling Requirements: Traffic Light Protocol (TLP) AMBER
Attribution/Threat Actors: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Actor Type: Adversary capabilities have been assessed as Tier IV. Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Previous Reporting: None
Industries Targeted: Financial, Defense Industrial Base, Multi Sectors

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 26, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Thursday, July 28, 2016

PIR – CTA&I Wekby Lateral Movement TTPs


PRIORITY INTELLIGENCE REPORT (PIR)
Executive Summary: 
This priority intelligence report (PIR) summarizes the known tactics, techniques, and procedures (TTPs) observed with Wekby lateral movement within a target's network and how the group previously exfiltrated data. Wekby will likely use these techniques against a highly valued target, and analysts believe this represents some of the group's more advanced TTPs. The group's tactics are extremely effective at evading network controls and detection by seasoned network defenders. The process is customized to the target's network, tested, and fully scripted by the attackers, reducing the chance of detection and operator error.

Traditional network defenses will not detect this activity, and Wekby takes the time to profile the defender's controls to determine this. Execution is quick, leaving a defender a small window to detect the activity.

Publication Date: 25 July 2016; information cutoff date: 8 June 2016
Handling Requirements: Traffic Light Protocol (TLP) AMBER
Attribution/Threat Actors: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Actor Type: Adversary capabilities have been assessed as Tier IV.
Previous Reporting: Windows Credential Editor Usage and Mitigations Tracking ID: 908481
Wekby and Sparkstation.net Subnets Tracking ID: 908384
Wekby Parite Payload Analysis Tracking ID: 912386
Wapack Labs: Recent Wekby, Pisloader, and C2 over DNS Tracking ID: 922814
Industries Targeted: Defense, Banking, Manufacturing, Information Technology, Chemicals

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 25, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Wednesday, July 27, 2016

SITREP – RIO – Fake Wi-Fi Networks at Various Locations Around the RNC

A cyber security company conducted a Wi-Fi collection effort to expose the ease of exploiting free Wi-Fi hotspots. Collection was conducted last week during the Republican National Convention (RNC) in Cleveland, OH. Avast is a Czech security software company headquartered in Prague, Czech Republic, that develops antivirus software and internet security services. Avast created a series of fake Wi-Fi networks at various locations around the RNC. Avast's team set up several networks, using names such as "Trump free Wifi" or "Google Starbucks," which were designed to look as though they were set up for convention attendees. By connecting to a random, unprotected network they found in a public setting, the users unwittingly gave Avast access to spy on their devices.

Over the course of a 24-hour span, Avast found over a thousand attendees who were completely negligent about their devices' security. Over 60 percent of the users who connected had their identity completely exposed. These 1,000 attendees also used the open and unprotected Wi-Fi hotspots to check their mail, use smartphone apps, and even play Pokemon.

This security-based collection exercise exposed how easy it is for criminal actors or organizations to set up fake Wi-Fi hotspots for collection activity at large events. Individuals attending large events are cautioned to beware of open, free Wi-Fi hotspots. When possible, use a VPN to help keep your sensitive information safe.

Publication Date: 25 July 2016
Handling Requirements: Traffic Light Protocol (TLP) AMBER
Attribution/Threat Actors: OSINT – Potential malicious use of Wi-Fi hotspot networks
Actor Type: Tier II
Potential Targets: 2016 Olympics & DNC Philadelphia PA

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 25, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Tuesday, July 26, 2016

SITREP – RNC Revealed Various Members of the Awakening Media Anarchist Group

RNC (Republican National Convention) research revealed various members of the Awakening Media anarchist group. This group links several of the previous names provided by a Midwest police department. We are providing this information for situational awareness and cross-reference.

OSINT (Open Source Intelligence) collection reviewed information provided by a Midwest police department regarding possible RNC protest organizers. The full report includes the gathered information on the protest actors, as well as other information related to the actors and associated groups. The data in this report is labeled based upon posting date, not date of findings, unless marked otherwise. This information is being reviewed for situational awareness and event security planning. Intelligence gaps include whom they are directly recruiting, as well as people with similar interests. Note that some names do fall into direct recruitment efforts.

Publication date: 29 June 2016
Handling requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: OSINT – Protest Organizers/Anarchist Group; Tier I for cyber and Tier II for physical.
Potential Targets: City of Cleveland

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on June 29, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Monday, July 25, 2016


SITREP – Masonic Temple Protester Location


Current social media has identified, through an “Occupy” organization post, the “Masonic Temple” in a Midwestern location as a convergence center for RNC (Republican National Convention) protests. The exact location of the Masonic Temple is unclear. Additionally, influencer and sentiment information is presented for situational awareness.


POST:

OCC North Carolina post:
<<<We have rented the Masonic Temple in Cleveland as a convergence center for protesters and are planning at least one major concert in its 2,000 person ballroom and invite y'all to come to Cleveland to protest at the RNC.>>>


Publication Date: 12 June 2016
Handling Requirements: Traffic Light Protocol (TLP) GREEN
Attribution/Threat Actors: Social Media Collection
Industries Targeted: City of Cleveland


This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on June 12, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Friday, July 22, 2016

SITREP - 2016 RIO – AnonOpsBrazil #OpOperadors vs. Anatal.gov.br


On 21 July 2016, RIO research revealed a potential cyber war being initiated against cyber groups fighting for world-wide Net Neutrality. ISIS cyber warriors appear to have teamed up with various groups in this cause. This is causing infighting, which is producing and may continue to produce hacking, DDoS and ransomware situations in Brazil.

We are providing this information for your situational awareness.

Publication date: 22 July 2016
Handling requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: OSINT – Net Neutrality / cyber wars
Actor Type: Tier II – Social Media operators
Potential Targets: Rio de Janeiro / Summer Olympics

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 20, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Wednesday, July 20, 2016

SITREP - 2016 RIO – WhatsApp in Brazil / OSINT


On 20 July 2016, RIO OSINT revealed that local and national negative social media sentiment remains high after the Brazilian government suspended service of WhatsApp, a social media communication tool, for the vendor's failure to cooperate with several past court orders. Facebook owns WhatsApp. Brazilian citizens are upset that they cannot use this application to communicate, adding to the already negative social media sentiment toward the Brazilian government over many public social issues. Anonymous has hacked a government court web site and claimed responsibility. Anonymous is posting, urging the public to take action, and suggesting alternative communication platforms that use encryption. Social media sentiment is a very good barometer of potential social unrest or protest development as the 2016 Summer Olympic events begin on 5 August 2016. We are providing this information for your situational awareness.

Publication date: 20 July 2016
Handling requirements: Traffic light protocol (TLP) GREEN
Attribution/Threat Actors: Tier I – Social Media operators
Actor Type:
Potential Targets: Rio de Janeiro / Summer Olympics

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 20, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.

Tuesday, July 19, 2016

Risk Assessment: US Presidential Election Cyber Threat Landscape

INTRODUCTION: The American political landscape is complex, and profiling the attack surfaces for any federal political operation is difficult as campaigns adopt new marketing, social media, and fundraising methods. There are also different motivations for each cyber actor that may overlap.

The different categories of political players are diverse as candidates have political action committee (PAC) allies, national political committees, and major events such as each party’s national convention. This is also compounded by the long political and business histories of each party’s nominee: Hillary Clinton and Donald Trump. 

US financial services exposure includes the targeting of Personally Identifiable Information (PII) of donors to the candidates, PACs, and national political committees. This is possible through the vendors hired by each campaign to manage and report donations. Exposure also extends to business email compromise targeting the banks that service the transactions for all of these organizations, as well as those who have worked with the business or political assets belonging to each candidate.

This paper is also applicable to non-US institutions, as it profiles how to conduct counter-reconnaissance awareness with typo-squatting tools, examines how to be aware of politically exposed persons or celebrity donors, and recommends best practices to prevent fraud through business email compromise.

******************************************

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 19, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.  


Monday, July 18, 2016

OPINTEL – New Black Panthers - Potential for violence in Cleveland


On 16 July 2016, OSINT revealed an announcement from Malik Shabazz, former leader of the New Black Panthers (NBP), that there will be violence in Cleveland during the RNC. NBP have been involved in protests in Baton Rouge, LA, where law enforcement (LE) is currently investigating the shooting of 7 officers. We are providing this information for situational awareness.


Publication date: 17 July 2016
Handling requirements:
Attribution/Threat Actors: New Black Panthers
Actor Type: Activist


http://www.thegatewaypundit.com/2016/07/former-new-black-panther-leader-shabazz-will-violence-cleveland-video/

---------------------------------------------------------------------------

What is Operational Intelligence? Operational Intelligence, OPINTEL for short, is the term previously used in the Navy to refer to tailored, all-source intelligence provided directly to naval operating forces. It focuses on a potential adversary's capabilities, his immediate intentions, and the environment. It is oriented more toward combat than long-range planning.

This OPINTEL report was authored by Wapack Labs Team Jagaer in support of Red Sky Alliance portal members, law enforcement, and protection details in the Cleveland area or associated with the National Conventions. We've produced nearly 100 such reports in the last 30 days, distributing them in the Red Sky Alliance portal to members.

This report was published in its entirety to the Red Sky Alliance portal on July 16, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.    

Saturday, July 16, 2016

Analysis of Cerber (Professional) Ransomware

Bottom Line Up Front: Cerber is a professionally developed piece of ransomware that is widely deployed via three major exploit kits (Magnitude, Neutrino and RIG), VBS spear phishing attachments, and popular JavaScript downloaders such as Nemucod. The malware appears to be easily customized to avoid detection on the host system. A Cerber payload was recently observed by a Wapack Labs subscriber as the final payload of a spear-phished VBS attachment. Wapack Labs analyzed dozens of recent Cerber samples as well as malicious emails delivering a Cerber download attachment.

Cerber infrastructure operators previously registered domains (2014) for scams involving fake employment offers under fake Chinese names. The infrastructure is indirectly associated with BART ransomware, Pony/Fareit malware, Android malware and phishing pages. Malware operators also modified C2 infrastructure over the course of a few months to include a “.win” top-level domain, in addition to those covered in other publicly reported research.

Publication Date:  6 July 2016; information cutoff date: 1 July 2016

Handling requirements: Traffic light protocol (TLP) AMBER.  Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: Criminal

Actor type: Adversary capabilities have been assessed as Tier IV – Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.

Previous Reporting: None

Industries Targeted: Financial Services (US, Germany), Construction (Japan), Shipping (Italy), Education, Pharmaceuticals (Germany).

Indicators will be available in Threat Recon: ThreatRecon.co.

The full report was posted to the Red Sky Alliance portal on 7/15/16. Indicators are available in ThreatRecon.co. For more information, contact Wapack Labs. 844-4-WAPACK.

Friday, July 15, 2016

Wapack Labs Sinkhole Results - 18 universities

Between 7/4/16 and 7/5/16, computers in eighteen research organizations or universities were identified beaconing out of their university environments to Wapack Labs-operated sinkholes at the Internet Protocol address 23.253.46.64.

A sinkhole is a DNS server that gives out false answers to prevent the use of the domain names it represents, often redirecting traffic from its intended destination to a researcher-controlled address, where security researchers capture the data and analyze it for threats.

Wapack Labs monitors several such sinkholes. The domains, purchased by the team, are typically command and control nodes that malware, once installed on a computer, will call looking for instructions. When a computer is identified on the sinkhole list, we assume it to be compromised.

The full report was published to Wapack Labs on 7/5/16. For more information, users can search for the domain name on ThreatRecon.co or contact Red Sky Alliance or Wapack Labs for assistance at 844-4-WAPACK.

Universities mentioned in this report include Ali, Brookings, Brook Law, Boston University, Clarkson, CUNY, Georgia Tech, Kean, Khai, Lake Forest, Missouri State, MSU, Najah, University of Rhode Island, UCLA, University of Houston, University of Kentucky, University of Michigan, and the University of Pennsylvania.

OpenBazaar, Bitmarkets, Dropzone and SafeMarket: decentralized markets. Part I. OpenBazaar

Law enforcement is able, from time to time, to take down deep web black market servers. But there is a risk that deep web actors will become more resilient by adopting decentralized technologies, much as the takedown of the media-sharing service Napster brought about decentralized torrent technology.

In December 2014 we posted reporting about some developments in this field. That post can be viewed in the Red Sky Alliance portal.

In this post I'm looking at OpenBazaar, which was relaunched in April 2016 with rewritten code. Currently OpenBazaar doesn't actively hide sellers' IPs, so most of the goods for sale look legal, which helps the developers (many of them in the US) continue their work on OpenBazaar. At the same time, I will show here that some cyber items are listed on OpenBazaar, including not only old and "clean" RATs but also DDoS services and manuals for fraud, hacking, carding and stealing funds from PayPal accounts.


In the future I plan to look into other decentralized markets: Bitmarkets, Dropzone and SafeMarket, which use different transaction data storage vehicles: Bitmessage, the Bitcoin blockchain and the Ethereum blockchain.

After the Silk Road black market takedown, a concept for a decentralized market was developed during a hackathon. The idea got funding but was never finished by its initial creator. Another team took the concept and released a working version in 2014 under the OpenBazaar name. Soon OpenBazaar was closed due to the need to rewrite the code, which was done by April 2016.

Since OpenBazaar's second launch in April 2016:
  • 150,000 downloads of the installer,
  • ~17k followers of the OpenBazaar store (the official swag store; doesn't include other OpenBazaar stores),
  • 6,400 listings online,
  • the number of sales is unknown, but an estimate of ~650 reviews suggests ~6,500 purchases.
Being decentralized, OpenBazaar has no default search engine, and users first need to subscribe to a shop to track its listings (shops also go online and back offline). But there are two major search engines for OpenBazaar made by other developers: bazaarbay[.]org and duosear[.]ch.

The full report was posted to the Red Sky Alliance portal on 7/10/16. For more information, contact Wapack Labs. 844-4-WAPACK.

Thursday, July 14, 2016

OPINTEL SITREP: Women for Peace to protest at the RNC


What is Operational Intelligence? Operational Intelligence, OPINTEL for short, is the term previously used in the Navy to refer to tailored, all-source intelligence provided directly to naval operating forces. It focuses on a potential adversary's capabilities, his immediate intentions, and the environment. It is oriented more toward combat than long-range planning.

This OPINTEL report was authored by Wapack Labs Team Jagaer in support of Red Sky Alliance portal members, law enforcement, and protection details in the Cleveland area or associated with the National Conventions. We've produced nearly 100 such reports in the last 30 days, distributing them in the Red Sky Alliance portal to members.

This report was published in its entirety to the Red Sky Alliance portal on July 7th. For more information, contact Wapack Labs at 844-4-WAPACK.      


 **************RAW AND UNEVALUATED INFORMATION****************

On 10-11 July 2016 the Women for Peace organization, which is an NGO that describes itself as a "grassroots peace and social justice movement working to end U.S.-funded wars and occupations, to challenge militarism globally, and to redirect our resources into health care, education, green jobs and other life-affirming activities." In addition to their focus on anti-war issues, Code Pink has taken action on issues such as drones (including protests, trips to meet with drone victims in Pakistan and Yemen and bringing them to the US), Guantanamo Bay prison (including a delegation that included former prisoners and yearly protests at the White House), Palestinian statehood (including its involvement in the BDS movement to protest Ahava, SodaStream, ReMax, and AirBnB), the Iran nuclear deal, Saudi Arabia (including protests to end the U.S. alliance with Saudi Arabia, its airstrikes on Yemen, and its executions of its political dissidents), and Women Cross DMZ.


They will be protesting at Public Square during the RNC. “The Convention will take place July 15 and 16 at Olivet Church, but will shift to the Masonic Auditorium, 3615 Euclid Ave Cleveland, OH 44115, on Sunday.”

Wednesday, July 13, 2016

Wapack Labs sinkhole activities - 7/13/16


A sinkhole is a DNS server that gives out false answers to prevent the use of the domain names it represents, often redirecting traffic from its intended destination to a researcher-controlled address, where security researchers capture the data and analyze it for threats.

Wapack Labs monitors several such sinkholes. The domains, purchased by the team, are typically command and control nodes that malware, once installed on a computer, will call looking for instructions. When a computer is identified on the sinkhole list, we assume it to be compromised.

The table below shows this week's top 25 list. Each domain is associated with one or more computers that have attempted to connect to a Wapack Labs sinkhole command and control node. The 'domain' column is the domain name of the affected company. The 'description' column shows Wapack Labs' sinkhole type.

The full report was published to Wapack Labs on 7/12/16. For more information, users can search for the domain name on ThreatRecon.co or contact Wapack Labs for assistance at 844-4-WAPACK.


domain description
checalla.com putter_panda
aeroproducts.info mirage
bbconlines.com mirage
chechire.com zxshell
cnnonlie.com mirage
datingysa.com kazy
dpptw.com nflog
expobrussels.com pwsteal
fotobees.net kazy
graeccorp.com pirpi
gtishare.com wekby
idahoanad.org miniasp
ironybl00dy.net flower_lady
itunesblog.net carbanak
kerberts.com htran
kingdomcer.com procus
lflink.org png_downloader
microsoftupdata.com nflog
msdnblog.com backdoor_briba
msproduct.us tabcteng
photogalaxyzone.com sykipot
rad-waste.org binanen
suibian2010.info poison
symantecservice37.com tabcteng
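The two sinkhole posts above (7/13 and 7/15) describe the defender's side of the arrangement: a host that asks for a sinkholed domain, or is answered with the sinkhole address, is treated as compromised. The script below is an added example of how a network owner would apply that rule to their own DNS resolver logs; it is not Wapack Labs code. The domain-to-sinkhole-type mapping is copied from the table above (a subset of rows), and the sinkhole address is the one named in the 7/15 post. The resolver log format (timestamp, client, query, answer) and the sample log lines are constructed for this example, since the posts do not show what the real logs look like. Matching is done on whole DNS labels after normalizing case and the trailing dot, so a subdomain of a listed name matches but a lookalike such as notchecalla.com does not, and a query for a listed name still counts when the answer was NXDOMAIN, because the callback attempt itself is what the posts' assumption rests on.

```python
"""Triage DNS resolver logs against a sinkholed-domain list.

Added example, not Wapack Labs code. Domain -> sinkhole type comes from the
table in the post (subset); the log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sinkhole address from the 7/15 post. An answer pointing here is worth a look
# even when the queried name is not on the list we happen to hold.
SINKHOLE_IP = "23.253.46.64"

# Domain -> sinkhole type, copied from the table above (subset of rows).
SINKHOLED = {
    "checalla.com": "putter_panda",
    "aeroproducts.info": "mirage",
    "chechire.com": "zxshell",
    "gtishare.com": "wekby",
    "itunesblog.net": "carbanak",
    "msdnblog.com": "backdoor_briba",
}

# Assumed log format: "<timestamp> client=<ip> query=<name> answer=<ip|NXDOMAIN>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)\s+answer=(?P<answer>\S+)$"
)

# Constructed sample traffic (not real logs): mixed case plus trailing dot, a
# subdomain of a listed name, a lookalike that must NOT match, an NXDOMAIN
# answer, an unlisted name resolving to the sinkhole, and an unparsable line.
SAMPLE_LOG = """\
2016-07-12T09:14:02Z client=10.20.5.17 query=www.CHECALLA.com. answer=23.253.46.64
2016-07-12T09:14:09Z client=10.20.5.17 query=update.microsoft.com. answer=13.107.4.50
2016-07-12T09:15:41Z client=10.20.7.203 query=gtishare.com. answer=23.253.46.64
2016-07-12T09:16:00Z client=10.20.7.203 query=notchecalla.com. answer=93.184.216.34
2016-07-12T09:17:55Z client=10.20.9.8 query=msdnblog.com. answer=NXDOMAIN
2016-07-12T09:18:30Z client=10.20.11.42 query=cdn.unlisted.example. answer=23.253.46.64
this line is garbage and should be counted as skipped
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    query: str
    family: str  # sinkhole type from the table, or "unknown_sinkhole"
    reason: str  # "domain", "answer" or "domain+answer"


def normalize(name):
    """Lower-case and drop the trailing dot so 'www.CHECALLA.com.' compares cleanly."""
    return name.lower().rstrip(".")


def sinkhole_family(name):
    """Match the name or any parent domain, on whole-label boundaries.

    'www.checalla.com' matches 'checalla.com'; 'notchecalla.com' does not,
    because we compare label suffixes rather than raw string suffixes.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        family = SINKHOLED.get(".".join(labels[i:]))
        if family:
            return family
    return None


def triage(log_text):
    """Return (hits, skipped): one Hit per sinkhole-related query, plus unparsable line count."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        family = sinkhole_family(m["name"])
        answered_sinkhole = m["answer"] == SINKHOLE_IP
        if not family and not answered_sinkhole:
            continue
        # A listed name counts even on NXDOMAIN: the host still tried to call home.
        reason = "+".join(
            r for r, flag in (("domain", family), ("answer", answered_sinkhole)) if flag
        )
        hits.append(Hit(m["ts"], m["client"], normalize(m["name"]),
                        family or "unknown_sinkhole", reason))
    return hits, skipped


def affected_hosts(hits):
    """Group by client so each host appears once with the sinkhole types it reached for."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h.client].add(h.family)
    return {host: sorted(fams) for host, fams in sorted(by_host.items())}


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} -> {h.query} [{h.family}] via {h.reason}")
    print("hosts to investigate:", affected_hosts(found))
    print("unparsable lines:", bad)
```

Run against the constructed log, the script flags three hosts by domain name and a fourth solely because its answer was the sinkhole address, which is the case the table alone cannot catch; it ignores the lookalike domain and the ordinary Microsoft lookup. Point it at a real resolver's query log (adjusting LOG_RE to that resolver's format) and load the full 25-row table, and the output is the per-host list a responder would start from.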

Tuesday, July 12, 2016

MNKit & NetTraveler Variants

NetTraveler (also known as “Travnet” or “Netfile”) is a data-stealing utility leveraged by Chinese APT actors against high profile targets, including diplomatic officials and military organizations. The malware has been used since 2013 to infect numerous victims in over 40 countries. Most recently, in April 2016, a new variant of the NetTraveler malware was observed in a campaign targeting Uyghur and Russian organizations. The attacks also leveraged weaponized Office documents created by the MNKit malicious document generator.

This report provides analysis and mitigations for the MNKit dropper and NetTraveler malware. Wapack Labs is providing this analysis as situational awareness of an ongoing APT campaign.

Attribution/Threat Actors: Hammer Panda, TA459

Actor type:  Adversary capabilities have been assessed as Tier V – State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.

Indicators: 
The full report and previous reporting can be viewed in the Red Sky Alliance portal.

Analyst: Mike Murray

Publication Date: 16 June 2016; information cutoff date: 1 June 2016