Fellas fellas! Hot off the presses! Obama's Proof of Russian hacking!!
https://www.scribd.com/document/33530738...from_embed
I have just finished reading it, so let's go through it together for all the non-hackers out there.
The Breakdown:
Quote:
Description
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016
One of the biggest issues I have with this report is that they call Russian Intelligence Agencies the same name as malware or trojans. They claim these are alternative names of Russian Intelligence Services.
Like I said before in other posts, Russian hackers/carders modify or use Zeus bot malware, but that does not make them Russian Intelligence....
If they are just trying to say, "APT29 is what we are going to denote as the group using these tools and malware in the intrusion on date XXXXXXXX," then that is fine. Just write that out clearly for the reader instead of trying to confuse others with tech-speak.
Also, APT is an American word/coined phrase that came out around 2010-ish, when the Chinese were hacking the hell out of Google and other US companies with spearphishing. Corporate execs and the private sector thought spearphishing sounded unprofessional and did not accurately explain the targeted nature of the attack well. Most spearphishes are broadcast spam and can get caught by a Proofpoint or IronPort appliance in front of mail servers. APT is a one-shot deal, aimed at your CEO or CFO to click on, and looks like it came from the COO down the hall. Most appliances will not block that. So that is why Advanced Persistent Threat was coined, more or less.
Moving on.
Quote:
Description
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party's systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
Again, more blanket statements, with no tangible proof to back them up. I am certain the CIA/NSA gets into Russian, German, French or Chinese businesses and organizations whenever feasible to collect generic information as well. Writing this as if we don't is not honest at all and hurts credibility.
Again, more vague statements.... No hard dates. No IP addresses. No signatures.
Which US political party was compromised? They don't want to say the word Democrat?
If Tom Clancy ever wrote novels on hackers, that second paragraph would sound like something out of his book.
Ok, so they claim this information was leaked to the press. No mention of Wikileaks? No Julian?
Quote:
Reported Russian Military and Civilian Intelligence Services (RIS)
Alternate Names
APT28, APT29, Agent.btz, BlackEnergy V3, BlackEnergy2 APT, CakeDuke, Carberp, CHOPSTICK, CloudDuke, CORESHELL, CosmicDuke, COZYBEAR, COZYCAR, COZYDUKE, CrouchingYeti, DIONIS, Dragonfly, Energetic Bear, EVILTOSS, Fancy Bear, GeminiDuke, GREY CLOUD, HammerDuke, HAMMERTOSS, Havex, MiniDionis, MiniDuke, OLDBAIT, OnionDuke, Operation Pawn Storm, PinchDuke, Powershell backdoor, Quedagh, Sandworm, SEADADDY, Seaduke, SEDKIT, SEDNIT, Skipper, Sofacy, SOURFACE, SYNful Knock, Tiny Baron, Tsar Team, twain_64.dll (64-bit X-Agent implant), VmUpgradeHelper.exe (X-Tunnel implant), Waterbug, X-Agent
Again, why are they calling various viruses/trojans/malware names of Russian Intelligence Services? Does the CIA get its name changed by the Chinese Intelligence Agency every time they find a new virus that comes from America?
Why can't they tell us which division of the Russian government wrote which one? Would it hurt them to list out which botnets those might use? If they are encrypting email and files (which could be GBs in size) and sending them back to Russia, they likely have a botnet or zombie/jump servers they might be using. I, Mr. Network Administrator, would really like to know so that I can add those IPs to my firewall!
Quote:
Technical Details
Indicators of Compromise (IOCs)
IOCs associated with RIS cyber actors are provided within the accompanying .csv and .stix files of JAR-16-20296.
Yara Signature
rule PAS_TOOL_PHP_WEB_KIT
{
    meta:
        description = "PAS TOOL PHP WEB KIT FOUND"
    strings:
        $php = "<?php"
        $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/
        $strreplace = "(str_replace("
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"
    condition:
        (filesize > 20KB and filesize < 22KB) and
        #cookie == 2 and
        #isset == 3 and
        all of them
}
Finally!!! Some actual proof or technical details!!! What is this?! some shitty PHP Webkit query?! But that diagram up there said there was some Powershell and other stuff!!! Where are the IPs?! No hashes for the viruses?!
Dude, your average guy in the No Fap thread might have this code somewhere in their internet cache, because they have not flushed it yet! This isn't proof of Russian hacking!
The rest of the report is nothing but tips on how to secure your company or network. I am not bullshitting you. Click on the report and see the hot air for yourself!
Conclusion:
Extremely unconvincing. Complete bullshit, to tell the truth. I used to have to read these reports all the time just to do my job in the past and put in countermeasures, which are usually detailed enough by IPs, hash signatures, etc. So I have real-world experience reading DHS and JAR reports. This one is the worst one I have ever seen, hands down, in all my years reading them.
They basically produced a report full of very high-level talk that has one tiny piece of malware code that they claim is proof of an intrusion, with no reference points whatsoever. They then state there is more evidence in the form of IP addresses and hashes, but they failed to provide any. Oversight? No idea, but this report is just too high level and is no different from just making blanket claims.
I may mosey on over to ArsTechnica to see if they are willing to be honest and call out this bullshit for what it is, or will they pander hard because feelings and Trump. No IT professional worth their salt should believe anything in this report. It just does not have enough details. It's fluffier than a pillow. Hillary supporter Brian Krebs probably won't look at this either because he got shit on by his commenters the first time. There isn't any tangible proof in here to back up his claims that the Russians did it, so he will ignore it too, or he will be risking his reputation big time.
Last thoughts. If any of this is true, what this tells me is that my earlier posts were correct that the DNC was very poorly secured. Multiple actors stole data. Sometimes in the private sector it is not uncommon for companies that started off small, blew up after a few huge contracts, then became targets for international competitors (China, etc.). A red team comes in and finds out they had multiple intrusions and mischief from internal staff. When your network is Swiss cheese because you still have the firewall from when you were 20 employees big but are now 300, the guy that initially set it up no longer works for you, it's never been patched, and your web server is running a version of Apache going on a year without patching, stuff like this is still common to see in our world.
When orgs don't have steady IT staff and use contractors to come in and set up stuff, it isn't maintained securely, and that is what I think happened to the DNC. We know for a fact from the leaks that the DNC hired contractors to set up all their IT at least once. Also, some disgruntled employee grabbed emails off computers, put them on a zip drive and gave it to Julian, because he had intact headers and attachments, which means .PST files were made, more or less.
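To make concrete what the quoted PAS_TOOL_PHP_WEB_KIT YARA rule does and does not fire on, here is an added example (not from the post above, not from the JAR report, and not a real YARA engine): a small Python re-implementation of the rule's condition run over constructed PHP fragments. The rule's `#var` occurrence counts are approximated with `bytes.count`, and the regex is the rule's own with its backslashes restored. The sample bodies, the `pad_to` helper and the `demo` function are constructed for illustration only; in practice you would load the rule with yara-python and scan files on disk.

```python
import re

# Added illustration, not from the JAR report and not a YARA engine: the
# quoted PAS_TOOL_PHP_WEB_KIT conditions re-implemented by hand so you can
# see exactly what the signature keys on.

# Plain strings from the rule; data.count() plays the role of YARA's #var.
PLAIN_STRINGS = {
    "php": b"<?php",
    "strreplace": b"(str_replace(",
    "md5": b".substr(md5(strrev(",
    "gzinflate": b"gzinflate",
    "cookie": b"_COOKIE",
    "isset": b"isset",
}
# The rule's regex: ='base'.(NN*NN).'_de'.'code'  (an obfuscated "base64_decode").
BASE64_DECODE_RE = re.compile(rb"='base'\.\(\d+\*\d+\)\.'_de'\.'code'")
# YARA's 20KB / 22KB are 20*1024 / 22*1024 bytes, with strict bounds.
MIN_SIZE, MAX_SIZE = 20 * 1024, 22 * 1024


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition over one file body and explain the verdict."""
    counts = {name: data.count(s) for name, s in PLAIN_STRINGS.items()}
    counts["base64decode"] = len(BASE64_DECODE_RE.findall(data))
    size_ok = MIN_SIZE < len(data) < MAX_SIZE
    all_present = all(c > 0 for c in counts.values())  # "all of them"
    matched = size_ok and counts["cookie"] == 2 and counts["isset"] == 3 and all_present
    return {"size": len(data), "size_ok": size_ok, "counts": counts, "matched": matched}


def pad_to(core: bytes, size: int) -> bytes:
    """Append a PHP block comment of filler so the sample is exactly `size` bytes."""
    filler = size - len(core) - 4  # 4 = len(b"/**/")
    if filler < 0:
        raise ValueError("core is larger than the requested size")
    return core + b"/*" + b"A" * filler + b"*/"


# Constructed sample (hypothetical, not a real webshell): hits every string with
# exactly the counts the rule wants, _COOKIE twice and isset three times.
PAS_LIKE_CORE = (
    b"<?php\n"
    b"$f='base'.(32*2).'_de'.'code';\n"
    b"if(isset($_COOKIE['k'])){$k=$_COOKIE['k'];}\n"
    b"if(isset($p)){$p=(str_replace(' ','',$p));}\n"
    b"if(isset($d)){$x=gzinflate($d).substr(md5(strrev($k)),0,8);}\n"
)

# Constructed benign-looking page: same size window, same _COOKIE/isset counts,
# but none of the gzinflate / md5(strrev( / obfuscated-decode markers.
BENIGN_CORE = (
    b"<?php\n"
    b"if(isset($_COOKIE['lang'])){$lang=$_COOKIE['lang'];}\n"
    b"if(isset($title)){$title=(str_replace('&','&amp;',$title));}\n"
    b"if(isset($body)){echo $body;}\n"
)


def demo() -> dict:
    """The three cases a reviewer would try first; each key maps to the verdict."""
    return {
        "pas_like_21kb": evaluate(pad_to(PAS_LIKE_CORE, 21 * 1024))["matched"],
        "pas_like_10kb": evaluate(pad_to(PAS_LIKE_CORE, 10 * 1024))["matched"],
        "benign_21kb": evaluate(pad_to(BENIGN_CORE, 21 * 1024))["matched"],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

The second and third cases are the instructive ones: the identical webshell-like body padded to 10KB misses purely on `filesize`, and a page with the right `_COOKIE` and `isset` counts but no `gzinflate`/`md5(strrev(` chain misses on `all of them`. The signature is a file-shape fingerprint for one P.A.S. build; on its own it says nothing about who deployed the file.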