Anyone Using XMPP/OMEMO?

Dear blog readers,

Are you interested in catching up with me in terms of current and upcoming research including possible cybercrime research and commercial threat intelligence gathering services?

Here's my XMPP/OMEMO ID: dancho.danchev@kode.im

Stay tuned! Continue reading →

Join Me on Patreon Community!

Dear blog readers,

I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or not you could make a possible long-term type of financial donation or sponsorship regarding my research and my security expertise.

The current status of the project:
- I'm currently busy soliciting additional input from colleagues regarding upcoming Tier Features
- I'm currently busy reaching out to colleagues to possibly convert them to Patreon Sponsors
- I'm currently busy working on a high-profile Security Podcast
- I'm currently busy working on a high-profile Security Newsletter

Has my research helped you or your organization in the past? Have you been a long-time blog reader? Have you learned something new? Did my active cybercrime and nation-state actor profiling helped you excel in your career path? Are you happy with what you're seeing? Dare to take a moment and refer a colleague or an organization my personal blog including my Patreon Community Page including a possible Patreon Sponsor request confirmation?

Looking forward to hearing from you at - dancho.danchev@hush.com

Enjoy! Continue reading →

Historical OSINT - A Peek Inside The Georgia Government's Web Site Compromise Malware Serving Campaign - 2010

Remember the massive Russia vs Georgia cyber attack circa 2009? It seems that the time has come for me to dig a little bit deeper and provide actionable intelligence on one of the actors that seem to have participated in the campaign including a sample Pro-Georgian type of Cyber Militia that apparently attempted to "risk-forward" the responsibility for waging Cyberwar to third-parties including Russian and Anti-Georgia supporters.

How come? In this post I'll provide actionable intelligence on what appears to be a currently active Brazilian supporter of the Cyber Attacks that took place circa 2009 with the idea to discuss in-depth the tools and motivation for launching the campaign of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:
hxxp://geocities.ws/thezart/

It's 2010 and I'm coming across to a malicious and fraudulent file repository that can be best described as a key actor that managed to participate perhaps even orchestrate the Russia vs Georgia cyber attacks circa 2009. Who is this individual? How did he manage to contribute to the Russian vs Georgia cyber attacks? Did he rely on active outsourcing or was he hired to perform the orchestrated DDoS for hire attacks that took place back then? Keep reading.

It appears that a Brazilian user known as The Zart managed to participated in the Russia vs Georgia cyber attacks circa 2009 relying on a variety of tools and techniques known as:

- DNS Amplification Attacks
- Web Site Defacement Tools
- Targeted Spreading of Vulnerable Legitimate Web Sites
- Automated Web-Site Exploitation - Long Tail of The Malicious Web

which basically resulted in a self-mobilized militia that actually participated and launched the Russia vs Georgia cyber attacks circa 2009.

Related posts:
The Russia vs Georgia Cyber Attack
Who's Behind the Georgia Cyber Attacks?
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks Continue reading →

The Russia vs Georgia Cyber Attack

Last month's lone gunman DDoS attack against Georgia President's web site seemed like a signal shot for the cyber siege to come a week later. Here's the complete coverage of the coordination phrase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress" :

"Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."

Some of the tactics used :
distributing a static list of targets, eliminate centralized coordination of the attack, engaging the average internet users, empower them with DoS tools; distributing lists of remotely SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks; destroy the adversary’s ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers.

Some of the parked domains acting as command and control servers for one of the botnets at 79.135.167.22 :
emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net
googlecomaolcomyahoocomaboutcom.net

Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/

Consider going through the complete coverage of what's been happening during the weeked. Considering the combination of tactics used, unless the conflict gets solved, more attacks will definitely take place during the week. Continue reading →

Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two

With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions.

As you can remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this is just one of the many stages of the campaign.

According to security researchers from Proxelic, the attackers also relied on a PHP based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth and bandwidth from the compromised servers, the attackers managed to successfully achieve their objectives.

The DDoS script in question,"itsoknoproblembro", has been publicly available as a download for months before the attacks started, indicating that it was not on purposely coded to be used in the campaign against major U.S financial institutions.

Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A

Next to Prolexic's claims, th3j35t3r also published an analysis of the situation that's primarily relying on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.

Sample screenshots of the Multiboom.me's GUI:

With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which is blamed for organizing the launching these attacks, it's worth emphasizing on the basics of 'false-flag' cyber operations, and "aggregate-and-forget" type of botnets.

When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.

Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general, and by doing so, chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated Russian DDoS on demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.

Updates will be posted as soon as new intel becomes available.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Dissecting 'Operation Ababil' - an OSINT Analysis

Provoked by a questionable online video posted on YouTube, Muslims from the around the world united in an apparent opt-in botnet crowdsourcing campaign aiming to launch a DDoS (denial of service attack) against YouTube for keeping the video online, and against several major U.S banks and financial institutions.

Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters , the campaign appear to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign such as the "Coordinated Russia vs Georgia cyber attack in progress", the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was nation-sponsored by the Iranian government.

What's so special about this attack? Did the individuals behind it poses sophisticated hacking or coding abilities? Was the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals part of the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups as possible, and actually claim responsibility for the attacks once they took place.

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":

The original message left is as follows:
"Operation Ababil, The second weekIn the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers.Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions. 

The officials claimed that certain countries have taken these measures to solve their internal problems.We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks.Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). 

So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack.We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. 

We repeat again the attacks will continue for sure till the removal of that sacrilegious movie.We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.comWednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.comThursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning for the next week' attacks.Mrt. Izz ad-Din al-Qassam Cyber Fighters"

Periodically, the group also released update notes for the campaigns currently taking place:

The original message published is as follows:
"Operation Ababil" started over BoA :http://pastebin.com/mCHia4W5 http://pastebin.com/wMma9zyGIn the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet.The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !Down with modern infidels.### Cyber fighters of Izz ad-din Al qassam ###"

Second statement released by the group:

The original message published is as follows:
"Dear Muslim youths, Muslims Nations and are noblemenWhen Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. 

We will attack them for this insult with all we have.All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet connected users who would later on be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign.

Sample screenshot of the DDoS script in Arabic:

Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:

Detection rate for the DDoS script:
youtube.html - MD5: c3fd7601b4aefe70e4a8f6d73bf5c997
Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924

Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.
Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks.

Marzi Mahdavi II's Facebook account:

Sample shared Wall post seeking participation in the upcoming DDoS campaign:

Sample blog post enticing users to participate:

Marzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:

Second blog post enticing users to participate in the DDoS campaign:

This very latest example of Iran's hacktivist community understanding of the cyber operations, once again lead me to the conclusion that what we've got here is either the fact that Iran's hacktivist community is lacking behind with years compared to sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that Iran is on purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in a "catch up mode" with the rest of the world when it comes to offensive cyber operations.

Did these coordinated DDoS campaigns actually had any impact on the targered web sites? According to data from the Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the low profile DDoS script released by the campaigners.

Sample Host-Tracker report for a targeted web site during the campaign:

Second Host-Tracker report for a targeted web site during the campaign:

Third Host-Tracker report for a targeted web site during the campaign:
 

Fourth Host-Tracker report for a targeted web site during the campaign:

Fifth Host-Tracker report for a targeted web site during the campaign: 

  

Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the previous DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations taking into consideration the centralized nature of the chain of command in this group.

What's also worth pointing out is the fact that this is the first public appearance of the group that claims responsibility for these attacks. Considering this and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet can engineer cyber warfare tensions between Iran and the U.S, by basically impersonating a what's believed to be an Iranian group.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Hacktivism Tensions - Israel vs Palestine Cyberwars

Oops, they did it again. The most recent case of hacktivism recently occurred :

"Shortly after IDF tanks rolled into Gaza, another old front of conflict was reopened early Wednesday morning, but in this battle Kassam rockets and artillery shells were replaced by worms and viruses as pro-Palestinian hackers shut down approximately 700 Israeli web domains. A range of different Web sites were targeted by the group, including Web sites of banks, medical centers, car manufacturers and pension funds.Well-known companies and organizations, including Bank Hapoalim, the Rambam Medical Center, Bank Otsar Ha-Hayal, BMW Israel, Subaru Israel and Citr en Israel, real estate company Tarbut-Hadiur and the Jump fashion Web site all found their Web sites shut down and replaced by the message: Hacked by Team-Evil Arab hackers u KILL palestin people we KILL Israel servers."

Zone-H has naturally covered the event and mirrored it, in between receiving an official PR release from the defacement group -- guess it's not just terrorists with cheap marketing teams given the badly structured press release. What these folks don't seem to be able to realize is that if they were to deface every web site hosting the infamous Muhammad cartoons, they would end up with a full-time job doing so. What's worth mentioning is the nature of defaced servers, banks, hospitals, private sector companies, my point is that if they were really up to causing havoc, they had the necessary privileges to do so. Let's not think on loud on worst case "what if" analysis though.

Defacements are a great example of PSYOPS , most importantly the indirect way of undermining a country's population confidence in their abilities to win any war or political campaign. During WWII brochures were laying around everywhere, and planes were dropping them across various cities to, either undermine, of influence the opinion of the locals towards their vision. The power of the Internet echo is what they're aiming to achieve, and while I may be whispering their "achievements" even further, the visitors of the affected sites partly got exposed to their propaganda. It's also to interesting to think of PSYOPS in reverse, that is users in countries with restrictive regimes trying to reach out the rest of world through malware -- beneficial malware, or beneficial PSYOPS?

What the current, emerging and future state of Hacktivism? In her outstanding research titled "Hacktivism and the Future of Political Participation", Alexandra Samuel points out some of the key points to keep in mind, and constructively speculates on the future trends.

At the bottom line, what's all the fuss about? No, it's not because an Israeli covert operative was kidnapped and held hostage, but because of an 18 years old "destruction machine" which reminds me of the way we used to argue and wage wars on the sand around the same age. The type of, "the wind has just blown your soldier way beyond the DMZ, and therefore we have no other choice but to attack you with all our forces. Resistance is futile!" conflicts.

Go to school, hell, even go to an ethical hacking one, or else you'll end up like a walking sausage having to squeeze yourself with a belt so tight in order not to have your pants fall down! Automated defacement tool shot courtesy of WebSense. And btw, how was your July Morning?

Related resouces :
Israeli-Palestinian Cyberconflict (IPCC) - the complete coverage back in 2001!
The Israeli-Palestinian Cyberconflict
Activism, Hacktivism, and Cyberterrorism : The Internet as a Tool for Influencing Foreign Policy
The Cycle of Cyber Conflict
Cyber Attacks During the War on Terrorism
Examining the Cyber Capabilities of Islamic Terrorist Groups
Cyberprotests : The Threat to the U.S Information Infrastructure
Analysis: U.S.-China 'cyberwar' fires blanks
Techno Imperialism and the Effect of Cyberterrorism
Cyberterrorism - don't stereotype and it's there!
Cyberterrorism - recent developments Continue reading →