CIA hacking tools and malware frameworks

WannaCry ransomware attacks were just other cyberattacks that it took advantage of systems unpatched. However, I think the leaks published by WikiLeaks are more important than WannaCry because they allow governments, not our government but US government, to have access to our devices. Sixteen leaks have already been published this year by WikiLeaks where we can find hacking tools, malware frameworks, etc that if they are stolen by someone and they are used with malicious intentions, something dangerous can happen worldwide. This week, I want to write about latest leaks published by WikiLeaks.

Last leak was about the Athena project where the CIA, along with Siege Technologies, developed a system to get into Microsoft Windows operating systems (from Windows XP to Windows 10 and including Windows Server 2012) for retrieving files or sending files to target systems and also to unload/load malicious payloads into memory. Two versions were released, Athena and Hera, last one for new operating systems like Windows 8.1 and Windows 10. It means, CIA can have access to most of the Windows devices because there haven't been any Windows update since then.

Athena Concept of Operation

 

Another and recently interesting leak is the two CIA malware frameworks for the Microsoft Windows platform, called After Midnight and Assassin. Both are designed as a backdoor malware which are able to download “Gremlins” into target systems via “Octopus”. Gremlins are Windows exploits for particular tasks that CIA operators upload to target systems on demand, for instance to search certain personal data. While the Octopus system is the HTTPS server or C2 system (Command and Control) for deploying Gremlins and retrieving information. Again, these two malware are for Windows machines.

AfterMidnight malware

 

Man in the middle attacks are well-known by most security engineers and CIA are also developed a tool to attack computers using this technique. This tool is called Archimedes and it is for Windows XP, Vista or 7, while the target machine can be whatever operating systems running on the same Ethernet LAN. Therefore, Windows machines with Archimedes are pivot systems which are able to perform man in the middle attacks to monitor and log HTTP requests from the target machine and even redirect those requests to desired IPs and domains.

ARP SPOOF

 

There are many leaks lately but I would like to highlight too the Scribbles project. It is a document-watermarking preprocessing system that allow CIA to track and identify who has opened or copied a file with the aim of tracking and identifying insiders or whistleblowers. Once a Microsoft Office document is opened, there is an interaction between the tracking server and the file to know if the document is a new one, the same or have been modifications. As a result, the tracking server has records with the IP address of the PC, the files opened, copied, modified, etc.

Scribbles tracking system

 

From time to time we don't know if these projects are for surveillance or espionage but what we do know is that an malicious use of these tools grant a great power.

Be careful, take care my friends!

Troubleshooting network performance issues

Lately, I've come across with network performance issues in some data centers, which is usually a head breaker for networking engineers because when you see the bandwidth is enough but the throughput reached isn't what you expected, something is wrong. This is the time when solid networking knowledge is needed for the troubleshooting process and concepts like checksum, Frame Check Sequence (FCS) or overruns are required to analyse network performance issues and fix them.

Obviously, we can also have performance issues due to the fact that applications and services aren't configured properly or they've had a poor development process but I would like to highlight in this post what we can check with regard to networking.

 

We should look at networking interfaces and looking for the next attributes:

• Errors: This is the first thing we should look for because it counts when there are CRC errors, or we have frames too-short or too-long (CRC, checksum mismatch).
• Dropped: It counts when interfaces receive unintended VLAN tags or are receiving IPv6 frames when it isn't configured for IPv6.
• Overruns: This is another important attribute to look for because it counts when buffer FIFO gets full and the kernel isn't able to empty it. For example, if the network interface has a buffer of X bytes and it is filled and was exceeded before the buffer could be emptied, then we have overruns.
• Frame: It counts only when there are misaligned frames, it means frames with a length not divisible by 8. Therefore, that length isn't a valid frame and it is discarded. For instance, packets are going to fail if they are not ended on a byte boundary.
• Carrier: When we have loss of link pulse, it counts. Sometimes is recreated by removing and installing the Ethernet cable. Therefore, if this counter is high, the link is flapping (up and down), the Ethernet chip is having issues or the device at the other end of the cable is having issues.
• Collisions: This is another typical issue when we can't reach a good performance. Collisions may count when an interface is running as half duplex and the other end is running as full duplex. Therefore, the half duplex interface is detecting TX and RX packets at the same time and the half duplex device will terminate transmission. As a result, there are collisions, mismatch duplex, and we get very bad throughput. It is important to remember that switched environments always operate as full duplex and collision detection is disabled by default.

Next, we can see a mismatch duplex laboratory where Fa 0/1 of ASW1 is working as full duplex and it has FCS-Errors, which means “Frames with valid size with Frame Check Sequence (FCS) errors but no framing errors”. Consequently, throughput between PC1 and SRV1 is too bad.

And we can also see that Fa 0/1 of CSW1 is working as half duplex and it has Late-Collision, which means “Number of times that a collision is detected on a particular port late in the transmission process”. This is a big clue to realise that we have a duplex mismatch which should be fixed to have a good networking performance.

This post is being too long, I'm sorry, but I would like to leave some Linux commands as well like ethtool -S eth0 , netstat -s , netstat -i for troubleshooting network performance:

 

Regards my friends and remember, sometimes we have to go down to the physical layer to fix networking performance issues.

Just another cyberattack

Today, I was thinking to write about errors, overruns, collisions, etc that we could have in network interfaces which are a mess for network engineers and, most times, these issues are difficult to resolve without a good troubleshooting process. However, this weekend has been a little bit interesting because we have seen how big companies like Telefonica, and many others, has been hit by Ransomware and it has been published to the media. Therefore, I must write about this issue.

First, I think it has been another spam and malware campaign, just another, but this time, many Spanish companies have been affected, which some of them are from the stock market IBEX35, and this has been the reason why the media has been speaking about cyberattacks. However, it's a pity that big companies like Telefonica hadn't applied the patch on time. Maybe, they didn't have enough time to test the patch MS17-010 published by Microsoft and they would rather take the risk to be infected. Unfortunately, this time, their internal desktops were compromised.

We are always speaking that small companies doesn't have enough resources to fight against cyberattacks but we can also see that big companies, with lots of resources, have the same issues but on a large scale.

Meantime, we have seen how shares were without any lost, which means investors don't mind this kind of news.

Telefonica shares

 

There are many Microsoft products affected in these cyberattacks like IE10, IE11, Edge, Microsoft .NET Framework, Adobe Flash Player, etc, etc and most of them are installed by default in most of the Microsoft Windows Operating Systems.

Due to the high risk of these vulnerabilities, if you don't want to be infected by HydraCrypter, which is a variant of WannaCry, you should applied next measures to your organization:

• Limit the user connection to Internet and mail while your are applying patches and upgrading systems.
• Upgrade signatures of your security systems like AntiSpam, IDS/IPS and Antivirus.
• Apply security policies to Internet access with IPS and Antivirus profiles.
• Install security monitoring sensors to analyse traffic on the wild.
• Apply patches to fix the bugs published by Microsoft to desktops and servers.
• Make sure you have backups.

More specific recommendations could be:

• We can disable file execution with .WNCRY extension by GPO.
• Isolate UDP 137/138 and TCP 139/445 communication inside the network.
• Disable macros and scripts to mail received. We can use Office Viewer instead of Microsoft Office to open attachments.

If we have done the homework, we shouldn't be worried about this Ransomware anymore. Why? Because most security systems have already published signatures to block and detect this malware like, for instance, Fortinet or OTX from Alienvault.

WannaCry Indicators from OTX

 

Many people are wondering about why last Friday was the day when these vulnerabilities were exploited massively. Maybe, because last Friday was when WikiLeaks published “After Midnight” and “Assasin”, two CIA malware frameworks for the Microsoft platform and, maybe, the attackers have taken advantages of these frameworks to develop this new malware.

Two CIA malware frameworks

Regards my friends, pay attention, protect your assets and keep calm!!

More info:

• Microsoft Security bulletins of May 2017
• Security Update Summary
• Security update deployment information: May 9, 2017

Spanglish & Frañol

From time to time, I speak anglais, autres fois french y algunas veces español. El caso que es día 1 de Mayo, día del trabajador, y aquí estoy escribiendo para planificar una publicación para el próximo lunes 8 de Mayo ¿por qué con tanta antelación? Parce que entre semana con el trabajo, la escuela de idiomas y un poquito de deporte, no tengo tiempo, y para el fin de semana me voy avec mes amis a la despedida de un bon ami, as a result, it's going to be difficult to write something en condiciones.

Además, I'm studying français today et preparando una presentación aussi sobre les régions françaises du Grand Est. Therefore, j'ai très fatigué mais je suis content aussi parce que je suis aprendiendo beaucoup en mi premier curso de francés. Par exemple, ici my last talk:

 

Aún me acuerdo cuando suspendía inglés en el instituto, y la primera vez que salí de España con la beca del ministerio para aprender inglés, allá por el 2007, qué disgusto e impotencia cuando me robaron la cartera con el DNI en Londres y no sabía hablar con la Policía para poner la denuncia. Desde entonces dije “tengo que aprender inglés”, y ahora tengo el título de nivel C1 en inglés por el Instituto de Lenguas Modernas, estoy aprendiendo francés y he estado como voluntario internacional en Turquía, Rusia y la República Checa. Oh my God.

Hoy no me quiero entretener mucho … porque es el día del trabajador, tu ya sabes, así que voy a dejar algunas chuletas que tomé cuando estuve en Rusia y la República Checa, para tenerlas aquí, en el blog, como referencia, por si nos hacen falta más adelante:

Russian and Czech language

I'm so sorry, but I lost my chuleta de Turquía, no me enciende el teléfono móvil donde las tengo apuntadas, que pena que no hiciese esto hace unos años.

Regards my friends; voy a seguir estudiando français, todo será porque me pueda tirar a la bartola el próximo weekend.

The Importance of Security at CUM

Last week, I gave a speech at Merida University in his cultural week for students. It was a pleasure return to the University where I studied IT engineer for three intense and funny years. Therefore, when they told me to give a speech about security to students, I said absolutely yes because I was there, sitting and watching speeches a long time ago, and I liked to see how was the real world at enterprises. This has been an opportunity to tell them that they are lucky because as Merida University is small without many students, they have teachers for them, they can have tutorials and a close relationship with teachers and, as a result, they are not another number.

Speakers at Merida University

I was the first speaker and my speech was called “Attacks to defend you” where I wanted to show that many times we have to know how attackers work if we want to apply security measures for protecting our organizations. Therefore, I chose the last Apache Struts Vulnerability to show them how easy is to attack a web application with just a network analysis tool like Nmap and the programming language Python. After attacking my Hello World application successfully, I showed them two security tools to protect vulnerable systems. The first one was the Intrusion Detection System (IDS), based in Suricata, of Alienvault which alert us when there is something abnormal or network is behaving anomalous. The second tool was the Intrusion Prevention System (IPS) of FortiGate firewall which is able to block attacks and protect us against vulnerabilities, like the Apache Struts Vulnerability. Applying an IPS profile to firewall policies is the the best thing to protect our services while the development team apply patches and fix vulnerable systems.

Ataca para defenderte de dromerotrejo

The second speaker was José Brieba from CPIIEx. He told us about the importance of being together to fight against intrusiveness in our profession. He also highlighted that most IT engineers don't want or don't want to know about this organization because we enjoy with a low unemployment rate, and we think we don't need this kind of organization. I'm totally agree with him and we should, all together, fight for improving our profession.

The next speaker was Pipe Pablos from CPIIEx too. He spoke about phases that an IT engineer has to take for getting evidences, preserving evidences during custody and presenting evidences to a judge. In addition, he remarked the importance of language and behaviour when we have to speak with lawyers and judges in a court of law.

Last speaker was Juan Baeza, researcher at UEx, who show us challenges about forensic analysis to find out who was the bad guy, like CSI series. He used forensic analysis tools like Wireshark to search mails, passwords, nicknames, etc where he explained, step by step, how to get evidence to demonstrate that the bad gay was guilty.

Last 20 minutes was for the Q&A where students asked all kinds of questions. Although speeches were too good, I think this last minutes were very interesting for students because they had many concerns about what to study to work as a security analyst, forensic analyst or to develop software in a secure way.

Regards my friends; the best way to improve will always be to read, study and test.