What's new around the internet

Last one

Source | Date (GMT) | Title | Description | Tags
Kaspersky | 2016-12-30 19:30:10 | FBI-DHS Report Links Fancy Bear Gang to Election Hacks (direct link) | Joint report “Grizzly Steppe” implicates Russian hacking group Fancy Bear in U.S. election-related hacking. | APT 29, APT 28
ErrataRob | 2016-12-29 20:40:33 | Some notes on IoCs (direct link) | Obama "sanctioned" Russia today for those DNC/election hacks, kicking out 35 diplomats, closing diplomatic compounds, seizing assets of named individuals/groups. They also published "IoCs" of those attacks, fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses. These IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks. Consider the Yara rule included in US-CERT's "GRIZZLY STEPPE" announcement: What is this? What does this mean? What do I do with this information? It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems. What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell tool that's popular among Russia/Ukraine hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here [*], or you can view it on GitHub here [*]. Once a hacker gets comfortable with a tool, they tend to keep using it. That implies the YARA rule is useful at tracking the activity of that hacker, to see which other attacks they've been involved in, since it will find the same web shell on all the victims. The problem is that this P.A.S. web shell is popular, used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world (judging by hacker forum posts). This makes using the YARA signature for attribution problematic: just because you found P.A.S. in two different places doesn't mean it's the same hacker. A web shell, by the way, is one of the most common things hackers use once they've broken into a server. It allows further hacking and exfiltration traffic to appear as normal web requests. It typically consists of a script file (PHP, ASP, PERL, etc.) that forwards commands to the local system. There are hundreds of popular web shells in use. We have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor. In other words, these rules can be a reflection of the fact the government has excellent information for attribution. Or, it could be a reflection that they've got only weak bits and pieces. It's impossible for us outsiders to tell. IoCs/signatures are fetishized in the cybersecurity community: they love the small rule, but they ignore the complexity and context around the rules, often misunderstanding what's going on. (I've written thousands of the things -- I'm constantly annoyed by the ignorance among those not understanding what they mean). I see on | APT 29, APT 28
DarkReading | 2016-12-29 17:00:00 | FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks (direct link) | US government dubs the operation "GRIZZLY STEPPE" in new Joint Analysis Report, and says the malicious groups' activity continues. | APT 29, APT 28
SANS | 2016-11-27 19:24:01 | Scapy vs. CozyDuke, (Sun, Nov 27th) (direct link) | In continuation of observations from my GIAC Security Expert re-certification process, I'll focus here on a GCIA-centric topic: Scapy. Scapy is essential to the packet analyst skill set on so many levels. For your convenience, the Packetrix VM comes preconfigured with Scapy and Snort, so you're ready to go out of the gate if you'd like to follow along for a quick introduction. Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. This includes the ability to handle most tasks such as scanning, tracerouting, probing, unit tests, attacks or network discovery, thus replacing functionality expected from hping, 85% of nmap, arpspoof, tcpdump, and others. If you'd really like to dig in, grab TJ O'Connor's Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (you should already have it), as first discussed here in January 2013. TJ loves him some Scapy: Detecting and Responding to Data Link Layer Attacks is another reference. :-) You can also familiarize yourself with Scapy's syntax in short order with the SANS Scapy Cheat Sheet as well. Judy Novak's SANS GIAC Certified Intrusion Analyst Day 5 content offers a nice set of walk-throughs using Scapy, and given that it is copyrighted and private material, I won't share them here, but will follow a similar path so you have something to play along with at home. We'll use a real-world APT scenario given recent and unprecedented Russian meddling in American politics. According to SC Magazine, Russian government hackers apparently broke into the Democratic National Committee (DNC) computer systems in infiltrations believed to be the work of two different Russian groups, namely Cozy Bear/CozyDuke/APT 29 and Fancy Bear/Sofacy/APT 28, working separately.
As is often the case, ironically and consistently, one of the best overviews of CozyDuke behaviors comes via Kaspersky.
(Only fragments of the walk-through survived extraction; the Scapy statements it shows are:)
syn = IP(src="10.0.2.15", dst="209.200.83.43")/TCP(sport=1337, dport=80, flags="S")/"GET /ajax/index.php HTTP/1.1"
wrpcap("/tmp/CozyDukeC2GET.pcap", syn), as seen in Figure 2.
ls(IP)
Figure 4: ls()
If you
@holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. | APT 29, APT 28
The_Hackers_News | 2016-11-11 01:10:14 | Warning: Beware of Post-Election Phishing Emails Targeting NGOs and Think Tanks (direct link) | Just a few hours after Donald Trump won the 2016 US Presidential Election, a hacking group launched a wave of cyber attacks targeting U.S.-based policy think-tanks with a new spear phishing campaign designed to fool victims into installing malware. The group of nation-state hackers, also known as Cozy Bear, APT29, and CozyDuke, is one of those involved in the recent data breach of the | APT 29
DarkReading | 2016-11-10 15:55:00 | Russian Hackers Behind DNC Breach Wage Post-US Election Attacks (direct link) | Less than six hours after Donald Trump was named President-Elect of the US, Cozy Bear/APT29/CozyDuke nation-state hackers kicked off waves of spearphishing attacks. | APT 29
NetworkWorld | 2016-11-10 11:46:16 | Suspected Russian hackers target US think tanks after election (direct link) | Hours after Donald Trump won the presidential election, a suspected Russian cyberespionage team was blamed for targeting several U.S. think tanks with phishing emails designed to fool victims into installing malware. On Wednesday, the phishing emails landed in the inboxes of dozens of targets associated with U.S. think tanks and non-governmental organizations, said security firm Volexity. A hacking group called APT 29 or Cozy Bear was behind the attack, according to Volexity. This is one of the same groups that security experts say was also responsible for hacking the Democratic National Committee and is allegedly tied to the Russian government. | APT 29
PaloAlto | 2016-09-09 15:53:24 | The Dukes R&D Finds a New Anti-Analysis Technique (direct link) | Threat actors constantly hunt for evasion and anti-analysis techniques in order to increase the success rate of their attacks and to lengthen the duration of their access on a compromised system. In some cases, threat… | APT 29
DarkReading | 2016-08-30 10:30:00 | US Think Tanks Involved in Russia Research Allegedly Hacked (direct link) | Russia-backed DNC hacker COZY BEAR behind these spearphish attacks on individuals and organizations, says CrowdStrike. | APT 29
SC_Mag | 2016-08-29 20:55:31 | Cozy Bear suspected of hacking Russia-focused think tanks in D.C. (direct link) | The same cybergang that launched attacks against the Pentagon, State Department and DNC is also believed to have targeted Russia-focused think tanks in the U.S. | APT 29
SC_Mag | 2016-06-21 13:04:21 | Guccifer 2.0 out - Cozy Bear, Fancy Bear hacked DNC, Fidelis analysis shows (direct link) | A comparative analysis by Fidelis Cybersecurity of malware samples provided by the DNC supported findings by CrowdStrike that a pair of intrusions were the handiwork of the Cozy Bear and Fancy Bear APT groups purported to have ties to Russian intelligence. | APT 29, APT 28
Last update at: 2025-05-10 14:07:21