Proxie Groups

While tracking a suspected Iran-based cyber-threat group known as Threat Group 2889 (TG-2889), Dell SecureWorks' Counter Threat Unit (CTU) uncovered an extensive network of fake LinkedIn profiles that had been created to help the threat actors target potential victims through social engineering.

These convincing profiles form a self-referencing network of 25 seemingly established LinkedIn users. When the CTU analyzed what was associated with the fake accounts, it found 204 legitimate LinkedIn accounts also connected to the network. Most belong to individuals in the Middle East, with the rest in North Africa and South Asia, and they are likely targets of TG-2889; most work in the telecommunications, government and defense sectors.

The 25 faux LinkedIn accounts fall into two categories: Fully developed personas (leader accounts) and supporting personas.

“It is clear that TG-2889 invested substantial time and effort into creating and maintaining these personas,” CTU noted.

Leader persona accounts are fully completed and include educational history, current and previous job descriptions, and, sometimes, vocational qualifications and membership of LinkedIn groups. Of the eight identified, six have 500 connections and of the remaining two, one has 275 connections and the other 46 connections. Of the eight leader profiles, five purport to work as recruiters for Teledyne, Northrop Grumman and Airbus Group. The remaining three leaders purport to work for Doosan and Petrochemical Industries Co.

The 17 supporter personas are far less developed. They all use the same basic template: five connections and a simple description of one job.

CTU found that the profile photographs of three of the supporter personas appear elsewhere on the internet associated with different, seemingly legitimate, identities. Open-source research on the 17 supporter personas failed to confirm that any of the identities were genuine.

The network lets the threat actors establish a relationship with a target by contacting them directly, or by first contacting one of the target's connections; a direct approach is easier if one of the fake personas is already in the target's LinkedIn network. Five of the leader personas also claim to be recruitment consultants, which provides a ready pretext for contacting targets. TG-2889 likely uses spearphishing or malicious websites to compromise victims, and an established trust relationship significantly increases the likelihood that these tactics succeed.

The CTU believes TG-2889 is the same threat group that security firm Cylance calls the Operation Cleaver team. As the CTU explained in an analysis:

“Based on strong circumstantial evidence, in Cylance’s December 2014 Op CLEAVER report, they documented how the Cleaver team used the TinyZbot malware (a password stealer, keystroke logger, multi-functional trojan) and disguised it as a resume application that appeared to allow resumes to be submitted to the U.S. industrial conglomerate Teledyne. According to Cylance, the Cleaver team also used the [certain] domains, which reference companies associated with many of the fake LinkedIn profiles discovered by CTU researchers. Those domains were: Teledyne-Jobs.com, Doosan-Job.com and NorthrupGrumman.net. The CTU believes that TG-2889’s LinkedIn activity is the initial stage of the Op CLEAVER fake résumé submitter malware operation.”

Dell SecureWorks notified LinkedIn of the 25 fake profiles, and LinkedIn immediately took them down. Dell SecureWorks also notified all of the organizations whose brands were being used in the scheme, and notified law enforcement. However, recent updates to profile content, such as employment history, suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrop Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical.

http://www.infosecurity-magazine.com/news/iran-group-uses-fake-linkedin/

A (Secure) Chat with WikiLeaks

The Cryptosphere

WikiLeaks: The Truth Will Win, via РЕН ТВ | Новости (REN TV News) on Twitter

Today’s article comes to us from Interwebs Security correspondent Tyler L. Jones. It is his first appearance in the Cryptosphere.

WikiLeaks is at it again.

This time, in an effort to provide a method of secure communication between themselves and whistleblowers, they have developed what they claim is a secure chat system that anyone can connect to; upon connecting, you begin a near-immediate conversation with a staff member at WikiLeaks. Today, I tried this new service out. The results were both interesting and hilarious, but we’ll get to all of that in due time.

Here’s the Facebook announcement that started this adventure.

Immediately upon connecting to their secured chat service, I was met with the following message: “Welcome to our chat system. Someone will shortly join the chat and talk with you. Clicking destroy chat will entirely destroy this encrypted chat immediately. Closing…


Firmware Vulnerability Injection

>working draft in progress<

Objective: document the research into why one site was blocked on one PC.

To begin, it was noted that the site http://www.aspireresourcesinc.com/ returned the following error:

This webpage is not available

Google Chrome could not load the webpage because http://www.aspireresourcesinc.com took too long to respond. The website may be down, or you may be experiencing issues with your Internet connection.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using.
Allow Chrome to access the network in your firewall or antivirus settings.
If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.
If you use a proxy server…
Check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don’t believe you should be using a proxy server: Go to the Chrome menu > Settings > Show advanced settings… > Change proxy settings… > LAN Settings and deselect “Use a proxy server for your LAN”.
Error code: ERR_CONNECTION_TIMED_OUT
The internet connection was good, Chrome was allowed through the firewall, and no proxy server was in use.

No other site timed out or was blocked, and other PCs on the network could reach the site. To rule out a compromised router, the suspect box was moved to a different router; it still could not reach the site. Nor could the site be reached by its IP address. Cookies were cleared, the PC was scrubbed with CC, and the hosts file was checked.

A tracert was performed. It showed the path to the site being dropped at:

IP address: 206.187.112.206 (IPv4)
ISP / organization: Data Research Associates, Inc.
Location: Lehi, Utah, United States (40.3916, -111.851); timezone America/Denver (UTC-7); local time 07:15:26
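The checks listed above (hosts-file override, reachability by IP, the tracert drop point) are easy to misread by eye, so here is an added example, not part of the original draft, that automates the two which leave text behind: it parses a Windows hosts file for entries that would silently redirect the target name, and parses tracert output to find the last hop that answered before the trailing run of timeouts. The hostname, hosts entries and hop addresses in the sample are constructed for illustration (RFC 5737 documentation ranges), not the addresses recorded in this draft.

```python
"""Added example, not code from the original draft: triage helpers for a
single hostname that times out from one PC. They parse a constructed
Windows hosts file and constructed `tracert` output; every address and
name below is made up for illustration (RFC 5737 documentation ranges)."""
import re

# Constructed hosts file: the usual Windows defaults plus one override line
# of the kind that silently sends a name somewhere else (assumption).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        www.example-target.com   # redirects the name to a LAN host
"""

# Constructed tracert output in the layout Windows prints. Hop 3 is a router
# that does not answer probes; hops 5 and 6 are the real end of the path.
SAMPLE_TRACERT = """\
Tracing route to www.example-target.com [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4    20 ms    19 ms    21 ms  198.51.100.77
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
"""

# hop number at the start, last whitespace-separated token at the end
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\s+(\S+)\s*$")


def hosts_overrides(hosts_text, hostname):
    """Return the addresses the hosts file maps `hostname` to ([] if none)."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        parts = line.split()
        if hostname.lower() in (p.lower() for p in parts[1:]):
            hits.append(parts[0])
    return hits


def parse_tracert(text):
    """Return [(hop_number, address_or_None), ...]; None means no reply."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = int(m.group(1))
        if "Request timed out" in line:
            hops.append((hop, None))
        else:
            hops.append((hop, m.group(2).strip("[]")))
    return hops


def drop_point(hops):
    """Return (last_hop_that_replied, number_of_trailing_timeouts).

    A timed-out hop that is followed by replying hops is not a drop; many
    routers simply do not answer probes. Only timeouts that run to the end
    of the trace say the path goes nowhere beyond the last reply.
    """
    last_idx = None
    for i, (_, addr) in enumerate(hops):
        if addr is not None:
            last_idx = i
    if last_idx is None:
        return None, len(hops)
    return hops[last_idx], len(hops) - last_idx - 1


def triage(hosts_text, tracert_text, hostname):
    """Combine both checks into one verdict dictionary."""
    overrides = hosts_overrides(hosts_text, hostname)
    last, silent = drop_point(parse_tracert(tracert_text))
    # A hosts-file hit explains the symptom locally; otherwise the last
    # replying hop is where to start asking whose network drops the traffic.
    if overrides:
        cause = "hosts file override"
    elif last:
        cause = "path dropped after %s" % last[1]
    else:
        cause = "no hop answered"
    return {"hosts_override": overrides, "last_reply": last,
            "trailing_timeouts": silent, "likely_cause": cause}


if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_TRACERT, "www.example-target.com"))
```

Running the same tracert from a second machine on the same network and comparing the two hop lists separates a per-host problem (hosts file, local firewall, malware) from a path problem (upstream filtering or a dead server): if both traces stop at the same hop, the suspect PC is not the cause.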
By chance we experienced a region-wide power outage and stopped work to conserve power. When we returned, the suspect site was timing out at:

Whois report for 216.187.112.206 (run 8 February 2015, 3:01 PM CET, via IP-Adress.com):

Whois server: whois.arin.net
Status: ALLOCATED
Registrant: Peer 1 Network (USA) Inc., 75 Broad Street, 2nd Floor, New York, NY 10004
Administrative contact: Peer 1 Network AUP Enforcement, telephone 16044842588
Technical contact: PEER 1 Network Inc, telephone 16044842588


Server details for 216.187.112.206: location New York, NY, United States; ISP Peer 1 Network (USA).

A call was placed to the host's tech support about the anomaly affecting the suspect site, and the series of events was explained in detail. We were told that "some clients can do anything with their servers and we have no control or ability to help." I restated that as the question, "So a dedicated server?" He neither confirmed nor denied it. We concluded the conversation with mutual understanding.

We took the research for peer review and posed questions such as: how can one site be blocked from one PC once cookies, malware and the like have been excluded?

It was during this research that an install prompt appeared for the Intel Manageability Engine Firmware Recovery Agent (screenshot: Fullscreen capture 272015 71114 PM). The question was raised whether that program was part of a RAT; although the idea was doubted, the theory was explored.

Searching for "Intel manageability engine firmware recovery agent hack" turned up one site with numerous red flags suggesting this program had at one time been used as a little-known hack, or as a cowing-and-intimidation hack.

Searching for the uses of the Intel Manageability Engine Firmware Recovery Agent produced these snippets (in no particular order):

Why the firmware recovery agent is needed in the first place, I don’t know. That is, if we can trust the use of “firmware” in the name to mean it only deals with IME firmware. The IME Firmware Recovery Agent software is installed by the IME software installation program.

You may not know that Intel still provides the IME software to motherboard manufacturers,

http://forums.tweaktown.com/asrock/58650-do-i-need-intel-management-engine-drivers-asrock.html

Post #1 (ROG Enthusiast, Victoria, Australia; joined Mar 2012):

Intel manageability engine firmware recovery agent?

I’ve had a program appear in my notifications asking to be installed called the intel manageability engine firmware recovery agent.

Has anyone had this happen on their G75? And should I install it? I did google it, but being a technophobe had no idea if it was needed or not. I am assuming it checks for updated drivers or such for anything intel on the laptop? I really have no clue. Just not sure if I need to install it or not.

Cheers!

Post #2 (banned user, Dubai; joined Apr 2012):

This is useless for us… it is for IT people who want to manage a computer from a remote location.

I never install it, or if it was installed automatically I remove it from the Control Panel “Programs & Features”.

I uninstalled Intel Manageability Engine Firmware Recovery Agent and no agent log file appeared! At least not yet! But I have a feeling that this was the program creating it. And I remember that I got an error during its update. So in a way it all makes sense now. Hope this is the real deal, as I got really tired trying to figure out this agent log issue….

http://www.eightforums.com/general-support/46514-agent-log-file-4.html

That program surfacing, together with the posts above, led us to suspect that it is malware, i.e. a backdoor injected into the firmware of the PC.

It is also suggested that the Manageability Engine Firmware Recovery Agent creates log files, which most people have reported as empty. We noted, however, while searching for a lost .txt file, some unusual log files. These were sometimes empty and at other times contained a location and a password. The passwords were always incorrect, but in plain text. The files did not raise significant red flags beyond being labelled as logs and containing (incorrect) passwords; the anomaly was marked for later research and not acted on at the time.

With this in mind, the next question was: what data could be transferred through such a backdoor?

What is Intel Manageability Engine Firmware Recovery Agent?
Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band. Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PCs. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.

http://www.shouldiremoveit.com/Intel-Manageability-Engine-Firmware-Recovery-Agent-6378-program.aspx

Per the description above, then, AMT is the remote-management capability built into the PC's own hardware and firmware (the "remote functionalities" that a plain PC lacks), and the Recovery Agent is a software component that Intel ships alongside its Management Engine driver package, as the forum post earlier notes. On this box it creates logs, some blank, some with very limited and specific text. Could the blank logs actually contain hidden text?

To conclude, we researched "firmware controller data flow".

Abstract: Burst mode data transfer in emerging wavelength division multiplexing (WDM) and code division multiplexing (CDM) PONs faces major challenges in electronics design. We develop an embedded software solution to enable optical line terminals (OLT) and Optical network terminals (ONT) to process Burst mode data flow smoothly. Our solution implements three important components on an FPGA platform. The first consists of a PCI interface that allows the OLT/ONT unit to communicate with a PC. The second is the PowerPC that manages and controls the data flow. Finally, a burst mode transceiver examines data transaction, synchronization and error correction

http://fac.ksu.edu.sa/sites/default/files/Poster.pdf

Given the sporadic appearance of the log files, were the logs being "burst" out?

Flow control mechanism in a data processing pipeline
US 8526303 B2
ABSTRACT
Herein described are at least a system and a method for regulating data flow in a data pipeline that may be used in a video processing system. The system comprises a processor, one or more data buffers, and one or more processing stations. The one or more data buffers may be used to buffer corresponding processing stations. Each of the one or more processing stations may comprise a switching circuitry that is used to inhibit data transmission when a hold signal is received from the processor. The processor may send the signal in response to a feedback control signal generated by the one or more processing stations. The method may comprise determining if the processing time of a processing station exceeds a specified time. The method further comprises generating a feedback control signal to a processor if the specified time is exceeded.
This abstract suggests one way in which the suspect site could have been timed out. It also raises the possibility that the logs are not empty but carry hidden information inside a video file that is not registered in the normal way.

In data communications, flow control is the process of managing the rate of data transmission between two nodes to prevent a fast sender from overwhelming a slow receiver. It provides a mechanism for the receiver to control the transmission speed, so that the receiving node is not overwhelmed with data from transmitting node. Flow control should be distinguished from congestion control, which is used for controlling the flow of data when congestion has actually occurred.[1] Flow control mechanisms can be classified by whether or not the receiving node sends feedback to the sending node.

Flow control is important because it is possible for a sending computer to transmit information at a faster rate than the destination computer can receive and process it. This can happen if the receiving computers have a heavy traffic load in comparison to the sending computer, or if the receiving computer has less processing power than the sending computer.

https://en.wikipedia.org/wiki/Flow_control_(data)#Hardware_flow_control
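To make the feedback mechanism in the excerpt concrete, here is an added simulation, not from the original page or from Wikipedia, of receiver-driven flow control: the receiver has a fixed buffer and drains a fixed amount per tick, and advertises how much it can still accept (its window). With feedback the sender never exceeds that window; without it the sender's bursts overrun the buffer and the excess is lost. A third run shows the other face of the same mechanism: a receiver that never drains keeps its window at zero, so a well-behaved sender stalls rather than failing, which is what a zero-window condition looks like from the sending side. Buffer size, burst size and drain rate are arbitrary numbers chosen for the example.

```python
"""Added example: receiver-driven (feedback) flow control, simulated.
Not code from the original page; all sizes and rates are arbitrary."""


class Receiver:
    """A receiver with a fixed buffer that drains a fixed amount per tick."""

    def __init__(self, capacity, drain_rate):
        self.capacity = capacity      # buffer size in units
        self.drain_rate = drain_rate  # units consumed per tick
        self.buffered = 0
        self.consumed = 0
        self.overflows = 0            # ticks on which data had to be dropped

    def window(self):
        """Advertised window: how many more units can be accepted right now."""
        return self.capacity - self.buffered

    def accept(self, n):
        """Take n units; anything beyond the free space is dropped."""
        if n > self.window():
            self.overflows += 1
            n = self.window()
        self.buffered += n
        return n

    def drain(self):
        take = min(self.drain_rate, self.buffered)
        self.buffered -= take
        self.consumed += take


def run(total, burst, capacity, drain_rate, use_feedback, max_ticks=10000):
    """Send `total` units in bursts of `burst`; return delivery statistics.

    With use_feedback the sender limits each burst to the receiver's window
    (feedback-based flow control). Without it the sender just transmits.
    """
    rx = Receiver(capacity, drain_rate)
    pending = total
    ticks = stalls = 0
    while (pending > 0 or rx.buffered > 0) and ticks < max_ticks:
        want = min(burst, pending)
        send = min(want, rx.window()) if use_feedback else want
        if pending > 0 and send == 0:
            stalls += 1              # window is zero: sender must wait
        rx.accept(send)
        pending -= send              # sent units are gone, delivered or not
        rx.drain()
        ticks += 1
    return {
        "consumed": rx.consumed,
        "dropped": total - rx.consumed - pending - rx.buffered,
        "unsent": pending,
        "overflows": rx.overflows,
        "stalls": stalls,
        "ticks": ticks,
    }


if __name__ == "__main__":
    print("feedback    ", run(100, 10, 16, 4, True))
    print("no feedback ", run(100, 10, 16, 4, False))
    print("zero window ", run(100, 10, 16, 0, True, max_ticks=50))
```

The feedback run delivers everything with no overflow but takes more ticks; the run without feedback finishes sooner and loses nearly half the data. The zero-window run never errors out: the sender just waits, which is why a stalled receiver shows up to a client as a hang or a timeout rather than a refused connection.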

Flow control could also conceivably be used to keep a sending computer that bursts large amounts of data from malfunctioning, or from being detected by normal means.

That concludes this session of research.

addendum

A netstat was performed. It showed programs with active connections when they should only have been listening. When those programs were stopped, the suspect website went back to timing out in Utah.
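The addendum's netstat check can be made repeatable. The following is an added example, not from the original draft: it parses netstat -ano style output, joins PIDs to image names as tasklist would report them, and flags two conditions: an image on a listen-only policy list that holds an ESTABLISHED connection, and any non-listening socket whose remote address is on a watch list. The netstat lines, the PID-to-name map, the listen-only policy and the watched address are all constructed for the example; on a real box the policy has to come from a known-good baseline, since svchost.exe, for instance, legitimately makes outbound connections for Windows Update.

```python
"""Added example, not code from the original draft: flag processes that hold
active connections when they were expected only to listen. Runs over
constructed `netstat -ano` output and a constructed PID-to-image map (the
kind of data `tasklist` gives); addresses are RFC 5737 documentation ranges."""
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49800     198.51.100.9:8080      ESTABLISHED     892
  TCP    192.168.1.20:49801     198.51.100.9:8080      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1300
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {4: "System", 892: "svchost.exe",
                    1300: "mdns.exe", 4120: "chrome.exe"}

# Policy for this example only (assumption): images that on this box should
# only ever be seen LISTENING, plus remote addresses worth a second look.
LISTEN_ONLY = {"System", "svchost.exe"}
WATCH_REMOTE = {"198.51.100.9"}

# netstat -ano row: proto, local, foreign, optional state (UDP has none), PID
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def remote_host(endpoint):
    """'203.0.113.10:443' -> '203.0.113.10'; '[::1]:80' -> '::1'; '*:*' -> '*'."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def find_findings(rows, processes, listen_only, watch_remote):
    """Return a list of findings, each a dict with why/image/pid/remote."""
    findings = []
    for r in rows:
        name = processes.get(r["pid"], "unknown")
        if r["state"] == "ESTABLISHED" and name in listen_only:
            findings.append({"why": "listen-only image has an active connection",
                             "image": name, "pid": r["pid"], "remote": r["foreign"]})
        if r["state"] not in ("", "LISTENING") and remote_host(r["foreign"]) in watch_remote:
            findings.append({"why": "socket to a watched address",
                             "image": name, "pid": r["pid"], "remote": r["foreign"]})
    return findings


def pids_to_stop(findings):
    """PIDs behind the listen-only violations: the processes to stop first."""
    return sorted({f["pid"] for f in findings if f["why"].startswith("listen-only")})


if __name__ == "__main__":
    found = find_findings(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES,
                          LISTEN_ONLY, WATCH_REMOTE)
    for f in found:
        print("%-45s %-12s pid=%-5d remote=%s" % (f["why"], f["image"], f["pid"], f["remote"]))
    print("stop first:", pids_to_stop(found))
```

Note that a TIME_WAIT socket is reported with PID 0, so it cannot be tied to an image; it is still evidence that something on the box recently talked to the watched address, which is why the watch-list rule does not require a live process.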

Security risks

Mark Shuttleworth, founder of the Ubuntu Linux distribution, has described proprietary firmware as a security risk,[10] saying that “firmware on your device is the NSA’s best friend” and calling firmware “a trojan horse of monumental proportions”. He has pointed out that low-quality, closed-source firmware is a major threat to system security:[11] “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”.

Researched: how to scan for injectable firmware.

General Description The Sequencing SAR ADC component gives you the ability to configure and use the different operational modes of the SAR ADC on PSoC 4. You have schematic and firmware level support for seamless use of the Sequencing SAR ADC in PSoC Creator designs and projects. You also have the ability to configure up to 8 analog channels that are automatically scanned with the results placed in individual result registers. An optional “Injection channel” may also be enabled by firmware to occasionally scan a signal that does not need to be scanned at the same rate as other channels.

http://www.cypress.com/?docID=44475

When Firmware Modifications Attack: A Case Study of Embedded Exploitation (NDSS 2013)

ndss-2013 (PDF of the paper above)

Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware.

Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress.

AMD’s System Management Unit (SMU) firmware code within x86 processors did not run adequate checks prior to execution, allowing Marek to inject his own commands.

Marek told attendees to ask their mainboard vendors to push the fixed AGESA to BIOSes.

“Tell your vendors for a fixed AGESA (AMD Generic Encapsulated Software Architecture),” Marek said during the talk aimed at encouraging more of the low-level security analysis.

“This is the only way to push vendors to update BIOSes for older platforms.”

Marek did not describe particular attack scenarios created by the lack of a protected code along with further firmware errors.

It took roughly a year to fix the flaws in an exchange he described as “responsible and helpful”.

http://www.theregister.co.uk/2015/01/14/amd_plugs_chip_firmware_holes/

Fault Injection on Firmware Level

Software-implemented fault injection (SWIFI) is an established method to emulate hardware faults in computer systems. Existing approaches either extend the operating system by special drivers, modify the runtime environment, or change the application under test.

The FutureSOC project on novel SWIFI approaches investigates new ideas for adding fault injection as standard dependability assessment tool in modern server environments. One approach relies on the Extensible Firmware Interface (EFI), the BIOS-successor available in latest X86 systems as provided by the FutureSOC lab. Our approach extends the firmware of these systems in order to a) make fault injection completely transparent to the operating system, and to b) support a larger variety of fault types. No modifications to the operating system or the application code are needed.

Our prototype is available for free use in non-commercial usage scenarios. Below you can find installation and configuration instructions. Binaries are provided for download at the end of the page.

In case of further questions, please contact Peter Tröger.

 

Cracking Dildos And Dollies: Hackers Expose Vulnerabilities In Connected Toys

“We don’t think it would take much to turn her into a device to spy on and potentially interact with children. You would be well advised to make sure that she is switched off when not explicitly in use and make sure that the mobile device is secured with a strong PIN, also kept and patched up to date. In  the longer term the manufacturer should apply a PIN for the Bluetooth pairing process, but we don’t think that can be done without a product recall.”

via Cracking Dildos And Dollies: Hackers Expose Vulnerabilities In Connected Toys.

Back Waters – A Note On the Syria Yemen Campaign.

Tides.

A source came forward noting that during the Libya campaign they were approached to carry the campaign on to Syria. They stated that they declined, saying that the campaign was to go to Yemen next, and that there was significant desire and pull to have a campaign there. They noted that the people asking for the campaign to come to Syria said how very much it was needed in Syria and showed pictures of protests, but the protests pictured from Syria did not look like an anti-corruption campaign: the photos were of women and children with balloons, smiling, not at all looking stressed or downtrodden. The source went on to say the photos had the look and feel of a PR company that had been campaigning against Iran on Chinese-democracy and anti-Iran-centric IRC servers. They also noted that, while training an individual on IRC, they had seen a PR company making anti-Iran changes to the Wikipedia pages of obscure African countries.

The source noted that after they said no, that the campaign would not go towards Syria because Syria was not ready for or in need of a campaign, they were told, “Fine, we are dedicated and will do this on our own.” It was at that time, they noted, that the Yemen campaign ground to a halt due to US involvement, US strikes, and US propping-up of the Yemen government.