What is a TDS (Traffic Director System)?

8 de May de 2017 Por

The idea to write this post came from investigating multiple cases of infections in computers because of the ubiquitous Exploit Kits (EK). A visit to a website that apparently should not carry any risk ended with the user calling the security service because he could not open his files and said that an image appeared on the screen asking him for money to recover his data. And in other cases not even that, because he had become infected with a RAT or a banking Trojan and was not aware of it.

There are simple redirection methods that are implemented directly on the web server. They are options that allow to manage the visits to this website and adapt its behavior to the preferences or characteristics of the visitors.

[Read more…]

Is your NAS exposed to the Internet?

5 de May de 2017 Por

The widespread use of devices connected to the network, such as cars, medical equipment, industrial controllers (PLCs), appliances, etc., has brought with it a new and extremely vulnerable landscape.

While there has been a breakthrough in connectivity issues (Twitter is everywhere!), the security issue has also been set aside. This is mainly due to the fact that for most users and organizations, Internet security is not a fundamental factor, which is why cases such as Mirai, one of the largest distributed denial of service attacks that has been recorded so far, which is just one of the first cases that we have to face in this new scenario..

The proliferation of interconnected devices has brought many advantages to users (homes, organizations): flexibility, mobility, automation, efficiency, etc., but what happens when we do not take the appropriate security measures and are unprotected by default?

You will then see how a series of small weaknesses can lead to a large leak of information, compromising personal, financial and confidential data, both private and organizational.

[Read more…]

The Russian ICC (VI): SVR

4 de May de 2017 Por

150px-svrlogoThe SVR (Sluzhba Vneshney Razvedki) was the first heir of the KGB with its own entity, inheriting the attributions of the First General Directorate; is responsible for Russian foreign intelligence, providing the national authorities with intelligence that can benefit Russia in different areas that have evolved from the military and defense (especially the 1990s) to technological, industrial, scientific and economic areas. To achieve this goal the SVR is based primarily on HUMINT capabilities, both open and clandestine, theoretically relying on the GRU -which we will see in a coming post- for its signals intelligence needs.

In this SIGINT area the SVR works together with the GRU in strategic intelligence (at least in theory, since the rivalry between Russian agencies is well known: let us remember the “joint” operation of the SVR with the GRU of the SIGINT station in Lourdes, Cuba), as opposed to the more operative intelligence of the FSB; the main objective of the SVR, irrespective of the discipline used, is the acquisition of information and development of intelligence about the capabilities, actions, plans, intentions… both real and potential of third countries against the vital interests of the Russian Federation (as we have mentioned, even economic ones).

[Read more…]

(Cyber) III Cold War: Hack the vote?

27 de April de 2017 Por

As you now, the DHS (Department of Homeland Security) along with the ODNI (Office of the Director of National Intelligence) formally accused Russia of meddling in the past US presidential elections with techniques from the burning information warfare and various cyberattacks. Let’s take a (somewhat delayed) look at this.
It is not the first time that USA launches accusations of this caliber, it did so when it accused China of stealing trade secrets in 2014. An accusation of this kind could involve, officially or unofficially, attacks on Russian IT infrastructures that posed a headache for Putin and his allies. According to statements in the NYT taking this type of action would involve too much risk with elections less than a month away; cyberattacks by a power like Russia against the US electronic voting system could wreak havoc. It should also be noted that the electoral system is still not considered a critical infrastructure of the nation, although it may increase their criticality shortly.
[Read more…]

Abusing corporate webmail for C&C and exfiltration

20 de April de 2017 Por

Let’s assume an organization that has basic security measures: workstations cannot make direct connections to the Internet, only being able to carry out web requests through a proxy server, which is also the only one that can make external DNS queries.

HTTP and DNS traffic generated by this proxy server are properly monitored, and the proxy “breaks” HTTPS, so techniques like the domain fronting can also be detected. Only a few whitelisted websites are accessible. [Read more…]

TLS client fingerprinting with Bro

2 de February de 2017 Por

In this post, we will play with Bro IDS as a client fingerprinting techniques exploration tool.

As is known, during the initial TLS handshake (used, among others, by HTTPS on web browsers), a message called ClientHello is exchanged. In this message, the client specifies the supported cryptographic primitives (the so-called cipher suites).

For example, Firefox 50.1.0 under Linux sends a ClientHello like this, as shown with the Wireshark dissector: [Read more…]

Simple domain fronting PoC with GAE C2 server

31 de January de 2017 Por

In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.

The goal

When we have everything ready, we will have a webservice at myc2server.appspot.com which we can use from a compromised Windows machine in the following way; we will have a command and control channel (on the path /e2e7765b71c1, as an authenticator):
[Read more…]

Camouflage at encryption layer: domain fronting

24 de January de 2017 Por

In today’s post we are goint to talk about a somewhat old technique (although programs like Signal have recently started using it) that I have always found to be a really clever hack:
domain fronting.

For example, let’s take the IP address of the frontal that serves www.google.es:

$ host www.google.es
www.google.es has address 216.58.210.227

If we take a look at the Common Name (CN) field of the TLS certificate returned by the server: [Read more…]

Malware Trends. December 2016

10 de January de 2017 Por

During this month of December we have observed from the malware laboratory of S2 Grupo various threats that we once again wanted to share with you. In this type of entries we will find known threats, seen in other sources or analyzed directly in our laboratory, but the goal of the post is to know what kind of threats have been active throughout this last month.

Here is a diagram with the information collected this month from the lab:

malwarediciembre

First of all, we would like to highlight the break that Locky has at least given us this month, with a tremendously reduced SPAM compared to the previous two months. This does not mean at all that it has disappeared, rather, many have been arriving at emails with texts of “subject:” such as the following: [Read more…]

The Russian ICC (V): FSB

20 de December de 2016 Por

2000px-fsb-svg
As we have indicated in previous posts, the FSB (Federal’nya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI; directed by Army General Alexander Bortnikov, whose breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB -and its budget- as well as the presence of former Service members in the whole of Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches aspects such as social or electronic surveillance.

Regarding the cyber domain, the FSB has a wide range of technical and regulatory powers: although it is a service dedicated to internal intelligence, it has authorization for external intelligence actions, theoretically coordinated with the SVR. Among others, he is responsible for the security of information at the federal level, something similar to a police force to use or at least to the Information Services -with the corresponding name in each case- of a police force. In this area it has the attributions – and obviously, capacities – SIGINT operative for the interception of communications in the State: since 1995, it has the legally constituted right to monitor telephone lines, open mails and monitor Internet traffic ([1]). The FSB operates the system called SORM for this purpose, to which Russian Internet service providers must facilitate the work by deploying capabilities that they must also pay out of pocket. This system is operated by an FSB group initially designated UKIB (Computer & Information Security Directorate), Directorate R, heir to the KGB and focused especially on the fight against cybercrime and terrorism. The successor of this Directorate is the Information Security Center (CIS) of the FSB, framed in the Counterintelligence Directorate (SKR), the Second Directorate of the FSB and also identified as the Military Unit (VCH) 64829 or the Center number 18. SORM, which we will speak about in other posts as an example of “collaboration” of companies with the Russian intelligence services, deals, like the FSB mainly does, with the interception of data in the “Russian Internet”, where CIS is responsible for surveillance and counterintelligence, also working closely with Directorate K of the Russian Ministry of the Interior, responsible for combating cybercrime ([2]).

A priori, these CIS surveillance and counterintelligence capacities should be focused on Russia, without directly impacting the outside of the country; however, even though the FSB and within it the CIS are focused on inner intelligence, its actions may be directed against that focus but against Russian interests outside its borders, including elements considered to be disturbing according to Russian criteria (this may include attack on terrorist objectives … or simply political) and even with police powers of investigation and prosecution of such elements.

The Center for Electronic Communications Surveillance (TsRRSS), identified as FSB unit 71330 and focused on ELINT, has electronic spying and cyberespionage capabilities (communications interception, decryption …). This Center (number 16) is hypothetically the main offensive capability of the FSB, including operations outside Russia, as opposed to groups such as the CIS, described above and focused especially on defensive and surveillance tasks. Its internal structure is classified, and its responsibilities include the operation and processing of electronic communications.

The Center for Special Communications and Information Protection (TsBISS) provides the FSB with protection against cyberattacks or third party intrusions. From this Center, there have been peculiar (or interesting) initiatives such as the request to prohibit services such as GMail, Hotmail or Skype in Russia, as their use may constitute a threat to national security. A comment by the Center’s director in 2011 which caused a great stir at the time in social networks but that, much more interesting than the relative turmoil on the privacy and freedom of the users, was the moment in which it was published, marked by facts as transcendent as Arab spring or the Russian legislative elections.

Another interesting group in the cyber environment within the FSB is the Communications Security Center (CBS FSB, Vch 43753), which is part of the Eighth Service Directorate and is responsible for the logical protection of government communications through product accreditation and certification of safety standards, a kind of equivalent to the Certification Office of the Spanish CNI. Also in this sense, TSLSZ (translated approximately as Center for Licensing, Certification and Protection of State Secrets) is the branch of the FSB in charge of enabling organizations to handle classified information, in this case something similar to the attributions of The National Security Office in the CNI.

Finally, as a group with no offensive capabilities, cyber training activities within the FSB are the responsibility of the Institute of Cryptography, Telecommunications and Information Technology (IKSI), in the Service Academy, which trains specialists in cybersecurity not only for the FSB but also for other Russian Services… or for industry.

To try to summarize this structure, a summary table of the main groups or centers directly related to SIGINT or CNO dependent on the FSB is shown below:

Center ID Unit Function
Center for Information Security FSB CIS 64829 SORM. Search and surveillance
Center for Electronic Surveillance of Communications FSB TSRRSS 71330 Attacking capacity/td>
Centre for the Security of Information and Special Communications TsBISS N/A Defense against foreign intrusions
Communications Security Center FSB CBS 43753 Accreditation of products and services
Center for Licensing, Certification and Protection of State Secrets FSB TSLSZ N/A Security clearance
Institute of Cryptography, Telecommunications and Computer Science IKSI N/A Training

Referencias
[1] Roland Heickerö. Industrial Espionage and Theft of Information. In Proceedings of the 14th European Conference on Cyber Warfare and Security. Nasser Abouzakhar (Ed.). University of Hertfordshire. Julio, 2015.
[2] Taia Global. Russian Federal Security Service (FSB) Internet Operations Against Ukraine. Taia Global, 2015.