Monthly Archives: January 2016

Swatting airports helpdesks diverts the attention of anti-terror forces on the Indian Republic Day

26th January, the Indian Republic Day, was targeted by ISIS operatives to stage multiple terror strikes designed to cause terror and panic in major Indian cities. Over the last few weeks the Indian intelligence and police agencies successfully nabbed ISIS operatives, foiling major terror plots in the run-up to the 26th.

With tensions running high and the anti-terror squads on full alert, a mentally disturbed man swatted airport and railway helpdesks, claiming that bombs would go off on Mumbai-bound flights and that cars stuffed with explosives would blow up at the airports and at Pune Railway Station. Wikipedia describes swatting as an act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into dispatching an emergency response based on the false report of an ongoing critical incident.

The man, who was later apprehended, had made four calls over two days to airports and railway stations, claiming that a car loaded with explosives was parked in the airport vicinity or that a person on board a flight was carrying a bomb in his hand luggage. As a result, over 200 policemen were diverted from deterring real terrorists to combing these routes and flights. One flight was delayed and another diverted mid-air to the nearest airport for an anti-sabotage check.

While swatting is relatively new in India, it is quite common in the US. Swatting may occur as a prank, as online harassment or even for revenge. Skype recently introduced a patch that protects the privacy of a caller's IP address; the earlier exposure of that address could be exploited, with IP geolocation, to have SWAT teams sent to rival gamers.

Such acts are akin to terrorism and punishable as a crime because of their potential to cause disruption, waste the time of emergency services, divert attention from real emergencies and possibly cause injuries and psychological harm to the persons targeted. Cybercitizens are advised not to make prank calls for whatever reason, as the joke may turn into a long, ugly jail term.

CVE-2015-8651 (Flash up to and Exploit Kits

While other exploit kits are struggling to keep up with Angler (none is firing CVE-2015-8446, maybe because of the Diffie-Hellman protection on Angler's exploits):
- Nuclear, Magnitude and Neutrino's latest exploits are from October (CVE-2015-7645)
- RIG and Sundown are relying on July exploits (Hacking Team's CVE-2015-5122)
(all of them have the IE CVE-2015-2419 from August)

Angler has just integrated CVE-2015-8651, which was patched in Flash on 2015-12-28.

Angler EK: 2016-01-25
The exploit might have been there since the 22nd, based on some header modifications that appeared that day.
It is not yet pushed in all Angler EK threads, but it is widely spread.
Thanks to Anton Ivanov (Kaspersky) for the CVE identification!

CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load Bedep in memory
Fiddler sent to VT.
Another pass via the "noisy" Cryptowall "crypt13x" actor, whose threads also have it:

CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)
from the widely spread and covered "crypt13x" actor thread - 2016-01-25

(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )

I have been told by Eset that the exploit is successful on Flash and Firefox.
I spotted a thread serving a landing and an exploit to Firefox.
2016-03-23 Firefox pass with sandbox escape:
Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash
Bedep successfully wrote its payload to the drive.
Files: Fiddler in a zip (password: malware)

Neutrino:
Thanks to Eset for identifying the added CVE here.

Neutrino exploiting CVE-2015-8651 on 2016-02-09
Bunitu dropped here.
Note: for some reason I couldn't get it working with Flash

Files: Fiddler here (password: malware)

Nuclear Pack:

Thanks again to Eset for the CVE identification here.
Nuclear Pack exploiting CVE-2015-8651 on 2016-02-10

Out of topic payload: cdb0447019fecad3a949dd248d7ae30f, which is a loader for CloudScout (topflix .info, which we can find in RIG as well these days)

It seems Chrome won't save you if you don't let it update.
2016-02-17 on DE/US/FR traffic

This is not something I can reproduce.

This is what I get with Chrome 46.0.2490.71 and its built-in Flash (which should quickly update itself to the latest version)

Files: Fiddler here (password: malware)

CVE ID confirmed by Anton Ivanov (Kaspersky)
Magnitude dropping Cryptowall via CVE-2015-8651
Files: Fiddler here (password: malware)

Some days before 2016-04-06
Thanks to FireEye for the CVE identification.
CVE-2015-8651 successfully exploited by RIG on 2016-04-07
Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02
(Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a, probably Godzilla downloader)
Files: RIG_2016-04-07 (swf, payload and Fiddler; password: malware)

Read More:
(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBook

Post-publication reading:
An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

For the bored: Infosec Noir

Instead of doing productive things I’ve found a new outlet for self-entertainment, and I seem to be amusing a few others, too.

My newish Twitter account is @InfosecNoir, it is:

“The adventures of Jimmy Black. He decrements the TTLs of cybercriminals so you don't have to.

He has a drinking problem, but only when his glass is empty.”

It is pretty low volume, and is meant to entertain me.  If it entertains you, too, then maybe follow, or just check in occasionally.

Important note: While some of it is autobiographical, and some is “based on true stories”, much is pure fiction.  I’ll admit the first tweet is autobiographical, after that, your guess is as good as mine.  And for the pedantic, it was Atorvastatin, not Lipitor™.  Yay generics.



Cybercitizens, stay away from commenting or liking posts with terror ideologies

Of current global concern is the ease with which terror organizations are able to use social media to spread their ideology and coerce young people living in developed countries to leave everything and fight wars in hostile lands. Their success stems from their ability to spin-doctor content and communicate in a way that is alluring to young people. The outcome is brainwashed young people who willingly give up their lives, blowing themselves up in crowded areas and killing innocent people.

As the death toll mounts, so does the pressure on the social media companies and online platforms that have given a voice to these terror organizations. I do not think that it is difficult to draw a line between free speech and hateful ideology, but every action to sanitize platforms with millions of uploads every minute is bound to cost. These platforms got away through regulations that did not make them liable for content, only obliged to remove it. They made even that harder to do, as they decided to remove on their own only content that violated something obvious, like pornography, while more specific cases such as defamation, sullying of reputation and hate speech were subject to a court order.

Individuals suffered because they had little recourse in erasing sullied reputations online, and many countries with different cultural ideologies had to impose great Internet walls to block content that affected their beliefs.

While it remained a matter of individuals and their suffering, it scarcely mattered to the social media companies; but now that lives are being lost, and it is a matter of huge public interest, they are under tremendous pressure to get their act right and reduce the ability of these groups to use their platforms, while still maintaining the privacy of individual users.

I was surprised to see a Davos news headline, "Facebook's Sheryl Sandberg: 'likes' can help stop Isis recruiters", recommending that cybercitizens spread positive messages (counter-propaganda) on terror communication, thus drowning out the hate chorus. Will that work, or is it an attempt by social networking companies to resist change? Should not counter-propaganda of any sort be organized?

Liking or commenting on such sites brings you into the eye of law enforcement, may sully your reputation and could also make you a target. Rather than people, a bot could do the same work, if the method is effective.

Instead, social media companies should devise technical means to identify and remove harmful content, sites, messages and any other form of small social communication. Identifying patterns of indoctrination through algorithms may not be a very difficult task, as the initial indoctrination, I would expect, is in plain speech.

Why this Data Privacy Day matters more than ever

We told you before that there is no real debate over encryption. Cyber security experts know that you can’t break it without creating huge security risks and eliminating most forms of secrecy, which is essential for free speech.

That’s what our Erka Koivunen told the members of the United Kingdom’s Parliament debating the draft Investigatory Powers bill, also known as the “Snoopers’ Charter”, in December.

But do governments even want to hear what the experts — or anyone outside of the intelligence community — has to say about encryption?

In the U.S., influential members of the Senate want to bypass a proposed commission to study encryption and move straight to passing a bill that could break it.

“I don’t think a commission is necessarily the right thing when you know what the problem is. And we know what the problem is,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said.

Why? Governments want access to encrypted communications and are willing to risk the vulnerabilities this will create for their citizens.

We’re trying to draw attention to this rush to break encryption that’s happening fast, relying on the very understandable fear of terrorism, without the public’s awareness of the potential consequences.

This January 28 is Data Privacy Day. It’s backed by the Cyber Security Alliance, which works with the U.S. Department of Homeland Security along with other private sector partners. We’re hoping to “hack” into attention around the day to make sure governments know that we do care about preserving privacy.

To mark it Erka will be doing an Ask Me Anything session on Reddit at 10 AM EST/ 5 PM EET answering any questions you have about encryption, cyber security and the pressures governments feel around the globe. You can also ask about how to secure yourself to maximize your security and privacy.

Erka has worked with top officials from the European Union and the US and understands the need for security balanced with a respect for privacy. And we’d love to know what questions you have about this issue so we can get answers to as many people as possible before it’s too late.

We hope you’ll join us and help spread the word.

Open Live Writer

Oh, hey- bloggy thing.  I know I should blog more, both here and over on my travel drinking blog, but you know…


One very nice recent development is that a team at Microsoft has created an Open Source fork of Windows Live Writer.  WLW used to be a really sweet, lightweight WYSIWYG blog tool for Windows- then it got Microsofted and bloaty, then abandoned.  Open Live Writer brings it back from the dead, updates authentication to work with modern platforms, and pulls out a lot of cruft.

It is still early in development, but so far it is working well for me and I do not miss any of the “missing” features.  I’m enjoying the speed and functionality of Open Live Writer, and I’m grateful that some folks at Microsoft have revived this great little tool.  If you are a blogger and Windows user, check it out.



Introducing the PIVOT Project

OK kids, this is cool.  Know a hacker or computer club or school that could use some free, community-contributed labs?

Pivot Cyber Challenges


From the website:

“People who earn great jobs in cyber security have mastered both academics and hands-on skills.  But where can people with a wide variety of skill levels get hands-on practice with real-world cyber security problems?  On January 12, the PIVOT project goes live to help meet that need. PIVOT makes it possible for students and others, all over the world, to build their hands-on skills in a fun, challenging, real-world cyber environment.  PIVOT provides exciting hands-on labs and challenges for student groups and associated faculty, completely free.  Through a variety of engaging downloadable materials, participants build their hands-on skills to help them pivot from academic studies to their future cyber security careers.”

To kick things off there’s a contest to get things moving and gather feedback:

“We’re launching PIVOT with a special contest and over a dozen prizes so you can help make PIVOT even better.  Prizes include gift cards, club pizza feasts, t-shirts, and more!

To participate in the contest and help us make PIVOT even better, all you need to do is have your group work through your choice of at least two of our current labs, and then have a student leader or faculty member fill out our contest form by February 15, 2016.  The contest form gathers information about your experiences with the labs and recommendations for additional PIVOT challenges.  From all submitted entries, we’ll select the top 5 with the most useful input to receive our grand prizes.  Then, from all submitted entries, we’ll select another 10 at random to receive a prize.”

Please check out the PIVOT Project and spread the word; it is off to a great start, but now we need to build the community.



Christian Fredrikson Named ‘Best CEO in the Online Security Industry’

“We are no longer securing computers,” our Chief Research Officer Mikko Hypponen said recently, “we are securing society.”

This responsibility is immense and since he joined F-Secure in 2012, Christian Fredrikson has fixated on the need to provide solutions that match it.

His leadership is now being recognized by European CEO, which has just named him the “Best CEO in the Online Security Industry.”

“This demonstrates hard work & commitment of Fellows to build a great company!” Christian tweeted, in response to the award. “I’m honored to be part of this journey.”

He also has a new editorial about the need for security in an age of mass connectivity.

“As smartphones lead to smart homes, smart cities and smart grids, the potential for efficiency is dwarfed only by the potential vulnerabilities,” he writes.

Before Christian joined F-Secure, he was head of global sales for the Network Systems business unit at Nokia Siemens Networks.

He’s also a member of the new EU cloud computing board, the Steering Board of the European Cloud Partnership; the Communications Administration Committee of the Ministry of Transport and Communications in Finland; the Board of Remedy Entertainment Ltd.; and the Board of the Finnish Information Security Cluster.

And in his spare time — if he has any — he swims and enjoys football.



A different kind of magic

Yesterday the world lost a good man, and the hacker community lost a great friend.  David Jones, better known to many as Rance, or @RevRance, ended his battle with cancer early yesterday morning; his suffering is over.

A great photo of Rance by Kevin Riggins
Throughout history we’ve called anything we don’t understand “magic”.  Those of us in technical fields often think of Arthur C. Clarke’s third law:

“Any sufficiently advanced technology is indistinguishable from magic”

but many things we don’t understand, other than technology, have been called magic as well.

Rance had a special magic.  We may not have understood how he always seemed to know who needed a kind word, or how he knew exactly what the needed word was, but he did.  In the last couple of years it was sometimes hard to understand how he remained so kind, generous, and happy in the face of his cancer battles, but he did, because he was Rance.  That is a special kind of magic, and we will miss it dearly.

While we mourn our friend we can remember him best by trying to find a little of that special Rance magic in ourselves and each other.


Kali NetHunter 3.0 Released

NetHunter has been actively developed for over a year now, and has undergone nothing short of a complete transformation since its last release. We've taken our time with v3.0, and the result is a complete overhaul of the NetHunter Android application, with a more polished interface and a fully functioning feature set.

Through the amazing NetHunter community work led by binkybear, fattire, and jmingov, we can now proudly look at NetHunter and confidently consider it to be a stable, commercial-grade mobile penetration testing platform. And so, we are really excited about today's release of NetHunter 3.0 - let the games begin!

Banking Protection – how does it work?

Security products are usually protecting you silently in the background. Until they encounter something malicious, that is. But there is one exception. You may have seen a banner in the upper part of the screen when visiting sites dealing with money. That’s our Banking Protection kicking in. It’s available in both Internet Security and our brand new SAFE. Let’s take a closer look at what’s going on when the banner appears.

One quite common form of malware is the banking Trojan. It sits in the computer and waits for the user to do her on-line banking. At this point it interferes with the traffic and manipulates payments. Much larger sums may go to an account other than the intended one. The most sophisticated ones can even modify the displayed account balance to hide the fact that a larger sum has been stolen. Most of these rely on some kind of communication with their own “mother ship”, and this is the point where Banking Protection strikes.

Every web site you open is checked: the product queries our Security Cloud to find out if it’s good, bad or ugly. This way the product also gets info about whether it is a banking site or not. If it is, then Banking Protection is activated. This means that all other connections to the web are monitored extra carefully and anything even remotely suspicious is blocked. In practice this means that we only allow connections that are known to be safe. This cuts off any Trojan’s communication to its server, and thus cripples most of them.

But wait a minute. How can the banking Trojan be active if our anti-malware is installed on the computer? Yes, that’s a good point. Banking Protection is actually your last line of defense. Any software that runs on your computer has passed through several levels of security. First the download source is examined, and known bad links are blocked. Then the actual executable is checked with several different techniques. DeepGuard analyzes the program when it runs. And then Banking Protection kicks in to protect you if all other layers have failed. So it’s not very likely that Banking Protection will ever stop a crime on your computer. But these banking Trojan cases can be very expensive, so some extra security is never wrong.

And finally a word about the downsides. Nothing is perfect, and Banking Protection has some drawbacks too. I wrote that all network traffic, except connections known to be safe, is blocked. A side effect of this is that some of the mail traffic is stopped on my home computer. Sometimes I want to shoot off a mail to confirm that something has been paid. That mail will be stuck in my outbox until Banking Protection is disabled. So you need to be aware that there may be side effects like this. Just reach for the bar at the top of the screen and click End if you run into trouble. But finish your bank business before that.
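As an added illustration, not F-Secure's own code, here is a small Python simulation of the allowlist switch described above. A constructed reputation table stands in for the Security Cloud, and the constructed connection sequence also reproduces the mail side effect: an unrated mail server is blocked only while a banking session is active.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    GOOD = "good"
    BAD = "bad"
    UNKNOWN = "unknown"


# Constructed stand-in for the Security Cloud lookup:
# host -> (verdict, is_banking_site). Real data would come from the cloud.
CLOUD_REPUTATION = {
    "bank.example": (Verdict.GOOD, True),
    "cdn.example": (Verdict.GOOD, False),
    "smtp.example": (Verdict.UNKNOWN, False),   # home mail server, never rated
    "c2.example": (Verdict.BAD, False),         # known Trojan "mother ship"
}


def lookup(host):
    """Return (verdict, is_banking_site); hosts not in the table are UNKNOWN."""
    return CLOUD_REPUTATION.get(host, (Verdict.UNKNOWN, False))


@dataclass
class BankingProtection:
    """Connection filter that switches to allowlist mode during banking."""
    active: bool = False
    log: list = field(default_factory=list)

    def decide(self, host):
        """Return ("allow" | "block", reason) for a new outbound connection."""
        verdict, is_bank = lookup(host)
        if is_bank and not self.active:
            self.active = True                 # the banner appears
            self.log.append("session started by " + host)
        if verdict is Verdict.BAD:
            return ("block", "known bad")      # blocked in any mode
        if self.active and verdict is not Verdict.GOOD:
            # Only known-good destinations pass while banking. This is what
            # cuts a Trojan's C2 channel, and also what holds back the mail.
            return ("block", "not known safe during banking session")
        return ("allow", "ok")

    def end(self):
        """The End button on the banner: back to normal filtering."""
        self.active = False
        self.log.append("session ended")


def run_scenario():
    """Constructed connection sequence; returns [(host, action), ...] and the log."""
    bp = BankingProtection()
    sequence = ["smtp.example", "bank.example", "c2.example",
                "smtp.example", "cdn.example"]
    decisions = [(host, bp.decide(host)[0]) for host in sequence]
    bp.end()                                   # user clicks End after banking
    decisions.append(("smtp.example", bp.decide("smtp.example")[0]))
    return decisions, bp.log


if __name__ == "__main__":
    for host, action in run_scenario()[0]:
        print(f"{host:14} {action}")
```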


Safe surfing,


Why we’re bringing the best cyber security minds to Helsinki

From launching the first anti-virus weblog on the internet to exposing 7 years of Russian-backed cyber espionage, F-Secure Labs has been at the forefront of cyber security for more than 25 years.

This year, we’re developing a new Advanced Threat Protection (ATP) solution to help detect, analyze and disarm attackers. And we have several openings that require professionals who have already proven they have the skills to innovate remarkable new solutions.

We’d be lying to say that the competition for the world’s best security talent has never been fiercer. A new Cisco report finds that there will be one million job openings in the industry just this year and demand for top talent will only increase over the next few years.

To reach out to those in search of a challenge that matters, we’ve decided to try a new approach — a meet-up in Helsinki.

“F-Secure fellows frequently participate in many meet-ups, and we host meet-ups on our premises,” Sami Lappeteläinen, Senior Manager of Engineering Productivity, told me.

These casual but inspiring opportunities offer a chance to trade ideas and make new connections in our neural and professional networks.

“The next meet-up we are hosting is on Advanced Persistent Threats, with two main speakers plus some lightning talks,” Sami said. “Frode Hommedal will give a speech on Incident Response: Taking CSIRT modeling to the next level. F-Secure’s Artturi Lehtiö will give us a peek behind the curtains of the Dukes, the Russian-backed organized cyber espionage group.”

But what’s unusual about this meet-up is that we’d like to give you a chance to be there, wherever you happen to be right now.

“Unfortunately, due to limited space we are not able to provide the possibility for everyone to participate,” Sami said. “Convince us why you really want to come. If you need help in reimbursing travel costs, we are flying in a couple of carefully chosen candidates.”

To be considered, please send an email to sami.lappetelainen at

We’d love to see you in Helsinki.

What it means to be an OSCP

When a student earns an Offensive Security certification such as the OSCP, it is a testament to the personal investment they have made as part of a commitment to excellence. Like getting a degree from a university, no matter what happens in your life from that point forward, the fact is that you earned that certification and it is yours to keep. That said, there are some hard truths behind the path to OSCP.