Monthly Archives: March 2017

Introducing Monitor.app for macOS

UPDATE (April 4, 2018): Monitor.app now supports macOS 10.13.

As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the legendary Sysinternals Suite from Microsoft. Those tools only work on Windows though and we love macOS.

macOS has some fantastic dynamic instrumentation software included with the operating system and Xcode. In the past, we have used dynamic instrumentation tools such as Dtrace, a very powerful tracing subsystem built into the core of macOS. While it is very powerful and efficient, it commonly required us to write D scripts to get the interesting bits. We wanted something simpler.

Today, the Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host. Monitor.app captures the following event types:

  • Process execution with command line arguments
  • File creates (if data is written)
  • File renames
  • Network activity
  • DNS requests and replies
  • Dynamic library loads
  • TTY Events

Monitor.app identifies system activities using a kernel extension (kext). Its focus is on capturing data that matters, with context. These events are presented in the UI with a rich search capability allowing users to hunt through event data for areas of interest.

The goal of Monitor is simplicity. When launching Monitor, the user is prompted for root credentials to launch a process and load our kext (don’t worry, the main UI process doesn’t run as root). From there, the user can click on the start button and watch the events roll in!

The UI is sparse with a few key features. There is the start/stop button, filter buttons, and a search bar. The search bar allows us to set simple filters on types of data we may want to filter or search for over all events. The event table is a listing of all the events Monitor is capable of presenting to the user. The filter buttons allow the user to turn off some classes of events. For example, if a TimeMachine backup were to kick off when the user was trying to analyze a piece of malware, the user can click the file system filter button and the file write events won’t clutter the display.

As an example, perhaps we were interested in seeing any processes that communicated with xkcd.com. We can simply use an “Any” filter and enter xkcd into the search bar, as seen in Figure 1.

Figure 1: Monitor.app User Interface

We think you will be surprised how useful Monitor can be when trying to figure out how components of macOS or even malware work under the hood, all without firing up a debugger or D script.

Click here to download Monitor.app. Please send any feature requests/bugs to monitorapp-bugs@fireeye.com.

Apple, Mac and MacOS are registered trademarks or trademarks of Apple Inc.

Reflection on Working From Home

In a moment of introspection last night, it occurred to me that working from home tends to amplify any perceived slight or sources of negativity. Most of my "human" interactions are online only, which - for this extrovert - means my energy is derived from whatever "interaction" I have online in Twitter, Facebook, email, Slack, etc.

It turns out that this can be highly problematic. Last year I turned off Facebook for months at a time because of all the negativity. I constantly felt myself slipping into depression because everything weighed me down. And don't get me wrong, I'm as much a source of negative posts as anyone else. I don't think we can help it in this political environment.

However, where this gets particularly challenging is around non-internet interactions. Whether it be having tea with a friend or just chatting with them on the phone... I've come to realize that a lot of my happiness ends up hanging on these very rare interactions, which can be highly problematic when folks are busy or when unexpected events conspire to prevent such meetings. The negative side of my brain then latches onto these as "proof" that I'm unworthy of friends or friendship and starts trying to commence the dark downward spiral.

To that end, now that I'm aware of these feelings, I can start developing mechanisms to cope with them. I think one of the big challenges for someone my age, with a family and working from home, is trying to find new opportunities for interaction. Real interactions - not phony interactions via "networking" events and BS like that. We're kind of at that point in the parenthood cycle where the kids' schedules tend to dominate our lives.

Anyway... this is my observation for the morning. I need to find new forms of positive human interactions. Preferably real human interactions. And, in the meantime, I need to stop letting negative interactions and disappointments amplify disproportionately to the degree that it triggers a major downward swing. This is not an easy thing to do, but in seeing the pattern, at least now I can tackle it.

Miele Professional PG 8528 Vulnerability

NCCIC/ICS-CERT is aware of a public report of a directory traversal vulnerability with proof-of-concept (PoC) exploit code affecting the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity washer and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment. According to this report, the vulnerability is remotely exploitable.

InsomniaHack Trip Report


Insomni'Hack Info:
https://insomnihack.ch/



Favorite talks
Bridging the gap between ICS(IoT?) and corporate IT security
Stefan Lüders

I really enjoyed this talk hearing how an organization defends in a BYOD & academic environment. Defense is difficult when you control the hosts, even more so when you you cant instrument the host and have to rely on network controls only.

My favorite slide was their alerting stack:


Not sure when the slides will be released but here is an older version of the talk I found:
https://www.blackhat.com/docs/us-14/materials/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf

How we hacked Distributed Configuration Management Systems
Francis Alexander & Bharadwaj Machiraj

Awesome talk on breaking into 

  • HashiCorp Consul
  • Apache Zookeeper
  • CoreOS etcd
Tool they created:
https://github.com/torque59/Garfield


Modern reconnaissance phase on APT – protection layer
Paul Rascagnères

Fun talk on how APT have been implementing some checks to make sure the targets are valid prior to sending down the final stage of the attack. 

CERN
@cktricky and I also were able to give the talk at CERN. Background info on CERN: https://en.wikipedia.org/wiki/CERN

Archive of the talk:

Cool Pix:
Dropping Knowledge


Synchrocyclotron


Outside the Antimatter Factory

Thanks Twitter :-)

Three privacy tools that block your Internet provider from tracking you

It's official: Congress has sold you out to Internet service providers, passing a bill that dismantles Internet privacy rules and allows ISPs to sell your web history and other personal information without your permission. Assuming President Trump signs the bill into law, it means anyone concerned about privacy will have to protect themselves against over zealous data collection from their ISP.

Some privacy-conscious folks are already doing that—but many aren’t. If you want to keep your ISP from looking over your shoulder for data to sell to advertisers, here are three relatively simple actions you can take to get started.

To read this article in full, please click here

How to keep a private stash of bookmarks in Chrome

Incognito Mode in Chrome can keep your browsing history secret unless you have a nosy Internet Service Provider, and you’re not using a VPN. But one thing incognito doesn’t keep secret are any bookmarks you’ve got. If you’ve ever wanted to keep a private collection of bookmarks the Chrome extension Hush is one solution.

The extension only works in incognito mode and encrypts your store of private bookmarks that can only be accessed with the password.

To read this article in full, please click here

QOTD – Hubbard on the Risk Management Method

The single most important metric in all of risk management is the performance of the risk management method itself. The list of risks identified can be no more valid than the entire process of identifying risks. I would think that also applies to the method of "approving" mechanisms of measurement.
-- Douglas W. Hubbard, President of Hubbard Decision Research

[Source: statement made by the author on a closed mailing list.Posted with permission of the author.]

Toolsmith #124: Dripcap – Caffeinated Packet Analyzer

Dripcap is a modern, graphical packet analyzer based on Electron.
Electron, you say? "Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application."
We should all be deeply familiar with the venerable Wireshark, as it has long been the forerunner for packet analysts seeking a graphical interface to their PCAPs. Occasionally though, it's interesting to explore alternatives. I've long loved NetworkMiner, and the likes of Microsoft Message Analyzer and Xplico each have unique benefits.
For basic users comfortabel with Wireshark, you'll likely find Dripcap somewhat rudimentary at this stage, but it does give you opportunities to explore packet captures at fundamental levels and learn without some of the feature crutches more robust tools offer.
However, for JavaScript developers,  Dripcap opens up a whole other world of possibilities. Give the Create NTP dissector package tutorial a read, you can create, then publish and load dissector (and others) packages of your choosing.

Installation
I built Dripcap from source on Windows as follows, using Chocolatey.
From a administrator PowerShell prompt (ensure Get-ExecutionPolicy is not Restricted), execute the following (restart your admin PS prompt after #2):
  1. iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
  2. choco install git make jq nodejs
  3. git clone https://github.com/dripcap/dripcap.git
  4. cd dripcap
  5. npm install -g gulp node-gyp babel-cli
  6. npm install
  7. gulp
Step 1 installs Chocolatey, step 2 uses Chocolatey to install tools, step 3 clones Dripcap, steps 5 & 6 install packages, and step 7 builds it all.    
Execute dripcap, and you should be up and running.
You can also  use npm, part of Node.js' package ecosystem to install Dripcap CLI with npm install -g dripcap, or just download dripcap-windows-amd64.exe from Dripcap Releases.

Experiment 

I'll walk you through packet carving of sorts with Dripcap. One of Dripcap's strongest features is its filtering capabilities. I used an old PCAP with an Operation Aurora Internet Explorer exploit (CVE-2010-0249) payload for this tool test.
Ctrl+O will Import Pcap File for you.

Click Developer, then Toggle Log Panel for full logging.

Figure 1: Dripcap
You'll note four packets with lengths of 1514, as seen in Figure 1. Exploring the first of these packets indicates just what we'd expect: an Ethernet MTU (maximum transmission unit) of 1500 bytes, and a TCP payload of 1460 bytes, leaving 40 bytes for our header (20 byte IP and 20 byte TCP).

Figure 2: First large packet
 Hovering your mouse over the TCP details in the UI will highlight all the TCP specific data, but you can take such actions a step further. First, let's filter down to just the large packets with tcp.payload.length == 1460.
Figure 3: Filtered packets
 With our view reduced we can do some down and dirty carving pretty easily with Dripcap. In each of the four filtered packets I hovered over Payload 1460 bytes as seen in Figure 4, which highlighted the payload-specific hex. I then used the mouse to capture the highlighted content and, using Dripcap's Edit and Copy, grabbed only that payload-specific hex and pasted it to a text file.
Figure 4: Hex payload
I did this with each of these four packets and copied content, one hex blob after the other, into my text file, in tight, seamless sequence. I then used Python Tools for Visual Studio to do a quick hexadecimal to ASCII translation as easily as bytearray.fromhex("my hex snippet here").decode(). The result, in Figure 5, shows the resulting JavaScript payload the exploits CVE-2010-0249.
Figure 5: ASCII results
You can just as easily use online converters as well. I saved the ASCII results to a text file in a directory which I had excluded from my anti-malware protection. After uploading the file to VirusTotal as payload.txt, my expectations were confirmed: 32 of 56 AV providers detected the file as the likes of Exploit:JS/Elecom.D or, more to the point, Exploit.JS.Aurora.a.

In closing
Perhaps not the most elegant method, but it worked quickly and easily with Dripcap's filtering and editing functions. I hope to see this tool, and its community, continue to grow. Build dissector packages, create themes, become part of the process, it's always good to see alternatives in available to security practitioners.
Cheers...until next time.

Hackers Spark Revival of Sticky Keys Attacks

password

Hackers are constantly trying to find new ways to bypass cyber-security efforts, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security’s anti-malware research facility, recently detected a targeted attack which did not use malware, but rather used scripts and other tools associated with the operating system itself in order to bypass scanners.

Using an attack method that has gained popularity recently, the hacker launch a brute-force attack against the server with the Remote Desktop Protocol (RDP) enabled. Once they have access to the log-in credentials of a device, the intruders gain complete access to it.
At this stage, the attackers run the seethe.exe file with the parameter 211 from the computers’ Command Prompt window (CMD) – turning on the ‘Sticky Keys’ feature.

1-1

Next, the hacker initiates Traffic Spirit – a traffic generator application that ensure the attack is lucrative for the cyber-criminals.

2

Once this is complete, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:
• registery.reg
• SCracker.bat
• sys.bat

The hacker then runs the Windows registry editor (Regedit.exe) to add the following key contained in the registery.reg file:

3

This key aims at ensuring that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat is run. This is a batch file that implements a very simple authentication system. Running the file displays the following window:

4

The user name and password are obtained from two variables included in the sys.bat file:

5

This creates a backdoor into the device through which the hacker gains access. Using the backdoor, the hacker is able to connect to the targeted computer without having to enter the login credentials, enable the Sticky Keys feature, or enter the relevant user name and password to open a command shell:

6

The command shell shortcuts allow the hacker to access certain directories, change the console colour, and make use of other typical command-line actions.

7

The attack doesn’t stop there. In their attempt to capitalise on the attack, a Bitcoin miner is installed, to take advantage of every compromised computer. This software aims to use the victims’ computer resources to generate the virtual currency without them realising it.
Even if the victim realises their device has been breached and changes their credentials – the hacker is still able to gain access to the system. To enable Sticky Keys, the hacker enter the SHIFT key five times, allowing the cyber-criminal to activate the backdoor one again.

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organisation from serious financial and reputational harm. Business leaders need to recognise the need for advanced security, such as AD360, to protect their network from these kinds of attacks.

The post Hackers Spark Revival of Sticky Keys Attacks appeared first on CyberSafety.co.za.

I thought everyone knew this by now

But apparently not. I just saw some “Security Awareness Training” that gave the bad old advice of “look for the padlock” in your web browser. Here’s my answer to that:

image

In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn’t that easy, we need to teach better. Also, “don’t click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice.

The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn’t assure you that the traffic isn’t being decrypted, inspected, and re-encrypted. Or maybe it isn’t encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn’t prove the identity of the site owner unless it is an EV(extended validation) certificate, and even then the validation is imperfect. When we just say “look for the padlock” we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn’t entirely true if we are going to oversimplify this I think we’re better off telling folks that the padlock doesn’t mean a damn thing anymore, if it ever did.

While we’re on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you want”. I did find a few things which made me think of typical browser warnings:

BrowserWarning

This means it’s OK to trespass up to this point, but no further? Is that like this website is unsafe? No, because if you look around this sign you can see the end of the pier is missing, if you click past the browser warning you will not fall into the ocean.

And this, you know what it means, but what does it say?

image

That’s right, it says don’t P on the grass. Just because you know what something means does not mean you can assume others do, we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass, sounds like a browser warning to me.

Jack

Review: Canary Flex security camera lives up to its name

Canary’s initial foray into the networked home security camera space was very impressive – my colleague David Newman touted its high security settings in the wake of revelations about the general insecurity of these types of devices. The Canary camera was also somewhat large – a cylindrical tower that took up some significant space on your desk, cabinet or shelf.

The latest camera the company sent me is the Canary Flex, a much smaller unit meant to be more flexible (hence the name) in terms of placement, but also in power options. Like the Arlo Pro camera, the Canary Flex is powered by an internal battery (it’s charged via USB cable and power adapter). This means you can move the Flex to a location inside or outside your home where there’s no power outlet. The Flex comes with wall mounting screws and a 360-degree magnetic stand so you can position the camera in different spots. Additional accessories, such as a plant mount or twist mount (pictured below), offer even more location choices.

To read this article in full, please click here

Where’s Jack?

As I mentioned in a post earlier this year I am traveling extensively this year, connecting and reconnecting with a lot of people. And thanks to a lot of wonderful people inside and out of the hacker and security communities I am doing very well after a rough few months. So, it’s time to share my plans and encourage folks to come and chat with me if our paths cross. I know I have a reputation of being a cranky old bastard, one which is well deserved, but I’m really not a miserable person- truly, seek me out and tell me stories, ask questions, whatever. If I can help you I will, or maybe I’ll point you to someone who can help if I can’t. I meant what I said in my recent post about the loss of Becky Bace and others, they set an example for those of us who knew them and I’m not about to let InfoMom down.

So, here’s my schedule as it looks from here:

Tomorrow, Friday March 24 I’ll be speaking at BSidesOK in Tulsa. Yeah, short notice, but there it is.

I’ll be speaking at the North Florida ISSA meeting in Jacksonville on April 6.

I’ll also be speaking at BSides Boston on April 15th.

BSides Nashville on April 22, I’ll be there, not speaking, so I’ll have more time to chat.

May 2 in Denver I’ll be speaking at the EDUCAUSE annual conference.

Later that week I’ll be attending Thotcon (May 4-5) and probably BurbSecCon (May 6) in Chicago.

Then things calm down a little before spending most of June in Europe, but more on that later.

See you on the road

Jack

Five Reasons I Want China Running Its Own Software

Periodically I read about efforts by China, or Russia, or North Korea, or other countries to replace American software with indigenous or semi-indigenous alternatives. I then reply via Twitter that I love the idea, with a short reason why. This post will list the top five reasons why I want China and other likely targets of American foreign intelligence collection to run their own software.

1. Many (most?) non-US software companies write lousy code. The US is by no means perfect, but our developers and processes generally appear to be superior to foreign indigenous efforts. Cisco vs Huawei is a good example. Cisco has plenty of problems, but it has processes in place to manage them, plus secure code development practices. Lousy indigenous code means it is easier for American intelligence agencies to penetrate foreign targets. (An example of a foreign country that excels in writing code is Israel, but thankfully it is not the same sort of priority target like China, Russia, or North Korea.)

2. Many (most?) non-US enterprises are 5-10 years behind US security practices. Even if a foreign target runs decent native code, the IT processes maintaining that code are lagging compared to American counterparts. Again, the US has not solved this problem by any stretch of the imagination. However, relatively speaking, American inventory management, patch management, and security operations have the edge over foreign intelligence targets. Because non-US enterprises running indigenous code will not necessarily be able to benefit from American expertise (as they might if they were running American code), these deficiencies will make them easier targets for foreign exploitation.

3. Foreign targets running foreign code is win-win for American intel and enterprises. The current vulnerability equities process (VEP) puts American intelligence agencies in a quandary. The IC develops a zero-day exploit for a vulnerability, say for use against Cisco routers. American and Chinese organizations use Cisco routers. Should the IC sit on the vulnerability in order to maintain access to foreign targets, or should it release the vulnerability to Cisco to enable patching and thereby protect American and foreign systems?

This dilemma disappears in a world where foreign targets run indigenous software. If the IC identifies a vulnerability in Cisco software, and the majority of its targets run non-Cisco software, then the IC is more likely (or should be pushed to be more likely) to assist with patching the vulnerable software. Meanwhile, the IC continues to exploit Huawei or other products at its leisure.

4. Writing and running indigenous code is the fastest way to improve. When foreign countries essentially outsource their IT to vendors, they become program managers. They lose or never develop any ability to write and run quality software. Writing and running your own code will enroll foreign organizations in the security school of hard knocks. American intel will have a field day for 3-5 years against these targets, as they flail around in a perpetual state of compromise. However, if they devote the proper native resources and attention, they will learn from their mistakes. They will write and run better software. Now, this means they will become harder targets for American intel, but American intel will retain the advantage of point 3.

5. Trustworthy indigenous code will promote international stability. Countries like China feel especially vulnerable to American exploitation. They have every reason to be scared. They run code written by other organizations. They don't patch it or manage it well. Their security operations stink. The American intel community could initiate a complete moratorium on hacking China, and the Chinese would still be ravaged by other countries or criminal hackers, all the while likely blaming American intel. They would not be able to assess the situation. This makes for a very unstable situation.

Therefore, countries like China and others are going down the indigenous software path. They understand that software, not oil as Daniel Yergen once wrote, is now the "commanding heights" of the economy. Pursuing this course will subject these countries to many years of pain. However, in the end I believe it will yield a more stable situation. These countries should begin to perceive that they are less vulnerable. They will experience their own vulnerability equity process. They will be more aware and less paranoid.

In this respect, indigenous software is a win for global politics. The losers, of course, are global software companies. Foreign countries will continue to make short-term deals to suck intellectual property and expertise from American software companies, before discarding them on the side of Al Gore's information highway.

One final point -- a way foreign companies could jump-start their indigenous efforts would be to leverage open source software. I doubt they would necessarily honor licenses which require sharing improvements with the open source community. However, open source would give foreign organizations the visibility they need and access to expertise that they lack. Microsoft's shared source and similar programs were a step in this direction, but I suggest foreign organizations adopt open source instead.

Now, widespread open source adoption by foreign intelligence targets would erode the advantages for American intel that I explained in point 3. I'm betting that foreign leaders are likely similar to Americans in that they tend to not trust open source, and prefer to roll their own and hold vendors accountable. Therefore I'm not that worried, from an American intel perspective, about point 3 being vastly eroded by widespread foreign open source adoption.

TeePublic is running a sale until midnight ET Thursday! Get a TaoSecurity Milnet T-shirt for yourself and a friend!


Panda Security Rated Top in Antivirus Test

IMG AVComp 03-17 - Blog

A recent study conducted by AV Comparatives recognised Panda Security for having obtained the highest possible score by detecting 100% of the malware samples tested.
 

AV Comparatives most rigorous test ranks Panda Security number one for malware detection

 

The analysis took into account the same infection vectors that a user might experience on an ordinary day. The fundamental objective of AV Comparatives’ Real-World Test is to determine if the security solutions are able to protect the system as it is exposed to an array of malware samples. Panda Security’s Free Antivirus proved it was able to detect 100% of malware to which it had been exposed.

“We are proud of the excellent results we received in the AV-Comparatives Real-World Test – these results validate our efforts to offer our users the best protection against all types of threats under real conditions. Panda Security is fully committed to the constant improvement of our solutions in order to provide maximum security levels with minimum performance impact.” say Jeremy Matthews, Regional Manager Panda Security Africa.
 
Infographic AVComp
 
These results speak to the success of the set of technologies leveraged by Panda Security to develop a solution that is ideal for all types of users – private or public, large or small. Panda Security’s solution comes in response to the rapid evolution of malware in recent years. In this regard, it offers the most effective response to threats such as ransomware, and proves to be the best ally in the prevention, protection and response to the latest attacks.

The post Panda Security Rated Top in Antivirus Test appeared first on CyberSafety.co.za.

Cybersecurity Domains Mind Map

Last month I retweeted an image labelled "The Map of Cybersecurity Domains (v1.0)". I liked the way this graphic divided "security" into various specialties. At the time I did not do any research to identify the originator of the graphic.

Last night before my Brazilian Jiu-Jitsu class I heard some of the guys talking about certifications. They were all interested in "cybersecurity" but did not know how to break into the field. The domain image came to mind as I mentioned that I had some experience in the field. I also remembered an article Brian Krebs asked me to write titled "How to Break Into Security, Bejtlich Edition," part of a series on that theme. I wrote:

Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual’s background and tastes.

I offered to help the guys in my BJJ class find the area of security that interests them and get started in that space. I thought the domains graphic might facilitate that conversation, so I decided to identify the originator so as to give proper credit.

It turns out that that CISO at Oppenheimer & Co, Henry Jiang, created the domains graphic. Last month at LinkedIn he published an updated Map of Cybersecurity Domains v2.0:

Map of Cybersecurity Domains v2.0 by Henry Jiang
If I could suggest a few changes for an updated version, I would try to put related disciplines closer to each other. For example, I would put the Threat Intelligence section right next to Security Operations. I would also swap the locations of Risk Assessment and Governance. Governance is closer to the Framework and Standard arena. I would also move User Education to be near Career Development, since both deal with people.

On a more substantive level, I am not comfortable with the Risk Assessment section. Blue Team and Red Team are not derivatives of a Penetration test, for example. I'm not sure how to rebuild that section.

These are minor issues overall. The main reason I like this graphic is that it largely captures the various disciplines one encounters in "cybersecurity." I could point a newcomer to the field at this image and ask "does any of this look interesting?" I could ask someone more experienced "in which areas have your worked?" or "in which areas would you like to work?"

The cropped image at the top of this blog shows the Security Operations and Threat Intelligence areas, where I have the most experience. Another security person could easily select a completely different section and still be considered a veteran. Our field is no longer defined by a small set of skills!

What do you think of this diagram? What changes would you make?

VirusTotal += Symantec Mobile Insight

We welcome the Symantec Mobile Insight scanner to VirusTotal. This engine is specialized in Android and reinforces the participation of Symantec that already had a multi-platform scanner in our service. In the words of the company:

"Symantec Mobile Insight is a comprehensive mobile security service capable of identifying suspicious and malicious apps using a broad array of endpoint-based and cloud-hosted techniques. These techniques blend traditional code and behavior analysis with cutting edge similarity and machine learning applications. Leveraging analysis of over 50 million apps and telemetry from millions of endpoints on a daily basis, we're able to provide superior protection. Our App Advisor technology can help end users identify malware and other unwanted apps on the App Store, prior to installation.

Symantec has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-TEST, an AMTSO-member tester.

A quick REVENGE Analysis

Another free weekend, another suspicious link provided by a colleague of mine and another compelling feeling to understand "how it works".  The following analysis is made "just for fun" and is not part of my professional analyses which have to follows a complete different process before being released. So please consider it as a "sport activity".

A colleague of mine provided me a suspicious link which I decided to analyze.

The infection starts by redirecting the browser to the page "see.aliharperweddings.com" through a GET request with the following parameters:
biw=diamonds.104wh99.406v6e7i0&que=diamonds.124if80.406v5h6e9&qtuif=3654&fix=diamonds.108bf93.406p9e7i4&oq=CeliDpvspJOdZNQOyj0SGfwZkm4pcBwhH9Pqqj0bWmxCag57W9CW9UU4HupE&q=z3jQMvXcJwDQDoTBMvrESLtEMU_OHEKK2OH_783VCZ39JHT1vvHPRAPytgW&ct=diamonds&tuif=6124
The page is not build to return rendered content but rather to return three different scripts. Indeed the returned visible page holds a weird displayed content as follows:

Weird visible content by: see.aliharperweddings.com

Getting a little deeper on the page source code it is easy to experience nice obfuscated scripts, which look like (at least to my experience) a first infection stage. Let's have fun and try to understand how this new sample works. The following image shows an obfuscated piece of code portion. We are getting into the first stage of analysis.

First Stage: The fun begins.

Just few steps on google V8 engine to de-obfuscate the first stage which uses a couple of techniques to run VBscript on the target machine. The first implemented trick, as shown in next image, is to use the classic  but "ever green" window.execScript which is no longer supported on Explorer >= 11. execScript takes two parameters: "the code to be run" and the "used programming language". The function invokes the right interpreter depending on "programming language" parameter.

Second Stage: Running VBScript

The second trick is to use eval to de-obfuscate the second stage and later on to run its functions through VBArray technique.  Decoding the second stage was easier if compared to the first stage since less obfuscation rounds are involved. Once de-obfuscated the second stage I've run into another "browser" stage (let's call it Third Stage) written in VisualBasic Language as follows:

Third Stage: The VBScript saving Windows PE
The resulting script is quite simple to read no further obfuscated loops were involved.  The script per se is quite big so I am not going to describe every single line of code but just the most interesting one (at least in my personal opinion), so let's focalize on the "random function" (showed in the following image) which returns strLen number of "random" letters from a well defined alphabet :).

Third Stage: Implemented "random" function

This function is used later on to save the PE FileSystemObject into temporary file by using the number "8" as parameter to the rnds function. A nice and dirty IoC would be: "8 letters" from "abcdehiklmnoprstuw02346" alphabet ".exe" into system temporary directory as shown in the next image. 

Third Stage: Saving PE Object using 8 "random" (not really) characters

The FileSystemObject is then executed through the WScript.Shell technique as shown in the next image.

Third Stage: Running the fake shell32.dll

A key argument is defined as "gexywoaxor" and a stream is taken from an url as shown in the following image.

Third Stage: Key and Stream

A special function is crafted to decrypt the stream having as a key the defined one. The decoded stream is getting saved and launched according to the fake shell32.dll.

Third Stage: Decryption stream function (key= gexywoaxor)
Most of you would recognize RIG Exploit kit which used to decrypt streaming (ADOBE StreamObj) objects through inline xor. That decrypt function would not use a simple xor, and for such a reason I would consider it as new version of RIG Exploit Kit. The overall behavior looks like standard RIG EK having threes infection browser scripts and stream decoding procedure.

Finally I've got a Windows PE on my temporary directory and a script launching it from browser ! 

Let's move on and see what it does. A first run the PE file gets information from its Command and Control server which, on my time, happened to be: 193.70.90.120 (France)
It downloaded a Public Key (maybe for encrypting files ?) as follows:

Fourth Stage: Downloaded Public Key
This behavior reminds me a romantic Ransomware attack, which happens to fit pretty well with RIG distribution rings. The sample starts with simple http GET but later on it keeps trace of its malicious activity (encrypted files) by posting, on the same C&C, the number of encrypted files and a unique serial number as well. The sample returns back two parameters: id and count.

Fourth Stage: POST to C&C

id is different for every infection while it could be consider as a unique constant for a given one. count constantly increases its value as a counter depending to the number of encrypted files.
The sample presents some tricks to control the running environments such as (but not limited to): IsDebugPresent and VolumeChecking. The sample is a multi-thread encryptor which spawns an encrypting thread for each found system folder (limiting to 10 per times). The sample is not packed/encrypted from a well known packer/encryptor as the following image shows, but the real code (payload) is encoded into a Fourth Stage (let me define the Windows PE as fourth stage of infection).

Fourth Stage: No known packers/encrypters are found

The following image shows the real payload dynamically build in the heap of the fourth stage. As analyst I decided to not extract it but rather following on the original sample in order to understand how happens the control flow switch.


Stage Fifth: HEAP built payload 

The fifth stage is run by the following code which after having built the payload straight into the memory gets the control flow by simple dynamic "call" to dynamic memory [ebp+var_4].


Fifth Stage: getting control by call [ebp+var_4]
This is the last stage where the payload runs over the folders, read files and encrypt them by using a dynamically loaded cryptbase.dll and the downloaded public key. The payload per-se saves itself and get persistence by infiltrating on register keys. The following images show where the payload copies itself in the target machine

Fifth Stage: Payload Persistence
Te payload saves itself as svchost file creating a folder named Microsofts\ Windows NT\svchost.exe as the most classic payloads does ! Cryptobase.dll functions are dynamically loaded, only few library functions have been involved which takes easy to track them down (the following images show the tracking down imported libraries).

Stage Fifth: Cryptobase.dll tracking functions
Finally the SaveFile function write the ransom file: # !!!HELP_FILE!!! #.TXT  to physical drives having the following content and encrypts file through .REVENGE extension

Ransom File
Since the implemented languages are: English, Italian, German, Polish and Korean  it is easy t believe this ransomware attack would target European countries mainly.

While the infected website (see.aliharperweddings.com) has promptly been closed (now it belongs to GoDaddy) the Command and Control page is still up and running. Indeed the command and control appears to be an old vulnerable fake website created on 2016-10-07T08:19:40Z weaponized with an ancient content back to November 2014. The website is not a real one, it's a simple "lorem ipsum" with no apparent purpose. The following images shows the apparent not real website.

Command and Control Vulnerable Web Site
Conclusions

Despite the reverse engineering difficulty and/or the technical details I addressed in this quick and dirty post, I found an unusual C&C behavior. Usually attackers want to protect their C&C and are the first system (page, connection, services) to be closed and/or moved after a first disclosure. Indeed the attacker wont be "syncholed" by receiving injection commands into her malicious network. Contrary in this example the current C&C looks to be alive from October 2016. Please note that I am not saying it servers RIG from 2016 but it might have served many different EK over time, which makes me thinking to a well defined operation attributable to a RIG as a service group.

Useful IoC:
- url: see.aliharperweddings.com
- url: far.nycfatfreeze.com
- ip: 193.70.90.120
- ip: 188.225.38.186
- email: rev00@india.com
- email: revenge00@writeme.com
- email: rev_reserv@india.com
- string: 5427136ABEE9451E
- string: # !!!HELP_FILE!!! #.TXT
- string: gexywoaxor 
- file extension: REVENGE
- File Name: 8 characters from {abcdehiklmnoprstuw02346}.exe

BONUS:
A similar dropper (Third Stage) has been published on March 9th 2017 on pastebin.

msfrpcd

Did you forget the PostgresSQLcredentials to start msfrpcd in your Metasploit instance? There's a quick way to recover that username and password. Open up msfconsole, and run the command "load msgrpc". You'll get output like this:


msf > load msgrpc
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: aKCU4AgT
[*] Successfully loaded plugin: msgrpc
msf >

Now start msfrpcd with -P and you're set. 


Reference https://help.rapid7.com/metasploit/Content/framework/msf-rpc-service.html for more info.

Transitioning from my CISO role at DataGravity

As of today I’m transitioning out of my CISO role at DataGravity and am on the hunt for a new full-time gig. Though I appreciate your condolences, I see this as a good thing and the transition is an amicable one.

 

What this really means, however, is that I get to explore exciting opportunities with exciting companies 🙂

 

Who is looking…

This guy. Many of us have met before but, if you’re like me, you may recognize the face but forget (or have never known) what my work history included.

 

For some background on my past work experience, please check LinkedIn (https://www.linkedin.com/in/andrewhay/) or the press kit section of my blog (http://www.andrewhay.ca/press-kit).

I also have a resume ready to go if you’d like a copy.

 

What I’m looking for…

A senior leadership role (e.g. Chief Research Officer, Head of Research, VP Research, etc.) in a data-centric security company where I can lead and mentor an existing, or help found, a world-class security research organization.

 

AND/OR

 

A senior leadership (e.g. CTO, CISO, CSO, etc.) role in an early-stage security startup where I can contribute to the company’s growth, innovation, product strategy, and market penetration.

 

AND/OR

 

A senior leadership (e.g. CISO, CSO, etc.) role in an established company where I can help keep the organization, its employees, and its customers safe and secure through the implementation and management of a measurable information security program.

 

Where I’m looking…

As my wife has a vested interest (no pun intended) in staying in San Francisco, I cannot relocate at this time. That means any opportunities would have to be in the San Francisco Bay Area or allow me to continue working from home as I do now.

 

If you’re in the market for a passionate security leader with my experience and qualifications I’d love to hear from you.

 

 

On loss and responsibility

We have lost more great figures in our world of InfoSec, and we are diminished by their loss.

Spaf has written eloquently on the passing of Kevin Ziese, Howard Schmidt, and Becky Bace. I never met Kevin, and I only met Howard a couple of times, but I know of them and their impact on our industry and people in our field.

Becky had become a friend over the past several years, and her loss has hit me hard. Becky has a long and storied history in InfoSec and cybersecurity (and damn, could she tell great stories). Becky was instrumental in nurturing the fledgling fields of network analysis and IDS when she was at NSA, but more importantly than her technical work she was  a great friend and mentor to so many in our field that it is hard to overstate how many people she touched in her life and career. For a glimpse into what Becky was like, check out Avi’s very personal and touching remembrance of meeting Becky.

Once again, we take time to remember lost friends. While natural to mourn their passing we must remember that there are still many in our communities who need the kind of friends and mentors that Kevin, Howard, and Becky were to those of us who knew them. It is our responsibility to them and many others we’ve lost in our young field to remember them, but more importantly to fill those roles of friends and mentors to those who never knew them.

 

Jack

MS16-084 – Critical: Cumulative Security Update for Internet Explorer (3169991) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bejtlich Moves On

Exactly six years ago today I announced that I was joining Mandiant to become the company's first CSO. Today is my last day at FireEye, the company that bought Mandiant at the very end of 2013.

The highlights of my time at Mandiant involved two sets of responsibilities.

First, as CSO, I enjoyed working with my small but superb security team, consisting of Doug Burks, Derek Coulsen, Dani Jackson, and Scott Runnels. They showed that "a small team of A+ players can run circles around a giant team of B and C players."

Second, as a company spokesperson, I survived the one-of-a-kind ride that was the APT1 report. I have to credit our intel and consulting teams for the content, and our marketing and government teams for keeping me pointed in the right direction during the weeks of craziness that ensued.

At FireEye I transitioned to a strategist role because I was spending so much time talking to legislators and administration officials. I enjoyed working with another small but incredibly effective team: government relations. Back by the combined FireEye-Mandiant intel team, we helped policy makers better understand the digital landscape and, more importantly, what steps to take to mitigate various risks.

Where do I go from here?

Twenty years ago last month I started my first role in the information warfare arena, as an Air Force intelligence officer assigned to Air Intelligence Agency at Security Hill in San Antonio, Texas. Since that time I've played a small part in the "cyber wars," trying to stop bad guys while empowering good guys.

I've known for several years that my life was heading in a new direction. It took me a while, but now I understand that I am not the same person who used to post hundreds of blog entries per year, and review 50 security books per year, and write security books and articles, and speak to reporters, and testify before Congress, and train thousands of students worldwide.

That mission is accomplished. I have new missions waiting.

My near-term goal is to identify opportunities in the security space which fit with my current interests. These include:
  • Promoting open source software to protect organizations of all sizes
  • Advising venture capitalists on promising security start-ups
  • Helping companies to write more effective security job descriptions and to interview and select the best candidates available
My intermediate-term goal is to continue my Krav Maga training, which I started in January 2016. My focus is the General Instructor Course process required to become a fully certified instructor. I will also continue training in my other arts, such as Brazilian Jiu-Jitsu. Krav, though, is the priority, thanks to the next goal.

My main instructor, Nick Masi (L) and his instructor, Eyal Yanilov (R)
My long-term goal is to open a Krav Maga school in the northern Virginia area in the fall of 2018. Accomplishing this goal requires completing the GIC process and securing a studio and students to join me on this new journey. I plan to offer private training, plus specialized seminars for other executives who feel burned out, or who seek self-defense or fitness. I will also offer classes tailored for kids and women, to meet the requirements of those important parts of our human family.

Anyone who has spoken with me about these changes has sensed my enthusiasm. I've also likely encouraged them to join me at my current Krav Maga school, First Defense in Herndon, VA. Tell them Richard sent you!

Change, while often uncomfortable, is a powerful growth accelerator. I am thankful that my family, and my wife Amy in particular, are so supportive of my initiatives.

If you would like to join me in any of these endeavors, please leave a comment here with your email address, or email me via taosecurity at gmail dot com. Best wishes to those remaining at FireEye!

The Missing Trends in M-Trends 2017

FireEye released the 2017 edition of the Mandiant M-Trends report yesterday. I've been a fan of this report since the 2010 edition, before I worked at the company.

Curiously for a report with the name "trends" in the title, this and all other editions do not publish the sorts of yearly trends I would expect. This post will address that limitation.

The report is most famous for its "dwell time" metric, which is the median (not average, or "mean") number of days an intruder spends inside a target company until he is discovered.

Each report lists the statistic for the year in consideration, and compares it to the previous year. For example, the 2017 report, covering incidents from 2016, notes the dwell time has dropped from 146 days in 2015, to 99 days in 2016.

The second most interesting metric (for me) is the split between internal and external notification. Internal notification means that the target organization found the intrusion on its own. External notification means that someone else informed the target organization. The external party is often a law enforcement or intelligence agency, or a managed security services provider. The 2016 split was 53% internal vs 47% external.

How do these numbers look over the years that the M-Trends report has been published? Inquiring minds want to know.

The 2012 M-Trends report was the first edition to include these statistics. I have included them for that report and all subsequent editions in the table below.

Year Days Internal External
2011 416 6 94
2012 243 37 63
2013 229 33 67
2014 205 31 69
2015 146 47 53
2016 99 53 47

As you can see, all of the numbers are heading in the right direction. We are finally into double digits for dwell time, but over 3 months is still far too long. Internal detection continues to rise as well. This is a proxy for the maturity of a security organization, in my opinion.

Hopefully future M-Trends reports will include tables like this.


VirusTotal += SentinelOne

We welcome the SentinelOne scanner to VirusTotal. This is a machine learning engine from the US. In the words of the company:

"SentinelOne (Static ML) is a machine learning engine designed to identify unknown malware. It is part of SentinelOne’s unique offering of a multi-layer detection and prevention agent – utilizing behavioral monitoring and static analysis that is capable of keeping organizations ahead of any advanced threat in real-time. SentinelOne protects Windows, OS X and Linux-based endpoint devices against advanced malware, exploits and fileless attacks.

SentinelOne has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.

MS17-006 – Critical: Cumulative Security Update for Internet Explorer (4013073) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS17-019 – Important: Security Update for Active Directory Federation Services (4010320) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.

MS17-008 – Critical: Security Update for Windows Hyper-V (4013082) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

MS17-0113 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS17-022 – Important: Security Update for Microsoft XML Core Services (4010321) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

MS17-009 – Critical: Security Update for Microsoft Windows PDF Library (4010319) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.

MS17-011 – Critical: Security Update for Microsoft Uniscribe (4013076) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS17-016 – Important: Security Update for Windows IIS (4013074) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Click here to enter text.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS17-018 – Important: Security Update for Windows Kernel-Mode Drivers (4013083) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The Origin of Threat Hunting

2011 Article "Become a Hunter"
The term "threat hunting" has been popular with marketers from security companies for about five years. Yesterday Anton Chuvakin asked about the origin of the term.

I appear to have written the first article describing threat hunting in any meaningful way. It was published in the July-August 2011 issue of Information Security Magazine and was called "Become a Hunter." I wrote it in the spring of 2011, when I was director of incident response for GE-CIRT. Relevant excerpts include:

"To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise. These intruders can take the form of external threats who maintain persistence or internal threats who abuse their privileges. Rather than hoping defenses will repel invaders, or that breaches will be caught by passive alerting mechanisms, CTOps practitioners recognize that defeating intruders requires actively detecting and responding to them. CTOps experts then feed the lessons learned from finding and removing attackers into the software development lifecycle (SDL) and configuration and IT management processes to reduce the likelihood of future incidents...

In addition to performing SOC work, CTOps requires more active, unstructured, and creative thoughts and approaches. One way to characterize this more vigorous approach to detecting and responding to threats is the term “hunting.” In the mid-2000s, the Air Force popularized the term “hunter-killer” for a missions whereby teams of security experts performed “friendly force projection” on their networks. They combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats. The concept of “hunting” (without the slightly more aggressive term “killing”) is now gaining ground in the civilian world.

2013 Book "The Practice of NSM"
If the SOC is characterized by a group that reviews alerts for signs of intruder action, the CIRT is recognized by the likelihood that senior analysts are taking junior analysts on “hunting trips.” A senior investigator who has discovered a novel or clever way to possibly detect intruders guides one or more junior analysts through data and systems looking for signs of the enemy. Upon validating the technique (and responding to any enemy actions), the hunting team should work to incorporate the new detection method into the repeatable processes used by SOC-type analysts. This idea of developing novel methods, testing them into the wild, and operationalizing them is the key to fighting modern adversaries."

The "hunting trips" I mentioned were activities that our GE-CIRT incident handlers -- David Bianco,  Ken Bradley, Tim Crothers, Tyler Hudak, Bamm Visscher, and Aaron Wade -- were conducting. Aaron in particular was a driving force for hunting methodology.

I also discussed hunting in chapter 9 of my 2013 book The Practice of Network Security Monitoring, contrasting it with "matching" as seen in figure 9-2. (If you want to save 30% off the book at No Starch, use discount code "NSM101.")

The question remains: from where did I get the term "hunt"? My 2011 article stated "In the mid-2000s, the Air Force popularized the term “hunter-killer." My friend Doug Steelman, a veteran of the Air Force, NSA, and Cyber Command, provided a piece of the puzzle on Twitter. He posted a link to a 2009 presentation by former NSA Vulnerability and Analysis Operations (VAO) chief Tony Sager, a friend of this blog.

July 2009 Presentation by Tony Sager
In the mid-2000s I was attending an annual conference held by NSA called the Red Team/Blue Team Symposium, or ReBl for short. ReBl took place over a week's time at the Johns Hopkins University Applied Physics Lab in Laurel, MD. If you Google for the conference you will likely find WikiLeaks emails from the HBGary breach.

It was a mix of classified and unclassified presentations on network defense. During these presentations I heard the term "APT" for the first time. I also likely heard about the "hunt" missions the Air Force was conducting, in addition to probably hearing Tony Sager's presentation mentioning a "hunt" focus.

That is as far back as I can go, but at least we have a decent understanding where I most likely first heard the term "threat hunting" in use by practitioners. Happy hunting!

MEMS Accelerometer Hardware Design Flaws (Update A)

This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional (the Americas, APAC and EMEA) analysis focused on attack trends, and defensive and emerging trends.

When it comes to attack trends, we’re seeing a much higher degree of sophistication than ever before. Nation-states continue to set a high bar for sophisticated cyber attacks, but some financial threat actors have caught up to the point where we no longer see the line separating the two. These groups have greatly upped their game and are thinking outside the box as well. One unexpected tactic we observed is attackers calling targets directly, showing us that they have become more brazen.

While there has been a marked acceleration of both the aggressiveness and sophistication of cyber attacks, defensive capabilities have been slower to evolve. We have observed that a majority of both victim organizations and those working diligently on defensive improvements are still lacking adequate fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Fortunately, we’re seeing that organizations are becoming better are identifying breaches. The global median time from compromise to discovery has dropped significantly from 146 days in 2015 to 99 days 2016, but it’s still not good enough. As we noted in M-Trends 2016, Mandiant’s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment, so 99 days is still 96 days too long.

We strongly recommend that organizations adopt a posture of continuous cyber security, risk evaluation and adaptive defense or they risk having significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks.

On top of our analysis of recent trends, M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year. FaaS monitors organizations 24/7, which gives them a unique perspective into the current threat landscape. Additionally, this year we partnered with law firm DLA Piper for a discussion of the upcoming changes in EMEA data protection laws.

You can learn more in our M-Trends 2017 report. Additionally, you can register for our live webinar on March 29, 2017, to hear more from our experts.

Zix wins 5-vendor email encryption shootout

Email encryption products have made major strides since we last looked at them nearly two years ago. They have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements, and are at the point where encryption can almost be called effortless on the part of the end user.

Our biggest criticism in 2015 was that the products couldn’t cover multiple use cases, such as when a user switches from reading emails on their smartphone to moving to a webmailer to composing messages on their Outlook desktop client. Fortunately, the products are all doing a better job handling multi-modal email.

To read this article in full, please click here

(Insider Story)

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware. We have observed FIN7 attempt to compromise diverse organizations for malicious operations – usually involving the deployment of point-of-sale malware – primarily against the retail and hospitality industries.

Spear Phishing Campaign

All of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organizations. Many of the recipients were even listed in their company’s SEC filings. The sender email address was spoofed as EDGAR <filings@sec.gov> and the attachment was named “Important_Changes_to_Form10_K.doc” (MD5: d04b6410dddee19adec75f597c52e386). An example email is shown in Figure 1.

Figure 1: Example of a phishing email sent during this campaign

We have observed the following TTPs with this campaign:

  • The malicious documents drop a VBS script that installs a PowerShell backdoor, which uses DNS TXT records for its command and control. This backdoor appears to be a new malware family that FireEye iSIGHT Intelligence has dubbed POWERSOURCE. POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams. Using DNS TXT records to communicate is not an entirely new finding, but it should be noted that this has been a rising trend since 2013 likely because it makes detection and hunting for command and control traffic difficult.
  • We also observed POWERSOURCE being used to download a second-stage PowerShell backdoor called TEXTMATE in an effort to further infect the victim machine. The TEXTMATE backdoor provides a reverse shell to attackers and uses DNS TXT queries to tunnel interactive commands and other data. TEXTMATE is “memory resident” – often described as “fileless” malware. This is not a novel technique by any means, but it’s worth noting since it presents detection challenges and further speaks to the threat actor’s ability to remain stealthy and nimble in operations.
  • In some cases, we identified a Cobalt Strike Beacon payload being delivered via POWERSOURCE. This particular Cobalt Strike stager payload was previously used in operations linked to FIN7.
  • We observed that the same domain hosting the Cobalt Strike Beacon payload was also hosting a CARBANAK backdoor sample compiled in February 2017. CARBANAK malware has been used heavily by FIN7 in previous operations.
Victims

Thus far, we have directly identified 11 targeted organizations in the following sectors:

  • Financial services, with different victims having insurance, investment, card services, and loan focuses
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

All these organizations are based in the United States, and many have international presences. As the SEC is a U.S. regulatory organization, we would expect recipients of these spear phishing attempts to either work for U.S.-based organizations or be U.S.-based representatives of organizations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organizations in other countries.

Implications

We have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft.  However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.

Previous FIN7 operations deployed multiple point-of-sale malware families for the purpose of collecting and exfiltrating sensitive financial data. The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.

Community Protection Event

FireEye implemented a Community Protection Event – FaaS, Mandiant, Intelligence, and Products – to secure all clients affected by this campaign. In this instance, an incident detected by FaaS led to the deployment of additional detections by the FireEye Labs team after FireEye Labs Advanced Reverse Engineering quickly analyzed the malware. Detections were then quickly deployed to the suite of FireEye products.

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the POWERSOURCE and TEXTMATE malware. Click here for more information.

VirusTotal += Palo Alto Networks

We welcome Palo Alto Networks (Known Signatures) to VirusTotal. This scanner was developed by Palo Alto Networks, headquartered in Santa Clara, CA. In the words of the company:

"Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers superior security, safely enables daily business operations, and protects an organization's most valuable assets. The Palo Alto Networks (Known Signatures) scanner was built for VirusTotal to identify malicious files by comparing Windows portable executables (PE) file indicators against antivirus signatures from the Palo Alto Networks Threat Intelligence Cloud. The scanner is not a commercially available product, but leverages all of Palo Alto Networks known malicious antivirus signatures.

Palo Alto Networks has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SE Labs, an AMTSO-member tester.

Review: vArmour flips security on its head

Almost every cybersecurity program these days does some sort of scanning, sandboxing or traffic examination to look for anomalies that might indicate the presence of malware. We’ve even reviewed dedicated threat-hunting tools that ferret out malware that’s already active inside a network.

However, what if there were a different way to approach security? Instead of searching for behaviors that might indicate a threat, what if you could define everything that is allowed within a network? If every process, application and workflow needed to conduct business could be defined, then by default everything outside of those definitions could be flagged as illegal. At the very least, critical programs could be identified and all interactions with them could be tightly defined and monitored. It’s a different way of looking at security, called segmentation.

To read this article in full, please click here

(Insider Story)

VirusTotal += Check Point

We welcome ZoneAlarm to VirusTotal. This is a consumer security solution developed by Check Point Software Technologies. Ltd., a company with worldwide headquarters in Tel Aviv, Israel, and US headquarters in San Carlos, CA. In the words of the company:

"ZoneAlarm is a comprehensive, multilayered security suite that stops the toughest viruses, spyware and hackers. Award-winning protection includes Advanced Real-Time Antivirus, Advanced Firewall, Anti-Spyware, Enhanced Browser Protection, Threat Emulation, Find My Laptop, Anti-Keylogger, Parental Controls, PC Tune-up and more.

Check Point has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates these reviews by NSS Labs, an AMTSO-member tester.

Securing autonomous vehicles

Roborace unveiled the design for their autonomous race car at Mobile World Congress in Barcelona this week. Without a driver the car is lightweight and high performing. Powered by four 300kW motors which run off a 540kWh battery, the vehicle is capable of speeds up to 200 mph. Last month, an FIA Formula E event …

Bye Empire, Hello Nebula Exploit Kit.

Nebula Logo




While Empire (RIG-E) disappeared at the end of December after 4 months of activity

Illustration of  the last month of witnessed Activity for Empire
on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - nebula-support@xmpp.jp


Offering free tests to trusted users 
------

In same thread some screenshots were shared by a customer.







Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17
Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) 

This Sundown variation was not so much different from the mainstream one.
No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.

Digging more it appeared it was featuring an Internal TDS (as Empire). 
The same exact call would give you a different payload in France or in United Kingdom/Japan.
"GamiNook" traffic with geo in France - 2017-02-17
Identicall payload call gives you Gootkit instead of Pitou
Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.


At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).

So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.

The following days i saw other actor sending traffic to this EK.
Taxonomy tied to Nebula Activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload

Today URI pattern changed from this morning :

/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN

(which is Sundown/Beps without the index.php) to

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination



(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )


2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.

Exploits:
CVE-2014-6332 + CVE-2015-0016
CVE-2013-2551
CVE-2016-0189 godmode
CVE-2015-8651
CVE-2015-7645
CVE-2016-4117

Files:  Nebula_2017-03-02 (2 fiddler - password is malware)

Acknowledgement :
Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.

Edit:
2017-03-03 Corrected some CVE id + not all payload are in clear
---
Some IOCs

DateSha256Comment
2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)
2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)
2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)
2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)
2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou
2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit
2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit
2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFox


DateDomainIPComment
2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain
2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain
2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain
2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain
2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain
2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula
2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula
2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula
2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula
2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula
2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula
2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula
2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula
2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula
2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula
2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula
2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula
2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula
2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula
2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula
2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula
2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula
2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula
2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula
2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula
2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula
2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula
2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula
2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula
2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula
2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula
2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula
2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula
2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula
2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula
2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula
2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula
2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula
2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula
2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula
2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula
2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula
2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula
2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula
2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula
2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula
2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula
2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula
2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula
2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula
2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula
2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula
2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula
2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula
2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula
2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula
2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula
2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula
2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula
2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula
2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula
2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula
2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula
2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula
2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula
2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula
2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula
2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula
2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula
2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula
2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula
2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula
2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula
2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula
2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula
2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula
2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula
2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula
2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula