Category Archives: Analysis

Stocks Surge on Earnings as Saudi Tensions Ease

US stocks started the session in positive territory following the positive earnings surprises by Goldman Sachs (GS) and Morgan Stanley (MS), and from then on, the floodgates opened and we saw the strongest rally on Wall Street since March. President Trump’s more diplomatic stance towards Saudi Arabia helped the bounce in stocks, together with the […]

The post Stocks Surge on Earnings as Saudi Tensions Ease appeared first on Hacked: Hacking Finance.

Oil Bears Decide to Take a Break

Author: Dmitriy Gurkovskiy, Chief Analyst at RoboForex

On October 16th, the oil market remains under pressure from the bears, though the volume of selling has decreased a bit. At the same time, market sentiment is still quite cautious. Brent is trading close to 81.00 USD today with the weekly low at 79.85 USD. WTI costs […]

Pre-Market Analysis And Chartbook: Stocks Finally Find Footing as Pound Pushes Higher

Tuesday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,768           0.80%
DAX 30          11,710          0.83%
WTI Crude Oil   71.33           -0.54%
GOLD            1,234           0.30%
Bitcoin         6,441           0.04%
EUR/USD         1.1600          0.18%

Although most of the key global stock benchmarks are still very close to last week’s lows, with some markets even hitting new lows this week, […]

Stellar Price Analysis: XLM/USD Taking Big Steps Towards Another Breakout Attempt, Prime Trust Adds Support for Stellar

Stellar’s native token Lumens is currently working its way towards another big retest of key near-term resistance. Prime Trust, a blockchain-based trust company, has announced its full support of Stellar. Stellar’s native token, Lumens, is making good headway for another big attempt at a breakout to the upside. The price has been trading firmly within a […]

Crypto Update: Coins Settle Down After Crazy Monday

The cryptocurrency segment has been relatively quiet since yesterday’s spike and the subsequent pullback, with the majors settling down above their pre-surge levels, but well below the highs hit amid Tether’s slump. Bitcoin has been among the stronger coins while Ripple has been the most active top coin, as bulls and bears are fighting for […]

Stocks Fail to Rally as Treasury Yields Settle Down

Global equity markets had a very hectic day, with the US-Saudi standoff, the weakness in Chinese stocks, and a lackluster US Retail Sales report setting the tone for risk assets. The effects of last week’s deep selloff were still apparent, and the major global benchmarks failed to reclaim the major technical levels, leaving the short-term […]

Crypto Update: Tether Chaos Triggers Spike, Bulls Beware of Reversals

While the week started out on a negative note, with the major cryptocurrencies selling off after the Asian market open, the European session saw a price rally that originated in a major market dislocation in Tether, the largest stablecoin.

USDT/USD, 4-Hour Chart Analysis

The spike affected coins and exchanges differently, and sellers quickly took control […]

Ripple Price Analysis: XRP/USD Shoots Higher For Further Correction, Trump Administration Discuss XRP

Ripple has been in regular discussions with the Trump administration on XRP and other cryptos. XRP/USD receives a strong bid on Monday, making another attempt at correcting the heavy drop.

XRP Discussions with Trump Administration

Ripple’s chief marketing strategist Cory Johnson, in an interview, revealed Ripple has been discussing XRP with the Trump administration. He […]

Pre-Market Analysis and Chartbook: Risk Assets Lower Again amid US-Saudi Tensions

Monday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,767           -0.19%
DAX 30          11,582          0.51%
WTI Crude Oil   71.95           0.62%
GOLD            1,233           0.96%
Bitcoin         6,413           3.72%
EUR/USD         1.1581          0.21%

The deep correction that took hold of US equity markets last week is set to continue today, as the Asian and European sessions have been […]

Crypto Update: Coins Fall After a Quiet Weekend

The cryptocurrency segment stabilized this weekend after a technically important breakdown that shifted the short-term outlook to clearly bearish. While the stability was a small plus for bulls, the lack of bullish momentum and the fact that the majors remained below key resistance levels meant that most of the coins remained on sell signals in […]

A Few Lessons From Last Week

There is an adage on Wall Street. It is quite old. It was passed down to me from my grandfather last Wednesday. It goes something like this. When the cops raid the brothel, they take everybody including the piano player. No matter when the notion originated, it applies directly, and painfully, to last week’s […]

5 Things To Watch Next Week + Chartbook

2800 Level in Focus in the S&P 500

S&P 500 Futures, 4-Hour Chart Analysis

The trendline breaks that we pointed out last week, which were triggered by the jump in Treasury yields, led to an unexpectedly volatile selloff in US markets, while dragging stocks lower globally too. Now, as the technicals shifted bearish in almost […]

Bitcoin Cash Price Analysis: BCH/USD Looks Favorable for Upside Despite No Gemini Support and Jimmy Song Trash Talk

Bitcoin Cash technical price developments look supportive of further upside momentum. Gemini adds Litecoin support, but not Bitcoin Cash for now. Jimmy Song says Bitcoin Cash has no reason to exist.

Bitcoin Cash News Flow

Gemini, the cryptocurrency exchange founded by the Winklevoss twins, recently added Litecoin support. In terms of Bitcoin Cash, Gemini […]

Nasdaq Leads Dead-Cat-Bounce Before the Weekend

US stocks finished broadly higher yesterday, with the most oversold Nasdaq leading the way higher, and with all of the main sectors finishing in the green. The market-leading tech giants led the charge, but on a negative note, small-caps underperformed again, and in general, charts are still wounded across the board. Nasdaq 100 Futures, 4-Hour […]

Tron Price Analysis: TRX/USD Shoots Higher After Justin Sun Leaves Community Drooling from Anticipation

TRON (TRX) is elevated, as price breaks out to the upside from a bull flag pattern formation. Justin Sun has sparked much excitement within the foundation’s community, following a tweet hinting of another huge partnership announcement.

Justin Sun Has Another Announcement

The Tron founder, Justin Sun, has left the community very excited following a tweet […]

Bitcoin Update: 2018 and 2014 Bear Market Comparison

Technical analysis is the study of historical price action in an attempt to forecast future price movement. The assumption is that history tends to repeat itself and that human emotions such as fear and excitement can be predictable. That’s why technical traders and investors rely heavily on price action, volume, and other indicators to get […]

Litecoin Price Analysis: LTC/USD $50 Level Comes to The Rescue, as Buying Returns

Litecoin (LTC) price received a decent bounce ahead of the big psychological $50 mark on Friday. LTC/USD dropped to the lowest levels seen since 18th September; a recovery is now eyed, following the steep fall. Litecoin (LTC) had suffered a bout of selling pressure during the prior session, as seen across the cryptocurrency market. LTC/USD initially […]

Crypto Update: Altcoins in Trouble Despite Bounce as Bitcoin Holds Above $6000

While the major cryptocurrencies experienced an oversold bounce in Asian trading today, the key technical breakdowns in the segment are intact. The top altcoins extended their losses before the bounce, but Bitcoin held up relatively well again, avoiding a test of the $6000 level and staying well above the key long-term support zone that might […]

Wall Street Ends Lower after Roller Coaster Session

Yesterday’s steep selloff in US stocks, which led to a global rout in risk assets, continued today, despite several violent intraday rally attempts. All of the major indices finished the day in the red, although in after-hours trading we’ve seen another bounce, illustrating the hectic environment. Taking a step back, the most important global […]

Boeing Still Being a Good Investment, but Not Now

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets

In one of our previous articles, we spoke about the rising demand for pilots and air transportation, which made us focus on relevant companies. Another important aspect here is aircraft, without which no air transportation is possible. So today, we’ll analyze one of the largest aircraft manufacturers out […]

Finally Time To Switch Away From Stocks?

I know that talk is cheap and for the last few months I have babbled on about inflated stock prices and the relative values to be had in cryptocurrencies, so it is ok if you roll your eyes and sigh. But the relative value case has an inevitability to it that can’t be ignored. In […]

Ethereum Price Analysis: Flood Gates are Open as Price Plummets Lower from Rising Wedge Pattern

Ethereum (ETH) is at threat of firmly giving up the $200 level, on the back of a crypto market wide sell-off. ETH/USD breaks aggressively from rising wedge pattern, running towards third consecutive week of losses.

Ethereum Price Pressure

The Ethereum (ETH) price came crashing out from a rising wedge pattern on Thursday. As a result, […]

Pre-Market Analysis And Chartbook: Carnage Spreads as Stocks Extend Losses

Thursday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,779           0.25%
DAX 30          11,643          -0.60%
WTI Crude Oil   72.2            -0.58%
GOLD            1,213           1.28%
Bitcoin         6,190           -5.03%
EUR/USD         1.1578          0.51%

10 years after the Lehman-Crash, we have another chaotic October at hand in stocks, as equity markets had their worst 24 hours since the February […]

Ripple Price Analysis: XRP/USD Downside Risks Intensify as a Hole is Pierced in Major Support Area

Ripple price was under heavy pressure on Thursday, due to a chunky crypto-market wide sell-off. XRP/USD bears have applied further pressure to break down a key demand area.

Ripple Price Pressure

The Ripple price came under heavy selling pressure on Thursday, due to a bloodbath being observed across the crypto market. XRP/USD is seen down over […]

Stocks Crash as Treasury Yields Push Higher and Hurricane Makes Landfall

It was a perfect storm for equities today on Wall Street, as the rise in yields following the release of the Producer Price Index (PPI) was joined by the landfall of the rapidly intensifying Hurricane Michael in Florida. Sentiment quickly turned from bad to worse and as the short-term oversold conditions didn’t lead to a bounce, buy-the-dippers […]

Crypto Update: Trade Setups for Bitcoin Cash and 0x

In the last two months, numerous altcoin pairs managed to put a stop to the bleeding in the crypto markets. Some of these pairs shed as much as 90% of their value from this year’s high. Ironically, the extreme plummet was one of the main catalysts that helped them carve a bottom. Many altcoins became […]

Bitcoin Cash Price Analysis: Roger Ver Planning to Launch an Exchange with BCH as the Base-currency

The CEO of Bitcoin.com, a digital currency wallet provider, noted that the organization is exploring launching its own exchange. Bitcoin Cash (BCH) still looks promising for a potential bull rally, despite the minor downturn seen.

Bitcoin Cash Advocate Exploring Exchange Offering

Roger Ver was speaking during an exclusive interview with Bloomberg in Malta, making it […]

Thieves and Geeks: Russian and Chinese Hacking Communities

Insikt Group

Scope Note: Recorded Future’s Insikt Group analyzed advertisements, posts, and interactions within hacking and criminal forums to explore the capabilities, cultures, and organization of Chinese and Russian hacking communities. Sources include the Recorded Future product, as well as Russian and Chinese personas created by Recorded Future to interact with actors on these forums.

This report will be of greatest interest to organizations seeking to understand the criminal underground to better monitor industry- and company-specific threats, as well as to those investigating the Russian or Chinese criminal undergrounds.

Executive Summary

When researchers primarily focus on items being sold on dark web markets, many gloss over the various types of communities that reside within the forums themselves, either focusing solely on Russian hacking collectives or not talking about forum members at all. This can cause readers to assume that the “hacker community” is an amorphous collective of individuals transcending borders and cultures. Quite the opposite — each country’s hackers are unique, with their own codes of conduct, forums, motives, and payment methods. Recorded Future has actively analyzed underground markets and forums tailored to Russian and Chinese audiences over the past year and has discovered a number of differences in content hosted on forums, as well as differences in forum organization and conduct.

Key Judgments

  • Both Russian and Chinese forums host a wide variety of international content. While it is uncommon for Russian forums to advertise data dumps from Russian companies, data dumps and malware originating from Chinese companies are usually only found on Chinese forums.
  • Chinese speakers are active on Chinese, English, and Russian forums, while few to no Russian or English speakers use Chinese forums.
  • Although current Chinese posts on non-Chinese forums are tailored to Chinese buyers, Recorded Future assesses with low confidence that Chinese buyers are beginning to bring services, data, and malware once unique to Chinese forums to a more international audience.
  • Russian forums will likely continue to provide content to a wide set of buyers on the internet in order to generate as much revenue as possible.
  • Russian forums are more tailored to business transactions, while Chinese forums instead focus on building the Chinese hacking community. Both communities sell goods and services for regional users, although this is far more prevalent on Chinese forums.
  • Hacktivism originating from China as a result of politically sensitive international events has continued even after the dissolution of the original patriotic hacking groups and is likely to continue in the future.

Analysis

Russian Forums — Thief Spirit

Chinese and Russian hacker groups, while emerging from similarly authoritarian countries, have very different origin stories and operate in different ways. Russian-speaking cybercriminals hold one thing above all else: money. Although sophisticated cybercrime is a trademark of the former Soviet Bloc, the financially-motivated cyber underground has much of its roots in the United States.

In 2000, the underground forum Counterfeit Library emerged as one of the first carding and fraud forums for English speakers.[1] Russian speakers, upon discovering Counterfeit Library, wanted their own version, and responded with the “Odessa Summit.” This summit brought together a group of around 20 of the most premier Ukrainian fraudsters, who later became the founders of the Russian-language “Carders Alliance,” or simply CarderPlanet.[2] CarderPlanet implemented a hierarchy of moderators and vetted all vendors before allowing them to sell any dumps, CVVs, fulls,[3] SSNs, eBay accounts, magnetic stripe encoders, or skimmers — all the staple products of the carder community.

Following the lead set by CarderPlanet, the English-speaking world responded with ShadowCrew, another carding forum catered to Western fraudsters with the professionalism and structure of the Russian-speaking underground.[4] Later, in 2005, the opening of CardersMarket allowed Western and Eastern fraudsters to conduct business with each other in the same forum.[5]

Counterfeit Library

The homepage of the original fraud and carding forum, Counterfeit Library.

During these early years in the formation of the cybercriminal underground, much of the activity surrounding credit card fraud, phishing, spamming, and the like was conducted by Americans. This is evidenced by the number of big busts and takedowns, such as Operation Firewall, Operation Shrouded Horizon, and the DarkMarket takedown, which dismantled many of the serious Western carder communities.

In Eastern Europe, technology use spread more slowly, and it took more time for internet connectivity and the personal computer to become ubiquitous in the republics and federations of the former USSR. The well-educated and underpaid citizens of these countries turned to crime against the West because they had the technical skills and needed the money. This is evidenced in the explosion of the types of scams, fraud, and malware launched by Russians in the early 2000s. For example, “Webmaster” forums such as Crutop and Master-X emerged with a focus on driving traffic to countless niche porn sites. Rogue pharmaceutical affiliate programs (or “partnerkas”) such as GlavMed and Rx-Promotion paid affiliates to spam out ads for erectile dysfunction medications and antidepressants. Pyotr Levashov, also known as Severa, operated rogue antivirus partnerkas, referral programs that deceived victims into buying useless software claiming to clean up infected computers, in addition to spreading the infamous Waledac and Kelihos botnets. The JabberZeuS Crew, the Business Club, and other crime rings collectively pocketed over $200 million from U.S. and U.K. financial institutions using Evgeniy Bogachev’s ZeuS banking trojan before law enforcement could put a stop to it. These are only a small fraction of the cyber underground’s economic success stories, and there is little indication of it slowing down.

Current Landscape

Russian forums leave very little room for socializing or camaraderie. These sites are places of business, not bastions for community. Respect and trust are built on successful financial transactions, and the reliable, consistent forum members rise to the top of their trade, while those with lesser consistency are given poor ratings. Members with poor ratings or bad reviews often end up on the forum’s blacklist and can be sentenced to a role as a “kidala” or “ripper,” meaning an individual who rips off others. There are no apprentices in this corner of the dark web, and few Russian forum members are willing to teach anyone anything without clear financial benefit.

Despite being focused on business, successful members offer useful tools and good customer service. Carders who deal in bulk and provide good customer service, such as refunding declined credit cards in a timely manner, are preferred and rewarded with loyal buyers for as long as the supply lasts. Sellers of trojans and spam services give out holiday discounts, and bulletproof hosters pay referral bonuses to any existing customers who send them new business. These actors operate with the financial wit of the major corporations they themselves so often target.

Kidala

Kidala is a website dedicated entirely to tracking the rippers of the criminal underground — 15,839 and counting.

There have been multiple instances of Russian hackers engaged in patriotic, vigilante activity, such as the cyberattacks against Estonia, Georgia, and others deemed personae non gratae by the Russian Federation. According to a study by Arbor Networks titled “Politically Motivated Distributed Denial of Service Attacks,” the pro-Kremlin youth group Nashi was allegedly involved in a DDoS attack against Estonia after a Soviet monument was removed.[6] There was also a DDoS bash script made publicly available on the Russian blogging site LiveJournal whose function was to ping flood a list of Estonian IPs, allowing the less technical actors to get into the fight. The study also found that during the brief Russo-Georgian war, a DDoS attack was launched in sync with Russian tanks from various BlackEnergy-based botnets. One source claims that the spammer, Peter Levashov (Severa), sent out spam messages slandering the Kremlin and Mikhail Prokhorov, and recruited hackers to the “Civil Anti-Terror” community, which targeted Islamist and Chechen-separatist websites.[7] Other, more verifiable accounts of Kremlin-backed hackers include Karim Baratov and Alexsey Belan, who were recruited by the FSB to orchestrate the Yahoo breach beginning in 2014.

Chinese Forums — Geek Spirit

Unlike Russia’s underground hacking community, many of China’s first hackers rallied around patriotism.[8] Much of this sentiment originated from China’s national determination to never relive its “century of humiliation” from the late 1800s and early 1900s, during which it was coerced by other great powers into unequal treaties, concessions, and a forced opium trade.

China’s first hacker groups emerged in the late 1990s, triggered by anti-Chinese riots in Indonesia. Chinese netizens expressed outrage at the international community for treating their fellow citizens with contempt and set up discussion boards, social media groups, and bulletin board systems to plan defacements against Indonesian government websites. Many of these boards evolved into the first Chinese hacking groups: the Green Army, China Eagle Union, and Hongke (or Honker) Union. These groups all contributed to early internet defacements, DDoS attacks, and credential thefts targeting the U.S. and other Chinese adversaries. One such attack was in May of 2001, when the Hongke Union famously DDoSed the White House site and targeted websites of U.S. businesses in retaliation for the collision between a U.S. spy plane and a Chinese fighter jet off of Hainan Island that occurred a month earlier.

Website Defacement

Defacement of a U.S. website by Hongke (or Honker) Union group.

While all three of these original groups have either shut themselves down, splintered, or faded away, this initial wave of cyber patriotism enabled a robust government-hacker relationship in China. Individuals have been recruited into government positions from Chinese technical forums, and many famous old-school hackers now run large cybersecurity and technology firms in China’s flourishing cybersecurity market while maintaining excellent business relationships with the Chinese government. Numerous Chinese cybercriminals have also admitted to contracting their services to national intelligence agencies and military organizations like the Ministry of State Security or the People’s Liberation Army.

Although many have also been turned into security news forums, patriotic hacking sites do still exist. Historically, Chinese hacktivist activity tends to increase noticeably whenever geopolitically sensitive events occur in the East Asian region. Chinese hacktivist groups have reemerged to deface sites in countries involved in disputes with China over islands in the South and East China Seas. In 2012, 300 Japanese organizations were listed as targets for defacement on the message board of a Hongke Union-affiliated web page (eight years after the Hongke Union’s leaders had officially called for the group’s disbandment) to proclaim Chinese sovereignty over the Diaoyu Islands, a subject of intense diplomatic dispute between China and Japan during that time.

A new hacktivist group, 1937CN, initially compromised websites in Vietnam in May 2014 after Vietnamese outrage over a Chinese oil rig deployed in Vietnamese territorial waters. After primarily defacing websites in the Philippines in late 2015, 1937CN famously compromised the check-in systems at multiple major Vietnamese airports in July 2016, exposing the personal data of approximately 411,000 passengers in the process. This was allegedly a patriotic response to Vietnam’s relocation of missile launchers to disputed islands in the South China Sea.

It is difficult to determine how independently these hackers are acting. Malware found during the 1937CN’s Vietnamese airport compromise has been linked to wider, possibly state-sponsored cyberespionage campaigns against Vietnamese organizations. However, the group also seems to contain elements of hacktivism. 1937CN has a Zone-H web defacement account, various social media accounts linked to their website, and even a promotional video consisting of multiple hooded individuals wearing Guy Fawkes masks, uploaded to a popular video-sharing site in July 2017.[9] Additionally, the Chinese government took down 1937CN’s website in March 2017, which it has done in the past to websites of other Chinese hacker groups that too aggressively pursue perceived slights to China’s reputation.

Current Landscape

Chinese forum members feel an overwhelming sense of community online. The term “geek spirit” (极客精神) is used to denote forum culture and refers to groups of technical individuals who hope to create a more ideal society. Many of these forums require members to engage with a post, either through a comment or personal message, before being able to purchase or trade malware. Daily interaction on a forum can also be a prerequisite for maintaining forum membership or a way to generate in-forum currency — money specifically held inside the forum used to buy products and added to by outside sources such as Bitcoin and Alipay.

This required social interaction with other forum members builds community; comments within forums range from slang praising the tools written by advertisers, to messages thanking the seller outright. In addition, Chinese hackers advertise applications for apprenticeship programs on similar forums, where a more experienced hacker will teach an apprentice for a fee, dividing work among members based on skill level. Potential hackers will also ask for tutelage to get more involved in the community. This willingness to teach and this social engagement are in stark contrast to the norms on Russian-language forums that we detailed above.

Forum Post

Forum post requiring a “回复,” or reply, before a user can gain access to software that copies digital signatures.

Forum Post

Encouraging replies on a forum thanking a user for sharing a custom tool.

Organization of Russian Underground Forums

The social dynamics within the Russian criminal forums are fairly compartmentalized and professional. This is exemplified by the fact that Russian fraudsters and Russian hackers largely operate on different forums. Fraud and carding forums are focused on the sale of stolen financial information, while hacking forums have more of a focus on malware, exploits, and other technical tools. Among general hacking forums, three main tiers of forums have evolved: open, semi-private, and closed. Open forums are largely available to all users, requiring only a functional email account for registration. Semi-private communities have some threshold for entry, such as a $50 registration fee or proof of membership on other boards. The administrators of more prestigious “closed” forums require those applying for membership to prove the authenticity of the illicit services they offer and/or require current forum members to vouch for them. Other forums like Exploit require users to have a certain number of posts to see more sensitive content.

Historically, these forums have been accessible on the clearnet, but many have adopted Tor mirrors as both a backup and a separate means of access for those without virtual private networks (VPNs). The forum administrators for Verified moved to Tor entirely in 2018 due to difficulties staying online on the clearnet, cycling through multiple top-level domains and hosts. Other criminal resources, like the carding shop Joker’s Stash, have adopted blockchain DNS, utilizing a decentralized approach to their carding operation and resilience against traditional takedown efforts.

Korovka Banner Ads

Banner ads posted in English and Russian from the forum Korovka.

Russian fraudsters and hackers do not rely on the traditional banking system to facilitate payments. Some of the original digital currency systems, like the now defunct E-gold, ePassporte, and Liberty Reserve, required little more than a valid email address to transfer stolen money into usable bank accounts and debit cards. For well over a decade, WebMoney was the go-to method of payment used on the Russian forums, but Recorded Future has observed a substantial decline in its use since the rise of cryptocurrency. Presently, Bitcoin, Monero, and other cryptocurrencies have been widely adopted in the Russian underground forums, and a cottage industry of cashout services has cropped up to exchange those coins into dollars or rubles. Money laundering operations like Fethard and ChronoPay are also used on top of cryptocurrencies, as the operations utilize an ever-changing network of banks and front companies to cover the final destination of currency used in illicit transactions.

Russian cyber outlaws must abide by an unwritten law if they desire to remain in front of their computer screens instead of a judge at the Moscow City Court: do not target citizens of the Commonwealth of Independent States. While Eastern Bloc cybercriminals have been known to test their malware on the domestic population before turning their cyber weapons toward Western targets, offenders who do more than just testing are quickly arrested. Dmitry “Paunch” Fedotov used his Blackhole exploit kit to spread multiple forms of malware internationally, but was only arrested when he started spreading malware for the Carberp gangs, who made their living targeting Russian citizens. Pavel Vrublevsky, owner of Russian payment processing service ChronoPay, provided money laundering and logistical services for illegal pharmaceutical sales and rogue antivirus without Russian government intervention, but he was arrested after ordering a DDoS attack on the rival Russian payment processor Assist. Recorded Future has seen, and still sees, many Russian hackers who specifically state that their malware is not to be used against Russians or members of the CIS.

Organization of Chinese Underground Forums

Chinese hacker groups are organized notably differently from their Russian counterparts, partly because of China’s strict censorship regime. The Golden Shield Project, later known as the “Great Firewall of China,” has been run by China’s Ministry of Public Security since 2000. It was initially conceived to promote the adoption of advanced technology to strengthen central police control, responsiveness, and crime-fighting capacity. As internet adoption spread rapidly through China, however, much of the project evolved to focus on content filtering for Chinese users through IP blocking, DNS misdirection, and packet filtering.

The Great Firewall blocks websites, apps, social media, email, messages, VPNs, and other internet content the Chinese state deems inappropriate or offensive. For Chinese hackers this often makes searching for foreign hacking content, or for illegal content for sale, difficult. The Great Firewall also has multiple methods to identify outgoing Tor connections and block access to the Tor network, where many underground forums and marketplaces reside. One of the only consistent ways for Chinese citizens to “跳墙” (“jump the wall”) is to use a VPN.

However, since 2017 China’s Ministry of Industry and Information Technology (MIIT) has required VPN providers in China to be licensed by Chinese officials, and has since shut down many VPNs it described as “unauthorized.” This further limits the ability of Chinese hackers to anonymously search the web or reach international hacking sources. Because jumping the Great Firewall is so difficult, far fewer Chinese forums or marketplaces are hosted on Tor than Russian or English ones; instead, Chinese hackers have developed their own communities, based loosely on the original domestic patriotic hacking groups, and have set up a wide variety of lower-level hacking forums readily available on the Chinese internet.

In addition to these online communities, many hackers make heavy use of invite-only chat groups or forums within the Chinese social media platforms QQ, Baidu Tieba, and WeChat. Native Chinese chat groups and forums are also heavily censored and are occasionally shut down by the Chinese government, which has closed multiple hacking and fraud sites in the past on various legal grounds. Some QQ groups still advertised on dark web sites are no longer accessible, and searches for Tieba bars that housed known hacker activity show up as banned. Furthermore, because the Chinese government has historically driven hacking activity through both formal and informal channels, many Chinese forum members are fully aware of the consequences of acting outside that informal agreement and usually avoid targeting systems within their homeland.

Onion Site

Onion site showcasing a QQ group that no longer exists.

Many Chinese entry-level forums also do not use Bitcoin, owing to China’s de facto ban on cryptocurrencies: China banned domestic initial coin offerings (ICOs) in September 2017, actively blocks domestic access to foreign cryptocurrency exchanges, and has barred Chinese financial institutions from handling Bitcoin transactions since 2013. To work around the difficulty of obtaining Bitcoin in China, Chinese forums accept payments through Alipay or Chinese bank transfers. Members can also earn forum currency by interacting with posts.

Chinese Forum Admin Post

Admin post on a Chinese forum stating that the forum accepts payments through Alipay, WeChat, QQ, online banking, and PayPal. A forum member has the option to share this post on multiple Chinese social media outlets.

Chinese forums are also usually less compartmentalized than their Russian counterparts, and more community-focused than business-focused. Fraudsters and exploit writers often use the same forums (albeit advertising their wares in different channels within the forum), and Chinese marketplaces dedicated to specific goods such as drugs or pornography will also contain a “hacker” section. Many underground forums for erotic content also advertise “cracked web cameras”: cameras in bathrooms or bedrooms that amateur hackers have broken into. Member accounts on many forums have been somewhat gamified. Chinese accounts are sometimes assigned levels, numbers correlated with how often an account logs on, how many sales posts it has made, and whether it has ever violated forum rules, which encourages users to interact and share more. This resembles Russian forums, which require a user to pass a set number of posts before viewing certain content. Both Russian and Chinese forums offer VIP-only channels and content as rewards for consistent participation, but Chinese forums additionally offer in-forum currency, as mentioned above.

Drug Website Menu

Menu of drug website with a section for “hackers” next to sections for mushrooms and LSD.

In general, Chinese forums and marketplaces are organized into the same three tiers (open, semi-private, and closed) as Russian forums. As with Russian forums, the quality and complexity of the products sold on the more open forums is usually lower than on their closed counterparts, mostly because of differences in vendor sophistication and reliability. Forums in both languages also contain an administrator-verified “blacklist” section, where members post proof that a vendor delivered a faulty or deliberately false product or service; this is usually a sufficient deterrent against unreliable vendors. Forums with higher barriers to entry end up with more experienced vendors simply by having a vetting process. Most vetting is explicit (paying a forum admin, proving access to other forums, or having an existing member sponsor the newcomer), but some Chinese forums also vet implicitly. For example, many Chinese hacker QQ and WeChat group numbers are advertised only on semi-private forums, so anyone joining the group must already have been vetted by another forum.

Another implicit vetting mechanism is simply hosting the forum on Tor. Many Chinese forums hosted on Tor require only an email address to register, but every Chinese user must be able to jump the Great Firewall and know how to find the forum in order to register at all. This likely explains why users of these forums are more technical than users on the Chinese clearnet.

Content in Russian Underground Forums and Marketplaces

Malware

Malware on Russian forums has evolved rapidly, but forum tradecraft has largely stayed the same. Ransomware, loaders, trojans, exploit kits, installs, spam bots, web traffic, forged documents, money mules, bank accounts, and credit cards are all still present and accounted for; they just look a bit different. Rogue antivirus, for example, evolved into scareware, scareware into lockers, lockers back into scareware, and scareware finally into ransomware. Each has its own flavor, but all hold a victim’s computer hostage until the hackers are paid to go away. The exploit kits Blackhole, Phoenix, and Nuclear have come and gone, succeeded today by Rig, Magnitude, and GrandSoft. One of the few significant changes in tradecraft is that malware is now more likely to be dropped by weaponized Word macros than by the once-dominant exploit kits.

ZeuS persists to this day across Russian malware forums as a trojan blueprint, despite the takedown of the GameOver ZeuS botnet in 2014. Its source code, leaked in 2011, fed a plethora of banking trojans such as SpyEye, Dridex, and Carberp, and its lineage survives today in Tinba and others. While banking trojans are certainly still in play, groups like FIN7 cut out the middleman and target banks directly. Although three of its senior members have been arrested, Recorded Future believes the remaining members of Combi Security have potentially learned enough from their former managers to pose a threat to financial institutions in the days to come.

Because releasing source code multiplies the number of vendors selling the same or derivative malware, as ZeuS’s descendants show, malware authors guard their source code carefully. Malicious programs on the underground, such as banking trojans and loaders, are sold as “builds,” which function like individual software licenses. For example, Smokebot, sold by the actor SmokeLdr, costs $400 per license, with optional modules such as a form-grabber for $300 and a cryptominer for $100. There are even terms of agreement stating that each build (license) is for one individual only and may not be resold. Rebuilds of Smokebot, that is, modifications of its configuration file, cost an additional $10 each and are necessary whenever the customer needs to add a new command-and-control server after a takedown or blacklisting. Only SmokeLdr can update the program’s configuration, since only the author holds the source code. All of these facets (full control of the source code, the add-on modules, and the recurring need for rebuilds) maximize the monetization of Smokebot and are common practice throughout the Russian underground.

Partnerkas, or affiliate programs, are also used by malware authors to maximize revenue from a single piece of software. The ransomware Cerber, operated by the threat actor crbr, works this way: crbr distributes builds of Cerber to affiliates, the actors participating in the partnerka, who then spread Cerber themselves through vectors such as spam or malvertising and in return earn a percentage of every ransom paid. This arrangement lets crbr focus on developing Cerber and its infrastructure while outsourcing all distribution to third parties, without sharing the source code with anyone.

Fraud

Dealing in fraud often means dealing in bulk. The Target and Home Depot attackers absconded with data on 40 million and 56 million payment cards, respectively. Selling that many cards one at a time on forums or over Jabber would be a herculean labor requiring a large support staff working around the clock. Automated vending sites (also called “carding shops”) such as Rescator, Trump’s Dumps, and Joker’s Stash were created to solve this problem, letting carders order specific types and quantities of credit and debit card data with no human interaction at all. Their layout resembles Amazon or eBay: buyers point and click on what they want, add it to their cart, and check out within minutes. Without such carding sites, it would be extremely difficult to monetize the massive volumes of data stolen in mega-breaches.

Other fraud-related services require a much more personal touch. Criminals of all sorts often need fake identification in the form of driver’s licenses, ID cards, and passports, all of which can be found on Russian forums. The actor vengativo offers one such service, claiming that the fraudulent documents it sells are indistinguishable from the real thing. This actor sells ID cards from dozens of European countries for as much as $400, passports for countries such as the U.S. and Germany for $2,000, and even fake diplomas from Lithuanian universities. Believable identification documents are essential for fraudsters looking to buy high-value electronics in-store with stolen payment cards, or to open a bank account in a foreign country for money laundering.

Miscellaneous: Bulletproof Hosting and VPNs

Criminal forums, Jabber servers, banking trojan infrastructure, and other criminal operations cannot exist without hosting, and their users cannot operate safely without some form of network anonymity. Bulletproof hosting, meaning hosting services operating in jurisdictions over which large tech companies and federal law enforcement have no influence, therefore forms the backbone of the criminal underground. Actors like Whost, in business for over a decade, offer servers in Beirut, Lebanon for as little as $100 per month. Fast-flux hosting services run by actors like Yalishanda make takedown efforts extremely difficult by constantly cycling infrastructure such as command-and-control domains through an ever-changing series of IP addresses. VPNs that let actors hide their true IPs are also sold on Russian forums; FirstVPN, for instance, offers a variety of VPN configurations with servers in 24 countries for hard-to-trace network activity. Together these autonomous services form a sort of dark web ISP on which the criminal underground is built.
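The fast-flux behaviour described above is also what a defender can hunt for in passive DNS: a command-and-control domain keeps its TTL short and answers with a different address on nearly every lookup, spread across unrelated networks, whereas a CDN-backed site also returns several addresses but from one block and with long TTLs. The Python below is an added example by the editor, not code from Recorded Future or from any actor named in the report; the DNS observations are constructed, the thresholds are illustrative assumptions, and the /24 prefix stands in for the ASN lookup a real pipeline would do against a BGP table.

```python
"""Fast-flux heuristic over passive DNS observations (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer seen in passive DNS."""
    domain: str
    ip: str
    ttl: int       # seconds
    seen_at: int   # epoch seconds


# Thresholds are illustrative assumptions, not values from the report.
MAX_FLUX_TTL = 300       # flux records keep TTLs short so rotation takes effect quickly
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3    # /24 is a cheap stand-in for "different hosting networks"


def network_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24 (assumption: proxy for distinct networks)."""
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(observations):
    """Per-domain counts: distinct IPs, distinct /24s, largest TTL, observation window."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    summary = {}
    for domain, obs in by_domain.items():
        times = [o.seen_at for o in obs]
        summary[domain] = {
            "distinct_ips": len({o.ip for o in obs}),
            "distinct_nets": len({network_of(o.ip) for o in obs}),
            "max_ttl": max(o.ttl for o in obs),
            "window_s": max(times) - min(times),
        }
    return summary


def is_fast_flux(stats) -> bool:
    """All three signals must agree: short TTL, many addresses, many networks."""
    return (stats["max_ttl"] <= MAX_FLUX_TTL
            and stats["distinct_ips"] >= MIN_DISTINCT_IPS
            and stats["distinct_nets"] >= MIN_DISTINCT_NETS)


def flag_domains(observations):
    """Sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


# Constructed sample: "cnc-update.example" rotates through unrelated /24s with a
# 60 s TTL; "cdn-assets.example" also returns several IPs, but all from one block
# with a long TTL, as a normal CDN or round-robin setup would.
SAMPLE = [
    DnsObservation("cnc-update.example", "203.0.113.7",    60, 1000),
    DnsObservation("cnc-update.example", "198.51.100.22",  60, 1060),
    DnsObservation("cnc-update.example", "192.0.2.91",     60, 1120),
    DnsObservation("cnc-update.example", "203.0.113.140",  60, 1180),
    DnsObservation("cnc-update.example", "198.51.100.9",   60, 1240),
    DnsObservation("cnc-update.example", "192.0.2.17",     60, 1300),
    DnsObservation("cdn-assets.example", "203.0.113.10", 3600, 1000),
    DnsObservation("cdn-assets.example", "203.0.113.11", 3600, 1060),
    DnsObservation("cdn-assets.example", "203.0.113.12", 3600, 1120),
    DnsObservation("cdn-assets.example", "203.0.113.13", 3600, 1180),
    DnsObservation("cdn-assets.example", "203.0.113.14", 3600, 1240),
]

if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE).items():
        print(domain, stats, "FAST-FLUX" if is_fast_flux(stats) else "ok")
```

The /24 proxy is the weakest part: the compromised hosts that make up a flux network are typically residential, so their addresses fall in many providers’ ranges, while a single hoster could still rotate within one /24. Swapping network_of for an ASN lookup leaves the rest of the logic unchanged.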

Content in Chinese Underground Forums and Marketplaces

Malware

Common categories on Chinese malware forums include DDoS tools, remote access trojans, antivirus evasion techniques, and penetration testing. Certain forums also contain sections for cracked software and areas where individuals can hire hackers. In addition to selling malware and other tools, members share programming and hacking tutorials on the same forums, occasionally offering or seeking teaching or mentorship. Many clear web posts on malware and tooling use code words or state that the tools are for “research purposes” only.

Many lower-tier or open Chinese forums carry advertisements for malware written by foreign vendors or for open source tools, but the same forums often also contain malware unique to these Chinese communities. Much of it comes from newer hackers who want criticism of malware they have written themselves and usually have access only to lower-level forums. Replies under the original advertisement often review the custom malware and suggest how the author can improve it, so authors frequently release multiple builds of their product, much like vendors on Russian forums. Unlike their Russian counterparts, however, many Chinese malware authors will offer up their source code for a small fee in order to gather feedback from other members for newer editions. Cracked software is also commonly advertised on Chinese forums and is usually tailored to the East Asian market: Xunlei Download Manager, YangCong Math, and the Baidu Wangpan cloud service are all products consumed primarily by Chinese speakers, and cracked versions of each are readily found on underground Chinese forums.

Forum Categories

Forum categories including source code sharing, software cracking, tools and software, and remote access trojans.

Cracked Software Mentions

Mentions of cracked software on forums collected by Recorded Future.

Fraud

While Chinese forums advertise credit card data and personal information belonging to international users of large multinational corporations, many posts contain equal amounts of data from China’s distinctive domestic technology industry. Taobao and Alipay accounts, for example, are almost as prevalent as sets of Visa card numbers on certain forums. Most of the data belonging to these companies consists of East Asian user accounts.

Furthermore, some of this data is found only on Chinese forums, as with a data dump from 51job, Inc. in June 2018. Recorded Future found the dump of 2.45 million accounts from the major Chinese job board and provider of integrated human resource services on DeepWebChinese on June 14, 2018, and detected no reference to it on any non-Chinese forum. Similarly, the Chinese delivery service SF Express suffered a data breach in July 2018 whose contents had, as of late August 2018, surfaced only on Chinese dark web marketplaces.

Recorded Future assesses with medium confidence that domestic data dumps are not shared beyond domestic Chinese marketplaces because of linguistic and cultural barriers. Not only is there little linguistic crossover between forums, but exploiting a Chinese account or personal information requires knowledge of Chinese services. China’s technology industry is largely tailored to its domestic market, with services and functionality distinct from those of its international competitors, so Chinese accounts are primarily used and understood by native Chinese speakers.

Beyond opportunities to make money through cybercrime and identity theft, Chinese vendors advertise forged documents for sale, most of them tailored to a Chinese audience. Forged foreign diplomas are incredibly popular: paste sites and forums in every language carry Chinese advertisements for diploma-creation services meant to fool family and friends, and many vendors even claim their diplomas pass the credential checks that state-owned corporations run through the Chinese Ministry of Education. Other common forgeries include foreign passports and Chinese business licenses. Vendors play on the concept of “mian-zi” to attract clientele, claiming that these diplomas, passports, and business licenses will bring better career opportunities and respect from family members. Like Chinese hackers, Chinese fraudsters openly sell their tools and tutorials alongside their wares.

What Is Mian-Zi?

The concept of “mian-zi,” or “face,” can be described as gaining and retaining respect or prestige from peers. Much of Chinese culture revolves around this concept, especially in family and business matters. “Losing face” can be such a fear for individuals in China that they would rather deceive others than admit their shortcomings. For example, some women returning to their hometowns over Chinese New Year rent fake boyfriends to show their parents rather than admit they are single, and young Chinese businessmen have found that buying a fake diploma is an easy way to pad a résumé before a job search.

Miscellaneous: Weapons, Pornography, VPNs

Compared with other hacker forums, Chinese marketplaces advertise a wide variety of miscellaneous wares uniquely tailored to Chinese and other East Asian buyers. Although possession of many of these items is completely legal in other countries, they are illegal in mainland China.

For example, only a small fraction of the pornographic content shared on Chinese marketplaces would be considered illegal outside China. The Chinese Communist Party, however, treats all pornography as a form of “illegal publication,” and its General Administration of Press and Publication (GAPP) has been trying to shut down pornography sites since the early 2000s. Online pornography vendors have therefore moved from blatant advertising to internet slang (the terms “welfare”10 and “getting on a car”11 are both common euphemisms for explicit content) and have largely shifted from open sites to live-streaming applications and underground forums.

As for weaponry, large knives are commonly found on Chinese dark web marketplaces. This is likely a result of national regulations controlling the sale of knives with blades longer than 15 cm (5.9 inches), imposed after knife attacks within the country in 2008, 2011, and 2014 attributed to Uighur separatists.

Although VPN sales are not unique to Chinese forums, the sheer number of VPNs for sale on them is notable. Mentions of VPN access shared or sold on Chinese underground forums have risen steadily since January 2017, when the Ministry of Industry and Information Technology announced that VPN providers must be licensed by Chinese officials, and rose even more rapidly once China’s official ban on unlicensed VPNs took effect in March 2018.

VPN Mentions

Mentions of VPNs on Chinese forums and dark web marketplaces in Recorded Future.

Interactions Between Chinese and Russian Hackers in Forums

Analysis of select underground forums in Recorded Future shows that Russian forums consist primarily of English and Russian posts, with some Chinese overlap. The Chinese posts indicate that Chinese vendors are communicating with Chinese buyers on foreign forums, and many of them advertise fraud services tailored to Chinese audiences, such as the fake diploma sales mentioned above.

In contrast, Chinese forums consist almost entirely of Chinese-language posts; most “English” posts on them are made up of numbers, code, or simple words. It is therefore probable that while some Chinese vendors and buyers are present on Russian and English forums, very few non-Chinese vendors advertise on Chinese forums. The absence of Russian or English speakers on Chinese forums could be due to the language barrier between Chinese and Russian hackers: Chinese is among the hardest languages to learn, and relatively few Russians speak a foreign language at all.

More likely, however, the abundance of Russian- and English-language hacking forums removes any need for actors fluent in those languages to look elsewhere. These two points would also explain the lack of Chinese malware or data dumps on non-Chinese forums: because non-Chinese speakers do not use both sets of forums, products that originate on Chinese forums are rarely resold on foreign forums, if at all. On the other hand, even the small presence of Chinese speakers on non-Chinese forums suggests that Chinese vendors are trying to reduce their exposure to domestic monitoring and government intervention while increasing their exposure to buyers in foreign marketplaces in order to stay in business. If so, this may be a result of the Chinese government’s efforts to censor and shut down Chinese forums.

Forum Breakdown

Breakdown of select forums by post language. Source: Recorded Future data.
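A breakdown like the one charted above can be reproduced with a script-based heuristic: count the letters in each post by Unicode script and take the majority, treating posts that are only numbers, group IDs or bare commands as noise rather than English, since those are exactly the “English” posts the report finds on Chinese forums. This is an added example written for this edit, not Recorded Future’s classifier; the posts are constructed, and mapping Latin script to English is an assumption that holds on these forums but not in general.

```python
"""Classify underground forum posts by writing system (constructed sample posts)."""
import unicodedata
from collections import Counter


def script_of(ch: str):
    """Map one character to a coarse script bucket; None for non-letters."""
    if not ch.isalpha():
        return None  # digits, punctuation, whitespace carry no language signal
    name = unicodedata.name(ch, "")
    if name.startswith("CJK UNIFIED IDEOGRAPH"):
        return "chinese"
    if name.startswith("CYRILLIC"):
        return "russian"
    if name.startswith("LATIN"):
        return "latin"
    return "other"  # kana, hangul, Arabic, ... are not separated here (assumption)


def classify_post(text: str, min_letters: int = 4) -> str:
    """Majority script of the letters in a post.

    Posts with fewer than `min_letters` letters (group numbers, prices, bare
    commands) are tagged 'noise' instead of being counted as English. Latin
    script is reported as 'english' (assumption: Latin-script posts on these
    forums are overwhelmingly English).
    """
    counts = Counter(s for s in map(script_of, text) if s)
    if sum(counts.values()) < min_letters:
        return "noise"
    script, _ = counts.most_common(1)[0]
    return "english" if script == "latin" else script


def breakdown(posts):
    """Share of posts per bucket, rounded to two places, in the shape of the chart."""
    counts = Counter(classify_post(p) for p in posts)
    return {lang: round(n / len(posts), 2) for lang, n in sorted(counts.items())}


# Constructed posts, not scraped forum content.
SAMPLE_POSTS = [
    "Продам билды лоадера, цена 400$",       # Russian vendor post
    "Selling fresh dumps, escrow accepted",  # English vendor post
    "出售源码，支持支付宝付款",                  # Chinese: source code for sale, Alipay accepted
    "VPN 翻墙稳定 支持微信",                   # Chinese post with a Latin product name
    "QQ群 123456789",                        # QQ group number: too few letters to classify
    "Дампы USA/EU, гарант форума",           # Russian with Latin country codes
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"{classify_post(post):8} {post}")
    print(breakdown(SAMPLE_POSTS))
```

Counting letters rather than whole posts is what keeps a mostly Chinese post with a Latin product name (“VPN”) in the Chinese bucket; raising min_letters is the knob for how much of the numbers-and-code residue gets dropped.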

Outlook

The hacker cultures of China and Russia each have their own genesis and have evolved to take advantage of their respective regional circumstances. Understanding the differences between these communities is essential to grasping the threats they currently pose and how those threats may evolve.

Recorded Future assesses with high confidence that the Russian underground will follow the money above all else. These forums have predominantly catered to the former Soviet Bloc, but they also have a unique appeal to the international community, since the databases and credit cards sold on them come from victims throughout the world, and the exploit kits and bulletproof hosting are open to almost anyone with enough Bitcoin. A number of sales threads on Russian forums are posted in both English and Russian, demonstrating a willingness to expand into other markets. This cross-cultural outreach is reminiscent of the original fraudster forums and could once again bring English-speaking hacker communities closer to their Russian comrades. Anyone with enough background in English, a mandatory subject in Chinese schools, could find their way into some of these Russian forums and the extensive criminal arsenal therein. The result may be an exchange of tactics and tools across English-, Chinese-, and Russian-speaking criminal groups, whose targets would then face potentially new methods of attack.

The members of the Russian-language cyber underground pose a global threat because of their sophistication and the diversity of their criminal operations. Regardless of location, every financial institution, social network, and ISP should take note that it and its customers are or could be targets, and should keep its systems continually patched against commonly known vulnerabilities.

Recorded Future also assesses with medium confidence that China’s determination to cut its citizens off from Tor and VPN access, in its crusade toward a “clean and righteous internet,” will cause Chinese markets and hacker forums to shut down. Increasing numbers of Chinese dark web vendors will then peddle their wares on foreign sites, increasing foreign access to previously region-specific malware and hard-to-get data. If no such drift occurs and the Chinese underground forums survive as China tightens its noose on online anonymity, we assess that the Chinese government implicitly tolerates domestic cybercrime below a certain threshold.

For now, companies doing business in China or the wider East Asian region should monitor Chinese hacking forums and marketplaces for credential leaks and for operations targeting company infrastructure, given the variety of East Asia-specific data found specifically on these forums. Companies with offices in East Asia should also ensure that their infrastructure is secured against malware developed within Chinese forums, and monitor politically sensitive regional events that might spur Chinese patriotic hacktivism.
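Monitoring forums for credential leaks comes down to parsing whatever dump format the vendor posted and matching it against the domains you own. The Python below is an added example for that recommendation, not a Recorded Future tool; the watched domains, the dump layout and every sample line are constructed. It normalizes mailboxes (case, plus-addressing), keeps only a fingerprint of each secret rather than the secret itself, and separates plaintext passwords, which need an immediate forced reset, from hashes.

```python
"""Scan a credential dump for a company's own domains (constructed data)."""
import hashlib
import re
from dataclasses import dataclass

# Domains the company wants alerts for (assumed).
WATCHED_DOMAINS = {"example.com", "example.com.cn"}

# Underground dumps are usually "email:secret" or "email;secret" lines; the
# secret may be a plaintext password or a hash. Constructed sample, not a real leak.
SAMPLE_DUMP = """\
alice@example.com:Summer2018!
Bob.Lee@EXAMPLE.com.cn:5f4dcc3b5aa765d61d8327deb882cf99
carol@other.example:hunter2
dave+forum@example.com;P@ssw0rd
not an email line
"""

LINE_RE = re.compile(r"^\s*([^:;\s]+@[^:;\s]+)\s*[:;]\s*(\S+)\s*$")
HEX_HASH_RE = re.compile(r"^[0-9a-fA-F]{32,128}$")  # MD5 .. SHA-512 hex lengths


@dataclass(frozen=True)
class Hit:
    email: str
    secret_kind: str   # "hash" or "plaintext"
    fingerprint: str   # sha256 prefix of the secret: lets analysts dedupe across
                       # dumps without ever storing the secret itself


def normalize_email(raw: str) -> str:
    """Lower-case and strip plus-addressing so one mailbox matches once."""
    local, _, domain = raw.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def classify_secret(secret: str) -> str:
    """Plaintext is the urgent case: it needs a forced reset, not an offline crack."""
    return "hash" if HEX_HASH_RE.match(secret) else "plaintext"


def scan_dump(text: str, domains=WATCHED_DOMAINS):
    """Return a Hit for every parsable line whose mailbox is on a watched domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, vendor ads, malformed lines
        email = normalize_email(m.group(1))
        if email.rpartition("@")[2] not in domains:
            continue
        secret = m.group(2)
        fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
        hits.append(Hit(email, classify_secret(secret), fingerprint))
    return hits


if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print(hit)
```

The fingerprint is what you hand to the identity team: they can check whether the same secret reappears in a later dump, and force a reset for the plaintext cases, without the monitoring pipeline becoming a second copy of the leak.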

1Poulsen, K. Kingpin. Broadway Books. 2011.

2Ibid.

3Personally identifiable information used for financial fraud.

4Poulsen, K. Kingpin. Broadway Books. 2011.

5Ibid.

6Nazario, Jose. Politically Motivated Denial of Service Attacks. 2008.

7Shnygina, Anna. “‘It’s our time to serve the Motherland’ How Russia’s war in Georgia sparked Moscow’s modern-day recruitment of criminal hackers.” 2018.

8Henderson, Scott J. The Dark Visitor. 2007.

9While also known as the symbol of international hacking collective Anonymous, the Guy Fawkes mask was popularized by 2005 film V for Vendetta, widely thought to be banned in China until 2012.

10福利: Welfare/material comforts; slang for explicit content.

11上车: Getting on a car; slang for sharing explicit content.

The post Thieves and Geeks: Russian and Chinese Hacking Communities appeared first on Recorded Future.

     

Bounce Fades in Stocks as Market Awaits Inflation-Data

It was a hectic but mixed day for US stocks. The major indices opened lower, with the technical breakdown in Europe weighing heavily on sentiment on Wall Street, but stocks quickly recovered their early losses. The bounce failed to turn into a full-fledged rally, and although the recently struggling Nasdaq ended the day […]

The post Bounce Fades in Stocks as Market Awaits Inflation-Data appeared first on Hacked: Hacking Finance.

Ripple Price Analysis: XRP/USD at Risk of September Bull Run Being Completely Deflated

Ripple’s native token XRP is at large danger of totally giving back the big September bull run gains.  XRP/USD is capped to the upside at $0.6000. Vital near-term support seen tracking from $0.4550-0.4350. Ripple’s native token XRP price has further been sent down to the burning south. This comes after the chunky and excessive bull […]

The post Ripple Price Analysis: XRP/USD at Risk of September Bull Run Being Completely Deflated appeared first on Hacked: Hacking Finance.

The Australian Dollar Is In No Hurry To Rise

By Dmitriy Gurkovskiy, Chief Analyst at RoboForex On Tuesday October 9th, the Australian Dollar is still attempting to recover against the USD after plummeting at the beginning of October. Strengthening of the USD that took place earlier turned out to be a serious test for the Aussie to go through as the US Dollar got […]

The post The Australian Dollar Is In No Hurry To Rise appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: European Stocks Hit Multi-Month Lows

Tuesday Market Snapshot Asset Current Value Daily Change S&P 500 2,882 -0.33% DAX 30 11,901 -0.38% WTI Crude Oil 74.53 0.42% GOLD 1,191 -0.01% Bitcoin 6,573 -0.47% EUR/USD 1.1454 -0.32% Stock markets are broadly lower yet again today just after the US open, with pronounced weakness and multi-month lows in Europe. The major US indices […]

The post Pre-Market Analysis And Chartbook: European Stocks Hit Multi-Month Lows appeared first on Hacked: Hacking Finance.

Crypto Update: Rally Attempts Fails Again as Ripple Weighs

The cryptocurrency segment still resembles a swamp, as prices are stuck in narrow trading ranges, with no major moves in any of the top coins for almost a week now, except the short-term breakdown in Ripple.  It’s no surprise that the technical picture is unchanged, with a slightly mixed short-term outlook and a still overwhelmingly […]

The post Crypto Update: Rally Attempts Fails Again as Ripple Weighs appeared first on Hacked: Hacking Finance.

Nasdaq Hit Hard Despite Afternoon Bounce

The Nasdaq has been in the center of attention on Wall Street yet again, as the tech benchmark continues to lead the selloff in US stocks. The Nasdaq hit a two-month low today, dipping below last week’s low, while the S&P 500 and the Dow are still faring better from a technical perspective. The industrial […]

The post Nasdaq Hit Hard Despite Afternoon Bounce appeared first on Hacked: Hacking Finance.

Crypto Update: Rosy Outlook for IOTA/Bitcoin

Technical analysis is all about making sense of chaos. To do that, you must be able to shut the noise and focus on the long-term direction. For instance, a plummet of over 75% can be so overwhelmingly loud that participants who were once invested in the asset might never look at it again. However, those […]

The post Crypto Update: Rosy Outlook for IOTA/Bitcoin appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: Here Come the Bulls, as Price Finally Breaks Bullish Pennant  

Bitcoin Cash price edges over a bullish pennant pattern to the upside. Bulls will need to capitalize on this breach. Next major upside target would likely be $575, where a supply zone is seen. Bitcoin Cash Developments Looking at the news flow side of things, CoinText.io, an SMS service to send cryptocurrency, expanded its services […]

The post Bitcoin Cash Price Analysis: Here Come the Bulls, as Price Finally Breaks Bullish Pennant   appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Moves Within Ascending Wedge Pattern as Community Speculates Over Creator’s Future

ETH/USD is moving within an ascending wedge pattern, with price action very narrow at the current point. The Ethereum (ETH) community speculates on creator Vitalik Buterin’s future as part of the foundation. Ethereum Developments Vitalik Buterin, the creator of Ethereum (ETH), provided some updates on developments from the foundation. These came via his Twitter, after being asked […]

The post Ethereum Price Analysis: ETH/USD Moves Within Ascending Wedge Pattern as Community Speculates Over Creator’s Future appeared first on Hacked: Hacking Finance.

Crypto Update: Week Starts on a Bullish Note as Sideways Drift Continues

The major cryptocurrencies haven’t made meaningful progress during the weekend, with Ripple’s move below support being the most important change in the technical setups. Today, we saw some positive price action in early trading, as Chinese markets reopened following the Golden Week, and traditional financial markets remained in a risk-off mood. The top coins are […]

The post Crypto Update: Week Starts on a Bullish Note as Sideways Drift Continues appeared first on Hacked: Hacking Finance.

Dash Price Analysis: DASH/USD Looking to Escape The Stubborn Block of Consolidation after BitGo Addition

DASH/USD is stuck within a chunky block of consolidation, as price action narrows further, subject to a breakout. BitGo adds DASH to its list of supported cryptocurrencies due to its “instant payment” and “privacy payment” features. DASH/USD has been trading within a very mundane range, with price action continuing to narrow. It has been stuck within, […]

The post Dash Price Analysis: DASH/USD Looking to Escape The Stubborn Block of Consolidation after BitGo Addition appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM/USD Has the Potential for a Short-term Rally, Though Bearish Set-up Eyed

Stellar’s XLM potentially has further room for upside within the short-term view. Danger still looms for XLM/USD, as the daily chart suggests a bearish technical pattern is setting up. Stellar’s native token, XLM, has failed to commit to any sustained trend. This has been the case since the start of July. Bull rallies that have […]

The post Stellar Price Analysis: XLM/USD Has the Potential for a Short-term Rally, Though Bearish Set-up Eyed appeared first on Hacked: Hacking Finance.

Crypto Slumber: Time To Wake Up?

How many times this year did we hope for stability in the crypto market? Well, now we are having all the quiet and calm anyone could ever want. But what good is stability anyway? The answer to that question is easy: lots of things. For one thing we have learned that mass acceptance of […]

The post Crypto Slumber: Time To Wake Up? appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Breaks Support as Market Ticks Lower

Choppy trading continues in the cryptocurrency segment, with most of the majors still stuck in narrow trading ranges and little change in the technical setup. Ripple is back in the center of attention after a period of lower trading activity in the third largest coin. XRP moved below short-term support, triggering a short-term sell signal […]

The post Crypto Update: Ripple Breaks Support as Market Ticks Lower appeared first on Hacked: Hacking Finance.

Another Risk-Off Session Closes the Week on Wall Street

The official US employment report caused even more turmoil in financial markets than usual, as the most watched data points sent conflicting signals about the most important global labor market. Non-Farm Payrolls missed the consensus estimate by a mile, the Unemployment Rate hit an almost 50-year low at 3.7%, while the most-awaited Average Hourly Earnings […]

The post Another Risk-Off Session Closes the Week on Wall Street appeared first on Hacked: Hacking Finance.

Brent Crude Oil Update: Roadblocks Ahead

Brent Crude Oil (BCO/USD) has been flexing its muscles ever since it breached resistance of $70 in April 2018. This enabled the pair to break out of the large inverse head and shoulders pattern on the daily chart. The price action signaled the start of the commodity’s uptrend. However, six months into the uptrend and […]

The post Brent Crude Oil Update: Roadblocks Ahead appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: When is BCH/USD Taking Another Extended Move Higher?

The Bitcoin Cash price behavior suggests another imminent breakout is likely. Upside surprises appear more likely than any potential downside breakouts. BCH/USD continues to move within a bullish pennant pattern formation. Narrowing price action indicates a breach is near. The Bitcoin Cash price after the huge surge to the upside on 26th September, attributed to the […]

The post Bitcoin Cash Price Analysis: When is BCH/USD Taking Another Extended Move Higher? appeared first on Hacked: Hacking Finance.

XRP Still a Mixed Bag

XRP is downtrending on Friday Oct 5, trading at around 0.5202 (-1.6%), says Dmitriy Gurkovskiy, Chief Analyst at RoboForex. Technically, XRP is correcting on H4 after the previous uptrend. The correction went down to break out 61.8% Fibo. Afterwards, the price went up again to form a fractal high and the current correction channel, with […]

The post XRP Still a Mixed Bag appeared first on Hacked: Hacking Finance.

Monero Price Analysis: XMR/USD Bulls Cooking Up Big Potential Moves

XMR/USD price action this week has, surprisingly, been generally muted. Current price behavior looks more favorable to seeing upside surprises rather than any heavy selling pressure. The Monero price this trading week has been somewhat muted. This comes as quite a surprise given the recent updates from the foundation. The foundation introduced the Malware Workgroup, a huge […]

The post Monero Price Analysis: XMR/USD Bulls Cooking Up Big Potential Moves appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Turn Lower Again as Trading Ranges Remain Intact

The major cryptocurrencies are still trading with low volumes and low volatility across the board, with now even the recently active Ripple settling down within its triangle consolidation pattern. The total value of the market is virtually unchanged compared to the previous weekend, hovering around the $220 billion level. Yesterday’s bounce quickly lost momentum, and […]

The post Crypto Update: Coins Turn Lower Again as Trading Ranges Remain Intact appeared first on Hacked: Hacking Finance.

Pre-Market Analysis and Chartbook: Risk Assets Under Pressure as Volatility Returns

Friday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,902           -0.29%
DAX 30          12,142          -0.83%
WTI Crude Oil   74.51           -0.16%
GOLD            1,202           -0.09%
Bitcoin         6,528           -0.29%
EUR/USD         1.1494          -0.17%

Stocks have been choppy with a bearish bias today in European trading, with yesterday’s steep US selloff still affecting markets across the globe. All eyes are […]

The post Pre-Market Analysis and Chartbook: Risk Assets Under Pressure as Volatility Returns appeared first on Hacked: Hacking Finance.

Treasuries and Stocks Tumble as Jobs Friday Looms

Financial markets had a bloody US session, with the second half of the day in particular bringing steep losses in stocks. All of the major indices finished deep in the red, while the Volatility Index (VIX) surged to its highest level since the mid-August emerging market rout. Treasury yields, which triggered the selloff, retreated off their […]

The post Treasuries and Stocks Tumble as Jobs Friday Looms appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: Big Optimism Boost Following Litecoin Futures Update

The Litecoin (LTC) price is looking to close in the green, after six consecutive sessions of losses. A new regulated cryptocurrency exchange, ErisX, may soon launch Litecoin futures and others. Positive Litecoin Development TD Ameritrade, a brokerage firm based in the U.S., has launched a new regulated cryptocurrency exchange, ErisX. This will facilitate spot and futures […]

The post Litecoin Price Analysis: Big Optimism Boost Following Litecoin Futures Update appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: Imminent Breakout Anticipated, with Eyes on Another Bull Run

The Cardano (ADA) price has been showing some promising signs, following the project’s 1-year anniversary. ADA/USDT is near the end of a triangular pattern, which can also be perceived as a bullish pennant pattern. Cardano a few days ago celebrated its one-year anniversary. It is still very much a new project to hit the industry. […]

The post Cardano Price Analysis: Imminent Breakout Anticipated, with Eyes on Another Bull Run appeared first on Hacked: Hacking Finance.

Pre-Market Analysis and Chartbook: Stocks Tumble as US Yields Surge

Thursday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,921           -0.16%
DAX 30          12,280          -0.05%
WTI Crude Oil   76.33           0.14%
GOLD            1,202           0.13%
Bitcoin         6,536           1.23%
EUR/USD         1.1505          -0.83%

The major US indices ended another session near their intraday lows yesterday, and today the market is set to open clearly in the red too. […]

The post Pre-Market Analysis and Chartbook: Stocks Tumble as US Yields Surge appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Rebound but Selling Pressure Persists

The cryptocurrency market is experiencing a relief rally today after several days of dominantly bearish price action in the majors. The rebound left the short-term technical setup unchanged, and yesterday’s downgrades in our trend model are in place. Most of the top coins are trading in or near the trading ranges that developed last week, […]

The post Crypto Update: Coins Rebound but Selling Pressure Persists appeared first on Hacked: Hacking Finance.

Crypto Update: TRON/Bitcoin Looks Ready to Make a Splash

The TRON/Bitcoin pair (TRX/BTC) may be down by over 80% from the 2018 high of 0.00002047. If you’ve been following our crypto updates, you would have known by now that such heavy losses can be the catalyst of a trend reversal. This actually makes sense from the perspective of a whale. You force or wait […]

The post Crypto Update: TRON/Bitcoin Looks Ready to Make a Splash appeared first on Hacked: Hacking Finance.

Crypto Market Development: South Korea’s National Policy Committee Chair Calls For ICO Legalization

A member of South Korea’s governing Democratic party and the chairman of Korea’s National Policy Committee, Min Byung-Doo, is urging an easing of the current regulations on Initial Coin Offerings (ICOs). Min Byung-Doo wants to introduce the necessary regulatory framework to allow ICOs in the country. Allow ICOs In South Korea The South Korean National Policy Committee Chief, […]

The post Crypto Market Development: South Korea’s National Policy Committee Chair Calls For ICO Legalization appeared first on Hacked: Hacking Finance.

Vietnam ETFs: Growing Higher Than Planned

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets Quite recently, we’ve been speaking about TUR (NYSE: TUR), a Turkish ETF that declined severely because of US customs duties. This, in fact, allowed investors to enter the market at a lower price, while TUR is now up, 15% away from its lows. Still, investing opportunities appear not […]

The post Vietnam ETFs: Growing Higher Than Planned appeared first on Hacked: Hacking Finance.

Pre-Market Analysis and Chartbook: Dow Hits Record High, 27,000 in Sight

Wednesday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,941           0.40%
DAX 30          12,252          0.00%
WTI Crude Oil   74.85           -0.25%
GOLD            1,206           -0.14%
Bitcoin         6,477           -0.35%
EUR/USD         1.1531          -0.13%

Risk assets, especially stocks, staged a rebound today in early Asian and European trading, with the US indices recovering a large part of their late-session […]

The post Pre-Market Analysis and Chartbook: Dow Hits Record High, 27,000 in Sight appeared first on Hacked: Hacking Finance.

Will Bitcoin Rally To $20,000 Before The End Of 2018?

This time last year Bitcoin was just getting into the swing of its chunky 2017 bull run. From the week commencing 25th September 2017 until the week commencing 11th December, Bitcoin gained around 445%. Bitcoin Rally 2017 Looking back at 2017, Bitcoin investors enjoyed a huge rally to the upside towards the end of the year. […]

The post Will Bitcoin Rally To $20,000 Before The End Of 2018? appeared first on Hacked: Hacking Finance.

Crypto Update: Technical Outlook Deteriorates as Selloff Continues

While the major coins are slightly off their lows before the start of the US session, the cryptocurrency segment is having a clearly bearish day so far. Several coins triggered downgrades in our trend model in the past 24 hours, falling below key support levels and trendlines. Most of the top coins are only modestly […]

The post Crypto Update: Technical Outlook Deteriorates as Selloff Continues appeared first on Hacked: Hacking Finance.

Crypto Versus Cannabis: What You Need To Consider

Here is a question worth taking a moment to consider. Which would you rather own: one Bitcoin or 130 shares of Canopy Growth Corp (NYSE: CGC, $50)? They are both about equal in value based on current prices. But what about next week, next month or as far out as maybe 2020? The point […]

The post Crypto Versus Cannabis: What You Need To Consider appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: BCH/USD Big Bullish Pennant Eyed For A Breakout

The Bitcoin Cash price as of late has been outperforming several of its peers across the market. BCH/USD price behavior has formed a bullish pennant pattern. Range-bound trading has been seen following the aggressive spike higher on the 26th–27th. Bitcoin Cash Price Behavior The Bitcoin Cash price has been performing relatively well in comparison to several […]

The post Bitcoin Cash Price Analysis: BCH/USD Big Bullish Pennant Eyed For A Breakout appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: Euro Hits 6-Week Low

Tuesday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,926           -0.12%
DAX 30          12,252          -0.71%
WTI Crude Oil   75.08           -0.48%
GOLD            1,209           1.44%
Bitcoin         6,526           -0.69%
EUR/USD         1.1538          -0.34%

Global stock markets are mixed after the US open, with the main European indices being significantly lower amid the growing tensions surrounding the Italian budget […]

The post Pre-Market Analysis And Chartbook: Euro Hits 6-Week Low appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Drift Lower but Key Support Levels Hold

The major cryptocurrencies are sporting small losses today in European trading, with Ripple still being the most volatile from a short-term perspective. In general, the market is very calm, with most of the top digital currencies being stuck in the ranges that developed during the weekend. The volatility compression will likely lead to a larger […]

The post Crypto Update: Coins Drift Lower but Key Support Levels Hold appeared first on Hacked: Hacking Finance.

Oil Surges as Stocks Pull Back in Late Trading

It’s been a very busy session in global financial markets, with two distinct intraday trends dominating the major asset classes. The day started out on a clearly positive note, with the help of the US-Canadian trade deal that put an end to the post-NAFTA questions regarding the US-Mexican-Canadian trade relations. USD/CAD, 4-Hour Chart Analysis The […]

The post Oil Surges as Stocks Pull Back in Late Trading appeared first on Hacked: Hacking Finance.

Crypto Update: Laggard Altcoins Play Catch Up

In September 2018, many altcoins started to break out of their bearish patterns to signal the beginning of the end of the altcoin apocalypse. Pairs such as Ripple/Bitcoin (XRP/BTC), Doge/Bitcoin (DOGE/BTC), and Monero/Bitcoin (XMR/BTC) led the way. These markets doubled or tripled their value from the bottom in a matter of days. Eventually, other altcoin […]

The post Crypto Update: Laggard Altcoins Play Catch Up appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: Trade Deal Lifts Risk Assets

Monday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,937           0.54%
DAX 30          12,326          0.65%
WTI Crude Oil   73.33           0.11%
GOLD            1,189           -0.61%
Bitcoin         6,583           -0.22%
EUR/USD         1.1607          0.05%

Stocks are broadly higher in European trading, as several positive catalysts lifted the major local and US indices. The trade deal between the US, Mexico, […]

The post Pre-Market Analysis And Chartbook: Trade Deal Lifts Risk Assets appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Flatline, Major Move Ahead?

The cryptocurrency segment has been very quiet during the weekend, with most of the major coins trading in progressively narrowing ranges with very low volumes. The total value of the market settled down near $220 billion, with only Ripple experiencing meaningful moves, hovering around the $24 billion market cap of Ethereum. The short-term picture remains […]

The post Crypto Update: Coins Flatline, Major Move Ahead? appeared first on Hacked: Hacking Finance.

Crypto Market Update: Japan’s Self-Regulatory Group (JVCEA) Readying Tighter Rules on Digital Assets

A group of cryptocurrency exchange operators in Japan is readying to tighten up measures following a recent cyber breach. The action follows a reported hack earlier in the month, in which the cryptocurrency exchange Zaif lost an estimated $59.67 million. Self-Regulatory Group Set To Tighten Rules The Japan Virtual Currency Exchange Association (JVCEA) is exploring new rules to safeguard against cyber […]

The post Crypto Market Update: Japan’s Self-Regulatory Group (JVCEA) Readying Tighter Rules on Digital Assets appeared first on Hacked: Hacking Finance.

5 Things To Watch Next Week

US Stocks Continue Rally 10 Years After The Bloody October? S&P 500 Index Futures, 4-Hour Chart Analysis. 10 years ago the major stock markets crashed in October across the board, with the financial crisis, which had been under way for quite a while, entering its “mainstream” phase. Today, stock markets are in a very different […]

The post 5 Things To Watch Next Week appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Drift Higher as Ripple Hits $0.60 Again

The major cryptocurrencies continued the relatively quiet weekend so far today, with only Ripple’s rally making headlines in the segment. Trading volumes are low, as is volatility, and most of the top coins are stuck in very narrow short-term ranges. The mixed short-term and bearish long-term outlook is intact, but Ripple’s strength led to an […]

The post Crypto Update: Coins Drift Higher as Ripple Hits $0.60 Again appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Attempts Another Rally as Market Remains Stable

The cryptocurrency segment settled down today after the selloff in the second half of the session yesterday. Ripple is the most active among the majors, spiking higher in early trading, and while most of the top coins are also off their lows, yesterday’s highs are clearly above the current price levels in most cases. With […]

The post Crypto Update: Ripple Attempts Another Rally as Market Remains Stable appeared first on Hacked: Hacking Finance.

Sugar Update: Possible Bullish Action Ahead

Sugar (SUGAR/USD) has been in a downtrend since it generated a lower high of 0.32358 in July 2011. This capped off an impressive bull run that saw the market climb from $0.10 in December 2008 to its 10-year high of $0.36353 in February 2011. At that point, the market started to show signs of weakness. […]

The post Sugar Update: Possible Bullish Action Ahead appeared first on Hacked: Hacking Finance.

Pre-Market Analysis and Chartbook: Dollar Surges as European Stocks Plunge

Friday Market Snapshot

Asset           Current Value   Daily Change
S&P 500         2,913           -0.23%
DAX 30          12,230          -1.66%
WTI Crude Oil   72.11           -0.01%
GOLD            1,190           0.24%
Bitcoin         6,619           1.61%
EUR/USD         1.1588          -0.46%

While the week has been encouraging up until now in European and emerging market equities, which finally rose together with US stocks, today, Europe erased […]

The post Pre-Market Analysis and Chartbook: Dollar Surges as European Stocks Plunge appeared first on Hacked: Hacking Finance.

Crypto Update: Litecoin Hits $64 Resistance Level After Triggering Buy Signal

The cryptocurrency segment continued to lean bullish for the second day in a row, despite the late-session pullback yesterday, with Litecoin and Bitcoin Cash leading the rally today. On the other hand, the top 3 coins have been quiet today, with Ethereum and Bitcoin both failing to rally, and with Ripple getting stuck below resistance, […]

The post Crypto Update: Litecoin Hits $64 Resistance Level After Triggering Buy Signal appeared first on Hacked: Hacking Finance.

Pre-Market: Dollar Bounces, Stocks Pull Back After Rate Hike

While the market’s initial reaction to the Federal Reserve’s widely expected rate hike yesterday was positive, Chairman Jerome Powell spooked the markets at the subsequent press conference. He told the press that some asset prices are rich from a historical perspective, which is absolutely true, as we pointed out several times. EUR/USD, 4-Hour Chart Analysis […]

The post Pre-Market: Dollar Bounces, Stocks Pull Back After Rate Hike appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Surges Again But Remains Weak

The cryptocurrency segment had a mostly bullish Fed-Day, with last week’s star, Ripple, experiencing a strong rebound after the correction of the past few days. Although most of the majors spent the day in the green, their gains are dwarfed by the more than 20% rise in the price of XRP, with the closely correlated […]

The post Crypto Update: Ripple Surges Again But Remains Weak appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple and Dash Are Showing Bullish Continuation

Many cryptos started this week in the red as heavy profit taking commenced. For those who bought the hype amidst the breakout rally, the price action would have been catastrophic. A lot of altcoin pairs have dropped more than 20% from the top of the rally. Fortunately in trading, you only lose money once you […]

The post Crypto Update: Ripple and Dash Are Showing Bullish Continuation appeared first on Hacked: Hacking Finance.

Ether to Face Another Selloff

Ether is going down on Wed Sep 26, trading around $213.07. The crypto recently lost 2.80% of its value. As Dmitriy Gurkovskiy, Chief Analyst at RoboForex, says, the selloff started three days ago. Today, however, Ether’s outlook is somewhat more positive, as on Tuesday Buterin’s currency was around the support of $204. Still, on […]

The post Ether to Face Another Selloff appeared first on Hacked: Hacking Finance.

Stocks Go Nowhere Ahead of the Fed

Global stock markets had a very quiet Tuesday, as traders took a step back before tomorrow’s much-awaited Fed rate decision. While most of the major indices finished the day virtually unchanged, risk assets gained ground in general, as investor sentiment improved following the slightly nervous Monday session. DAX 30 Index Futures, 4-Hour Chart Analysis European […]

The post Stocks Go Nowhere Ahead of the Fed appeared first on Hacked: Hacking Finance.

Ripple: One Thing That Doesn’t Make Sense

If you are bored or just tired of reading about Washington politics, just come over to the crypto world. But be warned, the headlines can be just as singularly focused and confusing as anything inside the beltway. Take Ripple, for example: it has had everybody talking for the last week. The coming week is likely […]

The post Ripple: One Thing That Doesn’t Make Sense appeared first on Hacked: Hacking Finance.

Long-Term Cryptocurrency Analysis: Bearish Trend Intact Despite Explosive Rally Attempts

The negative trend in the cryptocurrency segment continues to be dominant, with almost all of the top coins trading below the structural support levels that were broken during the summer months. Bitcoin is still above the $5850 level, the last base support before last winter’s explosive speculative event, but Ethereum, Ripple, Litecoin, and the other […]

The post Long-Term Cryptocurrency Analysis: Bearish Trend Intact Despite Explosive Rally Attempts appeared first on Hacked: Hacking Finance.

Investors Getting High on Cannabis

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets A year ago, you would hardly find even the most financially illiterate person in the world who had not heard of Bitcoin or cryptocurrency. Regardless of whether they knew what it was, at least they knew you could earn money with it! Opportunities to earn easy money […]

The post Investors Getting High on Cannabis appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Leads Selloff After Weekend Consolidation

Sellers are back in full force in the cryptocurrency segment, as Ripple retraced a large chunk of last week’s surge in late trading on Monday. The coin dragged the whole market lower, with Bitcoin, Ethereum, and all of the major altcoins registering significant losses. The 5-10% decline and the almost 20% plunge of XRP hurt the […]

The post Crypto Update: Ripple Leads Selloff After Weekend Consolidation appeared first on Hacked: Hacking Finance.

Stocks Pull Back as China Exits Trade Talks

Global stock markets have spent the better part of the day in the red, although the losses are muted, and markets are slightly choppy before Wednesday’s Fed meeting. China pulled out of the scheduled trade talks with the US following last week’s tariff-escalation and that put pressure on risk assets globally. Chinese and Japanese markets […]

The post Stocks Pull Back as China Exits Trade Talks appeared first on Hacked: Hacking Finance.

Crypto Update: Bullish Continuation Patterns for Lisk and Waves

Last month, we ran a series of articles about altcoins that broke out from patterns that had kept them bearish for most of the year. A few days after the breakouts, the rallies faded. It caused many to feel that the breakouts were bull traps. Many of the altcoins we covered showed signs of weakness. Some […]

The post Crypto Update: Bullish Continuation Patterns for Lisk and Waves appeared first on Hacked: Hacking Finance.

Crypto Update: Market Stabilizes as Ripple Craze Fades

The major cryptocurrencies had a crazy Friday, with the skyrocketing Ripple in the center of attention. XRP more than doubled in 24 hours, and the coin was up 3 times off its low from earlier this month before entering a correction in the second half of the day. Ripple briefly took over Ethereum as the second […]

The post Crypto Update: Market Stabilizes as Ripple Craze Fades appeared first on Hacked: Hacking Finance.

Forex Update: A Good Time to Accumulate Euros

On our August 31 Forex Update, we revealed how the Euro is looking strong against major currencies such as the British Pound (EUR/GBP), Japanese Yen (EUR/JPY), and the Canadian Dollar (EUR/CAD). Widening our scope, we discovered that the Euro is also doing well against other major currencies. Other than its recent struggles against the US […]

The post Forex Update: A Good Time to Accumulate Euros appeared first on Hacked: Hacking Finance.

ETFs: What Is The SEC Really Thinking?

As a veteran Wall Street type, I was not surprised at Thursday’s SEC announcement on the VanEck-SolidX Bitcoin ETF. Once again they gave a “no decision”. This pushes the deadline back to December 29, 2018. Don’t be surprised if New Year’s Eve comes and goes and nothing happens before the SEC is forced into a […]

The post ETFs: What Is The SEC Really Thinking? appeared first on Hacked: Hacking Finance.

Stocks Pull Back From Highs as Pound Plunges

After yesterday’s record-breaking session, US stocks once again broadly opened at all-time highs, even as the momentum of the global rally waned. Chinese stocks kick-started the day by extending their relief rally off their 4-year lows and Europe also ticked higher, although the major indices couldn’t hold on to their early gains. Since the US […]

The post Stocks Pull Back From Highs as Pound Plunges appeared first on Hacked: Hacking Finance.

The Flippening: XRP Overtakes Ethereum as Second-Largest Cryptocurrency

XRP’s sudden and dramatic surge over the past four days has fundamentally altered the composition of the cryptocurrency market. On Friday, the so-called banker’s cryptocurrency overtook Ethereum as the world’s second-largest blockchain, highlighting the latter’s struggle over the past two months. Market Cap Rankings The market capitalization for XRP has more than doubled this week […]

The post The Flippening: XRP Overtakes Ethereum as Second-Largest Cryptocurrency appeared first on Hacked: Hacking Finance.

Crypto Update: Surging Ripple Leads Strong Rally, Tops $0.50

The last 24 hours saw a much-awaited bullish shift in the cryptocurrency segment, as finally the rally of a major triggered a broad and sustained move in the other top coins as well. Ripple surged by 50% after the initial rally off the bear market lows, and it really took off after yesterday’s buy signal […]

The post Crypto Update: Surging Ripple Leads Strong Rally, Tops $0.50 appeared first on Hacked: Hacking Finance.

Crypto: Is Relative Value Investing Time Finally Here?

For at least the past six months you have been kind enough to listen while the topic of relative value in cryptocurrencies has come up more than once. Could it finally be happening? Things are certainly in place. It seems to show every time the price of Bitcoin or any of the altcoins suddenly spikes for […]

The post Crypto: Is Relative Value Investing Time Finally Here? appeared first on Hacked: Hacking Finance.

Pre-Market: S&P 500, Dow Hit Record High Amid Global Rally

The major global indices are marching higher in a concerted fashion today, as the risk-on shift that started after Trump’s trade announcement continues in earnest. Asian stocks were up, but not enthusiastic, while European equities are strong, with the major benchmarks being around 1% higher today. The US market is still the island of bulls, […]

The post Pre-Market: S&P 500, Dow Hit Record High Amid Global Rally appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Settle Down After End-Of-The-Day Bitcoin Madness

While the short-term technical setup has been little changed in the cryptocurrency segment in the past 24 hours, a volatile dump-and-pump period made headlines in Bitcoin. The most valuable coin got smashed lower right before the futures market close, violating the $6275 support and plunging as low as $6100, triggering a downgrade in our trend […]

The post Crypto Update: Coins Settle Down After End-Of-The-Day Bitcoin Madness appeared first on Hacked: Hacking Finance.

Markets Looking for Direction as Dow Eyes All-Time High

Global stocks have been trading without clear direction so far today, even after Asia kicked off the day in a bullish fashion, with the Shanghai Composite rallying for the second session in a row following Trump’s tariff announcement. The Nikkei retreated a bit after its recent surge, but Europe followed China’s lead and the majority […]

The post Markets Looking for Direction as Dow Eyes All-Time High appeared first on Hacked: Hacking Finance.

Crypto Update: Worst Seems to be Over for Stellar and Cardano

With so many cryptocurrency pairs losing as much as 90% of their value from this year’s high, it may seem that altcoins are deep in bear territory. Even if you’ve been following our bullish breakout series, the pullbacks in the last few weeks would have made it easy for you to doubt our claims. […]

The post Crypto Update: Worst Seems to be Over for Stellar and Cardano appeared first on Hacked: Hacking Finance.

Ethereum Making a Decision Where to Go

Ether is losing its value slightly today on Sep 19, trading at around $207.98. Losing 0.25% on Wednesday is not that surprising after a very hard Monday (although Tuesday was neutral). The crypto was above $210 when the session started, but then failed to stay near the local highs, says Dmitriy Gurkovskiy, Chief Analyst at […]

The post Ethereum Making a Decision Where to Go appeared first on Hacked: Hacking Finance.

Crypto Update: Market Remains Weak Despite Ripple’s Surge

Ripple made headlines today in the cryptocurrency segment, as the third largest coin jumped by more than 15% after trading in a narrow range for several days. Most of the major coins joined the rally, but the gains were muted and the technical setup remained unchanged in most cases, with the long-term outlook still being […]

The post Crypto Update: Market Remains Weak Despite Ripple’s Surge appeared first on Hacked: Hacking Finance.

NIO Means Tesla Monopoly Ends

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets On Sep 12, NIO made its IPO on the NYSE, which is a very important event for all automotive investors. Founded in 2014 by William Li, NIO is one of the first companies to compete with Tesla in the premium electric car segment. NIO is based in Shanghai, […]

The post NIO Means Tesla Monopoly Ends appeared first on Hacked: Hacking Finance.

Pre-Market: Sell The Rumor, Buy The News?

After a long period of uncertainty, the US finally decided to commence with the second round of tariffs directed at China, slapping a 10% levy on $200 billion worth of goods, and threatening tariffs on another $267 billion of goods in case of a Chinese retaliation. The tariffs will increase to 25% in 2019, […]

The post Pre-Market: Sell The Rumor, Buy The News? appeared first on Hacked: Hacking Finance.

Crypto Update: Monday Selloff Drags Majors Lower

The cryptocurrency segment continues to show mixed short-term signs following last week’s Ethereum-led bounce and the subsequent consolidation. Today, all of the majors sold off after the US open, triggering downgrades in our trend model, but the two largest coins barely retained their short-term buy signals, holding up above key support levels. Ethereum remained north of […]

Crypto Update: Downtrend Looms for Binance Coin

Binance Coin/Bitcoin (BNB/BTC) is one of the few altcoins that’s in the green this year. The pair is up by over 145% year-to-date. The gains can be shocking, especially if you consider that most crypto pairs are down by 70% – 90%. That’s because BNB/BTC has been known to move against the general cryptocurrency market […]

Good Crypto News: What It All Means

It was another one of those weeks. Crypto prices hit rock bottom around $186 billion. Goldman Sachs backs away from its plans to offer a crypto trading desk. Vitalik Buterin tells Bloomberg how little he thinks of Ethereum. Technical analysts give us little hope for getting bullish anytime soon. But that was before The New […]

Crypto Update: Ethereum Hits 9-day High as Altcoin Bounce Continues

The cryptocurrency segment continued to show signs of short-term strength so far this weekend with the severely oversold altcoins leading the way higher. Ethereum is still in the epicenter of the moves, with the second largest coin pushing higher towards the $235 resistance level as expected. Despite the ongoing bounce, several coins are stuck in […]

BIOS Boots What? Finding Evil in Boot Code at Scale!

The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot chain. However, this process takes time, and even an army of skilled reverse engineers wouldn’t scale to the size of modern enterprise networks. To put this in context, the compromised enterprise network referenced in our ROCKBOOT blog post had approximately 10,000 hosts. Assuming a minimum of two boot records per host, a Master Boot Record (MBR) and a Volume Boot Record (VBR), that is at least 20,000 boot records to analyze! An initial reaction is probably, “Why not just hash the boot records and only analyze the unique ones?” One would assume that corporate networks are mostly homogeneous, particularly with respect to boot code, yet this is not the case. Using the same network as an example, the 20,000 boot records reduced to only 6,000 unique records based on MD5 hash. Table 1 demonstrates this using data we’ve collected across our engagements for various enterprise sizes.

Enterprise Size (# hosts)    Avg # Unique Boot Records (md5)
100-1000                     428
1000-10000                   4,738
10000+                       8,717

Table 1 – Unique boot records by MD5 hash

Now, the next thought might be, “Rather than hashing the entire record, why not implement a custom hashing technique where only subsections of the boot code are hashed, thus avoiding the dynamic data portions?” We tried this as well. For example, in the case of Master Boot Records, we used the bytes at the following two offsets to calculate a hash:

md5( offset[0:218] + offset[224:440] )

In one network this resulted in approximately 185,000 systems reducing to around 90 unique MBR hashes. However, this technique had drawbacks. Most notably, it required accounting for numerous special cases for applications such as Altiris, SafeBoot, and PGPGuard. This required small adjustments to the algorithm for each environment, which in turn required reverse engineering many records to find the appropriate offsets to hash.
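The partial hash above skips exactly the MBR fields that differ from host to host: bytes 218-223 hold the optional Windows disk timestamp, bytes 440-443 the NT disk signature, and bytes 446-509 the partition table, with the 0x55AA marker at 510-511. The following is an added example (not code from the FireEye post) that computes both the whole-record MD5 and the md5(offset[0:218] + offset[224:440]) variant over two constructed MBRs that share the same boot code but differ in those dynamic fields. The boot stub and partition entries are made up for the example; `make_mbr` and `compare_hosts` are helper names chosen here.

```python
import hashlib
import struct

# Documented MBR layout: 0-217 boot code, 218-223 Windows disk timestamp (optional),
# 224-439 boot code continued, 440-443 NT disk signature, 444-445 usually zero,
# 446-509 four 16-byte partition entries, 510-511 the 0x55AA boot signature.
MBR_SIZE = 512


def full_md5(mbr: bytes) -> str:
    """Whole-record hash: changes whenever any per-host byte changes."""
    return hashlib.md5(mbr).hexdigest()


def code_md5(mbr: bytes) -> str:
    """md5( offset[0:218] + offset[224:440] ): the partial hash from the post,
    which skips the disk timestamp and everything from the disk signature onward."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte MBR, got %d bytes" % len(mbr))
    return hashlib.md5(mbr[0:218] + mbr[224:440]).hexdigest()


def make_mbr(code: bytes, timestamp: bytes, disk_sig: int, partitions: bytes) -> bytes:
    """Constructed sample MBR: the same boot code padded into both code regions,
    plus the per-host fields that legitimately differ between machines."""
    assert len(code) <= 218 and len(timestamp) == 6 and len(partitions) == 64
    body = code.ljust(218, b"\x00") + timestamp      # bytes 0-223
    body = body.ljust(440, b"\x00")                   # bytes 224-439: more code/padding
    body += struct.pack("<I", disk_sig) + b"\x00\x00" + partitions   # bytes 440-509
    return body + b"\x55\xaa"


def compare_hosts(a: bytes, b: bytes) -> dict:
    """Do two records collide under each hashing strategy?"""
    return {
        "full_md5_match": full_md5(a) == full_md5(b),
        "code_md5_match": code_md5(a) == code_md5(b),
    }


# Constructed boot code stub (not a real loader): cli; xor ax,ax; mov ss,ax; mov ds,ax; mov sp,0x7c00; sti
STUB = bytes.fromhex("fa31c08ed08ed8bc007cfb")

# Constructed partition tables: one active NTFS-type entry each, different sizes, rest empty.
PARTS_A = bytes.fromhex("8020210007df1e3f0008000000f80f00") + b"\x00" * 48
PARTS_B = bytes.fromhex("8020210007feffff0008000000d01a00") + b"\x00" * 48

HOST_A = make_mbr(STUB, bytes.fromhex("00dd3a4e0b1c"), 0x1A2B3C4D, PARTS_A)
HOST_B = make_mbr(STUB, bytes.fromhex("0011a1f2c803"), 0x99887766, PARTS_B)

if __name__ == "__main__":
    print("host A full md5:", full_md5(HOST_A), "code md5:", code_md5(HOST_A))
    print("host B full md5:", full_md5(HOST_B), "code md5:", code_md5(HOST_B))
    print(compare_hosts(HOST_A, HOST_B))
```

The two records hash to different whole-record MD5s but the same code hash, which is the reduction the post describes. The drawback it goes on to describe is also visible in the slicing: any product that legitimately stores its own variable data inside 0-217 or 224-439 (the Altiris and SafeBoot cases) breaks the collision, and the fix is another hand-picked pair of offsets per product.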

Ultimately, we concluded that to solve the problem we needed a solution that provided the following:

  • A reliable collection of boot records from systems
  • A behavioral analysis of boot records, not just static analysis
  • The ability to analyze tens of thousands of boot records in a timely manner

The remainder of this post describes how we solved each of these challenges.

Collect the Bytes

Malicious drivers insert themselves into the disk driver stack so they can intercept disk I/O as it traverses the stack. They do this to hide their presence (the real bytes) on disk. To address this attack vector, we developed a custom kernel driver (henceforth, our “Raw Read” driver) capable of targeting various altitudes in the disk driver stack. Using the Raw Read driver, we identify the lowest level of the stack and read the bytes from that level (Figure 1).


Figure 1: Malicious driver inserts itself as a filter driver in the stack, raw read driver reads bytes from lowest level

This allows us to bypass the rest of the driver stack, as well as any user space hooks. (It is important to note, however, that if the lowest driver on the I/O stack has an inline code hook an attacker can still intercept the read requests.) Additionally, we can compare the bytes read from the lowest level of the driver stack to those read from user space. Introducing our first indicator of a compromised boot system: the bytes retrieved from user space don’t match those retrieved from the lowest level of the disk driver stack.

Analyze the Bytes

As previously mentioned, reverse engineering and static analysis are impractical when dealing with hundreds of thousands of boot records. Automated dynamic analysis is a more practical approach, specifically through emulating the execution of a boot record. In more technical terms, we are emulating the real mode instructions of a boot record.

The emulation engine that we chose is the Unicorn project. Unicorn is based on the QEMU emulator and supports 16-bit real mode emulation. As boot samples are collected from endpoint machines, they are sent to the emulation engine where high-level functionality is captured during emulation. This functionality includes events such as memory access, disk reads and writes, and other interrupts that execute during emulation.

The Execution Hash

Folding down (aka stacking) duplicate samples is critical to reduce the time needed on follow-up analysis by a human analyst. An interesting quality of the boot samples gathered at scale is that while samples are often functionally identical, the data they use (e.g. strings or offsets) is often very different. This makes it quite difficult to generate a hash to identify duplicates, as demonstrated in Table 1. So how can we solve this problem with emulation? Enter the “execution hash”. The idea is simple: during emulation, hash the mnemonic of every assembly instruction that executes, ignoring its operands (e.g., “md5(‘and’ + ‘mov’ + ‘shl’ + ‘or’)”). Figure 2 illustrates this concept of hashing each assembly instruction as it executes to ultimately arrive at the “execution hash”.


Figure 2: Execution hash

Using this method, the 650,000 unique boot samples we’ve collected to date can be grouped into a little more than 300 unique execution hashes. This reduced data set makes it far more manageable to identify samples for follow-up analysis. Introducing our second indicator of a compromised boot system: an execution hash that is only found on a few systems in an enterprise!

Behavioral Analysis

Like all malware, suspicious activity executed by bootkits can vary widely. To avoid the pitfall of writing detection signatures for individual malware samples, we focused on identifying behavior that deviates from normal OS bootstrapping. To enable this analysis, the series of instructions that execute during emulation are fed into an analytic engine. Let's look in more detail at an example of malicious functionality exhibited by several bootkits that we discovered by analyzing the results of emulation.

Several malicious bootkits we discovered hooked the interrupt vector table (IVT) and the BIOS Data Area (BDA) to intercept system interrupts and data during the boot process. This can provide an attacker the ability to intercept disk reads and also alter the maximum memory reported by the system. By hooking these structures, bootkits can attempt to hide themselves on disk or even in memory.

These hooks can be identified by memory writes to the memory ranges reserved for the IVT and BDA during the boot process. The IVT occupies 0000:0000h through 0000:03FFh (256 four-byte entries, the last of which begins at 0000:03FCh) and the BDA begins at 0040:0000h. The malware can hook the interrupt 13h handler to inspect and modify the disk reads and writes that occur during the boot process. Additionally, bootkit malware has been observed reducing the base memory size recorded in the BIOS Data Area (the word at 0040:0013h) so that later boot stages leave the top of conventional memory alone, giving the bootkit a place to hide in memory.

This leads us to our final category of indicators of a compromised boot system: detection of suspicious behaviors such as IVT hooking, decoding and executing data from disk, suspicious screen output from the boot code, and modifying files or data on disk.

Do it at Scale

Dynamic analysis gives us a drastic improvement when determining the behavior of boot records, but it comes at a cost. Unlike static analysis or hashing, it is orders of magnitude slower. In our cloud analysis environment, the average time to emulate a single record is 4.83 seconds. Using the compromised enterprise network that contained ROCKBOOT as an example (approximately 20,000 boot records), it would take more than 26 hours to dynamically analyze (emulate) the records serially! In order to provide timely results to our analysts we needed to easily scale our analysis throughput relative to the amount of incoming data from our endpoint technologies. To further complicate the problem, boot record analysis tends to happen in batches, for example, when our endpoint technology is first deployed to a new enterprise.

With the advent of serverless cloud computing, we had the opportunity to create an emulation analysis service that scales to meet this demand – all while remaining cost effective. One of the advantages of serverless computing versus traditional cloud instances is that there are no compute costs during inactive periods; the only cost incurred is storage. Even when our cloud solution receives tens of thousands of records at the start of a new customer engagement, it can rapidly scale to meet demand and maintain near real-time detection of malicious bytes.

The cloud infrastructure we selected for our application is Amazon Web Services (AWS). Figure 3 provides an overview of the architecture.


Figure 3: Boot record analysis workflow

Our design currently utilizes:

  • API Gateway to provide a RESTful interface.
  • Lambda functions to do validation, emulation, analysis, as well as storage and retrieval of results.
  • DynamoDB to track progress of processed boot records through the system.
  • S3 to store boot records and emulation reports.

The architecture we created exposes a RESTful API that provides a handful of endpoints. At a high level the workflow is:

  1. Endpoint agents in customer networks automatically collect boot records using FireEye’s custom developed Raw Read kernel driver (see “Collect the bytes” described earlier) and return the records to FireEye’s Incident Response (IR) server.
  2. The IR server submits batches of boot records to the AWS-hosted REST interface, and polls the interface for batched results.
  3. The IR server provides a UI for analysts to view the aggregated results across the enterprise, as well as automated notifications when malicious boot records are found.

The REST API endpoints are exposed via AWS’s API Gateway, which then proxies the incoming requests to a “submission” Lambda. The submission Lambda validates the incoming data, stores the record (aka boot code) to S3, and then fans out the incoming requests to “analysis” Lambdas.

The analysis Lambda is where boot record emulation occurs. Because Lambdas are started on demand, this model allows for an incredibly high level of parallelization. AWS provides various settings to control the maximum concurrency for a Lambda function, as well as memory/CPU allocations and more. Once the analysis is complete, a report is generated for the boot record and the report is stored in S3. The reports include the results of emulation and other metadata extracted from the boot record (e.g., ASCII strings).

As described earlier, the IR server periodically polls the AWS REST endpoint until processing is complete, at which time the report is downloaded.

Find More Evil in Big Data

Our workflow for identifying malicious boot records is only effective when we know what malicious indicators to look for, or what execution hashes to blacklist. But what if a new malicious boot record (with a unique hash) evades our existing signatures?

For this problem, we leverage the in-house big data platform engine that we integrated into FireEye Helix following the acquisition of X15 Software. By loading the results of hundreds of thousands of emulations into the X15 engine, our analysts can hunt through the results at scale and identify anomalous behaviors such as unique screen prints, unusual initial jump offsets, or patterns in disk reads or writes.

This analysis at scale helps us identify new and interesting samples to reverse engineer, and ultimately helps us identify new detection signatures that feed back into our analytic engine.

Conclusion

Within weeks of going live we detected previously unknown compromised systems in multiple customer environments. We’ve identified everything from ROCKBOOT and HDRoot! bootkits to the admittedly humorous JackTheRipper, a bootkit that spreads itself via floppy disk (no joke). Our system has collected and processed nearly 650,000 unique records to date and continues to find the evil needles (suspicious and malicious boot records) in very large haystacks.

In summary, by combining advanced endpoint boot record extraction with scalable serverless computing and an automated emulation engine, we can rapidly analyze thousands of records in search of evil. FireEye is now using this solution in both our Managed Defense and Incident Response offerings.

Acknowledgements

Dimiter Andonov, Jamin Becker, Fred House, and Seth Summersett contributed to this blog post.

A Totally Tubular Treatise on TRITON and TriStation

Introduction

In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz distillates, remote desktop sessions, and other well-documented, easily-detected attack methods were used throughout these intrusions.

Despite the routine techniques employed to gain access to an OT environment, the threat actors behind the TRITON malware framework invested significant time learning about the Triconex Safety Instrumented System (SIS) controllers and TriStation, a proprietary network communications protocol. The investment and purpose of the Triconex SIS controllers leads Mandiant to assess the attacker's objective was likely to build the capability to cause physical consequences.

TriStation remains closed source and there is no official public information detailing the structure of the protocol, raising several questions about how the TRITON framework was developed. Did the actor have access to a Triconex controller and TriStation 1131 software suite? When did development first start? How did the threat actor reverse engineer the protocol, and to what extent? What is the protocol structure?

FireEye’s Advanced Practices Team was born to investigate adversary methodologies, and to answer these types of questions, so we started with a deeper look at TRITON’s own Python scripts.

Glossary:

  • TRITON – Malware framework designed to operate Triconex SIS controllers via the TriStation protocol.
  • TriStation – UDP network protocol specific to Triconex controllers.
  • TRITON threat actor – The human beings who developed, deployed and/or operated TRITON.

Diving into TRITON's Implementation of TriStation

TriStation is a proprietary network protocol and there is no public documentation detailing its structure or how to create software applications that use TriStation. The current TriStation UDP/IP protocol is little understood, but natively implemented through the TriStation 1131 software suite. TriStation operates by UDP over port 1502 and allows for communications between designated masters (PCs with the software that are “engineering workstations”) and slaves (Triconex controllers with special communications modules) over a network.

To us, the Triconex systems, software and associated terminology sound foreign and complicated, and the TriStation protocol is no different. Attempting to understand the protocol from ground zero would take a considerable amount of time and reverse engineering effort – so why not learn from TRITON itself? With the TRITON framework containing TriStation communication functionality, we pursued studying the framework to better understand this mysterious protocol. Work smarter, not harder, amirite?

The TRITON framework has a multitude of functionalities, but we started with the basic components:

  • TS_cnames.pyc # Compiled at: 2017-08-03 10:52:33
  • TsBase.pyc # Compiled at: 2017-08-03 10:52:33
  • TsHi.pyc # Compiled at: 2017-08-04 02:04:01
  • TsLow.pyc # Compiled at: 2017-08-03 10:46:51

TsLow.pyc (Figure 1) contains several pieces of code for error handling, but these also present some cues to the protocol structure.


Figure 1: TsLow.pyc function print_last_error()

In the TsLow.pyc’s function for print_last_error we see error handling for “TCM Error”. This compares the TriStation packet value at offset 0 with a value in a corresponding array from TS_cnames.pyc (Figure 2), which is largely used as a “dictionary” for the protocol.


Figure 2: TS_cnames.pyc TS_cst array

From this we can infer that offset 0 of the TriStation protocol contains message types. This is supported by an additional function, tcm_result, which declares type, size = struct.unpack('<HH', data_received[0:4]): the first two bytes are an unsigned 16-bit little-endian integer holding the message type, and the next two bytes are an unsigned 16-bit integer holding the size of the TriStation message. This is our first glimpse into what the threat actor(s) understood about the TriStation protocol.

Since there are only 11 defined message types, it really doesn't matter much if the type is one byte or two because the second byte will always be 0x00.

We also have indications that message type 5 is for all Execution Command Requests and Responses, so it is curious to observe that the TRITON developers called this “Command Reply.” (We won’t understand this naming convention until later.)

Next we examine TsLow.pyc’s print_last_error function (Figure 3) to look at “TS Error” and “TS_names.” We begin by looking at the ts_err variable and see that it references ts_result.


Figure 3: TsLow.pyc function print_last_error() with ts_err highlighted

We follow that thread to ts_result, which defines a few variables from the next 10 bytes (Figure 4): dir, cid, cmd, cnt, unk, cks, siz = struct.unpack('<, ts_packet[0:10]). Now things are heating up. What fun. There’s a lot to unpack here, but the most interesting thing is how this piece of the script breaks down 10 bytes from ts_packet into different variables.


Figure 4: ts_result with ts_packet header variables highlighted


Figure 5: tcm_result

Referencing tcm_result (Figure 5) we see that it defines type and size as the first four bytes (offset 0 – 3) and tcm_result returns the packet bytes 4:-2 (offset 4 to the end minus 2, because the last two bytes are the CRC-16 checksum). Now that we know where tcm_result leaves off, we know that the ts_reply “cmd” is a single byte at offset 6, and corresponds to the values in the TS_cnames.pyc array and TS_names (Figure 6). The TRITON script also tells us that any integer value over 100 is a likely “command reply.” Sweet.

When looking back at the ts_result packet header definitions, we begin to see some gaps in the TRITON developer's knowledge: dir, cid, cmd, cnt, unk, cks, siz = struct.unpack('<, ts_packet[0:10]). We're clearly speculating based on naming conventions, but we get an impression that offsets 4, 5 and 6 could be "direction", "controller ID" and "command", respectively. Values such as "unk" show that the developer either did not know or did not care to identify this value. We suspect it is a constant, but this value is still unknown to us.
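As an added example (not code from the TRITON framework or from the FireEye post), the parser below splits a TriStation UDP payload the way the post reads tcm_result and ts_result: a 16-bit little-endian type and size at offset 0, a trailing CRC-16, and, for message type 5, dir, cid and cmd as single bytes at datagram offsets 4, 5 and 6 with the remaining seven header bytes kept opaque because the post does not give their widths. The type and function-code tables are the values from Appendices A and B below; the "over 100 means command reply" rule is the one the post attributes to the TRITON script. Assumptions labelled in the code: the CRC variant and its byte order are not stated in the post, so the checksum is extracted but not verified, and the size field in the constructed test packets is taken to be the length of everything between the header and the CRC. The sample datagrams are constructed here, not captured traffic.

```python
import struct

# Message types at datagram offset 0 (Appendix A, from TS_cnames.pyc).
TS_MESSAGE_TYPES = {
    1: "Connection Request", 2: "Connection Response", 3: "Disconnect Request",
    4: "Disconnect Response", 5: "Execution Command", 6: "Ping Command",
    7: "Connection Limit Reached", 8: "Not Connected", 9: "MPS Are Dead",
    10: "Access Denied", 11: "Connection Failed",
}
# Execution command function codes at datagram offset 6 (the part of Appendix B reproduced below).
TS_FUNCTION_CODES = {
    0: "Start download all", 1: "Start download change", 2: "Update configuration",
    3: "Upload configuration", 4: "Set I/O addresses", 5: "Allocate network",
    6: "Load vector table", 7: "Set calendar", 8: "Get calendar", 9: "Set scan time",
    10: "End download all", 11: "End download change", 12: "Cancel download change",
    13: "Attach TRICON", 14: "Set I/O address limits", 15: "Configure module",
    16: "Set multiple point values", 17: "Enable all points", 18: "Upload vector table",
}
EXEC_COMMAND = 5
HEADER_LEN = 4      # type (u16 LE) + size (u16 LE), as unpacked by tcm_result
CRC_LEN = 2         # trailing CRC-16 stripped by tcm_result (variant not given in the post)
TS_HEADER_LEN = 10  # bytes ts_result unpacks into dir, cid, cmd, cnt, unk, cks, siz


class TriStationError(ValueError):
    """Raised on the paths TsLow.pyc reports as 'TCM Error' / 'TS Error'."""


def parse_tristation(datagram: bytes) -> dict:
    """Decode the outer TriStation frame and, for Execution Commands, the inner header."""
    if len(datagram) < HEADER_LEN + CRC_LEN:
        raise TriStationError("datagram too short: %d bytes" % len(datagram))
    msg_type, size = struct.unpack("<HH", datagram[:HEADER_LEN])
    if msg_type not in TS_MESSAGE_TYPES:
        raise TriStationError("unknown message type %d" % msg_type)
    inner = datagram[HEADER_LEN:-CRC_LEN]                 # what tcm_result returns (4:-2)
    crc = struct.unpack("<H", datagram[-CRC_LEN:])[0]     # byte order assumed; not verified
    result = {
        "type": msg_type, "type_name": TS_MESSAGE_TYPES[msg_type],
        "size": size, "crc16": crc, "inner": inner,
    }
    if msg_type == EXEC_COMMAND:
        if len(inner) < TS_HEADER_LEN:
            raise TriStationError("execution command header truncated")
        cmd = inner[2]                                    # datagram offset 6
        result.update({
            "dir": inner[0], "cid": inner[1], "cmd": cmd,
            "cmd_name": TS_FUNCTION_CODES.get(cmd, "not in reproduced table"),
            "is_reply": cmd > 100,                        # TRITON's rule of thumb
            "header_rest": inner[3:TS_HEADER_LEN],        # cnt/unk/cks/siz, widths unknown
            "payload": inner[TS_HEADER_LEN:],
        })
    return result


def build_exec_command(dir_: int, cid: int, cmd: int, rest: bytes, payload: bytes, crc: int) -> bytes:
    """Constructed encoder for test datagrams (assumption: size counts the bytes
    between the 4-byte header and the CRC)."""
    if len(rest) != TS_HEADER_LEN - 3:
        raise ValueError("rest must supply the 7 opaque header bytes")
    inner = bytes([dir_, cid, cmd]) + rest + payload
    return struct.pack("<HH", EXEC_COMMAND, len(inner)) + inner + struct.pack("<H", crc)


# Constructed samples: an "Attach TRICON" request and a reply-style code, plus a ping.
ATTACH_REQUEST = build_exec_command(1, 0, 13, b"\x01" + b"\x00" * 6, b"", 0xBEEF)
COMMAND_REPLY = build_exec_command(2, 0, 113, b"\x00" * 7, b"\x00\x00", 0x1234)
PING = bytes([6, 0, 0, 0]) + b"\x00\x00"

if __name__ == "__main__":
    for dg in (ATTACH_REQUEST, COMMAND_REPLY, PING):
        print(parse_tristation(dg))
```

Because only the first three inner bytes are pinned down by the post, anything beyond them is returned raw rather than given names the post cannot support; a future version of the parser would replace header_rest with the cnt/unk/cks/siz fields once their widths are known.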


Figure 6: Excerpt TS_cnames.pyc TS_names array, which contain TRITON actor’s notes for execution command function codes

TriStation Protocol Packet Structure

The TRITON threat actor’s knowledge and reverse engineering effort provides us a better understanding of the protocol. From here we can start to form a more complete picture and document the basic functionality of TriStation. We are primarily interested in message type 5, Execution Command, which best illustrates the overall structure of the protocol. Other, smaller message types will have varying structure.


Figure 7: Sample TriStation "Allocate Program" Execution Command, with color annotation and protocol legend

Corroborating the TriStation Analysis

Minute discrepancies aside, the TriStation structure detailed in Figure 7 is supported by other public analyses. Foremost, researchers from the Coordinated Science Laboratory (CSL) at University of Illinois at Urbana-Champaign published a 2017 paper titled "Attack Induced Common-Mode Failures on PLC-based Safety System in a Nuclear Power Plant". The CSL team mentions that they used the Triconex System Access Application (TSAA) protocol to reverse engineer elements of the TriStation protocol. TSAA is a protocol developed by the same company as TriStation. Unlike TriStation, the TSAA protocol structure is described within official documentation. CSL assessed similarities between the two protocols would exist and they leveraged TSAA to better understand TriStation. The team's overall research and analysis of the general packet structure aligns with our TRITON-sourced packet structure.

There are some awesome blog posts and whitepapers out there that support our findings in one way or another. Writeups by Midnight Blue Labs, Accenture, and US-CERT each explain how the TRITON framework relates to the TriStation protocol in superb detail.

TriStation's Reverse Engineering and TRITON's Development

When TRITON was discovered, we began to wonder how the TRITON actor reverse engineered TriStation and implemented it into the framework. We have a lot of theories, all of which seemed plausible: Did they build, buy, borrow, or steal? Or some combination thereof?

Our initial theory was that the threat actor purchased a Triconex controller and software for their own testing and reverse engineering from the "ground up", although if this was the case we do not believe they had a controller with the exact vulnerable firmware version, else they would have had fewer problems with TRITON in practice at the victim site. They may have bought or used a demo version of the TriStation 1131 software, allowing them to reverse engineer enough of TriStation for the framework. They may have stolen TriStation Python libraries from ICS companies, subsidiaries or system integrators and used the stolen material as a base for TriStation and TRITON development. But then again, it is possible that they borrowed TriStation software, Triconex hardware and Python connectors from a government-owned utility that was using them legitimately.

Looking at the raw TRITON code, some of the comments may appear oddly phrased, but we do get a sense that the developer is using much of the right vernacular and many of the right acronyms, showing familiarity with PLC programming. The TS_cnames.pyc script contains interesting typos such as 'Set lable', 'Alocate network accepted', 'Symbol table ccepted' and 'Set program information reponse'. These appear to be normal human error and reflect neither poorly written English nor laziness in coding. The significant amount of annotation, cascading logic, and robust error handling throughout the code suggests thoughtful development and testing of the framework. This complicates the theory of "ground up" development, so did they base their code on something else?

While learning from the TriStation functionality within TRITON, we continued to explore legitimate TriStation software. We began our search for "TS1131.exe" and hit dead ends sorting through TriStation DLLs until we came across a variety of TriStation utilities in MSI form. We ultimately stumbled across a juicy archive containing "Trilog v4." Upon further inspection, this file installed "TriLog.exe," which the original TRITON executable mimicked, and a couple of supporting DLLs, all of which were timestamped around August 2006.

When we saw the DLL file description "Tricon Communications Interface" and original file name "TricCom.DLL", we knew we were in the right place. With a simple look at the file strings, "BAZINGA!" We struck gold.

File Name           tr1com40.dll
MD5                 069247DF527A96A0E048732CA57E7D3D
Size                110592
Compile Date        2006-08-23
File Description    Tricon Communications Interface
Product Name        TricCom Dynamic Link Library
File Version        4.2.441
Original File Name  TricCom.DLL
Copyright           Copyright © 1993-2006 Triconex Corporation

The tr1com40.DLL is exactly what you would expect to see in a custom application package. It is a library that helps support the communications for a Triconex controller. If you've pored over TRITON as much as we have, the moment you look at strings you can see the obvious overlaps between the legitimate DLL and TRITON's own TS_cnames.pyc.


Figure 8: Strings excerpt from tr1com40.DLL

Each of the execution command "error codes" from TS_cnames.pyc are in the strings of tr1com40.DLL (Figure 8). We see "An MP has re-educated" and "Invalid Tristation I command". Even misspelled command strings verbatim such as "Non-existant data item" and "Alocate network accepted". We also see many of the same unknown values. What is obvious from this discovery is that some of the strings in TRITON are likely based on code used in communications libraries for Trident and Tricon controllers.

In our brief survey of the legitimate Triconex Corporation binaries, we observed a few samples with related string tables.

Pe:dllname     Compile Date   Reference CPP Strings Code
Lagcom40.dll   2004/11/19     $Workfile: LAGSTRS.CPP $ $Modtime: Jul 21 1999 17:17:26 $ $Revision: 1.0
Tr1com40.dll   2006/08/23     $Workfile: TR1STRS.CPP $ $Modtime: May 16 2006 09:55:20 $ $Revision: 1.4
Tridcom.dll    2008/07/23     $Workfile: LAGSTRS.CPP $ $Modtime: Jul 21 1999 17:17:26 $ $Revision: 1.0
Triccom.dll    2008/07/23     $Workfile: TR1STRS.CPP $ $Modtime: May 16 2006 09:55:20 $ $Revision: 1.4
Tridcom.dll    2010/09/29     $Workfile: LAGSTRS.CPP $ $Modtime: Jul 21 1999 17:17:26 $ $Revision: 1.0
Tr1com.dll     2011/04/27     $Workfile: TR1STRS.CPP $ $Modtime: May 16 2006 09:55:20 $ $Revision: 1.4
Lagcom.dll     2011/04/27     $Workfile: LAGSTRS.CPP $ $Modtime: Jul 21 1999 17:17:26 $ $Revision: 1.0
Triccom.dll    2011/04/27     $Workfile: TR1STRS.CPP $ $Modtime: May 16 2006 09:55:20 $ $Revision: 1.4

We extracted the CPP string tables in TR1STRS and LAGSTRS and the TS_cnames.pyc TS_names array from TRITON, and compared the 210, 204, and 212 relevant strings from each respective file.

TS_cnames.pyc TS_names and tr1com40.dll share 202 of 220 combined table strings. The remaining nine strings on each side are unique to that file:

Unique to TS_cnames.TS_names (2017 pyc):
  • Go to DOWNLOAD mode
  • Not set
  • Unk75
  • Unk76
  • Unk77
  • Unk78
  • Unk79
  • Unk81
  • Unk83

Unique to Tr1com40.dll (2006 CPP):
  • <200>
  • <209>
  • Bad message from module
  • Bad message type
  • Bad TMI version number
  • Module did not respond
  • Open Connection: Invalid SAP %d
  • Unsupported message for this TMI version
  • Wrong command

TS_cnames.pyc TS_names and Tridcom.dll (1999 CPP) shared only 151 of 268 combined table strings, showing a much smaller overlap with the seemingly older CPP library. This makes sense based on the context that Tridcom.dll is meant for a Trident controller, not a Tricon controller. It does seem as though Tr1com40.dll and TR1STRS.CPP code was based on older work.

We are not shocked to find that the threat actor reversed legitimate code to bolster development of the TRITON framework. They want to work smarter, not harder, too. But after reverse engineering legitimate software and implementing the basics of the TriStation, the threat actors still had an incomplete understanding of the protocol. In TRITON's TS_cnames.pyc we saw "Unk75", "Unk76", "Unk83" and other values that were not present in the tr1com40.DLL strings, indicating that the TRITON threat actor may have explored the protocol and annotated their findings beyond what they reverse engineered from the DLL. The gaps in TriStation implementation show us why the actors encountered problems interacting with the Triconex controllers when using TRITON in the wild.

You can see more of the Trilog and Triconex DLL files on VirusTotal.

Item Name          MD5                               Description
Tr1com40.dll       069247df527a96a0e048732ca57e7d3d  Tricon Communications DLL
Data1.cab          e6a3c93a6d433cbaf6f573b6c09d76c4  Parent of Tr1com40.dll
Trilog v4.1.360R   13a3b83ba2c4236ca59aba679941c8a5  RAR Archive of TriLog
TridCom.dll        5c2ed617fdec4779cb33c89082a43100  Trident Communications DLL

Afterthoughts

Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies. If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.

Basic security measures do little to thwart truly persistent threat actors and monitoring only IT networks is not an ideal situation. Visibility into both the IT and OT environments is critical for detecting the various stages of an ICS intrusion. Simple detection concepts such as baseline deviation can provide insight into abnormal activity.

While the TRITON framework was actively in use, how many traditional ICS “alarms” were set off while the actors tested their exploits and backdoors on the Triconex controller? How many times did the TriStation protocol, as implemented in their Python scripts, fail or cause errors because of non-standard traffic? How many TriStation UDP pings were sent and how many Connection Requests? How did these statistics compare to the baseline for TriStation traffic? There are no answers to these questions for now. We believe that we can identify these anomalies in the long run if we strive for increased visibility into ICS technologies.

We hope that by holding public discussions about ICS technologies, the Infosec community can cultivate closer relationships with ICS vendors and give the world better insight into how attackers move from the IT to the OT space. We want to foster more conversations like this and generally share good techniques for finding evil. Since most ICS attacks involve standard IT intrusions, we should probably come together to invent and improve guidelines for how to monitor PCs and engineering workstations that bridge the IT and OT networks. We envision a world where attacking or disrupting ICS operations costs the threat actor their cover, their toolkits, their time, and their freedom. It's an ideal world, but something nice to shoot for.

Thanks and Future Work

There is still much to do for TRITON and TriStation. There are many more sub-message types and nuances for parsing out the nitty gritty details, which is hard to do without a controller of our own. And although we’ve published much of what we learned about TriStation here on the blog, our work will continue as we continue our study of the protocol.

Thanks to everyone who did so much public research on TRITON and TriStation. We have cited a few individuals in this blog post, but there is a lot more community-sourced information that gave us clues and leads for our research and testing of the framework and protocol. We also have to acknowledge the research performed by the TRITON attackers. We borrowed a lot of your knowledge about TriStation from the TRITON framework itself.

Finally, remember that we're here to collaborate. We think most of our research is right, but if you notice any errors or omissions, or have ideas for improvements, please spear phish contact: smiller@fireeye.com.

Recommended Reading

Appendix A: TriStation Message Type Codes

The following table consists of hex values at offset 0 in the TriStation UDP packets and the associated dictionary definitions, extracted verbatim from the TRITON framework in library TS_cnames.pyc.

Value at 0x0   Message Type
1              Connection Request
2              Connection Response
3              Disconnect Request
4              Disconnect Response
5              Execution Command
6              Ping Command
7              Connection Limit Reached
8              Not Connected
9              MPS Are Dead
10             Access Denied
11             Connection Failed

Appendix B: TriStation Execution Command Function Codes

The following table consists of hex values at offset 6 in the TriStation UDP packets and the associated dictionary definitions, extracted verbatim from the TRITON framework in library TS_cnames.pyc.

Value at 0x6   TS_cnames String
0              0: 'Start download all',
1              1: 'Start download change',
2              2: 'Update configuration',
3              3: 'Upload configuration',
4              4: 'Set I/O addresses',
5              5: 'Allocate network',
6              6: 'Load vector table',
7              7: 'Set calendar',
8              8: 'Get calendar',
9              9: 'Set scan time',
A              10: 'End download all',
B              11: 'End download change',
C              12: 'Cancel download change',
D              13: 'Attach TRICON',
E              14: 'Set I/O address limits',
F              15: 'Configure module',
10             16: 'Set multiple point values',
11             17: 'Enable all points',
12             18: 'Upload vector table',
13             19: 'Get CP status ',
14             20: 'Run program',
15             21: 'Halt program',
16             22: 'Pause program',
17             23: 'Do single scan',
18             24: 'Get chassis status',
19             25: 'Get minimum scan time',
1A             26: 'Set node number',
1B             27: 'Set I/O point values',
1C             28: 'Get I/O point values',
1D             29: 'Get MP status',
1E             30: 'Set retentive values',
1F             31: 'Adjust clock calendar',
20             32: 'Clear module alarms',
21             33: 'Get event log',
22             34: 'Set SOE block',
23             35: 'Record event log',
24             36: 'Get SOE data',
25             37: 'Enable OVD',
26             38: 'Disable OVD',
27             39: 'Enable all OVDs',
28             40: 'Disable all OVDs',
29             41: 'Process MODBUS',
2A             42: 'Upload network',
2B             43: 'Set lable',
2C             44: 'Configure system variables',
2D             45: 'Deconfigure module',
2E             46: 'Get system variables',
2F             47: 'Get module types',
30             48: 'Begin conversion table download',
31             49: 'Continue conversion table download',
32             50: 'End conversion table download',
33             51: 'Get conversion table',
34             52: 'Set ICM status',
35             53: 'Broadcast SOE data available',
36             54: 'Get module versions',
37             55: 'Allocate program',
38             56: 'Allocate function',
39             57: 'Clear retentives',
3A             58: 'Set initial values',
3B             59: 'Start TS2 program download',
3C             60: 'Set TS2 data area',
3D             61: 'Get TS2 data',
3E             62: 'Set TS2 data',
3F             63: 'Set program information',
40             64: 'Get program information',
41             65: 'Upload program',
42             66: 'Upload function',
43             67: 'Get point groups',
44             68: 'Allocate symbol table',
45             69: 'Get I/O address',
46             70: 'Resend I/O address',
47             71: 'Get program timing',
48             72: 'Allocate multiple functions',
49             73: 'Get node number',
4A             74: 'Get symbol table',
4B             75: 'Unk75',
4C             76: 'Unk76',
4D             77: 'Unk77',
4E             78: 'Unk78',
4F             79: 'Unk79',
50             80: 'Go to DOWNLOAD mode',
51             81: 'Unk81',
52             (blank)
53             83: 'Unk83',
54 to 63       (blank)
64             100: 'Command rejected',
65             101: 'Download all permitted',
66             102: 'Download change permitted',
67             103: 'Modification accepted',
68             104: 'Download cancelled',
69             105: 'Program accepted',
6A             106: 'TRICON attached',
6B             107: 'I/O addresses set',
6C             108: 'Get CP status response',
6D             109: 'Program is running',
6E             110: 'Program is halted',
6F             111: 'Program is paused',
70             112: 'End of single scan',
71             113: 'Get chassis configuration response',
72             114: 'Scan period modified',
73             115: '<115>',
74             116: '<116>',
75             117: 'Module configured',
76             118: '<118>',
77             119: 'Get chassis status response',
78             120: 'Vectors response',
79             121: 'Get I/O point values response',
7A             122: 'Calendar changed',
7B             123: 'Configuration updated',
7C             124: 'Get minimum scan time response',
7D             125: '<125>',
7E             126: 'Node number set',
7F             127: 'Get MP status response',
80             128: 'Retentive values set',
81             129: 'SOE block set',
82             130: 'Module alarms cleared',
83             131: 'Get event log response',
84             132: 'Symbol table ccepted',
85             133: 'OVD enable accepted',
86             134: 'OVD disable accepted',
87             135: 'Record event log response',
88             136: 'Upload network response',
89             137: 'Get SOE data response',
8A             138: 'Alocate network accepted',
8B             139: 'Load vector table accepted',
8C             140: 'Get calendar response',
8D             141: 'Label set',
8E             142: 'Get module types response',
8F             143: 'System variables configured',
90             144: 'Module deconfigured',
91             145: '<145>',
92             146: '<146>',
93             147: 'Get conversion table response',
94             148: 'ICM print data sent',
95             149: 'Set ICM status response',
96             150: 'Get system variables response',
97             151: 'Get module versions response',
98             152: 'Process MODBUS response',
99             153: 'Allocate program response',
9A             154: 'Allocate function response',
9B             155: 'Clear retentives response',
9C             156: 'Set initial values response',
9D             157: 'Set TS2 data area response',
9E             158: 'Get TS2 data response',
9F             159: 'Set TS2 data response',
A0             160: 'Set program information reponse',
A1             161: 'Get program information response',
A2             162: 'Upload program response',
A3             163: 'Upload function response',
A4             164: 'Get point groups response',
A5             165: 'Allocate symbol table response',
A6             166: 'Program timing response',
A7             167: 'Disable points full',
A8             168: 'Allocate multiple functions response',
A9             169: 'Get node number response',
AA             170: 'Symbol table response',
AB to C7       (blank)
C8             200: 'Wrong command',
C9             201: 'Load is in progress',
CA             202: 'Bad clock calendar data',
CB             203: 'Control program not halted',
CC             204: 'Control program checksum error',
CD             205: 'No memory available',
CE             206: 'Control program not valid',
CF             207: 'Not loading a control program',
D0             208: 'Network is out of range',
D1             209: 'Not enough arguments',
D2             210: 'A Network is missing',
D3             211: 'The download time mismatches',
D4             212: 'Key setting prohibits this operation',
D5             213: 'Bad control program version',
D6             214: 'Command not in correct sequence',
D7             215: '<215>',
D8             216: 'Bad Index for a module',
D9             217: 'Module address is invalid',
DA             218: '<218>',
DB             219: '<219>',
DC             220: 'Bad offset for an I/O point',
DD             221: 'Invalid point type',
DE             222: 'Invalid Point Location',
DF             223: 'Program name is invalid',
E0             224: '<224>',
E1             225: '<225>',
E2             226: '<226>',
E3             227: 'Invalid module type',
E4             228: '<228>',
E5             229: 'Invalid table type',
E6             230: '<230>',
E7             231: 'Invalid network continuation',
E8             232: 'Invalid scan time',
E9             233: 'Load is busy',
EA             234: 'An MP has re-educated',
EB             235: 'Invalid chassis or slot',
EC             236: 'Invalid SOE number',
ED             237: 'Invalid SOE type',
EE             238: 'Invalid SOE state',
EF             239: 'The variable is write protected',
F0             240: 'Node number mismatch',
F1             241: 'Command not allowed',
F2             242: 'Invalid sequence number',
F3             243: 'Time change on non-master TRICON',
F4             244: 'No free Tristation ports',
F5             245: 'Invalid Tristation I command',
F6             246: 'Invalid TriStation 1131 command',
F7             247: 'Only one chassis allowed',
F8             248: 'Bad variable address',
F9             249: 'Response overflow',
FA             250: 'Invalid bus',
FB             251: 'Disable is not allowed',
FC             252: 'Invalid length',
FD             253: 'Point cannot be disabled',
FE             254: 'Too many retentive variables',
FF             255: 'LOADER_CONNECT',
(blank)        256: 'Unknown reject code'
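As an added example (not part of the original post and not code from the TRITON framework), the following Python applies the baseline-deviation idea from the discussion above to the code tables in Appendix A and B: it labels each TriStation UDP payload by the message type at offset 0 and, for Execution Commands, by the function code at offset 6, then compares per-source counts in a traffic window against a baseline. The two host addresses, the filler bytes at offsets 1 to 5 and 7, the traffic mix and the spike ratio are all constructed assumptions; only the code-to-name mappings come from the appendices.

```python
from collections import Counter

# Message type codes at offset 0 (Appendix A); 10 and 11 are assumed to be the
# decimal dictionary keys of TS_names rather than 0x10 / 0x11.
TS_MESSAGE_TYPES = {
    1: "Connection Request", 2: "Connection Response", 3: "Disconnect Request",
    4: "Disconnect Response", 5: "Execution Command", 6: "Ping Command",
    7: "Connection Limit Reached", 8: "Not Connected", 9: "MPS Are Dead",
    10: "Access Denied", 11: "Connection Failed",
}
# Subset of the Execution Command function codes at offset 6 (Appendix B),
# keyed by the decimal value used in the TS_cnames dictionary.
TS_FUNCTION_CODES = {
    0: "Start download all", 1: "Start download change", 10: "End download all",
    13: "Attach TRICON", 19: "Get CP status", 20: "Run program",
    21: "Halt program", 22: "Pause program", 29: "Get MP status",
    33: "Get event log", 80: "Go to DOWNLOAD mode",
}
MSG_TYPE_OFFSET = 0
FUNC_CODE_OFFSET = 6
EXECUTION_COMMAND = 5


def classify(payload):
    """Label one TriStation UDP payload, e.g. 'Execution Command/Run program'."""
    # Too-short payloads raise ValueError so the caller can count them separately
    if len(payload) <= MSG_TYPE_OFFSET:
        raise ValueError("empty payload")
    mtype = payload[MSG_TYPE_OFFSET]
    label = TS_MESSAGE_TYPES.get(mtype, "Unknown type 0x%02X" % mtype)
    if mtype != EXECUTION_COMMAND:
        return label
    if len(payload) <= FUNC_CODE_OFFSET:
        raise ValueError("Execution Command too short to carry a function code")
    fcode = payload[FUNC_CODE_OFFSET]
    fname = TS_FUNCTION_CODES.get(fcode, "Unknown function 0x%02X" % fcode)
    return "%s/%s" % (label, fname)


def profile(packets):
    """Count (source, label) pairs over a list of (source_ip, payload) tuples."""
    counts = Counter()
    for src, payload in packets:
        try:
            counts[(src, classify(payload))] += 1
        except ValueError:
            counts[(src, "Malformed")] += 1  # non-standard traffic is itself a signal
    return counts


def deviations(baseline, window, ratio=3.0):
    """Rows (source, label, baseline_count, window_count, reason) for pairs absent
    from the baseline ('new') or above ratio x their baseline count ('spike')."""
    out = []
    for key, n in window.items():
        base = baseline.get(key, 0)
        if base == 0:
            out.append((key[0], key[1], 0, n, "new"))
        elif n > ratio * base:
            out.append((key[0], key[1], base, n, "spike"))
    return sorted(out)


def ts(mtype, fcode=0):
    """Constructed 8-byte payload: only offsets 0 and 6 are meaningful, the rest is filler."""
    return bytes([mtype, 0, 0, 0, 0, 0, fcode, 0])


# Constructed traffic (not a capture): EWS = engineering workstation present in the
# baseline, NEWHOST = a source that never spoke TriStation before.
EWS, NEWHOST = "10.10.1.20", "10.10.1.77"
BASELINE = profile(
    [(EWS, ts(6))] * 50                 # periodic pings
    + [(EWS, ts(1)), (EWS, ts(3))] * 5  # connect / disconnect cycles
    + [(EWS, ts(5, 19))] * 20           # Get CP status polls
    + [(EWS, ts(5, 29))] * 20           # Get MP status polls
)
WINDOW = profile(
    [(EWS, ts(6))] * 48
    + [(EWS, ts(1)), (EWS, ts(3))] * 4
    + [(EWS, ts(5, 19))] * 18
    + [(EWS, ts(5, 29))] * 19
    + [(NEWHOST, ts(1))] * 40           # burst of Connection Requests
    + [(NEWHOST, ts(5, 13))] * 3        # Attach TRICON
    + [(NEWHOST, ts(5, 0))] * 2         # Start download all
    + [(NEWHOST, ts(5, 20))] * 2        # Run program
    + [(NEWHOST, b"\x05\x00")] * 3      # truncated Execution Commands
)

if __name__ == "__main__":
    for src, label, base, seen, reason in deviations(BASELINE, WINDOW):
        print("%-12s %-40s baseline=%-3d window=%-3d %s" % (src, label, base, seen, reason))
```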

Remote Authentication GeoFeasibility Tool – GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks (VPNs), web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials to access systems and data. Due to large volumes of remote access connections, it can be difficult to distinguish between a legitimate and a malicious login.

Today, we are releasing GeoLogonalyzer to help organizations analyze logs to identify malicious logins based on GeoFeasibility; for example, a user connecting to a VPN from New York at 13:00 is unlikely to legitimately connect to the VPN from Australia five minutes later.

Once remote authentication activity is baselined across an environment, analysts can begin to identify authentication activity that deviates from business requirements and normalized patterns, such as:

  1. User accounts that authenticate from two distant locations, and at times between which the user probably could not have physically travelled the route.
  2. User accounts that usually log on from IP addresses registered to one physical location such as a city, state, or country, but also have logons from locations where the user is not likely to be physically located.
  3. User accounts that log on from a foreign location at which no employees reside or are expected to travel to, and your organization has no business contacts at that location.
  4. User accounts that usually log on from one source IP address, subnet, or ASN, but have a small number of logons from a different source IP address, subnet, or ASN.
  5. User accounts that usually log on from home or work networks, but also have logons from an IP address registered to cloud server hosting providers.
  6. User accounts that log on from multiple source hostnames or with multiple VPN clients.

GeoLogonalyzer can help address these and similar situations by processing authentication logs containing timestamps, usernames, and source IP addresses.

GeoLogonalyzer can be downloaded from our FireEye GitHub.

GeoLogonalyzer Features

IP Address GeoFeasibility Analysis

For a remote authentication log that records a source IP address, it is possible to estimate the location each logon originated from using data such as MaxMind’s free GeoIP database. With additional information, such as a timestamp and username, analysts can identify a change in source location over time to determine if that user could have possibly traveled between those two physical locations to legitimately perform the logons.

For example, if a user account, Meghan, logged on from New York City, New York on 2017-11-24 at 10:00:00 UTC and then logged on from Los Angeles, California 10 hours later on 2017-11-24 at 20:00:00 UTC, that is roughly a 2,450 mile change over 10 hours. Meghan’s logon source change can be normalized to 245 miles per hour which is reasonable through commercial airline travel.

If a second user account, Harry, logged on from Dallas, Texas on 2017-11-25 at 17:00:00 UTC and then logged on from Sydney, Australia two hours later on 2017-11-25 at 19:00:00 UTC, that is roughly an 8,500 mile change over two hours. Harry’s logon source change can be normalized to 4,250 miles per hour, which is likely infeasible with modern travel technology.

By focusing on the changes in logon sources, analysts do not have to manually review the many times that Harry might have logged in from Dallas before and after logging on from Sydney.

Cloud Data Hosting Provider Analysis

Attackers understand that organizations may either be blocking or looking for connections from unexpected locations. One solution for attackers is to establish a proxy on either a compromised server in another country, or even through a rented server hosted in another country by companies such as AWS, DigitalOcean, or Choopa.

Fortunately, GitHub user “client9” tracks many datacenter hosting providers in an easily digestible format. With this information, we can attempt to detect attackers utilizing a datacenter proxy to thwart GeoFeasibility analysis.

Using GeoLogonalyzer

Usable Log Sources

GeoLogonalyzer is designed to process remote access platform logs that include a timestamp, username, and source IP. Applicable log sources include, but are not limited to:

  1. VPN
  2. Email client or web applications
  3. Remote desktop environments such as Citrix
  4. Internet-facing applications

Usage

GeoLogonalyzer’s built-in --csv input type accepts CSV formatted input with the following considerations:

  1. Input must be sorted by timestamp.
  2. Input timestamps must all be in the same time zone, preferably UTC, to avoid seasonal changes such as daylight savings time.
  3. Input format must match the following CSV structure – this will likely require manually parsing or reformatting existing log formats:

YYYY-MM-DD HH:MM:SS, username, source IP, optional source hostname, optional VPN client details

GeoLogonalyzer’s code comments include instructions for adding customized log format support. Due to the various VPN log formats exported from VPN server manufacturers, version 1.0 of GeoLogonalyzer does not include support for raw VPN server logs.

GeoLogonalyzer Usage

Example Input

Figure 1 represents an example input VPNLogs.csv file that recorded eight authentication events for the two user accounts Meghan and Harry. The input data is commonly derived from logs exported directly from an application administration console or SIEM. Note that this example dataset was created entirely for demonstration purposes.


Figure 1: Example GeoLogonalyzer input

Example Windows Executable Command

GeoLogonalyzer.exe --csv VPNLogs.csv --output GeoLogonalyzedVPNLogs.csv

Example Python Script Execution Command

python GeoLogonalyzer.py --csv VPNLogs.csv --output GeoLogonalyzedVPNLogs.csv

Example Output

Figure 2 represents the example output GeoLogonalyzedVPNLogs.csv file, which shows relevant data from the authentication source changes (highlights have been added for emphasis and some columns have been removed for brevity):


Figure 2: Example GeoLogonalyzer output

Analysis

In the example output from Figure 2, GeoLogonalyzer helps identify the following anomalies in the Harry account’s logon patterns:

  1. FAST - For Harry to physically log on from New York and subsequently from Australia in the recorded timeframe, Harry needed to travel at a speed of 4,297 miles per hour.
  2. DISTANCE – Harry’s 8,990 mile trip from New York to Australia might not be expected travel.
  3. DCH – Harry’s logon from Australia originated from an IP address associated with a datacenter hosting provider.
  4. HOSTNAME and CLIENT – Harry logged on from different systems using different VPN client software, which may be against policy.
  5. ASN – Harry’s source IP addresses did not belong to the same ASN. Using ASN analysis helps cut down on reviewing logons with different source IP addresses that belong to the same provider. Examples include logons from different campus buildings or an updated residential IP address.

Manual analysis of the data could also reveal anomalies such as:

  1. Countries or regions where no business takes place, or where there are no employees located
  2. Datacenters that are not expected
  3. ASN names that are not expected, such as a university
  4. Usernames that should not log on to the service
  5. Unapproved VPN client software names
  6. Hostnames that are not part of the environment, do not match standard naming conventions, or do not belong to the associated user

While it may be impossible to determine if a logon pattern is malicious based on this data alone, analysts can use GeoLogonalyzer to flag and investigate potentially suspicious logon activity through other investigative methods.

GeoLogonalyzer Limitations

Reserved Addresses

Any RFC1918 source IP addresses, such as 192.168.X.X and 10.X.X.X, will not have a physical location registered in the MaxMind database. By default, GeoLogonalyzer will use the coordinates (0, 0) for any reserved IP address, which may alter results. Analysts can manually edit these coordinates, if desired, by modifying the RESERVED_IP_COORDINATES constant in the Python script.

Setting this constant to the coordinates of your office location may provide the most accurate results, although may not be feasible if your organization has multiple locations or other point-to-point connections.

GeoLogonalyzer also accepts the parameter --skip_rfc1918, which will completely ignore any RFC1918 source IP addresses and could result in missed activity.
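The GeoFeasibility calculation, the CSV input format, the FAST/DISTANCE/DCH/HOSTNAME/CLIENT flags from the Analysis section and the reserved-address handling just described, worked through in one added Python example (this is not GeoLogonalyzer's own code). The GeoIP and datacenter lookups are constructed stand-ins for the MaxMind and client9 data, the sample log rows are constructed, and the FAST and DISTANCE thresholds are assumptions.

```python
import csv
import io
import ipaddress
import math
from datetime import datetime

# Constructed stand-in for a MaxMind GeoIP lookup (documentation ranges, not real sources).
GEOIP = {
    "198.51.100.10": (40.7128, -74.0060, "New York, US"),
    "198.51.100.20": (34.0522, -118.2437, "Los Angeles, US"),
    "203.0.113.5": (32.7767, -96.7970, "Dallas, US"),
    "203.0.113.99": (-33.8688, 151.2093, "Sydney, AU"),
}
# Constructed stand-in for the client9 datacenter hosting-provider list.
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.96/27")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RESERVED_IP_COORDINATES = (0.0, 0.0)  # GeoLogonalyzer's documented default for RFC1918 sources
FAST_MPH = 600.0         # assumed threshold: faster than sustained airline travel
DISTANCE_MILES = 3000.0  # assumed threshold for an unusually long trip
EARTH_RADIUS_MILES = 3958.8


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def locate(ip):
    """Return ((lat, lon), label, is_datacenter) for a source IP."""
    if is_rfc1918(ip):
        return RESERVED_IP_COORDINATES, "RESERVED", False
    lat, lon, label = GEOIP[ip]
    addr = ipaddress.ip_address(ip)
    return (lat, lon), label, any(addr in net for net in DATACENTER_RANGES)


def analyze(csv_text, skip_rfc1918=False):
    """Flag per-user source changes. Rows must already be sorted by timestamp, all in UTC."""
    last = {}  # username -> (timestamp, coords, ip, hostname, client, label)
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        row = [c.strip() for c in row] + ["", ""]  # pad the two optional columns
        ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        user, ip, hostname, client = row[1], row[2], row[3], row[4]
        if skip_rfc1918 and is_rfc1918(ip):
            continue  # --skip_rfc1918 behaviour: reserved sources are dropped entirely
        coords, label, is_dc = locate(ip)
        prev = last.get(user)
        last[user] = (ts, coords, ip, hostname, client, label)
        if prev is None or prev[2] == ip:
            continue  # first logon, or same source as before: nothing to review
        hours = (ts - prev[0]).total_seconds() / 3600.0
        miles = haversine_miles(prev[1], coords)
        mph = miles / hours if hours > 0 else float("inf")
        checks = [(mph > FAST_MPH, "FAST"), (miles > DISTANCE_MILES, "DISTANCE"),
                  (is_dc, "DCH"),
                  (hostname and prev[3] and hostname != prev[3], "HOSTNAME"),
                  (client and prev[4] and client != prev[4], "CLIENT"),
                  # (0, 0) was substituted on one side, so the distance is not meaningful
                  ("RESERVED" in (label, prev[5]), "RESERVED")]
        findings.append({"user": user, "from": prev[5], "to": label, "miles": round(miles),
                         "mph": mph if math.isinf(mph) else round(mph),
                         "flags": [name for cond, name in checks if cond]})
    return findings


# Constructed VPNLogs.csv-style input (timestamp, username, source IP, hostname, VPN client).
SAMPLE_CSV = """\
2017-11-24 10:00:00, meghan, 198.51.100.10, MEGHAN-LAPTOP, AnyConnect 4.5
2017-11-24 20:00:00, meghan, 198.51.100.20, MEGHAN-LAPTOP, AnyConnect 4.5
2017-11-25 17:00:00, harry, 203.0.113.5, HARRY-LAPTOP, AnyConnect 4.5
2017-11-25 19:00:00, harry, 203.0.113.99, DESKTOP-X1, OpenVPN 2.4
2017-11-25 19:30:00, harry, 10.0.0.7, HARRY-LAPTOP, AnyConnect 4.5
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_CSV):
        print(f["user"], f["from"], "->", f["to"], f["miles"], "mi", f["mph"], "mph", f["flags"])
```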

Failed Logon and Logoff Data

It may also be useful to include failed logon attempts and logoff records with the log source data to see anomalies related to source information of all VPN activity. At this time, GeoLogonalyzer does not distinguish between successful logons, failed logon attempts, and logoff events. GeoLogonalyzer also does not detect overlapping logon sessions from multiple source IP addresses.

False Positive Factors

Note that the use of VPN or other tunneling services may create false positives. For example, a user may access an application from their home office in Wyoming at 08:00 UTC, connect to a VPN service hosted in Georgia at 08:30 UTC, and access the application again through the VPN service at 09:00 UTC. GeoLogonalyzer would process this application access log and detect that the user account required a FAST travel rate of roughly 1,250 miles per hour which may appear malicious. Establishing a baseline of legitimate authentication patterns is recommended to understand false positives.

Reliance on Open Source Data

GeoLogonalyzer relies on open source data to make cloud hosting provider determinations. These lookups are only as accurate as the available open source data.

Preventing Remote Access Abuse

Understanding that no single analysis method is perfect, the following recommendations can help security teams prevent the abuse of remote access platforms and investigate suspected compromise.

  1. Identify and limit remote access platforms that allow access to sensitive information from the Internet, such as VPN servers, systems with RDP or SSH exposed, third-party applications (e.g., Citrix), intranet sites, and email infrastructure.
  2. Implement a multi-factor authentication solution that utilizes dynamically generated one-time use tokens for all remote access platforms.
  3. Ensure that remote access authentication logs for each identified access platform are recorded, forwarded to a log aggregation utility, and retained for at least one year.
  4. Whitelist IP address ranges that are confirmed as legitimate for remote access users based on baselining or physical location registrations. If whitelisting is not possible, blacklist IP address ranges registered to physical locations or cloud hosting providers that should never legitimately authenticate to your remote access portal.
  5. Utilize either SIEM capabilities or GeoLogonalyzer.py to perform GeoFeasibility analysis of all remote access on a regular frequency to establish a baseline of accounts that legitimately perform unexpected logon activity and identify new anomalies. Investigating anomalies may require contacting the owner of the user account in question. FireEye Helix analyzes live log data for all techniques utilized by GeoLogonalyzer, and more!

Download GeoLogonalyzer today.

Acknowledgements

Christopher Schmitt, Seth Summersett, Jeff Johns, and Alexander Mulfinger.

Solving Ad-hoc Problems with Hex-Rays API

Introduction

IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled and decompiled code can greatly reduce the analysis time.

The decompiler (from now on referred to as Hex-Rays) has been around for a long time and has achieved a good level of maturity. However, there seems to be a lack of concise and complete resources regarding this topic (tutorials or otherwise). In this blog, we aim to close that gap by showcasing examples where scripting Hex-Rays goes a long way.

Overview of a Decompiler

In order to understand how the decompiler works, it’s helpful to first review the normal compilation process.

Compilation and decompilation center around the concept of an Abstract Syntax Tree (AST). In essence, a compiler takes the source code, splits it into tokens according to a grammar, then these tokens are grouped into logical expressions. In this phase of the compilation process, referred to as parsing, the code structure is represented as a complex object, the AST. From the AST, the compiler will produce assembly code for the specified platform.

A decompiler takes the opposite route. From the given assembly code, it works back to produce an AST, and from this to produce pseudocode.

Of all the intermediate steps between source code and assembly, we stress the AST because most of the time you spend using the Hex-Rays API you will actually be reading and/or modifying the Abstract Syntax Tree (or ctree in Hex-Rays terminology).

Items, Expressions and Statements

Now we know that Hex-Rays’s ctree is a tree-like data structure. The nodes of this tree are either of type cinsn_t or cexpr_t. We will define these in a moment, but for now it is important to know that both derive from a very basic type, namely the citem_t type, as seen in the following code snippet:

Therefore, all nodes in the ctree will have the op property, which indicates the node type (variable, number, logical expression, etc.).

The type of op (ctype_t) is an enumeration where all constants are named either cit_<xyz> (for statements) or cot_<xyz> (for expressions). Keep this in mind, as it will be very important. A quick way to inspect all ctype_t constants and their values is to execute the following code snippet:

This produces the following output:

Let’s dive a bit deeper and explain the two types of nodes: expressions and statements.

It is useful to think about expressions as the “the little logical elements” of your code. They range from simple types such as variables, strings or numerical constants, to small code constructs (assignments, comparisons, additions, logical operations, array indexing, etc.).

These are of type cexpr_t, a large structure containing several members. The members that can be accessed depend on its op value. For example, the member n to obtain the numeric value only makes sense when dealing with constants.

On the other side, we have statements. These correlate roughly to language keywords (if, for, do, while, return, etc.). Most of them are related to control flow and can be thought of as “the big picture elements” of your code.

Recapitulating, we have seen how the decompiler exposes this tree-like structure (the ctree), which consists of two types of nodes: expressions and statements. In order to extract information from or modify the decompiled code, we have to interact with the ctree nodes via methods dependent on the node type. However, the following question arises: “How do we reach the nodes?”

This is done via a class exposed by Hex-Rays: the tree visitor (ctree_visitor_t). This class has two virtual methods, visit_insn and visit_expr, that are executed when a statement or expression is found while traversing the ctree. We can create our own visitor classes by inheriting from this one and overloading the corresponding methods.

Example Scripts

In this section, we will use the Hex-Rays API to solve two real-world problems:

  • Identify calls to GetProcAddress to dynamically resolve Windows APIs, assigning the resulting address to a global variable.
  • Display assignments related to stack strings as characters instead of numbers, for easier readability.

GetProcAddress

The first example we will walk through is how to automatically handle renaming global variables that have been dynamically resolved at run time. This is a common technique malware uses to hide its capabilities from static analysis tools. An example of dynamically resolving global variables using GetProcAddress is shown in Figure 1.


Figure 1: Dynamic API resolution using GetProcAddress

There are several ways to rename the global variables, with the simplest being manual copy and paste. However, this task is very repetitive and can be scripted using the Hex-Rays API.

In order to write any Hex-Rays script, it is important to first visualize the ctree. The Hex-Rays SDK includes a sample, sample5, which can be used to view the current function’s ctree. The amount of data shown in a ctree for a function can be overwhelming. A modified version of the sample was used to produce a picture of a sub-ctree for the function shown in Figure 1. The sub-ctree for the single expression 'dword_1000B2D8 = (int)GetProcAddress(v0, "CreateThread");' is shown in Figure 2.


Figure 2: Sub-ctree for GetProcAddress assignment

With knowledge of the sub-ctree in use, we can write a script to automatically rename all the global variables that are being assigned using this method.

The code to automatically rename all the global variables is shown in Figure 3. The code works by traversing the ctree looking for calls to the GetProcAddress function. Once found, the code takes the name of the function being resolved and finds the global variable that is being set. The code then uses the IDA MakeName API to rename the address to the correct function.


Figure 3: Function renaming global variables

After the script has been executed, we can see in Figure 4 that all the global variables have been renamed to the appropriate function name.


Figure 4: Global variables renamed

Stack Strings

Our next example is a typical issue when dealing with malware: stack strings. This is a technique aimed at making analysis harder by using arrays of characters instead of strings in the code. An example can be seen in Figure 5; the malware stores each character’s ASCII value on the stack and then references it in the call to sprintf. At first glance, it’s very difficult to say what this string means (unless, of course, you know the ASCII table by heart).


Figure 5: Hex-Rays decompiler output. Stack strings are difficult to read.

Our script will modify these assignments to something more readable. The important part of our code is the ctree visitor mentioned earlier, which is shown in Figure 6.


Figure 6: Custom ctree visitor

The logic implemented here is pretty straightforward. We define our subclass of a ctree visitor (line 1) and override its visit_expr method. This will only kick in when an assignment is found (line 9). Another condition to be met is that the left side of the assignment is a variable and the right side a number (line 15). Moreover, the numeric value must be in the readable ASCII range (lines 20 and 21).

Once this kind of expression is found, we will change the type of the right side from a number to a string (lines 26 to 31), and replace its numerical value by the corresponding ASCII character (line 32).

The modified pseudocode after running this script is shown in Figure 7.


Figure 7: Assigned values shown as characters
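The two visitors described for Figure 3 and Figure 6, combined into one IDAPython script as an added example (this is not the FLARE script from the post; the repository linked below remains the reference). It assumes the Python 3 IDAPython API; the Hex-Rays names it relies on are listed in the header comment and should be checked against your SDK version, and the GetProcAddress match assumes a two-argument call whose second argument is a string literal object.

```python
# Hex-Rays/IDAPython names assumed here: ida_hexrays.ctree_visitor_t, CV_FAST,
# the cot_* constants, cexpr_t.x/.y/.n._value/.string/.obj_ea, carglist_t
# indexing, ida_bytes.get_strlit_contents and ida_name.set_name/get_name.
try:
    import ida_bytes
    import ida_hexrays
    import ida_kernwin
    import ida_nalt
    import ida_name
except ImportError:  # outside IDA only the pure helpers below are usable
    ida_hexrays = None

ASCII_READABLE_MIN = 0x20  # space
ASCII_READABLE_MAX = 0x7E  # tilde


def readable_char(value):
    """Printable ASCII character for an integer value, else None (testable outside IDA)."""
    if isinstance(value, bool) or not isinstance(value, int):
        return None
    if ASCII_READABLE_MIN <= value <= ASCII_READABLE_MAX:
        return chr(value)
    return None


def api_name_from_strlit(raw):
    """Turn the bytes of a C string literal into a symbol name, or None if unusable."""
    if not raw:
        return None
    name = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return name if name.isidentifier() else None


if ida_hexrays is not None:
    def strip_casts(e):
        """Skip cot_cast nodes such as the (int) in (int)GetProcAddress(...)."""
        while e.op == ida_hexrays.cot_cast:
            e = e.x
        return e

    class AdHocVisitor(ida_hexrays.ctree_visitor_t):
        """One pass over the ctree handling both patterns from the post."""
        def __init__(self):
            # CV_FAST: no parent tracking; each assignment node is judged on its own
            ida_hexrays.ctree_visitor_t.__init__(self, ida_hexrays.CV_FAST)
            self.renamed = []   # (global ea, new name)
            self.rewritten = 0  # stack-string assignments converted

        def visit_expr(self, e):
            if e.op != ida_hexrays.cot_asg:
                return 0  # 0 = keep traversing
            lhs, rhs = e.x, e.y
            # Stack strings: <local var> = <printable number>  ->  <local var> = '<char>'
            if lhs.op == ida_hexrays.cot_var and rhs.op == ida_hexrays.cot_num:
                ch = readable_char(rhs.n._value)
                if ch is not None:  # lengths, counters etc. stay numeric
                    rhs.op = ida_hexrays.cot_str
                    rhs.string = ch
                    self.rewritten += 1
                return 0
            # Dynamic API resolution: <global> = (cast)GetProcAddress(hmod, "Name")
            if lhs.op != ida_hexrays.cot_obj:
                return 0
            call = strip_casts(rhs)
            if (call.op != ida_hexrays.cot_call or call.x.op != ida_hexrays.cot_obj
                    or not ida_name.get_name(call.x.obj_ea).endswith("GetProcAddress")
                    or call.a.size() != 2 or call.a[1].op != ida_hexrays.cot_obj):
                return 0
            raw = ida_bytes.get_strlit_contents(call.a[1].obj_ea, -1, ida_nalt.STRTYPE_C)
            name = api_name_from_strlit(raw)
            # SN_CHECK makes IDA reject names that collide or are otherwise invalid
            if name and ida_name.set_name(lhs.obj_ea, name, ida_name.SN_CHECK):
                self.renamed.append((lhs.obj_ea, name))
            return 0

    def run(ea=None):
        """Decompile the function at ea (default: cursor), apply the visitor, print the result."""
        if ea is None:
            ea = ida_kernwin.get_screen_ea()
        cfunc = ida_hexrays.decompile(ea)
        if cfunc is None:
            print("decompilation failed at 0x%X" % ea)
            return None
        v = AdHocVisitor()
        v.apply_to(cfunc.body, None)
        for gea, name in v.renamed:
            print("renamed 0x%X -> %s" % (gea, name))
        print("%d stack-string assignment(s) rewritten" % v.rewritten)
        print(str(cfunc))  # pseudocode now shows characters instead of numbers
        return v
```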

You can find the complete scripts in our FLARE GitHub repository under decompiler scripts.

Conclusion

These two admittedly simple examples should be able to give you an idea of the power of IDA’s decompiler API. In this post we have covered the foundation of all decompiler scripts: the ctree object, a structure composed of expressions and statements representing every element of the code as well as the relationships between them. By creating a custom visitor we have shown how to traverse the tree and read or modify the code elements, thereby analyzing or modifying the pseudocode.

Hopefully, this post will motivate you to start writing your own scripts. This is only the beginning!

Do you want to learn more about these tools and techniques from FLARE? Then you should take one of our Black Hat classes in Las Vegas this summer! Our offerings include Malware Analysis Crash Course, macOS Malware for Reverse Engineers, and Malware Analysis Master Class.

References

Although written in 2009, one of the best references is still the original article on the Hex-Rays blog.

PacketTotal

The SANS Storm Center did a diary article on PacketTotal, which you can find here. PacketTotal is a (free) site where you upload a pcap (up to 50 Mb) and the site will analyze it and give you a console view that includes malicious or suspicious activity as well as a breakout of http, dns and other protocols. It will also give you a nice timeline graph showing the packets as they interact, which is really nice. Lastly, you get an analytics page if you like graphs showing the breakout of stats on the traffic. You can find it at, yes, packettotal.com.