Category Archives: Analysis

Litecoin Price Analysis: LTC/USD Set for Another Potential Explosive Move North as Bulls Penetrate Pennant Pattern

Litecoin price on Saturday is seen holding decent gains of over 3% at the time of writing, as the bulls continue their latest push north. Fundamental prospects surrounding the Litecoin Foundation remain strong and supportive of the price recovery. LTC/USD since last week has been on a decent push to the north; the price has […]

The post Litecoin Price Analysis: LTC/USD Set for Another Potential Explosive Move North as Bulls Penetrate Pennant Pattern appeared first on Hacked: Hacking Finance.

Crypto Update: Another Spike Fails in Crypto-Land

The major cryptocurrencies continue to follow the pattern which consists of sudden spikes followed by choppy sideways periods. Today, the top coins jumped higher, with the strongest currencies testing their recent swing highs, but the move quickly failed. The market continues to be dominated by low liquidity and the bearish long-term forces, making it difficult […]

The post Crypto Update: Another Spike Fails in Crypto-Land appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Could be in Serious Trouble as Test of Major Support Back in Play

Ripple’s XRP price is seen trading marginally in negative territory towards the latter part of Friday, with XRP/USD heading for a weekly closure in the red. Ripple has announced a newly improved XRP Ledger 1.2.0 for improved censorship resistance. XRP/USD: Recent Price Behaviour Ripple’s XRP price continues to cool, running towards is a third consecutive […]

The post XRP Price Analysis: XRP/USD Could be in Serious Trouble as Test of Major Support Back in Play appeared first on Hacked: Hacking Finance.

The “Accessibility Premium”: How Coinbase’s Overseas Expansion Could Affect Crypto Prices

The accessibility premium refers to the affect on a cryptocurrency’s price when it is added to Coinbase. The $8 billion valued exchange is now looking to expand beyond its U.S-based institutional trading business to offer institutional services worldwide. Bitcoin, Bitcoin Cash, Ethereum, and Litecoin may end up being the greatest beneficiaries. These cryptocurrencies could gain […]

The post The “Accessibility Premium”: How Coinbase’s Overseas Expansion Could Affect Crypto Prices appeared first on Hacked: Hacking Finance.

Ethereum Update: Bottom Already Reached

To say that Ethereum (ETH/USD) had a bad 2018 would be a huge understatement. After climbing as high as $1,424.3 in January 2018, the market quickly reversed. 11 months later, Ethereum recorded lows of $83 on December 7, 2018. In other words, the 2018 bear market has devalued Ethereum by over 94%. While this is […]

The post Ethereum Update: Bottom Already Reached appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Extended Trade Talks, Economic Data Dump, National Emergency

1, Trade Talks to Continue Next Week in Washington S&P 500 Futures, 4-Hour Chart Analysis The news of the day, so far, is clearly the unexpected extension of the current round of trade talks between the US and China. The negotiations will reportedly continue next week in Washington, and that could mean that some kind […]

The post 3 Things You Need to Know About the Market Today: Extended Trade Talks, Economic Data Dump, National Emergency appeared first on Hacked: Hacking Finance.

Binance Coin Price Analysis: BNB Profit-Taking Kicks In as Binance’s Business Continues to Defy Cryto Winter

BNB/BTC produces a double-top pattern formation, leaving the door open to further downside pressure. Binance CFO confirms that the organization is still profitable, despite the ‘crypto winter’. Binance Coin Price Behavior The BNB token has been outperforming many of its peers over the past few weeks. Since the week commencing 3rd December, BNB/USDT has rallied […]

The post Binance Coin Price Analysis: BNB Profit-Taking Kicks In as Binance’s Business Continues to Defy Cryto Winter appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Drift Sideways but Leadership Weakens

The major cryptocurrencies have been mostly trading in relatively narrow ranges in the past 24 hours, and although we saw a broad sell-off today in early trading, a major bearish move has been avoided, for now. While the coins are still holding on to most of their gains from last Friday’s Litecoin-led surge, the relatively […]

The post Crypto Update: Coins Drift Sideways but Leadership Weakens appeared first on Hacked: Hacking Finance.

NEM Price Analysis: XEM Regains Bullish Momentum amid Plan to Save the NEM Project

XEM/USDT has gained as much as 10% over the past two trading sessions. The NEM Foundation and NEM Labs have put an action plan together to keep the project afloat. XEM: Recent Price Behavior XEM has picked up some upside momentum over the last couple of days, thanks to renewed optimism around the NEM Foundation. […]

The post NEM Price Analysis: XEM Regains Bullish Momentum amid Plan to Save the NEM Project appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Extended Trade Truce?, Economic Worries, Late Earnings

1, 60-Day Extension to the Trade Deadline? USD/CNH, 4-Hour Chart Analysis The extension of the March 1 deadline for the US-Chinese trade deal is getting closer as we expected, and the rumors are now specifically pointing to a 2-month extension. Given the weakening Chinese growth and president Trump’s falling approval rates, some kind of agreement […]

The post 3 Things You Need to Know About the Market Today: Extended Trade Truce?, Economic Worries, Late Earnings appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Under Pressure Despite MoU Splash with South Korean Gaming and Blockchain Associations

Tron has recorded losses for the past five consecutive sessions, dropping as much as 15%. The Tron Foundation sign Memorandums of Understanding (MoUs) with two massive gaming and blockchain associations in South Korea. TRX/USD: Recent Price Behavior The Tron price continues further cooling and is currently running at its fifth consecutive session in the red. […]

The post Tron Price Analysis: TRX/USD Under Pressure Despite MoU Splash with South Korean Gaming and Blockchain Associations appeared first on Hacked: Hacking Finance.

Crypto Update: Litecoin Pulls Back as Rally Fails to Reignite

While the major cryptocurrencies experienced another rally attempt yesterday following last week’s Litecoin-led surge, most of them failed to hit sustained new highs. The top coins are still holding on to most of their gains, but the lack of bullish momentum is a negative sign. With the bearish long-term picture in mind, traders should still […]

The post Crypto Update: Litecoin Pulls Back as Rally Fails to Reignite appeared first on Hacked: Hacking Finance.

Monero Price Analysis: XMR/USD Bursts Out of Narrow Range-Block as Fight Against ASIC Domination Continues

Monero (XMR) bulls have been able to break out to the upside from a range-block formation. The price had been confined within this region for 28 sessions.  The Monero Foundation has scheduled another ASIC-disabling hard fork on 9th March. XMR/USD: Recent Price Behavior The XMR price over the past few sessions has continued to grind […]

The post Monero Price Analysis: XMR/USD Bursts Out of Narrow Range-Block as Fight Against ASIC Domination Continues appeared first on Hacked: Hacking Finance.

Bitcoin Update: A Case That the Bottom Is In

With the current market sentiment, almost everyone in the crypto community believes that we have yet to bottom out. Most think that the recent Bitcoin (BTC/USD) rally is nothing but a dead cat bounce. From their point of view, we may rally to $4,300 or maybe even go as high as $5,800. Just as everyone’s […]

The post Bitcoin Update: A Case That the Bottom Is In appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Xi’s Surprise, US Inflation, Shutdown Saga

1, Chinese President Xi to Join Trade Talks in Beijing Shanghai Composite Index CFD, 4-Hour Chart Analysis Global stocks markets are higher once again today ahead of the US session, boosted by the continued trade-related optimism. The news that Chinese President Xi will unexpectedly attend the current round of US-Chinese trade talks lifted stocks across […]

The post 3 Things You Need to Know About the Market Today: Xi’s Surprise, US Inflation, Shutdown Saga appeared first on Hacked: Hacking Finance.

ETH/USD Price Analysis: Ethereum Bulls Capitalize After Receiving Chunky Buying Interest in Known Demand Zone

ETH/USD maintained decent gains in the session on Tuesday, with the bulls attempting to break down resistance barriers. Ethereum DApp usage is continuing to lose ground versus peers Tron and EOS. ETH/USD: Recent Price Behaviour Over the past few sessions, the ETH/USD pair has remained somewhat elevated after receiving decent buying interest within a known […]

The post ETH/USD Price Analysis: Ethereum Bulls Capitalize After Receiving Chunky Buying Interest in Known Demand Zone appeared first on Hacked: Hacking Finance.

Traders Buying Activision Blizzard Options

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets With the S&P 500 having recovered most of its Christmas losses, there are still stocks that have not even started to move away from their lows. Today we are going to analyze one of those. Activision Blizzard (NASDAQ: ATVI) is a US based company that produces and sells […]

The post Traders Buying Activision Blizzard Options appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Shutdown Deal?, Another Powell Speech, Gold Strength

1, Stocks Pop Higher on Tentative Shutdown Deal Nasdaq 100 Futures, 4-Hour Chart Analysis Following yesterday’s marginal gains, today, global stock markets are well in the green at the US open, as investor sentiment improved substantially. It seems that a second partial government shutdown might be avoided in the US, as the two parties agreed […]

The post 3 Things You Need to Know About the Market Today: Shutdown Deal?, Another Powell Speech, Gold Strength appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Bears Force a Significant Break of a Vital Supporting Trend Line

The Tron price is running at its fourth consecutive session trading in the red. TRX/USD bears manage to break down a long-running ascending trend line of support. TRX/USD Recent Price Behavior TRX/USD has been further cooling within recent trading; the price is running at its fourth consecutive session in the red. At the time of […]

The post Tron Price Analysis: TRX/USD Bears Force a Significant Break of a Vital Supporting Trend Line appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Pull Back as Follow-Through Rally Fades

The cryptocurrency segment has been consolidating Friday’s Litecoin-led surge over the weekend, and although most of the major coins are holding on to the bulk of their gains, the follow-through move has been lacking momentum. That said, compared to the failed Ripple-led attempt two weeks ago, more coins are showing positive signs, and despite the […]

The post Crypto Update: Coins Pull Back as Follow-Through Rally Fades appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Breakout Out is Now Retesting Wedge Pattern Formation

UAE Exchange and Unimoni joins the ever-growing list of institutions to leverage Ripple technology. XRP/USD broke out and is now retesting a wedge pattern formation. Recent Price Behavior XRP/USD has been cooling of late, with the past three sessions having closed in the red. This comes after the bulls failed to sustain the big chunky upside […]

The post XRP Price Analysis: XRP/USD Breakout Out is Now Retesting Wedge Pattern Formation appeared first on Hacked: Hacking Finance.

DASH Price Analysis: The Bulls Awaken Following News of Further Adoption

DASH bulls awaken, as the price breaks out from the confinements of a descending wedge pattern. Crypto Emporium, an online retailer, is now accepting DASH as a method of payment. Recent Price Behavior The Dash price is enjoying some upside, as the bulls came back to life following a prolonged period of mundane sideways trading. […]

The post DASH Price Analysis: The Bulls Awaken Following News of Further Adoption appeared first on Hacked: Hacking Finance.

Euro Remains Vulnerable

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets EUR/USD, the major currency pair, remains weak in the middle of February, although there were some moments when it tried to recover. These attempts weren’t too successful, however, as they showed that market players were still interested in the Euro. The Euro is trying to recover against the […]

The post Euro Remains Vulnerable appeared first on Hacked: Hacking Finance.

Crypto Breakout Coming? Volume Indicators Say Yes

The major cryptocurrencies reported slight-to-moderate gains on Monday, as the return of high-volume trading offered compelling evidence that a bearish-to-bullish trend reversal may be afoot. Market Update Most of the top 20 cryptocurrencies are trading in positive territory. Among the majors, Ethereum is leading the way higher. The developer’s cryptocurrency has gained 4% in the […]

The post Crypto Breakout Coming? Volume Indicators Say Yes appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Rally in China, Dollar Surge, European Gloom

1, Chinese Stocks Climb on Fresh Trade Hopes Shanghai Composite Index CFD, 4-Hour Chart Analysis Chinese markets opened higher following the one-week holiday break, with the Shanghai Composite hitting a marginal two-month high, trying to play catch-up with the recent surge in the key US benchmarks. Despite today’s bounce, Chinese equities are clearly in a […]

The post 3 Things You Need to Know About the Market Today: Rally in China, Dollar Surge, European Gloom appeared first on Hacked: Hacking Finance.

GBP/USD Price Prediction: Cable Could be Hit Harder This Week

Big fundamental data points will play a massive role in the direction of GBP this week. GBP/USD downside targets are eyed at 1.2800 and then the range of 1.2750-1.2650. It is another week where GBP takes the spotlight with a raft of key economic data points being released from the UK. This comes after an […]

The post GBP/USD Price Prediction: Cable Could be Hit Harder This Week appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX Facing a Huge Technical Test of Key Support

TRX/USD is testing a vital long-running ascending trend line of support. TRX/BTC was dealt another rejection blow and is also set to meet a key support area. The Tron price has been cooling the last couple of sessions, looking at both TRX/USD and TRX/BTC. It has failed to break down and move past a tricky […]

The post Tron Price Analysis: TRX Facing a Huge Technical Test of Key Support appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA/USDT Jumps to Highest Levels in Two Weeks Ahead of IOHK Summit

Cardano’s ADA price maintains decent heights after a big 15% jump in the prior session. There is much anticipation ahead of the IOHK summit for details of the new Cardano roadmap. Recent ADA Price Behavior Cardano’s ADA price remains elevated after the decent pop higher yesterday, where the bulls gained big double-digits. An advance in the […]

The post Cardano Price Analysis: ADA/USDT Jumps to Highest Levels in Two Weeks Ahead of IOHK Summit appeared first on Hacked: Hacking Finance.

Binance Coin Price Analysis: BNB/USDT Maintains Decent Bullish Momentum after Breakout from Wedge Pattern

The BNB/USDT bulls extend to the north, following the breach of an ascending wedge pattern. Binance is moving ever closer to its Decentralized Exchange (DEX) going live. Recent Price Behavior The Binance Coin bulls have made a strong breakout to the upside from the confinements of a wedge pattern formation. BNB/USDT has made some big advances […]

The post Binance Coin Price Analysis: BNB/USDT Maintains Decent Bullish Momentum after Breakout from Wedge Pattern appeared first on Hacked: Hacking Finance.

Zcash Price Analysis: Bulls Break from the Descending Wedge as Developers Patch Up ‘Infinite ZEC’ Bug

Zcash jumped a big double-digits in the session on Friday, hitting the highest level in around two weeks. Developers at Zcash managed to patch up a dangerous bug that could have allowed hackers to produce infinite ZEC. The Zcash (ZEC) price on Friday enjoyed big gains in the session, jumping double-digits thanks to a substantial […]

The post Zcash Price Analysis: Bulls Break from the Descending Wedge as Developers Patch Up ‘Infinite ZEC’ Bug appeared first on Hacked: Hacking Finance.

China’s New Cybersecurity Measures Allow State Police to Remotely Access Company Systems

Insikt Group

Recorded Future’s Insikt Group analyzed new cybersecurity provisions issued by the Chinese Ministry of Public Security. This report will be of greatest interest to any corporation conducting business within China.

Executive Summary

In August 2017, Recorded Future analyzed the security and risk implications for international companies of China’s Cybersecurity Law, assessing that the law gave China’s Ministry of State Security (MSS) sweeping new powers. In particular, the Cybersecurity Law mandated that several sectors be subject to “national security reviews, ” which could allow the MSS to identify vulnerabilities in foreign technologies that China could subsequently exploit in espionage operations.

On November 1, 2018, China issued new provisions to the law titled “Regulations on Internet Security Supervision and Inspection by Public Security Organs” (公安机关互联网安全监督检查规定). The regulations, likely evolved to clarify portions of China’s 2017 Cybersecurity Law, give the Ministry of Public Security (MPS) broad powers over the computer networks of companies in China. These ostensibly include the authority to remotely conduct penetration testing on almost any business operating in China and copy any information related to user data or security measures found during the inspection.

These new provisions specify no limits on the scope of vulnerability or security inspections and require extremely minimal reporting to be provided back to the corporation. Further, the regulations continue to use vague terminology and do not limit the scope of in-person or remote inspections for network security testing. We assess that the combination of existing MSS regulations with these new Cybersecurity Law provisions for the MPS will support Chinese government attempts to both censor and surveil foreign companies.

Key Judgments

  • New regulations give the Ministry of Public Security (MPS) authority to conduct on-site and remote inspections of any company with five or more computers connected to the internet. This wide definition accounts for almost every foreign company in China.
  • As of November 2018, the MPS is allowed to copy user information, log security response plans during on-site inspections, and check for vulnerabilities. This information could be leveraged by state surveillance or security organs to monitor a company’s inner workings as well as its customers.
  • The People’s Armed Police (PAP) will be present during on-site inspections to ensure that companies comply.
  • The MPS can also conduct remote inspections of companies to check for vulnerabilities. These new regulations make remote inspections easier to conduct than physical inspections and are not bound by time or limited in scope. For remote inspections, the MPS is able to involve third-party “cybersecurity service agencies,” increasing the risks of both vulnerability discovery and data leakages.
  • These regulations also empower MPS to enforce Chinese prohibited content laws, using network security as a justification to monitor for adherence to censorship laws.

Background

The Ministry of Public Security (MPS) is China’s primary police and security authority. While the organization has a wide variety of internal security duties, such as border security and administrating national identification cards, they are also tasked by various national cybersecurity regulations to handle and collect large amounts of data.

Among many responsibilities, the MPS is in charge of China’s Golden Shield Project (金盾工程), a massive series of legal and technological initiatives — including China’s Great Firewall — meant to improve intelligence assessments and surveillance capabilities of the national police force. Part of this initiative involves the expansion of facial recognition software used with a nationwide system of surveillance cameras, designed to better locate and clamp down on dissenters.

As of 2017, China’s National Cybersecurity Law (CSL) made the MPS one of the organizations responsible for “cybersecurity protection, supervision, and management” within its larger scope of investigating matters in public and internal security, and MPS is specifically tasked with punishing actors that violate the CSL.

The new provisions to the CSL, “Regulations on Internet Security Supervision and Inspection by Public Security Organs,” produced by the MPS specify what measures its branches at the county level and above must implement in order to better protect, supervise, and manage cybersecurity under the CSL. This is an extra authority under the Cybersecurity Law, which already gave China’s Ministry of State Security the power to conduct national security reviews of foreign technology. However, articles within the new provisions contain sweeping measures that should alarm any business currently operating in China.

Analysis

In 2017, Recorded Future analyzed the national security review provisions of the CSL to reveal the sweeping powers given to Chinese state security organizations over foreign technology, especially companies that operated “critical information infrastructure.” While the new CSL regulations do not address critical information infrastructure, they do focus on businesses at large.

These November 2018 updates empower public security organs under the MPS to conduct safety supervision and inspection of internet service providers (ISPs) and networked units to ensure that they are “fulfilling network security obligations stipulated by laws and administrative regulations,” according to Article 2 of the new regulations. These regulatory efforts are framed to resemble cybersecurity legislation enacted by other developed countries, with the crucial difference being that broadened state control is the overriding objective rather than data protection.

According to the Yunnan Network Security Corps, a branch under the MPS, the definition of a networked unit is “a unit with a fixed IP or with five or more computers connected to the internet to conduct internet or internet-related activity.” Networked units are, according to the same Yunnan MPS site, usually registered through the MPS in order to obtain hosting rights on Chinese servers, but also registered through other internet security-related organizations at the municipal and county level.

Yunnan Network Security Corps Screenshot

Screenshot of Yunnan Network Security Corps’s description of a networked unit.

The law specifies that public security branches at the county level and above can conduct inspections on networked units and ISPs that provide any of the following: internet access, data centers, content distribution, domain name services, internet information services, public internet services, or other internet services. This broad authority encompasses nearly any company providing any type of internet-related service, from a SaaS company to a company providing internal internet services to its employees, as long as that company has at least five computers that use a router for their internet connection.

In-Person Inspections

According to Article 15, when conducting in-person inspections, MPS branches are entitled to enter almost any company area related to networked units (联网使用单位) in order to check computer systems for network security compliance. Upon entering business premises, computer rooms, and workplaces, MPS officers can view or copy any information related to the inspection. This includes but is not limited to: any and all user information, technical measures for the network, and information security protection, hosting, or domain name information, as well as any content distribution the organization may be conducting.

This inspection also covers other provisions within the wider CSL, including inspecting whether the publication of prohibited information is prevented or censored. According to Articles 10, 11, and 21, companies hosting content that the Chinese government determines as “prohibited information” found through an inspection can be prosecuted under the Cybersecurity Law. We assess that the MPS will use this provision as a means to ensure that companies are complying with prohibited content and censorship laws. Because the scope of inspections given by the regulations is so broad, it is not clear if content published outside of the Chinese language internet also applies. However, not only can refusal to cooperate be punishable by law, but the provisions also require at least two members of the People’s Armed Police (PAP) to assist in and sign off on all inspections.

Article 16 states that MPS branches are able to conduct remote inspections of networked units and ISPs for network security loopholes. It is not immediately clear what the scope of a remote inspection entails; it could encompass anything from a traditional penetration test to the installation of system backdoors. Further, Article 18 includes language that makes remote inspections easier than on-site inspections to conduct, as remote inspections do not require permission from the company. In fact, Article 16 only requires that the MPS notify the inspected company of the date and scope of the inspection. The regulations do not even limit the scope or time frame for an inspection. Finally, Article 17 empowers the MPS to involve third-party “cybersecurity service agencies” in these inspections, a provision which substantially increases the risk of vulnerability discovery and data leakages.

Additionally, Article 6 mandates that the MPS write share reports of the inspections with relevant government departments, while Article 19 requires that MPS branches supervise and guide organizations to mitigate against any hidden network security risks found during inspection. Because the provisions do not specify which PRC government departments are “relevant,” the information obtained could theoretically be leveraged by its state or foreign surveillance arms to monitor corporate and customer data.

Most alarmingly, the regulations contain no obligation for the MPS to disclose the full results of remote or on-site inspections to companies themselves. Article 18 stipulates that a supervisor within the organization being inspected must sign an inspection report produced by the MPS during an on-site inspection; however, there is no requirement for the MPS to provide a report to the organization during a remote inspection. The only required communication between the MPS branch and the organization prior to a remote inspection is an announcement of the inspection time, scope, and “other matters.” Thus, companies subject to remote inspection may not know exactly where in their network MPS officers are conducting inspections, and could be completely ignorant of inspection results.

Since the scope of inspections is not limited in these new regulations, Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China. The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations.

Impact for Businesses Operating in China

The breadth of inspection authority granted to the MPS by these new regulations could impact almost all foreign businesses operating in China. The extremely broad criteria and lack of specifics in this regulation mean that most companies operating in China could be subjected to MPS inspection for any reason, at any time. Further, with the scope of both on-site and remote inspections so undefined, we assess that the international operations and customers of inspected companies could be at risk of exposure to the Chinese government and security services as well. Thus, almost all foreign businesses will be subject to in-person facility searches, copying of company user data, invasive checking for “illegally published materials,” and remote inspection of company networks.

As recommended in Recorded Future’s previous analysis of China’s Cybersecurity Law, companies need to evaluate three possible risk scenarios:

  1. Risk to a company’s own machines or networks
  2. Risk to a company’s product, service, and intellectual property
  3. Derivative risk to customers, clients, or users around the world

These new regulations place companies’ network infrastructure, data, and proprietary information at a higher risk for MPS intrusion and surveillance operations. Corporate networks and products can be subjected to extensive inspections for “illegal material” and companies could be prosecuted if such material is found. Customers, data, and systems in territorial China are not only at risk of having their data held by the Chinese government, but also are at increased risk for third-party data breaches and Chinese government surveillance.

The risks to companies laid out in Recorded Future’s previous analysis are exacerbated by these new CSL provisions. Because most company products and services sold in China are not dissimilar to their international equivalents, vulnerabilities found by the MPS can be utilized to exploit both domestic and international users. If companies choose not to comply with the new provisions, however, they may need to evaluate a fourth possible risk scenario: risk to employee safety. Any pushback against inspections could be noted and reacted to by the People’s Armed Police officers present.

Recorded Future recommends that all international corporations operating in China take measures to evaluate their technology footprint within the country, their evacuation and government relations policies, and their system architecture to minimize the impact of the law and effectively address the worst-case scenario if subjected to an MPS inspection. Altering company system architecture to keep connections between Chinese and international operations as segmented as possible is important to prevent inspections from spilling into corporate networks or databases with no connection to territorial China. Further, keeping one’s employees safe and informed of the inspections should remain a top priority for companies operating within the country.

As a baseline, companies should properly inspect their systems for known vulnerabilities. To quantify the risk to global operations, offices operating within China should ascertain which parts of their infrastructure have already been registered as networked units (联网使用单位) and prioritize these units when updating and segmenting their systems. While these new regulations now provide the legal authority for MPS officers to probe company systems, patching against known vulnerabilities will prevent inspectors from easily gaining unwanted access or escalating privileges. Organizations or companies operating in China must also determine whether their products or services host material that the Chinese government may deem illegal to publish, and make a decision on where and how to host this data to minimize the impact of the law.

Editor’s Note: This is not meant to replace legal advice or counsel. Please make sure to consult local legal counsel for concerns and/or advice regarding regulations and legislation that may impact your organization.

The post China’s New Cybersecurity Measures Allow State Police to Remotely Access Company Systems appeared first on Recorded Future.

     

Crypto Update: Coins Stage Rally Attempt as Litecoin Triggers Buy Signal

The major cryptocurrencies are finally having a positive day following a quiet and bearish period, and although the negative overall picture hasn’t changed, bulls at have something to cheer about. Litecoin managed to move above its primary resistance level at $34.50, building on its recent relative strength, and that triggered a short-term buy signal in […]

The post Crypto Update: Coins Stage Rally Attempt as Litecoin Triggers Buy Signal appeared first on Hacked: Hacking Finance.

Crypto Update: Key Levels to Watch for TRON and 2 Other Coins

TRON (TRX/BTC), ChainLink (LINK/BTC), and Binance Coin (BNB/BTC) have one thing in common: they’ve all decoupled from Bitcoin’s trend. In other words, bulls have taken over these markets while Bitcoin and other altcoins continue to languish in bear territory. Bulls have been flexing their muscles so hard that these three alts have been recently on […]

The post Crypto Update: Key Levels to Watch for TRON and 2 Other Coins appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: LTC/USD Sees Big Double-Digit Gains as Litecoin Foundation Moves Closer to Privacy Ambitions

The Litecoin price on Friday is holding chunky gains of 14% in the session, jumping to the highest level in almost 4 weeks. The Litecoin Foundation announced a partnership with Beam Privacy, taking positive steps towards privacy transaction goals. The Litecoin price was seen holding some big gains on Friday, having jumped double-digits. LTC/USD at […]

The post Litecoin Price Analysis: LTC/USD Sees Big Double-Digit Gains as Litecoin Foundation Moves Closer to Privacy Ambitions appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Stock Sell-Off, Volatility Spike, Oil Reversal

1, Risk Rally Fizzles Out as Trade and Growth Worries Weigh DAX 30 Index CFD, 4-Hour Chart Analysis We saw several signs that the global counter-trend rally is losing steam, and yesterday several key benchmarks competed trendline and support breaks. Another batch of negative European economic releases, Fed Chair Jerome Powell’s upbeat speech, and the […]

The post 3 Things You Need to Know About the Market Today: Stock Sell-Off, Volatility Spike, Oil Reversal appeared first on Hacked: Hacking Finance.

Crypto Update: Altcoins Bounce Back but Technicals Still Point Lower

The major cryptocurrencies had another quiet session, despite this week’s bearish price action, and although the top coins failed to show technical progress, bulls avoided a break-down yet again. That said, selling pressure remains apparent in the segment and although we saw some encouraging signs in a few smaller altcoins, the total value of the […]

The post Crypto Update: Altcoins Bounce Back but Technicals Still Point Lower appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Powell Surprise, Eurozone Slump, Pound Dump & Pump

1, Stocks Fall as Bonds Turn Volatile on Fed Chair’s Comments Dow 30 Futures, 4-Hour Chart Analysis Fed Chair Jerome Powell continues to be the most important person for global financial markets, and yesterday, the central banker gave a surprisingly upbeat speech about the US economy, causing a dip in global equity markets and a […]

The post 3 Things You Need to Know About the Market Today: Powell Surprise, Eurozone Slump, Pound Dump & Pump appeared first on Hacked: Hacking Finance.

Crypto Update: Ethereum Hits 7-Week Low as Coins Resume Slide

While the top cryptocurrencies sold off in a concerted fashion today in early trading, and the relatively weaker coins fell below their short-term support levels, the segment once again avoided a decisive break-down in the low-volume environment. With the bearish momentum still being weak, the immediate outlook is rather neutral, but given the negative long-term […]

The post Crypto Update: Ethereum Hits 7-Week Low as Coins Resume Slide appeared first on Hacked: Hacking Finance.

Monero Price Analysis: XMR/USD Set for Critical Retest of December 2018 Low; Monero Still Being Mined Using Malware

The Monero price on Wednesday is seen nursing minor losses of around 1%. However, price action is very much vulnerable to further downside risks. XMR/USD price behavior has formed a bearish flag pattern structure, which is subject to further downside risks. The key near-term level of support that would be noted is $42. Recent Price […]

The post Monero Price Analysis: XMR/USD Set for Critical Retest of December 2018 Low; Monero Still Being Mined Using Malware appeared first on Hacked: Hacking Finance.

Bitcoin Update: Breakout Incoming

Bitcoin (BTC/USD) has been bleeding out ever since it failed to take out resistance of $4,200 on December 24, 2018. Slowly but surely, price faded along with volume and momentum. Relief bounces have been few and far in between. Under such conditions, bears are once again making noise, screaming that the bottom may be found […]

The post Bitcoin Update: Breakout Incoming appeared first on Hacked: Hacking Finance.

EOS Price Analysis: EOS/USD Danger of Moving Back to $1 Territory, Despite Dominating Tron in DApps

The EOS price is trading down some 3% in the early part of trading on Wednesday. The EOS/USD daily chart view can see somewhat of a bearish flag formation, subject to an extended breakout south. Recent Price Behavior The EOS price on Wednesday is seen nursing some sizable losses of 3% at the time of […]

The post EOS Price Analysis: EOS/USD Danger of Moving Back to $1 Territory, Despite Dominating Tron in DApps appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: German Weakness, Dollar Rally, Trump’s Speech

1, German Economy Sends Another Warning Sign DAX 30 Index CFD, 4-Hour Chart Analysis German Factory Orders came in well below expected today, declining by -1.3% on a monthly basis, while on a yearly comparison we are seeing the deepest downturn since the sovereign debt crisis 6 years ago. The effects of the Chinese slowdown […]

The post 3 Things You Need to Know About the Market Today: German Weakness, Dollar Rally, Trump’s Speech appeared first on Hacked: Hacking Finance.

APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign

Insikt Group

Co-Authored by Rapid7

Click here to download the complete analysis as a PDF.

Recorded Future analyzed an intrusion into one of our client’s networks and collaborated with Rapid7 to determine the scope of a cyberespionage campaign assessed to be conducted by a Chinese state-sponsored threat actor, APT10. This report details the campaign using data acquired from targeted host networks, the Recorded FutureⓇ Platform, network metadata, VirusTotal, Farsight DNS, Shodan, and other OSINT techniques.

Norwegian company Visma, who was targeted in the attack, and U.S. company Rapid7 provided support and extensive expertise throughout this research. Industry collaboration is a vital enabler in illuminating threats and offering protection to organizations at risk from hostile, state-sponsored economic cyberespionage.

This report will be of most value to network defenders and corporate risk executives within companies that utilize services from managed IT service providers and cloud hosting providers. The report will also be of interest to companies with an exposed third-party supply chain.

Executive Summary

A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018. Based on the technical data uncovered, and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.

The targeted companies included:

  • IT and business cloud services managed service provider (MSP) and Recorded Future client and supplier, Visma, a billion-dollar Norwegian company with at least 850,000 customers globally
  • An international apparel company
  • A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others

In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user cr. edentials. The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware. During the Visma intrusion, APT10 deployed their Trochilus malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers rather than the typically observed RC4 variant. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, known to have only been used by APT10.

APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated to a Dropbox account using the cURL for Windows command-line tool. The same Dropbox account was also accessed in a similar fashion by the attackers during the apparel company intrusion. Dropbox was also used to store exfiltrated documents from the third victim, a U.S. law firm, with the files again exfiltrated using identical TTPs and uploaded using cURL for Windows.

We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date. On top of the breadth, volume, and targets of attacks that APT10 has conducted since at least 2016, we now know that these operations are being run by the Chinese intelligence agency, the Ministry of State Security (MSS).

Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd (天津华盈海泰科技发展有限公司), and under the direct supervision of their regional bureau in Tianjin, the MSS has conducted an unprecedented campaign, dubbed “Operation Cloud Hopper,” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients. Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world. We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property.

In this same time frame, APT10 also targeted a U.S. law firm and an international apparel company, likely to gather information for commercial advantage. In all three incidents, APT10 actors used previously acquired legitimate credentials, possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company.

Recorded Future Timeline

Recorded Future timeline of APT10 activity between August 2018 and January 2019.

Key Judgments

  • We have identified a new variant of Trochilus malware, with its C2 communications encrypted using a combination of RC4 and Salsa20 stream ciphers.
  • An UPPERCUT backdoor was identified in the targeting of an international apparel company and U.S. law firm. The backdoor was deployed using the Notepad++ updater and sideloading malicious DLL, as noted in APT10’s targeting of Japanese corporations in July 2018.
  • In addition to using Trochilus and UPPERCUT, APT10 utilized a series of previously known and associated attack TTPs for all three of these intrusions. Some of these TTPs include:
    • Transferring tools from the C2 to the host using BITSAdmin-scheduled tasks into C:\ProgramData\temp
    • Use of DLL sideloading by executing a legitimate binary to load a renamed malicious DLL that decrypts, decompresses, and injects a Trochilus payload into memory
    • Use of legitimate credentials, possibly acquired through previous MSP compromises, to log in to accessible Citrix Remote Desktop clients in targeted organizations

Infographic

Background

APT10 is a threat actor that has been active since at least 2009. It has historically targeted healthcare, defense, aerospace, government, heavy industry and mining, and MSPs and IT services, as well as other sectors, for probable intellectual property theft.

In early 2017, APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks. During this operation (dubbed “‘Cloud Hopper” because of the group’s use of popular western cloud-based services), APT10 utilized both new malware (Quasar RAT, Trochilus, RedLeaves, ChChes) as well as some familiar old tools (Poison Ivy, PlugX).

Most recently, on December 20, 2018, the U.S. Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property. This indictment attributed the intrusions to APT10, a group that had been conducting the malicious activities for over a decade on behalf of the MSS, China’s civilian human intelligence agency. Some of the material included within the indictment corroborated information detailed in the Intrusion Truth blog that provided strong evidence attributing APT10 to the Tianjin State Security Bureau, a provincial bureau of the Ministry of State Security. In the blog, Intrusion Truth identified APT10 as having utilized several Tianjin-based companies, including Huaying Haitai Science and Technology Development Co. Ltd. and Laoying Baichen Instruments Equipment Co. Ltd.

Indictment of APT10 Threat Actors

U.S. Department of Justice indictment of APT10 threat actors. (Source: www.justice.gov)

The use of suspected shell companies as a front for MSS-enabled cyber activity isn’t a new observation, however. Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec, which was identified as a shell company for APT3.

Suspected Tianjin State Security Bureau Headquarters

Suspected Tianjin State Security Bureau headquarters. (Source: IntrusionTruth)

The December APT10 indictment noted that the group’s malicious activities breached at least 45 companies and managed service providers in 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States.

About Visma

Visma offers software and services that simplify and digitize core business processes in the private and public sector. The Visma group operates across the entire Nordic region along with Benelux, Central, and Eastern Europe. With 8,500 employees, more than 850,000 customers, and a net revenue of NOK 8,537 million (approximately $1 billion USD) in 2017, Visma is one of Europe’s leading software companies.

Intrusion Overview

Recorded Future’s Insikt Group has actively tracked APT10 for several years, focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017. We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10, given their potential access through compromised MSP networks.

In September 2018, one of our clients (and a supplier as well), Visma, reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7. Visma provided us with malware samples and network logs from the event. Analysis of the data revealed that Visma’s Citrix infrastructure had been probed and subsequently accessed using stolen credentials as early as August 17, 2018. This was followed by an initial exploitation, network enumeration, and malicious tool deployment on various Visma endpoints within two weeks of initial access. The theft of enterprise login credentials was conducted within two and a half weeks of initial access.

On August 30, 2018, APT10 deployed their first modified version of Trochilus that had its C2 communications encrypted using Salsa20 and RC4 ciphers instead of the more common RC4-encrypted Trochilus variant seen in the wild. This sample, similar to other Trochilus samples, was deployed using a DLL sideloading method utilizing three files, uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A (last revised on December 20, 2018). This method involves the use of a legitimate binary (File 1) used to load a malicious DLL (File 2). The malicious DLL is renamed to match the name of an expected DLL to be loaded by the executable. The malicious DLL then decrypts and decompresses shellcode contained within a third file placed by the attackers in the same temporary folder. The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process. This method of malicious payload installation is a well-documented TTP of APT10.

The attackers used Mimikatz (pd.exe) to enable credential theft and made use of scheduled tasks via the Microsoft BITSAdmin utility to transfer files from their C2 to the Visma network. The attackers preferred to upload their malicious tooling to the C:\ProgramData\temp or C:\ProgramData\media directories and executed commands using batch files (x.bat). A full list of the filenames of the suspected attacker tooling can be found in the report appendices.

BITSAdmin Example Commands

BITSAdmin example commands used by the attackers.

In order to exfiltrate the compromised data, the attackers employed custom malware that used Dropbox as its C2. They also used WinRAR and cURL for Windows, both often renamed, to compress and upload the exfiltrated files from the Visma network to the Dropbox API.

Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company. They also identified broadly similar TTPs being used in the attack against a U.S. law firm specializing in intellectual property law. The firm has a dedicated China practice aimed at assisting Chinese companies entering the U.S. market.

Rapid7’s investigation revealed the law firm was first targeted in late 2017, followed by the apparel company a few months later, and finally, the Visma attack in August 2018. In one of the attacks, Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop. Interestingly, in all three attacks, the targeting of Citrix remote desktops was a common thread. Additionally, the same DLL sideloading technique observed in the Visma attack was used, and many of the tools deployed by the attackers shared naming similarities as well (1.bat, cu.exe, ss.rar, r.exe, pd.exe). Most interestingly, Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor (also known as ANEL). APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018.

The Visma Attack

APT10 actors gained initial access to the Visma network around August 17, 2018. Examination of network logs revealed an employee’s credentials were stolen and used to authenticate to the network outside of her normal working hours. While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials, it is not clear how or when these credentials were initially compromised.

Throughout August 2018, the APT10 actors regularly logged in to the Visma network via accessible Citrix servers using two valid user accounts. The times of the logins were consistent with a GMT+8 timezone, indicative of typical Tianjin, China working hours. On each occasion, the logins were from one of eight VPN endpoints that resolved to IPs in the following tightly defined subnets:

Subnet Registration AS
104.237.86.0/24 Los Angeles Cloud, HostAware AS32181 — GigeNET
45.56.155.0/24 VPN Consumer Network AS32181 — GigeNET
45.62.52.0/24 Los Angeles Cloud, HostAware AS32181 — GigeNET
173.239.198.0/24 VPN Consumer Network AS36351 — SoftLayer Technologies Inc.

VPN Consumer Network is an ambiguous Panama-registered entity. Based on information in WHOIS registration records, the website for the company is vpnconsumer.com, which is a nondescript landing page only containing the abuse contact details and a physical address in Panama. BGP routing information shows that the organization manages 44/24 subnets hosted around the world, many of which resolve to low-cost VPN services, such as ExpressVPN.

Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17, 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials.

After almost two weeks, on August 30, 2018, APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading technique. Two separate infection chains leveraging this specific DLL sideloading technique were identified on the Visma network using legitimate known good binaries that had DLL search-order path issues. This means that APT10 actors had two separate access points into the Visma network.

Infection Chain 1: August 30, 2018

Once on the Visma network, APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \ProgramData\temp\ directory on the infected host.

The copied files included:

  • A legitimate binary for the uninstaller for PDF printing application PDF-Xchange 2011 Lite DE, renamed from unins000.exe to CASTSP.exe (f6e0f076e27391a6e6eb23f23f77c2ff078488875113df388640aca8bf4dd64b)
  • An accompanying malicious DLL, version.dll (10182f0e64b765db989c158402c76eb1e0e862cab407f7c5cec133d8e5cb73e3)
  • A DES-encrypted shellcode configuration containing the Trochilus implant into the same folder (42b5eb1f77a25ad73202d3be14e1833ef0502b0b6ae7ab54f5d4b5c2283429c6)

After the files were copied across the attacker-executed CASTSP.exe, this file sideloaded and ran version.dll, which in turn decrypted and decompressed the encrypted shellcode and injected the Trochilus payload into memory.

Infection Chain 1

Infection Chain 1.

Infection Chain 2: September 4, 2018

A few days later, APT10 used an almost identical approach used during Infection Chain 1 to deploy Trochilus onto another part of Visma’s network. While the deployed DLL and the encrypted shellcode were named differently, the underlying method of malware installation was the same as Infection Chain 1. The files remotely copied into C:\ProgramData\temp\ using BITSAdmin included:

  • Another dropper renamed to “CASTSP.exe” that this time was a legitimately signed Microsoft Visual Studio binary TailoredDeploy.Host.exe (also known as TailoredDeploy.exe)(fc6a130504b54fa72cfc104c656fe2cd92d7998f42ca064e22167e1d402a1514)
  • A malicious DLL, vcruntime140.dll (eed0c7f7d36e75382c83e945a8b00abf01d3762b973c952dec05ceccb34b487d)
  • A DES-encrypted Trochilus payload (e6280de09f9adf79212409529eb25c0c2ea73e33a50281e22228a3db3998eecb)

The execution method was identical: CASTSP.exe sideloaded and ran vcruntime140.dll, which decrypted and decompressed the encrypted shellcode configuration and injected the Trochilus payload into a system process in-memory on the host machine.

Infection Chain 2

Infection Chain 2.

Malware Analysis

The malware sets used for both infection chains are nearly identical both in infection method and code structure. Because the malware for both infection chains were so similar, it is only necessary to include the in-depth analysis for one chain here, so we focused on Infection Chain 1. It included the binaries below:

  • CASTSP.exe: A valid and signed application that utilizes DLL sideloading to execute the malicious DLL, “version.dll”
  • Version.dll: Main functionality of “Version.dll” is to decrypt and execute the Trochilus payload
  • CZYSOYKPOIKKZGUFOIUI: DES-encrypted Trochilus payload

Trochilus Implant

The Trochilus loader, version.dll, has four entry points, as shown below. The malicious entrypoint called by CASTSP.exe is DllEntryPoint.

Trochilus Loader

After version.dll runs, it loads the file CZYSOYKPOIKKZGUFOIUI into memory. The file “CZYSOYKPOIKKZGUFOIUI” is 387,094 bytes of binary code that is not human-readable.

Loaded File

After the file is loaded, the next function, sub_6a351000, starts the decryption routine for CZYSOYKPOIKKZGUFOIUI. The file is DES-encrypted and the key can be identified being loaded into memory at the start of the decryption routine.

Decryption Routine

Once the payload is decrypted, version.dll creates a new process in a suspended state and writes the Trochilus payload into the suspended process. Next, version.dll resumes the process, executing the Trochilus payload.

Trochilus Attribution

Trochilus attribution.

This variant of Trochilus is significantly different from some of the reported variants.1 The C2 infrastructure, network communications, and encryption are different from prior versions, but the code similarities and the use of DLL sideloading demonstrate that this is just another variant of Trochilus. First, the libraries below are included in the Trochilus variant and are known to be a part of the source code upon which Trochilus is based on.

  • SelfDestruction.cpp
  • MySocket.cpp
  • CommManager.cpp
  • Common.cpp
  • Main.cpp
  • Manager.cpp
  • ServiceManager.cpp
  • TCPComm.cpp
  • UDPComm.cpp

Second, the unencrypted C2 beacon, _msgid.23.__serial.0.clientid.xxxxxxxxxxxxxxx, is a well-defined component of the Trochilus source code.

The capabilities of Trochilus are well documented in other research reports, but the C2 infrastructure for this variant uses a combination of XOR, RC4, and Salsa20, which is different from what has previously been reported for Trochilus.

Command and Control Infrastructure

The C2 domain www.miphomanager[.]com is hardcoded, and after a successful DNS request for the IP address, the Trochilus implant will use that IP address for communication.

Trochilus Implant

The encoding and encryption routines used in this variant are different from other variants and use three stages of encryption. Other variants have typically used XOR encoding with RC4 encryption to obfuscate C2 communication.

Stage 1: Rolling XOR Function

The first stage is a simple rolling XOR function. The rolling XOR key is computed by taking two initial values, Constant 1 and Constant 2, and adding them together. The result is then divided against the divisor 0xff. The remainder of this result is used as the XOR key. On the second iteration, Constant 1 is now saved as Constant 2, and Constant 2 becomes the remainder from the previous operation. They are added together and again divided by the divisor 0xff to produce the next XOR key. This process repeats until the end of the cleartext string. A Python script is provided below showing this encoding function.

Encoding Function

Our analysis revealed that the “__msgid.23.” cleartext string below was sent to the XOR function above.

Cleartext String

Stage 2: RC4 Encryption

The resulting data then goes to the second stage, which is RC4 encryption using the hard-coded string NASDKJF7832Hnkjsadf878UHds89iujkhNHKJDHJDH8UIYE98uihwjshewde8w. The main routine shown below takes the key and then sends it to the function sub_B49252, which initializes the key-scheduling algorithm (KSA) and pseudo-random generation algorithm (PRGA), which are the two key components of RC4 encryption.

Routine

Stage 3: Salsa20 Encryption

For the final phase, the resulting data from the RC4 encryption is then encrypted again, this time with Salsa20. Salsa20 is another stream cipher that encrypts data in 64-byte blocks. Salsa20 uses a secret key and nonce to initialize the encryption. These values are hard-coded and are:

  • Secret Key: 0x1,0x2,0x3,0x4,0x5,0x6,0x7,0x8,0x9,0xA,0xB,0xC,0xD,0xE,0xF,0x10
  • Nonce: 0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6C (“efghijkl”)

Encrypted Message

After the message is encrypted, it is then sent via an HTTP POST to the C2 host, which in this case is the domain www.miphomanager[.]com. The HTTP headers are provided in the figure below.

HTTP Headers

Infrastructure

DNS log data revealed that requests were made for the malicious Trochilus C2 domain, www.miphomanager[.]com, as early as August 30, 2018 — only two weeks after Visma was initially compromised on August 17, 2018. This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack.

According to WHOIS information, the malicious miphomanager domain was registered with a relatively small Bahamas-based domain registrar, internet.bs. This registrar is widely noted to host a disproportionate number of rogue or malicious websites, with the registrar aggressively marketing itself as an “offshore” registrar. Other examples of malicious infrastructure registered with internet.bs include domains for APT28’s VPNFilter malware campaign and the registration of the cyber-berkut[.]org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut.

The registrant organization name was privacy protected using Whois Privacy Corp, and the registered name servers for the malicious C2 were listed as:

  • Ns-canada.topdns[.]com
  • Ns-uk.topdns[.]com
  • Ns-usa.topdns[.]com

Internet.bs and the name servers listed above were noted in the registration of a malicious C2 used in a KHRAT campaign targeting Cambodia. KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK.

All three name servers appear in Recorded Future with an unusual risk rating as they appear in the “Bambenek Consulting C&C Nameserver Blocklist” threat list, because of their prevalence in being associated with a Zeus-based banking trojan, Sphinx.

Credential Harvesting and Exfiltration

During our investigation, we also found evidence of a legitimate decompression utility typically packaged with Java named “unpack200.exe” being executed on the Visma network. This utility sideloaded Mimikatz (pd.exe) and enabled credential theft from Visma users. Interestingly, the same combination of unpack200.exe to deploy Mimikatz was used by the same attackers in both the apparel company and U.S.-based law firm breaches.

Using the newly acquired credentials, the attacker accessed Visma’s Microsoft Active Directory domain controller, deployed Trochilus, and made a copy of the “NTDS.DIT” database file containing Active Directory data for Visma’s corporate network, including password hashes for all users in the domain.

The NTDS.DIT file and accompanying stolen data was then packaged up using a renamed WinRAR executable (r.exe) that was transferred across by the attacker who then used cURL for Windows (renamed to “CU.exe”) to upload the exfil to content.dropboxapi.com. The RAR files followed a naming convention of a short run of repeating characters (for example, kkk.rar, ss.rar, pp.rar, dds.rar, gggg.rar, etc).

Rapid7 research revealed the exfiltrated content from Visma was uploaded to a Dropbox account that contained files from another incident related to the compromise of an international apparel company that they were investigating.

US-Based Law Firm Attack

In late 2017, Rapid7 responded to a breach at a U.S.-based law firm. The attacker first gained access to the victim environment through Citrix servers. Once inside the victim network, the attacker deployed their own customized malware and also used known good binaries that have DLL search order hijacking issues in order to perform DLL sideloading to execute customized versions of Mimikatz in order to retrieve passwords. The filename for the custom malware was “ccSEUPDT.exe” (MD5: d8e37f07fdc9827871f0f959519275e1), a legitimate Symantec Security Submission Engine Update Module binary. The custom malware also would have a DLL in the same staging directory and a randomized 15-character uppercase and lowercase alpha character set filename without an extension that contained the shellcode. The attacker used unpack200.exe (MD5: 6807be8466955bafffa568b6da0e785c), a decompression program that comes with Java 8 and their copy of Mimikatz was placed into MSVCR100.DLL (MD5: c8ea12ee884f274ca35fa54a073df130).

These methods of initial ingress into the victim networks and the method of obtaining passwords remained consistent TTPs across all victims. The DLL sideloading technique can evade application whitelisting and antivirus software. However, if deployed, systems that perform process.start creation would log the command line being passed to the binary and could be reviewed, and then signatures created that look for the common flags could be passed to Mimikatz. The attacker would also move laterally by mounting the remote drive on a system, copying “1.bat” to it, use task scheduler to execute, and then delete the batch script.

In order to perform exfiltration of the stolen data, the attacker used common file compression utilities (rar.exe) to create archives of the information they intended to exfiltrate, and then used common command line-based web clients (curl.exe) to transfer the stolen data to a cloud-based storage provider (Dropbox). This TTP for data exfiltration remained consistent across all victims.

To maintain access to the victim network from the external public internet, the attacker deployed password-protected ASP eval webshells (Filename “iisstart.aspx,” SHA256: 243d47fc2a24b391e1153d5c7807c6e5de51aba65fc79465d7b3e5c64d5fac41) within the client environment in order to maintain access.

ASPX Payload

Server-side ASPX payload of the China Chopper webshell. (Source: Rapid7)

This resembled the server-side ASPX payload of the China Chopper webshell documented previously. Uploads to VirusTotal in late August 2018 resembling the same filename, iisstart.aspx, indicate the deployed webshell was likely a version of the China Chopper webshell known to have been used by several Chinese threat actors.

The attacker also used TeamViewer in order to maintain remote access to compromised systems within the victim environment.

International Apparel Company Attack

In early 2018, Rapid7 identified that the attackers compromised an apparel company, based upon detections and intelligence gathered from the U.S.-based law firm breach. The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network. Rapid7 again observed the attackers dropping payloads named “ccSEUPDT.exe.” The attackers used identical TTPs for executing malware and Mimikatz as observed before, by using DLL sideloading with known good binaries that had DLL search order path issues. The attackers used the Notepad++ updater GUP.exe (MD5: f5322b2f18605674b9a0c1757de5fd94), the Java archive decompression utility unpack200.exe (MD5: 6807be8466955bafffa568b6da0e785c), renamed from “coInst.exe,” and Norton Identity Safe binary CASRTSP.exe (MD5: 1e3a57cff7cba8732364c26f4bbdcbe2). These binaries were used to load malware from DLL files MSVCR100.DLL (MD5: 5739c1f17503e21e56667d53ea823401) and libcurl.dll (MD5: 8f07160febdb240909b27aa519bba575). Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2. The attackers used the same method of lateral movement by mounting the remote drive on a system, copying 1.bat to it, using task scheduler to execute the batch script, and finally, deleting the batch script.

For exfiltration of stolen data, the attacker used WinRAR and renamed “rar.exe” to “r.exe” to create archives, upload them with “curl.exe” (renamed to “c.exe”), and again, use the cloud storage provider Dropbox. Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma. Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018.

Outlook

We identified three victims of cyberespionage operations since late 2017 across the managed IT service provider, retail, and legal sectors. The targeted sectors vary significantly, indicating a wide scope of targeting for the group. We assess with high confidence that the attacks were conducted by Chinese MSS threat actor, APT10, based on the evidence outlined in this report, summarized below:

  1. The use of a variant of the Trochilus malware. While the variant has not been noted publicly previously, Trochilus is widely used by APT10.
  2. The use of legitimate binaries to sideload malicious DLLs that decrypt and decompress shellcode configuration files containing a Trochilus payload.
  3. The use of Notepad++ updater (filename “gup.exe”) to load malicious DLL (libcurl.dll) in the deployment of the APT10 backdoor, UPPERCUT.
  4. Extensive use of command-line tools including, but not limited to, Mimikatz, cURL for Windows, BITSAdmin, and WinRAR, to perform actions on-host.
  5. The targeting of a Norwegian MSP, which enabled potential access to an extensive customer base. We believe that the APT10 targeting of Visma is an extension of their 2017 Cloud Hopper operation (which victimized some of the world’s largest MSPs) and has continued into late 2018.
  6. The unauthorized access to Citrix remote desktop clients at Visma using stolen credentials occured at times corresponding to Tianjin working hours (GMT +8).

We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations. Their unprecedented campaign against MSPs, alleged to have included some of the largest MSPs in the world, in order to conduct secondary attacks against their clients, grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world.

This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations, led by the U.S. Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security. Crucially, the variety of businesses targeted prove that these campaigns are being conducted against corporations across the commercial spectrum, aimed at undermining international norms in trade to erode the competitive advantage of companies that have invested heavily in patented technology.

This report, alongside the plethora of other reporting on APT10 operations, acutely highlights the vulnerability of organizational supply chains. Often, third parties in the supply chain are less likely to adopt high-end, expensive security measures, and therefore offer an attacker a convenient access vector to target interconnected organizations. Also, the targeting of cloud providers exploits the trust companies place in the security of the cloud services they use.

Based on available information, we assess that this intrusion was conducted by the group that is known as APT10. However, during the course of this investigation, we have had privileged conversations that lead us to believe that in the future, portions of what is now known as APT10 will be recategorized as a new group. There is insufficient data at this time to make that distinction.

Network Defense Recommendations

Recorded Future recommends organizations conduct the following measures outlined in this section in conjunction with the advice published by US-CERT2 and the U.K.’s NCSC3 when defending against APT10 attempts to gain network access.

  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
  • Implement the provided SNORT rules in Appendix B into your IDS and IPS appliance and investigate any alerts generated for activity resembling the TTPs outlined in this report on APT10.
  • Conduct regular Yara scans across your enterprise for the new rules listed in Appendix C and those listed in the official U.S. and U.K. government advisories listed above.
  • Consider blocking any connection attempts emanating from IPs resolving to “VPN Consumer Network” (listed in Appendix B) and consider implementing a VPN whitelisting policy based on approved vendors.
  • Detection of potential ASP eval webshells can be difficult, but can be accomplished by deploying file integrity monitoring of the web root directories on all servers with a client environment.
  • Detection of exfiltration based on network flow data would be difficult if the attacker chose to use the same cloud storage provider that the victim has standardized upon. However, if SSL is proxied for monitoring, signatures can be created to identify this activity by checking the user agent or method of client header construction against the Dropbox client applications themselves.
  • Ensure you have DNS response policy zones enabled for your enterprise. If so, consider detecting, alerting, and blocking requests for the nameservers below associated with the disproportionately malicious domain registrar internet.bs:
    • ns-uk.topdns.com
    • ns-usa.topdns.com
    • ns-canada.topdns.com

To view a full list of the associated indicators of compromise, download the appendix.

The post APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign appeared first on Recorded Future.

     

GBP/USD Price Prediction: Cable Flood Gates Open to Fresh Wave of Sellers

GBP/USD was under heavy attack throughout the session on Tuesday, following a poor UK services PMI data release. The next major areas of support should be noted at 1.2900, 1.2870-30 and then 1.2750-00. The British pound was hit with heavy selling pressure on Tuesday, resuming the trend which was kick-started last week. Looking at GBP/USD […]

The post GBP/USD Price Prediction: Cable Flood Gates Open to Fresh Wave of Sellers appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Fights For $0.30 Support as Market Remains Frozen

Light trading continued in the major cryptocurrencies, with the top coins trading in very narrow ranges across the board. While the low-volatility, low-volume environment is usually bullish, given the recent failed rally attempts and the overwhelmingly negative long-term picture, bearish forces continue to clearly dominate the segment. In light of the downside risks traders and […]

The post Crypto Update: Ripple Fights For $0.30 Support as Market Remains Frozen appeared first on Hacked: Hacking Finance.

Binance Coin Price Analysis: Big Test for the Bulls in Play

BNB/USDT bulls have much upside momentum, a notable out-performer against many of its peers. BNB/BTC is trading back at the highest levels seen since July 2018; greater upside in sight should the bulls break down near-term barriers. Binance Coin has been enjoying a decent rally to the upside, with solid gains being recorded in the […]

The post Binance Coin Price Analysis: Big Test for the Bulls in Play appeared first on Hacked: Hacking Finance.

Crypto Update: Bearish Drift Continues in Crypto-Land

Trading activity remained low in the cryptocurrency segment following the mixed weekend, and although the top coins continue to be stuck in bearish technical setups, bulls avoided a move below the key short-term support levels. That said, none of the majors managed to show bullish momentum or technical progress in the quiet environment, and we […]

The post Crypto Update: Bearish Drift Continues in Crypto-Land appeared first on Hacked: Hacking Finance.

There’s Too Much Pressure On USD

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets There were enough statistics from the USA last Friday. The Unemployment Rate increased to 4.0% in January after being 3.9% the month before. However, the indicator wasn’t expected to change. The Average Hourly Earnings added only 0.1% m/m over the same period after expanding by 0.4% m/m in […]

The post There’s Too Much Pressure On USD appeared first on Hacked: Hacking Finance.

GBP/USD Price Prediction: Cable Subject to Further Downside Pressure with Focus on the Bank of England

GBP/USD saw its first weekly close in the red after six consecutive weeks of gains. Focus on the Bank of England, as the general expectations are for it to push back rate hike expectations. GBP/USD prior to last week has been rallying to the upside at quite some momentum. The price was enjoying six consecutive […]

The post GBP/USD Price Prediction: Cable Subject to Further Downside Pressure with Focus on the Bank of England appeared first on Hacked: Hacking Finance.

NEM Price Analysis: XEM Remains Under Heavy Selling Pressure; NEM Foundation Tries to Ease Concerns

XEM is seeing a large spike in volume to the downside, with XEM/USDT and XEM/BTC in unknown territory. NEM Foundation provide further clarity after large worries of bankruptcy. XEM has been losing considerable value in recent weeks. Looking at specifically XEM/USDT, the price has dropped down to levels that have not been seen before. Despite […]

The post NEM Price Analysis: XEM Remains Under Heavy Selling Pressure; NEM Foundation Tries to Ease Concerns appeared first on Hacked: Hacking Finance.

NEO Price Analysis: NEO/USD Under Pressure Heading into NEO 3.0 Unveiling

NEO is nursing losses of around 5% on Sunday, as the bears remain in control of the trend. The community is heavily anticipating the NEO 3.0 upgrade details to be delivered by the founder at their DevCon on 16th February.  The NEO/USD recent price action further reinforces the notion that the bear market does not […]

The post NEO Price Analysis: NEO/USD Under Pressure Heading into NEO 3.0 Unveiling appeared first on Hacked: Hacking Finance.

Crypto Update: Weekend Rally Fades as Coins Lack Momentum

While the major cryptocurrencies had a bullish Saturday following a hectic week, with Litecoin pulling its weight again, the segment continues to be controlled by sellers. We still haven’t seen meaningful technical progress in the top coins, with even the short-term resistance levels proving too strong in the quiet and illiquid environment. Today, the majors […]

The post Crypto Update: Weekend Rally Fades as Coins Lack Momentum appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Subject to a Breakout Higher from a Descending Wedge Formation

XRP/USD price action is moving within a descending wedge pattern, which is subject to a breakout north. CoinGate has added XRP as a payment option, which is part of a gateway to 4,500 online stores. Ripple’s XRP continues to trade around a huge buying area, which is initially seen from $0.3000-$0.2500. The price has been […]

The post XRP Price Analysis: XRP/USD Subject to a Breakout Higher from a Descending Wedge Formation appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD May Have to Return to $80 Territory, Despite 2.0 Progression

ETH/USD price is back within consolidation mode after the selling of late January. Ethereum network 2.0 upgrade is stabilize and progressing, according to the latest update. ETH/USD: Recent Price Behavior The Ethereum price has managed to stabilize over the past five sessions after the selling pressure that came into play at the back-end of January. The […]

The post Ethereum Price Analysis: ETH/USD May Have to Return to $80 Territory, Despite 2.0 Progression appeared first on Hacked: Hacking Finance.

Crypto Update: Market Bounces Again as Litecoin Gains Ground

The cryptocurrency segment had another active day, and although the recent failed rally attempt cemented the short-term downtrend, the majors managed to avoid another downswing, for now. The top coins were boosted by the more than 5% advance of Litecoin, while the continued stability of Bitcoin also helped investor sentiment in the segment ahead of […]

The post Crypto Update: Market Bounces Again as Litecoin Gains Ground appeared first on Hacked: Hacking Finance.

Threat Actor Behind Collection #1 Data Breach Identified

Executive Summary

On January 17, 2019, security professional Troy Hunt disclosed “Collection #1,” a data breach collection of 1,160,253,228 unique combinations of email addresses and corresponding passwords. A total of 772,904,991 unique email addresses and 21,222,975 unique passwords were discovered. Then, on January 31, PCWorld reported that researchers at the Hasso Plattner Institute discovered an additional 611 million credentials they attributed to the Collection #1 data breach.

Recorded Future analyzed the complete dump on January 19, 2019 and confirmed that many of the account credentials contained in Collection #1 are from a wide variety of previous data breaches, some of which are two to three years old, and may not contain newly compromised accounts.

Multiple threat actors claimed to be the source of the data and were distributing these databases throughout the dark web, including the threat actor “Clorox.” However, Recorded Future assesses with moderate confidence that the original creator and seller of Collection #1 was the actor “C0rpz.” Another actor from a well-known Russian hacking forum was also observed sharing a large database of 100 billion user accounts, which possibly has some of the same datasets found in Collection #1.

Threat Analysis

Insikt Group discovered a forum post created on January 17, 2019 by Clorox, who posted seven URLs to separate databases hosted on the file sharing service MEGA.

In total, the seven databases listed below contained 993.53 GB of data containing three different variations of user credentials: email addresses and passwords, usernames and passwords, and cell phone numbers and passwords.

  • “ANTIPUBLIC #1” (102.04 GB)
  • “AP MYR & ZABUGOR #2” (19.49 GB)
  • “Collection #1” (87.18 GB)
  • “Collection #2” (528.50 GB)
  • “Collection #3” (37.18 GB)
  • “Collection #4” (178.58 GB)
  • “Collection #5” (40.56 GB)

In the forum post, Clorox linked to the Troy Hunt article “The 773 Million Record ‘Collection #1’ Data Breach,” claiming that the database Troy Hunt has is incomplete and is only a fraction of the original dump known on the dark web as Collection #1. Furthermore, Clorox stated that the original data dump was being sold on a different forum by another party, who then took down the original files that were hosted on different URLs on MEGA. Troy Hunt, according to Clorox, was able to download one of these databases that the individual forgot to remove, though the individual did remove it shortly after.

Further analysis showed another individual using the moniker C0rpz, who claimed to be the original creator and seller of Collection #1 as early as January 7, 2019. C0rpz also stated that another forum member, “Sanix,” purchased Collection #1 from them and then attempted to resell it to other forum members. Sanix was the individual identified by Brian Krebs in his article “773M Password ‘Megabreach’ is Years Old,” and our analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz. Sanix has since been banned from the forum, and C0rpz has posted links to MEGA sharing Collection #1 free of charge to the community.

Recorded Future discovered yet another possible source of Collection #1. On January 10, 2019, an actor on a well-known Russian-speaking hacker forum posted both a magnet link and a direct download link to a database containing 100 billion user accounts hosted on a personal website. The following week, the actor made clear that the data dump referenced in Troy Hunt’s article was included in their dump as well.

Outlook

Recorded Future assesses with high confidence that the database Collection #1 and its variations will continue to be shared among dark web communities and incorporated in credential-stuffing attacks from various threat actors. However, many of the account credentials contained in Collection #1 are from a wide variety of previous data breaches, some of which are two to three years old. It is highly likely that many of the affected individuals already have been required to change their passwords which would otherwise have been compromised by this leak.

Individuals should be prepared for phishing attacks that could target exposed email addresses or cell phone numbers. Current customers can contact their Recorded Future Intelligence Services consultants if they are interested in learning more.

The post Threat Actor Behind Collection #1 Data Breach Identified appeared first on Recorded Future.

     

Stellar Price Analysis: XLM/USD in Deep Trouble Floating in the Abyss

XLM/USD and XLM/BTC plunge into unknown territory, with a lack of technical reference indicators. US tech giant IBM was recently advertising for new staff to work on a Stellar blockchain project. XLM/USD Price Behavior Stellar’s XLM remains at depressed levels, a price area that has not been observed before, specifically when looking at XLM/USD. The […]

The post Stellar Price Analysis: XLM/USD in Deep Trouble Floating in the Abyss appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple and Bitcoin Gold Ripe for Bottom Picking

On our January 30 crypto update, we noted how Bitcoin (BTC/USD), EOS (EOS/USD), and Monero (XMR/USD) are likely to revisit recent lows. Although this forecast make it seem that the markets are bearish in the short-term, it is not all gloom and doom. In fact, the point of that article was to prepare you for […]

The post Crypto Update: Ripple and Bitcoin Gold Ripe for Bottom Picking appeared first on Hacked: Hacking Finance.

Binance Coin Price Analysis: BNB Outperformance with Bulls Gunning for a Big Retest of the $7.00 Area

BNB/USDT holding decent gains of some 6% on Friday, as price maintains upside momentum. Binance announced they are now accepting credit card payments for crypto purchases. BNB Price Behavior BNB/USDT was seen running with strong gains on Friday, seen up over 6% at the time of writing. The bulls maintained upside momentum after a chunky […]

The post Binance Coin Price Analysis: BNB Outperformance with Bulls Gunning for a Big Retest of the $7.00 Area appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Turn Lower as Ripple-Effect Fades

Yesterday’s rally, which was led by the surge in the price of Ripple quickly ran out of steam, as the majority of the major cryptocurrencies failed to make meaningful technical progress, and the broad bearish pressures remained strong in the segment. XRP spiked briefly above the $0.33 level, but failed to maintain its bullish momentum, […]

The post Crypto Update: Coins Turn Lower as Ripple-Effect Fades appeared first on Hacked: Hacking Finance.

Ethereum Classic Price Analysis: ETC/USD Moving within a Descending Wedge Pattern Structure

Ethereum Classic (ETC) remains stuck within a bearish trend, price confined within a wedge pattern. Bob Summerwill, a developer from ConsenSys, has joined The Ethereum Classic Cooperative. Recent Price Behavior Ethereum Classic continues to edge further south, with the price confined within a bearish structure. Since the start of January, ETC/USD has been stuck within […]

The post Ethereum Classic Price Analysis: ETC/USD Moving within a Descending Wedge Pattern Structure appeared first on Hacked: Hacking Finance.

IOTA Price Analysis: New Partnership with Denmark’s Largest Energy Company

IOTA set to partner up with Energinet, Denmark’s largest energy company. IOT/USD receives some bidding within a known area of demand, preventing a further free-fall. Recent Price Behavior Over the last two sessions at the time of writing, IOT/USD has managed to bounce and see some minor upside. This comes after heavy selling pressure to the […]

The post IOTA Price Analysis: New Partnership with Denmark’s Largest Energy Company appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Surges on Swift-R3 Partnership, but Bearish Forces Still Strong

The major cryptocurrencies all gained ground today, with the help of Ripple’s strong, news-induced rally, which propelled the currency all the way to the, recently significant, $0.32 price level. While XRP managed to recapture the $0.30 resistance level, its peers failed to make meaningful technical progress, and the bearish overall picture remains dominant in the […]

The post Crypto Update: Ripple Surges on Swift-R3 Partnership, but Bearish Forces Still Strong appeared first on Hacked: Hacking Finance.

GBP/JPY Price Prediction: Cable Gunning Testing Huge Daily Support

GBP took a heavy beating late on Tuesday, following the Cooper Brexit Amendment failing to pass. There is once again high uncertainty for the UK, as Prime Minister May continues to face rejection from the EU on renegotiation. Brexit Vote Results Disappoint GBP Bulls GBP was hit hard across the board last night, after a […]

The post GBP/JPY Price Prediction: Cable Gunning Testing Huge Daily Support appeared first on Hacked: Hacking Finance.

Crypto Update: Bitcoin and Two Altcoins to Revisit Lows

The first month of the year hasn’t been so kind to large cap cryptos like Bitcoin (BTC/USD), EOS (EOS/USD), and Monero (XMR/USD). While these three cryptos ended the last couple of weeks of 2018 strong, they’ve been pulling back ever since the calendar switched to 2019. As a matter of fact, they are now in […]

The post Crypto Update: Bitcoin and Two Altcoins to Revisit Lows appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: LTC/USD on Firmer Footing Compared to Its Peers

Litecoin price held much ground, despite that wave of selling pressure earlier in the week. Charlie Lee, Litecoin’s founder, talks of potential fungibility this year for the coin. Litecoin Price Behavior LTC/USD continues to struggle with a committed direction. Price action is still very much victim of range-bound narrow trading. Litecoin however has managed to hold […]

The post Litecoin Price Analysis: LTC/USD on Firmer Footing Compared to Its Peers appeared first on Hacked: Hacking Finance.

Crypto Update: Majors Attempt Bounce but Technical Setup Still Bearish

Following yesterday’s key short-term breakdown the top cryptocurrencies found support today in early trading and attempted a weak rally towards the previous support levels. With Bitcoin showing relative weakness overnight, and with Ripple and Ethereum only bouncing back slightly, the break-down remained clearly intact despite the rally attempt and the negative short- and long-term trends […]

The post Crypto Update: Majors Attempt Bounce but Technical Setup Still Bearish appeared first on Hacked: Hacking Finance.

High Risk, High Yield

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets After Donald Trump became President he told investors it was he who made the stock market rise. When the market went down, however, most blamed Trump again. In 2018, the indices reached their highs and started correcting, which meant the ascending trend faded out and the market needed […]

The post High Risk, High Yield appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Bulls Run Out of Steam for Now, Bears to Test Vital Trend Line of Support

TRX/USD is running at its second consecutive session in the red after the bulls lost upside momentum on 27th A bearish evening star candlestick was produced, which indicated selling pressure to the downside was looming. Tron Recent Price Behavior The TRX/USD bulls have lost their upside momentum after enjoying a decent run higher from 21st – […]

The post Tron Price Analysis: TRX/USD Bulls Run Out of Steam for Now, Bears to Test Vital Trend Line of Support appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA is Just One Barrier Away from a Return to December 2018 Low

Yoroi, the Cardano wallet is now live for android users, facilitating the storing of ADA and transactions. ADA/USDT is gunning for a big retest of the December 2018 low area. Cardano’s ADA has been taking a large beating over the past few sessions. If looking at ADA/USDT, this has been falling for the past seven […]

The post Cardano Price Analysis: ADA is Just One Barrier Away from a Return to December 2018 Low appeared first on Hacked: Hacking Finance.

Crypto Update: Top Coins Break Support as Consolidation Period Ends

The bearish trend in the cryptocurrency segment proved its strength yet again, as following a lengthy period of consolidation, most of the majors broke below key support levels today, hitting new 1-month lows in the process. While there are a few positive signs that could give hope to bulls here, especially the relative stability of […]

The post Crypto Update: Top Coins Break Support as Consolidation Period Ends appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: BCH/USD Bears Break Out from Bearish Flag Structure

Bitcoin Cash suffered big double-digit losses on Monday, seen down as much as 10% in the latter part of the session. BCH/USD bears retest a breached descending trend line as the price seeks support. Bitcoin Cash Price Developments Bitcoin Cash price has been hammered on Monday, with big sellers returning with force after a breakout […]

The post Bitcoin Cash Price Analysis: BCH/USD Bears Break Out from Bearish Flag Structure appeared first on Hacked: Hacking Finance.

Labour Party Lifts the Pound

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets The British Pound is doing pretty fine in the last week of January. GBPUSD is trading close to its local highs and this movement has serious fundamental reasons. Last week, the British Labor party, the opposition in other words, said that they wouldn’t exclude a possibility of supporting […]

The post Labour Party Lifts the Pound appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today: Stock Pullback, Crypto Break-Down, Earnings Troubles

1, Global Stocks Start Tumultuous Week Lower FTSE 100 Index CFD, 4-Hour Chart Analysis Despite Friday’s euphoric price action in global stocks, the major indices failed to extend their gains today in early trading, with an incredibly eventful week looming. While the losses are not disastrous, given the broader negative trends in risk assets, and […]

The post 3 Things You Need to Know About the Market Today: Stock Pullback, Crypto Break-Down, Earnings Troubles appeared first on Hacked: Hacking Finance.

EUR/USD Price Prediction: Big Week for the Eurozone and the U.S; Large Volatility Eyed   

Eurozone economy in a very fragile state, but USD weakness helps keep EUR higher. Mixed technical signals across the time frames, but weekly EUR/USD view could have staged a rebound. The EUR/USD bulls managed to force a strong weekly close despite the large rollercoaster of a ride that was seen. The foundations appear to have […]

The post EUR/USD Price Prediction: Big Week for the Eurozone and the U.S; Large Volatility Eyed    appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Produces Daily Gravestone Doji Candlestick; Here Come More Bears

The Ethereum price is at risk of giving back the large gains from December 2018 – January 2019. Saturday’s daily candlestick closure produced a bearish gravestone doji. The Ethereum price has continued to be a victim of narrowing trading, however signs are starting to show of the bears readying to regain full control. ETH/USD has […]

The post Ethereum Price Analysis: ETH/USD Produces Daily Gravestone Doji Candlestick; Here Come More Bears appeared first on Hacked: Hacking Finance.

Binance Coin Price Analysis: BNB Continues to Storm Higher; Greater Breakout Eyed

BNB/USDT has seen a decent return of bullish momentum, recovering some 25%. Fundamental developments surrounding the organization, Binance, continue to remain strong. BNB Price Behavior The Binance Coin has been on a decent grind to the north of late, as the bulls make up ground for a recovery. This comes after BNB/USDT was enjoying a […]

The post Binance Coin Price Analysis: BNB Continues to Storm Higher; Greater Breakout Eyed appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Has Several Bearish Technical Confluences

XRP/USD stuck within the narrowing range-block formation. The price is also moving within a descending wedge pattern. Ripple reported that $535.56 million worth of XRP was sold for the full year of 2018. Ripple’s XRP is further plagued by the narrowing daily range, which can see an explosive breakout at any time. XRP/USD has been […]

The post XRP Price Analysis: XRP/USD Has Several Bearish Technical Confluences appeared first on Hacked: Hacking Finance.

Crypto Update: Altcoin Season on the Horizon

With so many altcoins posting daily gains between 20% and 100%, many on social media have began to speculate whether we’re about to enter a proper altcoin season. During this season, many mid cap and low cap alts have the potential to grow their market capital by over 500% in a short period of time. […]

The post Crypto Update: Altcoin Season on the Horizon appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: A Change in Logo Has Got the Bulls Excited; LTC/USD on Consecutive Daily Run

The Litecoin price, aside from the small losses today, had been on a decent run higher. A run of four consecutive sessions was observed. LTC/USD price action via the daily chart view is moving within a bearish flag formation. Litecoin Price Behavior The Litecoin price has been storming higher of late, as the bull set the […]

The post Litecoin Price Analysis: A Change in Logo Has Got the Bulls Excited; LTC/USD on Consecutive Daily Run appeared first on Hacked: Hacking Finance.

Crypto Update: Market in Standstill but Weakness in Top Coins Apparent

While directionless trading continues in the cryptocurrency segment, the bearish drift in the top 3 coins is a warning sign for bulls that the broader downtrend is still intact. The technical setup has been unchanged for over a week, with the short-term trading ranges still being in place despite the failed break-downs and the weak […]

The post Crypto Update: Market in Standstill but Weakness in Top Coins Apparent appeared first on Hacked: Hacking Finance.

EOS Price Analysis: EOSIO 1.6.0 to Increase Transaction Speeds By Up to 35%

Block.one announce upgrade of EOSIO 1.6.0, set for faster transaction speeds across the network. EOS/USD price action via the daily chart view is stuck within a bearish flag structure. EOS price action remains very much plagued by the confinements of a narrow range block formation. This has been the case for the past 14 sessions […]

The post EOS Price Analysis: EOSIO 1.6.0 to Increase Transaction Speeds By Up to 35% appeared first on Hacked: Hacking Finance.

Price Prediction Update: New Lows Still Likely in EUR/USD Following Post-ECB Chaos

Dismal European Economic Numbers and Mysterious Mario Draghi Last week, we noted that the European and US economies continue to diverge, which, together with monetary tightening by the Fed was among the main drivers of the EUR/USD weakness last year. Since the economic picture shifted in favor of the Dollar even more, and today, the […]

The post Price Prediction Update: New Lows Still Likely in EUR/USD Following Post-ECB Chaos appeared first on Hacked: Hacking Finance.

Crypto Update: Top Coins Still Under Pressure as Support Levels Continue to Hold

The technical setup continues to be stable in the cryptocurrency segment, with no major developments among the top coins, even as a few key short-term support levels have been tested in the past 24 hours. The weakness in the markets of Ethereum and Ripple is still weighing on the outlook of the broader market, and […]

The post Crypto Update: Top Coins Still Under Pressure as Support Levels Continue to Hold appeared first on Hacked: Hacking Finance.

IOTA Price Analysis: A Suspect Arrested for Stealing €10 Million in IOTA

An unnamed man in the UK has been arrested for stealing €10 Million worth of IOTA. IOT/USD is subject to further downside risks, given the bearish pennant structure. Recent IOT/USD Price Behavior IOT/USD has been under pressure over the last two days, running towards its second consecutive session in the red. Since 11th January, after the […]

The post IOTA Price Analysis: A Suspect Arrested for Stealing €10 Million in IOTA appeared first on Hacked: Hacking Finance.

GBP/JPY Price Prediction: Cable Jumps Over 150 Pips With Room for Another Squeeze Higher

GBP/JPY saw decent gains on Wednesday, receiving a helping hand from Brexit and BOJ fundamentals. Brexit optimism helps GBP higher, while BOJ remain dovish, adding pressure to JPY. GBP/JPY jumped to its highest levels seen since 14th December 2018. The session high print was observed at 143.56, with the pair having gained over 150 pips. […]

The post GBP/JPY Price Prediction: Cable Jumps Over 150 Pips With Room for Another Squeeze Higher appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Survive Break-Down Attempt, but Setup Still Bearish

Yesterday, the major cryptocurrencies experienced a quick sell-off below support and a rapid reversal, but the “glitch” (or manipulation attempt) didn’t change the overall technical setup. The top coins are back in their trading ranges that have been dominant for over a week, and the short- and long-term downtrends are all intact. While the recovery […]

The post Crypto Update: Coins Survive Break-Down Attempt, but Setup Still Bearish appeared first on Hacked: Hacking Finance.

Crypto Update: These 3 Altcoins Look Ready to Pump

With Bitcoin (BTC/USD) trading sideways, altcoins finally get the opportunity to shine. Over the last few weeks, small and mid cap coins have been pumping left and right. Many, such as BlockMason Credit Protocol (BCPT/BTC) and Viberate (VIB/BTC) have posted double digit gains in terms of percentage from their bottom. However, there are those that […]

The post Crypto Update: These 3 Altcoins Look Ready to Pump appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: BCH/USD Bulls Force a Breakout Above a Huge Resistance Trend Line

Bitcoin Cash continues upside momentum, running at its second consecutive session in the green. BCH/USD bulls make a big push above long-running descending trend line. BCH/USD Price Behavior The Bitcoin Cash price was seen trading in positive territory again in the early part of trading on Wednesday. BCH/USD is running at its second consecutive session within […]

The post Bitcoin Cash Price Analysis: BCH/USD Bulls Force a Breakout Above a Huge Resistance Trend Line appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Must Break and Close Above $0.03000 or be Punished

Tron price is seen trading in the green late on Tuesday, with gains of 2.5% at the time of writing. TRX/USD is still shaping up a potential head and shoulders pattern structure. The Tron price in the latter part of trading on Tuesday was seen holding gains of 2.5%. The bulls manage to see TRX/USD […]

The post Tron Price Analysis: TRX/USD Must Break and Close Above $0.03000 or be Punished appeared first on Hacked: Hacking Finance.

Goldman Sachs: Even a $7.50B Fine Can’t Take Them Down

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets Last week, Goldman Sachs Group Inc. (NYSE: GS) published its Q4 earnings report, in which the main financial indicators exceeded all analysts’ expectations. The net profit amounted to $2.54B, well above expectations of $1.78B; the revenue reached $8.12B compared with a forecast of $7.5B; finally, the net interest […]

The post Goldman Sachs: Even a $7.50B Fine Can’t Take Them Down appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Sellers are Stepping Up Downside Pressure; Explosive Breakout is Imminent

ETH/USD is very much close to a breakout of the recent range-block formation. Diar reports that on-chain transaction value on the Ethereum network was seen at an all-time-high in December 2018. Over the past three sessions for ETH/USD, a pick-up in downside intensity has been demonstrated by the market bears. The price had been moving […]

The post Ethereum Price Analysis: ETH/USD Sellers are Stepping Up Downside Pressure; Explosive Breakout is Imminent appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Settle Down After Weekend Pump & Dump

While crypto bulls had something to cheer about early on during the weekend following a rally attempt in the majors, the move once again failed to improve the technical setup in the segment, and the top coins quickly gave back their gains. Now, most of the coins are trading near the bottom of their short-term […]

The post Crypto Update: Coins Settle Down After Weekend Pump & Dump appeared first on Hacked: Hacking Finance.

GBP/USD Price Prediction: Bulls Reclaim 1.2900, Eyes Locked on Another Retest of 1.3000

GBP/USD bulls pick up momentum to the upside, following generally positive tone to Theresa May’s Plan B statement. Next upside targets for the bulls should they firmly breakdown 1.2900 again, will be the psychological 1.3000 mark. GBP/USD throughout the session on Monday remained very much elevated. This came as market participants were somewhat maintaining an […]

The post GBP/USD Price Prediction: Bulls Reclaim 1.2900, Eyes Locked on Another Retest of 1.3000 appeared first on Hacked: Hacking Finance.

3 Things You Need to Know About the Market Today

1, Chinese GDP Growth Slows to Multi-Decade Low Shanghai Composite, 4-Hour Chart Analysis When even the strongly PR-optimized Chinese economic releases are showing severe weakness, it’s not at all surprising that the local stock market is in a deep bear market, and even the explosive oversold rally on Wall Street combined with the trade optimism […]

The post 3 Things You Need to Know About the Market Today appeared first on Hacked: Hacking Finance.

Crypto Update: 5 Altcoins to Watch This Week

Four out of five of the altcoins that we included on last week’s list moved within our expectations. Ethereum (ETH/BTC) and NEM (XEM/BTC) have managed to stay above key support areas. In addition, Binance Coin (BNB/BTC) and 0x (ZRX/BTC) have maintained their bullish tone. Only Bitcoin Gold (BTG/BTC) disappointed as the market took out its […]

The post Crypto Update: 5 Altcoins to Watch This Week appeared first on Hacked: Hacking Finance.

Brent Crude Continues Rising

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets Brent recovered to the levels it last reached on December 7. Today, on Monday, January 21, 2019, the instrument is trading at $62.77 USD and tending to keep this positive momentum. Over the last week, there were a lot of different and sometimes even opposite signals, but investors […]

The post Brent Crude Continues Rising appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA Must Hold This Key Support or Be Forced to Give Up $0.04 & $0.03

ADA/USDT price action has formed a head and shoulders pattern, subject to a possible neckline break. Chunky supply is heavily capping upside for ADA/BTC, tracking from 0.00001400-0.00001200. ADA/USDT in the very latter stages of trading on Sunday was seen nursing chunky losses of over 5%. The price has continued to trade within a choppy nature, […]

The post Cardano Price Analysis: ADA Must Hold This Key Support or Be Forced to Give Up $0.04 & $0.03 appeared first on Hacked: Hacking Finance.

Dash Price Analysis: DASH/USDT Downside Risks Linger Despite Trust Wallet Support Announcement

DASH/USDT price action is moving within a narrowing range formation, subject to further downside risks. Trust Wallet, Binance-owed crypto wallet provider, announces support of DASH. Price Behavior DASH/USDT has been trading within a $6 range for the tenth session in a row, at the time of writing. The upper part of this range should be noted […]

The post Dash Price Analysis: DASH/USDT Downside Risks Linger Despite Trust Wallet Support Announcement appeared first on Hacked: Hacking Finance.

5 Things To Watch Next Week + ChartBook

ECB Faces Tough Task as Eurozone Continues to Slow DAX 30 Index CFD, 4-Hour Chart Analysis This week’s G20 meeting in Tokio for finance ministers and central bankers was eclipsed by the trade-war-related developments, but next week, the European Central Bank will surely be at the center of attention. The ECB is lagging behind the […]

The post 5 Things To Watch Next Week + ChartBook appeared first on Hacked: Hacking Finance.

Your Guide to Stablecoins 2019

Stablecoins are cryptocurrencies with a value pegged to a currency or to exchange traded commodities. Many projects today are researching and developing such technology. Issuers distribute stablecoins to customers in exchange for fiat currency such as USD at a 1:1 fixed exchange rate. USD is a desirable medium of exchange and globally accepted unit of […]

The post Your Guide to Stablecoins 2019 appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Constructing a Head and Shoulders Pattern

TRX/USD remains vulnerable to further downside, with eyes on the possible head and shoulders technical structure. TRX/BTC bulls are having much difficulty breaking down huge area of supply. TRX/USD Price Action There has been little in terms of committed market direction. It appears that after the huge bull run, which was observed from mid-December until […]

The post Tron Price Analysis: TRX/USD Constructing a Head and Shoulders Pattern appeared first on Hacked: Hacking Finance.

Monero Price Analysis: Stronger Malware to Mine Monero; XMR/USD Has Room for Another Potential Squeeze South

Researchers: a stronger malware has been uncovered, which can mine Monero. XMR/USD price action remains stuck in a narrowing range, subject to an imminent breakout. The XMR/USD price has seen some upside on Saturday, holding gains of around 3% towards the latter stages of the day. Despite the press higher from the bulls, a move […]

The post Monero Price Analysis: Stronger Malware to Mine Monero; XMR/USD Has Room for Another Potential Squeeze South appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: LTC/USD Bulls Enjoy Big Jump But Stubborn Resistance Capping Potential

Litecoin sees a relief rally on Friday, but is still stuck within stubborn range-block. LTC/USD price action has formed a bearish flag pattern structure, subject to a potential break lower. The Litecoin price on Saturday was seen holding decent gains of over 5%, as life is kicked back into the bulls. The LTC/USD pair has […]

The post Litecoin Price Analysis: LTC/USD Bulls Enjoy Big Jump But Stubborn Resistance Capping Potential appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Drift Lower but Damage Remains Limited

The major cryptocurrencies continue to trade in narrow ranges following last week’s decline and this week’s failed rally attempt. While Bitcoin is stuck near the $3600 support, the other top coins have been losing ground today, with Ethereum dipping below the $120 level, Ripple violating the $0.32 price level and Litecoin testing the $30-$30.50 support […]

The post Crypto Update: Coins Drift Lower but Damage Remains Limited appeared first on Hacked: Hacking Finance.

Binance Coin Update: Wyckoff Breakout in Progress

Binance Coin (BNB/BTC) is the altcoin market’s ultimate comeback kid. It was dead in the water on November 17, 2018 when it broke support of 0.0014. The market flipped the support into resistance two days later on November 19 to confirm the breakdown. Binance Coin was supposed to enter a long bear winter. However, the […]

The post Binance Coin Update: Wyckoff Breakout in Progress appeared first on Hacked: Hacking Finance.

The History of Ashiyane: Iran’s First Security Forum

Insikt Group

Scope Note: Recorded Future conducted research on the evolution of Ashiyane Forum, the first and largest security forum in Iran. Sources of this research include the Recorded FutureⓇ Platform, direct forum interaction, open source research, and interviews with a former Iranian hacker who claims firsthand knowledge of Iran’s security forums.

This report will be of greatest interest to organizations seeking to understand the rapidly changing criminal and state-sponsored cyber threats emerging from Iran to better protect their organizations.

Executive Summary

In a previous report, Insikt Group documented the relationship between the Iranian government, contractors used for offensive cyber operations, and the trust communities that begin with Iranian security forums. This report further explores the historical links between Iran’s primary security forum, Ashiyane Forum, and the Iranian government. Recorded Future observed forum posts from over 20,000 Ashiyane Forum members and found a trend in Iranian hacker migration following Ashiyane Forum’s shutdown in August 2018.

Key Judgments

  • Ashiyane Forum, once the main security forum in Iran, was managed by one of the primary security contractors in Iran with known connections to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has been shut down since August 2018 with no indication of reemergence.
  • We assess with medium confidence that Ashiyane Forum and its creator, the Ashiyane Digital Security Team, were key sources for Iranian contractors to identify talent and share information on successful offensive tools and tactics.
  • Ashiyane Digital Security Team founder Behrooz Kamalian has deep ties to the Iranian government and is currently attempting to build new businesses after his short time in prison.
  • Recorded Future assesses with moderate confidence that a small percentage of Ashiyane Forum users have begun to migrate to one of two distinct Persian forums since Ashiyane Forum’s shutdown, with little membership overlap between the two new forums.

Background

Recorded Future previously reported on the cyber capabilities of the Islamic Republic of Iran in June 2015 and May 2018, describing the country’s cyber prowess, its fight against Saudi Arabia for regional hegemony, and its willingness to conduct offensive campaigns against Saudi Arabia on both occasions. Since at least 2009, Iran has regularly responded to both regional provocations and international sanctions by conducting offensive cyber operations. Primary targets of such attacks have been Saudi Arabia, Israel, and Western organizations, as well as Asian petrochemical and aviation companies. The sophistication of these attacks has ranged from social media hijacking and website defacement to highly destructive campaigns, like the attack on Saudi Aramco and sophisticated espionage campaigns against Western, Middle Eastern, and Asian targets.

Recorded Future has also previously reported that many Iranian state-sponsored operations utilize contractors, and that Iranian government contractors are forced to mine closed-trust communities to find and retain good cyber talent. The following is an account of the genesis and maturation of Iran’s online security community, and the role that Ashiyane Forum played in that history.

In 2002, according to an Insikt Group source, Iranian youth were creating hacker web forums and IRC — Internet Relay Chat channels (online clubs) — to share information. Much activity within these forums involved members defacing rival hacker websites for prestige among their peers. Early forums (among others) included simorgh-ev.com and ashiyane.com. The goal of operating these forums was not financial gain. Rather, forum members exchanged offensive tradecraft and conducted defacements for fun. Within two years, however, Iranian website defacements began including messages with ideological and religious overtones. According to Insikt Group’s source, toward the end of 2007, a small and brief online skirmish broke out between Saudi forums tailored to Wahhabism (Saudi Arabia’s dominant faith) and Iranian forums.

The Iranian government began to take notice of these defacements, translating the cyber activity into formal propaganda — Iranian youth taking up the Shia cause. According to Insikt Group’s source, notoriety came with something akin to an “Iranian defenders” label, and Iranian hackers had a new motive to participate in foreign website defacements.

Multiple data points suggest that Iranian security forums play a role in staffing and knowledge sharing for Iranian contractors. For example, Insikt Group’s source claims that the Iranian Simorgh forum administrator had familial ties to the Islamic Revolutionary Guard Corps (IRGC), a branch of Iran’s Armed Forces involved in cyber operations. Most suspiciously, a handle found in APT33 malware, Xman_1365_x, has also been found as an active member on Ashiyane Forum, the largest and most famous hacking forum within Iran. This forum is managed by an Iranian security contractor with proven ties to IRGC operations. Based on the link between Ashiyane Forum and its namesake contractor, a forum member with ties to APT33, as well as the contractor’s links to the Iranian government, we assess with medium confidence that Ashiyane Forum has provided staffing and knowledge exchange for Iranian state-sponsored contractors.

History of Ashiyane Forum and Its Founder

Based on archived web page data, Ashiyane Forum initially started as a section of Ashiyane Digital Security Team’s original website, ashiyane.com, in early 2003. The forum expanded into its own website, ashiyane.org, in 2006. Ashiyane.org contained sections for general questions, tool sharing, defacements, training sessions, and news. Many of these original sections persisted as the forum expanded and became one of the largest hacking forums in Iran. In August of 2018, Ashiyane Forum was shut down.

Ashiyane Banner

Banner for Ashiyane in 2006.

Ashiyane Forum Banner

Banner for Ashiyane Forum proclaiming that it is the “first security forum in Iran.”

Ashiyane Forum was run by Ashiyane Digital Security Team, a “gray hatnetwork security company. Founded in 2002, Ashiyane Digital Security Team’s initial goal was to educate Iranian users and network administrators on security by finding vulnerabilities within computer networks. Their group members still deface websites for notoriety: in 2014, Ashiyane Digital Security Team handles were found on defaced websites belonging to Thai and Indian government organizations, as well as websites hosted on Italian IPs.

Ashiyane Digital Security Team has attacked hundreds of websites belonging to Israeli and U.S. government organizations, including Mossad and NASA, allegedly due to their lack of respect for Ayatollah Khomeini. When Sunni Arab hackers brought down a major server hosting most Shia religious websites in Iran, Ashiyane Forum responded by bringing down 300 Arabic websites through attacking five of the major servers belonging to the hackers. The Department of Justice and other industry members identified members of Ashiyane Digital Security Team involved in operations on behalf of the IRGC.

Behrooz Kamalian, known as the “father of Iranian hacking,” is the CEO and founder of Ashiyane Digital Security Team. Behrooz is well regarded among the Iranians for his willingness to share his knowledge with younger hackers. Behrooz is also popular among many Iranian actors and actresses who claim he has helped protect their Instagram access, specifically by helping to regain control of previously compromised accounts. When asked about Ashiyane Digital Security Team’s possible involvement with Iranian state-sponsored efforts, Behrouz has claimed that while Ashiyane Forum operates independently and spontaneously, they cooperate with Iranian military apparatuses in advising and improving security, and “have always operated in the framework of the goals of the state.”

Behrooz Kamalian Instagram

Behrooz Kamalian’s Instagram profile.

Ashiyane Forum’s most notorious web defacements revolve around the historic Iran-Saudi conflict. In late 2008, while Saudi Wahhabi groups were retaliating against Iranian web defacements by defacing Iranian sites, Behrooz Kamalian visited prominent cleric Ayatollah Naser Makarem Shirazi. Following that meeting, the cleric publicly requested restraint from Iranian hacking groups to cease further attacks on Wahhabi websites. However, the defacements did not stop; the back and forth was memorialized on zone-h.org, a website that records website defacements. On October 9, 2008, Delta Security (a spinoff of Ashiyane Forum) was compromised by bAd Hack3r, an actor who had a long self-recorded history of defacing Iranian sites.

Insikt Group’s source alleges that in one specific operation, Wahhabi actors deployed spearphishing campaigns with a backdoored version of Putty (a free remote connectivity application for Windows) from compromised Ashiyane Forum email servers. XP-Group, an alleged Wahhabi group, specifically began targeting and defacing Iranian clerical sites with vulgar imagery. Subsequently, XP-Group’s website was defaced in retaliation. For external observers, it was difficult to discern which side escalated initially. An Ashiyane Forum member told Insikt Group’s source that Kamalian created XP-Group and owned the domain. If this is true, XP-Group masqueraded as Wahhabi, but was owned and operated by Kamalian. Ashiyane Forum and XP-Group were essentially one and the same, and Kamalian had manufactured his own religiously motivated cyber conflict. Recorded Future has been unable to confirm secondary validation of these claims.

In 2009, the government issued a directive to blacklist all Iranian hacking sites in response to the Iranian Green Movement, during which Iranian government sites like khamenei.com were attacked. Ashiyane Forum was one of the only hacking forums that remained, and according to Insikt Group’s source, the Iranian hacking community speculated that Kamalian essentially struck a sole-source deal with the Iranian government. Ashiyane Forum had become the primary forum connecting to the new generation of Iranian hackers.

Following the peak of the Green Movement, government-sponsored offensive cyber campaigns were disorganized. In 2010, the Stuxnet worm was successfully victimizing Iran’s uranium enrichment plants, and the IRGC, reporting to Ayatollah Khamenei, realized the need for expedited, offensive cyber competency. As the premier hacking group aligned with state interests, Behrooz and Ashiyane Forum were well positioned to help. One member of the Ashiyane Digital Security Team participated in an IRGC-led distributed denial-of-service (DDoS) campaign against U.S. financial institutions in December 2011, lasting over 176 days. Additionally, Kamalian’s status with the IRGC was further cemented after he appeared on an EU sanctions list in 2011.

Threat Analysis: Ashiyane Forum Content

As one of the only Iranian hacking forums organized by a security company that clearly cooperated with Iranian nation-state cyber forces, Ashiyane Forum attracted a cumulative membership of approximately 20,000 active users. By collecting and analyzing Ashiyane Forum threads for the past 12 years, Recorded Future determined general trends within the forum. The majority of the content posted within Ashiyane Forum focused on web exploitation. Cross-site scripting, DDoS attacks, SQL, and other browser-based code injections have been the primary subjects since the forum’s inception. Additionally, Android exploits were a consistently popular topic over the past four years, possibly due to the steady increase in the number of mobile devices within the region, from 26.72 percent of total device market share in January 2014 to 37.85 percent in April 2015.

Ashiyane Forum Post

An Ashiyane Forum post requesting assistance deploying AndroRAT. (Source: Recorded Future)

In 2015, the top tools advertised included Android remote access trojans (RATs), such as AndroRAT and Dendroid RAT, and Citroni Ransomware. In 2016, content on the forums shifted to exploits for consumer electronics and Android devices, as well as exploits for internet protocols. Android malware DroidJack, PC trojan njRAT, and USB malware PoisonTap became popular, as did questions about DDoS and SQL injection attacks. In 2017, while similar themes to those discussed in 2015 and 2016 were popular, many posts revolved around Linux products and enterprise content management, as well as Android devices. Because Ashiyane Forum was one of the most famous hacking forums within Iran, these posts likely represent a consistent stream of new, less experienced members registering on the forum and asking similar questions about simple web vulnerabilities on newer web browsers and technologies.

Ashiyane Forum Cyber Trends

Visual of Ashiyane Forum cyber trends by top three recent years.

Insikt Group believes that Ashiyane Forum also had its fair share of experienced hackers as forum veterans, shown by the speed at which new, highly sophisticated vulnerabilities were shared among forum members. For example, a proof of concept for CVE-2015-0313, an Adobe Flash use-after-free (UAF) vulnerability, as well as a similar post for CVE-2015-0311, an Adobe Flash remote code execution (RCE) vulnerability, were shared only months after the vulnerabilities were recorded on NVD. Furthermore, when CIA hacking tool OutlawCountry was released on WikiLeaks on June 29, 2017, Ashiyane Forum members were sharing and discussing the tool only five days later.

Ashiyane Forum Advertisements

Advertisements on Ashiyane Forum since 2015. (Source: Recorded Future)

The Shutdown of Ashiyane Forum and Iranian Hacker Migration

On March 12, 2018, the official Ashiyane Digital Security Team channel stated that the Iranian court had ordered them to shut down all of their activities until further notice. While the announcement gave no reason as to why the shutdown had occurred, sources in Iran confirmed that Ashiyane Forum was operating gambling websites, which is dangerous due to the penalties, including life imprisonment or death. Ashiyane Forum was previously linked to gambling in 2013, when a portion of Ashiyane Forum’s database was leaked online. According to Insikt Group’s source, the username used for Ashiyane Forum’s database support was linked to the creation of multiple poker sites operating in Iran under the moniker “persianpoker.”

Ashiyane Forum Pastebin

Ashiyane Forum Pastebin

Pastebin of an Ashiyane Forum dump from 2013, correlated with DNS records for persianpoker[.]asia.

According to Recorded Future data, Ashiyane Forum went offline on August 5, 2018. Forum members circulated rumors that the site had been hacked or forcibly shut down. On October 31, 2018, an Iranian hosting specialist tweeted, “I have been worried lately. I do not know who would be in charge now that Behrooz is not around.” Insikt Group’s source and posts on Ashiyane Forum between mid-April and July 2018 state that Behrooz had been arrested. However, Behrooz was out of prison by early November, and on November 8, 2018, he posted an Instagram video where an Iranian actor thanked Behrooz for regaining access to his Instagram account after the account had been compromised. Instagram users have left comments on Behrooz’s more recent posts asking about Ashiyane Forum’s shutdown, but Recorded Future has not observed Behrooz engage with those posts.

Online poker is both a profitable and dangerous enterprise. According to Insikt Group’s source, there are over 3,000 gambling websites within Iran that are short lived and are blocked daily. While Insikt Group has been unable to find secondary verification on the statistics themselves, Insikt Group can confirm that running gambling operations in Iran or any Islamic country is a dangerous act due to its harsh punishments. Instead of receiving life imprisonment or the death penalty, Behrooz was able to leave prison in only a few months, possibly due to his existing relationships with the Iranian government and the IRGC. If this is the case, Behrooz’s lenient sentencing may suggest that his role in the domestic hacker community is of great importance to the Iranian government. However, Ashiyane Forum remains offline and Behrooz has rebranded himself as the hacker that assists celebrities on social media. There is no evidence that Behrooz will attempt to recreate the Ashiyane Digital Security Team and Forum in the future.

Twitter Reactions

Twitter Reactions

Twitter reactions to the Ashiyane Digital Security Team shutdown.

Ashiyane Forum Member Migration Activity

As one of the largest and most prominent forums within the Iranian hacking community, Ashiyane Forum’s closure will likely leave hackers searching for new communities that provide the same topical discussions and interactions, or rely increasingly on other already established — albeit less popular — forums.

Recorded Future reviewed posts from over 20,000 Ashiyane Forum members from 2014 to 2018. Of the 18,060 users active before Ashiyane Forum shut down, only four percent of users had monikers with exact matches on other Persian, Arabic, Russian, or English forums. Of these exact matches, two stood out in particular: VBIran.ir and Persian Tools forum. The below graph shows the number of exact Ashiyane Forum username matches on other forums, separated by the date of their first post. Recorded Future attempted to ascertain whether a majority of the usernames were created before the Ashiyane Digital Security Team channel shutdown announcement in March 2018 (during the period between the announcement and the forum shutdown), or after Ashiyane Forum’s shutdown on August 5, 2018.

Forum Overlap

Forums with overlap in Ashiyane Forum membership. (Source: Recorded Future)

With 237 exact Ashiyane Forum username matches, VBIran.ir had the most users in common overall, and most of the users had posted on the VBIran.ir forum prior to any Ashiyane Forum shutdown announcement. Persian Tools forum, on the other hand, had no usernames in common prior to the Ashiyane Forum announcement — all 85 users registered either during or after the shutdown period. While CyberForum.ru also had a large number of Ashiyane Forum username matches, a majority of the matches were false positives due to commonly used usernames.

After removing likely false positives and looking for common entities, Recorded Future concluded that usernames with exact matches to Ashiyane Forum members consist of approximately seven percent of total membership on VBIran.ir — one out of every 14 members is a former Ashiyane Forum member. Exact matches to Ashiyane Forum usernames also now constitute 3.5 percent of total membership on Persian Tools forum, up from from zero percent in March 2018. Interestingly, there was almost no overlap in Ashiyane Forum usernames between the two forums, suggesting that after Ashiyane Forum shut down, hackers that migrated to other forums split into two factions.

Forum Membership Breakdown

Breakdown of membership on possible Ashiyane Forum migrations. (Source: Recorded Future)

VBIran.ir and Persian Tools Forum

While both of these forums have approximately one-tenth of Ashiyane Forum’s membership, they share some similarities with Ashiyane Forum itself. Both forums contain primarily Farsi posts, similar to Ashiyane Forum, and offer fairly large forums to conduct offensive tactical discussions. However, Persian Tools forum and VBIran.ir differ widely in terms of content and focus. Most posts on Persian Tools forum are either sales posts or posts related to Iran, hacking, electronics, or even soccer. Forum organization on Persian Tools forum also seems to be similar to that of Ashiyane Forum, before Ashiyane Forum became separate from the Ashiyane Digital Security Team website.

While a section of the Persian Tools forum website exists with subsections on various forms of hacking, Persian Tools forum also offers SSL certificate sales, hosting services, and even website design. VBIran.ir also appears to cater to a more general audience. VBIran.ir posts are primarily discussion or tutorial-based, and cater to topics on both hacking and software development. Furthermore, VBIran.ir does not offer any special services like Persian Tools forum, but instead sells various web development plugins. This is a possible reason as to why there was little overlap between Ashiyane Forum members.

Outlook

Ashiyane Digital Security Team, as the administrator of one of the largest and most prominent forums within Iran’s hacking community, has not announced the reasons behind Ashiyane Forum’s shutdown and has ignored questions about its possible return. The forum is likely offline indefinitely. There does not appear to be a clear Ashiyane Forum replacement, though smaller forums are attracting new members.

We assess that companies with business relationships in Iran, firms operating in Saudi Arabia, and any energy or national defense organization should monitor the evolutions of these newer forums. Iranian contractors who previously relied on Ashiyane Forum as their primary community will continue looking for alternatives.

We also assess that Behrooz Kamalian is a worthwhile individual to monitor for the same previously described organizations because of his relationships inside the Iranian government, as well as his reputation as one of Iran’s premier hackers.

The post The History of Ashiyane: Iran’s First Security Forum appeared first on Recorded Future.

     

What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecting new threats, they also come with substantial development costs. Creating and curating a large set of useful features takes significant amounts of time and expertise from malware analysts and data scientists (note that in this context a feature refers to a property or characteristic of the executable that can be used to distinguish between goodware and malware). In recent years, however, deep learning approaches have shown impressive results in automatically learning feature representations for complex problem domains, like images, speech, and text. Can we take advantage of these advances in deep learning to automatically learn how to detect malware without costly feature engineering?

As it turns out, deep learning architectures, and in particular convolutional neural networks (CNNs), can do a good job of detecting malware simply by looking at the raw bytes of Windows Portable Executable (PE) files. Over the last two years, FireEye has been experimenting with deep learning architectures for malware classification, as well as methods to evade them. Our experiments have demonstrated surprising levels of accuracy that are competitive with traditional ML-based solutions, while avoiding the costs of manual feature engineering. Since the initial presentation of our findings, other researchers have published similarly impressive results, with accuracy upwards of 96%.

Since these deep learning models are only looking at the raw bytes without any additional structural, semantic, or syntactic context, how can they possibly be learning what separates goodware from malware? In this blog post, we answer this question by analyzing FireEye’s deep learning-based malware classifier.

Highlights

  • FireEye’s deep learning classifier can successfully identify malware using only the unstructured bytes of the Windows PE file.
  • Import-based features, like names and function call fingerprints, play a significant role in the features learned across all levels of the classifier.
  • Unlike other deep learning application areas, where low-level features tend to generally capture properties across all classes, many of our low-level features focused on very specific sequences primarily found in malware.
  • End-to-end analysis of the classifier identified important features that closely mirror those created through manual feature engineering, which demonstrates the importance of classifier depth in capturing meaningful features.

Background

Before we dive into our analysis, let’s first discuss what a CNN classifier is doing with Windows PE file bytes. Figure 1 shows the high-level operations performed by the classifier while “learning” from the raw executable data. We start with the raw byte representation of the executable, absent any structure that might exist (1). This raw byte sequence is embedded into a high-dimensional space where each byte is replaced with an n-dimensional vector of values (2). This embedding step allows the CNN to learn relationships among the discrete bytes by moving them within the n-dimensional embedding space. For example, if the bytes 0xe0 and 0xe2 are used interchangeably, then the CNN can move those two bytes closer together in the embedding space so that the cost of replacing one with the other is small. Next, we perform convolutions over the embedded byte sequence (3). As we do this across our entire training set, our convolutional filters begin to learn the characteristics of certain sequences that differentiate goodware from malware (4). In simpler terms, we slide a fixed-length window across the embedded byte sequence and the convolutional filters learn the important features from across those windows. Once we have scanned the entire sequence, we can then pool the convolutional activations to select the best features from each section of the sequence (i.e., those that maximally activated the filters) to pass along to the next level (5). In practice, the convolution and pooling operations are used repeatedly in a hierarchical fashion to aggregate many low-level features into a smaller number of high-level features that are more useful for classification. Finally, we use the aggregated features from our pooling as input to a fully-connected neural network, which classifies the PE file sample as either goodware or malware (6).


Figure 1: High-level overview of a convolutional neural network applied to raw bytes from a Windows PE files.

The specific deep learning architecture that we analyze here actually has five convolutional and max pooling layers arranged in a hierarchical fashion, which allows it to learn complex features by combining those discovered at lower levels of the hierarchy. To efficiently train such a deep neural network, we must restrict our input sequences to a fixed length – truncating any bytes beyond this length or using special padding symbols to fill out smaller files. For this analysis, we chose an input length of 100KB, though we have experimented with lengths upwards of 1MB. We trained our CNN model on more than 15 million Windows PE files, 80% of which were goodware and the remainder malware. When evaluated against a test set of nearly 9 million PE files observed in the wild from June to August 2018, the classifier achieves an accuracy of 95.1% and an F1 score of 0.96, which are on the higher end of scores reported by previous work.

In order to figure out what this classifier has learned about malware, we will examine each component of the architecture in turn. At each step, we use either a sample of 4,000 PE files taken from our training data to examine broad trends, or a smaller set of six artifacts from the NotPetya, WannaCry, and BadRabbit ransomware families to examine specific features.

Bytes in (Embedding) Space

The embedding space can encode interesting relationships that the classifier has learned about the individual bytes and determine whether certain bytes are treated differently than others because of their implied importance to the classifier’s decision. To tease out these relationships, we will use two tools: (1) a dimensionality reduction technique called multi-dimensional scaling (MDS) and (2) a density-based clustering method called HDBSCAN. The dimensionality reduction technique allows us to move from the high-dimensional embedding space to an approximation in two-dimensional space that we can easily visualize, while still retaining the overall structure and organization of the points. Meanwhile, the clustering technique allows us to identify dense groups of points, as well as outliers that have no nearby points. The underlying intuition being that outliers are treated as “special” by the model since there are no other points that can easily replace them without a significant change in upstream calculations, while dense clusters of points can be used interchangeably.


Figure 2: Visualization of the byte embedding space using multi-dimensional scaling (MDS) and clustered with hierarchical density-based clustering (HDBSCAN) with clusters (Left) and outliers labeled (Right).

On the left side of Figure 2, we show the two-dimensional representation of our byte embedding space with each of the clusters labeled, along with an outlier cluster labeled as -1. As you can see, the vast majority of bytes fall into one large catch-all class (Cluster 3), while the remaining three clusters have just two bytes each. Though there are no obvious semantic relationships in these clusters, the bytes that were included are interesting in their own right – for instance, Cluster 0 includes our special padding byte that is only used when files are smaller than the fixed-length cutoff, and Cluster 1 includes the ASCII character ‘r.’

What is more fascinating, however, is the set of outliers that the clustering produced, which are shown in the right side of Figure 3.  Here, there are a number of intriguing trends that start to appear. For one, each of the bytes in the range 0x0 to 0x6 are present, and these bytes are often used in short forward jumps or when registers are used as instruction arguments (e.g., eax, ebx, etc.). Interestingly, 0x7 and 0x8 are grouped together in Cluster 2, which may indicate that they are used interchangeably in our training data even though 0x7 could also be interpreted as a register argument. Another clear trend is the presence of several ASCII characters in the set of outliers, including ‘\n’, ‘A’, ‘e’, ‘s’, and ‘t.’ Finally, we see several opcodes present, including the call instruction (0xe8), loop and loopne (0xe0, 0xe2), and a breakpoint instruction (0xcc).

Given these findings, we immediately get a sense of what the classifier might be looking for in low-level features: ASCII text and usage of specific types of instructions.

Deciphering Low-Level Features

The next step in our analysis is to examine the low-level features learned by the first layer of convolutional filters. In our architecture, we used 96 convolutional filters at this layer, each of which learns basic building-block features that will be combined across the succeeding layers to derive useful high-level features. When one of these filters sees a byte pattern that it has learned in the current convolution, it will produce a large activation value and we can use that value as a method for identifying the most interesting bytes for each filter. Of course, since we are examining the raw byte sequences, this will merely tell us which file offsets to look at, and we still need to bridge the gap between the raw byte interpretation of the data and something that a human can understand. To do so, we parse the file using PEFile and apply BinaryNinja’s disassembler to executable sections to make it easier to identify common patterns among the learned features for each filter.

Since there are a large number of filters to examine, we can narrow our search by getting a broad sense of which filters have the strongest activations across our sample of 4,000 Windows PE files and where in those files those activations occur. In Figure 3, we show the locations of the 100 strongest activations across our 4,000-sample dataset. This shows a couple of interesting trends, some of which could be expected and others that are perhaps more surprising. For one, the majority of the activations at this level in our architecture occur in the ‘.text’ section, which typically contains executable code. When we compare the ‘.text’ section activations between malware and goodware subsets, there are significantly more activations for the malware set, meaning that even at this low level there appear to be certain filters that have keyed in on specific byte sequences primarily found in malware. Additionally, we see that the ‘UNKNOWN’ section– basically, any activation that occurs outside the valid bounds of the PE file – has many more activations in the malware group than in goodware. This makes some intuitive sense since many obfuscation and evasion techniques rely on placing data in non-standard locations (e.g., embedding PE files within one another).


Figure 3: Distribution of low-level activation locations across PE file headers and sections. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right). UNKNOWN indicates an area outside the valid bounds of the file and NULL indicates an empty section name.

We can also examine the activation trends among the convolutional filters by plotting the top-100 activations for each filter across our 4,000 PE files, as shown in Figure 4. Here, we validate our intuition that some of these filters are overwhelmingly associated with features found in our malware samples. In this case, the activations for Filter 57 occur almost exclusively in the malware set, so that will be an important filter to look at later in our analysis. The other main takeaway from the distribution of filter activations is that the distribution is quite skewed, with only two filters handling the majority of activations at this level in our architecture. In fact, some filters are not activated at all on the set of 4,000 files we are analyzing.


Figure 4: Distribution of activations over each of the 96 low-level convolutional filters. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right).

Now that we have identified the most interesting and active filters, we can disassemble the areas surrounding their activation locations and see if we can tease out some trends. In particular, we are going to look at Filters 83 and 57, both of which were important filters in our model based on activation value. The disassembly results for these filters across several of our ransomware artifacts is shown in Figure 5.

For Filter 83, the trend in activations becomes pretty clear when we look at the ASCII encoding of the bytes, which shows that the filter has learned to detect certain types of imports. If we look closer at the activations (denoted with a ‘*’), these always seem to include characters like ‘r’, ‘s’, ‘t’, and ‘e’, all of which were identified as outliers or found in their own unique clusters during our embedding analysis.  When we look at the disassembly of Filter 57’s activations, we see another clear pattern, where the filter activates on sequences containing multiple push instructions and a call instruction – essentially, identifying function calls with multiple parameters.

In some ways, we can look at Filters 83 and 57 as detecting two sides of the same overarching behavior, with Filter 83 detecting the imports and 57 detecting the potential use of those imports (i.e., by fingerprinting the number of parameters and usage). Due to the independent nature of convolutional filters, the relationships between the imports and their usage (e.g., which imports were used where) is lost, and that the classifier treats these as two completely independent features.


Figure 5: Example disassembly of activations for filters 83 (Left) and 57 (Right) from ransomware samples. Lines prepended with '*' contain the actual filter activations, others are provided for context.

Aside from the import-related features described above, our analysis also identified some filters that keyed in on particular byte sequences found in functions containing exploit code, such as DoublePulsar or EternalBlue. For instance, Filter 94 activated on portions of the EternalRomance exploit code from the BadRabbit artifact we analyzed. Note that these low-level filters did not necessarily detect the specific exploit activity, but instead activate on byte sequences within the surrounding code in the same function.

These results indicate that the classifier has learned some very specific byte sequences related to ASCII text and instruction usage that relate to imports, function calls, and artifacts found within exploit code. This finding is surprising because in other machine learning domains, such as images, low-level filters often learn generic, reusable features across all classes.

Bird’s Eye View of End-to-End Features

While it seems that lower layers of our CNN classifier have learned particular byte sequences, the larger question is: does the depth and complexity of our classifier (i.e., the number of layers) help us extract more meaningful features as we move up the hierarchy? To answer this question, we have to examine the end-to-end relationships between the classifier’s decision and each of the input bytes. This allows us to directly evaluate each byte (or segment thereof) in the input sequence and see whether it pushed the classifier toward a decision of malware or goodware, and by how much. To accomplish this type of end-to-end analysis, we leverage the SHapley Additive exPlanations (SHAP) framework developed by Lundberg and Lee. In particular, we use the GradientSHAP method that combines a number of techniques to precisely identify the contributions of each input byte, with positive SHAP values indicating areas that can be considered to be malicious features and negative values for benign features.

After applying the GradientSHAP method to our ransomware dataset, we noticed that many of the most important end-to-end features were not directly related to the types of specific byte sequences that we discovered at lower layers of the classifier. Instead, many of the end-to-end features that we discovered mapped closely to features developed from manual feature engineering in our traditional ML models. As an example, the end-to-end analysis on our ransomware samples identified several malicious features in the checksum portion of the PE header, which is commonly used as a feature in traditional ML models. Other notable end-to-end features included the presence or absence of certain directory information related to certificates used to sign the PE files, anomalies in the section table that define the properties of the various sections of the PE file, and specific imports that are often used by malware (e.g., GetProcAddress and VirtualAlloc).

In Figure 6, we show the distribution of SHAP values across the file offsets for the worm artifact of the WannaCry ransomware family. Many of the most important malicious features found in this sample are focused in the PE header structures, including previously mentioned checksum and directory-related features. One particularly interesting observation from this sample, though, is that it contains another PE file embedded within it, and the CNN discovered two end-to-end features related to this. First, it identified an area of the section table that indicated the ‘.data’ section had a virtual size that was more than 10x larger than the stated physical size of the section. Second, it discovered maliciously-oriented imports and exports within the embedded PE file itself. Taken as a whole, these results show that the depth of our classifier appears to have helped it learn more abstract features and generalize beyond the specific byte sequences we observed in the activations at lower layers.


Figure 6: SHAP values for file offsets from the worm artifact of WannaCry. File offsets with positive values are associated with malicious end-to-end features, while offsets with negative values are associated with benign features.

Summary

In this blog post, we dove into the inner workings of FireEye’s byte-based deep learning classifier in order to understand what it, and other deep learning classifiers like it, are learning about malware from its unstructured raw bytes. Through our analysis, we have gained insight into a number of important aspects of the classifier’s operation, weaknesses, and strengths:

  • Import Features: Import-related features play a large role in classifying malware across all levels of the CNN architecture. We found evidence of ASCII-based import features in the embedding layer, low-level convolutional features, and end-to-end features.
  • Low-Level Instruction Features: Several features discovered at the lower layers of our CNN classifier focused on sequences of instructions that capture specific behaviors, such as particular types of function calls or code surrounding certain types of exploits. In many cases, these features were primarily associated with malware, which runs counter to the typical use of CNNs in other domains, such as image classification, where low-level features capture generic aspects of the data (e.g., lines and simple shapes). Additionally, many of these low-level features did not appear in the most malicious end-to-end features.
  • End-to-End Features: Perhaps the most interesting result of our analysis is that many of the most important maliciously-oriented end-to-end features closely map to common manually-derived features from traditional ML classifiers. Features like the presence or absence of certificates, obviously mangled checksums, and inconsistencies in the section table do not have clear analogs to the lower-level features we uncovered. Instead, it appears that the depth and complexity of our CNN classifier plays a key role in generalizing from specific byte sequences to meaningful and intuitive features.

It is clear that deep learning offers a promising path toward sustainable, cutting-edge malware classification. At the same time, significant improvements will be necessary to create a viable real-world solution that addresses the shortcomings discussed in this article. The most important next step will be improving the architecture to include more information about the structural, semantic, and syntactic context of the executable rather than treating it as an unstructured byte sequence. By adding this specialized domain knowledge directly into the deep learning architecture, we allow the classifier to focus on learning relevant features for each context, inferring relationships that would not be possible otherwise, and creating even more robust end-to-end features with better generalization properties.

The content of this blog post is based on research presented at the Conference on Applied Machine Learning for Information Security (CAMLIS) in Washington, DC on Oct. 12-13, 2018. Additional material, including slides and a video of the presentation, can be found on the conference website.

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering (FLARE) team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x86_64, ARM, and ARM64 architectures to reverse engineers. Along with this library, we are also sharing an Objective-C code analysis IDAPython script that uses it. Read on to learn some creative ways that emulation can help solve your code analysis problems and how to use our new IDAPython library to save you lots of time in the process.

Why Emulation?

If you haven’t employed emulation as a means to solve a code analysis problem, then you are missing out! I will highlight some of its benefits and a few use cases in order to give you an idea of how powerful it can be. Emulation is flexible, and many emulation frameworks available today, including Unicorn, are cross-platform. With emulation, you choose which code to emulate and you control the context under which it is executed. Because the emulated code cannot access the system services of the operating system under which it is running, there is little risk of it causing damage. All of these benefits make emulation a great option for ad-hoc experimentation, problem solving, or automation.

Use Cases

  • Decoding/Decryption/Deobfuscation/Decompress – Often during malicious code analysis you will come across a function used to decode, decompress, decrypt, or deobfuscate some useful data such as strings, configuration data, or another payload. If it is a common algorithm, you may be able to identify it by sight or with a plug-in such as signsrch. Unfortunately, this is not often the case. You are then left to either opening up a debugger and instrumenting the sample to decode it for you, or transposing the function by hand into whatever programming language fits your needs at the time. These options can be time consuming and problematic depending on the complexity of the code and the sample you are analyzing. Here, emulation can often provide a preferable third option. Writing a script that emulates the function for you is akin to having the function available to you as if you wrote it or are calling it from a library. This allows you to reuse the function as many times as it’s needed, with varying inputs, without having to open a debugger. This case also applies to self-decrypting shellcode, where you can have the code decrypt itself for you.
  • Data Tracking – With emulation, you have the power to stop and inspect the emulation context at any time using an instruction hook. Pairing a disassembler with an emulator allows you to pause emulation at key instructions and inspect the contents of registers and memory. This allows you to keep tabs on interesting data as it flows through a function. This can have several applications. As previously covered in other blogs in the FLARE script series, Automating Function Argument Extraction and Automating Obfuscated String Decoding, this technique can be used to track the arguments passed to a given function throughout an entire program. Function argument tracking is one of the techniques employed by the Objective-C code analysis tool introduced later in this post. The data tracking technique could also be employed to track the this pointer in C++ code in order to markup object member references, or the return values from calls to GetProcAddress/dlsym in order to rename the variables they are stored in appropriately. There are many possibilities.

Introducing flare-emu

The FLARE team is introducing an IDAPython library, flare-emu, that marries IDA Pro’s binary analysis capabilities with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. flare-emu is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems. It currently provides three different interfaces to serve your emulation needs, along with a slew of related helper and utility functions.

  1. emulateRange – This API is used to emulate a range of instructions, or a function, within a user-specified context. It provides options for user-defined hooks for both individual instructions and for when “call” instructions are encountered. The user can decide whether the emulator will skip over, or call into function calls. Figure 1 shows emulateRange used with both an instruction and call hook to track the return value of GetProcAddress calls and rename global variables to the name of the Windows APIs they will be pointing to. In this example, it was only set to emulate from 0x401514 to 0x40153D.  This interface provides an easy way for the user to specify values for given registers and stack arguments. If a bytestring is specified, it is written to the emulator’s memory and the pointer is written to the register or stack variable. After emulation, the user can make use of flare-emu’s utility functions to read data from the emulated memory or registers, or use the Unicorn emulation object that is returned for direct probing in case flare-emu does not expose some functionality you require.

    A small wrapper function for emulateRange, named emulateSelection, can be used to emulate the range of instructions currently highlighted in IDA Pro.


    Figure 1: emulateRange being used to track the return value of GetProcAddress

  2. iterate – This API is used to force emulation down specific branches within a function in order to reach a given target. The user can specify a list of target addresses, or the address of a function from which a list of cross-references to the function is used as the targets, along with a callback for when a target is reached. The targets will be reached, regardless of conditions during emulation that may have caused different branches to be taken. Figure 2 illustrates a set of code branches that iterate has forced to be taken in order to reach its target; the flags set by the cmp instructions are irrelevant.  Like the emulateRange API, options for user-defined hooks for both individual instructions and for when “call” instructions are encountered are provided. An example use of the iterate API is for the function argument tracking technique mentioned earlier in this post.


    Figure 2: A path of emulation determined by the iterate API in order to reach the target address

  3. emulateBytes – This API provides a way to simply emulate a blob of extraneous shellcode. The provided bytes are not added to the IDB and are simply emulated as is. This can be useful for preparing the emulation environment. For example, flare-emu itself uses this API to manipulate a Model Specific Register (MSR) for the ARM64 CPU that is not exposed by Unicorn in order to enable Vector Floating Point (VFP) instructions and register access. Figure 3 shows the code snippet that achieves this. Like with emulateRange, the Unicorn emulation object is returned for further probing by the user in case flare-emu does not expose some functionality required by the user.


    Figure 3: flare-emu using emulateBytes to enable VFP for ARM64

API Hooking

As previously stated, flare-emu is designed to make it easy for you to use emulation to solve your code analysis needs. One of the pains of emulation is in dealing with calls into library functions. While flare-emu gives you the option to simply skip over call instructions, or define your own hooks for dealing with specific functions within your call hook routine, it also comes with predefined hooks for over 80 functions! These functions include many of the common C runtime functions for string and memory manipulation that you will encounter, as well as some of their Windows API counterparts.

Examples

Figure 4 shows a few blocks of code that call a function that takes a timestamp value and converts it to a string. Figure 5 shows a simple script that uses flare-emu’s iterate API to print the arguments passed to this function for each place it is called. The script also emulates a simple XOR decode function and prints the resulting, decoded string. Figure 6 shows the resulting output of the script.


Figure 4: Calls to a timestamp conversion function


Figure 5: Simple example of flare-emu usage


Figure 6: Output of script shown in Figure 5

Here is a sample script that uses flare-emu to track return values of GetProcAddress and rename the variables they are stored in accordingly. Check out our README for more examples and help with flare-emu.

Introducing objc2_analyzer

Last year, I wrote a blog post to introduce you to reverse engineering Cocoa applications for macOS. That post included a short primer on how Objective-C methods are called under the hood, and how this adversely affects cross-references in IDA Pro and other disassemblers. An IDAPython script named objc2_xrefs_helper was also introduced in the post to help fix these cross-references issues. If you have not read that blog post, I recommend reading it before continuing on reading this post as it provides some context for what makes objc2_analyzer particularly useful. A major shortcoming of objc2_xrefs_helper was that if a selector name was ambiguous, meaning that two or more classes implement a method with the same name, the script was unable to determine which class the referenced selector belonged to at any given location in the binary and had to ignore such cases when fixing cross-references.

Now, with emulation support, this is no longer the case. objc2_analyzer uses the iterate API from flare-emu along with instruction and call hooks that perform Objective-C disassembly analysis in order to determine the id and selector being passed for every call to objc_msgSend variants in a binary. As an added bonus, it can also catch calls made to objc_msgSend variants when the function pointer is stored in a register, which is a very common pattern in Clang (the compiler used by modern versions of Xcode). IDA Pro tries to catch these itself and does a pretty good job, but it doesn’t catch them all. In addition to x86_64, support was also added for the ARM and ARM64 architectures in order to support reverse engineering iOS applications. This script supersedes the older objc2_xrefs_helper script, which has been removed from our repo. And, since the script can perform such data tracking in Objective-C code by using emulation, it can also determine whether an id is a class instance or a class object itself. Additional support has been added to track ivars being passed as ids as well. With all this information, Objective-C-style pseudocode comments are added to each call to objc_msgSend variants that represent the method call being made at each location. An example of the script’s capability is shown in Figure 7 and Figure 8.


Figure 7: Objective-C IDB snippet before running objc2_analyzer


Figure 8: Objective-C IDB snippet after running objc2_analyzer

Observe the instructions referencing selectors have been patched to instead reference the implementation function itself, for easy transition. The comments added to each call make analysis much easier. Cross-references from the implementation functions are also created to point back to the objc_msgSend calls that reference them as shown in Figure 9.


Figure 9: Cross-references added to IDB for implementation function

It should be noted that every release of IDA Pro starting with 7.0 have brought improvements to Objective-C code analysis and handling. However, at the time of writing, the latest version of IDA Pro being 7.2, there are still shortcomings that are mitigated using this tool as well as the immensely helpful comments that are added. objc2_analyzer is available, along with our other IDA Pro plugins and scripts, at our GitHub page.

Conclusion

flare-emu is a flexible tool to include in your arsenal that can be applied to a variety of code analysis problems. Several example problems were presented and solved using it in this blog post, but this is just a glimpse of its possible applications. If you haven’t given emulation a try for solving your code analysis problems, we hope you will now consider it an option. And for all, we hope you find value in using these new tools!

BIOS Boots What? Finding Evil in Boot Code at Scale!

The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot chain. However, this process takes time and even an army of skilled reverse engineers wouldn’t scale to the size of modern enterprise networks. To put this in context, the compromised enterprise network referenced in our ROCKBOOT blog post had approximately 10,000 hosts. Assuming a minimum of two boot records per host, a Master Boot Record (MBR) and a Volume Boot Record (VBR), that is an average of 20,000 boot records to analyze! An initial reaction is probably, “Why not just hash the boot records and only analyze the unique ones?” One would assume that corporate networks are mostly homogeneous, particularly with respect to boot code, yet this is not the case. Using the same network as an example, the 20,000 boot records reduced to only 6,000 unique records based on MD5 hash. Table 1 demonstrates this using data we’ve collected across our engagements for various enterprise sizes.

Enterprise Size (# hosts)

Avg # Unique Boot Records (md5)

100-1000

428

1000-10000

4,738

10000+

8,717

Table 1 – Unique boot records by MD5 hash

Now, the next thought might be, “Rather than hashing the entire record, why not implement a custom hashing technique where only subsections of the boot code are hashed, thus avoiding the dynamic data portions?” We tried this as well. For example, in the case of Master Boot Records, we used the bytes at the following two offsets to calculate a hash:

md5( offset[0:218] + offset[224:440] )

In one network this resulted in approximately 185,000 systems reducing to around 90 unique MBR hashes. However, this technique had drawbacks. Most notably, it required accounting for numerous special cases for applications such as Altiris, SafeBoot, and PGPGuard. This required small adjustments to the algorithm for each environment, which in turn required reverse engineering many records to find the appropriate offsets to hash.

Ultimately, we concluded that to solve the problem we needed a solution that provided the following:

  • A reliable collection of boot records from systems
  • A behavioral analysis of boot records, not just static analysis
  • The ability to analyze tens of thousands of boot records in a timely manner

The remainder of this post describes how we solved each of these challenges.

Collect the Bytes

Malicious drivers insert themselves into the disk driver stack so they can intercept disk I/O as it traverses the stack. They do this to hide their presence (the real bytes) on disk. To address this attack vector, we developed a custom kernel driver (henceforth, our “Raw Read” driver) capable of targeting various altitudes in the disk driver stack. Using the Raw Read driver, we identify the lowest level of the stack and read the bytes from that level (Figure 1).


Figure 1: Malicious driver inserts itself as a filter driver in the stack, raw read driver reads bytes from lowest level

This allows us to bypass the rest of the driver stack, as well as any user space hooks. (It is important to note, however, that if the lowest driver on the I/O stack has an inline code hook an attacker can still intercept the read requests.) Additionally, we can compare the bytes read from the lowest level of the driver stack to those read from user space. Introducing our first indicator of a compromised boot system: the bytes retrieved from user space don’t match those retrieved from the lowest level of the disk driver stack.

Analyze the Bytes

As previously mentioned, reverse engineering and static analysis are impractical when dealing with hundreds of thousands of boot records. Automated dynamic analysis is a more practical approach, specifically through emulating the execution of a boot record. In more technical terms, we are emulating the real mode instructions of a boot record.

The emulation engine that we chose is the Unicorn project. Unicorn is based on the QEMU emulator and supports 16-bit real mode emulation. As boot samples are collected from endpoint machines, they are sent to the emulation engine where high-level functionality is captured during emulation. This functionality includes events such as memory access, disk reads and writes, and other interrupts that execute during emulation.

The Execution Hash

Folding down (aka stacking) duplicate samples is critical to reduce the time needed on follow-up analysis by a human analyst. An interesting quality of the boot samples gathered at scale is that while samples are often functionally identical, the data they use (e.g. strings or offsets) is often very different. This makes it quite difficult to generate a hash to identify duplicates, as demonstrated in Table 1. So how can we solve this problem with emulation? Enter the “execution hash”. The idea is simple: during emulation, hash the mnemonic of every assembly instruction that executes (e.g., “md5(‘and’ + ‘mov’ + ‘shl’ + ‘or’)”). Figure 2 illustrates this concept of hashing the assembly instruction as it executes to ultimately arrive at the “execution hash”


Figure 2: Execution hash

Using this method, the 650,000 unique boot samples we’ve collected to date can be grouped into a little more than 300 unique execution hashes. This reduced data set makes it far more manageable to identify samples for follow-up analysis. Introducing our second indicator of a compromised boot system: an execution hash that is only found on a few systems in an enterprise!

Behavioral Analysis

Like all malware, suspicious activity executed by bootkits can vary widely. To avoid the pitfall of writing detection signatures for individual malware samples, we focused on identifying behavior that deviates from normal OS bootstrapping. To enable this analysis, the series of instructions that execute during emulation are fed into an analytic engine. Let's look in more detail at an example of malicious functionality exhibited by several bootkits that we discovered by analyzing the results of emulation.

Several malicious bootkits we discovered hooked the interrupt vector table (IVT) and the BIOS Data Area (BDA) to intercept system interrupts and data during the boot process. This can provide an attacker the ability to intercept disk reads and also alter the maximum memory reported by the system. By hooking these structures, bootkits can attempt to hide themselves on disk or even in memory.

These hooks can be identified by memory writes to the memory ranges reserved for the IVT and BDA during the boot process. The IVT structure is located at the memory range 0000:0000h to 0000:03FCh and the BDA is located at 0040:0000h. The malware can hook the interrupt 13h handler to inspect and modify disk writes that occur during the boot process. Additionally, bootkit malware has been observed modifying the memory size reported by the BIOS Data Area in order to potentially hide itself in memory.

This leads us to our final category of indicators of a compromised boot system: detection of suspicious behaviors such as IVT hooking, decoding and executing data from disk, suspicious screen output from the boot code, and modifying files or data on disk.

Do it at Scale

Dynamic analysis gives us a drastic improvement when determining the behavior of boot records, but it comes at a cost. Unlike static analysis or hashing, it is orders of magnitude slower. In our cloud analysis environment, the average time to emulate a single record is 4.83 seconds. Using the compromised enterprise network that contained ROCKBOOT as an example (approximately 20,000 boot records), it would take more than 26 hours to dynamically analyze (emulate) the records serially! In order to provide timely results to our analysts we needed to easily scale our analysis throughput relative to the amount of incoming data from our endpoint technologies. To further complicate the problem, boot record analysis tends to happen in batches, for example, when our endpoint technology is first deployed to a new enterprise.

With the advent of serverless cloud computing, we had the opportunity to create an emulation analysis service that scales to meet this demand – all while remaining cost effective. One of the advantages of serverless computing versus traditional cloud instances is that there are no compute costs during inactive periods; the only cost incurred is storage. Even when our cloud solution receives tens of thousands of records at the start of a new customer engagement, it can rapidly scale to meet demand and maintain near real-time detection of malicious bytes.

The cloud infrastructure we selected for our application is Amazon Web Services (AWS). Figure 3 provides an overview of the architecture.


Figure 3: Boot record analysis workflow

Our design currently utilizes:

  • API Gateway to provide a RESTful interface.
  • Lambda functions to do validation, emulation, analysis, as well as storage and retrieval of results.
  • DynamoDB to track progress of processed boot records through the system.
  • S3 to store boot records and emulation reports.

The architecture we created exposes a RESTful API that provides a handful of endpoints. At a high level the workflow is:

  1. Endpoint agents in customer networks automatically collect boot records using FireEye’s custom developed Raw Read kernel driver (see “Collect the bytes” described earlier) and return the records to FireEye’s Incident Response (IR) server.
  2. The IR server submits batches of boot records to the AWS-hosted REST interface, and polls the interface for batched results.
  3. The IR server provides a UI for analysts to view the aggregated results across the enterprise, as well as automated notifications when malicious boot records are found.

The REST API endpoints are exposed via AWS’s API Gateway, which then proxies the incoming requests to a “submission” Lambda. The submission Lambda validates the incoming data, stores the record (aka boot code) to S3, and then fans out the incoming requests to “analysis” Lambdas.

The analysis Lambda is where boot record emulation occurs. Because Lambdas are started on demand, this model allows for an incredibly high level of parallelization. AWS provides various settings to control the maximum concurrency for a Lambda function, as well as memory/CPU allocations and more. Once the analysis is complete, a report is generated for the boot record and the report is stored in S3. The reports include the results of emulation and other metadata extracted from the boot record (e.g., ASCII strings).

As described earlier, the IR server periodically polls the AWS REST endpoint until processing is complete, at which time the report is downloaded.

Find More Evil in Big Data

Our workflow for identifying malicious boot records is only effective when we know what malicious indicators to look for, or what execution hashes to blacklist. But what if a new malicious boot record (with a unique hash) evades our existing signatures?

For this problem, we leverage our in-house big data platform engine that we integrated into FireEye Helix following the acquisition of X15 Software. By loading the results of hundreds of thousands of emulations into the engine X15, our analysts can hunt through the results at scale and identify anomalous behaviors such as unique screen prints, unusual initial jump offsets, or patterns in disk reads or writes.

This analysis at scale helps us identify new and interesting samples to reverse engineer, and ultimately helps us identify new detection signatures that feed back into our analytic engine.

Conclusion

Within weeks of going live we detected previously unknown compromised systems in multiple customer environments. We’ve identified everything from ROCKBOOT and HDRoot! bootkits to the admittedly humorous JackTheRipper, a bootkit that spreads itself via floppy disk (no joke). Our system has collected and processed nearly 650,000 unique records to date and continues to find the evil needles (suspicious and malicious boot records) in very large haystacks.

In summary, by combining advanced endpoint boot record extraction with scalable serverless computing and an automated emulation engine, we can rapidly analyze thousands of records in search of evil. FireEye is now using this solution in both our Managed Defense and Incident Response offerings.

Acknowledgements

Dimiter Andonov, Jamin Becker, Fred House, and Seth Summersett contributed to this blog post.

A Totally Tubular Treatise on TRITON and TriStation

Introduction

In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz distillates, remote desktop sessions, and other well-documented, easily-detected attack methods were used throughout these intrusions.

Despite the routine techniques employed to gain access to an OT environment, the threat actors behind the TRITON malware framework invested significant time learning about the Triconex Safety Instrumented System (SIS) controllers and TriStation, a proprietary network communications protocol. The investment and purpose of the Triconex SIS controllers leads Mandiant to assess the attacker's objective was likely to build the capability to cause physical consequences.

TriStation remains closed source and there is no official public information detailing the structure of the protocol, raising several questions about how the TRITON framework was developed. Did the actor have access to a Triconex controller and TriStation 1131 software suite? When did development first start? How did the threat actor reverse engineer the protocol, and to what extent? What is the protocol structure?

FireEye’s Advanced Practices Team was born to investigate adversary methodologies, and to answer these types of questions, so we started with a deeper look at the TRITON’s own Python scripts.

Glossary:

  • TRITON – Malware framework designed to operate Triconex SIS controllers via the TriStation protocol.
  • TriStation – UDP network protocol specific to Triconex controllers.
  • TRITON threat actor – The human beings who developed, deployed and/or operated TRITON.

Diving into TRITON's Implementation of TriStation

TriStation is a proprietary network protocol and there is no public documentation detailing its structure or how to create software applications that use TriStation. The current TriStation UDP/IP protocol is little understood, but natively implemented through the TriStation 1131 software suite. TriStation operates by UDP over port 1502 and allows for communications between designated masters (PCs with the software that are “engineering workstations”) and slaves (Triconex controllers with special communications modules) over a network.

To us, the Triconex systems, software and associated terminology sound foreign and complicated, and the TriStation protocol is no different. Attempting to understand the protocol from ground zero would take a considerable amount of time and reverse engineering effort – so why not learn from TRITON itself? With the TRITON framework containing TriStation communication functionality, we pursued studying the framework to better understand this mysterious protocol. Work smarter, not harder, amirite?

The TRITON framework has a multitude of functionalities, but we started with the basic components:

  • TS_cnames.pyc # Compiled at: 2017-08-03 10:52:33
  • TsBase.pyc # Compiled at: 2017-08-03 10:52:33
  • TsHi.pyc # Compiled at: 2017-08-04 02:04:01
  • TsLow.pyc # Compiled at: 2017-08-03 10:46:51

TsLow.pyc (Figure 1) contains several pieces of code for error handling, but these also present some cues to the protocol structure.


Figure 1: TsLow.pyc function print_last_error()

In the TsLow.pyc’s function for print_last_error we see error handling for “TCM Error”. This compares the TriStation packet value at offset 0 with a value in a corresponding array from TS_cnames.pyc (Figure 2), which is largely used as a “dictionary” for the protocol.


Figure 2: TS_cnames.pyc TS_cst array

From this we can infer that offset 0 of the TriStation protocol contains message types. This is supported by an additional function, tcm_result, which declares type, size = struct.unpack('<HH', data_received[0:4]), stating that the first two bytes should be handled as integer type and the second two bytes are integer size of the TriStation message. This is our first glimpse into what the threat actor(s) understood about the TriStation protocol.

Since there are only 11 defined message types, it really doesn't matter much if the type is one byte or two because the second byte will always be 0x00.

We also have indications that message type 5 is for all Execution Command Requests and Responses, so it is curious to observe that the TRITON developers called this “Command Reply.” (We won’t understand this naming convention until later.)

Next we examine TsLow.pyc’s print_last_error function (Figure 3) to look at “TS Error” and “TS_names.” We begin by looking at the ts_err variable and see that it references ts_result.


Figure 3: TsLow.pyc function print_last_error() with ts_err highlighted

We follow that thread to ts_result, which defines a few variables in the next 10 bytes (Figure 4): dir, cid, cmd, cnt, unk, cks, siz = struct.unpack('<, ts_packet[0:10]). Now things are heating up. What fun. There’s a lot to unpack here, but the most interesting thing is how this piece script breaks down 10 bytes from ts_packet into different variables.


Figure 4: ts_result with ts_packet header variables highlighted


Figure 5: tcm_result

Referencing tcm_result (Figure 5) we see that it defines type and size as the first four bytes (offset 0 – 3) and tcm_result returns the packet bytes 4:-2 (offset 4 to the end minus 2, because the last two bytes are the CRC-16 checksum). Now that we know where tcm_result leaves off, we know that the ts_reply “cmd” is a single byte at offset 6, and corresponds to the values in the TS_cnames.pyc array and TS_names (Figure 6). The TRITON script also tells us that any integer value over 100 is a likely “command reply.” Sweet.

When looking back at the ts_result packet header definitions, we begin to see some gaps in the TRITON developer's knowledge: dir, cid, cmd, cnt, unk, cks, siz = struct.unpack('<, ts_packet[0:10]). We're clearly speculating based on naming conventions, but we get an impression that offsets 4, 5 and 6 could be "direction", "controller ID" and "command", respectively. Values such as "unk" show that the developer either did not know or did not care to identify this value. We suspect it is a constant, but this value is still unknown to us.


Figure 6: Excerpt TS_cnames.pyc TS_names array, which contain TRITON actor’s notes for execution command function codes

TriStation Protocol Packet Structure

The TRITON threat actor’s knowledge and reverse engineering effort provides us a better understanding of the protocol. From here we can start to form a more complete picture and document the basic functionality of TriStation. We are primarily interested in message type 5, Execution Command, which best illustrates the overall structure of the protocol. Other, smaller message types will have varying structure.


Figure 7: Sample TriStation "Allocate Program" Execution Command, with color annotation and protocol legend

Corroborating the TriStation Analysis

Minute discrepancies aside, the TriStation structure detailed in Figure 7 is supported by other public analyses. Foremost, researchers from the Coordinated Science Laboratory (CSL) at University of Illinois at Urbana-Champaign published a 2017 paper titled "Attack Induced Common-Mode Failures on PLC-based Safety System in a Nuclear Power Plant". The CSL team mentions that they used the Triconex System Access Application (TSAA) protocol to reverse engineer elements of the TriStation protocol. TSAA is a protocol developed by the same company as TriStation. Unlike TriStation, the TSAA protocol structure is described within official documentation. CSL assessed similarities between the two protocols would exist and they leveraged TSAA to better understand TriStation. The team's overall research and analysis of the general packet structure aligns with our TRITON-sourced packet structure.

There are some awesome blog posts and whitepapers out there that support our findings in one way or another. Writeups by Midnight Blue Labs, Accenture, and US-CERT each explain how the TRITON framework relates to the TriStation protocol in superb detail.

TriStation's Reverse Engineering and TRITON's Development

When TRITON was discovered, we began to wonder how the TRITON actor reverse engineered TriStation and implemented it into the framework. We have a lot of theories, all of which seemed plausible: Did they build, buy, borrow, or steal? Or some combination thereof?

Our initial theory was that the threat actor purchased a Triconex controller and software for their own testing and reverse engineering from the "ground up", although if this was the case we do not believe they had a controller with the exact vulnerable firmware version, else they would have had fewer problems with TRITON in practice at the victim site. They may have bought or used a demo version of the TriStation 1131 software, allowing them to reverse engineer enough of TriStation for the framework. They may have stolen TriStation Python libraries from ICS companies, subsidiaries or system integrators and used the stolen material as a base for TriStation and TRITON development. But then again, it is possible that they borrowed TriStation software, Triconex hardware and Python connectors from government-owned utility that was using them legitimately.

Looking at the raw TRITON code, some of the comments may appear oddly phrased, but we do get a sense that the developer is clearly using many of the right vernacular and acronyms, showing smarts on PLC programming. The TS_cnames.pyc script contains interesting typos such as 'Set lable', 'Alocate network accepted', 'Symbol table ccepted' and 'Set program information reponse'. These appear to be normal human error and reflect neither poor written English nor laziness in coding. The significant amount of annotation, cascading logic, and robust error handling throughout the code suggests thoughtful development and testing of the framework. This complicates the theory of "ground up" development, so did they base their code on something else?

While learning from the TriStation functionality within TRITON, we continued to explore legitimate TriStation software. We began our search for "TS1131.exe" and hit dead ends sorting through TriStation DLLs until we came across a variety of TriStation utilities in MSI form. We ultimately stumbled across a juicy archive containing "Trilog v4." Upon further inspection, this file installed "TriLog.exe," which the original TRITON executable mimicked, and a couple of supporting DLLs, all of which were timestamped around August 2006.

When we saw the DLL file description "Tricon Communications Interface" and original file name "TricCom.DLL", we knew we were in the right place. With a simple look at the file strings, "BAZINGA!" We struck gold.

File Name

tr1com40.dll

MD5

069247DF527A96A0E048732CA57E7D3D

Size

110592

Compile Date

2006-08-23

File Description

Tricon Communications Interface

Product Name

TricCom Dynamic Link Library

File Version

4.2.441

Original File Name

TricCom.DLL

Copyright

Copyright © 1993-2006 Triconex Corporation

The tr1com40.DLL is exactly what you would expect to see in a custom application package. It is a library that helps support the communications for a Triconex controller. If you've pored over TRITON as much as we have, the moment you look at strings you can see the obvious overlaps between the legitimate DLL and TRITON's own TS_cnames.pyc.


Figure 8: Strings excerpt from tr1com40.DLL

Each of the execution command "error codes" from TS_cnames.pyc are in the strings of tr1com40.DLL (Figure 8). We see "An MP has re-educated" and "Invalid Tristation I command". Even misspelled command strings verbatim such as "Non-existant data item" and "Alocate network accepted". We also see many of the same unknown values. What is obvious from this discovery is that some of the strings in TRITON are likely based on code used in communications libraries for Trident and Tricon controllers.

In our brief survey of the legitimate Triconex Corporation binaries, we observed a few samples with related string tables.

Pe:dllname

Compile Date

Reference CPP Strings Code

Lagcom40.dll

2004/11/19

$Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0

Tr1com40.dll

2006/08/23

$Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4

Tridcom.dll

2008/07/23

$Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0

Triccom.dll

2008/07/23

$Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4

Tridcom.dll

2010/09/29

$Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0 

Tr1com.dll

2011/04/27

$Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4

Lagcom.dll

2011/04/27

$Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0

Triccom.dll

2011/04/27

$Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4

We extracted the CPP string tables in TR1STRS and LAGSTRS and the TS_cnames.pyc TS_names array from TRITON, and compared the 210, 204, and 212 relevant strings from each respective file.

TS_cnames.pyc TS_names and tr1com40.dll share 202 of 220 combined table strings. The remaining strings are unique to each, as seen here:

TS_cnames.TS_names (2017 pyc)

Tr1com40.dll (2006 CPP)

Go to DOWNLOAD mode

<200>

Not set

<209>

Unk75

Bad message from module

Unk76

Bad message type

Unk77

Bad TMI version number

Unk78

Module did not respond

Unk79

Open Connection: Invalid SAP %d

Unk81

Unsupported message for this TMI version

Unk83

 

Wrong command

 

TS_cnames.pyc TS_names and Tridcom.dll (1999 CPP) shared only 151 of 268 combined table strings, showing a much smaller overlap with the seemingly older CPP library. This makes sense based on the context that Tridcom.dll is meant for a Trident controller, not a Tricon controller. It does seem as though Tr1com40.dll and TR1STRS.CPP code was based on older work.

We are not shocked to find that the threat actor reversed legitimate code to bolster development of the TRITON framework. They want to work smarter, not harder, too. But after reverse engineering legitimate software and implementing the basics of the TriStation, the threat actors still had an incomplete understanding of the protocol. In TRITON's TS_cnames.pyc we saw "Unk75", "Unk76", "Unk83" and other values that were not present in the tr1com40.DLL strings, indicating that the TRITON threat actor may have explored the protocol and annotated their findings beyond what they reverse engineered from the DLL. The gaps in TriStation implementation show us why the actors encountered problems interacting with the Triconex controllers when using TRITON in the wild.

You can see more of the Trilog and Triconex DLL files on VirusTotal.

Item Name

MD5

Description

Tr1com40.dll

069247df527a96a0e048732ca57e7d3d

Tricom Communcations DLL

Data1.cab

e6a3c93a6d433cbaf6f573b6c09d76c4

Parent of Tr1com40.dll

Trilog v4.1.360R

13a3b83ba2c4236ca59aba679941c8a5

RAR Archive of TriLog

TridCom.dll

5c2ed617fdec4779cb33c89082a43100

Trident Communications DLL

Afterthoughts

Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies. If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.

Basic security measures do little to thwart truly persistent threat actors and monitoring only IT networks is not an ideal situation. Visibility into both the IT and OT environments is critical for detecting the various stages of an ICS intrusion. Simple detection concepts such as baseline deviation can provide insight into abnormal activity.

While the TRITON framework was actively in use, how many traditional ICS “alarms” were set off while the actors tested their exploits and backdoors on the Triconex controller? How many times did the TriStation protocol, as implemented in their Python scripts, fail or cause errors because of non-standard traffic? How many TriStation UDP pings were sent and how many Connection Requests? How did these statistics compare to the baseline for TriStation traffic? There are no answers to these questions for now. We believe that we can identify these anomalies in the long run if we strive for increased visibility into ICS technologies.

We hope that by holding public discussions about ICS technologies, the Infosec community can cultivate closer relationships with ICS vendors and give the world better insight into how attackers move from the IT to the OT space. We want to foster more conversations like this and generally share good techniques for finding evil. Since most of all ICS attacks involve standard IT intrusions, we should probably come together to invent and improve any guidelines for how to monitor PCs and engineering workstations that bridge the IT and OT networks. We envision a world where attacking or disrupting ICS operations costs the threat actor their cover, their toolkits, their time, and their freedom. It's an ideal world, but something nice to shoot for.

Thanks and Future Work

There is still much to do for TRITON and TriStation. There are many more sub-message types and nuances for parsing out the nitty gritty details, which is hard to do without a controller of our own. And although we’ve published much of what we learned about the TriStation here on the blog, our work will continue as we continue our study of the protocol.

Thanks to everyone who did so much public research on TRITON and TriStation. We have cited a few individuals in this blog post, but there is a lot more community-sourced information that gave us clues and leads for our research and testing of the framework and protocol. We also have to acknowledge the research performed by the TRITON attackers. We borrowed a lot of your knowledge about TriStation from the TRITON framework itself.

Finally, remember that we're here to collaborate. We think most of our research is right, but if you notice any errors or omissions, or have ideas for improvements, please spear phish contact: smiller@fireeye.com.

Recommended Reading

Appendix A: TriStation Message Type Codes

The following table consists of hex values at offset 0 in the TriStation UDP packets and the associated dictionary definitions, extracted verbatim from the TRITON framework in library TS_cnames.pyc.

Value at 0x0

Message Type

1

Connection Request

2

Connection Response

3

Disconnect Request

4

Disconnect Response

5

Execution Command

6

Ping Command

7

Connection Limit Reached

8

Not Connected

9

MPS Are Dead

10

Access Denied

11

Connection Failed

Appendix B: TriStation Execution Command Function Codes

The following table consists of hex values at offset 6 in the TriStation UDP packets and the associated dictionary definitions, extracted verbatim from the TRITON framework in library TS_cnames.pyc.

Value at 0x6

TS_cnames String

0

0: 'Start download all',

1

1: 'Start download change',

2

2: 'Update configuration',

3

3: 'Upload configuration',

4

4: 'Set I/O addresses',

5

5: 'Allocate network',

6

6: 'Load vector table',

7

7: 'Set calendar',

8

8: 'Get calendar',

9

9: 'Set scan time',

A

10: 'End download all',

B

11: 'End download change',

C

12: 'Cancel download change',

D

13: 'Attach TRICON',

E

14: 'Set I/O address limits',

F

15: 'Configure module',

10

16: 'Set multiple point values',

11

17: 'Enable all points',

12

18: 'Upload vector table',

13

19: 'Get CP status ',

14

20: 'Run program',

15

21: 'Halt program',

16

22: 'Pause program',

17

23: 'Do single scan',

18

24: 'Get chassis status',

19

25: 'Get minimum scan time',

1A

26: 'Set node number',

1B

27: 'Set I/O point values',

1C

28: 'Get I/O point values',

1D

29: 'Get MP status',

1E

30: 'Set retentive values',

1F

31: 'Adjust clock calendar',

20

32: 'Clear module alarms',

21

33: 'Get event log',

22

34: 'Set SOE block',

23

35: 'Record event log',

24

36: 'Get SOE data',

25

37: 'Enable OVD',

26

38: 'Disable OVD',

27

39: 'Enable all OVDs',

28

40: 'Disable all OVDs',

29

41: 'Process MODBUS',

2A

42: 'Upload network',

2B

43: 'Set lable',

2C

44: 'Configure system variables',

2D

45: 'Deconfigure module',

2E

46: 'Get system variables',

2F

47: 'Get module types',

30

48: 'Begin conversion table download',

31

49: 'Continue conversion table download',

32

50: 'End conversion table download',

33

51: 'Get conversion table',

34

52: 'Set ICM status',

35

53: 'Broadcast SOE data available',

36

54: 'Get module versions',

37

55: 'Allocate program',

38

56: 'Allocate function',

39

57: 'Clear retentives',

3A

58: 'Set initial values',

3B

59: 'Start TS2 program download',

3C

60: 'Set TS2 data area',

3D

61: 'Get TS2 data',

3E

62: 'Set TS2 data',

3F

63: 'Set program information',

40

64: 'Get program information',

41

65: 'Upload program',

42

66: 'Upload function',

43

67: 'Get point groups',

44

68: 'Allocate symbol table',

45

69: 'Get I/O address',

46

70: 'Resend I/O address',

47

71: 'Get program timing',

48

72: 'Allocate multiple functions',

49

73: 'Get node number',

4A

74: 'Get symbol table',

4B

75: 'Unk75',

4C

76: 'Unk76',

4D

77: 'Unk77',

4E

78: 'Unk78',

4F

79: 'Unk79',

50

80: 'Go to DOWNLOAD mode',

51

81: 'Unk81',

52

 

53

83: 'Unk83',

54

 

55

 

56

 

57

 

58

 

59

 

5A

 

5B

 

5C

 

5D

 

5E

 

5F

 

60

 

61

 

62

 

63

 

64

100: 'Command rejected',

65

101: 'Download all permitted',

66

102: 'Download change permitted',

67

103: 'Modification accepted',

68

104: 'Download cancelled',

69

105: 'Program accepted',

6A

106: 'TRICON attached',

6B

107: 'I/O addresses set',

6C

108: 'Get CP status response',

6D

109: 'Program is running',

6E

110: 'Program is halted',

6F

111: 'Program is paused',

70

112: 'End of single scan',

71

113: 'Get chassis configuration response',

72

114: 'Scan period modified',

73

115: '<115>',

74

116: '<116>',

75

117: 'Module configured',

76

118: '<118>',

77

119: 'Get chassis status response',

78

120: 'Vectors response',

79

121: 'Get I/O point values response',

7A

122: 'Calendar changed',

7B

123: 'Configuration updated',

7C

124: 'Get minimum scan time response',

7D

125: '<125>',

7E

126: 'Node number set',

7F

127: 'Get MP status response',

80

128: 'Retentive values set',

81

129: 'SOE block set',

82

130: 'Module alarms cleared',

83

131: 'Get event log response',

84

132: 'Symbol table ccepted',

85

133: 'OVD enable accepted',

86

134: 'OVD disable accepted',

87

135: 'Record event log response',

88

136: 'Upload network response',

89

137: 'Get SOE data response',

8A

138: 'Alocate network accepted',

8B

139: 'Load vector table accepted',

8C

140: 'Get calendar response',

8D

141: 'Label set',

8E

142: 'Get module types response',

8F

143: 'System variables configured',

90

144: 'Module deconfigured',

91

145: '<145>',

92

146: '<146>',

93

147: 'Get conversion table response',

94

148: 'ICM print data sent',

95

149: 'Set ICM status response',

96

150: 'Get system variables response',

97

151: 'Get module versions response',

98

152: 'Process MODBUS response',

99

153: 'Allocate program response',

9A

154: 'Allocate function response',

9B

155: 'Clear retentives response',

9C

156: 'Set initial values response',

9D

157: 'Set TS2 data area response',

9E

158: 'Get TS2 data response',

9F

159: 'Set TS2 data response',

A0

160: 'Set program information reponse',

A1

161: 'Get program information response',

A2

162: 'Upload program response',

A3

163: 'Upload function response',

A4

164: 'Get point groups response',

A5

165: 'Allocate symbol table response',

A6

166: 'Program timing response',

A7

167: 'Disable points full',

A8

168: 'Allocate multiple functions response',

A9

169: 'Get node number response',

AA

170: 'Symbol table response',

AB

 

AC

 

AD

 

AE

 

AF

 

B0

 

B1

 

B2

 

B3

 

B4

 

B5

 

B6

 

B7

 

B8

 

B9

 

BA

 

BB

 

BC

 

BD

 

BE

 

BF

 

C0

 

C1

 

C2

 

C3

 

C4

 

C5

 

C6

 

C7

 

C8

200: 'Wrong command',

C9

201: 'Load is in progress',

CA

202: 'Bad clock calendar data',

CB

203: 'Control program not halted',

CC

204: 'Control program checksum error',

CD

205: 'No memory available',

CE

206: 'Control program not valid',

CF

207: 'Not loading a control program',

D0

208: 'Network is out of range',

D1

209: 'Not enough arguments',

D2

210: 'A Network is missing',

D3

211: 'The download time mismatches',

D4

212: 'Key setting prohibits this operation',

D5

213: 'Bad control program version',

D6

214: 'Command not in correct sequence',

D7

215: '<215>',

D8

216: 'Bad Index for a module',

D9

217: 'Module address is invalid',

DA

218: '<218>',

DB

219: '<219>',

DC

220: 'Bad offset for an I/O point',

DD

221: 'Invalid point type',

DE

222: 'Invalid Point Location',

DF

223: 'Program name is invalid',

E0

224: '<224>',

E1

225: '<225>',

E2

226: '<226>',

E3

227: 'Invalid module type',

E4

228: '<228>',

E5

229: 'Invalid table type',

E6

230: '<230>',

E7

231: 'Invalid network continuation',

E8

232: 'Invalid scan time',

E9

233: 'Load is busy',

EA

234: 'An MP has re-educated',

EB

235: 'Invalid chassis or slot',

EC

236: 'Invalid SOE number',

ED

237: 'Invalid SOE type',

EE

238: 'Invalid SOE state',

EF

239: 'The variable is write protected',

F0

240: 'Node number mismatch',

F1

241: 'Command not allowed',

F2

242: 'Invalid sequence number',

F3

243: 'Time change on non-master TRICON',

F4

244: 'No free Tristation ports',

F5

245: 'Invalid Tristation I command',

F6

246: 'Invalid TriStation 1131 command',

F7

247: 'Only one chassis allowed',

F8

248: 'Bad variable address',

F9

249: 'Response overflow',

FA

250: 'Invalid bus',

FB

251: 'Disable is not allowed',

FC

252: 'Invalid length',

FD

253: 'Point cannot be disabled',

FE

254: 'Too many retentive variables',

FF

255: 'LOADER_CONNECT',

 

256: 'Unknown reject code'

Remote Authentication GeoFeasibility Tool – GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks (VPNs), web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials to access systems and data. Due to large volumes of remote access connections, it can be difficult to distinguish between a legitimate and a malicious login.

Today, we are releasing GeoLogonalyzer to help organizations analyze logs to identify malicious logins based on GeoFeasibility; for example, a user connecting to a VPN from New York at 13:00 is unlikely to legitimately connect to the VPN from Australia five minutes later.

Once remote authentication activity is baselined across an environment, analysts can begin to identify authentication activity that deviates from business requirements and normalized patterns, such as:

  1. User accounts that authenticate from two distant locations, and at times between which the user probably could not have physically travelled the route.
  2. User accounts that usually log on from IP addresses registered to one physical location such as a city, state, or country, but also have logons from locations where the user is not likely to be physically located.
  3. User accounts that log on from a foreign location at which no employees reside or are expected to travel to, and your organization has no business contacts at that location.
  4. User accounts that usually log on from one source IP address, subnet, or ASN, but have a small number of logons from a different source IP address, subnet, or ASN.
  5. User accounts that usually log on from home or work networks, but also have logons from an IP address registered to cloud server hosting providers.
  6. User accounts that log on from multiple source hostnames or with multiple VPN clients.

GeoLogonalyzer can help address these and similar situations by processing authentication logs containing timestamps, usernames, and source IP addresses.

GeoLogonalyzer can be downloaded from our FireEye GitHub.

GeoLogonalyzer Features

IP Address GeoFeasibility Analysis

For a remote authentication log that records a source IP address, it is possible to estimate the location each logon originated from using data such as MaxMind’s free GeoIP database. With additional information, such as a timestamp and username, analysts can identify a change in source location over time to determine if that user could have possibly traveled between those two physical locations to legitimately perform the logons.

For example, if a user account, Meghan, logged on from New York City, New York on 2017-11-24 at 10:00:00 UTC and then logged on from Los Angeles, California 10 hours later on 2017-11-24 at 20:00:00 UTC, that is roughly a 2,450 mile change over 10 hours. Meghan’s logon source change can be normalized to 245 miles per hour which is reasonable through commercial airline travel.

If a second user account, Harry, logged on from Dallas, Texas on 2017-11-25 at 17:00:00 UTC and then logged on from Sydney, Australia two hours later on 2017-11-25 at 19:00:00 UTC, that is roughly an 8,500 mile change over two hours. Harry’s logon source change can be normalized to 4,250 miles per hour, which is likely infeasible with modern travel technology.

By focusing on the changes in logon sources, analysts do not have to manually review the many times that Harry might have logged in from Dallas before and after logging on from Sydney.

Cloud Data Hosting Provider Analysis

Attackers understand that organizations may either be blocking or looking for connections from unexpected locations. One solution for attackers is to establish a proxy on either a compromised server in another country, or even through a rented server hosted in another country by companies such as AWS, DigitalOcean, or Choopa.

Fortunately, Github user “client9” tracks many datacenter hosting providers in an easily digestible format. With this information, we can attempt to detect attackers utilizing datacenter proxy to thwart GeoFeasibility analysis.

Using GeoLogonalyzer

Usable Log Sources

GeoLogonalyzer is designed to process remote access platform logs that include a timestamp, username, and source IP. Applicable log sources include, but are not limited to:

  1. VPN
  2. Email client or web applications
  3. Remote desktop environments such as Citrix
  4. Internet-facing applications
Usage

GeoLogonalyzer’s built-in –csv input type accepts CSV formatted input with the following considerations:

  1. Input must be sorted by timestamp.
  2. Input timestamps must all be in the same time zone, preferably UTC, to avoid seasonal changes such as daylight savings time.
  3. Input format must match the following CSV structure – this will likely require manually parsing or reformatting existing log formats:

YYYY-MM-DD HH:MM:SS, username, source IP, optional source hostname, optional VPN client details

GeoLogonalyzer’s code comments include instructions for adding customized log format support. Due to the various VPN log formats exported from VPN server manufacturers, version 1.0 of GeoLogonalyzer does not include support for raw VPN server logs.

GeoLogonalyzer Usage

Example Input

Figure 1 represents an example input VPNLogs.csv file that recorded eight authentication events for the two user accounts Meghan and Harry. The input data is commonly derived from logs exported directly from an application administration console or SIEM.  Note that this example dataset was created entirely for demonstration purposes.


Figure 1: Example GeoLogonalyzer input

Example Windows Executable Command

GeoLogonalyzer.exe --csv VPNLogs.csv --output GeoLogonalyzedVPNLogs.csv

Example Python Script Execution Command

python GeoLogonalyzer.py --csv VPNLogs.csv --output GeoLogonalyzedVPNLogs.csv

Example Output

Figure 2 represents the example output GeoLogonalyzedVPNLogs.csv file, which shows relevant data from the authentication source changes (highlights have been added for emphasis and some columns have been removed for brevity):


Figure 2: Example GeoLogonalyzer output

Analysis

In the example output from Figure 2, GeoLogonalyzer helps identify the following anomalies in the Harry account’s logon patterns:

  1. FAST - For Harry to physically log on from New York and subsequently from Australia in the recorded timeframe, Harry needed to travel at a speed of 4,297 miles per hour.
  2. DISTANCE – Harry’s 8,990 mile trip from New York to Australia might not be expected travel.
  3. DCH – Harry’s logon from Australia originated from an IP address associated with a datacenter hosting provider.
  4. HOSTNAME and CLIENT – Harry logged on from different systems using different VPN client software, which may be against policy.
  5. ASN – Harry’s source IP addresses did not belong to the same ASN. Using ASN analysis helps cut down on reviewing logons with different source IP addresses that belong to the same provider. Examples include logons from different campus buildings or an updated residential IP address.

Manual analysis of the data could also reveal anomalies such as:

  1. Countries or regions where no business takes place, or where there are no employees located
  2. Datacenters that are not expected
  3. ASN names that are not expected, such as a university
  4. Usernames that should not log on to the service
  5. Unapproved VPN client software names
  6. Hostnames that are not part of the environment, do not match standard naming conventions, or do not belong to the associated user

While it may be impossible to determine if a logon pattern is malicious based on this data alone, analysts can use GeoLogonalyzer to flag and investigate potentially suspicious logon activity through other investigative methods.

GeoLogonalyzer Limitations

Reserved Addresses

Any RFC1918 source IP addresses, such as 192.168.X.X and 10.X.X.X, will not have a physical location registered in the MaxMind database. By default, GeoLogonalyzer will use the coordinates (0, 0) for any reserved IP address, which may alter results. Analysts can manually edit these coordinates, if desired, by modifying the RESERVED_IP_COORDINATES constant in the Python script.

Setting this constant to the coordinates of your office location may provide the most accurate results, although may not be feasible if your organization has multiple locations or other point-to-point connections.

GeoLogonalyzer also accepts the parameter –skip_rfc1918, which will completely ignore any RFC1918 source IP addresses and could result in missed activity.

Failed Logon and Logoff Data

It may also be useful to include failed logon attempts and logoff records with the log source data to see anomalies related to source information of all VPN activity. At this time, GeoLogonalyzer does not distinguish between successful logons, failed logon attempts, and logoff events. GeoLogonalyzer also does not detect overlapping logon sessions from multiple source IP addresses.

False Positive Factors

Note that the use of VPN or other tunneling services may create false positives. For example, a user may access an application from their home office in Wyoming at 08:00 UTC, connect to a VPN service hosted in Georgia at 08:30 UTC, and access the application again through the VPN service at 09:00 UTC. GeoLogonalyzer would process this application access log and detect that the user account required a FAST travel rate of roughly 1,250 miles per hour which may appear malicious. Establishing a baseline of legitimate authentication patterns is recommended to understand false positives.

Reliance on Open Source Data

GeoLogonalyzer relies on open source data to make cloud hosting provider determinations. These lookups are only as accurate as the available open source data.

Preventing Remote Access Abuse

Understanding that no single analysis method is perfect, the following recommendations can help security teams prevent the abuse of remote access platforms and investigate suspected compromise.

  1. Identify and limit remote access platforms that allow access to sensitive information from the Internet, such as VPN servers, systems with RDP or SSH exposed, third-party applications (e.g., Citrix), intranet sites, and email infrastructure.
  2. Implement a multi-factor authentication solution that utilizes dynamically generated one-time use tokens for all remote access platforms.
  3. Ensure that remote access authentication logs for each identified access platform are recorded, forwarded to a log aggregation utility, and retained for at least one year.
  4. Whitelist IP address ranges that are confirmed as legitimate for remote access users based on baselining or physical location registrations. If whitelisting is not possible, blacklist IP address ranges registered to physical locations or cloud hosting providers that should never legitimately authenticate to your remote access portal.
  5. Utilize either SIEM capabilities or GeoLogonalyzer.py to perform GeoFeasibility analysis of all remote access on a regular frequency to establish a baseline of accounts that legitimately perform unexpected logon activity and identify new anomalies. Investigating anomalies may require contacting the owner of the user account in question. FireEye Helix analyzes live log data for all techniques utilized by GeoLogonalyzer, and more!

Download GeoLogonalyzer today.

Acknowledgements

Christopher Schmitt, Seth Summersett, Jeff Johns, and Alexander Mulfinger.

Solving Ad-hoc Problems with Hex-Rays API

Introduction

IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled and decompiled code can greatly reduce the analysis time.

The decompiler (from now on referred to as Hex-Rays) has been around for a long time and has achieved a good level of maturity. However, there seems to be a lack of a concise and complete resources regarding this topic (tutorials or otherwise). In this blog, we aim to close that gap by showcasing examples where scripting Hex-Rays goes a long way.

Overview of a Decompiler

In order to understand how the decompiler works, it’s helpful to first review the normal compilation process.

Compilation and decompilation center around the concept of an Abstract Syntax Tree (AST). In essence, a compiler takes the source code, splits it into tokens according to a grammar, then these tokens are grouped into logical expressions. In this phase of the compilation process, referred to as parsing, the code structure is represented as a complex object, the AST. From the AST, the compiler will produce assembly code for the specified platform.

A decompiler takes the opposite route. From the given assembly code, it works back to produce an AST, and from this to produce pseudocode.

From all the intermediate steps between code and assembly, we are stressing the AST so much because most of the time you will spend using the Hex-Rays API, you will actually be reading and/or modifying the Abstract Syntax Tree (or ctree in Hex-Rays terminology).

Items, Expressions and Statements

Now we know that Hex-Rays’s ctree is a tree-like data structure. The nodes of this tree are either of type cinsn_t or cexpr_t. We will define these in a moment, but for now it is important to know that both derive from a very basic type, namely the citem_t type, as seen in the following code snippet:

Therefore, all nodes in the ctree will have the op property, which indicates the node type (variable, number, logical expression, etc.).

The type of op (ctype_t) is an enumeration where all constants are named either cit_<xyz> (for statements) or cot_<xyz> (for expressions). Keep this in mind, as it will be very important. A quick way to inspect all ctype_t constants and their values is to execute the following code snippet:

This produces the following output:

Let’s dive a bit deeper and explain the two types of nodes: expressions and statements.

It is useful to think about expressions as the “the little logical elements” of your code. They range from simple types such as variables, strings or numerical constants, to small code constructs (assignments, comparisons, additions, logical operations, array indexing, etc.).

These are of type cexpr_t, a large structure containing several members. The members that can be accessed depend on its op value. For example, the member n to obtain the numeric value only makes sense when dealing with constants.

On the other side, we have statements. These correlate roughly to language keywords (if, for, do, while, return, etc.) Most of them are related to control flow and can be thought as “the big picture elements” of your code.

Recapitulating, we have seen how the decompiler exposes this tree-like structure (the ctree), which consists of two types of nodes: expressions and statements. In order to extract information from or modify the decompiled code, we have to interact with the ctree nodes via methods dependent on the node type. However, the following question arises: “How do we reach the nodes?”

This is done via a class exposed by Hex-Rays: the tree visitor (ctree_visitor_t). This class has two virtual methods, visit_insn and visit_expr, that are executed when a statement or expression is found while traversing the ctree. We can create our own visitor classes by inheriting from this one and overloading the corresponding methods.

Example Scripts

In this section, we will use the Hex-Rays API to solve two real-world problems:

  • Identify calls to GetProcAddress to dynamically resolve Windows APIs, assigning the resulting address to a global variable.
  • Display assignments related to stack strings as characters instead of numbers, for easier readability.

GetProcAddress

The first example we will walk through is how to automatically handle renaming global variables that have been dynamically resolved at run time. This is a common technique malware uses to hide its capabilities from static analysis tools. An example of dynamically resolving global variables using GetProcAddress is shown in Figure 1.


Figure 1: Dynamic API resolution using GetProcAddress

There are several ways to rename the global variables, with the simplest being manual copy and paste. However, this task is very repetitive and can be scripted using the Hex-Rays API.

In order to write any Hex-Rays script, it is important to first visualize the ctree. The Hex-Rays SDK includes a sample, sample5, which can be used to view the current function’s ctree. The amount of data shown in a ctree for a function can be overwhelming. A modified version of the sample was used to produce a picture of a sub-ctree for the function shown in Figure 1. The sub-ctree for the single expression: 'dword_1000B2D8 = (int)GetProcAdress(v0, "CreateThread");' is shown in Figure 2.


Figure 2: Sub-ctree for GetProcAddress assignment

With knowledge of the sub-ctree in use, we can write a script to automatically rename all the global variables that are being assigned using this method.

The code to automatically rename all the local variables is shown in Figure 3. The code works by traversing the ctree looking for calls to the GetProcAddress function. Once found, the code takes the name of the function being resolved and finds the global variable that is being set. The code then uses the IDA MakeName API to rename the address to the correct function.


Figure 3: Function renaming global variables

After the script has been executed, we can see in Figure 4 that all the global variables have been renamed to the appropriate function name.


Figure 4: Global variables renamed

Stack Strings

Our next example is a typical issue when dealing with malware: stack strings. This is a technique aimed to make the analysis harder by using arrays of characters instead of strings in the code. An example can be seen in Figure 5; the malware stores each character’s ASCII value in the stack and then references it in the call to sprintf. At a first glance, it’s very difficult to say what is the meaning of this string (unless of course, you know the ASCII table by heart).


Figure 5: Hex-Rays decompiler output. Stack strings are difficult to read.

Our script will modify these assignments to something more readable. The important part of our code is the ctree visitor mentioned earlier, which is shown in Figure 6.


Figure 6: Custom ctree visitor

The logic implemented here is pretty straightforward. We define our subclass of a ctree visitor (line 1) and override its visit_expr method. This will only kick in when an assignment is found (line 9). Another condition to be met is that the left side of the assignment is a variable and the right side a number (line 15). Moreover, the numeric value must be in the readable ASCII range (lines 20 and 21).

Once this kind of expression is found, we will change the type of the right side from a number to a string (lines 26 to 31), and replace its numerical value by the corresponding ASCII character (line 32).

The modified pseudocode after running this script is shown in Figure 7.


Figure 7: Assigned values shown as characters

You can find the complete scripts in our FLARE GitHub repository under decompiler scripts

Conclusion

These two admittedly simple examples should be able to give you an idea of the power of IDA’s decompiler API. In this post we have covered the foundations of all decompiler scripts: the ctree object, a structure composed by expressions and statements representing every element of the code as well the relationships between them. By creating a custom visitor we have shown how to traverse the tree and read or modify the code elements, therefore analyzing or modifying the pseudocode.

Hopefully, this post will motivate you to start writing your own scripts. This is only the beginning!

Do you want to learn more about these tools and techniques from FLARE? Then you should take one of our Black Hat classes in Las Vegas this summer! Our offerings include Malware Analysis Crash Course, macOS Malware for Reverse Engineers, and Malware Analysis Master Class.

References

Although written in 2009, one of the best references is still the original article on the Hex-Rays blog.

PacketTotal

The SANS Storm Center did a diary article on PacketTotal, which you can find here. PacketTotal is a (free) site where you upload a pcap (up to 50 Mb) and the site will analyze it and give you an console view that includes malicious or suspicious activity as well as a break out of http, dns and other protocols. It will also give you a nice timeline graph showing the packets as they interact, which is really nice.  Lastly, you get an analytics page if you like graphs showing the breakout of stats on the traffic. You can find it at, yes, packettotal.com.