Warning of additional cyber attacks and disruptions

Notice to fellow security researchers, partners and customers: Caution and vigilance


We believe that the data we are seeing from the disruptions on Twitter and Facebook, the IoT attacks, and the data dumps that discredit one side and not the other point to targeted activity that is being coordinated by a group or nation seeking to gain an advantage from those disruptions. Based on the goals these latest attacks appear to pursue, we believe it likely that Russia, and maybe even China as a partner, is involved in the latest disruptions in the US and on social media, in Ukraine and in other areas. So what proof do we have?

  • Aggressive and hateful messages and “events” multiplying rapidly
  • Specific presidential candidates who are not pro-Russia being attacked
  • People who oppose the other candidate have reported attacks (hacks) on their accounts, servers and clients after posting negative comments about that candidate
  • Sudden and surprising information is being released in data dumps that “suddenly” prove one candidate did something wrong; that data comes from breached systems, which is at the very least questionable and, in forensic terms, not clean or applicable as evidence
  • Data dump releases timed to disrupt specific candidates shortly before elections, with the intention of changing people’s perception of that candidate
  • IoT botnet attacks recently targeted primarily US-based servers and services, causing many to question the safety of the country and its cyber defense capabilities
  • Russia has moved nuclear rockets into close range of the EU and key cities
  • Russia has currently reactivated a mothballed nuclear rocket site in the area of Ukraine it invaded (Crimea)
  • Multiple social media accounts are popping up pushing one candidate, attacking the other candidate’s supporters, and posting data and pictures that are not all true and have been shown to be placed or planted to cause outrage, disruption and disorder

These signs are typical of Russia and of a campaign used by a nation state in hybrid warfare to destabilize the US and (we believe) NATO. Russia has been fighting NATO for some time now because NATO has challenged Russia’s illegal land claim in Eastern Ukraine (Crimea).


We believe that more attacks will happen that seek to disrupt US elections and attempt to hijack voters’ choices for a specific candidate. In addition, Russia has used people who are seen as terrorists (they look like, and sometimes are, members of groups like Daesh, etc.) but are actually FSB or Russian embedded agents. If the attacks use a similar tactic and approach as in Ukraine, multiple services, servers and clients are already infected and waiting for C&C servers to send out instructions to start attacks and disruptions, or worse. We believe this is happening and that we will see a bigger attack very soon.


One of the best ways to stop this attack from happening is by flagging false information, identifying disinformation and finding the fake citizens that are embedded to disrupt and aggravate people. Another way is to look at all critical infrastructure servers, clients and devices and either block any malicious or suspicious communication to the outside (air gaps) or turn off IoT devices that are not secured or locked down against hijacking by an attacker.


Lastly, reporting suspicious behavior to the FBI, US Secret Service and other researchers, journalists, etc. is a great way to expose potential attackers.

(Additional Information)

Hacktivism, cyber crime, cyber espionage and warfare are inherently linked to each other in logical and dependency-creating ways. Attacks that happen today are no longer easy to distinguish or correctly classify as one type of attack or another, both because of their complexity and because the actual goal of a hack or attack is almost never known until more facts and data are obtained.

We believe that new IoT botnets are currently being tested for their effectiveness, with devastating effects, causing disruptions in smaller nations. Such tests or POCs (proofs of concept) were used in previous attacks that we saw in another mainstream and effective disruption campaign. The last time we saw POC-like attacks was back in 2015, when Active Directory servers sent out new policy updates to their networks that helped create widespread infection of an entire industry, installed signed drivers containing the BlackEnergy 3+ rootkit that disrupted the media industry (radio, TV, etc.), and did so a day before local and national elections. The country attacked was Ukraine, the year was 2015.


These attacks used old rootkits that were repurposed for a new target and were quite successful. Back then, in FireSale, I saw that my customers were getting infected by what we now know is KillDisk and BlackEnergy 3+. This attack was location aware, was started more than 7 months before the actual attack, and had signatures that we could trace back to APT28 and Sandworm based attacks. No antivirus products were able to detect the attacks; it was location aware and used DDoS-protected servers in legitimate datacenters that were also used by Symantec, Microsoft and others for updates and patches.
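As an added example (not code from the original post), this is the kind of correlation a defender could run over exported Windows event logs to catch the pattern described above: a Group Policy object modified on a domain controller, followed shortly by the same kernel-mode driver service appearing on several hosts. The key=value export format, host names, service name and GPO GUID are constructed placeholders; the event IDs 5136 and 7045 are real Windows event IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export. Event IDs are real: 5136 = "directory service
# object modified" (Security log on a DC), 7045 = "a service was installed"
# (System log on the endpoint). Hosts, service name and GPO GUID are placeholders.
SAMPLE_LOG = """\
2015-10-20T09:02:11 host=DC01 id=5136 object="CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System" attr=gPCMachineExtensionNames
2015-10-20T09:31:40 host=WS-FIN-07 id=7045 service=svcdrv type="kernel mode driver" path="C:\\Windows\\System32\\drivers\\svcdrv.sys"
2015-10-20T09:33:05 host=WS-FIN-12 id=7045 service=svcdrv type="kernel mode driver" path="C:\\Windows\\System32\\drivers\\svcdrv.sys"
2015-10-20T09:35:52 host=WS-OPS-03 id=7045 service=svcdrv type="kernel mode driver" path="C:\\Windows\\System32\\drivers\\svcdrv.sys"
2015-10-21T14:00:00 host=WS-OPS-03 id=7045 service=Spooler type="user mode service" path="C:\\Windows\\System32\\spoolsv.exe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_text, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    event["ts"] = datetime.fromisoformat(ts_text)
    return event

def correlate(log_text, window_hours=24, min_hosts=2):
    """Flag kernel-mode driver services that show up on several hosts within
    window_hours after a GPO object was modified (a GPO-pushed driver install)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    gpo_changes = [e for e in events
                   if e["id"] == "5136" and "CN=Policies" in e.get("object", "")]
    driver_installs = [e for e in events
                       if e["id"] == "7045" and "kernel mode driver" in e.get("type", "")]
    alerts = []
    for change in gpo_changes:
        deadline = change["ts"] + timedelta(hours=window_hours)
        by_service = {}  # service name -> set of hosts that installed it in the window
        for inst in driver_installs:
            if change["ts"] <= inst["ts"] <= deadline:
                by_service.setdefault(inst["service"], set()).add(inst["host"])
        for service, hosts in by_service.items():
            if len(hosts) >= min_hosts:
                alerts.append({"gpo_changed_at": change["ts"].isoformat(),
                               "gpo_object": change["object"],
                               "service": service, "hosts": sorted(hosts)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```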

[Image: 04-11 Threat Map Live]

What was interesting was that we saw tactics and a methodology behind the first attack that used highly customized and legitimate-looking phishing emails with PNG files and, later on, macro viruses that no antivirus or email security solution could detect or stop. We are still seeing this even today. The first attack led to three others, including two electric plants being left without electricity and an airport having to shut down vital systems because of breaches.


(Example FireSale Infector Code)
