- 118.163.116.196[11/25/2014 7:40:48 AM] ernie_liu: hi
- [11/25/2014 7:42:05 AM] ernie_liu: I asked Albano to check w bureau buddies to see what other info we can get
- [11/25/2014 7:42:33 AM] Mike Opp: it might help him know that its the local Bu guys that were here working it.
- [11/25/2014 7:43:11 AM] *** Marshall Heilman added kevinalbano ***
- [11/25/2014 7:43:15 AM] Marshall Heilman: Get in here Albano :)
- [11/25/2014 7:44:16 AM] Mike Opp: (wave)
- [11/25/2014 7:44:52 AM] kevinalbano: got to get tough
- [11/25/2014 7:45:32 AM] kevinalbano: emails SA Boeing Shih and ASAC Gina Osborn to get the FBI channel started up
- [11/25/2014 7:45:50 AM] kevinalbano: srsly they don't know any of their names
- [11/25/2014 7:46:04 AM] Mike Opp: they sent 12 of them here yesterday
- [11/25/2014 7:46:20 AM] kevinalbano: yah & no one remembers a name
- [11/25/2014 7:46:23 AM] Marshall Heilman: @Opp - just to be clear, you mentioned GSIRT having issues w/ Nitro, but that is different than the syslog data.
- [11/25/2014 7:46:29 AM] Marshall Heilman: so you are working with them on both issues, right?
- [11/25/2014 7:46:40 AM] Mike Opp: correct but they were saying the sys log data somehow fed into NITRO
- [11/25/2014 7:46:45 AM] Mike Opp: but i need to clarify that with them
- [11/25/2014 7:46:51 AM] Marshall Heilman: ok
- [11/25/2014 7:46:58 AM | Edited 7:47:02 AM] Marshall Heilman: I'd like the raw syslog data if possible - would be easier for us
- [11/25/2014 7:47:02 AM] Mike Opp: Kevin who is on the phone will/should be able to answer
- [11/25/2014 7:47:03 AM] Mike Opp: yep agree
- [11/25/2014 7:47:19 AM] Mike Opp: waiting for this conversation to end
- [11/25/2014 7:47:31 AM] Marshall Heilman: k
- [11/25/2014 7:51:52 AM | Edited 7:52:01 AM] kevinalbano: I got the entire FBI team. What time do you want to have a conference?
- [11/25/2014 7:52:05 AM] Marshall Heilman: lol
- [11/25/2014 7:52:13 AM] Marshall Heilman: asap
- [11/25/2014 7:52:18 AM] Marshall Heilman: if possible
- [11/25/2014 7:52:32 AM] kevinalbano: Sony legal had concerns about privilege as it relates to allowing Mandiant and the FBI to collaborate on what could be considered attorney-client work product. Did Sony legal make a decision on this yet?
- [11/25/2014 7:52:47 AM] kevinalbano: Need to work Sony legal. who's got point on this?
- [11/25/2014 7:53:04 AM] Marshall Heilman: I can take point on that. I told the SVP here that we would back channel until that got figured out.
- [11/25/2014 7:53:26 AM] Marshall Heilman: so if the FBI was willing to just pass us data for now, that would be really helpful. We can make it right with them later on
- [11/25/2014 7:53:55 AM] ernie_liu: Denise from FE hit me up. This is on DeWalt's radar so just be aware. I told her once we get a better idea of what we are dealing with then we will let her know if there are places where FE tech can help
- [11/25/2014 7:55:09 AM] kevinalbano: rog; will let you know the time of the meeting.
- [11/25/2014 7:55:38 AM] Marshall Heilman: I had an email exchange with him and asked him to make sure FE calms down
- [11/25/2014 8:02:59 AM] Marshall Heilman: Ernie - when will Will have the dongles? We need to know asap how many we have available
- [11/25/2014 8:16:46 AM] Marshall Heilman: fuck. Manny has to deal w/ a potential compromise on a POS system at TGT right now. Hopefully just a FP, but it's still going to delay him.
- [11/25/2014 8:17:03 AM] ernie_liu: we can get Huy maybe
- [11/25/2014 8:17:22 AM] Marshall Heilman: possibly, but he has another client work he has to work on.
- [11/25/2014 8:17:23 AM] Mike Opp: working on getting alternate comms (Skype) with the GCIRT folks....
- [11/25/2014 8:17:28 AM] Marshall Heilman: so he would have to cram that in after hours
- [11/25/2014 8:21:21 AM] ernie_liu: Matson is headed to the office so we'll know soon
- [11/25/2014 8:21:41 AM] Marshall Heilman: ok great. I'm waiting to hear back from S. Davis to see if we can get malware support as soon as we have something to look at
- [11/25/2014 8:21:49 AM] Marshall Heilman: Siko is offline, so I want to start w. the special ops team
- [11/25/2014 8:22:32 AM | Edited 8:22:37 AM] Marshall Heilman: we can always use Bailer if we come across the linux variant
- [11/25/2014 8:23:34 AM] ernie_liu: JSmith maybe too
- [11/25/2014 8:25:13 AM] Marshall Heilman: good call. talking to davis now.
- [11/25/2014 8:42:00 AM] ernie_liu: Matson is on his way to lab, then Bestbuy, then here at client
- [11/25/2014 8:42:10 AM] ernie_liu: he is getting bunch of USB drives
- [11/25/2014 8:42:15 AM] ernie_liu: let him know if we need anything else
- [11/25/2014 9:02:55 AM] Marshall Heilman: @Albano - SPE legal just gave us the go ahead to work w/ the FBI. SPE is going to call the FBI now, let them know, and get the FBI back on-site
- [11/25/2014 9:03:15 AM] Marshall Heilman: however, I think it would still be good for you to interface with them to see what you can get from your backchanneling that they might not share with the client
- [11/25/2014 9:05:28 AM] *** Marshall Heilman added cglyer ***
- [11/25/2014 9:19:41 AM] kevinalbano: (y)
- [11/25/2014 9:22:45 AM] cglyer: [Tuesday, November 25, 2014 9:22 AM] cglyer:
- <<< another idea - you can use one of willi's script to point at a disk image and export all of the event log entries
- you could potentially do that across as many systems as you had images/drives
- [11/25/2014 9:36:26 AM] *** Marshall Heilman has changed the conversation topic to ""MFR14-240 - Pics and splash screens don't mix"" ***
- [11/25/2014 9:36:43 AM] Marshall Heilman: [Tuesday, November 25, 2014 9:33 AM] steved:
- <<< -i: install and start service (WinsSchMgmt) Windows Schedule Management Service
- will be running with -k indicating the exe is running as a service
- looks like -s can run in standalone mode
- [11/25/2014 9:37:04 AM] Marshall Heilman: this is for the d1c27ee7ce18675974edf42d4eea25c6 file
- [11/25/2014 9:37:58 AM] Mike Opp: it seems the file scans the 43.130.141/24 net for tcp/445 and writing results to c:\windows\system32\net_ver.dat
- SPE\Dayals-1
- London13!
- SPE\JHKim4-1
- !Tomorrow33
- SPE\KManku-1
- M@nday77
- SPE\MMcLean3-1
- @Smiley91
- found the above in memory copy of the file....
- seems to try those creds with this command
- cmd.exe /c wmic.exe /node:"%s" /user:"%s" /password:"%s" PROCESS CALL CREATE "%s" > %s
- [11/25/2014 9:39:19 AM] Mike Opp: If you xor 0x67 that file you get the below information:
- _SPE\Dayals-1|London13!
- SPE\JHKim4-1|!Tomorrow33
- SPE\KManku-1|M@nday77
- SPE\MMcLean3-1|@Smiley91
- 43.130.141.10
- USSDIRIM18|43.130.141.11
- USSDIXCAS23|43.130.141.13
- 43.130.141.14
- USSDIBKP04|43.130.141.15
- [11/25/2014 9:39:22 AM] cglyer: [Tuesday, November 25, 2014 9:37 AM] Mike Opp:
- <<< cmd.exe /c wmic.exe /node:"%s" /user:"%s" /password:"%s" PROCESS CALL CREATE "%s" > %sremote command execution
- [11/25/2014 9:39:27 AM] cglyer: it's like running psexec - but using WMI
- [11/25/2014 9:39:41 AM | Edited 9:39:44 AM] cglyer: there will be very few logs of what they ran through that - if that is what they used
- [11/25/2014 9:40:31 AM] Mike Opp: one oddball: UKLONEXT-XMSGV|172.21.40.161
- [11/25/2014 10:39:50 AM] ernie_liu: so we have them in one place, current malware:
- [11/25/2014 10:39:52 AM] ernie_liu: diskpartmg16.exe
- https://mta.mplex.mandiant.com/samples/d1c27ee7ce18675974edf42d4eea25c6
- igfxtrayex.exe
- https://mta.mplex.mandiant.com/samples/760c35a80d758f032d02cf4db12d3e55
- net_ver.dat
- https://mta.mplex.mandiant.com/samples/3efd1c9a28241ea5182c5a0b2d979eb7
- [11/25/2014 10:41:16 AM] Mike Opp: the malware has resources written in Korean
- [11/25/2014 10:41:36 AM] ernie_liu: i blame Seth Rogen
- [11/25/2014 10:41:48 AM] kevinalbano: nah Franco
- [11/25/2014 10:42:17 AM] Mike Opp: they owe this place a ton of money
- [11/25/2014 10:42:28 AM] Mike Opp: and they owe all of us Tesla's and a strand house
- [11/25/2014 11:16:34 AM] kevinalbano: FBI was thinking this was attributed to DarkSeoul
- [11/25/2014 11:17:25 AM] kevinalbano: https://mic.mandiant.com/-/south-korean-organizations-suffer-computer-network-attack-amid-heightened-tensions-on-korean-peninsula
- [11/25/2014 11:32:26 AM] Mike Opp: ok that is tracking with our current theory
- [11/25/2014 11:35:35 AM] Marshall Heilman: malware is 32 and 64bit aware
- [11/25/2014 11:38:06 AM] Marshall Heilman: igfxtrayex.exe (760c35a80d758f032d02cf4db12d3e55) and diskpartmg16.exe (d1c27ee7ce18675974edf42d4eea25c6) both have the same "C2" ips
- [11/25/2014 11:39:17 AM] kevinalbano: FBI is trying to be on site around 12:30 or 1pm
- [11/25/2014 11:39:46 AM] Marshall Heilman: good
- [11/25/2014 11:39:57 AM] Marshall Heilman: shit. I have to run out around 1 PM for a bit
- [11/25/2014 11:40:06 AM] Marshall Heilman: don't let them get too crazy :)
- [11/25/2014 11:41:20 AM] kevinalbano: i'll be down there if that's okay; need to break bread w/ those guys
- [11/25/2014 11:42:19 AM] Marshall Heilman: of course
- [11/25/2014 11:44:13 AM] Marshall Heilman: [Tuesday, November 25, 2014 11:43 AM] Willi Ballenthin:
- <<< it looks like it recurses through all drives, and for exe or dll files not in windir or program files, it overwrites the data
- [11/25/2014 11:45:31 AM | Edited 11:45:37 AM] Marshall Heilman: malicious service: (WinsSchMgmt) Windows Schedule Management Service
- [11/25/2014 11:45:52 AM] Marshall Heilman: from diskpartmgr16.exe:
- [11/25/2014 11:45:52 AM] Marshall Heilman: Arguments:
- -k: exe is running as a service
- -i: install and start service (WinsSchMgmt) Windows Schedule Management Service
- -s: standalone mode with no service
- [11/25/2014 12:13:59 PM] Marshall Heilman: issvr.exe: https://mta.mplex.mandiant.com/samples/e1864a55d5ccb76af4bf7a0ae16279ba/analysis
- [11/25/2014 12:27:14 PM] ernie_liu: Albano - FBI is on their way
- [11/25/2014 12:42:07 PM] *** Mike Opp added Barry V ***
- [11/25/2014 12:42:12 PM] Mike Opp: Barry will be our additional Intel support
- [11/25/2014 12:42:31 PM] Mike Opp: please add him to the SVN
- [11/25/2014 12:46:24 PM] ernie_liu: sent request for Barry
- [11/25/2014 12:52:29 PM] Mike Opp: thanks Ernie
- [11/25/2014 2:13:12 PM] Mike Opp: ok so malware names for the backdoor ideas
- [11/25/2014 2:13:14 PM | Edited 2:13:18 PM] Mike Opp: TINYFUSE
- [11/25/2014 2:13:19 PM] Mike Opp: ?
- [11/25/2014 2:13:22 PM] Mike Opp: people ok with that
- [11/25/2014 2:13:39 PM] Mike Opp: ANKLEBREAK
- [11/25/2014 2:13:39 PM] Mike Opp: ?
- [11/25/2014 2:13:47 PM] cglyer: ANKLEBITER?
- [11/25/2014 2:13:52 PM] cglyer: j/k
- [11/25/2014 2:14:05 PM] Mike Opp: SKYLARK is too close to home since thats a character in the movie....
- [11/25/2014 2:14:16 PM] Mike Opp: it doesn't pass the if this gets out in the news test to me
- [11/25/2014 2:18:28 PM] Jake Garner: ChickenNugget
- [11/25/2014 2:18:52 PM] Marshall Heilman: KimJong?
- [11/25/2014 2:18:59 PM] Jake Garner: RanchPickles
- [11/25/2014 2:19:02 PM] Mike Opp: TINYFUSE is what I'm think I'm going with for the backdoor
- [11/25/2014 2:19:07 PM] Mike Opp: people cool with that?
- [11/25/2014 2:20:29 PM] Mike Opp: so far the first system that reached out to any of the external IPs for the malware was internal IP 172.21.40.163
- [11/25/2014 2:20:48 PM] Mike Opp: probably need to see if thats a workstation or proxy...but its two octets away from the UK box hardcoded in the malware
- [11/25/2014 2:40:58 PM] Mike Opp: Barry made unc502 to track this under for now
- [11/25/2014 2:51:51 PM] ernie_liu: Looking at the Nitro logs, top 6 talkers to those bad IPs:
- IP -- Sum of Bytes_Sent -- Sum of Bytes_Received
- 172.26.126.10 223062 138630
- 172.21.216.2 130790 81412
- 172.23.144.106 86336 53628
- 172.21.40.163 17488 10738
- 172.27.60.67 7822 4988
- 208.84.227.215 7406 4770
- [11/25/2014 3:01:31 PM] Barry V: we have any pcap?
- [11/25/2014 3:01:34 PM] Barry V: guessing no
- [11/25/2014 3:02:45 PM] Mike Opp: no
- [11/25/2014 3:03:00 PM] Mike Opp: no pcaps only some log data based on request we are sending to the team in VA
- [11/25/2014 3:03:11 PM] Mike Opp: they are heading here tmw so we should get logs quicker at that point
- [11/25/2014 3:18:10 PM | Edited 3:18:31 PM] Barry V: L1s inbound
- [11/25/2014 3:18:21 PM] *** Barry V sent D1C27EE7CE18675974EDF42D4EEA25C6.txt 760C35A80D758F032D02CF4DB12D3E55.txt E1864A55D5CCB76AF4BF7A0AE16279BA.txt ***
- [11/25/2014 3:21:47 PM] Manny: guys on site. whats the address?
- [11/25/2014 3:22:54 PM] Will Matson: 10000 W Washington Blvd
- Los Angeles, CA
- [11/25/2014 3:23:24 PM] Will Matson: Underground parking is on Madison. Valet car, take elevator up to street level. Call me when you get here. Ill come get you
- [11/25/2014 3:23:57 PM] Manny: thx
- [11/25/2014 3:24:09 PM] Barry V: for iisvr.exe - uploading the decoded resources right now. Heres a taste -
- <html>
- <head>
- <title> Hacked By #GOP </title>
- <meta name="Author" content="#GOP">
- <meta name="Keywords" content="#GOP">
- <meta name="Description" content="Hacked By #GOP">
- </head>
- <body bgcolor="#000000">
- <bgsound src="index.wav" loop=infinite>
- [11/25/2014 3:27:33 PM] Barry V: nm they are already in MTA
- [11/25/2014 3:40:51 PM] ernie_liu: also Barry
- [11/25/2014 3:41:14 PM] ernie_liu: any registrant info on the domains in the splash screen that were hosting the zips?
- [11/25/2014 3:41:21 PM] Barry V: looking now
- [11/25/2014 3:41:31 PM] Barry V: but I bet they are all hijacked/decoys
- [11/25/2014 3:41:42 PM] ernie_liu: ya
- [11/25/2014 3:41:57 PM] ernie_liu: there was a suspicious email from dfrank1973.david@gmail.com
- [11/25/2014 3:42:00 PM] ernie_liu: dunno if related
- [11/25/2014 3:42:06 PM] ernie_liu: but could also be lead on registrant info
- [11/25/2014 3:42:13 PM] Barry V: yeah ill dig around
- [11/25/2014 3:45:01 PM | Edited 3:45:11 PM] Mike Opp: just talked to GCIRT they are going to work on the additional NITRO queries now
- [11/25/2014 3:59:44 PM] Barry V: yeah two of the domains are owned by Sony
- [11/25/2014 3:59:50 PM] Barry V: rest look like they got popped
- [11/25/2014 4:00:04 PM] Barry V: that Brazilian one is named like a Moodle instance
- [11/25/2014 4:00:08 PM] Barry V: so almost definitely popped
- [11/25/2014 4:07:12 PM] ernie_liu: so iissvr.exe pulls the splash page and wav file from its own resources, ya?
- [11/25/2014 4:07:20 PM] Barry V: yep
- [11/25/2014 4:07:36 PM] ernie_liu: the PE time stamp of iisvr.exe is 2014-11-13T02:05:35Z
- [11/25/2014 4:08:12 PM] ernie_liu: so either the timestamp was altered/not changed or those Sony owned sites hosting the data were popped as early as 2014-11-13T02:05:35Z
- [11/25/2014 4:08:38 PM] Barry V: well the PE on the dropper is 2014 11 22 00:06:54 : pe:compiled
- [11/25/2014 4:08:48 PM] ernie_liu: right
- [11/25/2014 4:08:54 PM] Barry V: so its possible the packaged up the defacement piece ahead of time?
- [11/25/2014 4:09:33 PM] ernie_liu: ya - that is why i was confirming the html/wav was pulled from iissver
- [11/25/2014 4:10:48 PM] Barry V: agh I see what you are saying - duh yeah they had to have had control of those servers since the 13th if they added those links to the resources
- [11/25/2014 4:10:58 PM] ernie_liu: ^ yup
- [11/25/2014 4:10:59 PM] Mike Opp: (nod)
- [11/25/2014 4:11:44 PM] ernie_liu: so those pwned sony domains could have more evidence
- [11/25/2014 4:11:53 PM] ernie_liu: did we ask for those already?
- [11/25/2014 4:12:22 PM] Mike Opp: those were two that Marshall asked for i believe
- [11/25/2014 4:38:21 PM] Barry V: TINYFUSE for the wiper, COUNTRYCROCK for the spreader/dropper
- [11/25/2014 4:38:25 PM] Barry V: any objections?
- [11/25/2014 4:39:30 PM] Mike Opp: just want to know why countrycrock?
- [11/25/2014 4:39:45 PM] Barry V: it spreads like butter
- [11/25/2014 4:39:55 PM] Barry V: the Darkseoul ones were called spread.exe
- [11/25/2014 4:40:21 PM | Edited 4:40:27 PM] Barry V: but obv can call it whatever
- [11/25/2014 4:40:29 PM] Mike Opp: i mean i can't believe its not butter
- [11/25/2014 4:45:49 PM] Will Matson: I passed these to Opp. Doesnt seem that we have any intel on them. But Im running searches against one of the images right now.
- \\%s%s\%s%s %scmd.exe /q /c net share shared$ /delete\\%s\admin$\syswow64\\%s\admin$\system32cmd.exe /q /c net share shared$=%SystemRoot%cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL\\%s\shared$\syswow64\\%s\shared$\system32\\%s\admin$RasSecruity%s%dRasMgrpcalc.exe212.31.102.10058.185.154.99200.87.126.116|igfxtrayex.exe%s|%s|%d %d.%d.%d.%dcmd.exe
- 212.31.102.100
- 58.185.154.99
- 200.87.126.116
- [11/25/2014 5:01:25 PM] Barry V: memory strings?
- [11/25/2014 5:01:50 PM] Will Matson: probably. This image was hit by the malware, so there is no file system structure
- [11/25/2014 5:23:05 PM] ernie_liu: @Marshall: http://www.sonyrumors.net/2014/11/24/sony-mobiles-backup-restore-app-hacked-despite-reports/
- [11/25/2014 5:24:41 PM] Barry V: [11/25/14, 5:24:23 PM] Barry V: misleading headline
- [11/25/14, 5:24:26 PM] Barry V: fake app
- [11/25/14, 5:24:27 PM] Barry V: boo
- [11/25/14, 5:24:29 PM] Barry V: -100
- [11/25/2014 5:25:16 PM] Barry V: It seems some Indian developer (Nirav Patel, though I’m sure that’s not their real name) has spoofed Sony’s design and created a fake app to make it look like Sony’s official app has been hacked. From there, the developer used Sony’s signature (com.sonymobile.synchub) and placed it within their app to make it appear as if it’s a preinstalled app. Unfortunately due to Google’s lax policies, the app was able to make it to the Google Play store front and be downloaded. For those who mistook the app to be real and downloaded it, there appears to be little repercussion as the app shows a package error.
- [11/25/2014 5:25:34 PM | Edited 5:25:43 PM] Barry V: TLDR - spoofed app was available on the Google Play store
- [11/25/2014 5:25:56 PM] ernie_liu: ya - we had one of the senior guys in the room asking about phone stuff
- [11/25/2014 5:26:13 PM] Barry V: according to the article its been taken down already
- [11/25/2014 5:27:07 PM | Edited 5:27:18 PM] Barry V: Hows it going over there?
- [11/25/2014 5:27:11 PM] Barry V: spirits low?
- [11/25/2014 5:29:04 PM] Mike Opp: we are the only ones in the room here....
- [11/25/2014 5:29:08 PM] Mike Opp: if that tells you anything
- [11/25/2014 5:29:11 PM] Barry V: ouch
- [11/25/2014 5:29:15 PM] Barry V: they all go home?
- [11/25/2014 5:29:22 PM] Barry V: or did they all quit
- [11/25/2014 5:29:51 PM] Marshall Heilman: fired
- [11/25/2014 5:30:35 PM] Mike Opp: @MATSON - DARK SEOUL MALWARE
- Dropper1 9263e40d9823aecf9388b64de34eae54
- Dropper2 b80153b66fdaafedfc0a65bcb940687d
- Each dropper spawned 2 wipers, leaving us with 4 different wipers:
- Wiper1: 5fcd6e1dace6b0599429d913850f0364
- Wiper2: 530c95eccdbd1416bf2655412e3dddbe
- Wiper3: db4bbdc36a78a8807ad9b15a562515c4
- Wiper4: 0a8032cd6b4a710b1771a080fa09fb87
- [11/25/2014 5:31:10 PM] Mike Opp: report on the linux malware
- [11/25/2014 5:31:12 PM] Mike Opp: http://www.symantec.com/connect/blogs/remote-linux-wiper-found-south-korean-cyber-attack
- [11/25/2014 6:42:02 PM] Mike Opp: older malware from June 2013 that has the RasSecruity & RasMgrp string + service name
- [11/25/2014 6:42:04 PM] Mike Opp: 555668efc483813d2aca11ae3fa1a451
- a6e06dbd6c877e6973419927626942b1
- [11/25/2014 7:01:59 PM] ernie_liu: @Matson - DMIPLAEWH36
- [11/25/2014 7:02:43 PM] ernie_liu: from the splash screen "http://dmiplaewh36.spe.sony[.]com/SPEData.zip"
- [11/25/2014 7:09:55 PM] Marshall Heilman: shutdown -r -t 0
- [11/25/2014 9:59:18 PM] Mike Opp: https://www.youtube.com/watch?v=V7ltuDNEJuc
- [11/25/2014 9:59:26 PM] Mike Opp: might be relevant if you have 40 min to listen.....
- [11/25/2014 10:00:44 PM] Mike Opp: Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND
- On March 20th, 2013, shortly after 2PM, several South Korean financial institutions and TV networks were impacted by unknown malware, which wiped all the data off their computer hard drives before force-rebooting them, thereby sending them into limbo.
- That coordinated meltdown was due to several dormant viruses, later deemed "Wiper", pre-set by their makers to wake up at 2pm. Much was speculated regarding how those were planted in the targeted networks in the first place. In this paper, we lift the lid on the initial infection vector: The targeted infrastructures were running a security management server, to coordinate patching policies across the corporate network from a central point. We demonstrate how the attackers compromised this server, and made it dispatch malicious updates to the computers under its rule.
- We then examine several samples of Wiper used in the attack, and go through the relationships between them; at this point, we show that based on some distinctive characteristics, and the coding style of their author(s), they have ties to other APT cases, some of which we could trace back to 2009.
- [11/25/2014 10:01:14 PM] ernie_liu: http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in
- [11/25/2014 10:02:06 PM] ernie_liu: "The hackers claim to have taken sensitive internal data from Sony. In the email, a hacker who identified as "lena" was vague about how the attack was carried out. "Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in," lena writes. "Im sorry I can't say more, safety for our team is important [sic]." The phrasing is ambiguous, but it suggests that the hackers, if not colleagues of the hackers, claim to be employed by Sony in some fashion."
- [11/25/2014 10:03:21 PM] Mike Opp: or are being held captive in a basement in Kim Jong Uns basement
- [11/25/2014 10:05:06 PM] ernie_liu: Franco!!
- [11/25/2014 10:05:37 PM] ernie_liu: Best publicity/marketing job ever
- [11/25/2014 10:06:21 PM] Will Matson: if this turns out to be a marketing scam for The Interview..
- [11/25/2014 10:07:46 PM] Mike Opp: I actually think this is a false flag campaign.... its actually the Canadians. They are tired of America taking all their stars....Jim Carey, Seth Rogen, Justin Bieber, Jenny McCarthy, and the list goes on
- [7:12:41 AM] Marshall Heilman: gents, bad news. the VSYS-1 (sp?) system we've been seeing is a virtual instance of a Palo Alto. If there was a second virtual instance, it would be called VSYS-2, etc.
- [7:48:37 AM] Marshall Heilman: gents, ignore the email request to sync data. That was premature. We're trying to fix the process of sharing information so that one person from Mandiant (likely me) shares data with a single POC at SPE, that then distributes as necessary.
- [7:56:22 AM] Marshall Heilman: @Will, Manny - please drop in here which systems you are starting to analyze
- [7:56:36 AM] Marshall Heilman: also, if we can, lets get Jake working on the linux image we have
- [7:59:03 AM] Marshall Heilman: we're now having calls twice daily - 7 AM and 2 PM, fyi
- [7:59:21 AM] Marshall Heilman: I'm going to try and get the dial-in info so we can dial-in remotely if necessary
- [8:05:46 AM] Mike Opp: @Marshall - How you want to handle the email from Leon?
- [8:05:56 AM | Edited 8:06:01 AM] Mike Opp: will we just share the SOD with them?
- [8:06:40 AM] Mike Opp: Also the NITRO runs aren't exactly what we needed and its hard to tell if thats due to the logs available or because of the way they queried for them......I am going to follow up on that this morning
- [8:17:11 AM] Marshall Heilman: side note - you saw my posting about VSYS, right?
- [8:17:22 AM] Marshall Heilman: there is definitely something screwy about their logs which we're going to need to solve today
- [8:28:03 AM] Marshall Heilman: @Manny, Will, Jake - when performing forensic analysis lets look at scheduled task logs specifically.
- [8:28:42 AM] Marshall Heilman: The way the malware operates is that it runs once, combs through the list of configured systems for it to hit, then exits. So what we're hearing about users logging on and immediately becoming infected doesn't jive with the malware functionality.
- [8:29:34 AM] Marshall Heilman: so either 1) GPOs were used to push some malware 2) scheduled tasks were created to frequently run the malware 3) the attacker ran the malware manually multiple times, or 4) the timing was just coincidental and did not happen as we're being led to believe.
- [8:30:00 AM] Marshall Heilman: also, no one on the phone this morning seemed to know anything about the "kernel-level module loading of index.wav files on Solaris systems"
- [8:30:13 AM] Marshall Heilman: so I think that is going to be a dead end until we look at the Solaris system we've been promised
- [8:30:45 AM] Marshall Heilman: Please make sure we drop all new indicators into the chat with the gsirt team so they are kept up to date. They are supposed to do the same with us
- [8:31:28 AM] Marshall Heilman: and on a whiny note. For whatever reason they didn't bring breakfast in today.... And I decided to skip breakfast relying on them having something :(
- [8:31:42 AM] kevinalbano: they're keeping you on your diet
- [8:32:37 AM] Marshall Heilman: I didn't ask them to do that for me
- [8:48:10 AM] Will Matson: @Marshall, idk if this was one of your items you were trying to remember last night, but we definitely wanted to speak with the guy who was a victim of the wire transfer fraud - to get a timeline of his password change and wire transfers. He never came by yesterday
- [8:49:03 AM] Marshall Heilman: SPE decided to image his Mac and will analyze it themselves for now
- [8:49:43 AM] Marshall Heilman: btw - we did not talk about NTAP or Redline. The timing wasn't right. Apparently they are going to be implementing something called "Paradigm" as network sensors. They are working on it right now. I want to find out more about this device before we push our own agenda.
- [8:55:55 AM] Mike Opp: @Marshall -
- Just another note of NTAP vs. BRO - if we deploy our own NTAP sensors it would have been able to see the internal SMB traffic related to this which would have led to a faster investigation. That could potentially be good for once they connect back incase there are additional systems trying to spread
- [8:57:03 AM] Mike Opp: another benefit would be the net flow plus our own HTTP logs that are trustworthy
- [9:13:00 AM] Mike Opp: Going through the NITRO results for the externals that Will obtained from forensics....that traffic all starts at 1500 GMT on the 24th lining up with the other activity.
- [9:14:06 AM] Mike Opp: but the traffic continued past the point of when they took down the network which is a bit confusing from these results
- [9:14:29 AM] Mike Opp: 11/25/14 5:05 < last allowed connection time stamp to 200.87.126.116
- [9:21:37 AM] Mike Opp: it is like that for all the 3 IPs Matson found yesterday
- [9:21:46 AM] Mike Opp: ill combine into one sheet to analyze
- [9:37:39 AM] Mike Opp: @Marshall - was there an update if they obtained the hostname UKLONEXT-XMSGV ?
- [9:38:22 AM] ernie_liu: hold on Opp
- [9:38:33 AM] Mike Opp: thx Ernie
- [9:44:45 AM] ernie_liu: UKLONEXT-MSGV has been imaged by UK team
- [9:44:58 AM] ernie_liu: they are loading to the GSIRT(?) lab in UK
- [9:45:12 AM] ernie_liu: once it is loaded, I have asked them to fedex the image copy
- [9:45:25 AM] ernie_liu: they will be running the keywords we provided on the image
- [9:46:03 AM] ernie_liu: the labs dont talk to each other so we cant drive from this SPE lab
- [9:46:26 AM] ernie_liu: so we may need to send the UK team carving scripts or anything that can run while we wait for the shipment
- [9:47:01 AM] ernie_liu: they are running the keywords and will provide us the csv of hits. I told them that may be too huge anyway so we'll see
- [9:48:33 AM] ernie_liu: @Opp - did you ever get a reply from 'vikspe@gmail.com' on the IP lookup email I sent?
- [9:48:40 AM] ernie_liu: he says he replied but I dont see it
- [9:48:47 AM] Mike Opp: i never got that...
- [9:48:52 AM] ernie_liu: that could help us with the vsys1 problem
- [9:57:52 AM] ernie_liu: [8:28 AM] Marshall Heilman:
- <<< The way the malware operates is that it runs once, combs through the list of configured systems for it to hit, then exits. So what we're hearing about users logging on and immediately becoming infected doesn't jive with the malware functionality. So maybe it is a timing thing because the malware keeps copying itself when it successfully connects, right. And the list of targets is hardcoded so every infected machine would be trying every other infected machine (in its list). So once a user logs on/powers-on, now that system is available to be pwned
- [10:04:51 AM] Marshall Heilman: that is certainly a possibility
- [10:05:10 AM] Marshall Heilman: another thing we can do is write an good keyword to search for data contained within net_ver.dat
- [10:05:42 AM] Marshall Heilman: I couldn't find anything that stated the net_ver.dat files were overwritten, so it's possible that one of those files exists on every compromised system, along with the status (success or failed)
- [10:05:45 AM] Marshall Heilman: thoughts on this approach?
- [10:10:57 AM] ernie_liu: ya - could be good
- [10:12:12 AM] ernie_liu: good idea - the net_ver format should be consistent across (be hostname | IP | [1,2] | newline or whatever)
- [10:18:07 AM] ernie_liu: Just FYI so we can keep on radar: I am having them (David) check to see if they can access the McAffee management console in case McAfee got the malware thru an automatic detection/upload
- [10:18:38 AM] Marshall Heilman: good call
- [10:19:20 AM] Barry V: do we know specifically which MD5s Mcafee flagged on?
- [10:20:09 AM] ernie_liu: i dont think so. Unless it is contained in the extra.dat
- [10:22:57 AM] Mike Opp: i didn't see it in the extra.dat file
- [10:23:23 AM] Mike Opp: just know it hit on sig "Trojan-FFIP"
- [10:28:16 AM] ernie_liu: you gotta use a McAffee instance to load the extra.dat
- [10:28:35 AM] ernie_liu: (or a tool to do the same)
- [10:29:00 AM] ernie_liu: dunno if they normally have the hash/sig info anyway or if it goes back out to Mcafee to get it if it is a corp instance
- [10:33:58 AM] Will Matson: working thru DMIPLAEWH36
- "At1.job" (wininit.exe)
- Started 11/24/2014 6:11:00 AM
- "At1.job" (wininit.exe)
- Finished 11/24/2014 6:18:55 AM
- Result: The task completed with an exit code of (o).
- [10:34:48 AM] ernie_liu: nice
- [10:34:49 AM | Removed 10:36:21 AM] Will Matson: This message has been removed.
- [10:35:15 AM | Edited 10:35:35 AM] ernie_liu: when is that AT job when converted to UTC?
- [10:35:54 AM] Will Matson: 11/24/2014 14:11:00
- [10:36:16 AM] Will Matson: err. wait. Sorry let me correct what I just said
- [10:37:04 AM] Will Matson: The job starts roughly 7 minutes before the last written time to SPEData.zip. And runs for approx. 8 min
- [10:37:29 AM] Will Matson: SPEData.zip was created 6 hours prior (which I think is our earliest definitive time right now)
- [10:37:41 AM] Will Matson: 11/24/2014 08:38:57 Created E:/Apache24/htdocs/SPEData.zip
- [10:37:58 AM] Will Matson: 11/24/2014 14:11:00 Started "At1.job" (wininit.exe)
- [10:38:16 AM] Will Matson: 11/24/2014 14:18:08 Entry Modified E:/Apache24/htdocs/SPEData.zip
- [10:38:27 AM] Will Matson: 11/24/2014 14:18:55 Finished "At1.job" (wininit.exe)
- [10:41:43 AM] ernie_liu: so they had what they wanted then released the wiper malware - makes sense
- [10:42:17 AM] ernie_liu: and kind a goes back to what i was saying about the PE date time of iisvr.exe: 11/13/2014 2:05:35 AM
- [10:43:24 AM] ernie_liu: if that date is accurate, and iisvr.exe lists your server in its html resource for the splash screen then they owned that system at least as early as 11/13
- [10:50:31 AM] Will Matson: It looks like they may have tampered with the Security event logs (conjecture), but 0 entries load in Event Log Explorer and Native Windows says its corrupt. Backup log only covers up til Nov 22
- [10:53:08 AM] Will Matson: 11/13/2014 01:58:06
- Type 3 logon from 208.84.227.224
- [10:53:17 AM] Will Matson: @intel ^^
- [10:53:24 AM] Barry V: yerp
- [10:53:35 AM] Marshall Heilman: that is an SPE IP
- [10:53:37 AM] Marshall Heilman: :(
- [10:53:45 AM] Will Matson: boo
- [10:53:52 AM] Barry V: yeah - Ventura CA
- [10:53:57 AM] Marshall Heilman: and we can't guarantee that it is an external IP either, the way things are here
- [10:54:09 AM] Marshall Heilman: but we should definitely ask them to chase that down
- [10:54:40 AM] Barry V: do you guys have their whole IP space? - they have a whole AS so I can try to get all the net blocks assigned to it if you need it
- [10:55:00 AM] Will Matson: ehh, looks like that IP logs in a lot
- [10:58:03 AM] Mike Opp: we don't have their whole IP space
- [10:58:16 AM] Mike Opp: we have some ranges figured out but their NAT'ing is weird on certain ranges
- [10:58:42 AM] *** Marshall Heilman added Chris DiGiamo ***
- [10:58:54 AM] Marshall Heilman: Deeg is going to help w/ the forensic analysis as well
- [10:59:00 AM] Marshall Heilman: @Matson - please hook him up
- [10:59:07 AM] Marshall Heilman: @Ernie - can you bring Deeg up to speed?
- [10:59:08 AM] Chris DiGiamo: :)
- [11:01:42 AM] Mike Opp: (wave)
- [11:12:00 AM] ernie_liu: @Marshall - can't talk to Deeg just yet. talking w these guys and we may be getting more malware. hopefully not the same one we keep getting. And prob not the mcaffee one
- [11:12:15 AM] ernie_liu: @Barry - is it too late to get joycebot in here?
- [11:12:16 AM] Marshall Heilman: ok
- [11:12:19 AM] Marshall Heilman: moar malware is always good
- [11:12:31 AM] Mike Opp: it is because the chat rooms with the bot are pre set up
- [11:12:38 AM] Mike Opp: we would have to move the entire chat into a new room to do that
- [11:12:47 AM] Mike Opp: if you want to do that we can... its up to you guys
- [11:12:54 AM] Chris DiGiamo: we'll have to do with albanobot
- [11:13:08 AM] Mike Opp: @Albanobot drink (beer)
- [11:13:32 AM] Barry V: yeah - I can set up a new room with the bot - now might be the best time since Deeg just got added
- [11:14:01 AM] Chris DiGiamo: (heidy)
- [11:16:56 AM] Will Matson: so long as we can blame Deeg for moving the chat and not use him as a good excuse, I'm okay with it
- [11:17:07 AM] Mike Opp: setting it up now
- [11:20:33 AM | Edited 11:20:59 AM] Barry V: following net blocks are assigned to AS19419 (Sony Pictures Entertainment)
- 173.251.240.0/21 Sony Pictures Entertainment Inc 2,048
- 173.251.240.0/24 Sony Pictures Entertainment Inc 256
- 173.251.248.0/22 Sony Pictures Entertainment Inc 1,024
- 185.64.36.0/22 Columbia Pictures Corporation 1,024
- 208.84.224.0/22 Sony Pictures Entertainment Inc 1,024
- 208.84.224.0/23 Sony Pictures Entertainment Inc 512
- 208.84.227.0/24 Sony Pictures Entertainment Inc 256
- [11:21:19 AM] Mike Opp: also that weird 43.130.141.0/24 range
- [11:21:55 AM] Barry V: Japanese network
- [11:22:01 AM] Barry V: let me see what I can get there
- [11:22:28 AM] Mike Opp: it's weird bc the hosts for this are in SD
- [11:22:35 AM] Mike Opp: and the NAT is weird for it
- [11:22:45 AM] Barry V: sounds like their NAT is all public IPs
- [11:22:48 AM] Mike Opp: yep....
- [11:22:56 AM] Barry V: we saw that in the Japanese network for 17 stuff too
- [11:23:06 AM] Mike Opp: yep but not SPE
- [11:23:11 AM | Edited 11:23:19 AM] Mike Opp: it was electronics i believe
- [11:24:30 AM] Barry V: do we know how inter-connected the networks are?
- [11:24:44 AM] Mike Opp: not atm
- [11:26:50 AM] Marshall Heilman: @Ernie - I'm expecting Courtney to drop off the contract sometime soon
- [11:26:55 AM] Marshall Heilman: please let me know once you have it
- [11:38:06 AM] Mike Opp: chat set up with Bot
- [11:38:11 AM] Mike Opp: i think i got everyone in it
- [11:50:39 AM] ernie_liu: @Marshall - some lady came by looking for you. She wouldn't tell me what it was nor would she give me the papers. I must look shady. But was probably the contract