Posts Tagged attack

STALKER HELL Ex-boyfriend spied on lover by hiding secret cameras and listening devices in her home

Wayne Bamford, 47, was told he faces a ‘significant custodial sentence’ because of the risks he poses to women

By Robin Perrie

JEALOUS Wayne Bamford is facing jail after he placed covert listening devices in his ex-partner’s bedroom during a stalking campaign.

Bamford, 47, refused to accept their relationship was over after Joanna Dawson ended it and launched a “highly sophisticated” covert operation to keep tabs on her.

He was able to phone in to the devices which then provided a live feed so he could hear what was going on in her bedroom.

Over a period of 15 days he connected to the devices 1,600 times, a court heard.

But the surveillance op was foiled when mum-of-one Joanne sought advice from a spy shop after suspecting he might have bugged her home.

He was told he faces a “significant custodial sentence” because of the risks he poses to women.

His case was heard on the same day that Corrie Star Kym Marsh backed our Stop a Stalker campaign.

Kym, who has twice been targeted, urged readers to sign our petition backing an MP’s bid to increase police power to combat stalkers.

Bamford and Joanne began a relationship in May 2016 and started an accident management business together six months later.

But their relationship quickly turned sour and ended in January 2017.

Prosecutor Anthony Moore told Bradford crown court that Joanne’s suspicions were raised when Bamford appeared to comment on her movements.

She became even more concerned when she contacted a locksmith to boost security and Bamford texted her saying: “There is no need to change your locks”.

She visited a spy shop for advice and was told what to look for. She returned home and found a listening device in her bedroom.

Joanne told the court: “He played me a recording in my own house and told me he had paid someone to place a device on the outside of my house which I did not believe.

“I went to a spy shop in Leeds and asked them, ‘if I wanted to bug someone’s house what do you do?’

“He told me what to look for.”

She later found a second device hidden behind a TV in her bedroom and Bamford, of Gildersome, near Leeds, was arrested.

Bamford admitted stalking causing serious alarm or distress but a trial of issue was held yesterday after the prosecution and defence could not agree on the basis of his guilty plea.

He claimed to have fitted only one of the listening devices and said she had fitted the other to keep tabs on another ex.

But the judge, Recorder Anthony Hawks, said: “I find the complainant entirely plausible.

“I find the defendant evasive and dishonest. I totally reject his account that the complainant was responsible.

“I’m very concerned about the risk you may present to people. You were prepared to engage in a highly sophisticated way to stalk that woman.

Why Do Ordinary People Commit Acts of Espionage?

Political ideology and money serve as motivators for some people to commit acts of espionage, but they’re not the only factors involved.

By Jerad W. ALEXANDER

In mid-July, 2018, Mariia Butina, a 29-year-old assistant to the Russian central bank and long-time Vladimir Putin ally Alexander Torshin, was arrested in Washington, D.C., on a charge of “conspiracy to act as an agent of a foreign government,” according to the U.S. Justice Department. Per the affidavit, Butina was allegedly involved in an operation led by officials within the Russian government to infiltrate the Republican party, including members of the Trump campaign, and the National Rifle Association, for the purposes of aligning right-wing political interests with similar interests in Russia. Butina’s actions dovetailed with continued efforts by Russian operatives to commit cyber espionage to influence U.S. elections.

According to the affidavit, two American citizens provided Butina intelligence and guidance on her efforts in the United States.

MI5, the intelligence agency of the United Kingdom, defines espionage as “the process of obtaining information that is not normally publicly available, using human sources (agents) or technical means (like hacking into computer systems). It may also involve seeking to influence decision-makers and opinion-formers to benefit the interests of a foreign power.” As Butina and countless others throughout history, such as spies like Julius and Ethel Rosenberg, have discovered, espionage is a dangerous game, one that can lead to imprisonment or even death. What motivates people to commit acts of espionage is as important as the ramifications of their actions.

Naturally, simple ideology serves as a motivator to commit espionage, but it’s not the singular cause. According to a Spring 2016 article of The Intelligencer: Journal of U.S. Intelligence Studies, ideology “is adopted by an individual to the degree that it reflects the individual’s ego. In that sense, an ideology is like another motivation – money – in that it serves as a vehicle for the individual to express a personal value or belief; an ideology is chosen in order to confirm conscious or unconscious beliefs the individual has already internalized. In the case of espionage, a particular ideology may serve as either the actual motivation for a spy to breach the trust placed in them or simply as a means of rationalizing that behavior.”

A Combination of Factors

Three concurrent elements need to exist within an individual to make them prone to acts of espionage — a personality dysfunction, personal crisis and opportunity.

According to Dr. Ursula Wilder, a clinical psychologist with the Central Intelligence Agency, four personality elements are essential to the entry into espionage: psychopathy, narcissism, immaturity, and grandiosity.

“A psychopathic person is a person whose approach to reality is ruthless and cold,” she stated in an interview at the International Spy Museum in Washington, D.C. “They have no conscience, or they have very limited capacity to feel guilt. So, their whole approach to life is predatory. They’re excitement seeking. They love to con people. It’s a game. This is all they can do to connect with other human beings. So that kind of person will commit espionage either flat-out for self-interest or because it’s fun, or both.”

“The next is narcissism,” she explained. “A narcissistic person is fundamentally ego-centric. They can only experience the world with themselves at the center. They are very much needy for and will provoke circumstances that will permit them to be at the center of attention. They believe that what they need, want and desire is the truth. They will get greedy for attention. That kind of person will commit espionage as a grab for fame. Someone like that will commit espionage because it makes them feel big and important.”

Regarding immaturity, Wilder explained an individual prone to commit acts of espionage (in comparison to a professional intelligence agent), either for or against their nation, is “an adult who can only function as an adolescent. These people live their lives in a blend of fact and fantasy. They do have a conscience, they can feel deep guilt afterwards, but fantasy is much more real to them than it is to adults who are grounded to reality, so to them committing espionage is a bit of a game, a fantasy, and online they have this illusion that if they do it online, if they just turn off the machine it goes away. They have a fantasy about the implications of their actions, and although on some level they might grasp the reality of it, it’s not real to them. The grandiosity applies to all three.”

An individual must be up against some form of personal crisis that produces distress. According to a paper released by the CIA titled “Why Spy?”, a survey of agency employees “identified emotional instability related to ambition, anger leading to a need for revenge, feelings of being unrecognized and unrewarded, and loneliness as the top vulnerabilities on the road to espionage. They ranked such problem behaviors as drug abuse and illicit sex as second, and various mental crises or stresses brought on by debt, work issues, or psychological factors such as depression as third.” Regarding opportunity, access matters. An individual must have access to sensitive information of some caliber that could be of use to a foreign power. All three combined — the personality, the crises, and the access — serve as fertile soil for acts of espionage.

It’s important to make the distinction between ordinary people who commit espionage and individuals who join intelligence services.

“People who join the intel community spent years preparing themselves — school, applying, screening — there’s a huge amount of drive and ambition, identification, pride,” says Dr. David L. Charney, a psychiatrist with the National Office of Intelligence Reconciliation, known as NOIR, a nonprofit dedicated to educating the intelligence community on the management of insider threats. This would include people with access to sensitive information who flip, such as Edward Snowden or Reality Winner. “They’re not coming in to be spies; they join for loftier reasons. The question is what makes a person go bad. That’s when you have to get more psychological.”

According to Charney, at the core of espionage can be an intolerable sense of personal failure, and not necessarily a shifting ideology. “Going back to the ideological spies of the 1930s and ’40s, we run across people all the time who you know have personal demons that are driving them, but they wrapped their demons into the current issue of the day to give it a higher-minded packaging. Any time you try to understand you have to dig a little deeper.”

Navy veteran raped schoolgirl and planted hidden camera

Scott Forbes plied a 14-year-old girl with alcohol during sex attacks in Edinburgh.

A former serviceman raped a schoolgirl and sexually assaulted another underage girl 

By STV

Scott Forbes also placed a hidden camera in another victim’s bedroom and recorded footage of her while she was naked and getting dressed.

Jailing him for nine years on Monday, a judge told Forbes, 49, that the corrosive effect of his behavior on victims was “incalculable”.

Lord Woolman said: “You have altered the course of their lives.”

Forbes, formerly of Firrhill Park, in Edinburgh, was convicted of five offences committed between 2009 and May last year, including rape, sexual assault and possessing and making indecent images of children.

He locked a 14-year-old in a house in Edinburgh and made sexual remarks to the child and molested and raped her and photographed her naked body.

He also plied another 14-year-old with drink, showed her pornography, molested her and took pictures of her naked body while she was intoxicated at an address in Edinburgh in May last year.

Forbes was also found to have set up equipment at a house in Bonnyrigg, in Midlothian, to covertly shoot and record footage of a third victim in April last year.

Lord Woolman also ordered at the High Court in Edinburgh that the Royal Navy veteran should be kept under supervision for an extra four years after his release.

The judge said he had “narrowly” decided against calling for a full risk-assessment report, which can lead to the making of an Order for Lifelong Restriction.

He told Forbes he was prepared to treat him as a first offender and noted that he had medical problems which have prevented him working for the last eight years.

Defence counsel David Nicholson said Forbes continued to deny the serious sexual offending.

Mr Nicholson said Forbes had been on long term sick leave following a variety of health problems.

He told the court that Forbes has a neurological condition and was previously diagnosed with post traumatic stress disorder.

The defence counsel said that arose primarily from Forbes’ service when he was stationed in Iraq and the Arabian gulf.

He added: “He is not somebody with any difficulty with drugs or alcohol.”

Following the sentencing, police praised victims who came forward to give evidence against Forbes.

Detective Sergeant Jonny Wright, of Edinburgh’s Public Protection Unit, said: “Scott Forbes is a devious individual who took advantage of each of the victims’ trust.

“I want to commend their bravery in coming forward, which has led to Forbes’ conviction.

“I would also like to reassure any victims of sexual crime that there is no time limit to reporting offences and we will always investigate.”

Police Scotland added: “Anyone with information about sexual offences can contact Police Scotland on 101, or report this anonymously to the independent charity Crimestoppers on 0800 555 111.”

Are millennials keeping their data safe?

Norton reports one in three millennials use the same password for all accounts; 53 percent have shared passwords with friends or family.

By DECCAN CHRONICLE

While millennials are highly aware of the latest trends in technology and gadgets, it is alarming to see how poorly that knowledge translates into practice, making them easy prey for hackers. According to the Norton Cybersecurity Insights Report, one in three millennials use the same password for all accounts, and approximately 53 percent of millennials have shared desktop passwords with friends or family members. These habits seem to have left millennials in a vulnerable position and a common target of cybercrime.

“Despite a steady stream of cybercrime sprees reported by media, millennials appear to feel invincible and skip taking even basic precautions to protect themselves,” said Ritesh Chopra, Director, Norton business for India.  “This disconnect highlights the need for consumer cyber safety and the urgency for consumers to get back to basics when it comes to doing their part to prevent cybercrime.”

This International Youth Day, Norton would like to share tips on how millennials and consumers can take a few steps towards building a more secure online presence.

• Craft a strong, unique password using a phrase that consists of a string of words that are easy for you to memorize, but hard for others to guess. Don’t tie your password to publicly available information as it makes it easier for the bad guys to guess your password. The longer, the better! Additionally, if your account or device enables it, consider two-factor authentication for an extra layer of security. Finally, once you’ve created a strong password, stick with it until you’re notified of a security breach. If you feel overwhelmed, use a password manager to help!

• Using unprotected Wi-Fi can leave your personal data vulnerable to eavesdropping by strangers using the same network, so avoid anything that involves sharing your personal information when connected to an open Wi-Fi network. If you do use public Wi-Fi, consider using a Virtual Private Network (VPN) to secure your connection and help keep your information private.

• Make it a habit to change default passwords on all network-connected devices, like smart thermostats or Wi-Fi routers, during set-up. If you decide not to use Internet features on various devices, such as smart appliances, disable or protect remote access as an extra precaution. Also, protect your wireless connections with strong Wi-Fi encryption so no one can easily view the data traveling between your devices.

• Think twice before opening unsolicited messages or attachments, particularly from people you don’t know, or clicking on random links.

• Protect your devices with a robust, multi-platform security software solution to help protect against the latest threats.
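The first tip above ("a string of words", "the longer, the better", "don't tie it to publicly available information", and the one-password-for-all-accounts statistic) can be made concrete. The following is an added example, not code from Norton or the Deccan Chronicle: it generates a word-based passphrase with the `secrets` module, quantifies "the longer, the better" as entropy bits, flags passphrases that embed public facts (a pet's name, a birth year), and finds accounts that share one password. The wordlist is a constructed 24-word stand-in; a real diceware-style list has 7776 words, which is what the entropy figure in the usage note assumes.

```python
import math
import re
import secrets

# Constructed demo wordlist for this example. A real diceware-style list has
# 7776 entries; use one of those in practice (assumption, not Norton's list).
DEMO_WORDS = [
    "anchor", "bridge", "candle", "desert", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of a passphrase made of word_count uniformly random picks
    from a list of list_size words: each word contributes log2(list_size) bits."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count=6, wordlist=DEMO_WORDS, sep="-"):
    """Pick words with a CSPRNG (secrets), never random.choice, and join them."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def uses_public_info(password, public_tokens):
    """True if the password embeds something an attacker could look up:
    a name or pet from public_tokens, or any four-digit year."""
    low = password.lower()
    if any(tok.lower() in low for tok in public_tokens if len(tok) >= 3):
        return True
    return re.search(r"(19|20)\d{2}", low) is not None


def reused_accounts(vault):
    """Given {account: password}, return the groups of accounts that share
    a single password (the 'one password for all accounts' problem)."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, set()).add(account)
    return [accounts for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    print("6 words from 7776: %.1f bits" % passphrase_entropy_bits(6, 7776))
    print("Fluffy2019! uses public info:", uses_public_info("Fluffy2019!", ["Fluffy"]))
    print("reused:", reused_accounts({"mail": "pw1", "bank": "pw1", "forum": "pw2"}))
```

Six words drawn from a 7776-word list give about 77.5 bits, eight words about 103 bits; the same formula shows why a phrase drawn from a tiny list such as the demo one (24 words, about 4.6 bits per word) should not be used for real accounts.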

Man wanted for voyeurism after hidden camera found in Scarborough restaurant washroom

Hidden camera

WATCH ABOVE: Two spy cameras have been discovered inside public washrooms in two Toronto restaurant locations in the past week. Spy camera detectors can be used if you feel your privacy is in question. Tom Hayes reports.

Toronto police are looking to identify a man wanted for allegedly placing a hidden camera in a Scarborough restaurant washroom.

Police said the suspect entered the business located at Midland Avenue and Silver Star Boulevard on May 9 around 6:27 p.m. and affixed a fake wall socket with a hidden camera inside the washroom.

Authorities released a security image of the suspect on Monday.

He is described as Asian, between 25 and 40 years of age, clean-shaven, short black hair and thin-to-medium build.

He was last seen wearing a red sweatshirt/jacket with blue stripes on the sleeves, tan pants and blue shoes.

Police are also investigating a similar incident inside a Starbucks washroom at the corner of Yonge and King streets in downtown Toronto earlier this month.

In that case, police said a camera was discovered in one of the coffee shop’s two unisex bathrooms on the wall behind an electrical outlet, under the sink and facing the toilet.

Anyone with information is asked to contact police at 416-808-4200 or Crime Stoppers anonymously at 416-222-TIPS.

Source: Global News


Police: Espanola man confesses to placing camera in neighbor’s home

Johnny Chacon

ESPANOLA, N.M. (KRQE) – An Espanola man is accused of spying on his female neighbor by planting a camera in an unusual place.

The woman says she went to replace the bottle in her Glade Air Freshener when she found a hidden camera.

When police played the video showing the man who put it there, the woman says she recognized her neighbor, 67-year-old Johnny Chacon.

Police say Chacon admitted to breaking into the woman’s house and swapping out her air freshener for one with a recording device hidden inside.

The woman says she had never invited Chacon into her house and has no idea when he planted the device.

Chacon is charged with voyeurism and breaking and entering. 

Source: KRQE

Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers

goo.gl Public Analytics

• We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing.

• A number of Chinese state intelligence operations from 2009 to 2018 that were previously unconnected publicly are in fact linked to the Winnti umbrella.

• We assess with high confidence that multiple publicly reported threat actors operate with some shared goals and resources as part of the Chinese state intelligence apparatus.

• Initial attack targets are commonly software and gaming organizations in the United States, Japan, South Korea, and China. Later stage high profile targets tend to be politically motivated or high value technology organizations.

• The Winnti umbrella continues to operate highly successfully in 2018. Their tactics, techniques, and procedures (TTPs) remain consistent, though they experiment with new tooling and attack methodologies often.

• Operational security mistakes during attacks have allowed us to acquire metrics on the success of some Winnti umbrella spear phishing campaigns and identify attacker location with high confidence.

• The theft of code signing certificates is a primary objective of the Winnti umbrella’s initial attacks, with potential secondary objectives based around financial gain.

Report Summary

The purpose of this report is to make public previously unreported links that exist between a number of Chinese state intelligence operations. These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade. Based on our findings, attacks against smaller organizations operate with the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against higher value targets. Our primary telemetry consists of months to years of full fidelity network traffic captures. This dataset allowed us to investigate active compromises at multiple organizations and run detections against the historical dataset, allowing us to perform a large amount of external infrastructure analysis.

Background

The Winnti umbrella and closely associated entities have been active since at least 2009, with some reports of possible activity as early as 2007. The term “umbrella” is used in this report because current intelligence indicates that the overarching entity consists of multiple teams/actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap. We assess that the different stages of associated attacks are operated by separate teams/actors; however, in this report we will show that the lines between them are blurred and that they are all associated with the same greater entity. The Winnti and Axiom group names were created by Kaspersky Lab and Symantec, respectively, for their 2013/2014 reports on the original group. The name “Winnti” is now primarily used to refer to a custom backdoor used by groups under the umbrella. Multiple sources of public and private threat intelligence have their own names for individual teams. For example, LEAD is a common alias for the group targeting online gaming, telecom, and high tech organizations. Other aliases for related groups include BARIUM, Wicked Panda, GREF, PassCV, and others. This report details how these groups are linked together and serve a broader attacker mission. The many names associated with actors in the greater intelligence mission arise because each name is built on the telemetry of a particular intelligence provider, which is typically unique to and dependent on that provider’s dataset. This report focuses heavily on networking related telemetry.

We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus. This assessment is based on attacker TTPs, observed attack infrastructure, and links to previously published intelligence. Their operations against gaming and technology organizations are believed to be economically motivated in nature. However, based on the findings shared in this report we assess with high confidence that the actor’s primary long-term mission is politically focused. It’s important to note that not all publicly reported operations related to Chinese intelligence are tracked or linked to this group of actors. However, TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations. We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda.

In 2015 the People’s Liberation Army of China (PLA) began a major reorganization which included the creation of the Strategic Support Force (SSF / PLASSF). SSF is responsible for space, cyber, and electronic warfare missions. Some of the overlap we observed from groups could potentially be related to this reorganization. Notably, key incident details below include attacker mistakes that likely reveal the true location of some attackers as the Xicheng District of Beijing.

Tactics Techniques and Procedures (TTPs):

Though the TTPs of the attacking teams vary depending on the operation, their use of overlapping resources presents a common actor profile. Key interests during attacks often include the theft of code signing certificates, source code, and internal technology documentation. They also may attempt to manipulate virtual economies for financial gain. While unconfirmed, the financial secondary objective may be related to personal interests of the individuals behind the attacks.

Initial attack methods include phishing to gain entry into target organization networks. The group then follows with custom malware or publicly available offensive tooling (Metasploit/Cobalt Strike), and may use a number of methods to minimize their risk of being detected. Such techniques include a particular focus on “living off the land” by using a victim’s own software products, approved remote access systems, or system administration tools for spreading and maintaining unauthorized access to the network.

We have observed incidents where the attacker used other victim organizations as a proxy for unauthorized remote access. In these cases, organization 1 had been compromised for a long period of time, and the attacker accessed victim organization 2 via the organization 1 network.

Delivery and C2 domains routinely have subdomains which resemble target organizations. Additionally, their C2 domains are used across many targets, while subdomains tend to be created and removed quickly and are unique to a particular target or campaign. Also noteworthy is that the actors set their domains to resolve to 127.0.0.1 when not in use, similar to what was originally reported on by Kaspersky Lab (see below).

The actor often uses TLS encryption for varying aspects of C2 and malware delivery. As noted in the “Infrastructure Analysis” section of this report, the actor primarily abuses Let’s Encrypt to sign SSL certificates. We also observed many cases in which self-signed certificates were used in attacks.

Overall, the Winnti umbrella and linked groups are lacking when it comes to operational security. However, some activities linked to these groups follow better operational security and infrastructure management approaches. This may be a clue to the division of responsibilities by team and skill level within the broader organization.
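The infrastructure habits described in the TTP section (shared C2 apex domains with short-lived subdomains that resemble the target organization, domains parked to 127.0.0.1 when not in use, and TLS certificates that are either Let's Encrypt-issued or self-signed) can be turned into a triage score over passive-DNS and certificate observations. The following is an added example written for this page, not 401TRG's tooling or code from the report, and every domain, IP and certificate in it is constructed sample data (`.test` names and documentation IP ranges), not an indicator from the report. It assumes the defender keeps a list of their own organization's name tokens (`PROTECTED_ORG_TOKENS`) and records of the form shown.

```python
import ipaddress

# Constructed passive-DNS style observations: (fqdn, resolved_ip, day_seen).
PDNS_RECORDS = [
    ("update.example-c2.test", "127.0.0.1", 1),       # parked to loopback early on
    ("update.example-c2.test", "203.0.113.10", 5),    # later pointed at a live host
    ("victimcorp.example-c2.test", "127.0.0.1", 7),   # target-themed subdomain on same apex
    ("cdn.legit-site.test", "198.51.100.4", 1),
    ("mail.victimcorp.test", "198.51.100.9", 2),      # the defender's own domain
]

# Constructed TLS observations: (server_name, subject, issuer).
TLS_RECORDS = [
    ("update.example-c2.test", "CN=update.example-c2.test", "CN=R3,O=Let's Encrypt,C=US"),
    ("victimcorp.example-c2.test", "CN=victimcorp.example-c2.test", "CN=victimcorp.example-c2.test"),
    ("mail.victimcorp.test", "CN=mail.victimcorp.test", "CN=Example Public CA"),
]

# Name fragments of the organisation being defended (assumption for this example).
PROTECTED_ORG_TOKENS = ["victimcorp"]


def apex(fqdn):
    """Last two labels. A real deployment should use the public suffix list instead."""
    return ".".join(fqdn.lower().split(".")[-2:])


def loopback_parked_domains(records):
    """Apex domains that have at any point resolved to a loopback address."""
    return {apex(fqdn) for fqdn, ip, _ in records if ipaddress.ip_address(ip).is_loopback}


def lookalike_subdomains(records, org_tokens):
    """FQDNs whose subdomain labels carry a protected org name while the apex is not ours."""
    hits = set()
    for fqdn, _, _ in records:
        labels = fqdn.lower().split(".")
        sub_labels, apex_name = labels[:-2], ".".join(labels[-2:])
        in_sub = any(tok in label for label in sub_labels for tok in org_tokens)
        in_apex = any(tok in apex_name for tok in org_tokens)
        if in_sub and not in_apex:
            hits.add(fqdn)
    return hits


def self_signed_names(records):
    """Server names that presented a certificate whose issuer equals its subject."""
    return {name for name, subject, issuer in records if subject == issuer}


def triage(pdns, tls, org_tokens):
    """Score each observed FQDN: one point per infrastructure trait from the report."""
    parked = loopback_parked_domains(pdns)
    lookalikes = lookalike_subdomains(pdns, org_tokens)
    self_signed = self_signed_names(tls)
    results = {}
    for fqdn, _, _ in pdns:
        reasons = []
        if apex(fqdn) in parked:
            reasons.append("apex has been parked to loopback")
        if fqdn in lookalikes:
            reasons.append("subdomain mimics a protected organisation")
        if fqdn in self_signed:
            reasons.append("self-signed TLS certificate")
        results[fqdn] = (len(reasons), reasons)
    return results


if __name__ == "__main__":
    for name, (score, why) in sorted(triage(PDNS_RECORDS, TLS_RECORDS, PROTECTED_ORG_TOKENS).items(),
                                     key=lambda kv: -kv[1][0]):
        print(score, name, "; ".join(why))
```

Let's Encrypt issuance is deliberately not scored: it is ubiquitous on legitimate sites, so on its own it carries no signal, whereas a self-signed certificate on a host that also shares an apex with a loopback-parked name is worth an analyst's time. The parked-to-loopback trait is an apex-level property on purpose, so that a brand-new subdomain inherits suspicion from the shared C2 domain the report describes.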

Targets:

The Winnti umbrella and linked groups’ initial targets are gaming studios and high tech businesses. They primarily seek code signing certificates and software manipulation, with potential financially motivated secondary objectives. These targets have been identified in the United States, Japan, South Korea, and China.

Based on the infrastructure, links to previous reporting, and recently observed attacks, the broader organization’s main targets are political. Historically this has included Tibetan and Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent international technology organizations.

One example of a politically focused lure by the Winnti umbrella and linked groups is an end of 2017 document titled “Resolution 2375 (2017) Strengthening Sanctions on DPR of KOREA” which is a malicious file associated with the C2 infrastructure described here – see MD5: 3b58e122d9e17121416b146daab4db9d.

Some Key Public Reports:

2013:
Kaspersky Lab publicly reported on the original Winnti group, technical details around the Winnti samples, and various honeypot analysis methods. Most noteworthy is the Winnti umbrella’s targeting of gaming organizations in search of code signing certificates, virtual currencies, and updating mechanisms which could potentially be used to attack victims’ clients. Interestingly, this was the first identified trojan for the 64-bit Microsoft Windows operating system with a valid digital signature as noted by the author. The abuse of signed applications is a very effective attack approach that the entity continues to use.

2014:
Novetta released an outstanding report detailing “Operation SMN,” in which they collaborated with a number of private organizations on a large scale malware eradication operation which is linked to the original Winnti group by the malware being delivered. In the report, the actor is named Axiom. Novetta reported links to publications from as far back as 2009 that also link the group to the Chinese state intelligence apparatus with high confidence. Links exist to various known attacks and actor groups, such as “Operation Aurora,” Elderwood Group’s successful 2010 attack against Google and many other organizations. Another link exists to the successful compromise of the security organization Bit9 in 2013, where their own product was used to sign and spread malware to their customers. In addition, FireEye’s “Operation DeputyDog” detailed attacks on Japanese targets from the same attacker infrastructure. Many other incidents are detailed in the Operation SMN report. Following all of these details back in time, we can see an overlap in TTPs and targets from the APT1 report by Mandiant, which serves as a great historical example of Chinese intelligence cyber operations in their most basic form.

2016:
Cylance released a blog post reporting on digitally signed malware used in targeted attacks against gaming organizations in China, Taiwan, South Korea, Europe, Russia, and the United States. Cylance refers to the attacking entity as “PassCV” in their reporting. Cylance successfully identified a large quantity of malware binaries which were signed with valid certificates stolen from a number of gaming studios in East Asia. In addition to detailing the individual certificates and signed malware, they identified a significant amount of network infrastructure which contain various interesting links to our own findings.

2017 – March/April:
Trend Micro reported on attacks that abused GitHub for use in malware command and control, which they attributed to the original Winnti group. Amusingly, Trend Micro later reported on an individual linked to the group and the attacks who happens to be a fan of pigs.

2017 – July 5th:
Citizen Lab reported on attacks against journalists by an actor mimicking China-focused news organizations HK01, Epoch Times, Mingjing News, and Bowen Press. As Citizen Lab noted, these news organizations are blocked in China for their political views. The report notes that malware used in these attacks was linked to a stolen code signing certificate mentioned in the Cylance PassCV post. That overlap, in addition to infrastructure links from a Palo Alto Unit 42 blog post, strongly links this attack to the previously mentioned reports as well as to our own. As Unit 42 reports, the attacks against entities in the government of Thailand used the “bookworm” trojan.

2017 – July/October:
ProtectWise 401TRG published our own findings and an update on LEAD using open source and public tooling in attacks against Japanese gaming organizations. These attacks are linked with high confidence to ongoing operations in the United States and East Asia.

Other Noteworthy Events:
In 2017, multiple supply-chain attacks occurred which had some similarities to the Winnti umbrella and associated entities. For example, Kaspersky reported on ShadowPad, a large-scale compromise of NetSarang, which resembles the Winnti and PlugX malware. In addition, Kaspersky and Intezer identified notable code similarities to the Winnti umbrella and APT17 in the compromise of Piriform, which allowed attackers to sign and spread altered versions of the CCleaner software to a large customer base.

Analysis of Attacks on Initial Targets

Throughout 2017 and 2018, ProtectWise 401TRG was involved in a number of detection and incident response engagements with our customers that linked back to the Winnti umbrella and other closely associated entities. Through the analysis of public and private intelligence, we have successfully identified similar attacks, which allow us to assess with high confidence that the details below follow a global attack trend as the Chinese intelligence operations have evolved over time.

2017 Operations:
One of the most common tactics used by the Winnti umbrella and related entities is phishing users whose credentials may provide elevated access to a target network. We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective.

In 2017 the entity focused most of its efforts around technical job applicant email submissions to software engineering, IT, and recruiting staff, which we originally reported on at our 401trg.pw blog. The phishing lures used multiple languages, including Japanese as in the below example:

The approximate translation is as follows:

I saw your job posting. My main languages are Object-C, JAVA, and Swift, and I have 7 years experience with Ruby and 6 years experience with PHP. I have 5 years experience developing iOS apps, as well as Android apps, AWS, Jenkins, Microsoft Azure, ZendFramework, and smartphone application payment processing. I also have 5 years experience with MSSQL, Mysql, Oracle, and PostgreSQL. Please see here: [malicious link]


The process that followed a target clicking the malicious link evolved as the attacker progressed through the campaigns. The links consistently sent the victim to a fake resume, but the exact format of that resume changed over time; we have observed resumes being delivered as DOC, XLS, PDF, and HTML files. Once opened, the fake resumes performed various actions in an effort to download malware onto the victim host. During the same time period, we also observed the actor using the Browser Exploitation Framework (BeEF) to compromise victim hosts and download Cobalt Strike. In this campaign, the attackers experimented with publicly available tooling for attack operations. During this infection process, the actor was known to check the target operating system and deliver malware, signed by a previously stolen key, for the appropriate host environment. In some cases, valid Apple certificates stolen from victims were used in this process, which linked the attack to additional victim organizations.

Post-compromise actions by the attacker followed a common pattern. First they attempted to spread laterally in the network using stolen credentials and various reconnaissance efforts, such as manually examining shares and local files. The primary goal of these attacks was likely to find code-signing certificates for signing future malware. The secondary goals of the attackers depended on the type of victim organization, but were often financial. For example, gaming organizations tended to fall victim to manipulation or theft of in-game virtual currencies. Non-gaming victims may have experienced theft of intellectual property such as user or technology data.

2018 Operations:
More recently, various attack campaigns from the Winnti umbrella and associated groups have been very successful without the use of any exploits or malware. Phishing remains the initial infection vector but the campaign themes have matured. In 2018, the campaigns have largely been focused on common services such as Office 365 and Gmail.

It is important to note that attackers likely have additional information on their target organizations’ preferred email solutions based on previous incidents or open source intelligence.

In more recent phishing campaigns conducted by the Winnti umbrella and associated groups, URL shortening services have been used. For example, Google’s URL shortening service goo.gl was used over the past weeks, allowing us to gain insight into the scale of this campaign using publicly available analytics.

As you can see from the above screenshot, this particular phishing campaign ran from March 20th to March 28th, 2018. Notably, the link was created on February 23rd, 2018, indicating roughly three weeks of preparation for the attacks. These metrics allow us to gain insight into who clicked the link in a phishing email and was directed to a phishing or malware delivery landing page. According to Google analytics, there were a total of 56 clicks. 29 were from Japan, 15 from the United States, 2 from India, and 1 from Russia. 33 of the clicks were from Google Chrome, and 23 were from Safari. 30 were from Windows OS hosts, and 26 were macOS hosts.

In general, the attackers phish for credentials to a user’s cloud storage, and would be expected to later attempt malware delivery in the cases of a failed credential phish or valueless cloud storage.

In cases where the victim uses O365 and/or G-suite for enterprise file storage, the attackers manually review the contents for data of value. If code signing certificates are stored here, the primary mission has been accomplished, as they may be easily downloaded. In other cases, the attackers attempt to use other files and documentation in the cloud storage to help them traverse or gain privileges on the network. The targets in 2018 include IT staff, and commonly sought out files include internal network documentation and tooling such as corporate remote access software.

Once the attackers gain remote access to the network via malware or stolen remote access tooling and credentials, the operation continues as we’ve seen, though their post-compromise actions have become more efficient and automated. Internal reconnaissance is performed by scanning the internal network for open ports 80, 139, 445, 6379, 8080, 10022, and 30304. The choice of ports by the attacker indicates a strong interest in internal web and file storage services. An interesting addition is the use of 30304, which is the peer discovery port for Ethereum clients.

In the attackers’ ideal situation, all remote access occurs through their own C2 infrastructure, which acts as a proxy and obscures their true location. However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was 221.216.0.0/13, the China Unicom Beijing Network, Xicheng District.
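As an added defender-side example (not code from the 401TRG report): a small Python script that flags, in a constructed connection log, the two artefacts described above, a host sweeping the report's port set across internal machines, and sessions arriving from the 221.216.0.0/13 block. The log format, sample addresses and thresholds are assumptions.

```python
"""Flag two Winnti-style artefacts in a connection log:
(1) an internal host sweeping the report's recon port set across many machines,
(2) remote sessions whose source lies in the 221.216.0.0/13 block."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Port set the report observed during internal reconnaissance.
RECON_PORTS = {80, 139, 445, 6379, 8080, 10022, 30304}
# Net block the report ties to unproxied attacker sessions.
REPORTED_NETBLOCK = ipaddress.ip_network("221.216.0.0/13")

# Constructed sample log (not from the report): "<ISO timestamp> <src> <dst> <dport>".
# 10.1.2.50 sweeps six hosts; 10.1.2.60 is a normal file-share user;
# 221.220.5.17 (inside the block) and 203.0.113.9 (outside it) are external sources.
SAMPLE_LOG = """\
2018-03-21T09:00:01 10.1.2.50 10.1.2.10 445
2018-03-21T09:00:02 10.1.2.50 10.1.2.11 445
2018-03-21T09:00:02 10.1.2.50 10.1.2.12 139
2018-03-21T09:00:03 10.1.2.50 10.1.2.13 6379
2018-03-21T09:00:04 10.1.2.50 10.1.2.14 30304
2018-03-21T09:00:05 10.1.2.50 10.1.2.15 8080
2018-03-21T09:00:07 10.1.2.60 10.1.2.10 445
2018-03-21T09:00:09 10.1.2.60 10.1.2.10 80
2018-03-21T09:03:00 10.1.2.60 10.1.2.10 445
2018-03-21T09:10:00 221.220.5.17 10.1.2.10 10022
2018-03-21T09:11:00 203.0.113.9 10.1.2.10 80
"""


def parse_log(text):
    """Turn log lines into event dicts with numeric timestamps and IP objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append({
            "ts_str": ts,
            "ts": datetime.fromisoformat(ts).timestamp(),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
        })
    return events


def find_internal_scanners(events, min_hosts=5, min_ports=3, window_s=120):
    """Per source, slide a time window over recon-port connections to private
    destinations; report the window with the most distinct hosts that also
    touches at least min_ports distinct ports."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dport"] in RECON_PORTS and ev["dst"].is_private:
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1
            window = evs[start:end + 1]
            hosts = {e["dst"] for e in window}
            ports = {e["dport"] for e in window}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                if best is None or len(hosts) > best["hosts"]:
                    best = {"hosts": len(hosts), "ports": sorted(ports),
                            "first_seen": evs[start]["ts_str"]}
        if best:
            hits[str(src)] = best
    return hits


def find_unproxied_sessions(events):
    """Return events whose source address falls inside the reported net block."""
    return [{"ts": e["ts_str"], "src": str(e["src"]), "dst": str(e["dst"]),
             "dport": e["dport"]}
            for e in events if e["src"] in REPORTED_NETBLOCK]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("internal sweeps:", find_internal_scanners(evs))
    print("sessions from 221.216.0.0/13:", find_unproxied_sessions(evs))
```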

Visualizing Attacker Infrastructure

Based on the various incidents we have been involved in, in addition to past public reporting and open-source intelligence, we can construct a map representing the infrastructure most closely associated with the Winnti umbrella and closely related entities. For the sake of producing an accurate representation of the infrastructure, we are excluding any shared infrastructure (such as hosting provider IPs used for many unrelated domains) and low confidence indicators. Please note this is not an exhaustive list of all active infrastructure in use by the group.

As detailed below, this infrastructure spans at least eight years of activity by the Winnti umbrella and related groups. Please note, as this section heavily references the “Some Key Public Reports” section, above, we recommend reading that first. Indicators are provided in Appendix A of PDF (see top of page).

1. The area of the map labeled #1 is the phishing, malware delivery, fake resume, and C2 infrastructure. This includes domains, IPs, malware hashes, SSL certificates, and WHOIS information. In this section of the infrastructure, we primarily observe the network and file indicators which would be used against targets valued for code signing certificates, software manipulation, and potential financial manipulation. The indicators detailed in the 2017 & 2018 Initial Target section of this report are located in #1. Infrastructure in this area is currently in use and not entirely historical.

2. This area is a network that we assess is associated with the umbrella with low confidence. The most interesting findings here are the large number of Let’s Encrypt SSL certificates in use and the overlap with attacker exclusive infrastructure. This proposed relationship is generated by infrastructure links alone, as no malicious activity has been confirmed to or from region #2. Infrastructure in this area is currently in use and not historical.

3. Area #3 is linked to the initial attack infrastructure (#1) by domain WHOIS details, likely from operational security mistakes. We assess with high confidence that these infrastructures are linked. Based on the lax structure and naming of this section, it is highly probable that it is used for attacker experimenting and development. Some examples include domains such as “nobody.will.know.whoami[.]la”, “secret.whoami[.]la”, and “no.ip.detect.if.using.ipv6[.]la”. Infrastructure in this area is currently in use and not historical.

4. This area has various links to #3 in which an individual software developer is identified. We assess this connection with low to medium confidence and will refrain from publicly sharing details in this report. This area contains many personally operated domains and SSL certificates. Infrastructure in this area is currently in use and not historical.

5. Area #5 of the map is part of what Novetta reported on as Operation SMN in 2014. Infrastructure in this area is purely historical and based on Novetta’s reporting, which we can link to area #1 via known umbrella infrastructure. The vast majority of indicators in this area are the many associated hashes, combined with their C2 destination domains and IPs.

6. This area of the map is what Cylance reported on as PassCV in 2016. The vast majority of infrastructure and indicators here are stolen code signing certificates, malware signed with the certificates, and C2 domains. This area contains information on many victims of campaigns related to area #1. Infrastructure in this area is historical. We assess that this area is linked to the Winnti umbrella with high confidence.

7. This section represents infrastructure identified by Citizen Lab in their July 5th 2017 reporting on attacks against journalists. As they originally identified, one of the NetWire binaries was signed with a stolen certificate linked to #6, the Cylance PassCV report. We were able to further expand this section by pivoting off of additional domain WHOIS information.

8. Lastly is area #8, which links back with high confidence to #7 (Citizen Lab reporting) and #6 (PassCV). This area consists of domains, IPs, MD5 file hashes, and further WHOIS operational security mistakes. This area is similar in functionality to #1 and #3, serving as infrastructure for both high-value politically focused attacks and developer personal use. This section links to the online identities of an individual we assess to be associated with the Winnti umbrella or a closely related group with medium to high confidence. One example of malicious activity in this area was the document detailing the strengthening of sanctions against North Korea, above. These activities are similar to the type of politically motivated targeted attacks Citizen Lab reported on. Some infrastructure in this area is currently in use and is not completely historical.

Investigative Findings

Based on incident response engagements, research into the associated attacker infrastructure, and previously reported research, we can summarize our findings as follows:

1. The Chinese intelligence apparatus has been reported on under many names, including Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF.

2. The overlap of TTPs and infrastructure between the Winnti umbrella and other groups indicates the use of shared human and technology resources working towards an overarching goal. Operational security mistakes allow the linking of attacks on lower value targets to higher value campaigns. Reuse of older attack infrastructure, links to personal networks, and observed TTPs play a role in this overlap.

3. The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13.

4. Initial attack targets are commonly software organizations in the United States, Japan, South Korea, and China. Later stage high profile targets tend to be political organizations or high-value technology companies.

5. The attackers grow and learn to evade detection when possible, but lack operational security when it comes to the reuse of some tooling. Living off the land and adaptability to individual target networks allow them to operate with high rates of success.

Conclusion

We hope the information we’ve shared in this report will help potential targets and known victims in addition to the greater information security community. Though they have at times been sloppy, the Winnti umbrella and its associated entities remain an advanced and potent threat. We hope that the information contained within this report will help defenders thwart this group in the future.

We’d like to extend a special thank you to all the victims, targets, researchers, and security vendors who have shared their own findings over the years.

Indicators

Indicators can be found in the PDF version of this report and our GitHub Detection IOC repository. Enjoy!

Source: 401 TRG

Senior New Zealand naval officer accused of hiding camera in embassy toilets

Alfred Keating

Alfred Keating pleads not guilty over discovery of miniature camera in embassy bathroom in Washington where he was defence attache

One of New Zealand’s most senior naval officers is accused of hiding a secret camera in the toilets of the New Zealand embassy in Washington, in an attempt to obtain intimate footage of people using the bathroom.

Alfred Keating, 58, was a commodore in the New Zealand navy and was one of the country’s most senior naval officers before he resigned last month.

Keating was serving as defence attache at the embassy in Washington in July 2017. On 27 July a small covert camera was discovered in a unisex bathroom in the embassy when it fell out of a hiding spot in a heating duct.

It had been positioned to capture images of anyone using the toilet. The embassy toilet was generally used by approximately 60 embassy staff.

New Zealand police travelled to Washington to investigate, and brought the recording device back to be forensically examined.

The investigation revealed the device had been in place for some months, as the homemade platform it was mounted on was covered in a thick layer of dust.

On the day it was discovered the camera had been activated at 9am and had captured 19 images over a five-hour period of people using the bathroom.

A search warrant of Keating’s home in New Zealand led to him being charged with attempting to obtain intimate visual recordings.

The prosecution alleges that Keating’s computer contained software to operate the camera, and also that his DNA matched that found on the SD card inside the camera. He has pleaded not guilty to the charges.

Keating joined the navy in 1976 and has studied engineering in the UK; worked as a team leader on the Australian and New Zealand Anzac frigate project; served as New Zealand’s assistant naval attache and senior technical officer in the US; and worked as the assistant chief of navy in Wellington.

Source: The Guardian

Man arrested for hidden cameras in woman’s home

  • A man in his 20s was booked without detention for installing cameras in and outside a woman’s home, Busan local police said Tuesday.

  • The man is charged with entering the victim’s residence 12 times while it was empty and installing the hidden cameras inside the home.

According to the police, the man spotted the victim in January around the Haeundae neighborhood in Busan and tracked her home. The man installed a camera in the form of a black box outside the woman’s door to discern the code to the door lock.

The 27-year-old is also being charged with hanging pornographic pictures on her door twice.

The man, masked and gloved, was caught by a neighbor who saw him inside the woman’s house on Feb. 16. The man reportedly admitted to his actions during interrogation when presented with CCTV footage.

Police said “the hidden cameras were so small that it was not easy to discover them unless you looked very closely.”

Source: The Korea Herald

Somebody’s watching! When cameras are more than just ‘smart’

Every year the number of smart devices grows. Coffee machines, bracelets, fridges, cars and loads of other useful gadgets have now gone smart. We are now seeing the emergence of smart streets, roads and even cities.

Devices such as smart cameras have long been part of everyday life for many, as communication devices, components in security and video surveillance systems, to keep an eye on pets, etc.

The latest smart cameras can connect to the cloud. This is done so that a user can watch what’s happening at a remote location using a variety of devices.

The researchers at Kaspersky Lab ICS CERT decided to check a popular smart camera to see how well protected it is against cyber abuse. This model has a rich feature list, compares favorably to regular webcams and can be used as a baby monitor, a component in a home security system or as part of a monitoring system.

An initial analysis using publicly available sources showed that there are almost 2,000 of these cameras on the Internet with public IP addresses.

Hanwha SNH-V6410PN/PNW SmartCam: specifications

This device is capable of capturing video with resolutions of 1920×1080, 1280×720 or 640×360, it has night vision capability and a motion sensor, and supports two-way communication, i.e. apart from capturing video and sound it can also produce sound using an in-built speaker. The camera works via a cloud-based service; in other words, it doesn’t connect directly to a device such as a computer. It is configured by creating a wireless hotspot on the camera and connecting it to the main router via Wi-Fi. Users can control the camera from their smartphones, tablets or computers. It should be noted that the camera’s data can only be uploaded to the cloud; there is no other way of communicating between the user and the camera.

The camera is based on the Ambarella S2L system (ARM architecture). Amboot is used as its initial loader. After a standard boot, Amboot loads the Linux kernel with a specific command as a parameter:

After that, systemd launches. The system then boots as normal. Different partitions are mounted, and commands from rc.local are executed. When executing rc.local, the file mainServer is launched in daemon mode, which is the core of the camera’s operation logic. mainServer executes the commands that are sent to it via UNIX socket /tmp/ipc_path via a binary protocol. Scripts written in PHP as well as CGI are used to process user files. While launching, mainServer opens UNIX socket /ipc_path. Analysis of the PHP scripts has shown that the main function responsible for communication with mainServer is in the file /work/www/htdocs_weboff/utils/ipc_manager.php.

Communication with the user

When a command arrives from the user (e.g., to rotate the camera, select a tracking area, switch to night vision mode, etc.), it is analyzed. Each command or parameter has its own flag assigned to it, which is a constant. The main flags are documented in the file /work/www/htdocs_weboff/utils/constant.php. Later on, the packet header and payload is created, and a request is sent via UNIX socket /tmp/ipc_path to mainServer.

An analysis of the file ipc_manager.php shows that no authentication is used at this stage. The request is sent on behalf of the user ‘admin’.

This method of communicating commands is used when camera communication is done both via HTTP API and via SmartCam applications. In the latter case, the packet is generated in the application itself and sent to the camera in a message body using the XMPP protocol. When accessing this file from the outside via HTTP API and SmartCam application, it can be accessed only through web server digest authentication.

Loopholes for intruders

The following vulnerabilities were identified during the research:

• Use of insecure HTTP protocol during firmware update
• Use of insecure HTTP protocol during camera interaction via HTTP API
• An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
• Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
• A feature for the remote execution of commands with root privileges
• A capability to remotely change the administrator password
• Denial of service for SmartCam
• No protection from brute force attacks for the camera’s admin account password
• A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
• Communication with other cameras is possible via the cloud server
• Blocking of new camera registration on the cloud server
• Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
• Restoration of camera password for the SmartCam cloud account

After some additional research we established that these problems exist not only in the camera being researched but in all smart cameras manufactured by Hanwha Techwin. The latter also makes firmware for Samsung cameras.

Below we give a more detailed account of some of our findings.

Undocumented functionality

As mentioned above, we detected, among others, an undocumented capability that allows manipulations with the camera’s web interface.

Interestingly, a buffer overflow vulnerability was also detected inside it. We reported the issue with the undocumented feature to the manufacturer, and it has already fixed it.

Vulnerability in the cloud server architecture

Another example of a dangerous vulnerability in this smart camera can be found in the cloud server architecture. Because of a fault in the architecture, an intruder could gain access via the cloud to all cameras and control them.

One of the main problems associated with the cloud architecture is that it is based on the XMPP protocol. Essentially, the entire Hanwha smart camera cloud is a Jabber server. It has so-called rooms, with cameras of one type in each room. An attacker could register an arbitrary account on the Jabber server and gain access to all rooms on that server.

In the process of communicating with the cloud, the camera sends the user’s credentials and a certain set of constants. After analyzing the data sent, a remote attacker is able to register existing cameras in the cloud that have not been registered there yet. As a result, those cameras would subsequently be unable to register in the cloud and, as a consequence, unable to operate. In addition, an attacker can communicate with the cloud on behalf of an arbitrary camera or control arbitrary cameras via the cloud.

Attack scenarios

An interesting attack vector is the spoofing of DNS server addresses specified in the camera’s settings. This is possible because the update server is specified as a URL address in the camera’s configuration file. This type of attack can be implemented even if a camera doesn’t have a global IP address and is located within a NAT subnet. This sort of attack can be implemented by taking advantage of the peculiarities and vulnerabilities that exist in the Hanwha SmartCam cloud architecture. An attack like this could result in the distribution of modified firmware to cameras with the undocumented functionality loophole preinstalled, which will give privileged rights on those cameras.

If an intruder gains privileged rights (root) on a camera, they gain access to the full Linux functionality. This means the camera can be used as a foothold from which to attack devices located on local (within a NAT subnet) or global networks.

In one attack scenario, an arbitrary camera can be cloned and its image signal spoofed for the end user without much difficulty. To do so, an intruder will have to use cloud interactions to find out the target camera’s model, serial number and MAC address. The attacker then resets the password using a vulnerability in the password generation algorithm and modifies the firmware of the cloned camera (which is an identical camera located on the attacker’s side). The victim’s camera is then remotely disabled. As a result, the victim will receive a video signal from the attacker’s cloned camera.

Other possible scenarios involve attacks on camera users. The camera’s capabilities imply that the user will specify their credentials to different social media and online services, such as Twitter, Gmail, YouTube, etc. This is required for notifications about various events captured by the camera to be sent to the user. An attacker would then be able to exploit this capability to send phishing and spam messages.

Conclusion

What can a potential attacker do with the camera? Our research has demonstrated that they have a number of options.

For one, the attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras. An attacker can gain access to an arbitrary SmartCam as well as to any Hanwha smart cameras.

What are the implications for a regular user? A remote attacker can gain access to any camera and watch what’s happening, send voice messages to the camera’s on-board speaker, use the camera’s resources for cryptocurrency mining, etc. A remote attacker can also put a camera out of service so it can no longer be restored. We were able to prove this hypothesis three times 🙂

We immediately reported the detected vulnerabilities to the manufacturer. Some vulnerabilities have already been fixed. The remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.

Fixed vulnerabilities were assigned the following CVEs:

CVE-2018-6294
CVE-2018-6295
CVE-2018-6296
CVE-2018-6297
CVE-2018-6298
CVE-2018-6299
CVE-2018-6300
CVE-2018-6301
CVE-2018-6302
CVE-2018-6303

By Vladimir Dashchenko, Andrey Muravitsky
Source: SecureList