RUAG Breach – A lesson in cyber espionage tradecraft, tools & techniques

Following a successful data breach of Swiss defence contractor RUAG – which specialises in aerospace technology – the Swiss Governmental Computer Emergency Response Team (GovCERT) took the unusual step of publishing a comprehensive data breach report. The reason given for publishing it: “…to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group.” You can download the summary technical report here (PDF, 2 pages) and the full espionage report here (PDF, 34 pages). If the full report is a little TL;DR for your time or taste – or even …

Command and Control Using Powershell and Twitter

Initially I wanted to update and extend @obscuresec’s PowerShell Twitter bot. The problem is that it was written in early 2013 and relied on Twitter’s API v1, which allowed unauthenticated reads of public timelines. The current Twitter API v1.1 requires OAuth authentication and TLS on every call, and although that is doable from PowerShell, the code is far too verbose for my purposes. With these hurdles in mind I took a closer look at the modus operandi of the Russian threat group behind HAMMERTOSS: they avoided the API altogether and simply had the implant fetch the URL of the Twitter handle’s profile page and look for a hashtag. I thought this …
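The tasking step described above, as an added example that is not code from the post, from @obscuresec’s bot, or from HAMMERTOSS itself: the implant scrapes the profile page as plain text and pulls a command out of a hashtag. The tag convention used here (a fixed prefix followed by hex-encoded bytes) and the HTML are both constructed for the example; the live fetch is left out so the block runs offline.

```powershell
# Added example, not code from the post or from @obscuresec's bot.
# Demonstrates the scrape-and-look-for-a-hashtag tasking scheme on a
# constructed page so it runs offline. The tag convention (#cmd<hex>) is an
# assumption made for this example, not HAMMERTOSS's actual format.
function Get-HashtagCommand {
    param(
        [Parameter(Mandatory)][string]$Html,
        [string]$Prefix = 'cmd'        # assumed operator convention: #cmd<hex bytes>
    )
    # Only hex digits may follow the prefix, so an unrelated "#cmdline" tweet is ignored.
    $pattern = '#' + [regex]::Escape($Prefix) + '([0-9a-fA-F]{2,})(?![0-9a-zA-Z_])'
    foreach ($m in [regex]::Matches($Html, $pattern)) {
        $hex = $m.Groups[1].Value
        if ($hex.Length % 2) { continue }   # malformed tag: skip rather than guess
        $bytes = [byte[]]::new($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }
        [System.Text.Encoding]::UTF8.GetString($bytes)
    }
}

# Constructed stand-in for the fetched profile page; in a live version this
# string would come from an HTTP GET of the handle's URL (e.g. Invoke-WebRequest).
$page = @'
<p class="tweet-text">Back in the office #monday</p>
<p class="tweet-text">Reminder about #cmdline tips later</p>
<p class="tweet-text">status update #cmd77686f616d69</p>
'@

# Decodes the third tweet's tag; the first two produce nothing.
Get-HashtagCommand -Html $page
```

Two caveats for anyone trying the live version: the profile page is today rendered client-side, so a plain HTTP GET no longer returns tweet text the way it did when the post was written, and from the defender’s side the only thing this traffic leaks is a periodic GET to a popular domain, which is exactly why the technique is attractive.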

Criminals increasingly using social media as command-and-control (C2)

A paper entitled “C&C-as-a-Service: Abusing Third-Party Web Services as C&C Channels” caught my attention yesterday. It looks at the growth in criminals leveraging popular web services for command and control (C2). The web services cited are: Google Docs, Twitter, Facebook, Microsoft TechNet, YouTube, VKontakte, Jaiku, Tumblr, Google+, Yahoo Mail, Gmail, Google Talk, MSN Messenger, Skype and Google Calendar. So, quite a few options for the criminal, as you can see. Why do criminals use third-party web services for C2? One benefit for the criminal in utilising this strategy is that traffic to these websites looks legitimate, is usually encrypted (HTTPS) and will blend in with legitimate use …
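Because the destination is a trusted domain and the content is encrypted, about the only thing left for a defender to key on is timing: an implant polling a profile page tends to do so at a near-constant interval, while a human browsing the same site does not. The following is an added example, not part of the post or the paper, that scores each client’s inter-request gaps to one domain from a constructed, squid-like proxy log; the log format, the sample lines and the 10% jitter threshold are all assumptions made for the example.

```powershell
# Added example, not from the post or the cited paper. Flags clients whose
# requests to a given domain arrive at near-constant intervals, which is one of
# the few signals left when the channel is HTTPS to a legitimate service.
# Constructed log lines in an assumed "<epoch> <client-ip> <host>" format.
$logLines = @(
    '1700000000 10.0.0.5 twitter.com'
    '1700000060 10.0.0.5 twitter.com'
    '1700000121 10.0.0.5 twitter.com'
    '1700000180 10.0.0.5 twitter.com'
    '1700000241 10.0.0.5 twitter.com'
    '1700000003 10.0.0.9 twitter.com'
    '1700000420 10.0.0.9 twitter.com'
    '1700000431 10.0.0.9 twitter.com'
    '1700003000 10.0.0.9 twitter.com'
)

function Find-PeriodicClients {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Domain,
        [int]$MinHits = 4,                 # need a few samples before judging
        [double]$MaxJitterRatio = 0.1      # stdev/mean of the gaps; beacons sit near 0
    )
    $parsed = foreach ($l in $Lines) {
        $f = $l -split '\s+'
        if ($f.Count -ge 3 -and $f[2] -eq $Domain) {
            [pscustomobject]@{ Time = [long]$f[0]; Client = $f[1] }
        }
    }
    foreach ($group in ($parsed | Group-Object Client)) {
        $times = @($group.Group.Time | Sort-Object)
        if ($times.Count -lt $MinHits) { continue }
        # Gaps between consecutive requests, then their coefficient of variation.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { $times[$i] - $times[$i - 1] }
        $mean = ($gaps | Measure-Object -Average).Average
        $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $ratio = [math]::Sqrt($var) / $mean
        if ($ratio -le $MaxJitterRatio) {
            [pscustomobject]@{
                Client      = $group.Name
                Hits        = $times.Count
                MeanGapSec  = [math]::Round($mean, 1)
                JitterRatio = [math]::Round($ratio, 3)
            }
        }
    }
}

# 10.0.0.5 polls roughly every 60 s and is flagged; 10.0.0.9 browses irregularly and is not.
Find-PeriodicClients -Lines $logLines -Domain 'twitter.com'
```

A real implant will add random sleep to defeat exactly this check, so treat the threshold as a starting point and pair it with volume and user-agent anomalies rather than relying on timing alone.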

IT Security Red Team Operations: The Raison d’être

Basically I’m hijacking and plundering a superb talk given by J Wolfgang Goerlich at GrrCON 2014 to lay out the heartbeat of this blog, which can be summed up as the raison d’être for IT security Red Team operations. The following two stand-out quotes lifted from the talk should be shouted from the rooftops: “Without studying offence we can’t plan for good defence” and “Without exercising the defence, we have no assurance that it works.” Simple truths, not emphasised enough in infosec in my opinion. IT Red Team security operations are a natural response to those two quotes. What are IT Red Team operations? …