Monday, 31 August 2020

Who Attacked Czechia in April 2020?


On Friday April 17th, 2020 the Brno University Hospital in the Czech Republic experienced a massive cyber attack.  Between the hours of 5am and 8am "something" occurred on their network.  The "something" was bad enough that the entire network had to be shut down.  Officials working with the Czech government attempted to "recover" the lost data.

Immediately when I hear "data recovery," I can assume that data was destroyed.  Also when an entire network is shut down, the incident implies that the malware was spreading.  With these two pieces of information I am going to make the leap and say that the Brno University Hospital had ransomware.

It's a safe assumption.

The news was big enough to make it to the western hemisphere as well [8].  Mike Pompeo wagged his finger at the screen saying:

“We call upon the actor in question to refrain from carrying out disruptive malicious cyber activity against the Czech Republic’s healthcare system or similar infrastructure elsewhere,”

and further.

“The United States has zero tolerance for malicious cyber activity designed to undermine U.S. and international partners’ efforts to protect, assist, and inform the public during this global pandemic...expect serious consequences."

My curiosity revolves around who-dun-it.  Brno University Hospital is the biggest institute in the city of Brno that was doing Covid-19 tests.  So it was a big target.  A spokesperson for the hospital said that they encounter cyber attacks of this nature regularly and have defended against all of them [4].  Which is what a good face for the company should say.  However, the flip side of the coin would mean that something was different this time.  If these had been blocked before, what's different?

This attack had even been flagged a few days prior by Czechia's National Cyber and Information Security Agency (NUKIB), which stated that infrastructure was "at risk."

Coincidentally, another hospital in Czechia experienced strange activity a few days before.  They reported elevated levels of scans occurring at their network.  They were smart and made back-ups immediately. [4]

NUKIB stated that a "serious and advanced adversary" was responsible.  It kind of blows my mind that NUKIB would say this.  The nation's cyber-security agency publicly said that an advanced adversary was responsible.  I don't think any government agency in our world would make this statement lightly.

The United States knew almost immediately that the Czech Republic's health "and other" [8] infrastructure was at risk.  There is only a small handful of "serious and advanced adversaries" in our world.  Honestly, America knew who the culprit was.

Let's flash forward 3 months.  It is now July 2020.

Mid July, Britain's National Cyber Security Centre publicly announced that Russian hackers sponsored by the state were attempting to steal COVID-19 related data.

Of course the Russian news agency denied all of these allegations, basically saying "You can't prove it..."

The NCSC pinned the attacks on a group named APT29, stating that a variety of tools and spear-phishing were in use. [7]

Now it is August 2020.

Russia has a vaccine!![9] Unfortunately experts say they have cut corners and rushed the vaccine out the door.  Their health officials say it is "safe and effective", even Putin's daughter got the vaccine.  But what else can you expect from a country where a majority of their national stations and newspapers are owned by the government [10].

As an extra jab, and honestly which I feel is directed at America, the vaccine is called "Sputnik-V" in honour of the world's first satellite.

I know I'm speculating here, all I have done is collect data to make a hypothesis.

Here are the proven facts:

- Two hospitals in the Czech Republic attacked, data stolen/corrupted

- Czechian National Security Agency confesses a "serious advanced adversary" at play.

- Russia has a huge cyber-criminal underground [11] (An "advanced adversary")

- The United States knew about the attack on the hospitals almost immediately.  (They monitor everything, let's not kid ourselves)

- Russian hacker group(s) were proven by multiple agencies to be actively targeting Covid-19 research facilities.

So here is my Hypothesis:

I will write it as a note to the people of the Czech Republic.

"Dear Citizens of the Czech Republic,

For what it's worth I sympathize that your country was attacked.  While people like Mike Pompeo can say there will be 'severe consequences,' please don't hold your breath.  Yours [cyber attack] was but the first publicly disclosed incident in what I am very confident was a deluge of attacks against other research facilities that either never told anyone there was an incident or have no idea that data was stolen and still is being stolen.

The "seriously advanced adversary" that attacked you was known by global powers.  They knew that you were a target before the incident.

I don't know what to say but 'good-luck' because you are quite literally in the middle of a cyber battle ground being fought every day by global powers positioning themselves for strength.

My advice, and I urge you to take it: root out the nation-states resident in your critical infrastructure.  They are there and they are listening to everything.

Andrew"



Reference:

[1] https://hotforsecurity.bitdefender.com/blog/mysterious-cyberattack-cripples-czech-hospital-amid-covid-19-outbreak-22566.html

[2] https://www.google.com/amp/s/www.washingtonpost.com/politics/2019/06/25/prague-protesters-demand-resignation-prime-minister-andrej-babi/%3foutputType=amp

[3] https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/

[4] https://www.reuters.com/article/us-czech-cyber-ostrava/czech-hospitals-report-cyberattacks-day-after-national-watchdogs-warning-idUSKBN21Z1OH 

[5] https://www.cybersecurityintelligence.com/national-cyber-and-information-security-agency-nukib-4219.html 

[6] https://www.fnbrno.cz/

[7] https://www.thechronicleherald.ca/news/canada/russia-trying-to-steal-covid-19-vaccine-data-say-uk-us-and-canada-474082/ 

[8] https://www.euractiv.com/section/defence-and-security/news/us-says-concerned-by-threat-of-cyber-attack-against-czech-republic-healthcare/ 

[9] https://www.bbc.com/news/world-europe-53735718 

[10] https://en.wikipedia.org/wiki/Media_freedom_in_Russia 

[11] https://www.ecfr.eu/publications/summary/crimintern_how_the_kremlin_uses_russias_criminal_networks_in_europe

Monday, 24 August 2020

"No Log" VPNs Not Safe for Much Longer

 


A VPN is becoming (already is) an essential tool for anyone who wants to surf the internet and have their traffic encrypted and shielded from snooping eyes.

There are lots of service providers and it can seem overwhelming when selecting the right VPN provider.  

*Pro tip: Don't even consider a VPN provider if they keep logs.

What are VPN logs?  It's in the name: when you use their service they keep track of what you did and where you went (on the internet).  Obviously if we are paying for a VPN service we must have some interest in privacy, so why should we care if they keep logs?  The problem is that when someone (authorities) requests these logs the company must hand them over.  Effectively all that privacy you are paying for is undone.  Hence the advice: use a "no-log" VPN service provider.

This is good advice, but what happens when those "no-log" providers still have data on you?  Everything you do online leaves a footprint to a degree even if that footprint is encrypted.

Pirate Bay has long been a spot on the internet to acquire various digital items that you want to torrent.  I'm not going to discuss the ethics of this right now ;)

Pirate Bay has been shut down before [3] and there are a lot of people who have an interest in Pirate Bay being gone forever.  However, those folks who tend to the Pirate Bay are not interested in losing that traffic.  Pirate Bay utilizes the services of OVPN, a "zero-log" VPN service.

On a surface level, if I was hosting a torrent site, ya I would want stuff encrypted and I would not want any logs.  However, there is an anti-piracy group (Rights Alliance) who are actively trying to acquire information on OVPN for the purpose of shutting down Pirate Bay [1].

This is where the problem arises.  If a "no-log" provider has no data on its users then how could anyone find a specific user?  If a "no-log" provider were brought to court, what could they actually turn over?

Well, that is what is happening right now: Rights Alliance, the anti-piracy group mentioned earlier, is trying to bring OVPN to court.  They have hired a supposedly resourceful and successful pen-testing company to find out as much as it can about OVPN's users.

While there are no logs to be handed over, OVPN does have a database of users and they do have servers that are connected to users (the entire nature of their business).  As well, OVPN is able to see who is connected to what IP address at any given moment.  The pen-testing company fully understands the relationship between data and information.  When data is collected and correlated it becomes information, and information has power.

Why is this a big deal?

If OVPN, a "no-log" VPN service provider, is brought to court and loses, why couldn't this happen to other "no-logs"?  If Pirate Bay goes down because of the collection of this data, which OVPN has to do in order to run its service, it is conceivable that any "no-log" could be brought to court and a user could be handed over using the exact same methodology.

Our online privacy is constantly at risk.  Freedoms are not necessarily lost all at once, they are handed over bit by bit.

This is something to keep an eye on.

Reference:

[1] https://hothardware.com/news/ovpn-says-it-has-no-data-to-turn-over-in-legal-case 

[2] https://hothardware.com/news/hong-kong-vpn-leak 

[3] https://www.engadget.com/2014-12-16-pirate-bay-shutdown-explainer.html

Tuesday, 18 August 2020

Proxy Daisy Chain

If you value anonymity and privacy then you likely are familiar with proxies and VPN.

Kali Linux has an amazing feature built into it that makes using proxychains so much easier.  There are loads of great resources out there to teach you how to set up and use proxychains on your system.  For some great tutorials check out the references at the bottom [1][2][3]. (These are great tutorials!)

For myself I want to focus on a companion script I wrote to automate parts of the proxychains process.

In order for the script to work you need to also use my script "proxy_list.py", which you can find under Projects in this blog as "Proxy Import Script."  Very quickly, the import script retrieves a list of free proxies and creates a list, which then makes this list available wherever you need it.

Proxychaining is incredibly easy.  The method that my script is working with needs to have a set list of proxy addresses.  I only have access to free proxies online.  I don't want to go to the site and copy and paste it into the configuration file.  The below script will automate this for us.  

In previous blogs I have gone through the code line by line, I am not going to do that for this one.  Essentially this is what is happening:

- list of proxies imported

- open conf file

- search for particular lines matching pattern and update local list

- check to see if the script has been run before by removing old proxies

- add new proxies based on number selected by user

- clear the file

- print local list back into conf file

- boom, we have an updated /etc/proxychains.conf file

 


This method does work, however you are at the mercy of the location where the free proxies were scraped from.  Also who knows who owns these free proxies, you take the risk on when you use them.

This script was fun! Honestly the better method would be to:

1. uncomment "socks4         127.0.0.1 9050"

2. install tor service

3. run tor service

This works so much faster.  My scrape proxychain scripts work, but if you are looking for a proxy-chain that will work every time, go with tor.

*take a look below for some setup things you should consider if you want to get my script working on your system.

Preset up of proxychains.conf

1. make a back up: "cp /etc/proxychains.conf /etc/proxychains.conf.bak"

Modifying /etc/proxychains.conf

1. comment out "strict_chain"

2. comment out "random_chain"

3. uncomment "dynamic_chain"

4. make sure that "proxy_dns" is uncommented

5. comment out "socks4 127.0.0.1 9050"; we are not setting up our system for Tor
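To tie the bullet list above (the script's steps) and the conf edits just listed together, here is an added Python example of my own illustration, not the author's proxy_list.py or companion script.  It works on a constructed copy of proxychains.conf embedded in the block: it switches the chain mode, makes sure proxy_dns is active, drops proxy entries left from an earlier run (or the Tor default) and appends a user-chosen number of new ones.  The proxy addresses are made-up documentation ranges, not a real scrape.

```python
import re

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
# an active (uncommented) proxy entry: "<type> <host> <port>"
PROXY_RE = re.compile(r"^(socks4|socks5|http)\s+\S+\s+\d+\b", re.I)

# Constructed stand-in for /etc/proxychains.conf (not the author's file);
# the real file has far more comment lines but the same layout.
SAMPLE_CONF = """\
# proxychains.conf  VER 3.1
strict_chain
#dynamic_chain
#random_chain
#proxy_dns
[ProxyList]
# add proxy here ...
socks4 \t127.0.0.1 9050
http 203.0.113.10 8080
"""

# Constructed proxy list (documentation addresses) in the "type host port"
# form proxychains expects; the author's proxy_list.py would supply this.
NEW_PROXIES = ["socks5 198.51.100.7 1080", "http 198.51.100.9 3128",
               "socks4 198.51.100.11 1080"]

def set_chain_mode(conf: str, mode: str) -> str:
    """Comment out every chain-mode keyword except `mode`, which is
    uncommented, and make sure proxy_dns is active."""
    out = []
    for line in conf.splitlines():
        key = line.lstrip("#").strip()
        if key in CHAIN_MODES:
            line = key if key == mode else "#" + key
        elif key == "proxy_dns":
            line = key
        out.append(line)
    return "\n".join(out) + "\n"

def replace_proxy_list(conf: str, proxies: list, count: int) -> str:
    """Drop every active entry under [ProxyList] (the Tor default or
    proxies from an earlier run) and append up to `count` new ones."""
    head, sep, tail = conf.partition("[ProxyList]\n")
    if not sep:
        raise ValueError("no [ProxyList] section in conf")
    kept = [ln for ln in tail.splitlines() if not PROXY_RE.match(ln)]
    kept += [p for p in proxies[:count] if PROXY_RE.match(p)]  # skip malformed
    return head + sep + "\n".join(kept) + "\n"

def active_mode(conf: str) -> str:
    """Return the chain mode proxychains would use (first uncommented one)."""
    return next((ln.strip() for ln in conf.splitlines()
                 if ln.strip() in CHAIN_MODES), "")

def active_proxies(conf: str) -> list:
    """Return the proxy entries proxychains would actually use."""
    tail = conf.partition("[ProxyList]\n")[2]
    return [ln.strip() for ln in tail.splitlines() if PROXY_RE.match(ln)]
```

Writing the result back to /etc/proxychains.conf needs root and should only happen after the backup step above; running the two functions a second time is safe because the old entries are removed before the new ones are added.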


Reference:

[1] https://www.youtube.com/watch?v=qsA8zREbt6g&t=557s

[2] https://www.geeksforgeeks.org/how-to-setup-proxychains-in-linux-without-any-errors/

[3] https://thecybersecurityman.com/2018/08/08/pentest-edition-evade-detection-using-tor-and-proxy-chains/

installing proxychains to debian system:

https://zoomadmin.com/HowToInstall/UbuntuPackage/proxychains

Monday, 10 August 2020

How To: Find Random Devices on the Internet



I have said it before, but I love hping3.  It's incredibly handy for all kinds of packet manipulation.

One feature I wanted to demonstrate is sending ICMP packets.

ICMP (Internet Control Message Protocol) is very important as it is practically used for network management.  When I want to see if a host is available/accessible on my network I send a quick ping and the target sends an ICMP packet back to me with the details of its status in the header.

ICMP is powerful because it is a tool that can evoke a response from the target without an actual error being present.

So for curiosity's sake let's compare a simple ping with hping3:

ping 192.168.1.55

is the same as

hping3 -1 -c 1 192.168.1.55

The only slight difference is that the ping will continue running until you stop it and the hping3 option sends only one ICMP packet.

If you are anything like me you may occasionally wonder about the vastness of the Internet.  It's huge, and that is only considering the clearnet; when we attempt to comprehend the enormity of the deep web, that's when our brains really start to wrinkle.

I did an experiment with hping3.

I wanted to use hping3 to send an ICMP packet out to the web and find a device.  I didn't want to think about where the packet was going, or what type of device may be on the other end.  I wanted to find a way to essentially stand in a room (the Internet) and yell any name that came to me and see who responds.

I found a way and it was incredibly easy.

hping3 -1 x.x.x.x --rand-dest -I wlan0 --fast

Run this command from your terminal and you will be sending a single ICMP packet out to completely random hosts over the internet.

You will get results very quickly, and honestly why wouldn't you?  There are close to 26 billion IoT devices connected to the internet.

hping3 -1 192.168.1.x --rand-dest -I wlan0

reference:
[1] https://medium.com/@iphelix/hping-tips-and-tricks-85698751179f

Tuesday, 4 August 2020

The Twitter Hack and Why You Should Phreaking Care



*picture [1]


In the news recently there have been lots of posts about the Twitter hack.  I have read a few of them and this blog entry is going to be on the same subject; however, I want to focus on just a few key aspects of the hack and leave the investigative journalism to others.

There is a strong chance that you have read details on the Twitter hack as well and also understand the who/how/what of it. ([2] wonderful piece on how the hackers were caught).
     
We know it was primarily carried out by 3 people, we know that government services were able to track down the perpetrators' communications via public chat servers, and we know that the hackers were also confirmed based on a repeated IP address.

This is all interesting, but I just find it fascinating that a 17 year old and a couple of his global buddies were able to hijack as many "powerful" Twitter accounts as they did. [5]

Taking over social media accounts is not new.  It happens daily and [3] a lot.  If you think about it, it is really not that hard.  If a hacker wants to learn something about you, all they need to do is poke around a bit in your public account to learn a lot about you.  Why stop with one social media account?  Gather enough information from a variety of online sources and I am sure that someone who put in a minimal amount of effort could guess your favourite breed of dog, or the name of the street where you grew up.

...Better yet...

... how about a targeted spear fishing attempt on a "randomly" selected employee?

This is in fact how the gentlemen were able to compromise as many accounts as they did.  A specific Twitter employee was compromised and with the information gathered they gained access and knowledge about internal systems.

Why you should Phreaking care!

So this is not just a catchy tagline to draw in readers of my blog.  It is actually a word that has faded a bit from mainstream language.

In the 70s and 80s our hacker ancestors explored the limits of the telecommunications hardware.  These folks became affectionately called phreaks or phreakers. [6]

In the 90s, when email was way more mainstream, we encountered a popular social engineering technique of fishing (trolling email accounts to obtain personal information).

As language tends to do, it evolved, and since the two techniques produce such similar results the two merged into "phishing" (this term is widely used now).

Phishing has continued to evolve in a way that we can better understand its specific usage.  There is a difference between receiving a general email from FedEx saying you have a package to pick up "Please please please click the link!" [7], and receiving an email that is a spoofed email from your boss with detailed, actual information about you. [8]  This latter one is spear-phishing.

This is how the three people were able to abuse Twitter, spear-phishing. 

Twitter, this massive company was abused and embarrassed by the simplest of social engineering techniques.  So why is this significant?  Well if it can happen to them, why can't it happen to you? To your company?  Do you personally have hundreds of thousands to spend on security infrastructure (unlike Twitter that does)? 

I have worked in this field for long enough to know how easy it is for clients to receive phishing scams. I have also on numerous occasions (as have many of my colleagues) had clients clicking on the tempting link that has been sent to them. 

The primary takeaway from the incident with Twitter is that phishing attacks are extremely easy and, with a minimal amount of effort, can be executed by folks with, honestly, very little actual skill.

You can put all kinds of policies in place to protect your organization's assets, but all it takes is one mistake from a well-meaning person inside and the attacker can gain access to your systems and exploit you.

One of the best ways to combat phishing scams is education, have regular discussions with your employees/team about the subject of phishing.  Remind people what is at stake.  Phishing is so popular that it is not a question of if it will happen, it is a question of when.



Reference: