Hackin9

A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrate how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Speigel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea's networks—which initially leveraged South Korean "implants" on North Korean systems, but eventually consisted of the NSA's own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out "Tailored Access Operations" on a variety of targets, while also building the capability to do permanent damage to adversaries' information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed for by NSA and possibly other members of the "Five Eyes" intelligence community, was also included in the dump. The code appears to be from the Five Eyes joint program "Warriorpride," a set of tools shared by the NSA, the United Kingdom's GCHQ, The Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Government Communications Security Bureau.

Read 8 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Over the past few months, I have been observing strange web queries against my honeypot where the pattern is always the same, a combination of two letters but each instance using two different letters. The pattern starts with pair of two letters, then three by dropping the last letter and last ending with the remainder 2 letters. Here are some examples:

/ewew/ewe/ew.php
/fcfc/fcf/fc.php
/bpbp/bpb/bp.php
/wcwc/wcw/wc.php
/ovov/ovo/ov.php

I have also been regularly getting requests for the Linksys CGI script /tmUnblock.cgi (GET/POST) associated with TheMoon Linksys worm [1], Wordpress login /wp-login.php [2], Coldfusion administrator page /CFIDE/administrator as well a multitude of other stuff listed below.

/cgi-bin/test-cgi
/user/soapCaller.bs
/admin.php
/MyAdmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/a2billing/customer/javascript/misc.js

This last example is URL encoded:

/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

Which equate to: [3]

-d allow_url_include=on %2Dd safe_mode=off -d suhosin.simulation=on -d disable_functions= -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redi%72ect=0 -d cgi.redirect_status_env=0 -n

[1] https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
[2] https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/
[3] http://www.asciitohex.com

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status