(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

NGA headquarters. A trove of top secret data processed by NGA contractor Booz Allen Hamilton was left exposed on a public Amazon cloud instance. (credit: Trevor Paglen)

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton. And the files within were connected to the US National Geospatial-Intelligence Agency (NGA), the US military's provider of battlefield satellite and drone surveillance imagery.

Based on domain-registration data tied to the servers linked to the S3 "bucket," the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache were a Booz Allen Hamilton engineer's remote login (SSH) keys and login credentials for at least one system in the company's data center.

[Update, 5:10 PM] UpGuard's post suggested the data may have been classified at up to the Top Secret level. A Booz Allen spokesperson told Ars that the data was not connected to classified systems. However, the credentials included in the store could have provided access to more sensitive data, including code repositories.


OpenLDAP 'servers/slapd/back-mdb/search.c' Denial of Service Vulnerability
Sudo '/src/ttyname.c' Local Privilege Escalation Vulnerability
Mozilla Network Security Services CVE-2017-7502 Denial of Service Vulnerability
strongSwan CVE-2017-9022 Denial of Service Vulnerability
Multiple Hitachi Products CVE-2017-9295 XML External Entity Information Disclosure Vulnerability
Juniper Junos Space CVE-2017-2305 Remote Privilege Escalation Vulnerability
Microsoft Domain Controller Remote Code Execution Vulnerability

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

[CVE-2017-5688] Executable installers are vulnerable^WEVIL (case 52): Intel installation framework allows arbitrary code execution with escalation of privilege


In my previous diary I gave a very brief introduction to the ACH method [1], so that all readers, including those who had never seen it before, share a basic understanding of it. One thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency Counting algorithm but also factors in the credibility and relevance weights assigned to each item of evidence. For each item of evidence, a consistency entry of I …
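As an added illustration of the two counting algorithms named above (this is example code written for this page, not code from the diary, from the PARC ACH software, or from Digital Shadows), the following script scores a small evidence matrix both ways. The rating symbols (CC, C, N, NA, I, II), the cell values of -1 for I and -2 for II, and the Low/Medium/High weights of 0.707/1.0/1.414 are my assumptions about how the weighted variant is usually implemented; the hypotheses and evidence items are constructed for the demonstration and are not findings about WCry.

```python
"""ACH scoring: Inconsistency Counting vs. Weighted Inconsistency Counting.

Added example, not the diary's own code. Rating symbols, cell values and the
Low/Medium/High weights are assumptions modelled on the common ACH tooling.
"""
from dataclasses import dataclass

# Only inconsistent cells count against a hypothesis; consistent, neutral and
# not-applicable cells contribute nothing (assumed convention).
INCONSISTENCY = {"CC": 0.0, "C": 0.0, "N": 0.0, "NA": 0.0, "I": -1.0, "II": -2.0}
# Credibility / relevance weights (assumed values).
WEIGHT = {"Low": 0.707, "Medium": 1.0, "High": 1.414}


@dataclass
class Evidence:
    label: str
    credibility: str          # Low / Medium / High
    relevance: str            # Low / Medium / High
    ratings: dict             # hypothesis name -> rating symbol


def inconsistency_score(evidence, hypotheses):
    """Plain Inconsistency Counting: sum of -1 / -2 per inconsistent cell."""
    return {h: sum(INCONSISTENCY[e.ratings[h]] for e in evidence) for h in hypotheses}


def weighted_inconsistency_score(evidence, hypotheses):
    """Weighted variant: each cell value is multiplied by both weights."""
    scores = {}
    for h in hypotheses:
        total = sum(INCONSISTENCY[e.ratings[h]] * WEIGHT[e.credibility] * WEIGHT[e.relevance]
                    for e in evidence)
        scores[h] = round(total, 3)
    return scores


def rank(scores):
    """Least negative first: the hypothesis with the fewest (weighted) inconsistencies survives best."""
    return sorted(scores, key=lambda h: scores[h], reverse=True)


def non_diagnostic(evidence, hypotheses):
    """Evidence rated identically against every hypothesis discriminates between none of them."""
    return [e.label for e in evidence if len({e.ratings[h] for h in hypotheses}) == 1]


# Constructed hypotheses and evidence for the demonstration (not real WCry findings).
HYPOTHESES = ["H1", "H2", "H3"]   # e.g. H1 state actor, H2 criminal group, H3 lone hacktivist
SAMPLE_EVIDENCE = [
    Evidence("E1 code overlap with earlier tooling", "Medium", "High",
             {"H1": "C", "H2": "I", "H3": "II"}),
    Evidence("E2 low ransom revenue relative to spread", "High", "Medium",
             {"H1": "C", "H2": "II", "H3": "N"}),
    Evidence("E3 kill-switch domain left unregistered", "High", "Low",
             {"H1": "N", "H2": "I", "H3": "C"}),
    Evidence("E4 sample written in C++", "High", "Low",
             {"H1": "C", "H2": "C", "H3": "C"}),   # fits every hypothesis: no diagnostic value
]

if __name__ == "__main__":
    print("plain   :", inconsistency_score(SAMPLE_EVIDENCE, HYPOTHESES))
    weighted = weighted_inconsistency_score(SAMPLE_EVIDENCE, HYPOTHESES)
    print("weighted:", weighted)
    print("ranking :", rank(weighted))
    print("non-diagnostic evidence:", non_diagnostic(SAMPLE_EVIDENCE, HYPOTHESES))
```

Note how the weighting changes the gap between hypotheses but not the absolute sign: a hypothesis is never rewarded for consistent evidence, it is only penalised less for inconsistent evidence. The `non_diagnostic` helper is the check worth running before reading any score, since evidence that fits every hypothesis inflates confidence without discriminating between them.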

Today I will apply ACH to a recent and well-known case: WCry attribution. There have been many analyses and much speculation around it; lately several sources in the InfoSec community have tied WCry strongly to Lazarus Group [3][4][5][6], while others have given reasons to be skeptical of that attribution [7]. It is therefore a perfect case for showing ACH in use: several different hypotheses, facts, pieces of evidence and assumptions.

Digital Shadows WCry ACH analysis

About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8]. Regarding possible attribution to Lazarus, though, their post states: "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore the hypotheses they considered do not include one specifically for Lazarus; in its place there is a more generic nation-state or state-affiliated actor. The following are the four different hypotheses considered by Digital Shadows:
