Tuesday, 18 December 2018

Operation Icarus - 2018: An Independent Research and Analysis

On 12 December 2018, while I was checking for some security news on Twitter, I stumbled upon a post with the hashtag #OpIcarus. The post was made by a Twitter user using the handle @LorianSynaro on 11 December, calling for others to join in the cause and, naturally, target financial organizations (FOs) worldwide.


A list of targets called "World Banking Cartel Master Target List" was shared in the form of a Ghostbin link. In this list, over 150 FOs were listed as targets.


The list, however, bears striking similarities to the lists posted on Pastebin in 2016:
https://pastebin.com/dVyqyJi5 (posted 22 March 2016)
https://pastebin.com/QcqqEdKw (posted 10 October 2016)

These lists were used in the first #OpIcarus campaign back in 2016. The only addition to the 'new' list on Ghostbin is 11 FOs under the heading "The Biggest Banks of the Globe (from the Internet):". Everything else from the "Federal Reserve of America" downwards is recycled from the 2016 Pastebin lists.

As of 18 December 2018, since the posting of that Tweet and the target list, the following FOs' websites were claimed to have been successfully "brought down" by the campaign's participants, using the hashtag #tangodown accompanied by screenshots from check-host.net as evidence.

An example of a Tweet showcasing a successful attack with the #Tangodown hashtag
The Victims

By @LorianSynaro:
  • http://www.bkam.ma/
  • http://www.banxico.org.mx/
  • https://www.bankofalbania.org/
  • http://www.centralbankbahamas.com/
  • https://www.bancaditalia.it/
  • https://www.rba.gov.au/
  • http://www.cbiraq.org/
  • https://www.bcu.gub.uy
  • https://www.bis.org/

By @Pryzraky:
  • https://www.centralbankofindia.co.in/english/home.aspx

By @__sh1z3n:
  • http://www.centralbank.org.bb/

References:
https://twitter.com/__sh1z3n/status/1074909637395267589
https://twitter.com/Pryzraky/status/1073711856513093632
https://twitter.com/LorianSynaro/status/1074342005852004353
https://twitter.com/LorianSynaro/status/1073960930025893889
https://twitter.com/LorianSynaro/status/1073317278786162688
https://twitter.com/LorianSynaro/status/1072596945259114497

Initial Findings:

One of the things I found was that out of the 11 FOs attacked, 4 of them were not in the target list. They were:
  • https://www.centralbankofindia.co.in/english/home.aspx
  • http://www.centralbank.org.bb/
  • https://www.bis.org/
  • http://www.cbiraq.org/ 
Out of the 11 FOs, 10 of them are not deemed critical websites. This means that these 10 websites are simply banking organization information, help sites and client references rather than banking websites where customers log in and perform digital monetary transactions. Also, I observed no complaints raised on social media about the inaccessibility of these affected websites.

DDoS or DoS?

One of the things I was interested in knowing was the participants' technical capabilities and the tools used to perform the attacks. To do this, I had to look at past #OpIcarus campaigns and identify the tools used.

One of the handful of posts found to be sharing tools for #OpIcarus

Interestingly, most of the tools shared by past #OpIcarus participants were similar to the list of tools recommended above. Tools like TorsHammer, Xerxes and Slowloris are "web stressing tools" designed to test the response of a web server and can be used individually. These tools are publicly available and are technically classified as denial of service (DoS) testing tools - NOT DDoS tools. Of course, one man's testing tool is another man's attacking tool.

TorsHammer, for example, is one of the most common tools used by participants to conduct DoS attacks. Even the description sounds promising.

A fave tool with 187 downloads this week!

As a matter of fact, TorsHammer has been 'recommended' for targeting unprotected web servers running on Apache.

TorsHammer used against Apache or IIS

The question now is: were TorsHammer and similar DoS tools used by the current #OpIcarus campaign's participants? To find this out, I had to use several open source databases such as IPV4info.com and Shodan to find the IP addresses of these websites and the web services they run.

Without naming the specific FOs:
  • 5 were running on Apache
  • 1 was running on nginx
  • 3 were running on IIS 7.5-8.5
  • 2 were undetermined
There is a possibility that a DoS tool was used to bring down these systems (based on the majority of affected servers being Apache based) rather than a massive set of distributed computers targeting these web servers. BUT I needed corroboration to confirm my theory. The only way to do that was to chat with the participants themselves!


Not only did I get confirmation that one of the participants was using DoS tools like Hammer and Goldeneye, I was also given a link to all the other tools used by the group, mostly DoS/web stresser tools.

Tools used by Anonymous members

While tools like TorsHammer, Xerxes and Slowloris have been reported to work well on Apache and IIS web servers, Goldeneye has been reported to successfully work on nginx.

nginx not able to withstand Goldeneye

At this point, I am pretty confident that most of the targeted websites that were successfully brought down were most likely attacked with web stresser tools rather than a full-fledged DDoS attack. However, one of the participants, @Pryzraky, who claimed to have successfully brought down the only FO website that is relied on by customers to perform digital transactions, seemed to use a different technique than the others.
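The single-source versus distributed distinction drawn above is something a defender can check directly in the victim's own access logs: a web stresser run from one machine leaves a handful of client addresses responsible for almost all requests, whereas a botnet spreads them across many sources. The following Python is an added illustration written for this post (not code from any participant, tool or FO); the log lines are constructed samples in the Apache/nginx combined format, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one host firing the same request repeatedly (the
# footprint a single-machine stresser leaves) mixed with a few normal visitors
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Dec/2018:10:00:{i:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.0"'
    for i in range(40)
] + [
    '198.51.100.2 - - [12/Dec/2018:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Dec/2018:10:00:07 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [12/Dec/2018:10:00:09 +0000] "GET /news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'garbage line that should be skipped',
]

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def source_profile(lines, top_n=3):
    """Count requests per client IP and how much of the traffic the top N sources account for."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]] += 1
    total = sum(counts.values())
    top = counts.most_common(top_n)
    top_share = sum(c for _, c in top) / total if total else 0.0
    return {"total": total, "distinct_ips": len(counts), "top": top, "top_share": top_share}

def classify(profile, min_requests=30, share_threshold=0.6):
    """Label a burst: 'quiet' below min_requests, 'single-source' when the top
    sources carry at least share_threshold of requests, otherwise 'distributed'."""
    if profile["total"] < min_requests:
        return "quiet"
    if profile["top_share"] >= share_threshold:
        return "single-source"
    return "distributed"

if __name__ == "__main__":
    profile = source_profile(SAMPLE_LOG)
    print(profile["top"], classify(profile))
```

A heavy share from one address can also be a NAT gateway, CDN or proxy in front of real users, so treat the label as a triage hint to be confirmed against request rates and user agents, not as proof on its own.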

@Pryzraky not only has Twitter and Facebook profiles but also a YouTube channel. One of the videos posted was a live demonstration of him targeting the website of NASA. The method used? An IRC botnet! This is the only participant I've researched so far who actually used a DDoS attack technique.

Taking down NASA using an IRC botnet

Conclusion:

Seeing how some of the FOs targeted were not listed in the 'Target List' shows that the list is there to promote fear rather than being a list of actual targets. At the same time, seeing that most of the affected FO websites are simply static websites conveying information about the FO, rather than sites for login or digital transactions, highlights the possibility that the participants are relying on low-hanging fruit (stressing everything and posting those that were successful).

Hence, it is possible to see malicious traffic/activities in some FOs' networks, but as long as the FO has introduced proper and adequate security protection technologies and processes (WAF, firewall rules, patching), learning from past hacktivist campaigns, I would see this campaign having little to no substantial impact on the major or mature FOs.

It is also important to note that the number of participants involved in this campaign is much smaller than it used to be (in the hundreds) in 2016. Most of the Twitter accounts, Facebook pages and groups dedicated to Operation Icarus have had little to no activity since mid-2017.

Wednesday, 31 October 2018

Solving an OSINT Challenge


During the SANS SEC487 class, Micah provided a link to an Instagram picture while demonstrating the many techniques of social media intelligence. During the talk, he challenged the class to find the location of this image. It wasn't an official challenge, but I was intrigued and I wanted to challenge myself to see what I could find. Of course it was 2 pm and my after-lunch syndrome kicked in and my eyes were tired, but this surprise challenge is what prevented me from sleeping in class!

So the challenge was: find the location of this image, an image the trainer took and posted on his Instagram.

The Flag: Find this place

The first thing I did was screenshot the image, open it in Paint, save it in JPEG format and look for possible clues in the image.



Extracting the Image from Instagram

Potential clues/artifacts that could be pivoted on

After looking at the clues, I did what many would probably do - use Google Images to see if similar images would give me the answer - but as I expected... all were strikingly similar, but none were the answer.

Google Image results


Next, using Google search with the two clues 'Constitution' and '2000', I attempted to see if any results would actually make sense to me. As the image appeared to possibly be a park, the keywords 'constitution' and 'park' were used, but the results were plentiful. I was definitely not going to take each of these results and locate them in Google Maps.

Results when keying in the term 'constitution park'

I then used the keywords '2000' and 'constitution' and I got a result that sounded American, and the others just didn't make sense to me.

Results when keying in '2000 constitution'

Using the result '2000 constitution ave' and putting it into Google Maps, I found something. But it didn't look like a public park to me. So yeah, definitely not the answer.

Trying out the first 'logical' result

Similarly to the Google search engine, I tried the same keywords on Google Maps and again, plenty of results. I was sure it was one of the hundreds, but I wasn't going to visit them one by one.

Google Maps results when keying in '2000 constitution'

Google Maps results when keying in '2000 constitution park'

So after wasting over 20 mins, I went on to find another way. This time I needed to find information that could tell me where he was at that time. The clue was on the publicly accessible URL of his Instagram pic. Date: 17 November 2017.

Date of Picture Posted

What I did then was visit his Instagram account in the hope of seeing what other pics he might have posted that could provide some clues to where he was. But unfortunately, his Instagram account was set to private! So nothing!

Instagram Account is Private

I even went to his personal website and looked for posts within the date range of 10 November to 20 November, but nothing! Absolutely nothing that could help me. Then I recalled he has a Twitter account that was set to public! With his Twitter handle and using advanced search, I was hoping to find something.

Twitter Advanced Search Option
That's when I found a single post that could be the holy grail for finding what I was eventually looking for. It was a retweet of a post from a Twitter account tagging him, dated 14 Nov 2017!

Retweeted on 14 November. A possible clue!

Accessing the original post, the next clue was '@hcpss_arl'. And yeah, that's him for sure!

Confirmed his physical presence at this location

Twitter Profile of HCPSS ARL
Visiting the Twitter account of @hcpss_arl led me to its website and the address! The Google Maps link was definitely a bonus!
  
Address of the institution Micah was at
Now that I am here, what next?

Location of the Institution on Google Maps

This is where my keyword search came in handy! If you have not noticed it before, Google Maps provides results that are nearest to the location you are viewing at that moment. So by typing '2000 constitution', it would get me all the addresses containing '2000 constitution' closest to the location of the map I was currently viewing. In this case it showed 2000 Constitution Avenue Northwest, Washington, DC.

The first result that is closest to the institution

The distance from the institution to the 2000 Constitution Avenue
This was the time my confidence level shot up, because the location definitely looked like a park to me!

Looks like a Huge Park!!!


Now it was time to find exactly where the image was taken. Street View to the rescue!!

Street View of the location

And finally!!! I found the exact location where the artifacts in that original image are present, now in Street View itself!

Location Finally Found!

When I showed this to a classmate, he asked a very good question. The Tweet was dated 14 November and the image posted on his Instagram was dated 17 November. So in a way, although I got my answer right, I was actually drawing invisible dots to connect the timeline of events.

This was where I needed to come up with a theory myself to justify my connecting of the invisible dots, so the two theories are:
1) Micah could have stayed a few days around the area of the institution before he drove down to the park on the 17th.
2) Micah could have driven down to the park after his lesson, taken that pic on 14 November itself and decided to post it on the 17th instead.

Only the trainer knows the logical and true answer and unfortunately I wasn't able to get it from him. But I was pleased to see his reaction when I told him that I had found the location, and his response was "Oh You Did?!". I am definitely not sure if this was the intended way to find the location of the image, and I'm sure some of the readers stumbling upon this blog would probably go... "meh..", but nonetheless I was happy to 'capture the flag'!



Tuesday, 30 October 2018

SANS SEC487 OSINT Training and CTF

I had a great week attending the OSINT SEC487 training conducted by SANS here in Singapore. Initially I wanted to take the SANS Cyber Threat Intelligence FOR578 training, as my current field of work is exactly that; however, due to schedule and commitments, I couldn't sign up for it. But as I was going through the list of available training that could benefit and enhance my daily job, I stumbled upon this OSINT course and thought it could definitely help with my everyday investigations. You see, part of my job is to analyse threat actors and their IOCs, research their TTPs and all that CTI stuff using open sources and tools to deliver the work. So when I saw the modules of this training, I knew this would be something that would definitely benefit my current scope of work.

Micah Hoffman (@webbreacher) the OSINT trainer

The wallpaper of the VM provided for the training

I thoroughly enjoyed the training, and Micah was a great trainer, well spoken and easily understood. In spite of me doing OSINT and applying it in my work and personal research since 2013, I learned a handful of new things, new techniques and new features of everyday things we rely on during the course of the training. I would definitely recommend it to anyone who wants an understanding of OSINT, especially if you are in a field where you have to rely on open source resources, the fundamentals of the deep and dark net, and a feel for finding information legally without hacking; one should consider taking this training. I do hope SANS would consider exploring an advanced version of this, expanding its 'sock puppet' technique into a full cyber HUMINT module for intelligence collection, gathering, analysis and reporting.

While the training is all fun and good, I was greatly looking forward to the sixth-day Capture the Flag event! That's when you get to apply the techniques you learned, AND if you do well, the winning team gets the rare SANS coin.

The SANS SEC487 CTF winner coin


The CTF on the sixth day was a tough one. It wasn't straightforward. You don't know if the answer you found was the right answer, and the good thing was you could use whatever technique you learned to find them. The more you think out of the box, the more ways you are able to expand your findings. Winning this CTF was not just about doing well; you needed to present your findings to everyone and eventually be voted for by everyone. In that manner, it was indeed a tough process to win. Imagine thinking you have done well but eventually not being voted the winner. So yeah, tough one!

So after a full five hours of 'find, research, analyse, recommend and report', I was happy that our team, all very passionate about their tasks, was voted the winner!

The winning team posing with the trainer

This is my third SANS training and the third time winning their sixth-day CTF challenge! The last time was way back in 2013!

SANS 560 (GPEN), 542 (GWAPT) and 487 (OSINT) CTF coins.

Blog posts on past SANS CTF experiences:
http://securityg33k.blogspot.com/2013/09/sans542-gwapt-ctf-won.html
http://securityg33k.blogspot.com/2013/11/sans-560-gpen-training-and-ctf-event.html
http://securityg33k.blogspot.com/2014/01/sans-holiday-hack-challenge-2013.html