Month: December 2014

Internet of Things (IoT) meets the Internet of Holidays (IoH)

As the OpenDNS Security Labs team took some much needed time off, we found ourselves wondering what “toys” would be connected to the Internet throughout the holiday season, and what traffic patterns would emerge as a result. This blog post will detail some of our findings through the lens of the Internet of Things (IoT) connected devices, home automation products, toys, and wearable devices.

Belkin International, Inc., an American manufacturer of consumer electronics that specializes in connectivity devices, had a relatively flat showing throughout the holiday season. The only item of note was an uptick on Monday, December 15th at 04:00 UTC. We cannot directly correlate this anomaly with any recent events so this will likely remain a mystery.
heartbeat.belkin.com
Competitor D-Link Corporation (Chinese: 友訊科技), a Taiwanese multinational networking equipment manufacturing corporation headquartered in Taipei, Taiwan, saw a similar pattern in traffic destined to signal[.]mydlink[.]com
signal.mydlink.com
If we look at signal[.]eu[.]mydlink[.]com, however, we notice a surge on Christmas Eve and Boxing Day (spanning multiple timezones). Again, another curious spike on December 9 that cannot be correlated to anything of consequence.
signal.eu.mydlink.com
One of the most noticeable spikes after Christmas was related to the Phillips Hue lighting devices. We saw peaks of more than 1,800 queries per interval which is likely associated with the installation and configuration of the lights. With the recent announcement of the 12 Monkeys television series synchronizing with Hue home lighting to match the onscreen action, we find ourselves wondering what this traffic will look like in the coming weeks.
my.meethue.com
Google-owned Nest saw very little increase during the holidays, perhaps due to the complexity required to install the devices – compared to that of a simple lightbulb. We find ourselves wondering if this will spike in the new  year and if spikes will be seen predominantly on non-workdays.
nest.com
Arrayent, Inc., a software company that has developed the Arrayent Connect Platform, experienced a sizable spike in traffic to its primary domain arrayent[.]com. The largest spikes we saw, however, were before the holidays even started – perhaps people purchasing new appliances before their guests arrived?
arrayent.com
You may not have heard of Arrayent before but you’ve probably heard of some of the brands they partner with.
arrayent-brands-slider
We looked at some of these brands including Whirlpool (whirlpool-sw1[.]arrayent[.]com).
whirlpool-sw1.arrayent.com
and Chamberlain (chamb-api[.]arrayent[.]com), a manufacturer of garage door openers and associated equipment.
chamb-api.arrayent.com
So what caused the Arrayent spike? We’re still investigating.

August[.]com, makers of the August Smart Lock, saw a significant increase leading up to and continuing through the holidays. We saw peaks as high as 3,537 queries per interval during our analysis timeframe.
august.com
The most interesting spikes, and perhaps the most concerning if you are a parent of a small child, was that of traffic associated with educational entertainment company Leapfrog. The company homepage – leapfrog[.]com – saw a significant post-Christmas surge to more than ~31,000 queries per interval. At first glance, we thought this might be related to parents’ searching for instructions on how to configure the devices for their kids, registration of the devices, and even application downloads.
leapfrog.com
Looking at some of the co-occurring domains we noticed the lfcam[.]leapfrog[.]com domain had an abnormal spike as well. One can only assume that this is in some way related to a LeapFrog camera (hence ‘lfcam’) either registering or, even more alarming, uploading pictures taken by users of the devices.
lfcam.leapfrog.com
The devicelog[.]leapfrog[.]com domain also sees a significant increase that likely correlates with newly purchased devices. Are these diagnostic messages being sent up to the LeapFrog cloud or are they usage statistics for actions taken on the devices?
devicelog.leapfrog.com
Perhaps the most depressing, yet predictable, traffic pattern observed was that of the FitBit wireless-enabled wearable devices and activity trackers. With the start of Hanukkah (on December 18) and throughout Christmas we noticed a steady decline in callbacks to api[.]fitbit[.]com. The low point, Thursday, Dec 25 at 22:00 UTC, dropped to 429 queries per interval – or as it shall henceforth be known, “The Turkey Coma Canyon”.
api.fitbit.com
We hope you enjoyed this blog post. Now throw on your activity tracker, install that connected garage door opener, install your thermostat, and hook up your new washer and dryer!

The post Internet of Things (IoT) meets the Internet of Holidays (IoH) appeared first on OpenDNS Security Labs.

Was it Korea? Probably Not…

So, was it North Korea that breached Sony Pictures Entertainment (SPE)? The FBI, Whitehouse, and a pile of other people are telling you it is. But if you were to ask me my position on the matter…simple answer, unlikely

4615968575_hiddenTruth1_xlarge

  • This was a coordinated attack targeting Sony Pictures Entertainment (SPE) and utilized a Server Message Block (SMB) Worm Tool to conduct cyber exploitation.
  • This SMB Worm Tool is equipped with a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.
  • The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure.
  • The malware has the ability to propagate throughout the target network via built-in Windows shares – this is what makes it a worm. 
  • Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems.
  • There are no callback domains associated with this malware since connections are inbound only on a specified port number.
    • 203.131.222.102 / Thailand
    • 217.96.33.164 / Poland
    • 88.53.215.64 / Italy
    • 200.87.126.116 / Bolivia
    • 58.185.154.99 / Singapore
    • 212.31.102.100 / Cypress
    • 208.105.226.235 / United States
According to an FBI press release:
As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
Some items of note (provided without any tinfoil hat, partisanship, or prejudice):
  1. The wording is carefully and purposefully used:
    • “the FBI now has enough information to conclude that the North Korean government is responsible for these actions.” – note, this does not clarify whether the Republic of North Korea launched, ordered, encouraged, or simply commented on the action. The use of the word “responsible” is purposefully vague.
  2. Correlation forcing causation:
    • “there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.” – bad guys share code and are notoriously lazy. They will use whatever it takes to get the job done. As such, code is borrowed from other attackers, purchased in underground markets, etc.
    • “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” – If you’ve ever seen a movie or television show where ‘hacking’ is depicted, you already know that attackers “hop” from server to server to conduct their nefarious activities. This is as much to hide their tracks as it is to leverage distributed resources.
    • “the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.” – again, similarities in tools and code are not enough to assign attribution.
The FBI, and other agencies, argue that the totality of the data is what makes them positive of the North Korean involvement.
In my opinion, the above components of the “total data” could be a false flag (http://en.wikipedia.org/wiki/False_flag) meant to push the investigation towards an uninvolved third-party. This would not be the first instance of false flag hacking attribution.
It is my recommendation that organizations make a conscious decision to refer to the breach simply as “The Sony Breach” and make no association to the Republic of North Korea, “cyberwar”, or “state sponsored attacks” when discussing this, and future breaches that may draw similarities.

The evidence provided thus far, or lack thereof, makes parroting and perpetuating this information irresponsible, at best, and potentially dangerous in extreme circumstances.

References:
Attack components:

SMB Worm Tool: 

This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.

Listening Implant: 

During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase “National Football League.” Additionally, this implant listens for connections on TCP port 195 (for “sensvc.exe” and “msensvc.exe”) and TCP port 444 (for “netcfg.dll”). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, “HTTP/1.1 GET /dns?\x00.” The controller then responds with the string “200 www.yahoo.com!\x00″ (for “sensvc.exe” and “msensvc.exe”) or with the string “RESPONSE 200 OK!!” (for “netcfg.dll”). The controller sends the byte “!” (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.

Lightweight Backdoor: 

This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.
Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

Destructive Hard Drive Tool: 

This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.

Destructive Target Cleaning Tool: 

This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

Network Propagation Wiper: 

The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. Checking for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32” or create a new share “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.

OpenDNS to Host the No Big Thing (NBT) Conference

logoWith BayThreat 2014 being cancelled, OpenDNS has offered to host the first day of the two day No Big Thing (NBT) conference. In a short time, the organizers of the event have had an amazing group of speakers, sponsors, and volunteers help organize a great hacker conference.

The event is currently at capacity but there is a waitlist that anyone can add themselves to.

The event includes two days of advanced information security presentations, food, drinks, and a hallway track for socializing. Starting Friday, December 5th at 2:00pm PST, OpenDNS opens its doors to kick off the conference at 135 Bluxome Street.

Schedule:

Friday, December 5th at OpenDNS (135 Bluxome St, San Francisco, CA 94107)

TimeSpeakerTopic
2:30-3:30Richo Healy“Audible networking with Groundstation”
3:30-4:30MainBoard“point bREak : trolling BBS applications and users back in the 90s”
4:30-5:00Jason Craig“SIGINT isn’t just for the government anymore”
5:00-6:00Speaker TBATopic TBA
6:00-6:30Provided dinner break
6:30-7:00Ping Yan“Applied statistics and machine learning techniques on in-app events”
7:00-8:00Alex Pinto“From Threat Intelligence to Defense Cleverness: A Data Science Approach”
8:00-10:00Provided tacos and cerveses
10:00-?Hosted party at bar TBA

 

Saturday, December 6th, the conference is being hosted at the Salesforce office (121 Spear St, San Francisco, CA 94105) starting at 10:00am.

TimeSpeakerTopic
10:00-11:00Kymberlee Price“More Libraries! More Vulnerabilities! More Things!”
11:00-12:00Morgan Marquis-Boire“Eve, Mallory, and Jack Bauer: Real threats for RealPeople”
12:00-12:30Ben Sadegh“How bug bounty hunters do and don’t”
12:30-1:00Provided lunch
1:00-2:00Wartortell“The trials and tribulations of an APTmalware author”
2:00-3:00John Menerick“Breaking or Protecting the Internet’s BuildingBlocks”
3:00-4:00TBA + break
4:00-5:00Dan Hranj and Josh Schwartz“Red vs Blue”
5:00-6:00Evan Booth“MacGyveresque creative problem solving”
6:00-8:00Provided dinner and drinks
8:00-10:00Hosted party at bar TBA
10:00-?Cash Bar Crawl (check Twitter for location updates)

 

Each evening will have a hosted happy hour and dinner with an afterparty at a local bar. We hope to see you there!

Check out our the official Twitter account for the latest announcements: @nbtcon.

For directions to OpenDNS, please use the following map for a point of reference:

Screenshot 2014-12-01 10.01.31

The post OpenDNS to Host the No Big Thing (NBT) Conference appeared first on OpenDNS Security Labs.

Scroll to top