Putnam County State Government Hacked by Ghost Squad Hackers

As if you needed yet another reminder that our local elections and governments are not safe: earlier today, October 30th 2019, “M1rox” of Ghost Squad Hackers announced a hack of the Putnam County State Government of Ohio. Though no data was leaked in conjunction with today’s announcement, the defacement of the county’s website indicates that the hacker was able to gain full root access over the entire website itself – theoretically along with all of its data.

While the hacker may not have had any political motives, at least in terms of conducting espionage for other countries, the news comes within weeks of Mississippi’s warning that close to 75% of the state’s offices are not prepared to mitigate, deflect or handle a cyber attack against them. Expectedly enough, upon analyzing the website myself, Putnam County’s home page lacks even SSL/TLS. Regardless, as M1rox once again reminds us, our state and local governments are far from safe as we continue to inch closer towards 1 year until the elections.

Target: hxxp://putnamcountyohio.gov/
Deface: http://putnamcountyohio.gov/index.htm
Deface Mirror: https://defacer.id/archive/mirror/7291500

 

Behind The Headlines, Understanding The Circumstances Surrounding The Creation of The Silex Botnet

For those of you who might not be aware, news of the Silex Botnet was first broken by Akamai and published on ZDNet by Catalin Cimpanu on June 26th. Now, normally I would link to ZDNet’s article and give them full credit for their reporting on the matter, but they would never link to this follow-up report by yours truly – so fuck them, honestly. With that established, what I have is a transcript of a conversation with the hacker(s) who built the botnet, the actual source code of the botnet itself, as well as an interview with the hacker who trained the botnet’s creator(s). You may have heard of them before: “0x20k” of Ghost Squad Hackers, ranked as one of the world’s top 10 botnet builders.

But, without any further ado, let’s start with the good and juicy stuff – shall we? Here’s a full copy of the source code for the Silex Botnet. Please note that I will be keeping the plain text file redacted, so you’re just going to have to learn the C language and reconstruct the code yourself if you really want it that badly.

Full 6 Page Source Code – Silex Botnet (PDF): https://roguemedia.co/wp-content/uploads/2019/07/Silex.pdf

With that out of the way, let’s talk about why all of this happened in the first place. According to the botnet’s architect, “Light The Sylveon,” it was actually all just an accident/mistake – really. In a transcript of a conversation seen by Rogue Media Labs, Light goes on to explain how they are “sorry” for having created the botnet and “didn’t know it would have such a large impact, to be honest.” As a result, Light is actually considering “quitting” the underground black-hat life, though they have plans to continue learning and becoming a better botnet builder in the future.

As for why the hackers behind the creation of the botnet reached out to me, it’s because they want the tech world to know that the Silex Botnet was never meant to become as large as it has, that Light is not some attention-seeking whore – so to speak – and that they are honestly sorry for what has happened because of it. Essentially, Light was messing around with some new ideas/concepts and created something they weren’t fully prepared to handle – nothing more, nothing less.

As for an update on the Silex Botnet’s reign of destruction, according to Light, as of July 2nd 2019 the botnet has already bricked over 10,000 devices worldwide – up from around 2,000 devices a little less than a week ago on June 26th. Additionally, for those of you who might not have been read into it, Silex literally has no other purpose than to seek and destroy – completely blocking owners from their own devices. The source code of Silex itself was essentially designed to be a carbon copy of BrickerBot, only with their own unique spin on it. Silex also does not round up devices for use in DDoS or crypto-mining like most other modern botnets, nothing like that. Instead, Silex merely searches and destroys, infecting devices with the intent of locking the owners out of the device, wiping all storage space, dropping its firewall rules and bricking it completely. Kind of cool, for an accident anyways – right?

Lastly, Light was trained by “0x20k” of GSH, which probably explains how/why Silex attacks through default Telnet credentials – the primary means through which 20k’s Ficora Botnet also infected Internet of Things (IoT) devices in the past. On top of this, Light claims to have developed Silex with the help of 3 other hackers, who did not want to be identified/implicated publicly.

Ghost Squad Hackers Begin Rolling Out Source Codes To New Tools Coded by Different Group Members

I may be a little late to the game on this post, but that doesn’t mean I don’t have some inside information on the subject. For anyone who might not have been aware, throughout June 2019 “S1ege,” “Neckros” and “D4rkstat1c” of Ghost Squad Hackers (GSH) have become very active in unveiling a series of highly advanced tools to the world. Interestingly enough, world-famous botnet builder “0x20k,” also of Ghost Squad Hackers, released a statement this morning reading “let’s say (GSH) isn’t that active anymore, but soon will” – perhaps indicating that a large-scale operation may be imminent or has already long since been underway, especially considering the release of the following tools.

S1ege

Entitled “Ghost Delivery” and released to the public for the first time on June 5th, the tool is a Python script used to generate an obfuscated .vbs script that delivers a payload (a payload dropper) with persistence and Windows antivirus-disabling functions. Moreover, in statements to Rogue Media Labs, S1ege explained:

This tool creates an obfuscated .vbs script to download a payload hosted on a server to the %TEMP% directory, execute the payload and gain persistence by editing registry keys and creating a scheduled task to run the payload at login. Features: Downloads payload to TEMP directory and executes payload to bypass Windows SmartScreen. Disables Defender, UAC/user account control, Defender Notifications, injects/creates Command Prompt and Microsoft Edge shortcuts with payload path (%TEMP%/payload.exe), adds a scheduled task called “WindowsDefender” for payload to be run at login and obfuscates the vbs delivery script. This tool also has a serveo function to deliver obfuscated vbs script. Prerequisites: Python 2.7

S1ege also goes on to specify that “Neckros and Necronomikon coded Javascript encoder.” Perhaps most importantly, S1ege also stated that the free version of this tool will not be available forever, so best get the source code while you still can. Consequently enough, this might also explain why they would dump something like this out in the open, perhaps baiting buyers into paying for the more advanced version they’ve kept to themselves.

Source Code: https://github.com/s1egesystems/GhostDelivery/blob/master/GhostDelivery.py
File README: https://github.com/s1egesystems/GhostDelivery/blob/master/README.md
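The artifacts S1ege lists above (a logon task named “WindowsDefender”, shortcuts retargeted to %TEMP%\payload.exe, Defender and UAC switched off) are concrete enough to hunt for. The following is an added triage script for a single Windows host, written for this page and not part of the GhostDelivery project; it assumes the standard Windows PowerShell cmdlets, and the registry values it checks are the well-known Windows policy values named in its comments, not anything taken from the tool.

```powershell
# Added example (not from the GhostDelivery project): look for the host artifacts
# the statement above describes. The task name and the %TEMP%\payload.exe path come
# from the page; the registry values below are standard Windows policy values.
function Find-GhostDeliveryArtifacts {
    # 1. A scheduled task named exactly "WindowsDefender". The real product keeps its
    #    tasks under \Microsoft\Windows\Windows Defender\ with longer names, so an
    #    exact match on this bare name is a strong signal.
    foreach ($task in (Get-ScheduledTask -TaskName 'WindowsDefender' -ErrorAction SilentlyContinue)) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        "Scheduled task $($task.TaskPath)$($task.TaskName) runs: $actions"
    }

    # 2. Shortcuts whose target resolves into the user's TEMP directory (the statement
    #    says Command Prompt and Edge shortcuts get pointed at %TEMP%\payload.exe).
    #    Desktop, Start Menu and the taskbar pin folder are where such shortcuts live.
    $shell   = New-Object -ComObject WScript.Shell
    $tempDir = [System.IO.Path]::GetTempPath().TrimEnd('\')
    $roots   = @('Desktop', 'StartMenu', 'CommonStartMenu', 'CommonDesktopDirectory' |
                 ForEach-Object { [Environment]::GetFolderPath($_) })
    $roots  += Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    foreach ($lnk in (Get-ChildItem -Path $roots -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue)) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -and $target.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)) {
            "Shortcut $($lnk.FullName) points into TEMP: $target"
        }
    }

    # 3. Defender state: real-time monitoring switched off, or the policy value that
    #    disables the engine outright.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.DisableRealtimeMonitoring) { 'Defender real-time monitoring is disabled' }
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) { 'Defender policy DisableAntiSpyware=1 is set' }

    # 4. UAC: EnableLUA=0 turns off User Account Control prompts system-wide.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($uac -and $uac.EnableLUA -eq 0) { 'UAC (EnableLUA) is disabled' }
}

$findings = @(Find-GhostDeliveryArtifacts)
if ($findings.Count -eq 0) { 'No Ghost Delivery style artifacts found' } else { $findings }
```

Run it in an elevated PowerShell session so the scheduled task and HKLM queries are not silently short-circuited by permissions; each line of output is one artifact to triage by hand.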

D4rkstat1c

Unfortunately, D4rkstat1c is one of the members of Ghost Squad Hackers I’ve never worked with before, but I learned of their recent releases via “M1r0x.” According to a press release posted online dated June 30th 2019, D4rkstat1c explains how their new tool “Red Ghost” is a “Linux post exploitation framework designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.” Moreover, new privilege escalation techniques were just added/updated last night, July 1st 2019.

Source Code: https://github.com/d4rk007/RedGhost/blob/master/redghost.sh
Red Ghost README: https://github.com/d4rk007/RedGhost/blob/master/README.md

On top of this, D4rkstat1c also released the framework of another tool earlier in June called “Blue Ghost,” a self-described “network tool designed to assist blue teams in banning attackers from Linux servers,” going on to explain how “This tool utilizes various Linux network tools and bash scripting to assist blue teams on defending Debian and Ubuntu based servers from malicious attackers.”

Installation: https://github.com/d4rk007/BlueGhost/blob/master/install.sh
Source Code: https://github.com/d4rk007/BlueGhost/blob/master/.blueghost
Blue Ghost README: https://github.com/d4rk007/BlueGhost/blob/master/README.md

Presidency International School of Bangladesh Hacked/Defaced by M1r0x of Ghost Squad Hackers

Late last night, during the early morning hours of May 5th 2019, “M1r0x” (@M1r0x_) of Ghost Squad Hackers announced the hack/defacement of the website belonging to The International School of the Presidency in Chattogram, Bangladesh. It’s not exactly known how M1r0x was able to compromise the site; all we know at this point is that they were able to edit the website’s ‘About Us’ section with an advertisement for Ghost Squad and all of the group’s members – an edit which is still visible to the public at the time of this article. In a message attached to the hack, M1r0x also stated that they ‘were back’ – perhaps indicating that more hacks are on the way.

This is also M1r0x’s 3rd such hack, deface and/or data theft of a South East Asian institution within the last 3 months, adding to a hack of Bung Subdistrict Administrative Organization of Thailand last month, and a hack of Rahmatullah Model High School in Bangladesh a month before that. Prior to that, M1r0x had been making their presence felt in conjunction with the ongoing operations surrounding #OpSudan.

Read More: https://roguemedia.co/?s=%22M1r0x%22&x=0&y=0

Hack of Presidency International School 5/5/2019

Website: hxxps://presidencybd.edu.bd/web/index.php
Deface: https://presidencybd.edu.bd/web/mpage_principal.php
Deface Mirror: https://mirror-h.org/zone/2112005/


https://twitter.com/M1r0x__/status/1125000689065897984

Exclusive: A Look Into The Indictment Charges Against Russia’s “Fancy Bears”

From Dark Reading to Infosec Magazine to Security Affairs, Bleeping Computer and Softpedia, almost every source for cyber-related news has come out with a story over the last several days covering the indictment of 7 GRU (Russian Military Intelligence & Russian Intelligence Directorate) operatives by Attorney General Jeff Sessions and the United States Department of Justice. Each is being charged with various hacking-related crimes carried out over the course of the last several years, allegedly including the hacking of the World Anti-Doping Agency and the Democratic National Committee – among many others.

However, instead of writing a 6th different article about the news for RogueSecurity, I am going to include some pieces of information that none of the other authors or articles could possibly know or include. For example, you might not know it, but during my time within the Anonymous Hacker Collective the “Fancy Bears” were one of my contacts for the WADA leaks, and I was personally involved in the leaking of information resulting in the dismantling of the United Cyber Caliphate – both of which are implicated in the DOJ’s latest press release this week.

But before getting into that, piecing together different parts of the story: as was reported by Sergiu Gatlan of Softpedia News, before the US announced its indictment of 7 GRU operatives, Dutch authorities first implicated 4 of them in a cyber attack against the Organization for the Prohibition of Chemical Weapons (OPCW) dating back to this past April. In his coverage of the news, Gatlan explains how the four “GRU operatives named by the Dutch Military Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) are two hackers Evgenii Mikhaylovich Serebriakov and Aleksei Sergeyevich Morenets, and their two support agents Alexey Valerevich Minin and Oleg Mikhaylovich Sotnikov.” Adding that “According to official statements, the four GRU agents were known as Unit 26165 operatives, also known as Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).”

Official Press release from Dutch Authorities: https://www.justice.gov/opa/page/file/1098576/download

On top of that, as was also reported by Lawrence Abrams of Bleeping Computer, those 4 men and three others, including “Ivan Sergeyevich Yermakov, Artem Andreyevich Malyshev, and Dmitriy Sergeyevich Badin,” were each indicted on separate charges by the United States Government. Yermakov, Malyshev and Badin are each said to have belonged to a separate wing of the Russian military going by the name of “Unit 26165.”

About the indictments in question, US Attorney General Jeff Sessions was quoted as saying that all 7 GRU operatives were going to be charged with “multiple felonies, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program.” Later adding that “We are determined to achieve justice in these cases and we will continue to protect the American people from hackers and disinformation” – though it is an almost certainty the hackers will never be extradited from Russia.

Press Release from US Department of Justice: https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and

Additionally, according to another press release this week from the UK’s National Cyber Security Centre (NCSC), one of 3 groups joining Dutch authorities and the United States Federal Bureau of Investigation in a joint investigation of the “Fancy Bears,” the GRU is alleged to have operated, dating back to 2015, under the aliases of the following cyber groups:

  • APT 28
  • Fancy Bear
  • Sofacy
  • Pawnstorm
  • Sednit
  • CyberCaliphate
  • Cyber Berkut
  • Voodoo Bear
  • BlackEnergy Actors
  • STRONTIUM
  • Tsar Team
  • Sandworm

Official Press Release from NCSC: https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed

United Cyber Caliphate Implicated As Russian Intelligence?

This is where the UK’s Cyber Security Centre got it outright wrong, in my humble opinion. Even their own release prefaces the list by saying we are “highly confident” and “almost certain” the GRU was behind all these groups, incidents and hacks, but that doesn’t necessarily mean the GRU actually was – does it?

The fact of the matter is that the United Cyber Caliphate’s doxx list was directly placed into my hands, and I have had direct contact with various people, groups and hacking leaders associated with it for many years now – including the people behind the hack of the Caliphate in 2016, Ghost Squad Hackers. In fact, through the Anonymous Intelligence Agency, I am the source which first leaked the entire doxx list directly into the hands of the United States Central Intelligence Agency before it ever went public...

Knowing this, and knowing several of the partners involved, I can say with absolute certainty that “Russia” and Russian operatives have/had absolutely nothing to do with the CyberCaliphate, its formation or its later collapse. Having direct personal knowledge of this also calls into serious question the viability of at least some of the other groups/charges implicated in the aforementioned report.

Doping, Lies, Cover Ups & The 2016 Olympic Games

The other part of the news I would like to call into question is all of the “misinformation” and “politics” surrounding the 2016 Olympic Games. Quoting Jeff Sessions’ own press release, “As part of its influence and disinformation efforts, the Fancy Bears’ Hack Team engaged in a concerted effort to draw media attention to the leaks through a proactive outreach campaign.” Going on to explain how “The conspirators exchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the exposure and effect of their message.”

This is particularly interesting to me because, as it turns out, I was one of those 186 reporters/sources named by Sessions and the US Justice Department...

With that established, I would just like to have a brief discussion about the true size and scope of all the politics at play here, behind closed doors and out of the public eye. Of course, this conversation contains so much “privy” information that it is almost hard not to make it sound like some sort of conspiracy theory. So, try and do your best to keep up.

Yes, Russian hackers/agents/operatives were indeed hacking various countries and international agencies, and yes, some Russian athletes may very well indeed have tested positive. But not all 111 Russian athletes banned from the games that year tested positive, nor did every single member of Russia’s special Olympics team. Additionally, do you remember how Serena Williams, the single largest competitor named in the banned substance leak, was beaten handily in the opening round of the games? Think that was just an accident?

As was reported by Dark Reading, “US officials allege that the Russian intelligence operatives stole credentials and personal medical histories, including data pertaining to the therapeutic use of otherwise prohibited substances, of some 250 athletes from 30 countries. They then released the information in a selective and often misleading manner and made it appear as if it was being leaked by Fancy Bear, a hacking outfit that has long been suspected of being associated with Russia’s GRU.”

According to Jeff Sessions, “The goal was to retaliate against the organizations and the individuals that had exposed Russia’s doping program by systematically spreading misinformation to discredit and delegitimize their efforts. Among the goals was an effort to damage the reputations of athletes by making misleading claims about their use of banned or performing enhancing drugs.”

The fact of the matter is that the Olympic Games have been and always will remain highly political. You may remember Germany was once banned from the games entirely? What happened to Russia in 2016 was no different. Russian Olympians were smeared and banned from the games as punishment for the Russian Government going around the world and hacking so many countries, whilst also interfering in various international elections. Consequently enough, this is also why groups like the Fancy Bears arose and went so far out of their way to do what they did. The DOJ’s wording this week was very “clever,” but the fact of the matter is that clean Russian athletes were banned from the games while athletes from Western democracies, such as Serena Williams, who tested positive for banned substances, were given free passes to continue competing. This is also why the Fancy Bears leaked these people’s medical records just before the games first kicked off: to show people what truly goes/went on behind the scenes.

Lastly, from the DNC and Hillary Clinton to the World Anti-Doping Agency (WADA), regardless of how mad it may make you, none of the information leaked by “the Russians” has ever been proven false or untrue. So, don’t let “politics” or “nationalism” confuse “intelligence.”

Other Notes from The Implications

Having covered the Russian Zapad war game drills back in 2017, one of the most interesting pieces of information I came across from all the reporting this week was the fact that the 4 Russian agents implicated by the Netherlands were driving around different countries in rental cars, using previously unseen technology to hack various public buildings. This was particularly interesting to me because, as part of the 2017 Zapad drills, I specifically remember reporting how the Russian military had debuted “programmable hacking drones” with the capability of flying over different targets, bouncing programs, code or signals to them and thus uncovering things like passwords and/or other sensitive information about the devices they flew over. For example, these drones had the capability of hacking dozens of soldiers’ personal Facebook accounts as they flew by. 2017 also marked the first time in history the Russian military was willing to make these machines public knowledge.

As was also covered by Softpedia News this week, “Peter Wilson, UK’s ambassador to the Netherlands, told the BBC that the (GRU) unit had ‘sent officers around the world to conduct brazen close access cyber operations’ involving Wi-Fi networks hacking among other infiltration techniques.” Adding that “Using intelligence from UK agents, the Dutch MIVD were able to find out that the GRU hacking team was planning an operation using a new technique at the OPCW.”

For example, “When intercepted, the boot of the car they were in contained hacking equipment one can use to intercept login details and the antenna used to access Wi-Fi networks was pointed at the OPCW headquarters.”

What They Found Inside The Trunk:

[Image: photograph of the hacking equipment found in the car’s trunk]

All said and done, GRU agents are said to have conducted this style of car-based hacking attack in Malaysia, Brazil and Switzerland. However, the true extent of the operation and the number of countries, politicians, landmarks or buildings compromised is impossible to quantify at the present moment in time. Relating the two stories together, from “fly-by” drone hacking to “drive-by” car hacking, the Russians seem to have perfected the art of mobile hacking.