Sunday, August 31, 2014

FUD and Bullshit: The case of Sam Bowne

What with the express purpose of our organization being responsible disclosure and security research, I felt it necessary to discuss the recent case of Sam Bowne. Here is a link to Mr. Bowne's report of the situation, which is incredibly thorough. But for those of you with the attention span of a goldfish: Sam found an anonymous FTP server via google dorking, Found Patient PII data, notified the organization of what appears to be a HIPAA violation RESPONSIBLY, and NOT as a classroom demonstration as SC magazine and seem to be implying.

Behind every bullshit story is a potential grain of truth. Perhaps Sam discussed the incident and the school/health system's response or lack thereof as an example during a class regarding computer system vulnerabilities, and some student misinterpreted Sam's story. More likely to me is media spin by SC magazine and news star looking for clickbait.

Conjecture aside, this is an issue near and dear to us, because it's a core mission for us to notify companies of potential problems just like this. I feel that in information security, a lot of companies still have a "shoot the messenger" mentality, which ultimately led to this situation.

A few people we've spoke with through social media regarding this story state that working with ISACs ( Information Sharing and Analysis Centers -- organizations that handle sharing sensitive information to organizations within a certain sector -- E.G. REN-ISAC for higher education, ES-ISAC for electrical/gas scada, FS-ISAC for finance, etc.) and CERTs as a proxy or partner for disclosure has the advantage of insulating oneself from fallout like this.

WeAreTheArtillery partners with Law Enforcement,  Private organizations, ISACs and CERTs worldwide to ensure that information is disclosed properly and issues are resolved fully, especially if we do not get a response from organizations we speak to directly. Thus far, we've fared remarkably well and have suffered no fallout, but situations like Sam's are troubling to say the least.

It is a risk that comes with the territory. Ultimately, there will be misrepresentation of facts, and corporations with shoot the messenger mentality like this. Our sysadmin who set up this system can do no wrong, but the security researcher who is telling you there is a problem and attempting to assisting in resolving it? fuck that guy.

Friday, August 29, 2014

BossaBot - New IRC Backdoor Running Around out in the wild.

Greetings Artillerymen and women,

As I was combing through RFI attacks on the IDS to fish for IP addresses to add to the RFI blacklist for project OverWatch, something new caught my eye. I'm use to seeing perlbot payloads and have been considering added a malware menageria to the OverWatch project for budding malware analysts to cut their teeth on for fun. Once a while, a binary payload comes in and it tends to be a little more interesting.

Enter BossaBot. So sadly, I wasn't the first to discover this new bot out in the wild, but my experiences with this bot and the author of that article differ in various ways. Let's start with the similarities.

1) BossaBot appears to be spread via RFI attacks via CVE 2012-1823, 2311, 2335 and 2336 (all related). Here is the PHP an attack bot attempts to execute:

As you can see, tons of Base64 encode blocks and obfuscated variable names. Let's take away the bullshit and cut to the chase:
If you're not fluent in PHP (Don't worry, I'm not either) this script checks to see if a file exists in the system's tmp directory. If it doesn't exist, it will try to wget two files and execute both of them.

The script attempts to wget binary files from hxxp:// and hxxp:// the filename "8FcGFwAT" is a 64-bit binary, while gcRLUd8K appears to be a 32-bit payload. I got to work setting up a FakeNet network and dropping the binaries on a Linux VM. FakeNet is so damned useful. Start it up and it'll catch DNS requests, HTTP requests, can do custom listeners, and so many other functions. For an amateur malware analyst like me, it makes dynamic analysis insanely easy. I combined this with a python-based irc server called miniircd . Getting this to run on a windows host with FakeNet was trivial; simply remove all instances of the chroot and setuid code and it'll run with no complaints. I was able to log the bot joining the channel #sloboz on port 8067/tcp. I didn't bother trying to test commands or determine capabilities, but could do so if there's enough demand.

Here are my observations:
-Execution sleeps for a few seconds.
-Queries for irc[.]dreamboxdb[.]com (
-Connects to on port 8067
-Joins Channel #sloboz for commands.

I did run strings against the binary,  and I think I may have found hints of another channel as well #bitchly_ or #bitchly

Here are SHA-1 sums for the two files I pulled:
0779f7734d06c1657f20e966c6633867f81fee8c  gcRLUd8K
bb5c5a893dda5314cb60f7214f339183b285f59c  8FcGFwAT

What surprises me about this is how quickly it appears to be spreading. I got news of this malware yesterday, the first article was published on 8/26, the malware has already changed CnC, and I already have over 40 attack attempts from 16 unique bots.

I've decided to add another category to OverWatch for tracking known BossaBot hosts pitching the exploit and this payload. Enjoy!


Sunday, August 24, 2014

Clarification on "Getting Shit Done"

Since it came up as a question from someone in the information security whom has years upon years of experience, I feel that explaining "We Get Shit Done" needs to be further unfurled and explained.

When we say we inform someone of malware hosted on their network, or of an inadvertently exposed server or sensitive information we don't just send an e-mail "THIS SHIT IS OUT THERE. MIGHT WANNA FIX THAT." And call it a day.

Our process for responsible disclosure is usually:

"We are a group of concerned security researchers called WeAreTheArtillery. Our mission is to find systems on the internet serving malware, inadvertently exposed services and/or inadvertently exposed sensitive information. We are here to inform you regarding the follow systems:"
We usually input IP addresses, hostnames, WHOIS information, screenshots, etc.

"We found X problem with Y IP address. We discovered X by doing Z. X is a problem for these reasons. Here is a list of potential solutions or remediations for X problem."

We always try to offer more than one solution for a given problem that we have found. We do not want organizations we contact to feel like FIX IT OR DO NOT FIX IT. THE CHOICE IS YOURS. We also understand that larger organizations have change control and change management procedures to go through. We are willing and available maintain constant contact and full confidentiality until the problem can be properly resolved.  Here's where we differentiate:

"If you need any assistance in resolving X problem or need further expertise, please feel free to reach out to us and we can guide you through resolving X."

Let me make this abundantly clear. We aren't here to point out your flaws and laugh at you. That isn't how you get shit done, that isn't how problems get resolved. We want to be a trusted partner that security researchers can disclose to and ensure the problem is fixed. We want to be a trusted organization that can partner with private companies and LEO as required. If our goals were not clear initially, I sincerely hope that this clarifies our mission.

Those "wins" that I mentioned moments ago? We worked directly with security and NOC contacts at said organizations and directly with the FBI to achieve our goals and offered ourselves as steadfast professionals willing to assist, and we will continue to do so.

A proper Introduction

Hello and Welcome to the WeAreTheArtillery blog.

We figure it's high past time for a proper introduction to our organization, our mission and our goals. This little party started with a joke what was now a few weeks ago:

"I propose a counterpart to I am the Cavalry, called I am the Artillery."
Infosec being what it is, plenty of folks loved the snark. What began as a joke very very quickly took flight:

"How about We are the Artillery instead? I am the artillery sounds self-centered."
"Cavalry changes tend to devolve into hand-to-hand combat, whereas Artillery requires a coordinated effort."
"Firing for effect."
"Our tag line is Get. Shit. Done. Here is our official spokesperson."
Before we knew it, our organization became a thing. You see, some of us got tired of the same old bullshit. This post to exemplifies what it is we're trying to change about Information Security:

"For decades, the 'cyber' security industry (*shudder*) has been FUD'ing up the joint with Die Hard/er doomsday scenarios.  This has followed a tried and true process:
1)  IT Security people couldn't hack it (PUN!) in their own lane, so they picked on the easier embedded systems / SCADAs / Internet of Thingies
2)  IT Security people 'discover' low hanging fruit that has always been in the industry (hardcoded passwords, zero patching, default everything) and claim expertise and success
3)  Give con talk
4)  Get hype
5)  Nothing happens because there is no hard evidence to convince you (the asset owners) that you should care
6)  Create cool sounding group, get all altruistic, get more hype
7)  Nothing happens...
8)  GOTO 2"

Some of us decided we have had enough of this bullshit and formed this loosely knit group.

Okay, that's all well fine and good, but what do you actually _do_ ? We get shit done. Getting shit done can be defined as:

1. Elimating FUD wherever you find it. A well-known security vendor is FUD'ing shit up? Call them out on it. Only by calling them out on rampant FUD and bullshit will we finally be able to get them to back up their bullshit with hard facts and numbers, and end the rampant abuse and overuse of stupid ass buzzwords, like APT, etc. being used as a sole justification for whatever snake oil they happen to be selling at the time. I guess you could say " did it first and does it better." and we'd agree with you, but we're going to do this anyhow.

2. Eradication of malware wherever it is found. There are several organizations that swear themselves to this (MalwareMustDie immediately comes to mind -- and we willingly partner with them, and will willingly partner with anyone who wants and needs our help on this front).

Wherever we find malware, we will do everything we can to notify parties responsible for the assets, and the internet as a whole. If you want to see examples of this, check out our github project, OverWatch. OverWatch is essentially a free malware "Intelligence Feed". Some of our members have visibility on wide swaths of internet hosts, see very interesting things on a daily basis, and wanted to share this information freely. We don't charge for this, we don't ask for anything in return. You shouldn't have to pay for an intelligence feed to get warning of a potential threat or be notified of malware running rampant across the internet. Take this information, make your network a better place.

3. Scanning for vulnerable hosts on the internet responsibly and informing asset owners of vulnerable hosts with absolutely no security checks in place. This could be anything from publicly acessible admin consoles, remote control sessions with no credentials required, exposed services that in all reality should never be exposed to the internet, etc. If you want an example of this. Take a look at Viss and co.'s work on twitter regarding VNC, and expand that to other services.We'll be enacting this soon. First, we need to get a static page up for people to request we don't scan them, configure VPS systems for scanning, Etc.

4. Google dorking. This sort of relates to 3, but deserves its own category. Google Dorking, or Google Hacking is using google's search index and querying it in unique ways to reveal sensitive information about a site or an organization. Google will slurp up anything that its crawlers find if there isn't a robots.txt or NOFOLLOW option on a webpage to tell it to NOT index something.This isn't super high-tech scanning, this isn't hacking in the "traditional" sense, but the fact of the matter your information may potentially be out there somewhere. Would you rather us find it and inform you, or would you rather someone else found it and took advantage of it to compromise your organization? Google Dorking is a fairly general term for this project, and expands into other indexes as well such as shodan and PUNKspider.

5. Other projects and ideas as they come or are possibly requested. We're always open to new ideas.

Overall, these aren't incredibly complex projects, nor do they require extreme amounts of skill but just to give you an idea, this group has been formed for little more than two weeks and already we have found and taken down

-Exposed ICS/Electrical grid data
-Exposed SCIF blueprints and financial data
-Anonymous FTP Servers hosting malware, compromised creds and network information for a variety of organizations
-Anonymous FTP Servers hosting sensitive application data for organizations
-Exposed hadoop master nodes

and this is just a start.

We're looking to make the internet a better place. We want and need your help. If you are interested in getting involved, here are a couple of ways you can do so:

1. Feel free to use us as an intermediary for disclosure. If you see something -- (malware, a vulnerable service, exposed sensitive information, etc.) and do not wish to disclose to a company or an organization yourself or accept that risk, you can use us as an intermediary. We will accept that burden for you. Contact us at with the subject "DISCLOSURE" and as much information about the organization and the security problem you uncovered as you can in order to express the gravity of the situation to them. Include screenshots if you can, how your discovered the issue and/or steps to reproduce if at all possible. You will be given full credit for the notification (if you so desire it) and the details will NOT be shared outside of the affected organization (until after the problem has been confirmed as resolved. If you do not wish to contact us via e-mail, reach out to us via twitter:

@da_667 The Major
@munin - The Commissar

...and we will set up a more secure method of disclosure (XMPP - OTR, Cryptocat, etc.) in order to accomodate you.

2. Feel free to contribute to projects 1-4, or come up with a project 5 and let us know more about it. Don't know how to google hack/google dork or anything of that nature? reach out to us. We're more than willing to share knowledge. E-mail with any information you care to provide, or questions you have and we will properly credit you with this information (if you so desire). Feel free to collaborate with us as you desire!

3. Resources. We need money for hosts on various VPSes for scanning the internet. Hosting websites, domains, SSL certs, etc. If you want to support us via financial means we will gladly accept any resources you are willing to offer to our little organization. We aren't begging for money and we aren't making donations mandatory. I guess you could call it a tip jar? Leave something if you so desire. We'll be setting up paypal and/or various *coin wallets to accept donations.

WeAreTheArtillery and we're here to get shit done. Welcome.

Sunday, August 17, 2014

Doing Web Security the Right Way (Undoing/Unfucking FUD)

Recent came across this interesting little message Via Twitter, just moments ago today:

This message links to this article. You'll notice my first mistake was in retweeting this without even looking at it. Here I was trying to be helpful and... gah. never mind. let me redress some of the points the author made:
...and countless ways for you to counter attack
No. Just no. Hackback is REALLY grey area. There are entire books dedicated to attacking attackers and a lot of legislation is still very unclear surrounding this. Unless you are a professional, known the difference between "Venom and Poison" and are willing to accept the risks... Don't go after would-be hackers. Contact professionals. Like us. People (person) who retweets things randomly.
Begin by running a full local anti-virus/malware scan. If possible, identify the machine which was hacked.
Countless articles and organizations are starting to say what information security professionals have known for years "The Era of A/V is drawing to a close; AV is dead." What does this term mean to you? Doing an Antivirus scan to identify the machine that was hacked is  no longer enough these days; see services like Virustotal. VT takes a file or a file's cryptological hash and compares it with a variety of Antivirus applications. Sometimes the malware is detected, other times it isn't. Most of the time you're lucky maybe half of all antivirus software VT tests against will detect malware. (Disclaimer: If something isn't detected on VirusTotal it is not a be-all-end-all, but it's usually not a good sign.). The point is: A/V scanning is good place to start, but alone is no longer enough.

Additionally the author makes no effort to differentiate between scanning the client workstation versus scanning the attacked web server.
Change your passwords at least once a month. It is also vital to conjure up complex passwords which make use of upper and lower case, symbols and numbers.
Okay, fair enough. Regularly changing account passwords for management consoles *is* a fairly decent idea. Complex passwords will make brute force attacks against admin consoles or SSH access that much more of an impossibility.

Never keep a document on your computer which is labelled, or contains the words ‘password’ or ‘username’. This is the easiest way for hackers to access all of your accounts and cause havoc. If you struggle to remember passwords, make use of an app like 1Password.
Questionable at best. 1Password and/or Keepass require you to store a database on your filesystem locally. Likely any would-be attack would notice a file with a .kdbx extension or whatever the hell extension lastpass uses fairly easily. The better solution would be to ensure that if you use a password management suite (which you really REALLY should) like Keepass , Lastpass or 1Password , that you should take reasonable measures to protect your files. (Password protect your Windows/Linux/Mac user account, Encrypt the drive holding this data, restrict file permissions for your password database file, etc.) That way the point above is entirely moot. Proper access control to your password management tools trumps obscurity anyday.

Do regular updates to ensure that you have the latest version of your operating system available. This way your software can detect and disable most of the latest hacks.
Patching your systems (Your local workstation and, if possible your VPS/hosting server) is a regular part of  system maintenance. If you aren't setting an update schedule for your web server and/or your workstation, you're doing it completely wrong. Be aware that patching is only one part of security; that 0-days, or vulnerabilities to software or an operating system that are unknown to software vendors are a very real thing that no amount of patching will save you from.

In addition to 0-days are "forever day" vulnerabilities; related to the "It's not a bug; it's a feature" crowd. Essentially these are vulnerabilities in Software that will never be patched for whatever reason. Patches are a very big part of software security. Update your webserver, software packages, Workstation and software packages regularly, as soon as new updates are made available, but ensure you know that patching is not the be-all end-all of security.

Consider using source as opposed to open source CMS. However, if you are using open source CMS, make sure that you always have the latest version installed, ensuring that all your plugins are up to date.
Absolute FUD plain and simple. Closed-Source and/or Open CMS systems are almost as likely to be hacked if poor security controls are maintained. Proper web server security, .htaccess, encryption, user account management, are all things that can I can take forever to explain, and In fact am working on writing documentation on doing the right way. Know that for now however this is absolute FUD. Use a CMS that works for you. If it happens to be open-source, all the better.

Avoid investing in low budget hosting plans, as the more costly plans also tend to have all the latest updates in terms of potential threats.
Good gods. This is just folklore at this point. The only differences between low-cost and higher cost hosting plans are usually bandwidth and system resources. Choosing a lower cost hosting solution has no, real tangible impact on the likelihood of your site getting hacked. This statement is bullshit through and through. Again, choose a solution that fits for your organization and budget.

Do not keep client lists on the server; rather access them remotely when you need to. Otherwise your clients may receive spam from the hacker in question.
 In most cases you really won't have a choice in the matter for this; Customer PII will need to be kept in a database that is used by a web application that is hosted on a web server. It's a fact of life. What you CAN do to make it harder for would-be hackers would be to HASH and SALT passwords, and MINIMIZE storage of personal information. Know the law. If you store Credit Card data or other PII that you need to have reasonable measures in place to protect and you may be subject to PCI and other regulatory compliance. Long story short: Storage of customer data on servers is an inevitability. Good security practices will make it less painful. We will discuss some of these practices in the future. Moral of the story: Don't blindly retweet shit.