Tag Archives: GCHQ

GCHQ disrupts Anonymous using Denial of Service attack

A PowerPoint presentation that was prepared for a NSA conference back in 2012 showed that the Joint Threat Research Intelligence Group or JTRIG executed a project named Rolling Thunder. The aim of the attack was to drive away members of Anonymous from internet chat rooms.

JTRIG was also noted to enter chat rooms used by Anonymous to identify hackers within the room, armed with this information they would be able to build cases against these hackers and, in turn, gain knowledge of who was involved in particular attacks.

Sources familiar with Rolling Thunder confirmed to NBC that the intelligence agency had targeted particular chat rooms where they believed groups of Anonymous members were gathering to discuss criminal activities.

Not only did the actions of GHCQ disrupt the grouping of Anonymous members but it also disrupted other hacktivists who were arranging Letter Drops, Protests and other legal ways of protesting against their chosen causes.

The documents include excerpts from the chat room including one user trying to check if he was the only one affected, “Was there any problem with the IRC network? I wasn’t able to connect the past 30 hours.” Another user responds “Yeah, We’re being hit by a syn flood. I didn’t know whether to quit last night, because of the DDoS.”

In a statement from GHCQ to NBC a spokesperson confirmed, “All of GCHQ’s work is carried out in accordance with a strict legal and policy framework.”

Source: NBC News | Image by Shuttershock

GCHQ disrupts Anonymous using Denial of Service attack – Neowin.

computer keyboard

Intelligence agencies will work alongside the private sector to combat cybercrime. Photograph: Martin Rogers/Workbook Stock

Cyber-security experts from industry are to operate alongside the intelligence agencies for the first time in an attempt to combat the growing online threat to British firms.

The government is creating a so-called fusion cell where analysts fromMI5 and GCHQ, the domestic eavesdropping agency, will work with private sector counterparts.

The cell is part of the Cyber Security Information Sharing Partnership (Cisp), launched on Wednesday, to provide industry with a forum to share details of techniques used by hackers as well as methods of countering them.

At any one time there will be about 12 to 15 analysts working at the cell, based at an undisclosed location in London.

“What the fusion cell will be doing is pulling together a single, richer intelligence picture of what is going on in cyberspace and the threats attacking the UK,” a senior official said.

“What we are trying to do is get that better intelligence picture and push it out to industry in a way that they can take action on, so it is very action-orientated.”

Although the industry representatives will not have direct access to classified intelligence material, they will face security vetting.

The Cisp initiative grew out of talks in 2011 between industry and David Cameron. It led to a pilot project last year involving 80 leading companies, codenamed Programme Auburn. It will be expanded to cover 160 firms from the finance, defence, energy, telecoms and pharmaceutical sectors.

With companies reluctant to discuss cyber-attacks or breaches of security in public, officials acknowledge that confidentiality is crucial, so companies involved will not be named.

“Everything about information-sharing has to be based on trust,” another official said. “Most companies still remain cautious about talking about the cyber threats they face in public.”

The firms will have access to a secure web portal, described as a “Facebook for cyber-security threats”, run on social network lines, where they can choose who they share information with.

It is expected that other firms will be invited to join as the scheme develops, although officials stressed that future expansion would be at a pace consistent with maintaining trust and confidentiality.

Launching the scheme, the Cabinet Office minister, Francis Maude, said the government was determined to make Britain one of the safest places to do business in cyberspace.

“We know that cyber-attacks are happening on an industrial scale and businesses are by far the biggest victims of cybercrime in terms of industrial espionage and intellectual property theft, with losses to the UK economy running into billions of pounds annually,” he said.

“This innovative partnership is breaking new ground through a truly collaborative partnership for sharing information on threats and to protect UK interests in cyberspace.”

MI5 and industry join forces to fight cybercrime | Technology | guardian.co.uk.

Cyber attack methods

Video: Cyber attacks are developing at a quick rate, says the report

Enlarge

The UK‘s armed forces are now so dependent on information and communication technology that they could be “fatally compromised” by sustained cyber attacks.

The Defence Select Committee has produced a report that questions the military’s contingency plans and urges the Government to do more to address the threat.

“It is our view that cyber security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention,” said committee chairman James Arbuthnot MP.

“The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents.”

Cabinet Secretary Francis Maude is the minister responsible for cyber security, but the report recommends that more ministers should engage and take on responsibility.

“Unless we have a really vigorous approach to defending against the sort of cyber attacks that are developing at a rather quick rate day by day, minute by minute, second by second, unless we have a really vigorous approach we are at risk of our armed forces as well as the whole of the rest of the government infrastructure being compromised,” Mr Arbuthnot told Sky News.

GCHQ
GCHQ is considered a world leader

Dr Andrew Murrison, the Minister for International Security Strategy, has defended the Government’s efforts.

He said: “There’s no complacency and we will continue in a very rapidly evolving field to make sure we do absolutely everything to reduce the chance of there being a significant attack here.”

GCHQ, the Government’s communications headquarters, is considered a world leader.

Under the Strategic Defence and Security Review in 2010, £650m was allocated to a new cyber security programme.

It showed significant recognition of the threat, but in truth no budget can ever be big enough. According to the Boston Consulting Group, the UK is the best prepared country to face a cyber attack.

But countries like Israel, China and the United States are well advanced, and are bettering their systems at a quicker pace.

Major General Jonathan Shaw, the former head of the Defence Cyber Security Programme, told Sky News that the UK competes favourably.

He said: “The way that British government is organised and the security side is actually extremely effective at coping with threats.

“It’s a very collegiate atmosphere and the ability of GCHQ to spread their knowledge across government actually gives us a real advantage over someone like the United States which has a much more stovepipe government system.”

What is not known is how offensive the UK‘s strategy is. The Government is clear about the threat it faces, but declines to speak about any aggressive action it takes against states regarded as hostile.

The Defence Select Committee’s report should be seen as an attempt to reinvigorate the military and Government’s efforts – not as an outright criticism of what has been done.

Cyber Attack Threat: UK Armed Forces Warned.

Stage 1/3

  • Download the PNG with hex numbers and type them to create binary file.
    This is first part and it’s meant to be executed (it’s x86 32bit code).
eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41 75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41
  • Second part is in “iTXt” chunk of PNG, base64 encoded. Decode it and append to first part.
    1st part ends with “AAAA” marker, 2nd part starts with “BBBB”.
iTXt chunk data:
QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==
  • Run the shellcode. On windows, I converted it to inline asm in form of
 __asm __emit 0xEB;
 __asm __emit 0x04;
 ...etc...
  • Or you can just find any exe and copy bytes at entry point.
  • Run in debugger, add breakpoint just before INT 0x80 call.
    Decrypted text will be placed on stack:
GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1
  • Description of what shellcode does:
    This is RC4 decoder with key set to 0xDEADBEEF. TEXT chunk data format is:
<magic 'BBBB'><encrypted length - 4byte word><encrypted bytes...>
  • Download this JS file for stage 2

Stage 2/3

  • You can get JS here: 15b436de1f9107f3778aad525e5d0b20.js
  • File is pretty self-explanatory. Just write the code to emulate VM, no secrets there.
  • When you run it and reach HLT instruction, memory will contain:
000: 31 04 33 AA 40 02 80 03 52 00 72 01 73 01 B2 50 << 1st decryption code
010: 30 14 C0 01 80 00 10 10 00 00 00 00 00 00 00 00
020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
100: 32 00 75 0C 31 08 33 32 40 02 80 03 52 00 72 01 << 2nd decryption code
110: 73 03 B2 00 C3 B0 00 30 1B C0 01 FF 00 00 00 00  (decrypted by 1st one)
120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
130: 00 00 75 10 01 00 00 00 00 00 00 00 00 00 00 00
140: CC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
150: 7D 1F 15 60 4D 4D 52 7D 0E 27 6D 10 6D 5A 06 56 << Unknown data block
160: 47 14 42 0E B6 B2 B2 E6 EB B4 83 8E D7 E5 D4 D9
170: C3 F0 80 95 F1 82 82 9A BD 95 A4 8D 9A 2B 30 69
180: 4A 69 65 55 1C 7B 69 1C 6E 04 74 35 21 26 2F 60
190: 03 4E 37 1E 33 54 39 E6 BA B4 A2 AD A4 C5 95 C8
1A0: C1 E4 8A EC E7 92 8B E8 81 F0 AD 98 A4 D0 C0 8D
1B0: AC 22 52 65 7E 27 2B 5A 12 61 0A 01 7A 6B 1D 67
1C0: 47 45 54 20 2F 64 61 37 35 33 37 30 66 65 31 35 << Solution ASCII text
1D0: 63 34 31 34 38 62 64 34 63 65 65 63 38 36 31 66  (decrypted by 2nd code)
1E0: 62 64 61 61 35 2E 65 78 65 20 48 54 54 50 2F 31
1F0: 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00
200: 37 7A 07 11 1F 1D 68 25 32 77 1E 62 23 5B 47 55 << Another unknown block
210: 53 30 11 42 F6 F1 B1 E6 C3 CC F8 C5 E4 CC C0 D3
220: 85 FD 9A E3 E6 81 B5 BB D7 CD 87 A3 D3 6B 36 6F
230: 6F 66 55 30 16 45 5E 09 74 5C 3F 29 2B 66 3D 0D
240: 02 30 28 35 15 09 15 DD EC B8 E2 FB D8 CB D8 D1
250: 8B D5 82 D9 9A F1 92 AB E8 A6 D6 D0 8C AA D2 94
260: CF 45 46 67 20 7D 44 14 6B 45 6D 54 03 17 60 62
270: 55 5A 4A 66 61 11 57 68 75 05 62 36 7D 02 10 4B
280: 08 22 42 32 BA E2 B9 E2 D6 B9 FF C3 E9 8A 8F C1
290: 8F E1 B8 A4 96 F1 8F 81 B1 8D 89 CC D4 78 76 61
2A0: 72 3E 37 23 56 73 71 79 63 7C 08 11 20 69 7A 14
2B0: 68 05 21 1E 32 27 59 B7 CF AB DD D5 CC 97 93 F2
2C0: E7 C0 EB FF E9 A3 BF A1 AB 8B BB 9E 9E 8C A0 C1
2D0: 9B 5A 2F 2F 4E 4E 00 00 00 00 00 00 00 00 00 00
2E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • VM code does this:
 for(i=0;i<80;i++) mem[0x100+i]^=i+0xAA;
 for(i=0;i<51;i++) mem[0x1C0+i]^=i*3+0x32;
  • Stage 2 solution text is:
GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0
  • Unknowns:
    There are still some encrypted blocks of memory that looks suspicious.
    Because both decryption routines used XOR pattern in form of i*X+Y, I have
    tried bruteforcing decoding for these unknown parts as well.
    See end of page for more details.

Stage 3/3

<4 byte magic><8byte password><4byte word1><4byte word2><4byte word3>
  • First bytes of file (magic) must be gchq.
  • Then Exe does unix CRYPT hash with hqDTK7b8K2rvw salt of the 8 byte password,
    result must match hqDTK7b8K2rvw. But you can easily NOP this check
    at 0x0040119C and everything will still work fine.
  • Another way is to bruteforce this hash, solution is cyberwin.
  • Exe then does GET request to server in following format:
GET /hqDTK7b8K2rvw/%x/%x/%x/key.txt
  • HEX numbers are the words 1,2,3 from license file.
  • There is small hint where to find these, exe prints to console:
loading stage1 license key(s)...
loading stage2 license key(s)...
  • where at stage1 it reads one word, in stage2 two words.
  • In stage 1 code, just at beginning, EB 04 instruction skips over 4 bytes.
    This is the key for first stage: 0xa3bfc2af
  • For stage 2, in JS code is unused variable firmware with values 0xd2ab1f05, 0xda13f110.
  • So complete license.txt file in HEX is:
67 63 68 71 63 79 62 65 72 77 69 6E AF C2 BF A3 05 1F AB D2 10 F1 13 DA 61
  • This translates to:
GET /hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt HTTP/1.0
  • Server returns:
Pr0t3ct!on#cyber_security@12*12.2011+
  • Note that running EXE will not do proper request to server, so you will have to copy
    the URL to browser. This is due to not including “Host:” header in request.
  • When you use this on main page, you get redirected to:
    http://canyoucrackit.co.uk/soyoudidit.asp with following text:
So you did it. Well done! Now this is where it gets interesting.
Could you use your skills and ingenuity to combat terrorism and cyber threats?
As one of our experts, you'll help protect our nation's security and the lives
of thousands. Every day will bring new challenges, new solutions to find – and
new ways to prove that you're one of the best.
  • This was fun to do, don’t you think?

The end? Maybe not

There are speculations that this simple solution is just some form of honeypot.
First HTTP get was with HTTP/1.1, but later it’s HTTP/1.0.
Then there are unused bytes in VM memory.

  • I have checked all images on web page, no other hidden data except the base64 chunk
    in PNG file.

  • Part of memory after VM is run:
100:  32 00 75 0C 31 08 33 32 40 02 80 03 52 00 72 01
110:  73 03 B2 00 C3 B0 00 30 1B C0 01 FF 00 00 00 00
120:
130:  00 00 75 10 01 00 00 00 00 00 00 00 00 00 00 00
140:  CC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • Note the similarity of these blocks. What I think this means is you should mix these
    together in some way to create new decryption VM instructions to continue.
    But tried XORing or replacing non-zero bytes… no luck.

  • Also the 3 blocks seems to be RC4 encrypted.Probably not, see below. They all share same key, this
    can be seen on MSB bits of cryptext. Data blocks are all 112 bytes long
    at offsets 0x150, 0x200, 0x270.
    Tried the firmware values and also 0xDEADBEEF without getting anything useful.
    3 Blocks may decrypt to 3 ASCII HEX words needed for licence.txt to get right server reply.

  • See the graphical interpretation of these binary blocks on right ——————————————->
    You can see MSB bits are same for all blocks, as expected if result is ASCII text.

  • This MSB pattern seems to be too periodic, this this isn’t using RC4. It looks more like
    XOR i*X+Y pattern we seen for decrypting code and URL.
  • One solution (that makes all MSB bits zero as expected for ASCII text) is this:
for(i=0;i<112;i++) mem[0x150+i]^=i*5+31;
for(i=0;i<112;i++) mem[0x200+i]^=i*5+31;
for(i=0;i<112;i++) mem[0x270+i]^=i*5+31;
  • One firmware value is 0xd2ab1f05 = 1F=31 05=5 -> values for above algorithm. Coincidence?
  • This is the result:

b;<N~uo?Ik<F6:c<(`;p5:?t|("(|Uac|4I["Z_xZyU{a+5cE}|K?SD.Y85sjvz:*^p@,Dd=83;?e0bnP3R$ZF:V,L~O 5wS&[km?6x5M;7A+X-
(^.?,%Ugu;O4x;"?<Dh<uy<tTPYcO|ui:9S-5YhY0!vU(k3e`rL.5ms;C`~o`6hW]TA[fqh_k4smCk}{$a;gY9_y?z76gZ'n0AOi3eY6Lib8W%(
J~cHR)j*2I3`&bu!gV;L9j4pA%^eB::{0%qjE)RcVax:/xsk}*.=u[KT@IWk9/N7aHpA_$5H'LCW76XHtRA*krs|WZxu|U;d^&!]V

          Formated to 3 lines, for 0x150, 0x200 and 0x270 block contents. It may or may not be single block. Ctrl-C safe.
  • It’s not really readable, but all characters are in printable range 0x20-0x7F.
    I found it to get MSB bits zero, but it also produced just printable characters!
    This looks interesting.
  • From 96 characters in range 0x20 – 0x7F are all used except: 0x23 0x31 0x3E 0x47 0x51 0x6C 0x7F
    There is total 90 unique characters… base 90 code?
  • Converted this block from base 96 to base 16 and used ent entropy analyzer program on this data:
Entropy = 7.133685 bits per byte.

Optimum compression would reduce the size
of this 273 byte file by 10 percent.

Chi square distribution for 273 samples is 288.70, and randomly
would exceed this value 7.21 percent of the times.

Arithmetic mean value of data bytes is 127.7070 (127.5 = random).
Monte Carlo value for Pi is 3.022222222 (error 3.80 percent).
Serial correlation coefficient is 0.014271 (totally uncorrelated = 0.0).
  • Same for base 90 to base 16:
Entropy = 7.284051 bits per byte.

Optimum compression would reduce the size
of this 269 byte file by 8 percent.

Chi square distribution for 269 samples is 219.21, and randomly
would exceed this value 94.91 percent of the times.

Arithmetic mean value of data bytes is 126.8067 (127.5 = random).
Monte Carlo value for Pi is 3.090909091 (error 1.61 percent).
Serial correlation coefficient is 0.040349 (totally uncorrelated = 0.0).
  • Is this just a random fill to put something in memory?

Solution to www.canyoucrackit.co.uk