Archive for the ‘Crime Scene Investigation’ Category

CrimeOps of the KashmirBlack Botnet Part I – Security Boulevard

Introduction

Being in a research team exposes us to a variety of attacks on different platforms, of different types, scope, and volume. It also gives us the opportunity to select particularly interesting attacks that target our customers and to analyze them. This blog will give you a taste of the CrimeOps (criminal operations) behind one of these attacks, the KashmirBlack botnet.

In the following sections we'll describe the DevOps behind the KashmirBlack botnet, discuss the purpose of the botnet, and the journey we took during our research. For the bits-and-bytes about the entities, the operation and the infection technique of the KashmirBlack botnet, please wait for next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims' servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world. In order to make this magic work properly, with minimal interruptions, there has to be a proper architecture design and stable infrastructure, with a solid DevOps implementation to overcome the challenges of the delivery process.

Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 mostly innocent surrogate servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

We'll inspect the evolution and version deployment of the botnet during the research period, from November 2019 until the end of May 2020. And we'll see how it uses cloud-based services such as GitHub, Pastebin and Dropbox as ways to hide and control the botnet operation, and show how it has entered new domains such as cryptominers and site defacement.

In the Appendix you can find indicators of compromise (IOC).

According to Wikipedia, DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from Agile methodology.

Simply put, CrimeOps is the utilization of DevOps practices to facilitate crime: the DevOps behind the KashmirBlack botnet and its infrastructure support continuous delivery processes to enable an agile software development cycle. We'll show how those are being accomplished in conjunction with a CrimeOps strategy.

Figure 1 below offers a hint of the complexity of the botnet and the different entities that play a role in this operation. The color of each entity reflects its characteristics: red for malicious services created by the owner of the botnet, orange for victims used by the botnet, and green for innocent services.

Here's a high-level description of the entities:

Figure 1: KashmirBlack botnet flow diagram

To better understand this diagram, we've broken down the flow into pieces in next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

Security research investigation can sometimes be like a crime scene investigation. However, our crime scene is spread all over the network, with no body in place. We therefore need to collect the clues and fingerprints that allow us to construct a picture of the virtual crime. Here is the journey of our research.

We started our surveillance on the KashmirBlack botnet in January 2020 and began to uncover the operation piece by piece, by answering three main questions: When? How? And What?

The KashmirBlack botnet operation, as we know it, started around November 2019. We have two pieces of evidence that support this timeline. The first, found in our data lake, shows the earliest exploitation attempts of the PHPUnit RCE vulnerability (CVE-2017-9841) to infect our customers with the KashmirBlack malicious script. The other is the date of one of the exploits in repository B: November 6, 2019.
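A defender-side check for the two spreading-bot behaviours the post names, PHPUnit CVE-2017-9841 exploitation attempts and CMS login brute force, run over web server access logs. This is an added example, not code from the original post or from Imperva; the log lines are constructed, the IPs are documentation ranges, and the set of CMS login endpoints to watch is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# File targeted by CVE-2017-9841 (PHPUnit eval-stdin RCE), the vector the post names.
PHPUNIT_EVAL = "/phpunit/src/util/php/eval-stdin.php"

# Login endpoints of popular CMS platforms; which ones to watch is an assumption.
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/user/login"}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string
    return rec


def max_hits_in_window(times, window):
    """Largest number of events from one source inside any sliding time window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_seconds=60, threshold=10):
    """Flag PHPUnit RCE probes and sources hammering a login endpoint."""
    window = timedelta(seconds=window_seconds)
    probes = []                      # (ip, method, timestamp) of PHPUnit RCE attempts
    login_posts = defaultdict(list)  # ip -> timestamps of login POSTs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith(PHPUNIT_EVAL):
            probes.append((rec["ip"], rec["method"], rec["ts"]))
        elif rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            login_posts[rec["ip"]].append(rec["ts"])
    brute = {ip: max_hits_in_window(t, window) for ip, t in login_posts.items()}
    brute = {ip: hits for ip, hits in brute.items() if hits >= threshold}
    return {"phpunit_probes": probes, "bruteforce": brute}


def constructed_log():
    """Constructed sample traffic (not real bot traffic) for a stand-alone run."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2019, 11, 12, 3, 14, 5, tzinfo=timezone.utc)
    lines = [
        f'203.0.113.7 - - [{base.strftime(fmt)}] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'203.0.113.7 - - [{(base + timedelta(seconds=1)).strftime(fmt)}] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
        f'192.0.2.33 - - [{(base + timedelta(minutes=6)).strftime(fmt)}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    # Twelve login POSTs from one source within 33 seconds: password guessing, not a user.
    for i in range(12):
        t = (base + timedelta(minutes=1, seconds=3 * i)).strftime(fmt)
        lines.append(f'198.51.100.9 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "curl/7.64"')
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyze(constructed_log())
    for ip, method, ts in result["phpunit_probes"]:
        print(f"CVE-2017-9841 probe from {ip}: {method} at {ts:%H:%M:%S}")
    for ip, hits in result["bruteforce"].items():
        print(f"login brute force from {ip}: {hits} POSTs within 60s")
```

The single legitimate login POST from 192.0.2.33 stays below the threshold, so only the repeated source is reported.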

The "How?" question is answered in next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

To answer the "What?" question we had to take a more active approach to the investigation. We went undercover and impersonated a spreading bot in the botnet and, without actually attacking any targets, started to collect information about the botnet's victims. Then, in order to understand the purpose of those victims as pending bots, we had to become a victim ourselves. We created a CMS honeypot and attacked it with our spreading bot, and so we became a pending bot in the KashmirBlack botnet.

We witnessed five types of purposes for the botnet: crypto mining, spamming, defacement, spreading and pending bot. The next section describes some of these purposes in more depth.

According to Wikipedia, Monero is actively encouraged for those seeking financial privacy, since payments and account balances remain entirely hidden, which is not the standard for most cryptocurrencies. The KashmirBlack botnet uses the XMRig miner to mine Monero coins to a remote wallet on a HashVault pool. Examining its code gave us a glimpse into the wallet, from which we could see that the mining operation started on March 31, 2020.

The attacker's payment address is: 44qSPEgLnC5CF7ajChi4UZK5Z89tiaXiwcU8BGJ1yNB8NcrwhuiSrRRb3gSmhaGLAB8ERuJs3FhdmAgJfiGjHA9mM21DHE8

Taking into account that the mining operation was limited to a maximum of 50% of the infected host's CPU, with a hash rate of 16,000 hashes per second, we could conclude that there were around 80 infected victim hosts.

Figure 2: The attacker mining activity

Infected by the KashmirBlack botnet, our honeypot was converted into a spamming bot. When trying to access the honeypot's login page, the visitor was redirected to hxxp://134.249.116.78, which performed an additional redirection to one of many clickbait sites.

Figure 3: One of the spamming bot's redirections to a clickbait site

One important piece of evidence we collected from the KashmirBlack botnet concerned the identity of the attacker behind the operation. Below we can see the defacement signature:

Figure 4: KashmirBlack Defacing attack signature

We suspect the owner of the KashmirBlack botnet is the hacker Exect1337, a member of the Indonesian hacker crew PhantomGhost. Figure 5 below is a screenshot of another defacement attack performed by the PhantomGhost crew:

Figure 5: Site that was hacked by the Indonesian hacker crew PhantomGhost

In Appendix C you can find IoC to check whether your site has been infected.

The KashmirBlack botnet has a massive infrastructure that gives it the ability to transform very quickly and easily. Once the infrastructure is in place, minor modifications can change the entire botnet's purpose. Every component is independent and can be easily replaced by another of the same type without interfering with the botnet operation. In this section we'll describe the evolution of the botnet over the research period and the DevOps strategy that enables it to carry out its crimes.

The evolution of the botnet focuses on two main domains: the botnet expansion process, in terms of exploit and payload deployment, and the infrastructure, to make it more agile.

Exploits & Payloads Deployment Process

In November 2019, repository B contained 15 exploits and payloads, compared with more than 20 today. Our assumption is that until March 2020 the maintainer of the botnet focused only on expansion, the build phase. Once the botnet became big enough, new payloads started emerging.

On March 15, 2020, we noticed a new payload had been added under repository B. This payload downloads a cryptominer into the spreading bot machine to start mining for Monero coins. Later, on May 1, 2020, another exploit and payload bundle was added, and used for site defacement. Further updates with minor changes inside the exploit code were conducted on May 11, 2020.

Each deployment to repository B triggered a process that cloned all the bundles into the repository. This indicates some sort of CI/CD process used by the KashmirBlack botnet maintainer.

Infrastructure Changes

The earliest record of the KashmirBlack botnet included one server used as repository A and one server used as repository B.

May 15, 2020, saw the start of a more significant change. Infrastructure changes were carried out over the next week and a half, including:

There were three main reasons behind these changes:

First, as the botnet size increased, so too did the load on the repositories, as more bots fetched files from them. Secondly, since some of the repositories were actually legitimate sites, they couldn't be considered permanent entities in which to store payloads and exploits. By increasing the number of repositories, the botnet achieved two important features: redundancy and load balancing.

Repository A had been scaled from a single server to at least seven servers. Repository B had been scaled from a single server to 74 domains, hosted on 53 different hosts.

The addition of a new entity, the repository A load balancer, allowed scalability. A request to the load balancer returned the address of one of the multiple repositories in repository A. To integrate this change into the botnet operation, an additional change in the botnet malicious script was required. Figure 6 below shows this infrastructure change.

Figure 6: The infrastructure change of repository A load balancer

The C&C is the most sensitive and important component in the entire operation. Securing it is vital. Two internal changes were made in order to avoid interference with the C&C:

As described above, we impersonated a spreading bot and triggered a fake reporting request to the C&C with our honeypot details. One and a half hours later, the attacker visited our honeypot and tried to infect it with the botnet malicious script. We assume the attacker grew suspicious and, as a result, decided to change the logic of communication with the C&C.

On May 8, 2020, three days after our honeypot was infected, we saw an update of the reporting address from hxxps:///adeliap/404.php to hxxps:///adeliap/405.php.

On May 26, 2020, the botnet malicious script was updated with a bot tracking mechanism designed to achieve two goals. The first was to secure the botnet and the second was to manage the deployment process of malicious script updates. At the time we interrupted the natural flow of the botnet operation with our honeypot, the botnet had no measures in place to know which bot performed which attack. But the simple architecture change of registering a bot's IP and country while it communicated with the C&C allowed the C&C to track the operation of each bot in the botnet. Figures 7 and 8 show the previous version vs. the current version of the C&C communication.

Figure 7: Previous C&C communication

Figure 8: Current C&C communication

In the next section we'll show how this change allowed the C&C to manage the deployment process of new versions of the malicious script to the bots.

The above infrastructure changes created a situation where some spreading bots were communicating with the botnet entities by using the new infrastructure while others were only aware of the old one. In order to align them all, a new payload was added under repository B with the updated malicious script. Now, the C&C could instruct all old spreading bots to fetch a new malicious script and register it in the C&C. This step helped to manage the deployment process of new versions of the malicious script to all spreading bots.

Figure 9 below shows the spreading bot transformation. The orange entities represent the old infrastructure while the blue represent the new infrastructure.

Figure 9: Botnet Malicious Script Deployment

Another interesting infrastructure change emerged during a regular monitoring activity on September 24, 2020. The KashmirBlack botnet entered a new evolutionary stage by using a cloud-based service, Dropbox, to replace the C&C. We saw evidence that the Dropbox API is being used to fetch attack instructions and upload attack reports from spreading bots. Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services. It is yet another step towards camouflaging the botnet traffic, securing the C&C operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation.

Figure 10 below shows the current flow diagram of the KashmirBlack botnet.

Figure 10: KashmirBlack botnet flow diagram

KashmirBlack botnet evolution timeline:

Figure 11 below shows the events of the botnet evolution on a timeline. Purple indicates activities related to the expansion process (exploit and payload bundle deployment), green indicates activities related to infrastructure changes, orange indicates our interference with the botnet activity, and gray indicates general activities.

Figure 11: KashmirBlack botnet evolution timeline

This blog describes a complex and constantly evolving botnet operation, one that is only possible with a well-designed infrastructure.

During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.

We saw how building and maintaining a botnet is very similar to an application development process. It requires code maintenance, version control, infrastructure, and deployment cycles. The hacker behind the botnet needs to act as architect, developer, and DevOps. To create a stable botnet that will carry out the intended CrimeOps, the hacker needs to design both the operation and its entities. In addition, he needs to think about factors such as backups, failover, redundancy, scalability, and more.

The KashmirBlack botnet consists of many entities. There are several traces that indicate a server is compromised and taking part in the botnet. Each entity in the botnet has different indications of infection. For additional details about IoC see the Appendix.

Imperva WAF customers are protected and are not affected by the botnet operation. The WAF has a layered approach to blocking such activity. The Bad Bots policy will detect the malicious traffic of the bots to the site and the Malicious File Upload policy will block webshell upload. In addition, Remote Code Execution signatures will prevent the payload's execution and the Backdoor Protection mechanism will prevent backdoor usage by the attacker.

Be safe & secure, Imperva.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Ofir Shaty. Read the original post at: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/


‘Touched By An Angel’ Cast: Where Are They Now? – Wide Open Country

For nine seasons, the television series Touched By An Angel inspired viewers in its stories centered around angels helping people in their everyday lives. The CBS drama series was centered on an angel named Monica (Roma Downey) and her supervisor Tess (Della Reese) as they passed along messages from God to those needing help.

Since its first season debuted in 1994, the show was nominated for eleven Primetime Emmy Awards as well as three Golden Globes. The TV show, created by John Masius and perfected by Executive producer Martha Williamson was so popular, there was even a spinoff series, Promised Land, that ran for three seasons.

Touched By An Angel was one of those shows that it seems like everyone was on. Some of their most notable guest stars over the years included Wynonna Judd, Rue McClanahan, Maya Angelou, Angela Lansbury, Ann-Margret, Carol Burnett, Celine Dion, Kirk Douglas and Jack Black.

Here's what all of your favorite cast members have been up to since the show wrapped in 2003.

The Irish actress has been very busy since her days playing the kindhearted angel Monica. She's appeared in numerous made-for-TV films as well as the show The Division and the miniseries The Bible, in which she played Mary, mother of Jesus. She is also a producer, producing many of her own Biblical-themed TV shows and films including Messiah and A.D. The Bible Continues. Downey has been married to TV producer Mark Burnett since 2007 and they share his two children from his previous marriage as well as her daughter from her previous marriage.

Tess was a bit tough and at times sarcastic, but she always played a meaningful role in Monica's cases throughout the series. Following her time on the show, Reese appeared on TV shows like That's So Raven, The Young and the Restless and Signed, Sealed, Delivered on the Hallmark Channel, in addition to numerous seasonal made-for-TV films. Reese, who was ordained as a minister in the '80s, retired from acting in 2014. She passed away in 2017 at the age of 86.

Andrew, the Angel of Death, became a regular on the series after first appearing in a recurring role in season 2. In addition to playing his Touched By An Angel role in the spinoff series Promised Land, he only acted in a few more roles, including the holiday films Once Upon a Christmas and Twice Upon a Christmas. Dye passed away in San Francisco, California in 2011, reportedly due to heart problems.

Oh, Gloria. The accident-prone but well-meaning angel became a main cast member in the last two seasons of the show. Bertinelli was married to rocker Eddie Van Halen until 2007 and they share a child, Wolfgang. She has gone on to appear in numerous additional TV shows, including her main role on Hot in Cleveland, and has become a Food Network star with her own series, Valerie's Home Cooking.


The country star appeared on five episodes of the show as Sheriff Wayne Machulis and one episode as Jed Winslow. Travis has continued making the occasional acting appearance over the years, including the holiday film Christmas on the Bayou. In 2013, he suffered a viral upper respiratory infection and massive stroke and wasn't sure if he would recover let alone sing again. After years of rehabilitation and therapy, he is not only able to sing and perform again, but he sang live at his own induction into the Country Music Hall of Fame in 2016.

Cruz appeared as the angel Rafael for 16 episodes throughout the series' run. He is still acting, booking roles on shows like CSI: Crime Scene Investigation, Shark, Eagleheart, Castle, Love Life and the film Drag Me to Hell.

Academy Award winner Cloris Leachman had a recurring role on the series as the archangel Ruth. She is still an incredibly active actor even later in life. She had a main role on Raising Hope, competed on Dancing With The Stars and has appeared on numerous other shows including Malcolm in the Middle and Thanks.

Jasmine Guy played the role of fallen angel Kathleen for three episodes. Guy has been on a number of shows since her arc on Touched By An Angel, including Grey's Anatomy, Dead Like Me, The Vampire Diaries, and Drop Dead Diva.


‘Fried Green Tomatoes’ Cast: Where Are they Now? – Wide Open Country

When Fannie Flagg first wrote her novel, Fried Green Tomatoes at the Whistle Stop Cafe, she had no idea anyone would want to turn it into a film. When Hollywood came calling to bring the small Alabama town of Whistle Stop to the big screen, it ended up being a major box office hit and gave southern women a chance to shine.

Executive producer and director Jon Avnet initially hired Carol Sobieski to write the Fried Green Tomatoes screenplay. The initial draft was a musical (which, as we know, did not pan out), so Fannie Flagg herself came in to make edits to the script, which is what ended up making it to the screen. Both women received an Oscar nomination for Best Adapted Screenplay at the 1992 Academy Awards.

Just like the 1987 novel, the film follows a discontented housewife who befriends an old lady in a nursing home in the small town of Whistle Stop. The old lady regales her new friend with stories of her relatives from years before, which are seen in flashbacks. The film was impeccably cast and looks exactly how you'd picture Whistle Stop.

The film and story have become so beloved, there is even a new TV show launching starring Reba McEntire. Three decades later, here's where all of the beloved cast members of the film have been.

Jessica Tandy, also known for her Oscar-winning performance in Driving Miss Daisy, received a Best Supporting Actress nomination for the role of Ninny Threadgoode, the old lady who befriends Evelyn Couch. The year before the film was released, Tandy was diagnosed with ovarian cancer but continued working. Before her death in 1994, she appeared in several more films: Used People, To Dance with the White Dog, A Century of Cinema, Camilla, and Nobody's Fool.

Kathy Bates did an impressive job playing depressed housewife Evelyn Couch. Bates is also a celebrated actress having won an Academy Award, two Emmys, and two Golden Globes. She has since appeared on countless TV shows including Six Feet Under, Harry's Law, American Horror Story, and The Big Bang Theory as well as films like Titanic, The Blind Side, and The Highwaymen.

Mary Stuart Masterson did an incredible job playing Idgie Threadgoode, who is devastated at the loss of her brother Buddy until his former girlfriend Ruth steps in to bring her back to life. Masterson appeared in Benny & Joon, Bad Girls, and The Postman, as well as the TV shows NCIS, Blindspot, and For Life.

Ruth Jamison is the straightlaced former girlfriend of Idgie's deceased brother and the two women end up having a deep attachment to each other. Idgie even rescues her from her abusive husband Frank in Georgia and brings her back home where they open up the Whistle Stop Cafe. Parker went on to star in the show Weeds, as well as films The Portrait of a Lady, Red Dragon, Saved!, Red, and Red Sparrow.

The sweet family cook Sipsey, who had worked for Papa and Mama Threadgoode, comes to work for Idgie and Ruth at the Whistle Stop. Despite being in her 90s, Tyson is still a busy actress in Hollywood. She has appeared on How to Get Away with Murder, House of Cards, Madam Secretary, and Cherish the Day in recent years. Fun fact: in the '80s she was married to musician Miles Davis!


Sweet Chris O'Donnell was the perfect choice to play Buddy Threadgoode, who tragically loses his life at the beginning of the film. O'Donnell was a bit of a heartthrob in the '90s in films like The Three Musketeers, Circle of Friends, Batman Forever, and The Bachelor. Since 2009 he's been starring on NCIS: Los Angeles. O'Donnell has been married to wife Caroline Fentress since 1997 and they have five children together.

Evelyn's disappointing husband, Ed Couch, couldn't have been captured better. Gailard Sartain, who had been a regular on Hee Haw in the '70s, has continued appearing in multiple films including The Patriot, The Replacements, and Elizabethtown. He was also well known for his appearances in several of the Ernest films.

Ruth's abusive husband, Frank Bennett, is quite scary in the film, so it took an impressive actor to pull it off. Nick Searcy has since been in The Fugitive, Cast Away, Flicka, The Last Song, Moneyball, and The Shape of Water.

Local sheriff Grady Kilgore investigates the mysterious death of Frank in the film. Basaraba is what you could call a "career police officer" because he frequently plays them on the screen. He has appeared in Boomtown, CSI: Crime Scene Investigation, Brooklyn South, Blue Bloods, and Mad Men. Recently he was even in the Scorsese film, The Irishman.

Big George, son of Sipsey the cook, also joins the Whistle Stop Cafe and impresses all of their guests with his BBQ skills. Shaw is still acting; his recent credits include Jeepers Creepers 3 and A Christmas Winter Song. Did you know that his cousin was soul singer Sam Cooke?


Shreveport police make arrest in connection with domestic shooting – Shreveport Times


Shreveport Police Domestic Violence investigators have a man behind bars for charges after a Wednesday domestic violence incident turned shooting.


From Staff Reports Published 7:55 a.m. CT Oct. 15, 2020


Shreveport Police Domestic Violence investigators have a man behind bars for charges stemming from a Wednesday morning domestic violence incident turned shooting.

Just after 10 a.m., patrol officers responded to reports of a shooting in the 4300 block of Illinois Street at the Clear Horizon Apartment Complex. Arriving officers located a 25-year-old woman suffering from one gunshot wound to the abdomen. She was transported to Ochsner LSU Hospital with what were described as non-life-threatening injuries.

Officers made contact with the woman's boyfriend, 20-year-old Cadarious Davis, who advised that he was attempting to leave the apartment following a verbal domestic dispute between him and the victim. Davis said that as he was attempting to leave, a struggle ensued over his backpack, which contained a 9mm handgun. The gun allegedly discharged during that encounter and struck the victim. Davis rendered first aid until officers arrived.

Cadarious Davis (Photo: Shreveport Police)

Investigators with the Crime Scene Investigation Unit and Domestic Violence Units were summoned to the scene. Detectives procured a search warrant for the residence and CSIU photographed the scene and collected evidence.

Davis was transported to the Shreveport Police Complex for interviews. During their ongoing investigation, detectives learned that Davis was accused of battering the shooting victim in a separate incident in August 2020. The battery was allegedly committed in the presence of two children. After reviewing photos and evidence in that case, they determined that probable cause existed for his arrest relative to that incident.

Following interviews with investigators, Davis was charged with one count of felon in possession of a firearm and two counts of domestic abuse battery with child endangerment. The investigation is ongoing.


Police investigate Gilroy explosion that injured man – Morgan Hill Times

The Santa Clara County Sheriff's Office Bomb Squad is investigating a reported explosion on Mantelli Drive that sent a man to a trauma center Oct. 12.

According to Gilroy Police, at about 2:20 p.m., the Gilroy Fire Department responded to the 1700 block of Mantelli Drive on the report of an explosion. First responders on scene found a man who had suffered serious injuries from the blast, and transported him to a local trauma center.

According to Gilroy Police Sgt. John Ballard, the 53-year-old man, who lived at the residence, suffered traumatic injuries to his right hand.

The cause of the explosion is under investigation. Ballard said investigators from the Gilroy Police Crime Scene Investigation Team and county bomb squad received a search warrant for the residence and are working to determine what kind of explosives were involved. It does not appear to have been a drug lab, according to Ballard.

The 1700 block of Mantelli Drive, between Rancho Hills Drive and Learnard Way, may be closed for multiple days, police advised. Ballard said Tuesday morning that police hope to have an update on the road closure later in the day.
