Centralized File Movement Tracking Information System


Intrusions Affecting Multiple Victims Across Multiple Sectors

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level: Yellow (Medium). A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers. To achieve operational efficiencies and effectiveness, many IT service providers leverage common core infrastructure that should be logically isolated to support multiple clients. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network.

Figure 1: Structure of a traditional business network and an IT service provider network.

Technical Analysis

The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures (TTPs).
The actors use malware implants to acquire legitimate credentials, then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators' credentials to access trusted domains, as well as the malicious use of certificates. Additionally, the adversary makes heavy use of PowerShell and the open-source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

Command and Control (C2) primarily occurs using RC4 cipher communications over port 443 to domains and IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity. Listings of observed domains are found in this document's associated STIX package. The indicators should be used to observe potential malicious activity on your network.

User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory, with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and REDLEAVES. Although the observed malware is based on existing malware code, the actors have modified it to improve effectiveness and avoid detection by existing signatures.

Both REDLEAVES and PLUGX have been observed being executed on systems via dynamic link library (DLL) side-loading.
The DLL side-loading technique utilized by these malware families typically involves three files: a non-malicious executable, a malicious DLL loader, and an encoded payload file. The malicious DLL is named as one of the DLLs that the executable would normally load and is responsible for decoding and executing the payload into memory.

REDLEAVES Malware

The most unique implant observed in this campaign is the REDLEAVES malware. The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.

Capabilities

System Enumeration. The implant is capable of enumerating the following information about the victim system and passing it back to the C2:
- system name,
- system architecture (x…),
- IP address, and
- primary drive storage utilization.

Command Execution. The implant can execute a command directly inside a command shell using native Windows functionality by passing the command to run to cmd.exe.

Command Window Generation. The implant can also execute commands via a remote shell that is generated and passed through a named pipe. A command window is piped back to the C2 over the network as a remote shell, or alternatively to another process or thread that can communicate with that pipe. The implant uses the mutex RedLeavesCMDSimulatorMutex.

File System Enumeration. The implant has the ability to enumerate data within a specified directory, where it gathers filenames, last file write times, and file sizes.

Network Traffic Compression and Encryption. The implant uses a form of LZO compression to compress data that is sent to its C2. After compression, the data for this implant sample is then RC4 ciphered with the key 0x. A6. F6. 86. E3. 13.
Network Communications

REDLEAVES connects to the C2 over TCP port 443 using the API function InternetOpenUrlW. The data is not encrypted and there is no SSL handshake, as would normally occur with port 443; the data is instead in the form produced by the RC4 cipher. Current REDLEAVES samples that have been examined have a hard-coded C2. Inside the implant's configuration block in memory were the strings in Table 1.

Table 1: REDLEAVES Sample Strings Found in C2

String | Meaning
QN4869MD | mutex used to determine if the implant is already running (varies from sample to sample)
INCO | unknown
windir |
 | RC4 key

While the name of the initial mutex, QN4869MD in this sample, varies among REDLEAVES samples, the RedLeavesCMDSimulatorMutex mutex name appears to be consistent.

Table 2 contains a sample of the implant communications to the domain windowsupdates. over TCP port 443.

Table 2: REDLEAVES Sample Beacon (hex dump, BEGIN SAMPLE BEACON … END SAMPLE BEACON; only fragments survive in this copy)

REDLEAVES network traffic has two headers in front of each RC4-encrypted, compressed payload. The first header comes in its own packet, with the second header and the payload following in a separate packet within the same TCP stream. The last four bytes of the first header contain the number of the remaining bytes in little-endian format (0x…). The second header, starting at position 0x0C, is XORed with the first four bytes of the key that is used to encrypt the payload. In the case of this sample, those first four bytes would be "john", or 0x6a6f686e in ASCII hex codes. After the XOR operation, the bytes in positions 0x0C through 0x0F contain the length of the decrypted and decompressed payload. The bytes in positions 0x…. To demonstrate, in the sample beacon, the second header follows 0. C 1. 4 6f 6. 8 6e 1. The length of the decrypted and decompressed payload is 0x… XOR 0x6a6f686e.
The length of the encrypted and compressed payload is 0x… XOR 0x6a6f686e. This is verified by referring back to the sample beacon, which had the number of remaining bytes set to 0x…c, or 0x7c.

Strings

Failed To Start The Game Cannot Find Essential Information.

Note: Use caution when searching based on strings, as common strings may cause a large number of false positives.

Table 3: Strings Appearing in the Analyzed Sample of REDLEAVES (unique ASCII strings)

redautumnalleavesdllmain.
INCO
john1234
Feb 04 2015 1…

Alvin Toffler, The Third Wave

Note: The following are notes from the above book. I found the book seminal, eye-opening, life-changing. I recommend that you buy and read the entire book. Only by reading the entire book will you get the whole picture. The following quotes, I hope, will whet your appetite. Colby Glass.

This book, The Third Wave, is for. (Toffler 1980, 1)

Civilization can be divided into three major phases. First Wave: the agricultural revolution. Second Wave: the industrial revolution. Third Wave: the information age, just now beginning. Each wave, or civilization phase, develops its own super Zeitgeist, with which it explains reality and. This ideology impacts all the spheres.

Humanity faces a quantum leap forward. It faces the deepest social upheaval and creative restructuring of all. Without clearly recognizing it, we are engaged in. What is happening now is nothing less than a global. (Toffler 1980, 1)

The industrial revolution took a. Today history is even more. Third Wave will sweep across history and complete itself in a few. (Toffler 1980, 1)

A powerful new approach to historical analysis: Social Wave Front Analysis. It focuses our attention not so much on the continuities of history. It identifies key change. (Toffler 1980, 1)

Extent of spread: Today the First Wave has virtually. Only a few tiny tribal populations, in South America, Papua New Guinea, for example, remain to be reached by. (Toffler 1980, 1) (Toffler 1980, 2)
In all of them, power was. In all of them, birth determined one's. (Toffler 1980, 2)

The First Wave was dominant until around 1.

Extent of spread: Europe, North America, and some other parts of the globe: the western. Soviet Union, Japan, Hong Kong, Singapore, Taiwan, Australia, New Zealand, South Korea, and parts of mainland China. (Toffler 1980, 1) In all, industrial. (Toffler 1980, 2)

Industrialism was more than smokestacks and assembly lines. It was a rich, many-sided social system that touched every. First Wave past. It produced the daily newspaper and the cinema, the subway and the DC-3. It gave us Bauhaus buildings and Barcelona chairs, sit-down. It universalized the wristwatch and the ballot box. (Toffler)

The Civil War was fought over who would rule the continent.

MASS DISTRIBUTION. This led to This. The so-called father, mother, and a few children, with. (Toffler 1980, 2)

To free workers for factory labor, key functions of the. CARE OF THE AGED was turned over to poorhouses. (Toffler 1980, 2)

As work shifted out of the fields and the home. The early mine, mill, and factory owners of industrializing England. Andrew Ure wrote in 1. Built on the factory model, MASS EDUCATION taught basic reading. Beneath this overt. It consisted and. Factory labor demanded workers who. It demanded workers who would take. And it demanded men and women prepared to slave away at. (Toffler 1980, 2)

Schools, hospitals, prisons, government bureaucracies, and other. (Toffler 1980)

BUREAUCRACY. Music provides a striking example. As the Second Wave arrived, concert halls began to crop up in London, Vienna, Paris, and elsewhere. With them came the box. The more tickets he could sell, naturally, the more. Hence, more and more seats were. In turn, however, larger concert halls required. The result was a shift from chamber music. (Toffler 1980, 3)

Industrialization, however. (Toffler 1980, 3)

Hence, huge amounts of INFORMATION had to be written down and then accurately. This gave rise to the postal. Hence, MASS MEDIA and mass advertising arose. The mass circulation newspaper and magazine became a standard part.

PRODUCTION AND CONSUMPTION. Until the industrial revolution, the vast bulk of. (Toffler 1980, 3) Pecuniary transactions were a fringe on a world of. The Second Wave violently changed this situation. It virtually wiped out of existence. Everyone became almost. (Toffler 1980, 3)

The market place moved from a peripheral position to. Most people were sucked. This explosive expansion of the. (Toffler 1980) It is a reflection of the central. ALL societies in which. (Toffler 1980, 4)

Behavior came to be seen as a set of transactions. Instead of a society based on friendship, kinship, or. Second Wave: a civilization based on contractual ties. Even husbands and wives today speak of. The cleavage between these two roles, producer and. The very same person who as a producer was taught by. (Toffler 1980, 4)

One of the most common sexual stereotypes in. (Toffler 1980) As the Second Wave took over, it demanded that men. Every operation depended on many men. Personal feelings had nothing to do with the situation. This victory of interdependence over self. In one place the older form of work stubbornly held on. This place was the home. Each home remained a decentralized unit engaged in. If one family failed to reproduce. The housewife continued, as always, to perform a. She produced. Women, prepared from birth for the tasks of. (Toffler 1980, 4)

Every civilization has a hidden code: a set of rules or. As industrialism. It consisted of a set of six interrelated principles that. Growing naturally out of the. (Toffler)

Usually associated with mass production, few people. The jack-of-all-trades was replaced with the. Adam Smith, in a classic passage, described the. A single old-style workman, performing. By contrast, Smith described a. Together they were able to produce more than forty-eight. (Toffler 1980, 4)

Specialization brought the emergence of the professions. Whenever the opportunity arose for some group of specialists. Thus, health in Second Wave societies came to be seen as a product provided by a. Education was supposedly produced by the teacher. (Toffler 1) Lenin argued that the masses could not bring about a. What was needed, he. (Toffler 1980, 5)

Second Wave people dealt with time differently. In a market-dependent system. Expensive machines cannot be allowed to sit idly. If one group of workers in a plant was late in. Thus punctuality, never very important in. (Toffler 1980, 5) Not by coincidence, children in industrial cultures were. (Toffler 1980, 5) Certain hours were set aside for. Standard-length vacations, holidays, or coffee breaks. Women, primarily engaged in noninterdependent. Second Wave husbands continually complained that their wives kept them. (Toffler 1980, 5)

For similar reasons urban populations tended to look. (Toffler 1980) We became almost totally dependent on highly. The Second Wave. (Toffler 1)

Work was concentrated in the factory. The poor were concentrated in ghettoes. In First Wave societies the poor live with relatives. Criminals were concentrated in jails. In First Wave societies, criminals are fined, whipped, or banished from one. The insane were concentrated in asylums. In First Wave societies, the insane stayed with their families, or were. The education of children was concentrated in schools. In First Wave societies, children are educated in the home. The early nineteenth century, in fact, has been called THE TIME OF THE GREAT INCARCERATIONS, when criminals were. (Toffler 1980, 5)

Concentration has continued to operate as the Second Wave. There are only three major auto companies. U.S. Two Japanese firms produce all the VCRs in the. In each area of production: aluminum, beer, cigarettes. The Second Wave created in us an infatuation with. Big became synonymous with. (Toffler 1980, 5)

The workers and managers of Matsushita Electric Company, Japan, chant this song every morning when they exercise.