And why emails containing confidential information should be encrypted
The Saudi Cables are a leak from the Saudi Arabian Ministry of Foreign Affairs (SMoFA). It’s a juicy leak, mostly in Arabic. It’s an excellent source for reconnaissance information and a great example of OSINT.
A senior consultant from Microsoft emailed the deployment guide for Configuration Manager and Operations Manager to the Saudi Ministry of Foreign Affairs. The document is from 2012, but it’s not likely the SMoFA has drastically changed their configuration. One of the requirements states that computer discovery should take less than one day. An attacker could use this information as a time limit when setting up a rogue device inside the network. Some of the vendors listed in the document are F5, Cisco, Juniper Firewalls, Trend Micro, Microsoft SQL and Active Directory.
In 2015 a salesperson and/or consultant from McAfee/Intel Security emailed the SMoFA a list of customers in Saudi Arabia. The list shows many Saudi clients who use McAfee End Point Protection (EPO). It is the centrally managed anti-virus and security offering from McAfee/Intel. The salesperson did not encrypt the email. It is a pain in the arse to change a centrally managed anti-virus or security manager. It is expensive and time-consuming, and it is highly likely the customers listed still use the product in 2017. I will also remind folks, it’s damn difficult to uninstall McAfee/Intel anti-virus. John McAfee, the creator and former owner, made a video to help people try and uninstall the product: https://youtu.be/bKgf5PaBzyg An attacker can use knowledge of which end point protection is installed on a victim machine to their advantage. There have been numerous exploits allowing compromise of EPO and other, similar products. US-CERT issued an alert in 2013 about an exploit tool targeting EPO: https://www.us-cert.gov/ncas/alerts/TA13-193A The document also contains some useful email addresses.
URL with document: https://wikileaks.org/saudi-cables/doc129973.html
An undated internal asset scan of the SMoFA’s network. It lists host names, MAC addresses, system specifications, internal IP addresses, operating systems and descriptions of the assets. Want to know information about their Domain Controllers, Proxies, WSUS update servers, Oracle app servers, Visa servers and so on? Very rich in internal asset information. Looking at the system specifications, it looks to be from around 2013-2015. The leak displays gold such as VM Biometric Application and VM Embassy Finance site. The list is in Excel format, and it’s long.
An employee from the SMoFA emailed Phase 2 of a FireEye internal vulnerability assessment report to another SMoFA employee. The report is over 212 pages long and dated from late 2014. The report scope covers an internal network assessment against the servers and virtual machines focused on “exploitable vulnerabilities which could allow unauthorised access to systems and/or sensitive data.” I think the word irony comes to mind since this document was leaked. In my experience, not everything is patched up or fixed after a penetration or vulnerability test is completed and presented. There are gems such as “With root access, consultants were able to compromise the password hashes in the shadow file.” & “Use an MS-SQL client to interact with the remote server. Use the following credentials: Account: admin Password: admin”
URL and document: https://wikileaks.org/saudi-cables/doc129821.html
Number 1 – Operation Cleaver Report
A follow-up email with a security investigation report, Incident ID: 0020-1114, attached. The 14-page report is about a compromise by the Iranians starting in 2014. The communication starts with requests to disable user accounts, reset passwords and take other precautions using indicators of compromise information. Some of the user accounts listed are in other SMoFA IT related communications and appear to be part of the IT security team of the SMoFA. A summary of the report:
An incident was reported on 19 November 2014 regarding a workstation making suspect HTTP requests. The workstation was critical, and an investigation was launched immediately. After forensics, the focus shifted to two administrative workstations and an SMoFA proxy server. One of the workstations had a process “netscp.exe” which was a Trojan “Gen.Variant.Kazy” calling to IP 18.104.22.168. This IP is now registered to UK-Redstation. It’s listed in Robtex, but not Netcraft, Shodan or Wayback Machine. The process “netscp.exe” was not detected by their McAfee EPO end point anti-virus and security protection. The SMoFA report lists the Cylance Operation Cleaver report and IOCs confirming the incident.
Social engineering took place against a system administrator via his LinkedIn profile. It was a job offer on 14 July 2014. The email sent contained a link to a resume creation suite that submits resumes to a fake employer called Teledyne. The SMoFA administrator both gave away personal information by submitting his resume and, through that action, installed the TinyZBot malware on 21 July 2014. Access to the SMoFA network followed on 25 July 2014, using anonymous FTP and SOAP (checkupdate.asmx). VPN access using the compromised account was also granted on the same day. The malware was finally detected by their anti-virus with a signature update on 2 December 2014.
Figure 1 Pastebin Cylance Operation Cleaver Iranian retaliation graphic
The SMoFA report contains the steps they took to detect, contain and eradicate the compromise, along with lessons learned. The lessons learned include which IP ranges are no longer allowed to access the proxy and an IP address that was blocked on the firewall. When the report was written, it noted that they only stored logs for seven days, had no SIEM, and that firewall rules needed to be tuned and reviewed. Typical stuff that happens to an operational network which isn’t adequately being managed with a security focus. The report also gives a packet snapshot. The report provides insight into how the SMoFA handles an incident.
Figure 2 Sample packet capture output from the SMoFA report
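The indicators named in the report summary and the seven-day log retention can be combined in a small log sweep that shows how much evidence had aged out by the time the incident was reported. This is an added example, not code from the SMoFA or Cylance reports; the log format, host names, addresses and the date on the netscp.exe line are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators named in the report summary; the patterns assume plain-text logs.
INDICATORS = {
    "soap_checkupdate": re.compile(r"checkupdate\.asmx", re.I),
    "anonymous_ftp": re.compile(r"\bUSER\s+anonymous\b", re.I),
    "netscp_process": re.compile(r"\bnetscp\.exe\b", re.I),
}

INCIDENT_REPORTED = datetime(2014, 11, 19)  # date the incident was reported

# Constructed sample lines: hosts and addresses are placeholders, not leak data.
SAMPLE_LOGS = """\
2014-07-25T09:14:02 ftp01 192.0.2.10 USER anonymous
2014-07-25T09:20:41 proxy01 192.0.2.10 POST /checkupdate.asmx 200
2014-11-17T08:00:00 proxy01 198.51.100.7 GET /index.html 200
2014-11-18T22:03:10 ws-admin1 process_start netscp.exe pid=4120
"""

def sweep(log_text):
    """Return (timestamp, indicator_name, line) for each line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        ts = datetime.fromisoformat(line.split()[0])
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((ts, name, line))
    return hits

def retention_gap(hits, investigation_start, retention_days):
    """Split hits into those still retained and those already aged out."""
    cutoff = investigation_start - timedelta(days=retention_days)
    kept = [h for h in hits if h[0] >= cutoff]
    lost = [h for h in hits if h[0] < cutoff]
    return kept, lost

def retention_needed(hits, investigation_start):
    """Smallest retention in whole days that still holds the earliest hit."""
    delta = investigation_start - min(h[0] for h in hits)
    return delta.days + (1 if delta.seconds or delta.microseconds else 0)

if __name__ == "__main__":
    hits = sweep(SAMPLE_LOGS)
    kept, lost = retention_gap(hits, INCIDENT_REPORTED, retention_days=7)
    print("retained:", [h[1] for h in kept])
    print("aged out:", [h[1] for h in lost])
    print("retention needed (days):", retention_needed(hits, INCIDENT_REPORTED))
```

With seven days of retention, only the late process event survives; the FTP and SOAP entries from the day of initial access would need roughly four months of retained logs.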
URL and document: https://wikileaks.org/saudi-cables/doc129906.html
Pastebin to the Cylance report: https://pastebin.com/zz1FP4Zq