False Compromise additions

arcanedev 2022-01-10 02:08:15 +00:00
parent 3f68bd1743
commit cabb585b31
No known key found for this signature in database
GPG Key ID: 13BA4BD4C14170C0


@ -465,11 +465,22 @@ You will likely not come out unscathed from the psychological toll of withholdin
## False Compromise
Malware with computing is still in the early stages. It truly is the wild west in many regards. For an extra layer of plausible deniabilty, embed a tailored backdoor or malware variant. This method will not protect you if there are logs that correlate your activity and no logs correlating connection attempts.
The vast majority of cases related to online operations become unsolved mysteries in the archives of law enforcement. Most happenings become heresay or mere hunches.
Take APT groups and nation-states as an example; the majority of cyberwarfare that occurs today is between state-funded APT groups with a primary focus of non-attribution. Despite how many correlating clues lead back to the APT groups and their communications with nation-states, the water remains murky.
In replacement or in conjunction with the killswitch, consider weaponizing your own variant of ransomware. You could create a maintain ownership of the key or you could accept the loss of your data. The malware could also perform shred functions as with any script that you could program.
Not only does the embedded malware render your data inaccessible, but it provides another level of plausible deniability. "I was not aware my infrastructure was being used for that."
Technically, "malware" implies the application of code that will create adverse or undesired action to the system. This is not truly malware, but rather programmed code with the function to mimic malicious functions.
The vast majority of cases related to online operations become unsolved mysteries in the archives of law enforcement. Most happenings become heresay or mere hunches. Take APT groups and nation-states as an example; the majority of cyberwarfare that occurs today is between state-funded APT groups with a primary focus of non-attribution. Despite how many correlating clues lead back to the APT groups and their communications with nation-states, the water remains murky. In replacement or in conjunction with the killswitch, consider weaponizing your own variant of ransomware. You could create a maintain ownership of the key or you could accept the loss of your data. The malware could also perform shred functions as with any script that you could program. Not only does the embedded malware render your data inaccessible, but it provides another level of plausible deniability. "I was not aware my infrastructure was being used for that." Technically, "malware" implies the application of code that will create adverse or undesired action to the system. This is not truly malware, but rather programmed code designed to mimic malicious function.
On GNU/Linux, there are many ways to embed malware on the system. Some of which leverage crontabs or other variants of scheduling tools. Aliases can be altered to perform malicious functions rather than the desired results. System process in `bin/` directories can perform unintended tasks, or simply be swapped out and/or linked to alternate processes. Some files such as `/etc/rc.local` or `/home/$USER/.bashrc` can contain commands to execute upon booting to the disk or logging into a user account respectively. Analyzing the newest trends of threat actors can useful to determine indicators of compromise (IOC). Kinsing[^41] and other threat actors that leverage new vulnerabilities to compromise internet-facing systems and embed cryptominers provide insight into the world of persistence, along with a competitive nature that stunts competition. The sub-sections listed below identify remnance that could indicate past compromise.
### Cron example
echo "*/30 * * * * sh /etc/.newinit.sh >/dev/null 2>&1" > /etc/$crondir
### Service Creation
Make a file under /etc/systemd/system/$service_name.service
If using a runit service manager, create a file under /etc/sv/$service_name
### /tmp/ executions
Many hardened systems append the flag `noexec` to the `/tmp/` partitions to prevent malicious code from being executed in that partition. For the sake of compromise, consider creating files that appear to be reference points from a past compromise. Some files in crypto-mining cases have names such as `.zsh`, `.zshs`, `kdevtmpfsi`, `libsystem.so` under the `/tmp/` directory.
### Placing SSH keys under the root user
Unexpected SSH keys can be a sign of compromise, and they typically do not belong under /root/.ssh/ directory as they are primarily controlled by a less-privileged user account.
## Traceless Procurement
There are a few concepts to touch on this topic.
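Review bot: the split of the long False Compromise paragraph into separate paragraphs reads better, but the rewritten closing sentence ("programmed code with the function to mimic malicious functions") is clumsier than the old wording ("programmed code designed to mimic malicious function"); keep the old phrasing. In the `### Cron example` sub-section the `echo` line is not in a code fence, unlike the backticked paths (`/etc/rc.local`, `/home/$USER/.bashrc`) in the paragraph above, and `$crondir` is never defined, so the line reads as a command with an unresolved variable rather than the indicator of past compromise the introductory sentence promises ("identify remnance that could indicate past compromise"); present it as the artifact a reviewer would expect to find, in a fenced block. Under `### Placing SSH keys under the root user`, the file that actually carries the indicator is `/root/.ssh/authorized_keys`; naming it makes the check concrete, since the `/root/.ssh/` directory itself is normal. Under `### /tmp/ executions`, `noexec` is a mount option, not "a flag appended to the partition". Spelling in the new lines: "deniabilty" (deniability), "heresay" (hearsay, also in the old paragraph), "remnance" (remnants), and "can useful" is missing "be". Note that assigning [^41] to Kinsing shifts every later footnote by one; the renumbering is carried through in the other hunks but the commit message does not mention it.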
@ -485,23 +496,23 @@ Zcash (ZEC) was ground-breaking in the implementation of a protocol known as Suc
Monero is often hailed as the privacy king of cryptocurrency. While it has commendable features with its RingCT protocol, the overarching theme is obscurity rather than traceless transactions.
"The fundamental problem of coin mixing methods though is that transaction data is not being hidden through encryption. RingCT is a system of disassociation where information is still visible in the blockchain. Mind that a vulnerability might be discovered at some point in the future which allows traceability since Moneros blockchain provides a record of every transaction that has taken place."
This operates similar to a mixnet where it is difficult to discern the originating address from a transaction. One of Monero's developers publicly admits that "zk-SNARKs provides much stronger untraceability characteristics than Monero (but a much smaller privacyset and much higher systemic risks)." Intelligence agencies have placed their eyes on Monero for some time. The United States has even brought in a private firm called CipherTrace who claims to have built tools capable of tracing transactions.[^41] At the time of writing, these are unsubstantiated claims; there is no evidence to suggest that Monero has been deobfuscated.
This operates similar to a mixnet where it is difficult to discern the originating address from a transaction. One of Monero's developers publicly admits that "zk-SNARKs provides much stronger untraceability characteristics than Monero (but a much smaller privacyset and much higher systemic risks)." Intelligence agencies have placed their eyes on Monero for some time. The United States has even brought in a private firm called CipherTrace who claims to have built tools capable of tracing transactions.[^42] At the time of writing, these are unsubstantiated claims; there is no evidence to suggest that Monero has been deobfuscated.
Pirate Chain's ARRR addresses the fungibility problem of Zcash by removing the transparent address schema (t-tx) and forcing all transactions to use Sapling shielded transactions (z-tx). "By consistently utilizing zk-SNARKs technology, Pirate leaves no usable metadata of users transactions on its blockchain." This means that even if the blockchain was compromised down the line, the adversary would obtain little to no useful metadata. The transactions contain no visible amount to no visible address from no visible address. The underlying cryptography would have to be broken or the viewing/spending keys would have to be intercepted in order to peer into the transactions. For an adversary without key possession, the trace is baseless. "A little bit of math can accomplish what all the guns and barbed wire cant: a little bit of math can keep a secret." - Edward Snowden
While I could write mounds of literature diving into the depths of cryptocurrency, I have brought forth only what is useful to the aims of anti-forensics. There is no real purpose in regurgitating quotations from various whitepapers and protocol designs. Any further research into the matter is up to you. If this has peaked your interest, consider diving into the various communities, protocol specifications, and whitepapers.
- Further information pertaining to zk-SNARKs - [^42]
- Monero (XMR) Whitepaper - [^43]
- Pirate Chain Whitepaper - [^44]
- Further information pertaining to zk-SNARKs - [^43]
- Monero (XMR) Whitepaper - [^44]
- Pirate Chain Whitepaper - [^45]
## Defensive Mechanisms
System security or hardening is vital for successful operations. Lack of hardening could result in your machines being cut through like hot butter. Center for Internet Security (CIS)[^45] and Defense Information Systems Agency (DISA) with Standard Technical Implementation Guides[^46] both have decent system hardening standards that are to be applied to all DoD contractor, government, and affiliated nodes. For Linux and Unix systems, Kernel Self-Protection Project (KSPP)[^47] is a great resource for kernel configuration settings.
System security or hardening is vital for successful operations. Lack of hardening could result in your machines being cut through like hot butter. Center for Internet Security (CIS)[^46] and Defense Information Systems Agency (DISA) with Standard Technical Implementation Guides[^47] both have decent system hardening standards that are to be applied to all DoD contractor, government, and affiliated nodes. For Linux and Unix systems, Kernel Self-Protection Project (KSPP)[^48] is a great resource for kernel configuration settings.
Hardening procedures fall in line with the concept of minimizing architecture and running processes on a system. This makes each system easier to audit with less noise/clutter, and reduces the attack surface for exploitation. Hardening should encompass patches, scans with most recent virus definitions, restrictive permissions, kernel hardening, purging unnecessary software, and disabling physical ports, unnecessary users, filesystems, firmware modules, compilers, and network protocols.
System hardening is far from a quick and easy process, unless you have preconfigured images for systems. For small operations lacking technical prowess, preconfigured operating systems such as TAILS or Whonix mentioned in the Operating System section assure the greatest security and the least hassle.
If the goal is to run a more persistent lightweight OS with minimal functionality, I suggest running a variant of Arch Linux that does not use SystemD (Consider runit, OpenRC, or s6). If wide community support is needed, Arch with a hardened configuration will be your best bet. For the tech-savvy, hardened variants of Gentoo are ideal.
The more persistence desired for the operation increases the complexity of the hardening. Some projects have been introduced to rival Xen-based hypervisors with minimalist GNU/Linux systems. Some development towards Whonix Host[^48] was started but has not yet come to fruition. PlagueOS[^49] is based on the Void musl build with numerous hardening mechanisms. This is designed to act strictly as a locked down hypervisor with all system activities conducted inside of Kicksecure/Whonix VMs. The VMs also are restricted by AppArmor profiles and are ran inside a `bwrap`[^50] sandboxed container. See the PARSEC repository for examples of how to implement bubblewrap profiles.[^51]. Do note that the listed hardening is incomplete and will not fit all operations and GNU/Linux systems. This is not meant to be a book on methods for defensive cybersecurity. For those concerned with exploitation of GNU/Linux systems, see the reference to Madaidan's hardening guide.[^52]
The more persistence desired for the operation increases the complexity of the hardening. Some projects have been introduced to rival Xen-based hypervisors with minimalist GNU/Linux systems. Some development towards Whonix Host[^49] was started but has not yet come to fruition. PlagueOS[^50] is based on the Void musl build with numerous hardening mechanisms. This is designed to act strictly as a locked down hypervisor with all system activities conducted inside of Kicksecure/Whonix VMs. The VMs also are restricted by AppArmor profiles and are ran inside a `bwrap`[^51] sandboxed container. See the PARSEC repository for examples of how to implement bubblewrap profiles.[^52]. Do note that the listed hardening is incomplete and will not fit all operations and GNU/Linux systems. This is not meant to be a book on methods for defensive cybersecurity. For those concerned with exploitation of GNU/Linux systems, see the reference to Madaidan's hardening guide.[^53]
## Physical Precautions
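Review bot: "Standard Technical Implementation Guides" in the Defensive Mechanisms paragraph (both old and new lines) misexpands DISA STIGs; the S stands for Security, so the prose disagrees with the "DISA STIGs" title of the footnote it cites. Two quotations in this hunk carry no footnote while the claims around them do: the coin-mixing quotation beginning "The fundamental problem of coin mixing methods" and the Pirate Chain quotation beginning "By consistently utilizing zk-SNARKs technology"; both should be attributed to their source. The renumbering itself is consistent with the new footnote table: [^41]→[^42] on the CipherTrace sentence, [^42]–[^44]→[^43]–[^45] in the reading list, and [^45]–[^52]→[^46]–[^53] in the hardening paragraphs. Minor wording, present in both old and new lines: "peaked your interest" should be "piqued"; "are ran inside a `bwrap`" should be "are run inside"; "profiles.[^52]." has a doubled period; the project spells its name "systemd", not "SystemD".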
@ -536,13 +547,13 @@ It's evident that poking powerful players could result in irreversable consequen
The OS selection should be oriented towards amnesia. TAILS could be leveraged with a USB, and the drive in the system could simply be a dummy (filled with insignificant data, vacation pictures, etc). The physical wireless chipset should be removed and replaced with a wireless dongle and attached only when needed. While I prefer hardware mitigations over software mitigations, you may not wish to fry the USB ports or desolder the SATA ports. The BIOS should be password-protected, and the USB ports at the very least can be disabled from the menu. If you will be operating from public locations, consider running a blank keyboard with a privacy screen covering the LED.
Fortunately, amnesiac solutions are growing. One can run TAILS with the HiddenVM project.[^53] HiddenVM is precompiled VirtualBox binaries to allow running virtual machines without an installation directly on TAILS. HiddenVM leverages the TAILS amnesiac system with Veracrypt's hidden partitions for plausible deniability. In this way, Whonix can be ran from TAILs and there will not be an overlapping use of TOR.
Fortunately, amnesiac solutions are growing. One can run TAILS with the HiddenVM project.[^55] HiddenVM is precompiled VirtualBox binaries to allow running virtual machines without an installation directly on TAILS. HiddenVM leverages the TAILS amnesiac system with Veracrypt's hidden partitions for plausible deniability. In this way, Whonix can be ran from TAILs and there will not be an overlapping use of TOR.
If a live USB with minimal processing power is not your niche, consider running a hardened base Linux, preferably using a Windows Manager (WM) over a full Desktop Environment (DE), to act as a hyper-visor that runs amnesiac virtual machines such as Whonix. If the option is taken to avoid live boot, the hardware selection becomes more important. First off, it would be in your best interest to use at least 16 GB of RAM. Secondly, consider using one SSD and one HDD. The HDD will be used to hold files, while the SSD is used for facilitating performance for the host OS. As previously stated, HDDs can be wiped by degaussing or overwriting physical sectors while this should be assumed an impossibility for an SSD. Each VM on the host should have a primary function; separate cases and even processes should have separate VMs. For the more technical, sandboxing applications can be used to add nested layers of security. Consider using a sandboxed profile[^54] for your virtualization software, whether it be KVM[^55] or VirtualBox[^56]. Inside the VM, use sandboxing to isolate your processes.
If a live USB with minimal processing power is not your niche, consider running a hardened base Linux, preferably using a Windows Manager (WM) over a full Desktop Environment (DE), to act as a hyper-visor that runs amnesiac virtual machines such as Whonix. If the option is taken to avoid live boot, the hardware selection becomes more important. First off, it would be in your best interest to use at least 16 GB of RAM. Secondly, consider using one SSD and one HDD. The HDD will be used to hold files, while the SSD is used for facilitating performance for the host OS. As previously stated, HDDs can be wiped by degaussing or overwriting physical sectors while this should be assumed an impossibility for an SSD. Each VM on the host should have a primary function; separate cases and even processes should have separate VMs. For the more technical, sandboxing applications can be used to add nested layers of security. Consider using a sandboxed profile[^51] for your virtualization software, whether it be KVM[^56] or VirtualBox[^57]. Inside the VM, use sandboxing to isolate your processes.
Note: Amnesiac computing is highly advised for journalists with state targets on their back. Most malware will not be able to persist through different sessions, and often they will have to interact with hostile platforms and networks.
If a mobile device is deemed a necessity, leverage GrapheneOS on a Google Pixel. Encrypt all communications through trusted services or peer-to-peer (P2P) applications like Briar.[^57] Route all device traffic through TOR with the use of Orbot. Keep the cameras blacked out with electrical or gorilla tape. The concept of treating all signals as hostile should be emphasized here as the hardware wireless chipset cannot be desoldered. Sensors and microphones can successfully be disabled, but the trend with smaller devices is that they run as a System on a Chip (SoC). In short, multiple functions necessary for the system to work are tied together in a single chip. Even if you managed not to fry the device from the desoldering process, you would have gutted the core mechanisms of the system, resulting in the newfound possession of a paperweight.
If a mobile device is deemed a necessity, leverage GrapheneOS on a Google Pixel. Encrypt all communications through trusted services or peer-to-peer (P2P) applications like Briar.[^58] Route all device traffic through TOR with the use of Orbot. Keep the cameras blacked out with electrical or gorilla tape. The concept of treating all signals as hostile should be emphasized here as the hardware wireless chipset cannot be desoldered. Sensors and microphones can successfully be disabled, but the trend with smaller devices is that they run as a System on a Chip (SoC). In short, multiple functions necessary for the system to work are tied together in a single chip. Even if you managed not to fry the device from the desoldering process, you would have gutted the core mechanisms of the system, resulting in the newfound possession of a paperweight.
### Market Vendor
Let's assume the vendor is selling some sort of vice found on the DEA's list of schedule 1 narcotics. Fortunately in this use-case, unlike that of the anonymous activist (or the journalist in some cases), OPSEC is welcomed with open arms. In fact, vendors are even rated with their stealth (both from shipping and processing) as one of the highest criteria in consideration, along with the markets being TOR friendly, leveraging PGP, and ensuring full functionality without Javascript. Given the ongoing nature of these operations, and that they are tailored towards privacy and security, a more persistent system will likely be the best fit.
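Review bot: the sandboxed-profile citation in the hypervisor paragraph changes from [^54] to [^51], which is not the uniform +1 shift applied elsewhere; the old [^54] resolved to the HiddenVM entry and the new [^51] resolves to the BubbleWrap entry in the footnote table, so this is a citation fix and should be stated in the commit message so it is not mistaken for a renumbering slip. The HiddenVM citation in the preceding paragraph is a second silent fix: old [^53] pointed at the FOIA entry, new [^55] points at HiddenVM. Wording in both old and new lines: "Windows Manager (WM)" should be "Window Manager", "hyper-visor" is one word, "can be ran from TAILs" should be "can be run from TAILS" (the same sentence already spells it "TAILS"), and the project writes its name "Tor", not "TOR".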
@ -711,20 +722,21 @@ Donations to support projects under https://git.envs.net/WhichDoc are welcome wi
[^38]: Jumping Airgaps - https://arxiv.org/pdf/2012.06884.pdf
[^39]: https://assets.documentcloud.org/documents/6747427/2.pdf
[^40]: Jung, C. G. (2014). Modern man in search of a soul. Routledge.
[^41]: CipherTrace - https://ciphertrace.com/ciphertrace-announces-worlds-first-monero-tracing-capabilities/
[^42]: ZkSnarks - https://z.cash/technology/zksnarks
[^43]: Monero Whitepaper - https://www.getmonero.org/resources/research-lab/pubs/whitepaper_annotated.pdf
[^44]: Pirate Chain Whitepaper - https://pirate.black/files/whitepaper/The_Pirate_Code_V2.0.pdf
[^45]: CIS - https://www.cisecurity.org
[^46]: DISA STIGs - https://public.cyber.mil/stigs
[^47]: KSPP - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[^48]: Whonix Host - https://www.whonix.org/wiki/Whonix-Host
[^49]: PlagueOS- https://git.envs.net/whichdoc/plagueos
[^50]: BubbleWrap Sandbox - https://github.com/containers/bubblewrap
[^51]: SalamanderSecurity's PARSEC repository - https://codeberg.org/SalamanderSecurity/PARSEC
[^52]: Linux Hardening - https://madaidans-insecurities.github.io/guides/linux-hardening.html
[^53]: FOIA request for Palantir operations -https://www.documentcloud.org/search/projectid:51061-Palantir-September-2020
[^54]: HiddenVM - https://github.com/aforensics/HiddenVM
[^55]: KVM - https://www.linux-kvm.org/
[^56]: Oracle VirtualBox - https://virtualbox.org
[^57]: Briar P2P Messenger - https://briarproject.org
[^41]: https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
[^42]: CipherTrace - https://ciphertrace.com/ciphertrace-announces-worlds-first-monero-tracing-capabilities/
[^43]: ZkSnarks - https://z.cash/technology/zksnarks
[^44]: Monero Whitepaper - https://www.getmonero.org/resources/research-lab/pubs/whitepaper_annotated.pdf
[^45]: Pirate Chain Whitepaper - https://pirate.black/files/whitepaper/The_Pirate_Code_V2.0.pdf
[^46]: CIS - https://www.cisecurity.org
[^47]: DISA STIGs - https://public.cyber.mil/stigs
[^48]: KSPP - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[^49]: Whonix Host - https://www.whonix.org/wiki/Whonix-Host
[^50]: PlagueOS- https://git.envs.net/whichdoc/plagueos
[^51]: BubbleWrap Sandbox - https://github.com/containers/bubblewrap
[^52]: SalamanderSecurity's PARSEC repository - https://codeberg.org/SalamanderSecurity/PARSEC
[^53]: Linux Hardening - https://madaidans-insecurities.github.io/guides/linux-hardening.html
[^54]: FOIA request for Palantir operations -https://www.documentcloud.org/search/projectid:51061-Palantir-September-2020
[^55]: HiddenVM - https://github.com/aforensics/HiddenVM
[^56]: KVM - https://www.linux-kvm.org/
[^57]: Oracle VirtualBox - https://virtualbox.org
[^58]: Briar P2P Messenger - https://briarproject.org
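Review bot: the new [^41] entry is a bare URL while every other entry in the table follows "Name - URL"; give it a title (for example "Kinsing malware - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability") so the list stays uniform. Two spacing defects are carried over unchanged from the old entries: [^50] "PlagueOS- https" and [^54] "-https://" (FOIA request) both lack the space around the hyphen that the other entries have. Otherwise the renumbering checks out: each old entry [^n] from [^41] through [^57] reappears as [^n+1] with identical text.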