brent timothy saner on 4 Apr 2018 14:03:49 -0700



[PLUG] understanding Russian threats (was: Re: Massive Breach in Panera Bread)


On 04/04/2018 04:24 PM, george@georgesbasement.com wrote:
> While the security breach revealed in this clearly documented discussion
> is important to inform IT managers about the privacy risks to affected
> individual accounts of blind usage of canned proprietary software, I've
> been following another risk growing out of the Russian interference with
> our 2016 election.
> 
> This has been going on since September 2016 and continues to the present
> day. The Russians are working on the logistics of attacking our entire
> installed software base with the aim to control a massive shutdown of the
> Internet by pushing a "Czar" button at the Troll farm ...
> 
> They have been developing a technique of activating an arbitrarily large
> number of compromised Russian-language websites worldwide from the Remote
> Access Ports shared by a number (presently about two dozen) of Russian and
> Seychelles-based servers controlled by a handful of actors. They now are
> able to engineer the nearly simultaneous arrival of HEAD / HTTP requests
> made by the numerous compromised Russian-language websites.
> 
> Starting December 2017 and since they have apparently been escalating to the
> near-simultaneous sending of PORT requests to deliver compromised WordPress
> applications, plugins, etc. to minimally protected WordPress installations
> so as to compromise them or their servers.
> 
> They're doing this to my webpage (anonymized on the 'Net) even though there
> is no WordPress software on its server, but I presume that the attempt is
> spread among as many prospective victims as possible without evaluating or
> winnowing the unproductive instances.
> 
> To whom should these activities be reported? I've gotten no feedback of any
> kind since I went public with this, and the only "visitors" to the website
> (pinthetaleonthedonkey.com) are RU, UA, CN, TR, IR, KR and various WordPress
> attackers, all 403'd or promptly added to the site's .htaccess file. Google
> occasionally visits, but in-depth readers are few and far between.
> 
> These efforts will be exceedingly difficult to stop because the compromised
> Russian-language websites are scattered worldwide and the Port 3389 servers
> are all out of our reach. However, if the Powers-That-Be can gain admittance
> to the Access Files of the compromised servers that are on friendly ground,
> then the presently hidden activating servers might be traced from the timing
> and identity of the specific requests documented in
> pinthetaleonthedonkey.com.
> 
> George Langford

do you talk about anything *other* than what you perceive to be a
targeted attempted campaign by Russian actors-in-power aimed at you,
Some Guy Who Runs His Own Server?

because that's literally all you post about. this isn't even relevant to
panera's breach.

you haven't gotten any feedback on this because it's unrealistic.

let's break it down:

first off, your first premise of russians conducting a widescale attack
doesn't suit them. if anything, they prefer targeted, narrow-scope
compromise attempts but it's a lot cheaper and easier to conduct psyops,
which they definitely engage in a lot more than any sort of direct
digital attack. when you conduct an attempted compromise, you never do
it wide-scale because that's how you blow your cover, period. (not to
mention the cost involved in something like that.) they spend their
money where there'd be an actual payoff - .gov's, gov contractors, and
the like. i doubt your nonexistent Wordpress server holds US state
secrets. (sidenote: the US gov sites do not use Wordpress.)

secondly, "They're doing this to my webpage (anonymized on the 'Net)" -
if it's anonymized, how do you know it's russian in origin?

third, "To whom should these activities be reported ?"
certainly not to a LUG, assuming it's actually valid.

"the Port 3389 servers are all out of our reach" - what does this have
to do with Wordpress probes?

"of the specific requests documented in pinthetaleonthedonkey.com" -
stop peddling your website.


lastly, anyone can tell you that wordpress probes have been happening in
large numbers from a slew of IP ranges for... well, forever. it's a part
of being on the 'net, and it certainly predates any russian involvement
in the US 2016 election. it's mostly a bunch of skids with a bot farm trying
to deface wordpress websites because it's easy. state-level operations
are much less noisy.

(inb4 "you're one of them!")
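To put the "wordpress probes are background noise" point in concrete terms, here is an added example that is not part of either poster's message. It takes a few constructed Apache/nginx combined-format access log lines (not real traffic from any host), flags the requests that only make sense against a WordPress install (wp-login.php, xmlrpc.php, /wp-content/..., and so on), tallies them per client address, and emits the Apache 2.4 `Require not ip` stanza that a manual ".htaccess" block would amount to. The log format, the path list and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumption: the server writes the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that only exist on a WordPress install. On a server that runs no
# WordPress, hits on these are commodity scanner noise, not a tailored attack.
WP_PATTERNS = tuple(re.compile(p) for p in (
    r'^/wp-login\.php',
    r'^/xmlrpc\.php',
    r'^/wp-admin/',
    r'^/wp-content/',
    r'^/wp-includes/',
    r'^/wp-json/',
))

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2018:13:01:02 -0400] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Apr/2018:13:01:03 -0400] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.22 - - [04/Apr/2018:13:02:10 -0400] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.58.0"
198.51.100.22 - - [04/Apr/2018:13:02:11 -0400] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.18"
192.0.2.5 - - [04/Apr/2018:13:03:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [04/Apr/2018:13:03:01 -0400] "GET /about.html HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Apr/2018:13:05:44 -0400] "GET /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_wp_probe(path):
    """True if the request path targets a WordPress-only resource."""
    return any(p.match(path) for p in WP_PATTERNS)


def summarize(log_text):
    """Per-client totals: how many requests, how many WordPress probes, which probe paths."""
    summary = defaultdict(lambda: {"total": 0, "wp_probes": 0, "probe_paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than guess
        entry = summary[rec["ip"]]
        entry["total"] += 1
        if is_wp_probe(rec["path"]):
            entry["wp_probes"] += 1
            entry["probe_paths"].append(rec["path"])
    return dict(summary)


def probing_ips(summary, min_probes=1):
    """Client addresses with at least min_probes WordPress probes, most active first."""
    hits = [(ip, e["wp_probes"]) for ip, e in summary.items() if e["wp_probes"] >= min_probes]
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [ip for ip, _ in hits]


def htaccess_deny(ips):
    """Apache 2.4 access-control stanza denying the given addresses (assumed httpd >= 2.4)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip %s" % ip for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in probing_ips(s):
        print(ip, s[ip]["wp_probes"], "probes of", s[ip]["total"], "requests:", s[ip]["probe_paths"])
    print(htaccess_deny(probing_ips(s)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the point of the per-client counts is that a handful of WordPress-only paths hit from many unrelated addresses, on a host with no WordPress, is the generic scanning the reply describes, and blocking the addresses in .htaccess is a reactive measure against an ever-changing list rather than a way to identify whoever is behind it.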


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug