Calvin Morrison on 4 Apr 2018 14:13:51 -0700



Re: [PLUG] understanding Russian threats (was: Re: Massive Breach in Panera Bread)


I for one embrace our new Russian overlords! I am actually learning
Russian on Duolingo right now.

On 4 April 2018 at 17:03, brent timothy saner <brent.saner@gmail.com> wrote:
> On 04/04/2018 04:24 PM, george@georgesbasement.com wrote:
>> While the security breach revealed in this clearly documented discussion
>> is important to inform IT managers about the privacy risks to affected
>> individual accounts of blind usage of canned proprietary software, I've
>> been following another risk growing out of the Russian interference with
>> our 2016 election.
>>
>> This has been going on since September 2016 and continues to the present
>> day. The Russians are working on the logistics of attacking our entire
>> installed software base with the aim to control a massive shutdown of the
>> Internet by pushing a "Czar" button at the Troll farm ...
>>
>> They have been developing a technique of activating an arbitrarily large
>> number of compromised Russian-language websites worldwide from the Remote
>> Access Ports shared by a number (presently about two dozen) of Russian and
>> Seychelles-based servers controlled by a handful of actors. They now are
>> able to engineer the nearly simultaneous arrival of HEAD / HTTP requests
>> made by the numerous compromised Russian-language websites.
>>
>> Starting December 2017 and since they have apparently been escalating to the
>> near-simultaneous sending of PORT requests to deliver compromised WordPress
>> applications, plugins, etc. to minimally protected WordPress installations
>> so as to compromise them or their servers.
>>
>> They're doing this to my webpage (anonymized on the 'Net) even though there
>> is no WordPress software on its server, but I presume that the attempt is
>> spread among as many prospective victims as possible without evaluating or
>> winnowing the unproductive instances.
>>
>> To whom should these activities be reported? I've gotten no feedback of any
>> kind since I went public with this, and the only "visitors" to the website
>> (pinthetaleonthedonkey.com) are RU, UA, CN, TR, IR, KR and various WordPress
>> attackers, all 403'd or promptly added to the site's .htaccess file. Google
>> occasionally visits, but in-depth readers are few and far between.
>>
>> These efforts will be exceedingly difficult to stop because the compromised
>> Russian-language websites are scattered worldwide and the Port 3389 servers
>> are all out of our reach. However, if the Powers-That-Be can gain admittance
>> to the Access Files of the compromised servers that are on friendly ground,
>> then the presently hidden activating servers might be traced from the timing
>> and identity of the specific requests documented in
>> pinthetaleonthedonkey.com.
>>
>> George Langford
>
> do you talk about anything *other* than what you perceive to be a
> targeted attempted campaign by Russian actors-in-power aimed at you,
> Some Guy Who Runs His Own Server?
>
> because that's literally all you post about. this isn't even relevant to
> panera's breach.
>
> you haven't gotten any feedback on this because it's unrealistic.
>
> let's break it down:
>
> first off, your first premise of russians conducting a widescale attack
> doesn't suit them. if anything, they prefer targeted, narrow-scope
> compromise attempts but it's a lot cheaper and easier to conduct psyops,
> which they definitely engage in a lot more than any sort of direct
> digital attack. when you conduct an attempted compromise, you never do
> it wide-scale because that's how you blow your cover, period. (not to
> mention the cost involved in something like that.) they spend their
> money where there'd be an actual payoff - .gov's, gov contractors, and
> the like. i doubt your nonexistent WordPress server holds US state
> secrets. (sidenote: the US gov sites do not use WordPress.)
>
> secondly, "They're doing this to my webpage (anonymized on the 'Net)" -
> if it's anonymized, how do you know it's russian in origin?
>
> third, "To whom should these activities be reported ?"
> certainly not to a LUG, assuming it's actually valid.
>
> "the Port 3389 servers are all out of our reach" - what does this have
> to do with WordPress probes?
>
> "of the specific requests documented in pinthetaleonthedonkey.com" -
> stop peddling your website.
>
>
> lastly, anyone can tell you that WordPress probes have been happening in
> large number from a slew of IP ranges for... well, forever. it's a part
> of being on the 'net, and it certainly predates any russian involvement
> in the US 2016 election. it's mostly a bunch of skids with a bot farm trying
> to deface WordPress websites because it's easy. state-level operations
> are much less noisy.
>
> (inb4 "you're one of them!")
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>
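A defender-side way to see the "background noise" Brent describes and the 403'd WordPress probes George mentions is to triage the access log rather than guess at attribution. The script below is an added example written for this archive page, not code posted by anyone in the thread. It parses Apache combined-format access log lines (the sample lines are constructed, not real traffic), tags requests that hit WordPress-only paths, and lists clients whose every request was a WordPress probe or a bare `HEAD /`. The path patterns, the scanner heuristic and the sample addresses are assumptions chosen for illustration.

```python
"""Triage web-server access logs for WordPress probe traffic on a host
that does not run WordPress. Added example; all log lines are constructed."""
import re
from collections import defaultdict

# Apache "combined" log format (assumed layout; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that exist only on WordPress installs; a hit on a non-WordPress host
# is almost always an automated scanner. Pattern list is an assumption.
WP_PATTERNS = (
    re.compile(r"^/wp-login\.php"),
    re.compile(r"^/xmlrpc\.php"),
    re.compile(r"^/wp-admin(/|$)"),
    re.compile(r"^/wp-content/plugins/"),
    re.compile(r"^/wp-includes/"),
    re.compile(r"^(?:/[^/]+)?/wp-config\.php"),
)

# Constructed sample log: one real reader, one scripted scanner, one lone probe,
# and one garbage line to show the parser tolerating corruption.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Apr/2018:13:01:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
198.51.100.7 - - [04/Apr/2018:13:01:05 -0400] "HEAD / HTTP/1.1" 200 - "-" "python-requests/2.18.4"
198.51.100.7 - - [04/Apr/2018:13:01:06 -0400] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/2.18.4"
198.51.100.7 - - [04/Apr/2018:13:01:06 -0400] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.18.4"
198.51.100.7 - - [04/Apr/2018:13:01:07 -0400] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 403 199 "-" "python-requests/2.18.4"
192.0.2.44 - - [04/Apr/2018:13:02:11 -0400] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Apr/2018:13:02:40 -0400] "GET /about.html HTTP/1.1" 200 2210 "http://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_wp_probe(path):
    """True if the request path targets a WordPress-specific resource."""
    # Drop the query string first so '?action=...' does not hide the path.
    bare = path.split("?", 1)[0]
    return any(p.match(bare) for p in WP_PATTERNS)


def summarize(log_text):
    """Group parsed requests by client IP.

    Returns (stats, unparsed) where stats maps ip -> counters and
    unparsed is the number of lines the regex could not read.
    """
    stats = defaultdict(lambda: {"total": 0, "wp_probes": 0, "head_root": 0, "denied": 0})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if is_wp_probe(rec["path"]):
            s["wp_probes"] += 1
        if rec["method"] == "HEAD" and rec["path"] == "/":
            s["head_root"] += 1
        if rec["status"] == 403:
            s["denied"] += 1
    return dict(stats), unparsed


def scanners(stats, min_probes=1):
    """IPs whose every request was a WordPress probe or a bare HEAD / (assumed heuristic)."""
    return sorted(
        ip for ip, s in stats.items()
        if s["wp_probes"] >= min_probes and s["wp_probes"] + s["head_root"] == s["total"]
    )


if __name__ == "__main__":
    st, bad = summarize(SAMPLE_LOG)
    for ip in scanners(st):
        print(f"{ip}: {st[ip]['wp_probes']} WordPress probes, {st[ip]['denied']} already denied")
    print(f"{bad} unparseable line(s)")
```

Run against a real log with `summarize(open("access.log").read())`; the point of the per-IP view is that probe traffic is identified by what it requests, not by where the address is registered, so a geolocation lookup adds nothing to the triage.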