
Torsploit - NSA tools behind attack | CONFIRMED



Re: Torsploit - NSA tools behind attack | CONFIRMED

by parityboy » Sun Oct 19, 2014 5:44 pm

Marques was arrested originally in late July. There is no public data confirming how that initial arrest came to be - how the FBI got on Marques initially. In this week's reports, the FBI is saying that they have "linked" Marques to U.S. bank accounts that were used to pay for servers leased at an unspecified hosting company in France. Did they get those bank records after the raid in late July - or before, and use them to trace to Marques? We don't know, yet.
Which means they had a reason to be watching the guy in the first place. Loads of people pay for servers located in foreign countries - so what? That's not enough reason for the FBI to be watching someone, so the real question is how did he manage to stick himself on their radar? I don't think the very fact that he was running Freedom Hosting was the reason, so perhaps one of the hidden site owners let on that their (possibly CP) site was being hosted by Freedom Hosting.

Even if that were so, what would happen next? Was it public fact that Marques ran Freedom Hosting? Did the FBI contact him and ask him to collaborate? Did he accept or refuse? If he accepted, what then? Assuming the Hidden Services were configured correctly, would Marques (with access to all of the servers as their leaser/renter) be able to know which sites held what? On paper yes - they were very likely VPS instances, so their virtual drives could be mounted and read (and possibly written, too); I'm willing to bet they weren't encrypted (that's something I need to play with actually), but would he be interested in trawling through them?

OK, so suppose he refused. It would be trivial then for the FBI to "ask" the data centre for access to the machines. However, if the FBI were after one particular site (and assuming the hidden servers were paid for anonymously) neither Marques nor the DC would know (or should know) which sites were sitting on which IP addresses on which piece of hardware - I doubt they would be willing to go through (possibly hundreds of) VMs.

Could that explain why all of the hidden servers were infected with Torsploit, rather than a few?

If Marques wasn't aware of the FBI's interest in him, then something else must have leaked - billing information certainly isn't enough. IP address? Somebody's (physical or electronic) mouth? Association with someone "known to us"? "unmasked with NSA-devised techniques" doesn't really tell us anything.

I'll throw something else in. The FBI is a police organisation; investigating and solving crimes, and bringing people to justice is what they do. The NSA however is a political organisation (as far as I can see). They are effectively the specialist SIGINT wing of the CIA, spun out as an independent "business unit".

So the question is: why would they get involved in this? What's in it for them? What attracted them to it? Could be an axis of a) the FBI having no luck taking down a site and being embarrassed by that fact and b) the NSA having a chance to flex their muscles against Tor (and get a bigger budget)?

pitcher/catcher IP FOIA to NSA: classified

by cryptostorm_admin » Sat Oct 04, 2014 1:12 am

Last year, there was quite a bit of back and forth regarding two IP addresses associated with the Torsploit attack on Tor hidden services. A summary of that discussion can be found here.

Since then, the folks at Baneki Privacy Labs did an FOIA request on the National Security Agency specifically regarding these two IP addresses (dubbed, last year, "pitcher" and "catcher," respectively).

Here's the reply they received...
The relevant text is as follows...
"...we have determined that the fact of the existence or non-existence of the materials you request is currently and properly classified matter in accordance with Executive Order 13526, as set forth in Subparagraph (c) of Section 1.4. Thus, your request is denied pursuant to the first exemption of the FOIA..."
Interesting, indeed...

Our understanding is that the folks at Baneki are continuing to work on the post-review forensics associated with those two IP addresses. However, this latest reply from the NSA perhaps gives further credence to the initial findings suggesting direct NSA involvement in Torsploit's C&C infrastructure.

~ cryptostorm_admin

Re: Torsploit - NSA tools behind attack | CONFIRMED

by Guest » Sat Oct 05, 2013 5:09 pm

Baneki wrote: {continued forward from existing Torsploit thread, to increase ease of access for newcomers to the topic ~admin}
1. Torsploit made use of a fresh Firefox 0day, which means it was coded quite recently; it couldn't have been old, nor obviously could it date back to 2002. If it's "CIPAV," then it's something so new and so fresh-coded that it's the same as the old tool in name only.

I just wanted to correct that it wasn't a 0day exploit, it was an almost 1-month-old exploit. In fact, the latest version of the Tor browser bundle at that time (17.0.7ESR) was unaffected by this exploit. This bug was fixed in Firefox because it was already known. I mean by this that it wasn't a state-of-the-art attack.

When was torsploit FH .js iframe injection first observed?

by Pattern_Juggled » Sat Oct 05, 2013 2:02 pm

That's useful timing info in terms of how this played out.

There's still a host of tactical questions regarding torsploit that remain unanswered. These facts about what happened at what time and on what date - not just what the press reported (which often was either rumour, or was just printed because someone else already printed it) but from firsthand (or close thereto) observations - are extremely useful. Sometimes they help bolster a given hypothesis; more likely, and often more definitively, they can serve as disconfirmation of hypotheses that might be otherwise congruent with known facts, but don't fit a new one.

The old adage is that a bucket full of confirmatory findings is emptied by just one drop of concentrated disconfirmation. Some of the theories going around don't meet known, verified facts - whether these facts are "small" or not generally matters not one whit. A successful theory must match all observed facts, without exception.

To me, the biggest dark spots on the map for torsploit - and the Silk Road takedown - relate to the rooting of the underlying servers: when, how, for how long, to what ends, with what tools? The "who" could still theoretically be in question - since we don't know the vector used to root the boxes, we can't really conjecture. It could be they got passwords from an angry ex-lover (random hypothetical example) - in which case no tech capabilities were required. More likely, it might seem, is a pretty high-calibre offensive intrusion capability... but that's still merely a hunch at this point.

As to who was behind the "Magneto"-injecting .js served by the compromised hosts, that's really not subject to meaningful dispute at this point in time. As we've said all along: NSA.

Re: Torsploit - NSA tools behind attack | CONFIRMED

by Guest » Sat Oct 05, 2013 1:29 pm

The injected code was first noticed (afaik) by Cloud from 4Pedo on Saturday 3rd (Aug) around 2PM UTC. This was after the initial downtime for all sites hosted on FH.

After 2PM some sites returned like normal, but not all of them; those that returned included the Torsploit, not only in the "server down" message but also in every normal webpage.

On Monday August 5th around 4 PM UTC all Freedom Hosting websites went down.

Later that month OPVA (Onion Pedo Video Archive) went down without notice and hasn't returned since. We don't know if this is related in any way, this was the largest video site out there.

Re: Torsploit - NSA tools behind attack | CONFIRMED

by Guest » Sat Oct 05, 2013 3:51 am

"5. We have heard nothing from the FBI about any arrests or planned arrests of anyone targeted by Torsploit injection de-anonymisation. Indeed, as many folks have pointed out, the method through which Torsploit did this didn't seem to make any effort to ensure there was enough forensically-valid data to power actual prosecutions in a U.S. courtroom... which is what the FBI is paid to do."

I disagree. Assuming they captured the data, they now have probable cause to issue search warrants after they get the data from the ISPs. They won't announce any raids or arrests until after they happen. It would take at least 3-4 months to get their ducks lined up to start the raids.

"Accessing" and "receipt" are crimes re CP. They can theoretically prove one visited a known CP site - so that is that. Intent is another matter. I am assuming the visitors to these sites have already cleaned up their computers.

Re: Torsploit Reloaded...

by Guest » Sat Oct 05, 2013 12:45 am

Also posted was an NSA presentation saying Tor sucks cuz encryption is too hard.

With Javascript off to stop most exploits, disabled cookies, and a simple add-on to put a damper on browser fingerprinting, what's left besides 0-days?

Throw firefox/torbrowser within a sandbox/chroot jail, and even within a VM on top of that, then what? I can't think of any vectors left; of course they probably have 0-days for VMs, can't rule that out.

Re: Torsploit Reloaded...

by Pattern_Juggled » Sat Oct 05, 2013 12:15 am

"Several attacks result in implanting malicious code on the computer of Tor users who visit particular websites. The agencies say they are targeting terrorists or organized criminals visiting particular discussion boards, but these attacks could also hit journalists, researchers, or those who accidentally stumble upon a targeted site."
From the Guardian's recent article on the NSA's attacks on Tor.

So, there's your proof.