Thursday, August 13, 2020

North Kivu records the highest number of new Covid19 cases again

As of the tests confirmed on Wednesday, there were 51 new confirmed cases (26 in North Kivu, 13 in Kinshasa, 7 in Ituri, 3 in Kongo Central, 1 in Haut-Uélé and 1 in North Ubangi) out of 413 tested samples, 59 newly cured people (42 in Kinshasa and 17 in the other provinces), and 9 deaths.
Since the beginning of the epidemic, the cumulative number of cases is 9,589, including 9,588 confirmed cases and 1 probable case:
• Kinshasa: 7,793 cases
• North Kivu: 498 cases
• Kongo-Central: 427 cases
• Haut-Katanga: 314 cases
• South Kivu: 295 cases
• Lualaba: 88 cases
• Ituri: 80 cases
• Haut-Uélé: 40 cases
• Tshopo: 26 cases
• North Ubangi: 7 cases
• Kwilu: 6 cases
• Ecuador: 5 cases
• South Ubangi: 5 cases
• Haut-Lomami: 1 case
• Kasai: 1 case
• Kasai-Central: 1 case
• Kwango: 1 case

The US could soon have a fieldable hypersonic weapon if tests on the B-52’s ability to carry the ARRW continue to be successful

What could be the final test for the US Air Force’s B-52 Stratofortress bomber to field the AGM-183A Air-launched Rapid Response Weapon (ARRW) was carried out in California on Saturday. The next step will be to test-fire the hypersonic missile from the huge bomber, which could come later this year.
The US could soon have a fieldable hypersonic weapon if tests on the B-52’s ability to carry the ARRW continue to be successful. An August 8 test flight off the coast of California “verified system integration with the B-52 launch platform and telemetry while practicing concepts of operations that will be utilized during its first Booster Test Flight later this year,” the Air Force said in a news release.
During the test, the AGM-183A IMV-2 (Instrumented Measurement Vehicle) slung underneath the B-52’s huge wings successfully transmitted telemetry and GPS data back to ground stations at Point Mugu Sea Range, a vast testing range that extends off the coast of California near Los Angeles.
“This is a major milestone for the program, the team and our Air Force,” Brig. Gen. Heath Collins, Air Force program executive officer for weapons, said in the release. “ARRW is the first step in bringing game-changing hypersonic capabilities to our Warfighters.”
The first ARRW captive-carry test happened in June 2019, and if the ARRW’s test firings are successful, the missile could be declared operational in late 2022.
The Air Force chose to continue development of Lockheed Martin’s ARRW over its competitor design, the Hypersonic Conventional Strike Weapon (HCSW) by the same firm, back in February. The missile is reportedly capable of reaching speeds of Mach 20, or roughly 15,300 miles per hour - too fast for the vast majority of air defense systems to detect and intercept.
The US lags behind the international hypersonic arms race , as both Russia and China have already developed and fielded hypersonic weapons in recent years
looked to its huge size as an asset by seeking to turn the B-52 into a “missile truck” capable of hauling dozens of cruise missiles and hypersonic missiles, both conventionally armed and nuclear-tipped, up into the skies. A similar future is envisioned for the Air Force’s B-1B Lancer fleet.
However, not all these tests have gone successfully: another test back in June of the Hypersonic Air-breathing Weapon Concept (HAWC) being developed by the Pentagon’s Defense Advanced Research Projects Agency (DARPA) saw the hypersonic weapon fall off the B-52 in mid-flight. That test, like this one, was flown out of Edwards Air Force Base.

USA deploys B-2 stealth bombers in the Indian Ocean

The deployment of the bombers comes as the Chinese People’s Liberation Army (PLA) is scheduled to hold naval manoeuvres in the waters off the Zhoushan Islands on 16-17 August, according to the country's Maritime Safety Administration.
US B-2 stealth bombers have arrived at the Naval Support Facility Diego Garcia located in the Indian Ocean after a 29-hour flight "to ensure a free and open Indo-Pacific", Pacific Air Forces announced on Wednesday in a press release.
The B-2s were dispatched from the 509th Bomb Wing at Whiteman Air Force Base in Missouri earlier this week to support Pacific Air Forces’ Bomber Task Force missions, the press release adds.
"We are excited to return to this important location. [Diego Garcia] puts the 'INDO' in INDOPACOM", the Pacific Air Forces quoted Lt. Col. Christopher Conant, BTF commander, as saying, "This Bomber Task Force is our National Defence Strategy in action. We are sharpening our lethality while strengthening relationships with key allies, partners, and our sister-service teammates. Despite a global pandemic, the Airmen of Whiteman Air Force Base and Air Force Global Strike Command stand ready to support INDOPACOM and the Department of Defence in achieving our nation’s strategic objectives".
The move comes as China intends to hold two military drills near Zhoushan, an archipelago some 550km north of Taiwan, according to China's Maritime Safety Administration.
The United States and China have been engaged in a spat over a wide range of issues, including the COVID-19 pandemic, Hong Kong's new security law, and territorial disputes in the South China Sea.
Tensions were further heightened after US Health and Human Services Secretary Alex Azar paid a visit to Taiwan, marking the highest-level visit by a US Cabinet official to the territory since 1979, when Washington switched its official recognition to Beijing and established formal diplomatic relations with the People's Republic of China.

General Smith Gihanga worried about the worsening security in Haut-Katanga

Appointed last July by the President of the Republic as head of the 22nd military region, General Smith Gihanga expressed concern about the precarious security situation in the province of Haut-Katanga, specifically in the city of Lubumbashi. He promised to put in place new strategies against the persistent insecurity in this region. This was on the occasion of his first meeting with the governor of Haut-Katanga, Jacques Kyabula.
"We met the governor, he gave us a grim picture of the situation prevailing in the province, in the city of Lubumbashi today. We are going to set up strategies to meet this challenge that awaits us", said General Smith Gihanga.
The new head of the 22nd military region took this opportunity to call on the population to trust the Armed Forces of the Democratic Republic of the Congo.
"It is up to the population to trust us, especially the new team which has just been appointed head of the 22nd military region. It is our constitutional mission, that of securing the population and their property, defending the integrity of our territory," he clarified.
The province of Haut-Katanga is going through a period of insecurity marked by urban banditry. Earlier this week, the residence of the opponent Moïse Katumbi was visited, as in several districts of the city of Lubumbashi, by unidentified armed men. Several voices including human rights organizations have denounced this security situation in this part of the country.

The Congolese Minister for Youth announced that a bill has been tabled compelling all state diploma holders to undergo 6 months of military training

A bill imposing 6 months of military training after the state diploma is already on the table, the National Minister of Youth announced during the International Youth Day celebration.

Wednesday, August 12, 2020

Threat hunting and detection on proxy web logs

Web proxies generate a common set of information that can be used for threat hunting and detection. This information includes:
Duration, HTTP Status, Bytes In, Bytes Out, Protocol, HTTP Method, HTTP Version, URL Category, URL Hostname, URL Path, URL Query, Mime Type, File Name, User Agent.
Below, I explain how we can use each of these fields to hunt for or detect threats.
Duration
This information shows how long the transaction has taken. Malware can communicate with its C2 server over the HTTP(S) protocol. When this is the case, it asks for commands periodically. This period doesn't have to be a constant value like every 10 minutes; malware can also add jitter to make the requests look random. Alternatively, malware can keep the connection open. In any case, it needs to either ask for commands very often or keep the connection open.
Technique
Calculate the sum of Duration per SourceIP-DestinationIP pair over 12/24 hours.
What to look for
Higher values may indicate beaconing. Keep in mind that not all beacons are malicious. That's why we are hunting.
Note : If you apply the same method to your public websites, you can detect web scraping or customer data scraping.
HTTP Status
Users visit websites, post something, sometimes upload some data, or download a file. In normal conditions, these transactions have an HTTP 200 result. When it comes to malware, it is possible to use HTTP error codes as a C2 channel. Also, most malware uses a DGA (domain generation algorithm) in order to keep the connection persistent if one of the domains is blocked. In such a case, the malware keeps getting HTTP errors and tries the next domain.
Technique
1. Calculate the total count of the HTTP Status Codes per SourceIP or per SourceIP-DestinationIP over a specific time period.
2. List URLs having only HTTP Errors.
What to look for
1. Higher values of an uncommon HTTP Status Code may indicate C2 activity.
2. Higher values of HTTP errors for a website can indicate failed C2 activity.
Bytes In
In normal conditions, when a user visits a website, downloads a file, etc., each transaction has a different size. On the other hand, malware visits the same page every time, so the downloaded content has the same size unless the attacker starts interacting with the victim machine.
Technique
1. Calculate the count of identical BytesIn values per Source-Destination pair over 12/24 hours. You have the best chance when the attackers sleep, as there is no interaction.
2. Calculate the ratio of count(BytesIn) per Source-Destination pair, i.e. the share of transactions sharing the same size. This compares attacker interaction against idle status.
What to look for
1. Higher values may indicate beaconing. C2 servers reply with the same data, making Bytes In value the same.
2. Higher values of ratio may indicate C2 beaconing.
Bytes Out
A normal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website.
Technique
1. Calculate the sum of BytesOut per Source-Destination pair over 12/24 hours.
2. Calculate the ratio of count(BytesOut) per Source-Destination pair over 12/24 hours.
What to look for
1. Higher values may indicate data exfiltration.
2. Higher values of ratio may indicate beaconing.
HTTP Method
In normal circumstances, a user's web traffic contains a large number of HTTP GET requests and a small number of HTTP POST requests. Other HTTP methods, such as HTTP PUT, are expected to be seen even less.
Technique
Calculate the ratio of the POST or PUT over GET per Source-Destination over 4/8/12/24 hours.
What to look for
Higher values of ratio may indicate beaconing or exfiltration.
URL Hostname
Usually, a user visits websites that are in the top 1M list. In some cases, an unpopular website can be visited by lots of users as well (think about 3rd parties having business with the company).
Technique
1. Compare with top 1M domains and calculate the hit count.
2. Calculate hit count per Hostname.
What to look for
1. A hit count below 5 for a hostname that is not in the top 1M may indicate malicious payload delivery.
2. Small number of hit count may indicate malicious payload delivery.
URL Path
When an attacker compromises a website and uses it as a C2 server, the malware most probably uses the same URL Path for C2 communication.
Technique
Calculate count per Source-Destination-URLPath pair.
What to look for
Higher values may indicate beaconing.
URL Query
URL query information is seen when you search for an item on a website. Malware does the same when asking the C2 server if there is anything to run on the victim machine. The query can be encoded/encrypted as well.
Technique
1. Calculate count per Source-Destination-URLQuery.
2. Calculate the length of URLQuery.
3. Look for base64 encoded strings in URLQuery.
What to look for
1. Higher values may indicate beaconing.
2. Higher values may indicate encoded data, a sign of exfiltration or beaconing.
3. Encoded strings may indicate beaconing or exfiltration.
Mime(Content) Type
Unfortunately, most web proxies fail to determine the exact type of content.
Technique
List mime type per Source-Destination pair.
What to look for
Uncommon mime types may indicate a malicious file.
User Agent
Normally, all applications have their own user agent information. Malware can try to mimic a legitimate application user agent but sometimes fail to do that with a small typo.
Technique
Calculate the count of each User Agent within the environment (long tail analysis).
What to look for
Lower values may indicate a malicious binary existence.
URL Category
In most environments, there are commonly blocked web categories like Hacking, Pornography, Dynamic DNS, etc. Uncategorized web sites are a pain and sometimes this category has to be allowed for the sake of business continuity.
Technique
Query for Uncategorized, Dynamic DNS, and other suspicious categories. Calculate the distinct count (dcount) of SourceAddress per URLHostname.
What to look for
Small dcount values may indicate abnormal/suspicious/malicious activity. If an uncategorized URL is visited by many users, it is less likely that the URL is malicious.
HTTP Version
There are four HTTP versions: HTTP/0.9, HTTP/1.0, HTTP/1.1, and HTTP/2.0. The current version is 1.1 and the future one will be 2.0.
Technique
Check HTTP versions
What to look for
HTTP/0.9 and HTTP/1.0 are old; their use may be an indication of malicious activity.
Protocol
Web proxies are able to determine the protocol by analyzing the traffic.
Technique
Compare ports with their standard protocols.
What to look for
Common Protocol-Uncommon Port or Common Port-Uncommon Protocol may indicate malicious traffic.
File Name
It's not always possible to properly log names of the files that are downloaded from the internet. If it's logged properly, file names can be used for hunting. Some malware droppers download randomly named files.
Technique
Entropy analysis on filenames.
What to look for
High-entropy (random-looking) file names may indicate malicious payload delivery.
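As an added example (not code from the original post), here is a small Python hunt over proxy log lines that implements the Duration, Bytes In and HTTP Method techniques above; the log format, field names, IP addresses and hostnames are all constructed for this example.

```python
"""Added example (not from the original post): a small hunt over proxy logs
implementing the Duration, Bytes In and HTTP Method techniques above.
The log format, field names, IPs and hostnames are all constructed."""
from collections import Counter, defaultdict

# Constructed sample. Fields: src_ip dst_host method status duration_ms bytes_in bytes_out user_agent
# 10.0.0.5 beacons to c2.example: many short hits, identical BytesIn, POST-heavy.
# 10.0.0.7 is ordinary browsing: few hits per host, varying sizes, mostly GET.
SAMPLE_LOG = """\
10.0.0.5 c2.example POST 200 30 512 144 Mozilla/5.0
10.0.0.5 c2.example POST 200 31 512 144 Mozilla/5.0
10.0.0.5 c2.example POST 200 29 512 144 Mozilla/5.0
10.0.0.5 c2.example GET 200 30 512 144 Mozilla/5.0
10.0.0.5 c2.example POST 200 30 512 144 Mozilla/5.0
10.0.0.5 c2.example POST 200 32 512 144 Mozilla/5.0
10.0.0.7 news.example.com GET 200 210 48213 420 Mozilla/5.0
10.0.0.7 news.example.com GET 200 95 9130 380 Mozilla/5.0
10.0.0.7 cdn.example.net GET 304 12 0 290 Mozilla/5.0
10.0.0.7 shop.example.org POST 200 150 3070 1220 Mozilla/5.0
10.0.0.7 shop.example.org GET 200 88 22010 400 Mozilla/5.0
"""

def parse(log):
    """One dict per transaction; the user agent is the last field and may contain spaces."""
    rows = []
    for line in log.splitlines():
        src, host, method, status, dur, b_in, b_out, ua = line.split(None, 7)
        rows.append({"src": src, "host": host, "method": method, "status": int(status),
                     "duration": int(dur), "bytes_in": int(b_in), "bytes_out": int(b_out), "ua": ua})
    return rows

def duration_sum(rows):
    """Duration technique: total Duration per SourceIP-DestinationIP pair."""
    total = Counter()
    for r in rows:
        total[(r["src"], r["host"])] += r["duration"]
    return total

def repeated_bytes_in_share(rows):
    """Bytes In technique: fraction of a pair's transactions that share the most
    common BytesIn value (1.0 means every reply had exactly the same size)."""
    sizes = defaultdict(Counter)
    for r in rows:
        sizes[(r["src"], r["host"])][r["bytes_in"]] += 1
    return {pair: max(c.values()) / sum(c.values()) for pair, c in sizes.items()}

def post_get_ratio(rows):
    """HTTP Method technique: (POST + PUT) over GET per pair; a pair with no GET
    at all keeps its raw POST + PUT count as the ratio."""
    methods = defaultdict(Counter)
    for r in rows:
        methods[(r["src"], r["host"])][r["method"]] += 1
    ratio = {}
    for pair, c in methods.items():
        uploads = c["POST"] + c["PUT"]
        ratio[pair] = uploads / c["GET"] if c["GET"] else float(uploads)
    return ratio

def hunt(rows, min_hits=5, repeat_threshold=0.8, post_threshold=1.0):
    """Flag pairs with enough hits whose replies are suspiciously uniform or whose
    traffic is upload-heavy. Thresholds are starting points: CDN checks and API
    polling will show up here too, which is exactly why this is hunting."""
    hits = Counter((r["src"], r["host"]) for r in rows)
    dur, rep, pg = duration_sum(rows), repeated_bytes_in_share(rows), post_get_ratio(rows)
    flagged = []
    for pair, n in hits.items():
        if n < min_hits:
            continue  # too few transactions to judge uniformity
        if rep[pair] >= repeat_threshold or pg[pair] > post_threshold:
            flagged.append({"src": pair[0], "host": pair[1], "hits": n, "duration": dur[pair],
                            "repeat_share": round(rep[pair], 2), "post_get_ratio": round(pg[pair], 2)})
    return sorted(flagged, key=lambda f: f["hits"], reverse=True)
```

Run `hunt(parse(SAMPLE_LOG))` to see only the 10.0.0.5 to c2.example pair flagged; the browsing pairs fall below `min_hits` or show varied sizes.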



Hope this guide will help you.

Uganda Communications Commission (UCC), through the Rural Communications Development Fund (RCDF), has launched a Wi-Fi hotspot project covering five border posts across the country, the Bunagana border included

The project, to be implemented by Blue Crane Communications Limited, an Internet Service Provider, will provide broadband services at the five border posts of Mutukula (Kyotera); Vurra (Arua); Malaba (Tororo); Elegu (Amuru); Bunagana (Kisoro).
Launching the project at the UCC head office on Wednesday, UCC Ag. Executive Director Irene Kaggwa Sewankambo, who was flanked by the Director RCDF Nyombi Thembo, said the project aims to provide connectivity in transit areas to facilitate business and support the fight against COVID-19.
Mr George Waigumbulizi, a Director at Blue Crane, said his company would deliver a bandwidth capacity of 5Mbps per user at the selected sites.
Being in line with the RCDF Phase III Guidelines that prioritise broadband connectivity and access, the Wi-Fi hotspot project will enable the public in the beneficiary areas to access free and reliable internet connectivity.
This intervention is also informed by the National Broadband Policy, which seeks to promote broadband coverage across the country. The policy defines broadband for Uganda as robust connectivity that is affordable, reliable and delivers a minimum of 5Mbps to the user for applications, content and services.
In targeting border towns, UCC/RCDF recognised that people in transit areas have unique communication needs that can be addressed through access to public Wi-Fi hotspots as long as they own a Wi-Fi capable device. Wi-Fi in such locations is even more suitable and convenient because it doesn’t require a SIM card or existence of a subscription relationship with a service provider.
Through this project, the Commission will also be able to contribute to the fight against COVID-19 by addressing the communication needs of people transiting through the said border posts, some of which have been identified by the Ministry of Health as hotspots in the fight against the pandemic.
By providing free broadband service, it is believed that the experience will spur market demand among the local user population, and eventually drive uptake of broadband services in these areas.
The project also aims to increase the number of ICT devices such as computers and smartphones in the area, as well as encourage digital literacy, thereby reducing the digital divide.
Besides improved social services, the selected areas are expected to experience the ease of doing business through e-commerce and e-government services, thus contributing to social-economic transformation.

As written by UCC

1,502 displaced Congolese helplessly stranded in Kalungu after fleeing clashes in Rutare and Muko

A total of 1,502 displaced people who fled the clashes in Rutare and Muko are unassisted and stranded in the town of Kalungu in the Kalehe territory in South Kivu.

According to Hakizimana Bwira Moïse, spokesperson for these displaced persons, they do not have food and sick children do not have access to health care.

"More than 500 displaced people have come from Rutare and others from Muko to Masisi in North Kivu. The lives of all these displaced people are in danger. They have no food, children are caught hand in the bag in the fields and patients do not even have medicines," he said on Wednesday.

He calls on the authorities and humanitarian organizations to provide assistance to these displaced people in order to save their lives.

It should be remembered that clashes between armed groups are recurrent in the territory of Kalehe and in the surrounding entities.

North Kivu records the highest number of new COVID19 cases for the third time in less than a fortnight

Out of 462 samples tested on Tuesday, the multisectoral committee to fight the coronavirus pandemic confirmed 39 new cases, including 26 in North Kivu, 7 in Kinshasa, 3 in Kongo Central, 2 in Haut-Uélé and 1 in Nord-Ubangi.

There were no new deaths among the confirmed cases. 46 more people were discharged from COVID-19 treatment centres or from follow-up at home, including 25 in Kinshasa and 21 in other provinces.

Since the start of the epidemic declared on March 10, 2020, the cumulative number of cases is 9,538, including 9,537 confirmed cases and 1 probable case. In total, there were 225 deaths (224 confirmed cases and 1 probable case) and 8,421 people cured.

The 17 affected provinces are Kinshasa 7,780 cases; North Kivu 472 cases; Kongo Central 424 cases; Haut-Katanga 314 cases; South Kivu 295 cases; Lualaba 88 cases; Ituri 73 cases; Haut-Uélé 39 cases; Tshopo 26 cases; Kwilu 6 cases; Nord-Ubangi 6 cases; Ecuador 5 cases; Sud-Ubangi 5 cases; Haut-Lomami 1 case; Kasai 1 case; Kasaï Central 1 case and Kwango 1 case.

Network forensics and IOC

"Indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software." (Wikipedia)
Hello w0rld! In this post I am planning to do a brief introduction into network forensics and how network monitoring can be used to identify successful attacks. Network monitoring is essential in order to identify reconnaissance activities such as port scans but also for identifying successful attacks such as planted malware (such as ransomware) or spear-phishing. Generally when doing network forensics the network footprint is of significant importance since it allows us to replicate the timeline of events. With that said, network footprint can still be obscured/hidden by using cryptographic means such as point-2-point encryption. Even if you can’t see the actual traffic because it is encrypted, what you can see is the bandwidth load which might be an IoC.
In incident response the first step is realising that an attack has taken place at all. If the attack is not realized then of course there is no ‘incident response’ (doh!). There is a list of things that the analyst should go over in order to try to identify whether an attack was successful. The list is not definitive and there are far more things that need to be checked than those discussed here.
Whether an attack is targeted or non-targeted, if it is utilizing the Internet connection in any way it will leave network footprints behind. In targeted attacks we see things like spear-phishing and USB planting that quite often target susceptible individuals with a lack of security awareness. Non-targeted attacks might include attack vectors such as malware, ransomware, malicious JavaScript, Flash exploits, etc. This is not exhaustive, since Flash exploits and malicious JavaScript can also be used in a targeted fashion.
Looking at the Indicators of Compromise (IoC), we can briefly characterise each attack vector by the network footprint it leaves behind:
  • IP addresses
  • domain names
  • DNS resolve requests/response
  • downloadable malicious content (javascripts, flash, PDF files with embedded scripts, DOCX with Macros enabled)
There are also indicators coming out of behavioural analysis. For example a malware which contacts a Command & Control server will ‘beacon’ in a (usually) timely fashion. This ‘beaconing’ behaviour can be identified by monitoring spikes of specific traffic or the bandwidth utilisation of a host. Moreover it can be spotted by monitoring out-of-hours behaviour, since a host shouldn’t send data except of type X (which is legit) or shouldn’t be sending any data at all.
Ransomware will encrypt all accessible filesystems/mounted drives and will ask (guess what!?) for money! Most likely it will be downloaded somehow or will be dropped by exploit kits or other malware. Sometimes it is delivered through email attachments (if the mail administrator has no clue!). As a stand-alone ‘version’ ransomware comes in portable executable (PE file) format. However variants of Cryptolocker employ even PowerShell for doing so. In order to detect them we need a way to extract the files from the network dump. There are a couple of tools that do this, such as foremost, but it is also possible to do it ‘manually’ through Wireshark by exporting the objects. This assumes that the file transfer happened through an unencrypted channel and not under SSL.
Malware might serve many different purposes such as stealing data, utilizing bandwidth for DDoS, or being used as a ‘dropper’ through which ransomware is pushed. One of the more concerning is turning a compromised host into a zombie computer. Fast flux malware has numerous IPs associated with a single FQDN whereas domain flux malware has multiple FQDNs per single IP. The latter is not ideal for malware authors since this IP will be easily identified and its traffic dropped (a bit more about ‘sinkhole’ in the next paragraph!).
Assuming that we are after a fast flux malware that uses a C&C, then there are ways to locate the malware by looking for beaconing. Quite often these malware make use of DGAs (Domain Generation Algorithms), which basically hide the C&C IP behind a series of different domain names. Malware that uses a DGA is actively avoiding the ‘sinkhole’, the mechanism that allows ISPs to identify the malicious IP (C&C) and ‘blackhole’ its traffic, shunning the communication of the infected system with it.
An infected host will attempt to resolve (through DNS) a series of domain names produced by the DGA. This behaviour will lead to lots of ‘Non-Existent’ (NX) responses from the name server back to the infected machine. Monitoring the number of NX responses might help us identify infected systems. Moreover, monitoring the DNS queries themselves should also help.
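The NX-response monitoring described above, as an added Python example that is not part of the original post; it also goes one step beyond the text by scoring how random-looking the failed names are with a character-entropy measure. The resolver log format, client IPs and domain names are all constructed.

```python
"""Added example (not from the original post): spotting DGA-style lookups by
counting NXDOMAIN responses per client, as the text describes, plus a
character-entropy score on the failed names. All log lines are constructed."""
import math
from collections import Counter, defaultdict

# Constructed resolver log. Fields: client_ip qname rcode
# 10.0.0.5 walks a list of random-looking names and mostly gets NXDOMAIN;
# 10.0.0.7 does normal lookups with one typo.
SAMPLE_DNS = """\
10.0.0.5 xk3qv9zplm2w.com NXDOMAIN
10.0.0.5 b7tq0sdf1hjk.net NXDOMAIN
10.0.0.5 wq8zm4kxj2pv.org NXDOMAIN
10.0.0.5 r5yh2nvb9cxt.com NXDOMAIN
10.0.0.5 mk2pz8qwv4rx.info NXDOMAIN
10.0.0.5 a0f9kx2qzm7v.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.7 wwww.example.com NXDOMAIN
10.0.0.7 cdn.example.net NOERROR
"""

def parse(log):
    """One dict per response line."""
    return [dict(zip(("client", "qname", "rcode"), line.split())) for line in log.splitlines()]

def nx_counts(rows):
    """Number of NXDOMAIN responses per client, the signal the text describes."""
    return Counter(r["client"] for r in rows if r["rcode"] == "NXDOMAIN")

def second_level_label(qname):
    """'xk3qv9.com' -> 'xk3qv9', 'www.example.com' -> 'example'."""
    parts = qname.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def entropy(s):
    """Shannon entropy in bits per character; higher means more random-looking."""
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values()) if n else 0.0

def mean_nx_entropy(rows):
    """Mean entropy of the second-level label of each client's NXDOMAIN-answered names."""
    per = defaultdict(list)
    for r in rows:
        if r["rcode"] == "NXDOMAIN":
            per[r["client"]].append(entropy(second_level_label(r["qname"])))
    return {client: sum(v) / len(v) for client, v in per.items()}

def suspects(rows, min_nx=3, min_entropy=3.0):
    """Clients with many NXDOMAINs for random-looking names. A single typo or a
    misconfigured search domain will not cross both thresholds."""
    nx, ent = nx_counts(rows), mean_nx_entropy(rows)
    return sorted(c for c in nx if nx[c] >= min_nx and ent[c] >= min_entropy)
```

`suspects(parse(SAMPLE_DNS))` returns only the client that both fails many lookups and asks for high-entropy names; the typo from 10.0.0.7 stays below both thresholds.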