Rc4 Stream Cipher And Its Variants Pdf File

Intrusions Affecting Multiple Victims Across Multiple Sectors

Risk Evaluation. NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level: Yellow (Medium). A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details. While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers. To achieve operational efficiencies and effectiveness, many IT service providers leverage common core infrastructure that should be logically isolated to support multiple clients. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network. Figure 1: Structure of a traditional business network and an IT service provider network.

Technical Analysis. The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures (TTPs). The actors use malware implants to acquire legitimate credentials, then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators' credentials to access trusted domains, as well as the malicious use of certificates. Additionally, the adversary makes heavy use of PowerShell and the open-source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

For a stream cipher to be secure, its keystream must have a large period and it must be impossible to recover the cipher's key or internal state from the keystream.
Command and Control (C2) primarily occurs using RC4-cipher communications over port 443 to the observed domains and IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity. Listings of observed domains are found in this document's associated STIX package. The indicators should be used to observe potential malicious activity on your network.

User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory, with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and REDLEAVES. Although the observed malware is based on existing malware code, the actors have modified it to improve effectiveness and avoid detection by existing signatures.

Both REDLEAVES and PLUGX have been observed being executed on systems via dynamic link library (DLL) side-loading. The DLL side-loading technique utilized by these malware families typically involves three files: a non-malicious executable, a malicious DLL loader, and an encoded payload file. The malicious DLL is named as one of the DLLs that the executable would normally load and is responsible for decoding and executing the payload into memory.

REDLEAVES Malware.
In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is a stream cipher, remarkable for its simplicity and speed. REDLEAVES network traffic has two 12-byte fixed-length headers in front of each RC4-encrypted compressed payload.

The most unique implant observed in this campaign is the REDLEAVES malware. The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.

Capabilities.

System Enumeration. The implant is capable of enumerating the following information about the victim system and passing it back to the C2: system name, system architecture, IP address, and primary drive storage utilization.

Command Execution. The implant can execute a command directly inside a command shell using native Windows functionality by passing the command to run to cmd.

Command Window Generation. The implant can also execute commands via a remote shell that is generated and passed through a named pipe. A command window is piped back to the C2 over the network as a remote shell, or alternatively to another process or thread that can communicate with that pipe. The implant uses the mutex RedLeavesCMDSimulatorMutex.

File System Enumeration. The implant has the ability to enumerate data within a specified directory, where it gathers filenames, last file write times, and file sizes.

Network Traffic Compression and Encryption. The implant uses a form of LZO compression to compress data that is sent to its C2.
After compression, the data for this implant sample is then RC4-ciphered with the key 0x. A6. F6. 86. E3. 13.

Network Communications. REDLEAVES connects to the C2 over TCP port 443 using the API function InternetOpenUrlW. The data is not encrypted and there is no SSL handshake as would normally occur with port 443 traffic; instead, the data is transmitted in the form produced by the RC4 cipher. Current REDLEAVES samples that have been examined have a hard-coded C2. Inside the implant's configuration block in memory were the strings in Table 1.

Table 1: REDLEAVES Sample Strings Found in C2.
QN4869MD: mutex used to determine if the implant is already running; varies from sample to sample.
INCO: unknown.
windir.
RC4 key.

While the name of the initial mutex, QN4869MD in this sample, varies among REDLEAVES samples, the RedLeavesCMDSimulatorMutex mutex name appears to be consistent. Table 2 contains a sample of the implant communications to the windowsupdates domain over TCP port 443.

Table 2: REDLEAVES Sample Beacon.

REDLEAVES network traffic has two 12-byte fixed-length headers in front of each RC4-encrypted compressed payload. The first header comes in its own packet, with the second header and the payload following in a separate packet within the same TCP stream. The last four bytes of the first header contain the number of remaining bytes in little-endian format. The second header, starting at position 0x0C, is XORed with the first four bytes of the key that is used to encrypt the payload. In the case of this sample, those first four bytes would be "john", or 0x6a6f686e in ASCII hex. After the XOR operation, the bytes in positions 0x0C through 0x0F contain the length of the decrypted and decompressed payload. The bytes of the header that follow, after the same XOR, contain the length of the encrypted and compressed payload.

To demonstrate, in the sample beacon the second header follows the first. The length of the decrypted and decompressed payload is the stored value XORed with 0x6a6f686e, and the length of the encrypted and compressed payload is likewise the stored value XORed with 0x6a6f686e. This is verified by referring back to the sample beacon, whose first header carries the number of remaining bytes.

Strings. Note: Use caution when searching based on strings, as common strings may cause a large number of false positives.

Table 3: Strings Appearing in the Analyzed Sample of REDLEAVES.
Unique ASCII strings: redautumnalleavesdllmain, INCOjohn1234, Feb 04 2015.
Unique Unicode strings: RedLeavesCMDSimulatorMutex, QN4869MD, NamePipeMore, Windowsnetwork.

Malware Execution Analysis.
File name: VeetlePlayer.exe. MD5: 9d. File size: 2. 57. KB. Description: this is the executable that calls the exports located within libvlc.
File name: libvlc. MD5: 9. A8. C7. 62. D9. 7A2. 32. 97. 4CA0. A6. A3. File size: 3.
Basic Ethernet at 1. Mbitsec. Ethernet running at 1. Mbitsec. Ethernet running at 1,0. Mbitsec. QAM with 7 bits per symbol. QAM with 4 bits per symbol. First Generation. Refers to analogcellular systems. A cdma. 20. 00 notation that indicates that one carrier is being used. Compare with 3x. See Ev. DOSee EVDVcdma. 20. Mcps. The theoretical top speed is 1. Second Generation. Refers to digital cellular and PCS wireless systems oriented to voice and low speed data services. Receive, Reshape an optical signal. See 3. RQAM with 5 bits per symbol. Third Generation. Refers to the next generation of wireless systems digital with high speed data. Being standardized by 3. GPP and 3. GPP2. 3G Internet Appliance. Generation Partnership Project for W CDMA GSM3rd Generation Partnership Project for cdma. G Service Provider. Reshaping, Retiming, Reamplifying an optical signal. See 2. RThree Way Call. A cdma. 20. 00 notation that indicates that three carriers are being used. Compare with 1x. Not widely implemented. Although this allows higher maximum speeds, the average speed per user will not change significantlycdma. Mcps.
Fourth generation All IP wireless system that will probably be based on OFDM to provide downlink rates of 1. Mbps to 1 Gbps and uplink rates of 1 1. Mbps. QAM with 6 bits per symbol. An IEEE committee that standardizes a wireless Ethernet replacement technology in the ISM band. Mbps in the 2. 4. GHz band. 8. 02. 1. Mbps in the 5 GHz band. Mbps in the same band as 8. A Wi. Fi. WLAN variant that is higher speed 5. Mbps than 8. 02. Because it also operates in a different frequency band it has proven less popular than 8. The range of this protocol is also lower and the LOS requirements more stringent. See ADRCIEEE Wireless LAN system providing throughput of about 1. Mbps but see ADRCAn IEEE standard for network interoperability between WLAN protocols. An IEEE standard for operation of their WLAN protocols outside the normal frequency bands e. An IEEE standard for Qo. S in their WLAN protocols 8. An IEEE standard for interconnection between wireless APs. A second generation version of Wi. Fi providing 5. 4 Mbps raw throughput typically a user data rate of about half that in the same 2. GHz frequency band as 8. This gave it an advantage over 8. An IEEE standard for spectrum and transmit power management for their WLAN protocols. Enhanced security for IEEEWLAN protocols. An adaptation of 8. WLAN protocols to the Japanese 4. GHz frequency band. A proposed IEEE standard for RRMA group for editorial maintenance of IEEE8. WLAN standards. A future IEEEWLAN protocol that promises raw data rates of 5. Mbps in either the 2. GHz or 5 GHz band and thus will likely eventually replace 8. The protocol is scheduled for completion in 2. See EWCA proposed IEEE standard for ITS. Also known as WAVEA proposed IEEE standard for handoff between APs. A proposed IEEE standard for mesh networking. A proposed test specification for IEEEWLAN standards. A proposed standard for authorization of users on IEEEWLANs. A proposed wireless network management standard for IEEEWLAN protocols. 
A proposed standard for the protection of system management information in IEEEWLAN protocols. A proposed standard for operation of IEEEWLAN protocols in the 3. GHz frequency band. See Bluetooth. IEEEWi. Max radio interface. An IEEEgroup studying MBWAIEEE standard for Ethernet. PSK with 8 states, allowing the coding of 8 bit combinations. It is used in EDGE. QAM with 3 bits per symbol. The ES service code in many parts of the United States, Canada and a few other countries. A An IP host address. Interface between BSC and MSC. Interface between BTS and BSCAssisted GPS. Network provides information to mobile device to acquire satellite signals and may assist with processing of received data. Interface between the MSC and BSThe primary CAVE authentication key, used to generate SSDAnalogDigital. Usually used in the context of conversion from analog to digital or vice versaGSM authentication algorithm. GSM data encryption algorithm. A stream cipher for the encryption of 1. GSM bursts e. g. Intended to be stronger than A52 it has a number of serious flaws. A deliberately weakened stream cipher for the encryption of 1. GSM bursts e. g. The stronger version is A51. An encryption algorithm for GSM and EDGEGSM voice encryption algorithm. Used to generate Kc. Authentication, Authorization and Accounting entity. See RADIUS and Diameter. AAL Adaptation Layer. Active Antenna Systems. Augmented BNF. Defined in RFC2. Average bit rate. Alternate Billing Service. Authentication Centre. Stores information for authenticating mobiles, and encrypting their voice and data transmissions. Analog Control Channel. See FSKAsynchronous Control Character Map. Access Overload Class. CDMA Access Control by Call Type. Automatic Call Distributor. Distributes incoming calls to one of a number of people equally able to handle them e. Adaptive CELPAlgebraic CELPAuthentication Control Function. Automatic Code Gapping. A method of shedding load in telecommunications systems. Access Channel. 
Acknowledgement signal. Adjacent Channel Leakage Ratio. The ratio of the on channel transmit power to the power measured in one of the adjacent channels. An important W CDMA parameter. SS7. ISUP Address Complete message. Response to IAMAdjacent Channel Power. Authorization Call Routing Equipment. Used for routing calls to cellular phones with a cordless mode. Abbreviated Dialing. Architecture Document. Advertising Agent. Provides information to a MS on the services provided by a 3. G network. Application Data Delivery Service. See SMSApplication DF. Interference from signals at slightly different frequencies. Indicates that the data in an EF on a SIM, USIM or R UIM card can only be read or modified when the card is being provisioned by the operator including OTA. See ALW, CHV1, CHV2, NEV. Abbreviated Dialing Numbers. Adaptive Differential PCMAggregate Data Rate Caveat. A warning that most wireless data rates are aggregate, meaning that all users share the bandwidth, and often they are raw rates higher than the actual user throughput could ever be even on an unloaded system.

© 2017