3710099047?profile=RESIZE_710xSummary

RedXray is a cyber threat notification service that simplifies cybersecurity monitoring for organizations and supply chains.  This document summarizes threats reported by Red Sky Alliance’s RedXray for an Automotive Group based in the United Kingdom over the past three years.  In this timeframe, data from multiple collection indices was observed.  This is a clear example of an auto dealership being targeted with malware. 

Raw data is also available in companion .CSV files.

Details

RedXray “hits” are derived from primary sourced intelligence collections and take inputs from customer infrastructure, such as domains and IPs.  The following is an example of the RedXray dashboard displaying threats for domains, networks and companies associated with the UK-based automotive company.

3710056997?profile=RESIZE_710x

RedXray focuses on four general categories: Malware Infections, Data breaches, Malicious emails, and Phishing.  The following are examples for the unnamed automotive group with context and general mitigations.  

 

RECENT DATA (< 6 MONTHS AGO):

Data breaches & leakage

This includes any sensitive data that has been compromised whether as a result of malware infection or a 3rd party database breach.  Breach data can come from a number of other sources on the deep and dark webs.  The following are examples of breach data captured for the unnamed automotive group:

3710066327?profile=RESIZE_710x

What does this mean?

Depending on the nature of the leaked database, exposed information may vary from just email addresses, to username and password combinations and other personally identifiable information (PII).   RedXray contains the raw breach data so you can easily view what type of data has been exposed.  If the breach data contains passwords, then Red Sky Alliance recommends enforcing a password reset and investigating whether there has been unauthorized access of the account. In this case, email addresses and passwords are included in the breach data but redacted above for privacy.

 

HISTORICAL DATA (> 6 MONTHS AGO):

Malware infections

RedXray can identify possible malware installation using either our botnet tracker collection, sinkhole_traffic collection, or keylogger collection.  In many cases, it can also identify the malware protocol resulting in high confidence hits.  The following shows a keylogged login portal in which an email address associated with the UK-based automotive company logged into in May of 2015:

3710074004?profile=RESIZE_710x

What does this mean?

If your IP address or domain is found in botnet tracker, it means that it was seen in a communication with a malicious endpoint.  This does not automatically indicate a malware infection as there are a number of reasons why two IP addresses might communicate.  For keylogger related activity, the traffic may be the result of a captured weblog or clipboard data captured by a keylogger. In this case, it appears an employee of the automotive group visited a web portal login page designed to record the keystrokes of its visitors. For this type of instance, all traffic should first be inspected before escalating to incident responders. Red Sky Alliance can help with support.

 

Malicious Emails

It is good to be aware of malicious email campaigns targeting your organization because it serves as an early warning. If your domain or IP address shows up in this collection, then it was observed in the header of an email that has been identified as malicious (1 or more AntiVirus detection). The following are examples of email accounts associated with the UK-based automotive company being directly targeted by emails with malicious attachments. 

3710084361?profile=RESIZE_710x

What does this mean?

It should be noted that some AV vendors classify emails as malicious when they are benign.  All malicious emails hits only indicate targeting, not malware infections or data-loss. The above image shows the UK-based automotive company’s email addresses who previously received malicious emails. However, this does not directly indicate that malware infections have taken place, but that multiple company associated email addresses were targeted and have received emails with malicious attachments.

 

Pastebin

Pastebin is a site used by bad actors to post data, which may be sensitive, for others to view it freely. Oftentimes the hacking group Anonymous will use Pastebin to list targets for the group’s members to attack. The following are examples of Pastebin hits in which email users connected to the UK-based automotive company were mentioned.

3710088676?profile=RESIZE_710x

What does this mean?

A Pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each Pastebin hit must be individually analyzed to determine context.

 

Phishing

Phishing attacks are responsible for a large amount of compromised credentials.  Our Threat-Recon collection aggregates phishing data and we allow searching of keywords in this data set in order to identify both targeted phishing attacks and spoofed URLs.  RedXray does not show phishing hits for the UK-based automotive group at this time.

 

What does this mean?

If you receive a phishing hit (ThreatRecon) in RedXray then the first step is to first identify if the phishing campaign is targeting an organizational account or targeting the organizations customers.  Red Sky Alliance can assist in providing context to these hits.

 

Conclusion

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is located in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at  (888)-(RED)-(XRAY) or (888)-733-9729, or email feedback@wapacklabs.com    

Website: https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter: https://twitter.com/wapacklabs?lang=en

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Resources

 

CASE STUDIES