REDXRAY WARNING & TRIAGE REPORT AUTOMOTIVE GROUP

3631331977?profile=RESIZE_710xRedXray is cyber threat notification service that simplifies monitoring for organizations and supply chains.  This document summarizes threats reported by Wapack Labs’ RedXray for a USA New England automotive group and their associated dealerships.  Wapack Labs observed hits in most collections throughout the past 3 years.  The most recent data set is in our breach data collections and being reported.

Our raw data may be provided in a companion .CSV files.

RECENT DATA (< 6 MONTHS AGO):

Details

RedXray “hits” are derived from primary sourced intelligence collections and take inputs from customer infrastructure, such as domains and IPs.  The following is example of the RedXray dashboard displaying threats for domains, networks, and companies associated with the auto group.

3631326334?profile=RESIZE_710xRedXray focuses on four general categories: Malware Infections, Data breaches, Malicious emails, and Phishing.  The following are examples with context and general mitigations.

Malware infections

RedXray can identify possible malware installation using either our botnet tracker collection, sinkhole traffic collection, or keylogger collection.  In many cases, it can also identify the malware protocol resulting in high confidence hits.  Regarding our New England dealer group example, there is no <6 month related keylogger data in our collections, yet keylogger infiltration to an auto dealership is a grave matter.

What does this mean?

If keylogger related activity is discovered, the traffic may be the result of a captured weblog or clipboard data captured by a keylogger.  All traffic should first be inspected before escalating to incident responders.  Wapack Labs can help with support.

3631327201?profile=RESIZE_710x

Data breaches & leakage

These indicators include any sensitive data that has been compromised whether as a result of malware infection or a 3rd party database breach.  Breach data can come from several other sources on the deep and dark webs.   The following is example of breach data captured for the company:

What does this mean?

Depending on the nature of the leaked database, exposed information may vary from just email addresses, to username and password combinations and other personally identifiable information (PII).   RedXray contains the raw breach data so a dealership can easily view what type of data has been exposed.  If the breach data contains passwords, then Wapack Labs recommends enforcing a password reset and investigating whether there has been unauthorized access of the account. Passwords are redacted here for privacy but are available for verification in the profile.

HISTORICAL DATA (> 6 MONTHS AGO):

Malicious Emails

It is good to be aware of malicious email campaigns targeting your organization because it serves as an early warning.   If your domain or IP address shows up in this collection, then it was observed in the header of an email that has been identified as malicious (1 or more Antivirus detection).

One of the Hyundai dealerships in our example group, is using a mail server (173.x.x.x) which was targeted in 2017 with TSPY_LIMITA.AUSIF.  The malware is spyware that arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.[1]

3631328175?profile=RESIZE_710xFigure 3 - Malicious Email Targeting Hyundai Mail Server IP

One IP (165.x.x.x), identified as a mail server for the group, was targeted with the same malware around the same time.  There are malicious emails linked to other company IP’s, but none more recent than 2017.

 3631328510?profile=RESIZE_710x

Figure 4 - Trojan Email Sample Targeting Mail Server

Below is an example of one of these attacks:

What does this mean?

The raw email should be inspected to see whether it was sent to/from your organization, or if it was spoofed using the monitored organization’s data.  It should be noted that some AV vendors classify emails as malicious when they are actually benign.  All malicious emails hits only indicate targeting, not malware infections or data-loss.

Pastebin

Pastebin is a site used by bad actors to post data, which may be sensitive, for others to view it freely. Oftentimes the group Anonymous will use Pastebin to list targets for the group’s members to attack.


The following hit in RedXray shows a Pastebin post containing IP’s used by this auto group:

3631329661?profile=RESIZE_710xAlthough the target in this specific Pastebin post example are targeting “The Illuminati,” the auto group is sharing a mail server with the target; therefore the IP provides services to both targeted groups.  In other words, they may see collateral damage on their networks/hosts as a result of attacks targeting other companies/groups sharing the same mail server.

Pastebin posts from Anonymous’ “#OPIsrael” and “#OPkilluminatie” both include mail server IP addresses used by the auto group.

What does this mean?

A Pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each Pastebin hit must be individually analyzed to determine context.

Conclusion

Wapack Labs strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks.  Wapack Labs can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Wapack Labs is located in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-603-606-1246, or feedback@wapacklabs.com   

 

Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en

[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_limita.ausif

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Resources

 

CASE STUDIES