X-Industry

All Articles (167)

3049916660?profile=RESIZE_710xSUMMARY

Russian President Vladimir Putin and Chinese President Xi Jinping have met twice already in 2019 for summits on economic cooperation.  A series of agreements has been concluded at these meetings, mostly focused on Russian cooperation on China’s Belt and Road infrastructure construction. Putin had initially been hesitant to join in these…

Beginning in April 2019, Wapack Labs SOC observed an uptick in alerts for inbound PHP exploit attempts affecting multiple clients. These alerts indicate attacks on vulnerable systems through the use of malicious PHP code in HTTP requests. If these attacks are successful, they can result in data exfiltration as well as remote control of victim servers.

Apple IDs are a popular target for hackers because they can enable theft of financial data and other personally identifiable information (PII). These are often obtained through phishing campaigns intended to trick users into entering their personal data. In June 2019, Wapack Labs identified one such campaign that is leveraging a large infrastructure and a phishing kit dubbed ‘Allantibots’. Allantibots is a sophisticated phishing package and is characterized by its ability to spoof the Apple…

2743271172?profile=RESIZE_710xThe Cyberspace Administration of China (CAC) issued a new draft cybersecurity regulation on 21 May 2019.  This draft is a planned extension of the Cybersecurity Law issued in 2017 that placed greater restrictions on foreign firms operating in China.  The new regulation creates the requirement for review of imported network equipment to determine…

2649401126?profile=RESIZE_710x

Mirai is a self-propagating malware that infects networked devices and turns them into remotely controlled bots.  Targets include devices in the Internet of Things (IoT) such as IP cameras and home routers and access is achieved with either software exploits or via authentication with factory default credentials. Mirai is frequently updated to…

 

On 1 May 2019, Russian President Vladimir Putin signed “Internet sovereignty” bill.  New requirements to use ISPs to track traffic origin will likely force traffic decryption and support of internal censorship efforts.  In the future, Russia will develop its own DNS system to conduct special Internet controls.  Currently, LinkedIn is banned in Russia.  Russian national payment system, Mir, was developed after several Russian banks were denied services by US-based Visa and…

Beware of Evil Clippy! Evil Clippy (EC) is a malicious tool that modifies Microsoft Office documents at the file format level. EC generates malicious versions of documents that are able to evade antivirus engines that use static analysis and manual inspection of macro scripts for detection. EC does this by taking advantage of undocumented features, unclear specifications, and deviations from intended implementations.

2405230492?profile=RESIZE_180x180Research Overview

Background: The detonation of a nuclear weapon at high altitude or in space (~30 km or more above the earth’s surface) can generate an intense electromagnetic pulse (EMP) referred to as a high-altitude EMP or HEMP. HEMP can propagate to the earth and impact various ground-based technological…

RDPwrap is a very popular open source third-party Windows Remote Desktop Protocol (RDP) tool offered by Stas’M’Corp from Moscow, Russia. Wapack Labs discovered that RDPWrap creates a local Denial-of-Service (DoS) vulnerability on Windows 10 systems, which could allow an attacker on the system to terminate users RDP sessions. By allowing the attacker to terminate RDP sessions without warning, it is particularly dangerous if the attacker notices an administrator on the system via RDP;and does…

Remote Desktop Protocol (RDP) Inception is a popular RDP attack that is used to laterally infect computers on a network. RDP is a popular method for Windows Systems Administrators to remotely access systems they manage. As a result, it has become a frequent target for attackers. This report provides technical details on the RDP inception attack.

IR-19-060-002…

A Windows Remote Desktop Protocol (RDP) Man-in-The-Middle (MiTM) attack occurs when an attacker has positioned themselves to be on the same subnet as the victim; and proceeds intercepting/tampering with the victims RDP session traffic. Windows RDP servers offer some security mechanisms against MiTM attacks on clients, such as Enhanced TLS and Credential Security Support Provider (CredSSP) protocol, but adversaries can easily bypass these features.…

Remote Desktop Protocol (RDP) serves as an entry point for an attacker that desires to move laterally throughout an organization via RDP session hijacking. In order to persist and consistently be able to access the compromised RDP account an attacker must place a backdoor on the system. Attackers use binary replacement and registry debugger methods to backdoor RDP and other popular Windows accessibility services: osk.exe, Magnify.exe, Narrorator.exe, DisplaySwitch.exe, AtBroker.exe. Sticky…

2271211259?profile=RESIZE_710xThe People’s Republic of China has claimed the whole of the South China Sea as its sovereign territory ever since coming to power in 1949.  However, several other countries have historical claims over some of the islands, and the Law of the Sea Treaty gives several of these countries rights to economic zones that overlap with Chinese claims. …

During the time frame 26 March 2019 until 18 April 2019, leaker Lab_Dookhtegan dumped information, photos, and source code allegedly belonging to APT34 / OilRig via their Telegram messenger channel.  The leak highlights Iran’s heavy use of ASP web shells on compromised exchange servers to launch attacks and exfiltration via DNS.  Several tools from APT34 / OilRig were released (high confidence): PoisonFrog, base.aspx, webmask_dns, FoxPanel222 nodeJS phishing kit, HighShell,…

2210160469?profile=RESIZE_710xIn April 2019, Krebs reported that Wipro, an Indian IT outsourcing company, was the victim a successful cyber attack by suspected state-sponsored actors.  The actors leveraged ScreenConnect, a remote administration tool, to gain access to various Wipro systems which were then used as launching points for additional attacks against Wipro’s customers.…

In February 2019, conflict between India and Pakistan over the disputed territory of Kashmir escalated into the worst violence there is decades.  An Islamic extremist suicide bomber with a vehicle packed with explosives attacked an Indian police convoy in Kashmir, killing 40.  This provoked a military response by India, with Indian Air Force fighter jets carrying out a bombing raid into Pakistan proper for the first time since 1971.  India claimed they were attacking a…