INTELLIGENCE REPORT: A YEAR LOOK BACK

End of 2022 - Week Ending 30 December 2022:

  • Red Sky Alliance identified 19,712 connections from new IPs checking in with our Sinkholes
  • Frantech[.]ca in NYC hit 23x
  • Analysts identified 867 new IP addresses participating in various Botnets
  • 2022-2023 ZeroBot
  • Ten (10) Data Set Stats
  • Red Sky Tools
  • Red Sky Partners
  • LastPass

Link to .pdf : IR-22-364-001_weekly364.pdf

IP                 Contacts
199.195.249.252    56
87.236.20.241      49
185.151.48.131     49
68.178.224.252     48
62.210.185.4       37

199.195.249.252 was reported 23 times. Confidence of Abuse is 84%. ISP: Frantech Solutions; Usage Type: Data Center/Web Hosting/Transit; Domain Name: frantech.ca; Country: USA, City: NYC, NY
https://www.abuseipdb.com/check/199.195.249.252

Compromised (C2) IPs

On 28 December 2022, Red Sky Alliance identified 19,712 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants; Sykipot follows.

Malware Activity

Malware Variant    Times Seen
sality             17391
corkow             1245
sykipot            452
shiz               293
maudi              207

For a full blacklist, contact analysts: info@wapacklabs.com

Botnet Tracker

On 28 December 2022, analysts identified 867 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sampling from the botnet tracker).

First Seen             Botnet Attribution     Infected Host’s IPv4 Address
2022-12-27T01:20:51    HTTP proxy|port:80     8.219.60.145
2022-12-26T11:00:24    HTTP proxy|port:80     8.219.141.77
2022-12-24T21:10:26    HTTP proxy|port:80     8.219.158.54
2022-12-22T19:10:24    HTTP proxy|port:80     8.219.159.77
2022-12-24T19:10:27    HTTP proxy|port:80     8.219.172.178
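The sinkhole contacts and botnet tracker tables above are only useful once they are matched against a network's own traffic. The script below is an added example, not Red Sky Alliance code: it loads the indicators listed in the two tables, scans a few constructed firewall log lines in an assumed "timestamp source -> destination:port" format, and reports every connection that touches an indicator together with its direction (an outbound hit from an internal host to a sinkhole address points at a possibly infected machine; an inbound hit from an open proxy is traffic whose true origin is masked). The log format, the internal addresses and the hits are all constructed for the example.

```python
import ipaddress
import re

# Indicators copied from the two tables above (sinkhole contacts and the
# botnet tracker sample). A real deployment would load the full .csv blacklist.
SINKHOLE_CONTACTS = {
    "199.195.249.252": 56,
    "87.236.20.241": 49,
    "185.151.48.131": 49,
    "68.178.224.252": 48,
    "62.210.185.4": 37,
}
BOTNET_TRACKER = [
    ("2022-12-27T01:20:51", "HTTP proxy|port:80", "8.219.60.145"),
    ("2022-12-26T11:00:24", "HTTP proxy|port:80", "8.219.141.77"),
    ("2022-12-24T21:10:26", "HTTP proxy|port:80", "8.219.158.54"),
    ("2022-12-22T19:10:24", "HTTP proxy|port:80", "8.219.159.77"),
    ("2022-12-24T19:10:27", "HTTP proxy|port:80", "8.219.172.178"),
]

# Constructed firewall log lines in an assumed "ts src -> dst:port" format
# (not from the report). Lines 1 and 3 touch indicators; line 2 does not.
SAMPLE_LOGS = [
    "2022-12-28T09:15:02 199.195.249.252 -> 10.0.0.5:443",
    "2022-12-28T09:15:10 10.0.0.7 -> 203.0.113.10:443",
    "2022-12-28T09:16:41 10.0.0.9 -> 8.219.60.145:80",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)$"
)


def build_index(sinkhole, botnet):
    """Map indicator IP -> (data set, detail). Sinkhole entries win on overlap."""
    index = {}
    for first_seen, attribution, ip in botnet:
        index[ip] = ("botnet_tracker", f"{attribution}; first seen {first_seen}")
    for ip, contacts in sinkhole.items():
        index[ip] = ("sinkhole", f"{contacts} sinkhole contacts")
    return index


def direction(src, dst):
    """Seen from the private side: outbound if the source is RFC 1918, else inbound."""
    return "outbound" if ipaddress.ip_address(src).is_private else "inbound"


def scan_logs(lines, index):
    """Return one hit per log line whose source or destination is an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst = m["src"], m["dst"]
        for ip in (src, dst):
            if ip in index:
                data_set, detail = index[ip]
                hits.append({
                    "ts": m["ts"],
                    "direction": direction(src, dst),
                    "indicator": ip,
                    "peer": dst if ip == src else src,
                    "port": int(m["port"]),
                    "data_set": data_set,
                    "detail": detail,
                })
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_index(SINKHOLE_CONTACTS, BOTNET_TRACKER)):
        print(hit)
```

The direction check is the part worth keeping: the same indicator list means different things depending on which side of the connection it appears on, and an alert that does not say so sends the analyst back to the raw logs.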

MALICIOUS CYBER TRENDS:

Recorded Future Top 5 Threat Actors and Malware for 28 December 2022 (rankings change daily) [chart not reproduced]

A YEAR LOOK BACK:

In 2022, Red Sky Alliance moved from New Hampshire, on the US east coast, to Colorado, and is now a 100% Red Sky Alliance brand.  Our ten (10) different data sets continued to provide our clients the indicators of compromise needed to protect their networks.  Most notably, our Dark Web collection was fully automated, and we are now scraping between 70 and 80 forums and marketplaces.

‘First’ Seen Data Collection of 2022 – Samplings:

Breach Data:

Our analysts collect from more than just the large, well-known data breaches.  We have proprietary processes to collect breach data from less visible sources.

Sinkhole Data:

Red Sky runs a proprietary sinkhole and collects indicators from known former malicious domains.  This data is not available from any other source.

Botnet Tracker:

Before 2020, this data set tracked IPs that communicated with known botnet IPs.  From 2020 to the present, we track publicly accessible open web proxies, because bad actors can use these proxies to launch attacks while masking their own IP addresses.

Dark Web Marketplaces (and Forums):

Dark Web data is collected from a variety of pages on the Tor network and their plain-web mirrored counterparts, or from plain-web forums with overlapping intent.  This includes forums, ransomware listings, and marketplaces.  The data is broad: it contains companies already breached, various login credentials (personal and business), and a variety of software, identification papers, and counterfeit items for sale.

Keylogger:

We collect against known keylogger aggregation points.  Red Sky uses proprietary processes to determine where these aggregation points are and collects against them.  We have not yet seen other companies offer the same data from this collection.  Data includes the attacking server, indicators, and the victim IP (if known).

Malicious Emails:

This is a collection of indicators extracted from the headers of emails in which malicious attachments are detected.  This includes email routing information, senders, recipients, and subject lines.  Where possible, we have determined the industry sector and geolocation for each record.
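To show what "indicators extracted from the headers" means in practice, here is an added example (not Red Sky Alliance's collection code) that parses one constructed raw message with Python's standard email library and pulls out the fields the passage names: the relay route recovered from the Received headers, sender, recipients, subject, and the attachments, with a risky-extension check standing in for the report's malicious-attachment detection. The message, its addresses and the list of risky extensions are all assumptions for the example; industry sector and geolocation are not derived here.

```python
import email
import re
from email import policy

# Constructed raw message (not from the report). Two Received hops and a
# macro-enabled spreadsheet attachment, the kind of message this data set records.
RAW_EMAIL = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.example.com with ESMTP id 4Nq2Yz; Wed, 28 Dec 2022 10:02:11 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.net with SMTP; Wed, 28 Dec 2022 10:01:58 +0000
From: "Accounts Payable" <ap@example.net>
To: finance@example.com, cfo@example.com
Subject: Overdue invoice 4471
Message-ID: <20221228100158.1@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

# IPv4 literal in square brackets, as MTAs write it in Received headers
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Attachment extensions treated as malicious for this example (an assumption,
# standing in for whatever detection produced the record)
RISKY_EXTENSIONS = {".xlsm", ".docm", ".js", ".vbs", ".iso", ".lnk", ".exe"}


def extract_indicators(raw: bytes) -> dict:
    """Pull routing, sender, recipient, subject and attachment indicators from one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Each relay prepends its own Received header, so the last one is the origin.
    route = []
    for hop in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(str(hop))
        if m:
            route.append(m.group(1))

    sender = msg["From"].addresses[0].addr_spec if msg["From"] else None
    recipients = [a.addr_spec for hdr in ("To", "Cc") if msg[hdr] for a in msg[hdr].addresses]

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "risky": ext in RISKY_EXTENSIONS,
        })

    return {
        "sender": sender,
        "recipients": recipients,
        "subject": str(msg["Subject"] or ""),
        "route": route,  # origin first, receiving MX last
        "attachments": attachments,
        "flagged": any(a["risky"] for a in attachments),
    }


if __name__ == "__main__":
    for key, value in extract_indicators(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The origin address is read from the last Received header because that is the only hop the sender did not write; the From header and the earlier hops are under the sender's control and should be treated as claims, not facts.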

Other Red Sky Alliance Data Sets:

Source Code Secrets - We collect authentication keys, usernames and passwords, and API keys from open sources where users may have failed to properly configure their GitHub, GitLab, or Bitbucket repositories.
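The same kinds of secrets this data set collects can be caught before they reach a public repository. The scanner below is an added example, not Red Sky Alliance code: it runs a few detection patterns (cloud access key IDs, private key blocks, and credentials or API keys assigned as string literals) over a constructed settings file, drops obvious placeholders and low-entropy literals to limit false positives, and reports each finding with a redacted preview. The patterns, the entropy threshold and the sample file are assumptions for the example; the AWS key shown is the documented example value, not a live credential.

```python
import math
import re
from collections import Counter

# Detection patterns (assumed for this example, not the project's own) for the
# secret types the passage names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|api[_-]?key|secret|token)\w*\s*[:=]\s*['\"](?P<secret>[^'\"]{8,})['\"]"
    ),
}
MIN_ENTROPY = 3.0  # bits per character; below this a literal is probably a placeholder

# Constructed sample file (not real credentials; the AWS value is the documented example key).
SAMPLE_FILE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "${DB_PASSWORD}"
SLACK_TOKEN = "xoxb-not-a-real-token-0123456789abcdef"
DEBUG = "true"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; random keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Template variables and well-known dummy values are not leaks."""
    v = value.strip().lower()
    return v.startswith(("${", "<", "{{")) or v in {"changeme", "password", "example"}


def scan_text(text: str, path: str = "<constructed>") -> list:
    """Return one finding per line; the secret is redacted to a 4-character preview."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():  # first matching pattern wins
            m = pattern.search(line)
            if not m:
                continue
            secret = m["secret"]
            entropy = shannon_entropy(secret)
            if kind == "hardcoded_credential" and (
                looks_like_placeholder(secret) or entropy < MIN_ENTROPY
            ):
                continue
            findings.append({
                "path": path,
                "line": line_no,
                "kind": kind,
                "preview": secret[:4] + "…",
                "entropy": round(entropy, 2),
            })
            break
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE, "settings.py"):
        print(finding)
```

Run as a pre-commit hook, a scanner like this stops the leak at the developer's machine; the redacted preview is deliberate, since a finding that prints the full secret into CI logs creates a second copy of it.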

Threat Recon - Aggregation of other open source threat intel mainly concerning IPs of known threat actors.

"Paste" Sites (i.e. Pastebin) - This index contains domains, emails, and IP addresses extracted from sites such as pastebin.com. Indicators in this collection are geolocated when possible. We store these references for informational requests, well after the original link may have been removed.

** Keep in mind that our data has been collected for more than 10 years.  This gives a solid historical view of collection points through our products, RedXray and CTAC, and, once set up properly, a daily view of your threat picture.

Red Sky Alliance Collection and Analysis Tools

RedXray

Our RedXray product was developed entirely by our engineers to help company IT professionals and analysts proactively monitor any domain they want to keep an eye on.  This could be their own networks, or other domains they deem in need of monitoring.  The RedXray product provides daily notifications with indicators derived from our ten (10) different data sets.  This product was developed for the Defense Industrial Base (DIB) to help companies easily protect themselves from malicious intrusions.

CTAC

Our Cyber Threat and Analysis Center (CTAC) is a Kibana/Elastic Stack product, which is a more encompassing analytical tool for companies and analysts.  CTAC offers an open REST API for integration with as many other systems as needed.  These tools have low learning curves and large user bases.

With both of our RedXray and CTAC products, the year of 2022 saw many new improvements to help our clients better support their cyber security programs. 

Cyber Intelligence Reporting

Several years ago, we established the Red Sky Alliance information portal [redskyallicne.org].  Here we share tactical cyber reports, full technical cyber intelligence reports and our weekly Redshort webinars.  Below is our 2022 breakdown of this support, which we provide free of charge.  For 2023, this site will be open to any who wish to participate.

2022 Partners

Red Sky Alliance together with Quackenbush Benefit Agency is providing needed ID protection services.  They have been in business since 1999 and are working with families, small businesses, and employers to protect them from various events with a host of services.  Two popular services include legal and cyber/digital identity protection for people and businesses.  We also partner with healthcare providers and various affordable insurance products for life and health.

Cyrisma

Our coordinated effort assists Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) and provides a unique “Inside Outside” cybersecurity service approach that delivers affordable, simple, and accessible cybersecurity in a matter of hours.  Cyrisma is a SaaS-based ecosystem that provides a single interface to identify sensitive data, vulnerable systems, and insecure configurations, track mitigation progress, and assign accountability.  Organizations that use this solution see significant ROI on their resources, time, money and people, while meeting compliance mandates.

Dun and Bradstreet (DnB)

The Dun & Bradstreet Marketplace contains raw data derived from Red Sky Alliance database breaches.  This includes both public breaches and those leaked on the deep or dark web.  Breach data is a raw collection, meaning the data is unparsed and unsanitized.  The type of data depends on the breach.  For example, some may list an email and password combination while others may just have PII such as names and addresses.

Cysurance

As insurance providers take a closer and closer look at providing coverage against cyber-attacks, Cysurance, in cooperation with Red Sky Alliance, continues to offer coverage to managed service providers, specialty insurance brokers, and other small business partners as an add-on service that protects data, operations and revenues.  Cysurance eases insurance complexities by eliminating underwriting and confusing, lengthy application processes.

Snowflake

Red Sky Alliance saw the beauty of providing our data through the Snowflake platform to offer an innovative way to protect networks.   Snowflake’s founders started from scratch and built a data platform that would harness the immense power of the cloud.  They engineered Snowflake to power the Data Cloud, where thousands of organizations have seamless access to explore, share, and unlock the true value of their data.

GLOBAL TRENDS:

LastPass - Password manager LastPass announced last week that hackers had accessed and copied a backup of data including customers’ passwords in an encrypted format.  People who use LastPass and have a weak master password, or one which may be associated with their email address or telephone number on another service, may need to consider that all of their passwords have been compromised and need to be changed, the company said.  “If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account,” the LastPass CEO explained, describing so-called credential stuffing attacks.[1]

The announcement follows the company disclosing an incident from August in which “some source code and technical information were stolen from our development environment” — details that were subsequently used in the most recent attack.  In an update to its existing post, rather than a new one, LastPass said that the data gained during the August breach was “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

The threat actor — as the data stolen in the first attack was used to support the second attack, this suggests it is the same individual or group behind both — was then able to access the decryption keys for LastPass’ cloud storage and dual storage containers.  This is what has caused the most concern among onlookers as it enabled the attackers to copy the backups which LastPass keeps of its customers’ unencrypted account information “including company names, end-user names, billing addresses, email address, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The threat actor also accessed “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”  In bold text, its blog post said that these encrypted fields are “secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.”   LastPass’s encryption and hashing methods would make it “extremely difficult” for the threat actor to ‘brute force’ guess master passwords — referring to the practice of guessing a password by using a computer to generate every possible key (aaaaa, aaaab, aaaac, etc.) until one of them works.

AES-256 has a very large number of possible keys: 2^256.  As this explainer from the 3blue1brown YouTube channel shows, it would take hackers with today’s technology an impossibly long time to brute force a key of that size.  There are no publicly known attacks that would allow someone to brute force the key for material encrypted with a complete implementation of 256-bit AES (Advanced Encryption Standard) in a shorter time, although some attacks have been proposed against incomplete implementations.  “Password managers are a natural target for someone trying to gain unauthorized access to your accounts, because a successful attack provides access to all of a user’s stored passwords,” warns guidance from the United Kingdom’s National Cyber Security Centre (NCSC).

Despite this risk, NCSC still recommends using password managers as long as the service complies with technical standards, which include preventing the service itself (and thus any attacker) from being able to access the decryption key.  LastPass wrote: “The master password is never known to LastPass and is not stored or maintained by LastPass.  The encryption and decryption of data is performed only on the local LastPass client.”  However, the company has been criticized for its handling of the incident and for failing to encrypt additional customer data.  The blog post added that customers who use LastPass’ default settings, including a unique master password of at least twelve characters, do not need to take any action. However, those with weaker passwords, including business customers who do not use LastPass’ federated login services, were told they “should consider minimizing risk by changing passwords of websites you have stored.  This remains an ongoing investigation.  We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution,” LastPass added.  “We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”
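The argument in the passages above is that the 2^256 AES key space is not what an attacker with a stolen vault attacks; the master password that the key is derived from is. The added example below (not LastPass code, and not its actual parameters) makes that concrete: it derives a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256 on the client side, as the LastPass statement describes, and then puts the guess budget for several master password policies next to the raw key, including the reused-password case that credential stuffing exploits. The iteration count, the attacker guess rate and the policies compared are assumptions for the example.

```python
import hashlib
import math

KEY_LEN = 32  # a 256-bit AES key, as the LastPass statement describes

# Assumed values for this example, not LastPass's actual settings:
ITERATIONS = 600_000     # PBKDF2 work factor applied on the client
GUESSES_PER_SEC = 1e10   # attacker throughput at that work factor
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    This runs only on the client, so the service holds neither the password nor the key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the candidates an exhaustive guesser must cover (aaaaa, aaaab, ...)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_sec: float = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def compare_policies() -> dict:
    """Guess budget for several master password policies next to the raw AES-256 key."""
    policies = {
        # (alphabet size, length); assumptions chosen to span the range
        "reused password already in a breach dump": (1, 12),  # attacker already has it
        "8 lowercase letters": (26, 8),
        "12 printable ASCII (12-character minimum)": (95, 12),
        "raw AES-256 key": (2, 256),
    }
    return {
        name: {"bits": keyspace_bits(a, n), "years": years_to_exhaust(keyspace_bits(a, n))}
        for name, (a, n) in policies.items()
    }


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", b"user@example.com")
    print("vault key:", key.hex())
    for name, r in compare_policies().items():
        print(f"{name:44s} {r['bits']:7.1f} bits  ~{r['years']:.3g} years")
```

The comparison shows why the advice in the statement hinges on two separate properties: length (a 12-character password from a 95-symbol alphabet is roughly 79 bits of work, far below 256 but far beyond a reused 8-character one) and uniqueness (a password already present in a credential dump costs the attacker one guess, whatever its length).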

[1] https://therecord.media/lastpass-hackers-accessed-and-copied-customers-password-vaults/
