Activity Summary - Week Ending on 13 January 2023:
- Red Sky Alliance identified 17,493 connections from new IP’s checking in with our Sinkholes
- Beget[.]ru in Russia hit 20x
- Analysts identified 244 new IP addresses participating in various Botnets
- Red Sky Breach Data Collection
- GrubHub Breach and AMEX
- Credential Stuffing
- Cyber Attack Statistics and Trends
- UK Media Attack
- Hack The Box
| IP | Contacts |
| --- | --- |
| 87.236.20.214 | 81 |
| 5.101.157.29 | 78 |
| 89.117.58.53 | 71 |
| 185.114.245.124 | 61 |
| 185.225.33.17 | 60 |
87.236.20.214 was reported 20 times. Confidence of Abuse: 100%; ISP: Beget LLC; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): m1.argo.beget.com; Domain Name: beget.ru; Country: Russian Federation; City: Saint Petersburg, Sankt-Peterburg.
Confidence of Abuse: 100%; ISP: TimeWeb Ltd.; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): vh320.timeweb.ru; Domain Name: timeweb.ru; Country: Russian Federation; City: Saint Petersburg, Sankt-Peterburg.
Red Sky Alliance Compromised (C2) IP’s
On 11 January 2023, Red Sky Alliance identified 17,493 connections from new unique IP addresses that checked in with one of the many Red Sky Alliance sinkholed domains.
| Malware Variant | Times Seen |
| --- | --- |
| sality | 15664 |
| corkow | 1047 |
| sykipot | 364 |
| shiz | 310 |
| maudi | 276 |
Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants.
For a full black list – contact analysts: info@wapacklabs.com
Red Sky Alliance Malware Activity
Red Sky Alliance Botnet Tracker
On 11 January 2023, analysts identified 244 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).
| First Seen | Botnet Attribution | Infected Host's IPv4 Address |
| --- | --- | --- |
| 2023-01-05T18:27:20 | SOCKS4 proxy\|port:4145 | 1.10.139.10 |
| 2023-01-05T13:20:52 | HTTP proxy\|port:3128 | 5.161.120.15 |
| 2023-01-05T10:40:23 | HTTP proxy\|port:999 | 8.242.176.194 |
| 2023-01-05T02:50:24 | HTTP proxy\|port:999 | 8.242.178.3 |
| 2023-01-05T12:10:16 | HTTP proxy\|port:999 | 8.242.178.4 |
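The tracker rows above are the kind of feed a defender turns into a deny list. The following Python is an added example (not Red Sky Alliance code) that parses rows in that three-field shape, validates the IPv4 address, and produces a sorted blocklist plus a count per proxy type and port. The sample rows are the five table entries re-joined one per line; the attribution field itself contains a `|` (`HTTP proxy|port:999`), so the parser anchors on the timestamp and the address rather than splitting naively on the separator.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the five tracker rows from the table above, one per line.
SAMPLE_ROWS = """\
2023-01-05T18:27:20 | SOCKS4 proxy|port:4145 | 1.10.139.10
2023-01-05T13:20:52 | HTTP proxy|port:3128 | 5.161.120.15
2023-01-05T10:40:23 | HTTP proxy|port:999 | 8.242.176.194
2023-01-05T02:50:24 | HTTP proxy|port:999 | 8.242.178.3
2023-01-05T12:10:16 | HTTP proxy|port:999 | 8.242.178.4
"""

# The middle field may contain '|' itself, so anchor on the ISO timestamp at
# the start and the dotted-quad at the end; the attribution is whatever sits
# between them.
ROW_RE = re.compile(
    r"^(?P<seen>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<attr>.+?)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
PORT_RE = re.compile(r"port:(\d{1,5})")


def parse_tracker(text):
    """Return one dict per well-formed row; malformed rows and invalid IPs are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])   # rejects e.g. 999.1.1.1
            seen = datetime.fromisoformat(m["seen"])
        except ValueError:
            continue
        attr = m["attr"]
        port_m = PORT_RE.search(attr)
        records.append({
            "first_seen": seen,
            "attribution": attr.split("|", 1)[0].strip(),  # "HTTP proxy"
            "port": int(port_m.group(1)) if port_m else None,
            "ip": str(ip),
        })
    return records


def blocklist(records):
    """De-duplicated IPs in numeric order, ready for a firewall or proxy deny list."""
    return sorted({r["ip"] for r in records}, key=ipaddress.IPv4Address)


def summarize(records):
    """Count infected hosts per (attribution, port) pair for a quick triage view."""
    return Counter((r["attribution"], r["port"]) for r in records)


if __name__ == "__main__":
    recs = parse_tracker(SAMPLE_ROWS)
    for ip in blocklist(recs):
        print(ip)
    for (attr, port), n in summarize(recs).most_common():
        print(f"{attr} on port {port}: {n} host(s)")
```

On a full .csv export the same functions apply unchanged; the deny list is what you would push to an egress filter or proxy ACL, and the per-port summary tells you which proxy flavours dominate the current batch.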
Red Sky Alliance Breach Data Collection
Since 2013, Red Sky Alliance has collected breach data to help our clients better protect their networks. Our researchers collect from more than just the large, known data breaches; we have proprietary processes to collect breach data from less visible sources. Breach data hits are from public database leaks. Depending on the nature of the leaked database, exposed information may vary from just email addresses to username and password combinations and other personally identifiable information. Our collection set contains raw breach data so you can easily see what type of data has been exposed. If the breach data contains passwords, then our analysts recommend enforcing a password reset and investigating whether there has been unauthorized access to that account. Some companies believe that the disclosure of "old" or historical passwords is low risk. This is false, however, as many attackers use old passwords to brute force or predict current passwords. Old passwords can also be used in fraud and phishing attacks to build trust. And if needed, historical data can be used in an incident response and help to build a criminal case against the hacker(s).
Last 90 Days
Looking a bit further in our CTAC breach data and using “American” as a search term, 917 hits were observed in the last 90 days.
Unfortunately, there were numerous examples of American Express credit card information seen in the GrubHub logs breach. If you are one of those card holders, your card information has been stolen. Below is an example of a victim card holder. The name and password have been redacted to help protect this poor fellow.
Though this hack could have been dated, our collection shows that names and passwords are still being sold in the dark web that can possibly be used to brute force current credit card data.
Credential Stuffing - Food delivery services like DoorDash, Grubhub, Instacart, Seamless and Stop & Shop GO Pass do not provide any 2FA options. If there are none available, then all it would take to hijack an account on those services is a stolen username and password, and that's exactly what credential stuffing is designed to do. The guy above was just hungry and ordered dinner through GrubHub. I hope that he fixed his ID theft.
Credential stuffing is simple. There are hundreds of millions of stolen username-password pairs, or credentials, floating around online (as seen above), obtained from data breaches or successful phishing attacks. Because many people reuse their passwords, a lot of those stolen credentials will unlock more than one online account.[1] So cybercriminals have created computer programs that fire stolen credentials at website login pages like bullets from a machine gun. A fair number of those credentials will successfully log in and give the criminals access to online accounts. If those accounts contain credit-card information, or permit one-click ordering or free delivery, then it's party time for the crooks. They can change the delivery address on the account to have burritos, beer or groceries sent to their buddies. If the credit-card information isn't properly protected, the card numbers can be stolen too.
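The defensive counterpart to the "machine gun" pattern just described is to look for its signature in your own login logs: one source address trying many different usernames in a short window, most of them failing, with the occasional success being exactly the account that has just been taken over. The Python below is an added example (not from the article or any of the services named) that runs that check over constructed sample log lines; the log format (timestamp, client IP, username, OK/FAIL) and the thresholds are assumptions you would adapt to your own login service. A single user fumbling their own password (one username, a few failures) does not trip it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic): timestamp, client IP,
# username, outcome. 203.0.113.7 replays a credential list; 198.51.100.9 is a
# real user mistyping their own password twice; 192.0.2.44 is a clean login.
SAMPLE_LOG = """\
2023-01-11T08:00:01 203.0.113.7 alice FAIL
2023-01-11T08:00:02 203.0.113.7 bob FAIL
2023-01-11T08:00:02 203.0.113.7 carol FAIL
2023-01-11T08:00:03 203.0.113.7 dave OK
2023-01-11T08:00:03 203.0.113.7 erin FAIL
2023-01-11T08:00:04 203.0.113.7 frank FAIL
2023-01-11T08:00:05 203.0.113.7 grace FAIL
2023-01-11T08:00:05 203.0.113.7 heidi FAIL
2023-01-11T08:01:10 198.51.100.9 alice FAIL
2023-01-11T08:01:40 198.51.100.9 alice FAIL
2023-01-11T08:02:05 198.51.100.9 alice OK
2023-01-11T08:05:00 192.0.2.44 ivan OK
"""


def parse_auth_log(text):
    """Parse the assumed 4-field format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try at least `min_users` distinct usernames inside
    any `window`-long span with a failure rate of `min_fail_ratio` or higher.
    Returns {ip: {attempts, distinct_users, failures, compromised_accounts}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):           # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Successful logins inside a stuffing burst are the accounts
                # that now need a forced reset and a session revocation.
                hits = {u for _, u, ok in span if ok}
                alerts[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failures": fails,
                    "compromised_accounts": sorted(hits),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts over {info['distinct_users']} users, "
              f"{info['failures']} failures; accounts to reset: {info['compromised_accounts']}")
```

The distinct-username count is the discriminator: brute force against one account and a legitimate user's typos both stay at one username, whereas a replayed breach list walks through many. The `compromised_accounts` list is the actionable output for a service without 2FA: force a password reset and invalidate sessions on those accounts.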
MALICIOUS CYBER TRENDS:
Cyber Attack Statistics and Trends - Cyber-attacks were rated the fifth top risk in 2020 and have become the new norm across public and private sectors. This risky industry continues to grow in 2023, as IoT cyber-attacks alone are expected to double by 2025. Plus, the World Economic Forum's 2020 Global Risk Report states that the rate of detection (or prosecution) is as low as 0.05 percent in the US.[2] If you are one of the many who run a growing startup, you know the landscape is ever changing, and 2020 brought on several changes, to say the least. The pandemic affected all types of businesses, big and small. If anything, the pandemic amplified cybercrime due to the uncertainty around remote working and how to protect your business.
Cybercrime, which includes everything from theft or embezzlement to data hacking and destruction, is up 600% as a result of the COVID-19 pandemic. Nearly every industry has had to embrace new solutions and it forced companies to adapt, quickly.
Costs of Cybercrime: Cybercrime will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. At a growth rate of 15 percent year over year, Cybersecurity Ventures also reports that cybercrime represents the greatest transfer of economic wealth in history.
Cybercrime for Small and Medium Businesses: Cyber attacks on all businesses, but particularly small to medium sized businesses, are becoming more frequent, targeted, and complex. According to Accenture's Cost of Cybercrime Study, 43% of cyber attacks are aimed at small businesses, but only 14% are prepared to defend themselves. Not only does a cyber attack disrupt normal operations, but it may cause damage to important IT assets and infrastructure that can be impossible to recover from without the budget or resources to do so. Small businesses are struggling to defend themselves because of this. According to Ponemon Institute's State of Cybersecurity Report, small to medium sized businesses around the globe report recent experiences with cyber-attacks:
- Insufficient security measures: 45% say that their processes are ineffective at mitigating attacks.
- Frequency of attacks: 66% have experienced a cyber attack in the past 12 months.
- Background of attacks: 69% say that cyber attacks are becoming more targeted.
The most common types of attacks on small businesses include:
- Phishing/Social Engineering: 57%
- Compromised/Stolen Devices: 33%
- Credential Theft: 30%
By understanding the targets of attacks and consequences, as a business leader you can minimize the potential, gain value in your cybersecurity efforts, and even prevent future attacks.
Longtail Cost of Cyber Attacks: The long tail costs of a data breach can extend for months to years and include significant expenses that companies are not aware of or do not anticipate in their planning. These costs include lost data, business disruption, revenue losses from system downtime, notification costs, or even damage to a brand’s reputation.
In the visual to the right, we outline the impacts a business may face from the first year up to the third year.
Impact and Severity of Cyber Attacks: Cyber-attacks can impact an organization in many ways — from minor disruptions in operations to major financial losses. Regardless of the type of cyber-attack, every consequence has some form of cost, whether monetary or otherwise. Consequences of the cybersecurity incident may still impact your business weeks, if not months, later. Below are five areas where your business may suffer:
- Financial losses
- Loss of productivity
- Reputation damage
- Legal liability
- Business continuity problems
Ransomware attacks are becoming more prevalent as a concern. At the end of 2016, a business fell victim to a ransomware attack every 40 seconds. This is expected to rise to every 11 seconds by 2021, according to a report by Cybersecurity Ventures. This cyber attack occurs when malicious software is used to restrict access to a computer system or data, until the victim pays ransom requested by the criminal.
Cyber Attacks by Industry: Some industries are more vulnerable to cyber-attacks than others, simply due to the nature of their business. While any industry could be subject to a data breach, those most at risk are businesses that are closely involved with people’s daily lives. Companies that hold sensitive data or personally identifiable information are common targets for hackers. Types of businesses or organizations that are most vulnerable to cyber-attacks include:
- Banks and financial institutions: Contain credit card information, bank account information, and personal customer or client data.
- Healthcare institutions: Repositories for health records, clinical research data, and patient records such as social security numbers, billing information, and insurance claims.
- Corporations: Has inclusive data such as product concepts, intellectual property, marketing strategies, client and employee databases, contract deals, client pitches, and more.
- Higher education: Hold information on enrollment data, academic research, financial records, and personally identifiable information like names, addresses, and billing info.
In the visual below, we break down common types of cyber incidents and the varying impacts on industries.
Breach Discovery: Breach discovery is when the company or business becomes aware that the incident occurred. According to IBM, it takes a company 197 days to discover the breach and up to 69 days to contain it. Companies that contained a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days. A slow response to a data breach can cause even more trouble for your company. It can result in a loss of customer trust, productivity, or major fines.
A data breach response plan is a proactive way to be prepared in the event that a breach does occur. Having a risk management strategy in place to combat incidents such as breaches can minimize the impact on your company and bottom line. An incident response plan, for example, provides guidance for your team during the phases of detection, containment, investigation, remediation, and recovery.
Information Security Spending: Global spending on cybersecurity products and services is predicted to exceed $1 trillion cumulatively over the five-year period from 2017 to 2021. This is a 12-15% year-over-year cybersecurity market growth from 2021.
Global Security Spending: Let’s take a look at how cybersecurity spending has grown around the globe — broken down by product or service.
Who’s Behind Data Breaches? The average person might assume the files on a company database are a bunch of boring documents, but hackers know the hard truth about that hard drive. According to Verizon’s Data Breach Investigations Report, the majority of cyber-attacks are triggered by outsiders, insiders, company partners, organized crime groups, and affiliated groups. We break down the percentages of each:
How to Reduce the Risk of Cyber Attacks? With the increasing threats of hackers mishandling your data, implementing processes to prevent data security breaches is the most responsible course of action after having adequate professional data breach insurance.
Data breach laws vary by state, so depending on where your business is located, there are different factors to take into consideration. Notifications around the breach, what’s covered, and penalties will look different depending on the incidence and state you’re located in.
- Reduce Data Transfers: Transferring data between business and personal devices is often inevitable as a result of the increasing amount of employees who work remotely. Keeping sensitive data on personal devices significantly increases vulnerability to cyber attacks.
- Download Carefully: Downloading files from unverified sources can expose your systems and devices to security risks. It's important to only download files from verified sources and to avoid unnecessary downloads, which lowers your device's susceptibility to malware.
- Improve Password Security: Password strength is the first line of defense against a variety of attacks. Using strings of symbols that don’t have a meaning, regular password changes and never writing them down or sharing them is a crucial step to protecting your sensitive data.
- Update Device Software: Software providers work hard on continuously making their software more secure, and regularly installing the latest updates will make your devices less vulnerable to attacks.
- Monitor for Data Leaks: Regularly monitoring your data and identifying existing leaks will help mitigate the potential fallout from long-term data leakage. Data breach monitoring tools actively monitor and alert you of suspicious activity.
- Develop a Breach Response Plan: Data breaches can happen to even the most careful and disciplined companies. Establishing a formal plan to manage potential data breach incidents, primary cyber-attack response plan, and cyber-attack recovery plan will help organizations of any size respond to actual attacks and contain their potential damage.
It is clear that businesses are under a constant threat of cybercrime and must take steps to defend their data. Do not wait until it’s too late, take steps today to prevent future data breaches and the consequences that follow. Akin to the need for having adequate cyber liability insurance, having adequate data protection is essential.
Your Credit Information - Investigative journalist Brian Krebs recently revealed troubling details of a security vulnerability on the official website of Experian, a global leader in consumer and business credit reporting. The vulnerability was being exploited by identity theft scammers while Experian had no idea about it.[3] Typically, Experian offers credit reports after people answer several multiple-choice questions related to their financial background. However, by the end of 2022, the Experian website was allowing users to bypass these MCQs and directly access the report after entering their name, birth date, address, and Social Security Number.
Ukraine-based security researcher Jenya Kushnir revealed this glitch, which was being exploited by identity thieves who could obtain stolen identities through Telegram chat channels dedicated to this purpose. Kushnir wrote: "I want to try and help to put a stop to it and make it more difficult for to access, since not doing shit and regular people struggle. If somehow I can make a small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others." According to his findings, cybercriminals could trick the Experian website into allowing them access to any user's credit report simply by editing the address in the browser URL bar at some point during the identity verification process.
Researchers then cross-checked Kushnir’s claims by seeking a copy of his credit report from Experian through annualcreditreport.com. This website offers Americans a free copy of their credit report once a year. The report is issued by three major reporting bureaus. The visitor has to provide their name, birth date, address, and Social Security Number. When Brian Krebs provided this information, he was redirected to Experian.com to finish identity verification. That’s the stage when the MCQs appear.
At this stage, if he changed the URL’s last part from “/acr/oow/” to “/acr/report,” his credit report will appear. When he was redirected to the Experian website, it did not display the MCQs and the URL “/acr/OcwError” was displayed, stating that it didn’t have sufficient data to verify his identity. Next, the site offered Krebs three options:
- Send an email for a credit report with identity verification documents;
- Call Experian;
- Upload identity proof on the website.
But when Krebs changed the URL to "/acr/report", as Kushnir had described, he was shown his full credit file even though Experian could not verify his identity.
These findings were shared with Experian on 23 December 2022 and the notification was acknowledged by the company’s PR team on 27 December 2022. During this time, the exploit was patched. It is, however, unclear for how long this issue was known to identity thieves and was being exploited.
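The root cause described above is a multi-step flow whose final step trusts the URL rather than the server's own record of what the visitor has completed. The Python below is an added example (not Experian's code or Krebs's research) contrasting that pattern with the fix a defender would apply: keep the verification outcome in server-side session state and re-check it on every request for the protected resource, so that renaming the path changes nothing. The route names mirror the path fragments quoted in the article; the session model, the knowledge-based-authentication step and the fallback message are assumptions for illustration.

```python
from dataclasses import dataclass, field
from secrets import token_hex

# Constructed, in-memory stand-in for a credit-report site. Path names are the
# fragments quoted in the article; everything else is hypothetical.
REPORT_PLACEHOLDER = "<full credit file for the verified consumer>"


@dataclass
class Session:
    sid: str = field(default_factory=lambda: token_hex(16))
    verified: bool = False       # set only by the server after KBA succeeds
    kba_available: bool = True   # False when no questions can be generated


def answer_questions(session, answers, expected):
    """Knowledge-based authentication step. Only a correct answer set flips the
    server-side flag; nothing the client sends can set it directly."""
    if session.kba_available and answers == expected:
        session.verified = True
    return session.verified


def handle_insecure(session, path):
    """Failure mode described in the article: the report route assumes the
    visitor only reaches it after finishing the previous step, so the path
    alone decides what is served and verification state is never consulted."""
    if path == "/acr/oow/":
        return "questions" if session.kba_available else "OcwError"
    if path == "/acr/report":
        return REPORT_PLACEHOLDER
    return "404"


def handle_hardened(session, path):
    """Every request for the report re-checks the server-side state. The path
    only names a resource; authorization lives in the session."""
    if path == "/acr/oow/":
        return "questions" if session.kba_available else "OcwError"
    if path == "/acr/report":
        if not session.verified:
            # Hand the visitor the out-of-band options instead of the report.
            return "OcwError: verify by mail, phone, or document upload"
        return REPORT_PLACEHOLDER
    return "404"


if __name__ == "__main__":
    s = Session(kba_available=False)        # bureau could not build questions
    print("insecure:", handle_insecure(s, "/acr/report"))
    print("hardened:", handle_hardened(s, "/acr/report"))
    answer_questions(s, ["a", "c"], ["a", "c"]) # no effect: KBA unavailable
    print("hardened after failed KBA:", handle_hardened(s, "/acr/report"))
```

The general rule this illustrates applies to any wizard-style flow (checkout, password reset, account recovery): each step that releases something sensitive must check a server-held marker that only the preceding step can set, and the check must happen on the request for the sensitive resource itself, not on the request for the page that links to it.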
Experian Security and Data Breaches
Experian is one of the world’s leading credit reporting agencies that collects and aggregates information on over 1 billion people and businesses. It has access to data from 235 million individual US consumers, as well as 25 million U.S. businesses, making it a powerful tool for financial institutions, employers, landlords and more.
Yet at the same time, Experian is also known for large-scale data breaches and critical security flaws. A few years ago, one such flaw allowed attackers to obtain customers’ account access and their credit freeze PIN numbers.
In August 2020, it was revealed that Experian suffered a massive data breach in which the personal details of 22 million customers were stolen. In another incident, Serasa Experian, the Brazilian arm of Experian, suffered yet another data breach in which 223 million people had their data leaked on a hacker forum.
GLOBAL TRENDS:
UK Media Attack - The Guardian has confirmed it was hit by a ransomware attack in December 2022 and that the personal data of its UK staff members has been accessed in the incident. The Guardian Media Group’s chief executive and the Guardian’s editor-in-chief both confirmed the news in an update emailed to staff on 11 January. They described the incident as a “highly sophisticated cyber-attack involving unauthorized third-party access to parts of our network,” most likely triggered by a “phishing” attempt in which the victim is tricked, often via email, into downloading malware. The Guardian said it had no reason to believe the personal data of readers and subscribers had been accessed. It is not believed that the personal data of Guardian US and Guardian Australia staff has been additionally accessed. The Information Commissioner’s Office, the UK’s data watchdog, has been informed of the attack, as well as the UK police. The message to staff said there had been no evidence of data being exposed online, so the risk of fraud is considered to be low.
The attack was detected on 20 December and affected parts of the company’s technology infrastructure. Staff, most of whom have been working from home since the attack, have been able to maintain production of a daily newspaper, while online publishing has been unaffected. “We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organization,” said the Guardian. “These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes, and kinds, in all countries.” They added: “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely.”
The Guardian has been using external experts to gauge the extent of the attack and to recover its systems. Although the Guardian expects some critical systems to be back up and running “within the next two weeks”, a return to office working by UK staff has been postponed until early February in order to allow IT staff to focus on network and system restoration. According to a government report last year, two in five UK businesses reported cyber security breaches or attacks in the previous 12 months.
Positive News - Hack The Box – There has long existed a divide in the world of computer hacking between those who are taking a malicious approach to crack a system, and those who are using the same techniques to understand the system's vulnerabilities, help fix them and at the same time fight against the malicious actors. Today, Hack The Box, one of the startups that's built a platform to help cultivate more of the white hats with a gamified approach, is announcing $55 million in funding to expand its business after racking up 1.7 million users. The funding is being led by Carlyle, with Paladin Capital Group, Osage University Partners, Marathon Venture Capital, Brighteye Ventures and Endeavor Catalyst Fund also participating.
The UK startup is not disclosing valuation at the moment, but for some context, has raised just over $24 million since being founded in 2017 (with about $15 million of that in equity: the company says it's now raised about $70 million). Its last valuation, previously updated in 2021 after it raised $10.6 million, was a very modest $52 million. "Modest" because the scale of what the company has achieved is pretty impressive. The 1.7 million community members that use the platform cover both individuals who have joined HTB on their own steam to learn skills and get certifications, as well as some 1,500 enterprises, universities, governments and other organizations that have sent their teams to HTB to be put through their paces.
The company says it currently runs some 450 "hacking labs" across more than 300 machines. Similar to companies like Kahoot (which works in a very different environment, to be clear: K-12 education and corporate training), the idea with HTB is that its learning environment is built around gamification, simulations with avatars and narrative scenarios that are designed to throw users into what are built to mimic classic cyber hacks of varying and increasing sophistication. It also has a "pro lab" tier that takes on typical network configurations, such as Active Directory or fully patched environments, to test and train people on different attacks and approaches around common enterprise tools and scenarios. Penetration testing, misconfigurations and evading endpoint protections are among the situations that are thrown at users.
In addition to its training platform for individuals and teams, it offers a careers platform, where those looking to hire ethical hackers, or ethical hackers looking for work, can connect. This is very cool.
HTB is not the first nor the only company to build cyber training around a gamified environment. US Cyber Games, built in conjunction with US government organizations, is built out as a mass-player environment that is used to identify and train would-be white-hat hackers (it also has a careers service). HTB is actually one of the US Cyber Games' sponsors and supporters. Others like SafeTitan, Phished and Immersive Labs offer a range of approaches both for technical teams and for employees to help raise awareness. The latter is not a category currently addressed by HTB, although it's an obvious area into which it might grow. "Our mission is to create and connect cyber-ready humans and organizations through highly engaging hacking experiences that cultivate out-of-the-box thinking," said the CEO and co-founder, in a statement. "The game in cyber has changed with defensive, reactive and recovery postures not being fit-for-purpose in the face of an ever-increasing and ever-evolving wave of sophisticated attacks. A new proactive offensive & defensive approach is needed to take the fight to cybercriminals rather than waiting to be hit. From individual security professionals to companies, this means adopting a 'hacker mindset', learning to think and act like an attacker. This is the kind of mindset that we cultivate through Hack The Box."
Something we have been regularly returning to on TechCrunch at the moment is the fact that funding has become a lot harder to come by in certain segments of tech. HTB is in one of the categories that is continuing to see attention, not least because security breaches certainly have not slowed down with the rest of the economy. That's one reason why investors would back those in the field that are scaling and have so far done so with relatively little outside capital. “The demands on security and IT professionals have never been greater. An industry-wide talent shortage and an exponentially growing number of cyber threats place great importance on professionals and organizations to maintain best-in-class security practices," said a director at Carlyle. "Hack The Box is a pioneer in constantly providing fresh and curated training and upskilling content, in a fully gamified and intuitive environment, enabling individuals and organizations to tackle real-world hacking problems. We are excited for the next stage of Hack The Box’s evolution and are proud t
[1] https://www.tomsguide.com/news/food-delivery-credential-stuffing-attacks
[2] https://www.embroker.com/blog/cyber-attack-statistics/
[3] https://www.hackread.com/experian-vulnerability-exposed-credit-reports/