Intel Reports

Activity Summary - Week Ending on 26 January 2023:

• Red Sky Alliance identified 28,460 connections from new IP’s checking in with our Sinkholes
• ReliableSite hit 171x
• Analysts identified 577 ‘new’ IP addresses participating in various Botnets
• Red Sky Keylogger Data Collection – Highest month in 2022
• CrySIS/Dharma
• Microsoft HTML
• We need more cybersecurity professionals

Red Sky Alliance Compromised (C2) IP’s 

On 25 January 2023, Red Sky Alliance identified 28,460 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

 Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@wapacklabs.com

Red Sky Alliance Botnet Tracker

On 25 January 2023, analysts identified 577 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).

Red Sky Alliance Keylogger Data Collection

Our analysts routinely collect against known keylogger aggregation points.  We use propriety processes to determine where these aggregation points are and collect against them.  We have not yet seen other companies with the same data from our collection.  Data includes the attacking server, indicators, and victim ip (if known).  Our biggest “new” collection was on 4 April 2022, with 5125 keylogged accounts. 

Example of a new keylogged account from 17 January 2023. 

While there are legitimate and legal uses for keyloggers, many uses for keyloggers are malicious.  In a keylogger attack, the keylogger software records every keystroke on the victim's device and sends it to the attacker.  In fact, several years ago, our analysts discovered a keylogged account that was employed by a German middle manager had keylogged a subordinate and not only was he fired, but investigated by the Bavarian Police for computer crimes. 

MALICIOUS CYBER TRENDS:

CrySIS/Dharma ransomware family.[1]

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

CrySIS/Dharma Ransomware Overview, by FortiGuard

The CrySIS/Dharma ransomware family has been around for several years – dating to at least 2016. It nominally operates using a Ransomware-as-a-Service (RaaS) model.  However, it should also be noted that at least one version of the ransomware had its source code leaked, allowing anyone to purchase and repurpose it for their own ends.  Due to this proliferation of versions, it’s become a game of “whack-a-mole” when new ones pop up with different operators.

CrySIS/Dharma Ransomware Infection Vector:  Several methods have been used by CrySIS/Dharma operators to gain access to an environment—most famously, exposed Microsoft Remote Desktop Protocol (RDP) servers. It has also been delivered via phishing with attachments disguised as installation files for legitimate software, including AV vendors.

CrySIS/Dharma Ransomware Execution:  When launched, the ransomware sets the console to codepage 1251, which covers the ability to use Cyrillic languages such as Russian, Ukrainian, and Bulgarian.

Figure 1.  Console codepage set to 1251

It also deletes shadow copies of the system to hamper any attempts at recovery.

Figure 2.  Deletion of the host’s volume shadow copies using VSSadmin.

An additional copy of the ransomware is copied to the host’s “~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folder to ensure it runs in the event the system is restarted before encryption has occurred.

Figure 3.  A new copy of the ransomware copied into the Startup folder.

All files of interest, such as personal and operational documents (it does not touch system files), are then subjected to encryption.

Figure 4. A selection of files of interest for CrySIS/Dharma

Encrypted files have an extension generally referring to the threat actor controlling the ransomware. These tend to vary widely, as seen in the following images.

Figure 5.  Files encrypted by CrySIS/Dharma variation 1.

Figure 6.  Files encrypted by CrySIS/Dharma variation 2.

Figure 7.  Files encrypted by CrySIS/Dharma variation 3.

In an unusual step, once encryption is complete, the malware launches the Microsoft HTML Application (MSHTA) to process and display a file called “Info.hta”. Copies of this file are stored in four separate locations on the host:

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
• C:\Users\<victim account>\AppData\Roaming
• C:\Users\<victim account >\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• C:\Windows\System32

“Info.hta” is essentially an HTML file containing the ransom's details.

Figure 8.  Contents of “Info.hta”.

While there are variations in the ransom notes, all contain a method to contact the attacker to discuss the details of the ransom. A unique ID, which appears to be based on the characteristics of the victim system, is also displayed.

Figure 9.  CrySIS/Dharma ransom note variation 1.

Figure 10.  CrySIS/Dharma ransom note variation 2.

Figure 11.  CrySIS/Dharma ransom note variation 3.

In addition to its “Info.hta” file, a separate file called “info.txt” is also dropped. It contains a truncated set of instructions to contact the attacker. A copy is dropped at the following locations:

• C:\
• C:\Users\Public\Desktop
• C:\Users\<victim account >\Desktop

Figure 12.  Contents of the “info.txt” file.

CrySIS/Dharma ransomware variants with the following AV signatures:

• W32/Crysis.L!tr.ransom
• W32/Crysis.W!tr.ransom

IOCs

File-based IOCs:

GLOBAL TRENDS:   

The need for cybersecurity professionals has never been greater. Given the ever-expanding roles of technology, data and AI in the enterprise, the need to protect, detect and remediate against cyber-attacks is of existential importance across every sector.  At the same time, organizations of all kinds are grappling with the much-discussed cybersecurity talent shortage.  A wide variety of opportunities abound, and the field needs a diverse array of talents and skills.  As an aspiring or current practitioner weighing possible career options, consider the following eight cybersecurity roles.[2]

1. Security administrator - Seniority: Entry-level to midlevel. The security administrator is an operational role overseeing an organization's security on a day-to-day basis and troubleshooting and triaging problems as they arise. Typical tasks might include the following:

• network scanning;
• activity monitoring;
• security tool configuration and support;
• secure data backup management;
• user account administration;
• user privilege management; and
• security policy implementation, in partnership with governance, risk and compliance teams.
• A wide variety of opportunities abound, and the field needs a diverse array of talents and skills.

2. Security operations center analyst - Seniority: Entry-level to senior-level. The security operations center (SOC) analyst role involves uncovering potential cyber attacks by monitoring for unusual digital activity. SOC analysts use traditional log monitoring, as well as more advanced AI-based tools, that alert to suspicious behavior. Many cybersecurity professionals' first jobs are in the SOC, and an entry-level analyst could go on to hold any number of positions in the field.

While junior SOC analysts' responsibilities are operational in nature -- reviewing and processing alerts from security tools to weed out false alarms and escalate potential red flags -- senior SOC analysts shoulder more advanced responsibilities.  These might include the following:

• handling high-priority security incidents;
• researching emergent threats and incorporating findings into the monitoring and analysis framework;
• training and managing junior analysts;
• researching cybersecurity trends, tools and technologies and making recommendations for adoption; and
• engaging in threat hunting and threat management.
• Regardless of seniority, a SOC analyst needs an eye for detail, the ability to troubleshoot and an interest in threat research.

SOC team roles and responsibilities.  A variety of cybersecurity roles exist within the typical SOC, from entry-level security analysts to senior security architects.

3. Digital forensic engineer - Seniority: Entry-level to senior-level. As the term suggests, digital or computer forensics involves retroactively investigating confirmed security incidents, such as data breaches. Digital forensic engineers -- also known by titles such as cyber forensic investigators and computer forensic analysts -- seek to uncover and understand the scope of attacks, who perpetrated them and how.

A digital forensic engineer's responsibilities may include the following:

• gathering and analyzing digital evidence, including log and alert data;
• recovering and analyzing data from damaged or corrupted devices;
• documenting the sequence of events that unfolded during a security incident;
• providing evidence and analysis to legal and law enforcement teams; and
• offering expert analysis and testimony in judicial proceedings.

To be successful in this role, a digital forensic engineer must have the following:

• strong problem-solving skills;
• advanced technical abilities, with expertise in programming, ethical hacking and OSes;
• an understanding of the legal requirements involved in evidence gathering; and
• an avid interest in piecing together evidence to make a case.

While many digital forensic engineer, analyst and investigator roles require significant experience, related entry-level positions do exist. In some cases, for example, junior technicians may need only a bachelor's degree and relevant technical skills to get started in digital forensics.

4. IT auditor - Seniority: Entry-level to senior-level. The IT auditing role involves evaluating an organization's security practices and technological infrastructure to assess the following:

• security gaps and corresponding business risks;
• adherence to compliance laws; and
• efficiency and effectiveness of the overall security deployment.

After assessing an organization's risk profile, an IT auditor makes formal recommendations for improvement to key stakeholders. Other key responsibilities of an IT auditor include developing, implementing and updating the audit framework.  IT auditors need strong interpersonal skills and the ability to build relationships across their organizations; the ability to interpret and implement security frameworks; and an interest in meeting regulatory requirements effectively and efficiently.

5. Application security engineer - Seniority: Midlevel to senior-level. The application security engineering role focuses on protecting an organization's applications from attackers throughout the software development lifecycle and the application lifecycle. Appsec engineers may work in standalone teams or as integrated members of DevSecOps teams.

An appsec engineering position typically involves the following:

• identifying and implementing security controls -- including hardware, software, techniques and procedures -- and establishing internal security standards to prevent unauthorized application access;
• working closely with developers and software architects to ensure they use secure coding practices;
• implementing application logging, authentication and authorization systems; and
• creating a framework for assessing incorporation of binaries from public libraries such as GitHub to ensure security.

Today's appsec engineers may also oversee API security and recommend best security practices for third-party application use.

6. Network security engineer - Seniority: Midlevel to senior-level. Network security engineers aim to minimize network security vulnerabilities without sacrificing uptime. They need technical skills, the ability to troubleshoot problems as they arise and extensive knowledge of common and emerging cyber threats.

A network security engineer's responsibilities typically include the following:

• deploying, configuring, managing and testing network security hardware and software -- including routers, firewalls, VPNs and endpoint devices -- to defend against cyber threats;
• managing network access;
• monitoring the network for unusual activity;
• troubleshooting network security issues; and
• supporting the development of network security policies, processes and designs.

Today's network security engineers may manage infrastructure in traditional on-premises, cloud or hybrid environments.

7. Penetration tester - Seniority: Midlevel to senior-level. Also known as ethical hackers, pen testers work to proactively uncover enterprises' security vulnerabilities by modeling attacker behavior. Pen testers try to breach networks and systems by exploiting known and unknown technical vulnerabilities and by engaging in social engineering. Their goal is to uncover security weaknesses before malicious hackers do.

Necessary skills include the following:

• building automated scripts;
• keeping up with security vulnerabilities disclosed publicly and on the dark web;
• creating detailed pen test reports identifying exploitable weaknesses; and
• recommending policy changes and updates to user training methods.

Pen testers may work for dedicated in-house teams or for third-party firms that serve multiple organizations.

8. Security architect - Seniority: Senior-level. The security architect role overlooks the entire security posture of an organization. It includes the following responsibilities:

• drafting security policies that align with the organization's risk appetite;
• architecting remediation and mitigation plans in case of cyber attacks; and
• identifying new security and technology trends to incorporate into the cyber framework.

For security architects who are managers -- leading teams of security engineers -- people and communication skills are also important.

[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants?lctg=141970831

[2] https://www.techtarget.com/searchsecurity/tip/Cybersecurity-roles-to-consider