Activity Summary - Week Ending on 26 January 2023:

  • Red Sky Alliance identified 28,460 connections from new IPs checking in with our Sinkholes
  • ReliableSite hit 171x
  • Analysts identified 577 ‘new’ IP addresses participating in various Botnets
  • Red Sky Keylogger Data Collection – Highest month in 2022
  • CrySIS/Dharma
  • Microsoft HTML
  • We need more cybersecurity professionals


IP                Contacts
104.243.33.125    92
51.195.193.170    74
65.109.183.206    65
145.255.72.10     65
107.150.37.66     63

104.243.33.125 was found in AbuseIPDB, where it has been reported 171 times with an abuse confidence score of 100%.  ISP: Reliablesite.net LLC; usage type: Data Center/Web Hosting/Transit; domain name: reliablesite.net; location: Miami, Florida, US.
https://www.abuseipdb.com/check/104.243.33.125


Red Sky Alliance Compromised (C2) IPs


On 25 January 2023, Red Sky Alliance identified 28,460 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants and number of contacts.  Sality and Corkow have consistently remained the top variants, followed by Sykipot.


Red Sky Alliance Malware Activity

Malware Variant    Times Seen
sality             25509
corkow             1684
sykipot            460
shiz               453
maudi              289

 

For a full black list – contact analysts: info@wapacklabs.com

 

Red Sky Alliance Botnet Tracker


On 25 January 2023, analysts identified 577 new IP addresses participating in various botnets.  Contact us for the full .csv blacklists; the rows below are only a small sample from the botnet trackers.

First Seen             Botnet Attribution     Infected Host’s IPv4 Address
2023-01-20T21:50:49    HTTP proxy|port:80     8.219.161.100
2023-01-23T19:10:40    HTTP proxy|port:999    8.242.176.198
2023-01-18T16:50:50    HTTP proxy|port:80     23.237.218.181
2023-01-22T15:20:27    HTTP proxy|port:80     35.232.181.223
2023-01-24T04:20:41    HTTP proxy|port:999    38.41.0.92
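The two indicator tables above (sinkhole C2 contacts and the botnet proxy tracker) only pay off once they are matched against your own egress traffic.  The Python below is an added example, not Red Sky Alliance tooling: it loads the five C2 IPs and five tracker rows from this report, parses the "HTTP proxy|port:N" attribution field, and checks constructed outbound-connection log lines against both.  The log layout (timestamp, source, destination:port, protocol) is an assumption.  C2 entries match on destination IP alone, because any contact with a sinkholed host is a phone-home; tracker entries match on IP and port, because an open proxy on port 999 says nothing about unrelated services on the same host.

```python
"""Match outbound connection logs against the sinkhole C2 list and botnet
proxy tracker from this report.  Added example, not Red Sky Alliance tooling;
the log lines are constructed and their field layout is an assumption."""
import ipaddress
import re
from collections import namedtuple

# Sinkhole/C2 IPs from the "Compromised (C2) IPs" table above.
SINKHOLE_C2_IPS = {
    "104.243.33.125", "51.195.193.170", "65.109.183.206",
    "145.255.72.10", "107.150.37.66",
}

# Rows from the botnet tracker table: (first_seen, attribution, ip).
BOTNET_TRACKER_ROWS = [
    ("2023-01-20T21:50:49", "HTTP proxy|port:80", "8.219.161.100"),
    ("2023-01-23T19:10:40", "HTTP proxy|port:999", "8.242.176.198"),
    ("2023-01-18T16:50:50", "HTTP proxy|port:80", "23.237.218.181"),
    ("2023-01-22T15:20:27", "HTTP proxy|port:80", "35.232.181.223"),
    ("2023-01-24T04:20:41", "HTTP proxy|port:999", "38.41.0.92"),
]

ATTRIBUTION_RE = re.compile(r"^(?P<kind>[^|]+)\|port:(?P<port>\d{1,5})$")

ProxyEntry = namedtuple("ProxyEntry", "ip port kind first_seen")


def parse_tracker(rows):
    """Turn tracker rows into a dict keyed by (ip, port).

    Malformed rows raise instead of silently shrinking the blocklist.
    """
    entries = {}
    for first_seen, attribution, ip in rows:
        ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
        m = ATTRIBUTION_RE.match(attribution)
        if not m:
            raise ValueError(f"unrecognised attribution: {attribution!r}")
        port = int(m.group("port"))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {attribution!r}")
        entries[(ip, port)] = ProxyEntry(ip, port, m.group("kind").strip(), first_seen)
    return entries


# Constructed firewall/netflow-style lines: "<ts> <src> -> <dst>:<dport> <proto>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def match_connections(log_lines, c2_ips=SINKHOLE_C2_IPS, tracker_rows=BOTNET_TRACKER_ROWS):
    """Return (alerts, unparsed).  Each alert is (ts, src, dst, dport, reason).

    Unparsed lines are returned rather than dropped so a log-format change
    cannot quietly blind the check.
    """
    proxies = parse_tracker(tracker_rows)
    alerts, unparsed = [], []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if dst in c2_ips:
            reason = "sinkhole-c2"  # any port: the host is phoning home
        elif (dst, dport) in proxies:
            p = proxies[(dst, dport)]
            reason = f"botnet-proxy:{p.kind}:{p.port}"
        else:
            continue
        alerts.append((m.group("ts"), m.group("src"), dst, dport, reason))
    return alerts, unparsed


# Constructed sample traffic (not from the report's collection).
SAMPLE_LOG = [
    "2023-01-25T10:00:01Z 10.1.2.3 -> 104.243.33.125:443 tcp",  # sinkhole C2
    "2023-01-25T10:00:02Z 10.1.2.3 -> 8.242.176.198:999 tcp",   # tracked proxy port
    "2023-01-25T10:00:03Z 10.1.2.9 -> 8.242.176.198:443 tcp",   # same host, other port
    "2023-01-25T10:00:04Z 10.1.2.9 -> 203.0.113.10:443 tcp",    # benign
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits, bad = match_connections(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(f"{len(hits)} alerts, {len(bad)} unparsed lines")
```

Run against the sample it reports the C2 contact and the port-999 proxy hit, skips the port-443 connection to the same proxy host, and counts the unparsable line rather than discarding it.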


Red Sky Alliance Keylogger Data Collection


Our analysts routinely collect against known keylogger aggregation points.  We use proprietary processes to determine where these aggregation points are and collect against them.  We have not yet seen other companies with the same data from our collection.  Data includes the attacking server, indicators, and victim IP (if known).  Our biggest “new” collection was on 4 April 2022, with 5,125 keylogged accounts.

Example of a new keylogged account from 17 January 2023.

While there are legitimate and legal uses for keyloggers, many uses are malicious.  In a keylogger attack, the keylogger software records every keystroke on the victim's device and sends it to the attacker.  Several years ago, our analysts discovered a keylogged account where the keylogger had been deployed by a German middle manager against a subordinate; the manager was not only fired but also investigated by the Bavarian police for computer crimes.

MALICIOUS CYBER TRENDS:

CrySIS/Dharma ransomware family.[1]

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

CrySIS/Dharma Ransomware Overview, by FortiGuard

The CrySIS/Dharma ransomware family has been around for several years – dating to at least 2016. It nominally operates using a Ransomware-as-a-Service (RaaS) model.  However, it should also be noted that at least one version of the ransomware had its source code leaked, allowing anyone to purchase and repurpose it for their own ends.  Due to this proliferation of versions, it’s become a game of “whack-a-mole” when new ones pop up with different operators.

CrySIS/Dharma Ransomware Infection Vector:  Several methods have been used by CrySIS/Dharma operators to gain access to an environment—most famously, exposed Microsoft Remote Desktop Protocol (RDP) servers. It has also been delivered via phishing with attachments disguised as installation files for legitimate software, including AV vendors.

CrySIS/Dharma Ransomware Execution:  When launched, the ransomware sets the console to code page 1251 (Windows Cyrillic), which supports Cyrillic-script languages such as Russian, Ukrainian, and Bulgarian.

Figure 1.  Console code page set to 1251.

It also deletes shadow copies of the system to hamper any attempts at recovery.

Figure 2.  Deletion of the host’s volume shadow copies using vssadmin.

A second copy of the ransomware is written to the host’s “~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folder so that it runs again if the system is restarted before encryption has completed.

Figure 3.  A new copy of the ransomware placed in the Startup folder.

All files of interest, such as personal and operational documents (it does not touch system files), are then subjected to encryption.

Figure 4.  A selection of files of interest for CrySIS/Dharma.

Encrypted files have an extension generally referring to the threat actor controlling the ransomware. These tend to vary widely, as seen in the following images.

Figure 5.  Files encrypted by CrySIS/Dharma variation 1.

Figure 6.  Files encrypted by CrySIS/Dharma variation 2.

Figure 7.  Files encrypted by CrySIS/Dharma variation 3.

In an unusual step, once encryption is complete, the malware launches the Microsoft HTML Application host (mshta.exe) to process and display a file called “Info.hta”. Copies of this file are stored in four separate locations on the host:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\<victim account>\AppData\Roaming
  • C:\Users\<victim account >\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Windows\System32

“Info.hta” is essentially an HTML file containing the ransom's details.

Figure 8.  Contents of “Info.hta”.

While there are variations in the ransom notes, all contain a method to contact the attacker to discuss the details of the ransom. A unique ID, which appears to be based on the characteristics of the victim system, is also displayed.

Figure 9.  CrySIS/Dharma ransom note variation 1.

Figure 10.  CrySIS/Dharma ransom note variation 2.

Figure 11.  CrySIS/Dharma ransom note variation 3.

In addition to “Info.hta”, a separate file called “info.txt” is dropped. It contains a truncated set of instructions for contacting the attacker. A copy is dropped at each of the following locations:

  • C:\
  • C:\Users\Public\Desktop
  • C:\Users\<victim account >\Desktop

Figure 12.  Contents of the “info.txt” file.
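The execution chain described above (vssadmin shadow-copy deletion, a copy written to the Startup folder, mshta.exe rendering Info.hta, info.txt dropped on the desktop) maps directly onto process-creation and file-creation telemetry.  The script below is an added example, not FortiGuard or Red Sky Alliance code.  The events are constructed in a simplified Sysmon-like key=value form (EventID 1 for process creation, EventID 11 for file creation), which is an assumption about your log pipeline; the rule names are ours.

```python
"""Flag the CrySIS/Dharma execution chain in process- and file-creation events.
Added example (not FortiGuard or Red Sky Alliance code).  Event lines are
constructed in a simplified Sysmon-like key=value layout: an assumption."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


# Per-user and all-users Startup folders share this suffix (Figure 3 and the
# Info.hta drop locations listed in the report).
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Ransom note file names from Figures 8 and 12.
NOTE_RE = re.compile(r"\\(Info\.hta|info\.txt)$", re.I)


def parse_event(line):
    """'EventID=1 Image=... CommandLine="..."' -> dict; quoted values may hold spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def check_event(ev):
    """Return the rule names a single event trips, in a fixed order."""
    eid = int(ev.get("EventID", 0))
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    target = ev.get("TargetFilename", "")
    hits = []
    if eid == 1:  # process creation
        # Figure 2: vssadmin deleting shadow copies ("list shadows" is benign admin use)
        if image.endswith("\\vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
            hits.append("shadow-copy-deletion")
        # Figure 8: mshta.exe rendering the Info.hta ransom note
        if image.endswith("\\mshta.exe") and "info.hta" in cmd:
            hits.append("mshta-ransom-note")
    elif eid == 11:  # file creation
        # Figure 3: an executable written into a Startup folder for persistence
        if STARTUP_RE.search(target) and target.lower().endswith(".exe"):
            hits.append("startup-folder-persistence")
        # Figures 8/12: ransom notes appearing on disk
        if NOTE_RE.search(target):
            hits.append("ransom-note-dropped")
    return hits


def scan(lines):
    """Run every rule over every parsable event and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if "EventID" not in ev:
            continue
        detail = ev.get("CommandLine") or ev.get("TargetFilename", "")
        for rule in check_event(ev):
            findings.append(Finding(int(ev["EventID"]), rule, detail))
    return findings


# Constructed events modelled on Figures 2, 3, 8 and 12; none is a real capture.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=11 Image=C:\\Users\\victim\\Downloads\\setup.exe TargetFilename="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\setup.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Users\\victim\\AppData\\Roaming\\Info.hta"',
    'EventID=11 Image=C:\\Users\\victim\\Downloads\\setup.exe TargetFilename="C:\\Users\\Public\\Desktop\\info.txt"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename="C:\\Users\\victim\\Desktop\\notes.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] EventID={f.event_id} {f.detail}")
```

Any single rule here has benign lookalikes (administrators do run vssadmin, installers do write to Startup); the value is in correlating several of them from one process tree within a short window, which the shadow deletion followed by a Startup copy and an mshta launch gives you.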

CrySIS/Dharma ransomware variants are detected by the AV signatures given in the FortiGuard report [1].

IOCs

File-based IOCs (SHA256):

419bc8196013d7d8c72b060da1a02d202d7e3eb441101f7bcb6d7667871a5c16

5c2fb1c42f007093be5e463f70ee7e7192990b3385a3cbcc71043980efa312e0

6a0017262def9565b504d04318c59f55bea136ac3dd48862d1ae90ff6b963811

b557bf11d82d3d64d028a87584657d25dba0480295ed08447f10c7a579dee048

b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39

e9253218e30b30c8bb690b2ab02eef47b8b5c8991629d814b2af6664151e9a2f
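To act on the file hashes above, a host sweep has to hash every candidate file and compare against the set.  The Python below is an added example, not FortiGuard or Red Sky Alliance tooling.  It builds a constructed directory tree in a temporary location and registers the hash of one constructed stand-in file as an extra IOC so that the run produces a hit; none of the report's six samples is present, and the size cap and symlink handling are our own choices.

```python
"""Sweep a directory tree for files whose SHA256 is in the CrySIS/Dharma IOC
list.  Added example, not FortiGuard or Red Sky Alliance tooling.  The sample
tree and the one 'hit' file are constructed at runtime."""
import hashlib
import os
import tempfile

# SHA256 file IOCs from the FortiGuard report reproduced above.
CRYSIS_DHARMA_SHA256 = {
    "419bc8196013d7d8c72b060da1a02d202d7e3eb441101f7bcb6d7667871a5c16",
    "5c2fb1c42f007093be5e463f70ee7e7192990b3385a3cbcc71043980efa312e0",
    "6a0017262def9565b504d04318c59f55bea136ac3dd48862d1ae90ff6b963811",
    "b557bf11d82d3d64d028a87584657d25dba0480295ed08447f10c7a579dee048",
    "b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39",
    "e9253218e30b30c8bb690b2ab02eef47b8b5c8991629d814b2af6664151e9a2f",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs, max_bytes=64 << 20):
    """Return (hits, errors): hits are (path, sha256) for files whose hash is
    in iocs.  Symlinks are not followed and files over max_bytes are skipped
    (the droppers are small; hashing huge files only burns time).  Unreadable
    files are reported, not swallowed, so a permission error cannot hide a hit."""
    wanted = {h.lower() for h in iocs}
    hits, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue
                digest = sha256_file(path)
            except OSError as exc:
                errors.append((path, str(exc)))
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits, errors


def build_sample_tree():
    """Constructed tree: one benign document and one stand-in 'sample'."""
    root = tempfile.mkdtemp(prefix="iocsweep-")
    os.makedirs(os.path.join(root, "Users", "victim", "Downloads"))
    benign = os.path.join(root, "Users", "victim", "report.docx")
    with open(benign, "wb") as fh:
        fh.write(b"quarterly numbers\n")
    # Named like the phishing lure described above (an installer for AV software).
    sample = os.path.join(root, "Users", "victim", "Downloads", "avinstall.exe")
    with open(sample, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"constructed-dharma-stand-in")
    return root, sample


def demo():
    """Register the stand-in's hash as an extra IOC and sweep the tree."""
    root, sample = build_sample_tree()
    iocs = set(CRYSIS_DHARMA_SHA256) | {sha256_file(sample)}
    hits, errors = sweep(root, iocs)
    return root, sample, hits, errors


if __name__ == "__main__":
    root, sample, hits, errors = demo()
    for path, digest in hits:
        print(f"HIT {digest} {path}")
    print(f"{len(hits)} hit(s), {len(errors)} unreadable file(s) under {root}")
```

Hash matching only catches the exact builds listed; a repacked or re-signed variant will not match, which is why the behavioural indicators in the previous section matter more than the hash list for ongoing detection.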

 

GLOBAL TRENDS:   


The need for cybersecurity professionals has never been greater. Given the ever-expanding roles of technology, data and AI in the enterprise, the need to protect, detect and remediate against cyber-attacks is of existential importance across every sector.  At the same time, organizations of all kinds are grappling with the much-discussed cybersecurity talent shortage.  A wide variety of opportunities abound, and the field needs a diverse array of talents and skills.  As an aspiring or current practitioner weighing possible career options, consider the following eight cybersecurity roles.[2]

  1. Security administrator - Seniority: Entry-level to midlevel. The security administrator is an operational role overseeing an organization's security on a day-to-day basis and troubleshooting and triaging problems as they arise. Typical tasks might include the following:
  • network scanning;
  • activity monitoring;
  • security tool configuration and support;
  • secure data backup management;
  • user account administration;
  • user privilege management; and
  • security policy implementation, in partnership with governance, risk and compliance teams.

  2. Security operations center analyst - Seniority: Entry-level to senior-level. The security operations center (SOC) analyst role involves uncovering potential cyber attacks by monitoring for unusual digital activity. SOC analysts use traditional log monitoring, as well as more advanced AI-based tools, that alert to suspicious behavior. Many cybersecurity professionals' first jobs are in the SOC, and an entry-level analyst could go on to hold any number of positions in the field.

While junior SOC analysts' responsibilities are operational in nature -- reviewing and processing alerts from security tools to weed out false alarms and escalate potential red flags -- senior SOC analysts shoulder more advanced responsibilities.  These might include the following:

  • handling high-priority security incidents;
  • researching emergent threats and incorporating findings into the monitoring and analysis framework;
  • training and managing junior analysts;
  • researching cybersecurity trends, tools and technologies and making recommendations for adoption; and
  • engaging in threat hunting and threat management.

Regardless of seniority, a SOC analyst needs an eye for detail, the ability to troubleshoot and an interest in threat research.

SOC team roles and responsibilities.  A variety of cybersecurity roles exist within the typical SOC, from entry-level security analysts to senior security architects.

  3. Digital forensic engineer - Seniority: Entry-level to senior-level. As the term suggests, digital or computer forensics involves retroactively investigating confirmed security incidents, such as data breaches. Digital forensic engineers -- also known by titles such as cyber forensic investigators and computer forensic analysts -- seek to uncover and understand the scope of attacks, who perpetrated them and how.

A digital forensic engineer's responsibilities may include the following:

  • gathering and analyzing digital evidence, including log and alert data;
  • recovering and analyzing data from damaged or corrupted devices;
  • documenting the sequence of events that unfolded during a security incident;
  • providing evidence and analysis to legal and law enforcement teams; and
  • offering expert analysis and testimony in judicial proceedings.

To be successful in this role, a digital forensic engineer must have the following:

  • strong problem-solving skills;
  • advanced technical abilities, with expertise in programming, ethical hacking and OSes;
  • an understanding of the legal requirements involved in evidence gathering; and
  • an avid interest in piecing together evidence to make a case.

While many digital forensic engineer, analyst and investigator roles require significant experience, related entry-level positions do exist. In some cases, for example, junior technicians may need only a bachelor's degree and relevant technical skills to get started in digital forensics.

  4. IT auditor - Seniority: Entry-level to senior-level. The IT auditing role involves evaluating an organization's security practices and technological infrastructure to assess the following:
  • security gaps and corresponding business risks;
  • adherence to compliance laws; and
  • efficiency and effectiveness of the overall security deployment.

After assessing an organization's risk profile, an IT auditor makes formal recommendations for improvement to key stakeholders. Other key responsibilities of an IT auditor include developing, implementing and updating the audit framework.  IT auditors need strong interpersonal skills and the ability to build relationships across their organizations; the ability to interpret and implement security frameworks; and an interest in meeting regulatory requirements effectively and efficiently.

  5. Application security engineer - Seniority: Midlevel to senior-level. The application security engineering role focuses on protecting an organization's applications from attackers throughout the software development lifecycle and the application lifecycle. Appsec engineers may work in standalone teams or as integrated members of DevSecOps teams.

An appsec engineering position typically involves the following:

  • identifying and implementing security controls -- including hardware, software, techniques and procedures -- and establishing internal security standards to prevent unauthorized application access;
  • working closely with developers and software architects to ensure they use secure coding practices;
  • implementing application logging, authentication and authorization systems; and
  • creating a framework for assessing the incorporation of third-party code and binaries from public repositories such as GitHub, to ensure they are secure.

Today's appsec engineers may also oversee API security and recommend best security practices for third-party application use.

  6. Network security engineer - Seniority: Midlevel to senior-level. Network security engineers aim to minimize network security vulnerabilities without sacrificing uptime. They need technical skills, the ability to troubleshoot problems as they arise and extensive knowledge of common and emerging cyber threats.

A network security engineer's responsibilities typically include the following:

  • deploying, configuring, managing and testing network security hardware and software -- including routers, firewalls, VPNs and endpoint devices -- to defend against cyber threats;
  • managing network access;
  • monitoring the network for unusual activity;
  • troubleshooting network security issues; and
  • supporting the development of network security policies, processes and designs.

Today's network security engineers may manage infrastructure in traditional on-premises, cloud or hybrid environments.

  7. Penetration tester - Seniority: Midlevel to senior-level. Also known as ethical hackers, pen testers work to proactively uncover enterprises' security vulnerabilities by modeling attacker behavior. Pen testers try to breach networks and systems by exploiting known and unknown technical vulnerabilities and by engaging in social engineering. Their goal is to uncover security weaknesses before malicious hackers do.

Necessary skills include the following:

  • building automated scripts;
  • keeping up with security vulnerabilities disclosed publicly and on the dark web;
  • creating detailed pen test reports identifying exploitable weaknesses; and
  • recommending policy changes and updates to user training methods.

Pen testers may work for dedicated in-house teams or for third-party firms that serve multiple organizations.

  8. Security architect - Seniority: Senior-level. The security architect role oversees the entire security posture of an organization. It includes the following responsibilities:
  • drafting security policies that align with the organization's risk appetite;
  • architecting remediation and mitigation plans in case of cyber attacks; and
  • identifying new security and technology trends to incorporate into the cyber framework.

For security architects who are managers -- leading teams of security engineers -- people and communication skills are also important.

 

[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants?lctg=141970831

[2] https://www.techtarget.com/searchsecurity/tip/Cybersecurity-roles-to-consider
