Activity Summary - Week Ending on 16 February 2023:

  • Red Sky Alliance identified 8,834 connections from new IPs checking in with our Sinkholes
  • NJ-based Reliablesite.net LLC hit 130x (2nd week)
  • Analysts identified 496 ‘new’ IP addresses participating in various Botnets
  • Red Sky Dark Web Collection
  • ESXiArgs-Recover / CISA
  • DDoS Attack Stopped
  • Bipartisan Policy Center
  • Future Ready Strategy

Red Sky Alliance Compromised (C2) IPs

IP               Contacts
185.150.191.81   275
209.141.32.113   81
43.153.118.150   33
209.141.60.62    29
139.59.241.204   25

185.150.191.81 was found in the AbuseIPDB database (second week). This IP was reported 130 times. Confidence of Abuse: 100%; ISP: Reliablesite.net LLC; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): cloud01.3twentysoft.com; Domain Name: reliablesite.net; Country: United States of America; City: Piscataway, New Jersey. https://www.abuseipdb.com/check/185.150.191.81

On 15 February 2023, Red Sky Alliance identified 8,834 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants; Shiz follows.

Red Sky Alliance Malware Activity

Malware Variant   Times Seen
sality            35195
corkow            2295
shiz              691
sykipot           496
betabot           351

For a full blacklist, contact analysts: info@redskyalliance.com


Red Sky Alliance Botnet Tracker

On 15 February 2023, analysts identified 496 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet tracker entries).

First Seen            Botnet Attribution   Infected Host’s IPv4 Address
2023-02-11T12:20:36   HTTP proxy|port:80   8.219.57.86
2023-02-09T19:10:28   HTTP proxy|port:80   8.219.59.74
2023-02-11T11:10:20   HTTP proxy|port:80   8.219.78.50
2023-02-12T19:40:51   HTTP proxy|port:80   8.219.101.230
2023-02-14T11:30:25   HTTP proxy|port:80   8.219.105.24

Red Sky Alliance Dark Web Collection / Last 12 Months

Red Sky Dark Web Data Collection - Dark web data is collected from a variety of pages on the Tor network and their plain-web mirrored counterparts, or from plain-web forums with overlapping intent. Our collection includes forums, ransomware listings, and marketplaces. The data is broad: it contains companies already breached, various login credentials (personal and business), and a variety of software, identification papers, and counterfeit items for sale.

In the past 12 months, our collection focused on Forums 76.31%; Dark Web Market Places 20.05%; and Ransomware sites 3.64%.

This chart lists the top 20 most active marketplace item categories. Stolen digital goods are at the top of the list, while illegal drugs and pornography are high (no pun intended) on the list.

MALICIOUS CYBER TRENDS:

ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.  CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. For more information, see CISA's ESXiArgs Ransomware Virtual Machine Recovery Guidance.[1] [2]

Disclaimer:  CISA’s ESXiArgs script is based on findings published by the third-party researchers mentioned above.  Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it.  This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.  While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system.  CISA does not assume liability for damage caused by this script.

This script is being provided “as is” for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis.  Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Usage:  Download this script and save it as /tmp/recover.sh.  For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh

  • Give the script execute permissions: chmod +x /tmp/recover.sh
  • Navigate to the folder of a virtual machine you would like to decrypt (you may browse these folders by running ls /vmfs/volumes/datastore1). For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example
  • Run ls to view the files. Note the name of the VM (e.g. if there is a file example.vmdk, the name of the VM is example).
  • Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the virtual machine determined in step 4. If the virtual machine is a thin format, run /tmp/recover.sh [name] thin.
  • If successful, the decryptor script will output that it has successfully run. If unsuccessful, this may mean that your virtual machines cannot be recovered.
  • If the script succeeded, the last step is to re-register the virtual machine.
  • If the ESXi web interface is inaccessible, take the following steps to remove the ransom note and restore access (note that taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review).
  • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
  • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html & mv index1.html index.html
  • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
  • In the ESXi web interface, navigate to the Virtual Machines page.
  • If the VM you restored already exists, right click on the VM and select “Unregister”.
  • Select “Create / Register VM”.
  • Select “Register an existing virtual machine”.
  • Click “Select one or more virtual machines, a datastore or a directory” to navigate to the folder of the VM you restored. Select the vmx file in the folder.
  • Select “Next” and “Finish”. You should now be able to use the VM as normal.
  • If needed, the script will save encrypted files in a new encrypted_files folder within each virtual machine’s directory.
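The following helper is an added example, not CISA's recover.sh and not part of the original post. It stages a throw-away directory tree shaped like the paths in the steps above, checks a VM folder for the .vmdk the procedure keys on, and performs the ransom-note archiving step so it can be re-run safely. The staging root (ROOT), the extra `broken` folder and all file contents are constructed assumptions; on a real host ROOT would be empty.

```shell
#!/bin/sh
# Added example (not CISA's recover.sh). Exercises two pieces of the recovery
# procedure against a constructed tree instead of a live ESXi host.

# Report whether <dir> looks like a VM folder recover.sh can work on:
# it must hold <name>.vmdk, the file the procedure uses to identify the VM.
# Prints the suggested command line; returns 1 when the folder is unusable.
esxiargs_preflight() {
    dir="$1"; name="$2"
    [ -d "$dir" ] || { echo "skip: $dir is not a folder"; return 1; }
    [ -f "$dir/$name.vmdk" ] || { echo "skip: $dir has no $name.vmdk"; return 1; }
    # encrypted_files is where the script parks originals when it has run before
    [ -d "$dir/encrypted_files" ] && echo "note: $name already has encrypted_files"
    echo "candidate: /tmp/recover.sh $name   (append 'thin' for a thin-format VM)"
    return 0
}

# Move the ransom note out of the way and put the original index1.html back,
# keeping the note as ransom.html for the incident record. Safe to re-run:
# it refuses to overwrite an existing ransom.html and does nothing once
# index1.html has already been restored.
restore_docroot() {
    docroot="$1"
    [ -f "$docroot/index1.html" ] || { echo "nothing to restore in $docroot"; return 1; }
    if [ -f "$docroot/index.html" ]; then
        [ -e "$docroot/ransom.html" ] && { echo "ransom.html exists; not overwriting"; return 1; }
        mv "$docroot/index.html" "$docroot/ransom.html"
    fi
    mv "$docroot/index1.html" "$docroot/index.html"
    echo "restored $docroot/index.html; ransom note kept as ransom.html"
}

# Constructed staging tree (assumption: mirrors the paths used in the steps).
ROOT="$(mktemp -d)"
DS="$ROOT/vmfs/volumes/datastore1"
DOCROOT="$ROOT/usr/lib/vmware/hostd/docroot"
mkdir -p "$DS/example" "$DS/broken" "$DOCROOT/ui"
: > "$DS/example/example.vmdk"                       # usable VM folder
printf 'ransom note\n' > "$DOCROOT/ui/index.html"     # stand-in ransom page
printf '<html>original ui</html>\n' > "$DOCROOT/ui/index1.html"

esxiargs_preflight "$DS/example" example            # candidate
esxiargs_preflight "$DS/broken" broken || true      # no vmdk: skipped
restore_docroot "$DOCROOT/ui"
```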

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.  All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

GLOBAL TRENDS:   

DDoS Attack Stopped - Internet infrastructure company Cloudflare said that over the weekend it detected and mitigated the largest distributed denial-of-service (DDoS) attack ever recorded.  The 71 million request-per-second (rps) DDoS attack is more than 35% larger than the previously reported record of 46 million rps in June 2022. Such attacks work by flooding targeted websites with junk traffic, making them unreachable.  The newly observed attack was followed by dozens of others that peaked at 50-70 million rps, according to a blog post released on Monday.  The unknown attackers targeted a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms.[3]

Figure 1. The attack spiked to a level of requests-per-second never seen before in a DDoS incident. Image: Cloudflare

The DDoS attacks originated from numerous cloud providers, and Cloudflare has been working with them to crack down on the botnet behind the attack.  “Over the past year, we’ve seen more attacks originate from cloud computing providers,” the company said.  This isn’t the first time Cloudflare has claimed to have stopped “the largest” DDoS attack on record.  The company said that these attacks are getting “bigger, more sophisticated, and more frequent.”

The number of DDoS attacks increased by 79% in 2022, and the number of attacks lasting more than three hours increased by 87%, according to a recent report from Cloudflare.  The hackers behind these attacks are getting smarter, Cloudflare said.  They often choose DDoS extortion attacks over ransomware attacks because it’s cheaper and easier.  “Ransom DDoS attacks don’t require tricking the victim into opening an email or clicking a link, nor do they require a network intrusion or a foothold to be carried out,” Cloudflare said.  Instead, hackers just flood their victims with enough traffic to negatively impact their internet services and ask for a payment to stop the attack.

The Bipartisan Policy Center (BPC) is a Washington, DC-based think tank that promotes bipartisanship. The organization aims to combine ideas from both the Republican and Democratic parties to address challenges in the US.  BPC focuses on issues including health, energy, national security, the economy, housing, immigration, infrastructure, governance, and education.

Bipartisan Policy Center - The top cyber risks of 2023 range from growing geopolitical tensions to insufficient corporate leadership attention and the scarcity of cyber personnel, according to a new report from the Bipartisan Policy Center, a Washington think tank.  This year’s other top cybersecurity risks, according to the report, include technological advancement fueling a cyber arms race; economic uncertainty; lackluster preparation for cyberattacks; a patchwork of regulations; and vulnerable infrastructure.[4]  Cybercriminals this year have already targeted schools and hospitals, as well as high-profile organizations like UK postal service Royal Mail.  Those cyberattacks came after a 2022 that saw cyberattacks out of the war in Ukraine, a flurry of major ransomware attacks and some newer groups, like a group of teenagers who hacked major companies.

The Bipartisan Policy Center report drew on the expertise of a working group made up of state government officials, former federal government leaders, and representatives from civil society groups and corporate giants like Bank of America and Comcast.  Equifax provided support for the project.   I’m moderating a panel today at 10 a.m. Eastern at the Bipartisan Policy Center headquarters to discuss the report.  Until then, here’s a rundown of some of its conclusions.

Offense-oriented Risks:

“Evolving geopolitical environment.”  Rising international conflict and protectionism are driving risk, the center found. Russia’s war in Ukraine is the biggest factor, with the potential for cyberattacks to spill out of the borders of that conflict. But conflicts between China and Western nations, as well as conflict in the Middle East, are other drivers of risk.

“Accelerating cyber arms race.” Decades-old attacks can still be effective, but innovation causes problems for cyberdefense, the report observes.  “Rapid and continual advancements in offensive and defensive capabilities require defenders to keep pace in an environment that disproportionately favors attackers,” it states.  “Advances in artificial intelligence simultaneously offer great opportunity and danger, the democratization of advanced attack techniques, and unprecedented automation/scalability.”

Defense-oriented risks:

“Vulnerable infrastructure.”  Critical infrastructure will always be an attractive target for hackers, the Bipartisan Policy Center noted.  At particular risk are smaller operators who rely on state and local agencies or third-party suppliers.

“Lack of investment, preparedness and resilience.”  Neither governments nor businesses have adequately invested in preparing for disastrous cyberattacks, including ransomware, according to the report.  A lack of preparedness, and reliance on third-party suppliers, also increases the risk of data breaches and loss of confidential information.

Economy-oriented risks:

“Global economic headwinds.”  Stock market volatility, inflation and the chances of a recession stand to affect cyber risk in a number of ways, the report states.  Chief among them is entities putting off cybersecurity to shift money to other priorities, but a recession also could lead investors to avoid putting money into cybersecurity start-ups.

“Lagging corporate governance.”   Large firms have made “modest headway” toward adding cyber expertise to corporate boards and senior leadership, but too many still haven’t, the Bipartisan Policy Center concluded. Small- and medium-sized businesses have a particular lack of expertise. The Securities and Exchange Commission has proposed amendments to its rules that would require public companies to report periodically on management and board of directors’ expertise.  “Overlapping, confusing and subjective regulations.”  “In the United States, and internationally as a consequence of their global nexus, companies navigate the complex patchwork of required cybersecurity, data security, and privacy regulations implemented by national, state, and local authorities, with varying prescriptive requirements,” the report reads.

Governments need to come to conclusions about things like deciding what level of confirmation of a cyberattack triggers requirements for a victim to report it to the government, according to the center. Some critics of strict notification requirements say that swift notification mandates can hamper responses to an incident, or lead to companies passing along useless, unconfirmed information.

“Talent scarcity.”  Fortune 100 companies were less likely last year to report they had sufficient cyber talent — just 1 percent of them did — than in 2020, when 10% said they had enough.  “The influence of COVID-driven educational attainment gaps that have yet to manifest might further contribute to the cybersecurity talent shortage,” the report says.

The Bipartisan Policy Center pointed out some smaller strategic and operational risks, with white-collar cybercrime (such as intellectual property theft) an example of the former and the commercialization of malware (such as dark web hacking kits) an example of the latter.  In its report, the think tank stops short of making recommendations to address the risks.  “We intentionally focused on identifying risks, not solutions, because various stakeholders may need to take different approaches,” the report states. “There are no one-size-fits-all fixes. Rather, these top risks must be considered individually by companies and collectively by the nation.”

Future Ready Strategy - A guest opinion by Joanne Wong, Vice President International Marketing – APJ and EMEA at LogRhythm: Ransomware attacks have been a constant focus for IT security teams for years; however, the number of attacks experienced by organizations around the world continues to climb.[5]

Research shows that, during 2022, a ransomware attack was recorded every 11 seconds.  This resulted in a global annual cost to business of $US20 billion and the number is continuing to rise.  For all organizations, it is a matter of ‘when’ rather than ‘if’ they will fall victim to an attack.

Overlapping fields of visibility - To address this ongoing challenge, organizations need to increase their ability to monitor for and identify potential security threats before they can cause disruption and damage.  One of the most successful ways of achieving this is through the adoption of what is known as the ‘security operations center (SOC) visibility triad’.

This approach comprises three elements: a security information and event management (SIEM) platform, network detection and response (NDR) tools, and endpoint detection and response (EDR) capabilities.  Together these components provide a security team with overlapping fields of visibility.  They maximize the chances that threats will be identified early, thus allowing preventative steps to be taken that significantly reduce the chances of a successful attack.

The role of the SOC - One of the most important roles of a SIEM is to undertake constant log monitoring across an organization’s IT environment.  This can spot suspicious traffic in multiple areas, from operating systems to networks and applications, and alert security teams as quickly as possible.  A well-resourced SOC can also assist when it comes to effective network monitoring.  Because many attacks tend to begin at the network layer, being able to spot them in early stages is critical.  Here, machine-learning tools can also help as they are able to spot potentially anomalous behavior on a network and flag it for closer inspection.  This means security teams can focus their time and resources on potentially serious events rather than having to constantly watch large volumes of traffic.

As a third element, a SOC should help an organization achieve effective monitoring of all endpoints on its network.  This will allow strong and graduated containment of threats and their eradication from devices before they can cause harm.  Because endpoint monitoring tools are installed on devices, they are able to monitor and report back on every activity on that device, even when it has been running in offline mode.  This is particularly important when a workforce is distributed, and users may not always be connected to the central network.

Undertaking a monitoring strategy - When beginning to design and deploy an effective security monitoring strategy, an organization’s security team needs to be aware of what has become known as the three ‘Ps’: process, people, and partners.  The process element involves carefully considering exactly how the alerts generated by monitoring tools will be handled and actioned.  There is no use in monitoring in the first place if the team is not equipped to respond quickly and effectively.

To achieve this, organizations should look at established frameworks such as NIST and ITIL which document the most effective ways to create processes that will deliver the most value.  The second element is people and this involves assigning staff members within the security team to undertake specific monitoring roles.  These include triaging initial alerts to identify those which are most important.

A second group should then be responsible for conducting detailed investigations to determine what response is required before handing over the most concerning to a third group that undertakes appropriate remediation steps.  The third part in a monitoring strategy is partners.  Organizations need to realize that there is no single silver bullet that can achieve effective monitoring and so components will need to be sourced from multiple vendors.  Security teams need to focus on how these individual components can be best integrated to create the most effective monitoring infrastructure possible.

An ongoing challenge - It needs to be recognized that an effective security monitoring strategy will require continual evolution.  The threat landscape is constantly changing, and so the techniques used to spot and mitigate attacks must also continually shift.  By being aware of this, and making use of the best possible tools and strategies, security teams will be well placed to protect their organization both from current threats and from those that will appear in the months and years ahead.

[1] https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

[2] https://github.com/cisagov/ESXiArgs-Recover

[3] https://therecord.media/cloudflare-says-it-stopped-largest-ddos-attack-on-record/

[4] https://www.washingtonpost.com/politics/2023/02/13/top-cyber-risks-watch-out-2023/

[5] https://itwire.com/guest-articles/guest-opinion/how-to-build-a-%E2%80%98future-ready%E2%80%99-security-monitoring-strategy.html
