Activity Summary - Week Ending on 30 March 2023:

  • Red Sky Alliance identified 30,240 connections from new IPs checking in with our Sinkholes
  • SmartMediaNetwork in Ukraine hit 197x
  • 63 ‘new’ botnet hits
  • SVB Financial Scams
  • Fiatusdt
  • Czech Republic - General Bytes
  • TA406 and Thallium
  • Latitude Financial

Red Sky Alliance Malware Activity

IP                 Contacts
194.38.23.179      72
173.249.56.171     51
194.113.235.169    48
109.237.98.235     40
79.124.49.10       39

194.38.23.179 was reported 197 times on AbuseIPDB.  Confidence of Abuse: 100%;  ISP: LLC SmartMediaNetwork;  Usage Type: Data Center/Web Hosting/Transit;  Hostname(s): free.ntup.net;  Domain Name: smartmedianetwork.com.ua;  Country: Ukraine;  City: Dnipro, Dnipropetrovska oblast.
https://www.abuseipdb.com/check/194.38.23.179

Red Sky Alliance Compromised (C2) IPs

On 29 March 2023, Red Sky Alliance identified 30,240 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant    Times Seen
sality             27152
corkow             1807
sykipot            519
shiz               376
maudi              302

Top 5 malware variants and number of contacts.  Sality and Corkow have consistently remained the top variants; Sykipot follows.

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 29 March 2023, analysts identified 63 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sampling of botnet trackers).  We are currently upgrading this collection.

First Seen             Botnet Attribution          Infected Host’s IPv4 Address
2023-03-22T04:04:36    SOCKS5 proxy|port: 1081     1.84.219.135
2023-03-24T16:08:06    SOCKS5 proxy|port: 14880    18.156.174.21
2023-03-24T19:03:55    SOCKS4 proxy|port: 8004     27.156.212.86
2023-03-24T22:02:47    SOCKS5 proxy|port: 8000     35.222.120.139
2023-03-22T19:05:10    SOCKS4 proxy|port: 1080     45.63.64.66

Red Sky Alliance Daily Indicator Type / Bank Scams

Examples of our CTAC ‘bank’ hits (screenshots):

SVB Scams - Big news events and major crises usually trigger an avalanche of follow-on phishing attempts.  The COVID-19 pandemic and Russia’s invasion of Ukraine are perhaps the most obvious examples, but the most recent one is the collapse of Silicon Valley Bank (SVB).  The mid-sized US lender and a key financer of tech start-ups held tens of billions of dollars’ worth of assets when it went bust last week after succumbing to a bank run.  Although the US government stepped in days later to guarantee customers would be able to access their money, the damage was done and even if you or your business was not affected by the bank’s meltdown, you could still be at risk of cybercrime that exploits such events for nefarious gains.

Ambulance-chasing phishing and business email compromise (BEC) attempts are already hitting inboxes across the globe.  Once you’ve weathered the storm, there are plenty of takeaways that can be used to build a more resilient security awareness program going forward.[1]

The SVB scams so far:  There is nothing new in scammers piggy-backing on news events to improve their success rates.  But the SVB case has several ingredients that make it arguably a more attractive lure than the norm. These include:

  • The fact that there’s lots of money at stake: SVB had an estimated US$200 billion in assets when it went bust.
  • Extreme anxiety from corporate customers worried about how to pay the bills if they can’t access their assets, and of individuals concerned about whether they’d get paid.
  • Confusion over exactly how customers can get in touch with the failed lender.
  • The fact that the collapse came after the fall of Signature Bank, sparking even more anxiety about the whereabouts of funds and the health of the financial system.
  • SVB’s global reach – including a UK arm and various affiliated businesses and offices across Europe. This expands the pool of potential scam victims.
  • The BEC angle: as many SVB corporate customers will be informing their partners of bank account changes, it offers the perfect opportunity for fraudsters to step in first with their own details.

When something like this happens, it’s not unusual to see multiple domains registered by firms looking to offer legitimate loans or legal services to the ailing bank’s customers.  It can be difficult to distinguish the authentic registrations from those made for nefarious ends.  There is a long list of newly-registered lookalike domains that may be used to deceive people in the future.
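Triaging a feed of newly registered domains against a brand is the practical counterpart to the lookalike-domain problem described above.  The Python below is an added example, not Red Sky Alliance tooling: the protected brand list, the homoglyph table, the length cut-off for the typosquat check and the sample domain feed are all constructed assumptions, and the output is a list for a human to review rather than a verdict.

```python
"""Triage newly registered domains that resemble a protected brand.

Added example, not Red Sky Alliance code. The brand list, the homoglyph table,
the length cut-off for typosquat checks and the sample domains are assumptions
constructed for illustration.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Genuine domains we want to protect (assumed list).
PROTECTED = ("svb.com", "circle.com")

# Visual substitutions commonly seen in lookalike registrations (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def sld(domain: str) -> str:
    """Second-level label: 'svb-claims' for 'svb-claims.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold accented Latin characters to ASCII and undo the homoglyph tricks."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for lookalike, real in HOMOGLYPHS.items():
        folded = folded.replace(lookalike, real)
    return folded


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str) -> Optional[str]:
    """Return why a domain is suspicious, or None if it does not resemble a brand."""
    domain = domain.lower().rstrip(".")
    if domain in PROTECTED:
        return None
    raw = sld(domain)
    # Internationalised labels cannot be compared reliably by eye; always review them.
    if raw.startswith("xn--") or not raw.isascii():
        return "IDN label (possible homoglyph)"
    norm = normalize(raw)
    tokens = [t for t in re.split(r"[-\d]+", norm) if t]
    for brand in PROTECTED:
        b = sld(brand)
        if raw == b:
            return f"TLD swap of {brand}"
        if norm == b:
            return f"homoglyph of {brand}"
        # Edit-distance checks are too noisy for very short brand labels.
        if len(b) >= 5 and osa_distance(norm, b) == 1:
            return f"typosquat of {brand}"
        if b in tokens or norm.startswith(b) or norm.endswith(b):
            return f"combosquat on {brand}"
    return None


def triage(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every domain worth a human look."""
    return [(d, r) for d in domains if (r := classify(d)) is not None]


# Constructed sample of "newly registered" domains; none of these are from the report.
SAMPLE_FEED = [
    "svb.com", "svb.net", "5vb.com", "svb-claims.com", "cirlce.com",
    "circ1e-usdc-refund.com", "example.org",
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_FEED):
        print(f"{domain:28} {reason}")
```

IDN labels go straight to review because ASCII folding cannot compare them safely, and very short brand labels skip the edit-distance test because almost any three-letter string is within one edit of another.  Feed it the daily output of a certificate-transparency or zone-file monitor and the flagged rows become the candidates for takedown requests or mail-gateway blocks.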

SVB phishing attempts - As always, phishing attempts focus on classic social engineering techniques such as:

  • Using a breaking news story to lure the recipient in.
  • Spoofing SVB or other brands to gain recipient trust.
  • Creating a sense of urgency to force recipients to act without thinking – not hard given the circumstances surrounding the collapse.
  • Including malicious links/attachments to harvest information or steal funds.

Some phishing attempts have focused on stealing the details of SVB customers, possibly to either sell on the dark web or to create a phishing list of targets to hit with future scams.  Others have embedded more sophisticated methods of stealing cash from victims.  One effort uses a fake reward program from SVB claiming all holders of stablecoin USDC will get their money back if they click through.  However, the QR code the victim is taken to will compromise their cryptocurrency wallet account.  A separate lure with the same QR-related crypto-stealing end goal used an announcement by USDC issuer Circle as its starting point.  The firm said USDC would be redeemable 1:1 with the dollar, prompting the creation of new phishing sites with a Circle USDC claims page.

SVB BEC threats - As mentioned, this news event is also slightly unusual in providing the perfect conditions for BEC attacks to flourish.  Finance teams are going to be legitimately approached by suppliers that previously banked with SVB and that have now switched financial institutions.  As a result, they’ll need to update their account details. Attackers could use this confusion to do the same, impersonating suppliers with modified account payee details.

Some of these attacks may be sent from spoofed domains, but others may be more convincing, with emails that have been sent from legitimate but hijacked supplier email accounts.  Organizations without sufficient fraud checks in place could end up mistakenly sending money to scammers.

How to avoid SVB and similar scams - Phishing and BEC are increasingly common.  The FBI Internet Crime Report 2022 details over 300,000 phishing victims last year, cementing its status as the most popular cybercrime type of all.  And BEC made scammers over US$2.7bn in 2022, making it the second highest-grossing category.  Consider the following to stay safe from the scammers:

  • Be cautious about unsolicited messages received by email, SMS, social media etc. Try to independently verify them with the sender before deciding whether to reply.
  • Don’t download anything from an unsolicited message, click on any links or hand over any sensitive personal information.
  • Look for grammatical mistakes, typos etc. that can indicate a spoofed message.
  • Hover over the email sender’s display name – does it look authentic?
  • Switch on two-factor authentication (2FA) for all online accounts.
  • Use strong and unique passwords for all accounts, ideally stored in a password manager.
  • Regularly patch or switch on automatic updates for all devices.
  • Report anything suspicious to the corporate security team.
  • Importantly, ensure you have up-to-date security software on all your devices from a reputable provider.

For BEC specifically:

  • Check with a colleague before changing account details/approving payments for new accounts.
  • Double check any requests for account updates with the requesting organization: don’t reply to their email, verify independently from your records.

From a corporate IT security perspective:

  • Run continuous, regular phishing training exercises for all staff, including simulations of currently trending attacks.
  • Consider gamification techniques which may help reinforce good behaviors.
  • Build BEC into staff security awareness training.
  • Invest in advanced email security solutions that include anti-spam, anti-phishing and host server protection, and that stop threats from even reaching their targets.
  • Update payment processes so that large wire transfers must be signed off by multiple employees.
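The BEC controls above can be encoded as a hold/release gate in the accounts-payable workflow.  The Python below is an added example, not the report's or any vendor's code: the vendor record, the change request, the control codes and the USD 25,000 dual-approval threshold are constructed assumptions.  It deliberately requires a callback to the number on file whenever the bank account changes because, as the text notes, a request sent from a hijacked but genuine supplier mailbox passes every domain-based check.

```python
"""Hold supplier bank-detail changes until the controls the report lists are met.

Added example, not Red Sky Alliance code. The vendor record, the change
request, the control codes and the USD 25,000 dual-approval threshold are all
constructed assumptions standing in for an AP team's real master data and policy.
"""
from dataclasses import dataclass
from typing import List

DUAL_APPROVAL_THRESHOLD_USD = 25_000  # assumed policy value


@dataclass(frozen=True)
class VendorOnFile:
    vendor_id: str
    email_domain: str    # domain the supplier used at onboarding
    account_number: str  # bank account currently on file
    callback_phone: str  # number verified at onboarding, never taken from an email


@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    sender_email: str
    new_account_number: str
    phone_given_in_email: str  # the number the email asks us to confirm with
    pending_payment_usd: float


def required_controls(vendor: VendorOnFile, req: ChangeRequest) -> List[str]:
    """Controls that must be satisfied before the change or payment is released."""
    if req.vendor_id != vendor.vendor_id:
        raise ValueError("request and master record refer to different vendors")
    controls: List[str] = []

    if req.new_account_number != vendor.account_number:
        # Verify with the number on file. A hijacked but genuine supplier mailbox
        # passes every email-based check, so the callback is unconditional.
        controls.append("CALLBACK_TO_NUMBER_ON_FILE")
        controls.append("SECOND_PERSON_REVIEW")
        if req.phone_given_in_email != vendor.callback_phone:
            controls.append("IGNORE_CONTACT_DETAILS_IN_EMAIL")

    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        controls.append("SENDER_DOMAIN_MISMATCH")

    if req.pending_payment_usd >= DUAL_APPROVAL_THRESHOLD_USD:
        controls.append("DUAL_APPROVAL")
    return controls


def decision(vendor: VendorOnFile, req: ChangeRequest) -> str:
    """'release' only when no control is outstanding, otherwise 'hold'."""
    return "hold" if required_controls(vendor, req) else "release"


# Constructed sample data.
ACME = VendorOnFile("V-1001", "acme-widgets.example", "11112222", "+1-555-0100")

# Case 1: mail from the supplier's real (possibly hijacked) domain asking to
# switch banks after leaving SVB, with a large payment due.
HIJACKED_MAILBOX = ChangeRequest("V-1001", "ap@acme-widgets.example", "99998888",
                                 "+1-555-0199", 48_000)
# Case 2: a lookalike domain making the same request for a smaller payment.
SPOOFED_DOMAIN = ChangeRequest("V-1001", "ap@acme-widgets-billing.example", "99998888",
                               "+1-555-0199", 4_800)
# Case 3: routine invoice, nothing changed, under the threshold.
ROUTINE = ChangeRequest("V-1001", "ap@acme-widgets.example", "11112222",
                        "+1-555-0100", 900)

if __name__ == "__main__":
    for name, req in [("hijacked mailbox", HIJACKED_MAILBOX),
                      ("spoofed domain", SPOOFED_DOMAIN), ("routine", ROUTINE)]:
        print(f"{name:17} {decision(ACME, req):8} {required_controls(ACME, req)}")
```

The two fraud cases produce different control sets but the same outcome (hold), which is the point: the gate is driven by what changed in master data and by the payment size, not by how convincing the email looks.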

We all need to be on the lookout for unexpected emails or calls, mainly those coming from a bank and requiring urgent action.  Never click a link and input your banking login credentials nor give them over the phone at any time.  To access your banking information, use your bank’s official website.

MALICIOUS CYBER TRENDS:

Fiatusdt - Website Planet recently discovered an exposed database belonging to the online currency exchange platform Fiatusdt.  The server was exposed to the public without any password or other authentication, allowing access to tens of thousands of passport and ID card copies.  The database contained cryptocurrency sales records, including customer names, bank account numbers, purchase and sales records, and other sensitive information.

Online currency exchanges are internet-based platforms that facilitate the transfer of currencies for distribution in a stable, centralized setting between countries or companies.  Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.  Among the exposed information were Know Your Customer (KYC) compliance records and identification images, which were particularly concerning as they contained sensitive information that proved the identity of customers.

Fowler reported having viewed as many as 20,000 passport and identity card images. The customer ID documents appeared to belong to individuals from all over the world, including the following countries:

  • Oman
  • China
  • India
  • Malaysia
  • Australia
  • Indonesia
  • Singapore and others.

According to Website Planet’s blog post, it is still unclear how many users were affected by the data leak since the total number of records could not be seen, and whether or not the exposed records were accessed by anyone before being discovered.

Figure: Publicly leaked folders and one of the ID cards (Image credit: Website Planet)

The database also contained screenshots of deposit and withdrawal amounts, which exposed bank transfer records identifying customer names, account numbers, email addresses, phone numbers, and other sensitive information.  Additionally, transaction IDs and wallet addresses for transactions were present in the database.

This database was exposed because of a misconfigured AWS storage name and address that allowed public access, leaving the database open to anyone with an internet connection.  The company was notified of the breach through a responsible disclosure notice, and public access to the database was subsequently closed.
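Whether a bucket policy or ACL grants anonymous access can be checked offline from the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return.  The Python below is an added example, not Website Planet's or Fiatusdt's material: the report says only that misconfigured AWS storage allowed public access, so the code assumes the storage was an S3 bucket, and the bucket name, account id and both policy documents are constructed.  It also checks the S3 Block Public Access settings, which are the standard account-level guard against this class of misconfiguration.

```python
"""Find anonymous-access grants in an S3 bucket policy and ACL, offline.

Added example, not Website Planet's or Fiatusdt's material. The report only
says a misconfigured AWS storage allowed public access; this assumes the
storage was an S3 bucket and checks the policy and ACL documents that
`aws s3api get-bucket-policy` / `get-bucket-acl` return. The bucket name,
account id and both policies below are constructed.
"""
import json
from typing import Any, Dict, List

# Pre-defined S3 groups that include anonymous or any-account callers.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def principal_is_public(principal: Any) -> bool:
    """'*' or {'AWS': '*'} both mean every caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_policy_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Allow statements whose principal is everyone, with their actions."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action", [])),
            # A Condition block may narrow '*' (e.g. to a VPC endpoint); flag for review.
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_acl_permissions(acl: Dict[str, Any]) -> List[str]:
    """Permissions granted to AllUsers or AuthenticatedUsers through the bucket ACL."""
    return [
        g["Permission"] for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def block_public_access_complete(cfg: Dict[str, bool]) -> bool:
    """True when all four S3 Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


# Constructed: the kind of policy that lets anyone list the "folders" and fetch
# every object, which matches the exposure the report describes.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-kyc-uploads", "arn:aws:s3:::example-kyc-uploads/*"],
    }],
})

# Constructed: the same bucket restricted to one application role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-processor"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-kyc-uploads/*",
    }],
})

# Constructed: an ACL granting read to the AllUsers group.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                            "Permission": "READ"}]}

if __name__ == "__main__":
    print("exposed policy :", public_policy_statements(EXPOSED_POLICY))
    print("hardened policy:", public_policy_statements(HARDENED_POLICY))
    print("ACL grants     :", public_acl_permissions(EXPOSED_ACL))
```

The `s3:ListBucket` grant to `*` is what lets an anonymous visitor enumerate the folders shown in the screenshot above; `s3:GetObject` then hands over each ID image.  With all four Block Public Access settings enabled, S3 rejects a policy like `EXPOSED_POLICY` when it is put and ignores public ACL grants, so the check on the account-level configuration is the one to run first.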

GLOBAL TRENDS:   

Czech Republic - On 17 March, General Bytes, a major manufacturer of cryptocurrency automated teller machines (ATMs), experienced a security incident that resulted in the theft of over $1.5 million worth of Bitcoin.  The incident was first reported by General Bytes on their official Twitter account on 18 March.  The same day the company explained, “We released a statement urging customers to take immediate action to protect their personal information.  We urge all our customers to take immediate action to protect their funds and personal information and carefully read the security bulletin.”

According to the company’s security bulletin, an attacker was able to remotely upload a Java application using the master service interface, which allowed access to BATM user privileges, the database, and API keys used to access funds in hot wallets and exchanges.  As a result, the hacker was able to download usernames, access password hashes, turn off two-factor authentication, and send funds from hot wallets.

General Bytes has produced 9,505 ATMs globally, thousands of which are located in the US.  Following the attack, all US operators using General Bytes machines were shut down, and the servers will have to be rebuilt from scratch.  General Bytes is reportedly transitioning crypto ATM operators to self-hosted servers after discontinuing its cloud service.  This process can be time-consuming, and it is likely that some operators will be offline for an extended period.

Figure 1. Cryptocurrency ATM Manufacturer General Bytes Suffers $1.5 Million Bitcoin Theft

The hacker was able to steal 56.28 bitcoin, worth around $1.5 million, and liquidated other cryptocurrencies, including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The bitcoin address holding the stolen funds has not moved since 18 March and some digital currencies were transferred to different locations, including a decentralized exchange platform.  The company has disclosed the wallet addresses and three IP addresses used by the attacker in the hack.  However, some sources have indicated that the company’s full node is secure enough to prevent unauthorized access to funds.  If you or someone you know has been affected by this incident, follow the solution detailed in General Bytes’ security bulletin, which can also be found in Figure 1.

A user on Twitter expressed a similar view, stating that the attack was likely conducted by an individual familiar with the cryptocurrency ATM industry.  “This was made by somebody that knows the system very well, a crypto ATM company/ rogue employee that owns GB ATMs. Is not like a hacker go with a USB stick and plugs it into the ATM and uploads the attack,” they said.  Nonetheless, the breach highlights the need for increased security measures in the cryptocurrency industry to prevent future attacks.

North Korea - German and South Korean government agencies this week warned about a new spear phishing campaign by a notorious North Korean group targeting experts on the Korean peninsula.  The campaign gains access to victims’ Google accounts through two attack methods: the infection of Android phones through a malicious app on Google Play, and the use of a malicious Chromium web browser extension.  The advanced persistent threat (APT) group, whose many names include Kimsuky, TA406 and Thallium, has been in operation since 2012, largely targeting diplomats, non-governmental organizations, think tanks, and experts on issues related to the Korean peninsula.[2]

The advisory, released on 20 March by Germany’s Constitutional Protection Agency and the Republic of Korea’s National Intelligence Service, describes a highly targeted campaign focusing on familiar victims.  “The National Intelligence Service and the Constitutional Protection Agency believe that the hacking attack described above is mainly targeting experts on the Korean Peninsula and North Korea, but since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world as well as unspecified people,” they wrote.

As they have in previous campaigns, Kimsuky used spear phishing attacks to gain initial access “by impersonating portal administrators and acquaintances.”  In some cases, the emails induced an installation of a malicious extension on Chromium-based browsers, which was automatically enabled.  When the victims open Gmail, the program steals the person’s emails, which are sent to a server belonging to the attackers.

In another attack, Kimsuky actors add a malicious app to Google Play Console for “internal testing” and give a targeted person permission to access it.  After obtaining the victim’s login credentials in a spear phishing attack, they download the app through the victim’s account, and it is then synced to the victim’s Android smartphone.  According to the advisory, the actors stole both emails and data stored in the cloud.

An October 2020 alert on the group from the US Cybersecurity and Infrastructure Security Agency (CISA) described Kimsuky as “likely tasked by the North Korean regime with a global intelligence gathering mission.”  In some cases, hackers posed as South Korean reporters to gain access to targets.

Russia - The Russian government recently added a wide range of Western messaging apps to its Register of Prohibited Sites, including Snapchat, WhatsApp, Discord, Skype for Business, Microsoft Teams, and Telegram.  This begs the question: why?  In addition, the European encrypted messaging apps Viber and Threema, as well as the Chinese communication app WeChat, have also been banned.[3]  According to a memo posted by a well-known online library of hacked materials, such as source code and malware, the Russian Federation has banned all Western social media and online messaging applications.

The complete list of banned apps includes the following:

  • Viber
  • Discord
  • WeChat
  • Snapchat
  • Telegram
  • Threema
  • WhatsApp
  • Microsoft Teams
  • Skype for Business

The government has devised a new law on Information, Information Technologies, and Information Protection to ban these applications, which was formally implemented yesterday.  The law is part of the Federal Service for Supervision of Communications, Information Technology, and Mass Media, aka Roskomnadzor (RKN).  Article 8-10 of the new law applies to government agencies and organizations and establishes a ban for several Russian organizations on using Western foreign messaging apps.

In a statement, Roskomnadzor said, “The law establishes a ban for a number of Russian organizations on the use of foreign messengers (information systems and computer programs owned by foreign persons that are designed and (or) used for exchanging messages exclusively between their users, in which the sender determines the recipients of messages and does not provide for placement by internet users publicly available information on the internet).”

Zoom and Signal have not been added to the list, but they may be added to the Russian government’s infamous register sometime later.  These restrictions are placed on government officials to minimize the possibility of sensitive data landing in the wrong hands, particularly to Ukraine’s allies.  Or this could be part of a wider crackdown against foreign tech services in Russia.  Interestingly, Telegram is also part of this block list, even though it is owned by Russian millionaire Pavel Durov. This app is popular in Ukraine and in the western regions, which could be a reason for its blacklisting. App and site owners can file an appeal within a month before they are placed on the Register of Prohibited Sites; however, the appeal may be denied.

In 2018, the Russian administration formally banned Telegram, 50+ VPNs and anonymizers in the country and has already blocked hundreds of Western social networking platforms, such as Instagram and Facebook, as well as news platforms. There has also been a crackdown against the use of the Tor browser and VPNs.

Australia - Latitude Financial disclosed on 16 March that more than 330,000 personal records had been impacted by a cyber-attack, but days later the company warned that the breach could widen.  In a statement released on 27 March, Latitude Financial confirmed that 7.9 million Australian and New Zealand driver’s licences, 53,000 passport numbers and fewer than 100 monthly financial statements had been stolen in the attack.  Latitude also confirmed that 6.1 million customer records provided before 2013 were compromised in the hack, including some dating back to 2005.[4]

Some believe Latitude Financial’s disclosure that a third-party system was the hack’s gateway has parallels with Medibank’s cyber-attack last year, which impacted 9.7 million customers.  Whether Optus or Medibank, experts say it is all about money.  Millions of Australians have had a bad run with their personal data lately.  With all this going on, you might be left wondering what exactly the hackers are doing with your data and how it could affect you.  "Medibank has recently released some information about how they were hacked, and it seems that it was a credential, an internal Medibank credential that was stolen through a third-party provider," a professor said.  "This seems alarmingly similar to the way that Latitude is so far indicating that it was breached."  Latitude Finance is the fourth major Australian company in recent months to have been affected by hackers, following Optus, Medibank and the Good Guys Concierge loyalty program, whose customers had their data stolen in the last year.

Some Latitude Financial customers are complaining that the institution is not doing enough to mitigate the cyber incident.[5]   Many believe they are on their own with safeguarding their personal information that is now floating around the Dark Web.

[1] https://www.welivesecurity.com/2023/03/17/svb-collapse-scammers-dream-dont-get-caught-out/

[2] https://therecord.media/north-korea-apt-kimsuky-attacks/

[3] https://www.hackread.com/russia-bans-whatsapp-telegram-others/

[4] https://www.abc.net.au/news/2023-03-28/latitude-financial-customers-frustrated-lack-of-communication/102151166

[5] https://9now.nine.com.au/a-current-affair/aussie-customer-calls-response-to-latitude-finance-cyber-attack-unacceptable/0b5c67f3-014e-499a-86a5-32e47a538dcc
