Activity Summary - Week Ending on 13 April 2023:

  • Red Sky Alliance identified 26,928 connections from new IPs checking in with our sinkholes
  • FiberXpress[.]net in the Netherlands hit 16,726x
  • 114 ‘new’ botnet hits
  • 334 Million + Source Code Secrets
  • Rorschach Ransomware
  • Don’t Plug In
  • ZTA
  • Evotec
  • Complacency in Ireland

 

Red Sky Alliance Compromised (C2) IPs

IP                 Contacts
89.248.165.204     81
185.215.180.76     73
194.26.135.17      60
79.124.59.162      54
176.111.173.153    42

89.248.165.204 has been reported 16,726 times on AbuseIPDB (Confidence of Abuse: 100%). ISP: FiberXpress BV; Usage Type: Fixed Line ISP; Hostname(s): recyber.net; Domain Name: fiberxpress.net; Country: Netherlands; City: Amsterdam, Noord-Holland.
https://www.abuseipdb.com/check/89.248.165.204

 

On 12 April 2023, Red Sky Alliance identified 26,928 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant    Times Seen
sality             23844
corkow             1674
sykipot            386
shiz               322
maudi              243

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants, with Sykipot following.

 Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

 

Red Sky Alliance Botnet Tracker

On 12 April 2023, analysts identified 114 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet trackers). We are currently upgrading this collection.

First Seen             Botnet Attribution          Infected Host’s IPv4 Address
2023-04-07T19:08:26    SOCKS4 proxy|port: 4153     1.9.27.212
2023-04-06T16:01:11    SOCKS4 proxy|port: 3629     5.165.2.223
2023-04-06T19:07:09    SOCKS5 proxy|port: 443      8.219.40.224
2023-04-06T16:01:11    HTTP proxy|port: 83         14.192.3.161
2023-04-06T13:09:02    SOCKS5 proxy|port: 7631     20.25.153.180

 

Red Sky Alliance Source Code Secrets / Last 4 Months

Source Code Secrets – Red Sky Alliance analysts collect, daily, authentication keys, usernames and passwords, and API keys from open sources where users have failed to properly configure their GitHub, GitLab or Bitbucket repositories.

MALICIOUS CYBER TRENDS:

Rorschach ransomware combines a fast encryption scheme with the ability to spread automatically across a domain if it is executed on a domain controller. Check Point Research has published details of this previously undocumented ransomware, which it regards as the fastest ransomware discovered so far, with evasion techniques that had not been seen before. Researchers noted that an unnamed US-based organization is among Rorschach’s victims. New strains keep emerging as ransomware attacks increase and operators develop new evasion techniques; researchers recently also discovered a new ransomware strain called Cylance that targets both Linux and Windows devices.[1]

Highly Effective, Evasive, and Fast-Encrypting Ransomware. A distinctive feature of Rorschach is its fast hybrid-cryptography scheme, which makes it the fastest ransomware observed to date, faster even than LockBit. Calling it a speed demon, Check Point researchers wrote that in a controlled encryption speed test the ransomware encrypted 220,000 files in four and a half minutes; LockBit took seven minutes for the same number of files.

Rorschach is also highly configurable and equipped with novel functionality that sets it apart from other ransomware strains. It features a “high level of customization” and has “technically unique features that have not been seen before in ransomware,” Check Point’s researchers explained in their report. “In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.” The ransomware also carries safeguards against analysis and defence mechanisms, which it achieves via direct system calls; these bypass the user-mode hooks that security products place on Windows API functions. Direct system calls had been seen in other malware families but not, until now, in ransomware.

Is Rorschach Linked with another Ransomware? Although it appears to be inspired by several other ransomware families, Rorschach is neither linked to any known malware family nor affiliated with a known ransomware group. Researchers did, however, observe similarities between the Rorschach and Babuk ransomware source code; Babuk’s source code was leaked in September 2021. The ransom notes used in Rorschach campaigns are modelled on those of DarkSide and Yanluowang.

Ransom note (Image: Checkpoint)

How is Rorschach Executed? Execution relies mainly on three files. First, the Cortex XDR Dump Service Tool (cy.exe), a legitimate signed Palo Alto Networks binary, is executed; it side-loads winutils.dll, which acts as loader and injector. The DLL then loads the ransomware payload (config.ini) into memory and injects it into notepad.exe. Rorschach then spawns several child processes, with falsified command-line arguments, to stop selected processes, clear Windows event logs, delete shadow copies and volumes, and disable the Windows firewall.

Infection chain of Rorschach ransomware (Image: Checkpoint)

When the ransomware is executed on a domain controller, it creates a Group Policy that deploys it to the other machines in that domain. It also checks the language of the infected device and exits if a language from a CIS country, e.g., Russian, is detected.
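As an added illustration, not code from this page or from Check Point, the following Python turns the execution chain described above into detection logic over constructed Sysmon-style events: cy.exe loading winutils.dll from outside its install directory, cy.exe opening a remote thread in notepad.exe, and child processes that delete shadow copies, clear event logs, disable the firewall or kill processes. The sample events, host names, process IDs and the assumed legitimate Cortex XDR install directory are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed install directory of the legitimate Cortex XDR agent (an assumption for this
# example; adjust to the path your agent actually uses).
LEGIT_CY_DIR = r"c:\program files\palo alto networks\traps"

# Child-process command lines matching the defence-impairment steps the page describes:
# deleting shadow copies, clearing event logs, disabling the firewall, killing processes.
IMPAIRMENT = [
    ("shadow_delete", re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("log_clear",     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("firewall_off",  re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("process_kill",  re.compile(r"\btaskkill(\.exe)?\b.*/(f|im)\b", re.I)),
]

# Constructed Sysmon-style telemetry (event id 1 = process create, 7 = image load,
# 8 = remote thread). Hosts, paths and pids are made up for the example.
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EVENTS = [
    {"host": "ws01", "id": 1, "pid": 4100, "image": r"C:\Users\bob\Downloads\cy.exe",
     "cmdline": "cy.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "id": 7, "pid": 4100, "image": r"C:\Users\bob\Downloads\cy.exe",
     "loaded": r"C:\Users\bob\Downloads\winutils.dll", "signed": False},
    {"host": "ws01", "id": 8, "pid": 4100, "source": r"C:\Users\bob\Downloads\cy.exe", "target": NOTEPAD},
    {"host": "ws01", "id": 1, "pid": 4212, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": NOTEPAD},
    {"host": "ws01", "id": 1, "pid": 4213, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security", "parent": NOTEPAD},
    {"host": "ws01", "id": 1, "pid": 4214, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off", "parent": NOTEPAD},
    {"host": "ws01", "id": 1, "pid": 4215, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /f /im sqlservr.exe", "parent": NOTEPAD},
    # Benign: the agent loading a signed DLL from its own install directory.
    {"host": "ws02", "id": 7, "pid": 900, "image": r"C:\Program Files\Palo Alto Networks\Traps\cy.exe",
     "loaded": r"C:\Program Files\Palo Alto Networks\Traps\winutils.dll", "signed": True},
    {"host": "ws02", "id": 1, "pid": 901, "image": NOTEPAD, "cmdline": "notepad.exe readme.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def _norm(path):
    return path.replace("/", "\\").lower()


def basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def dirname(path):
    p = _norm(path)
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def detect(events):
    """Return (host, rule, pid, detail) tuples for events matching the Rorschach chain."""
    findings = []
    for ev in events:
        if ev["id"] == 7 and basename(ev["image"]) == "cy.exe" and basename(ev["loaded"]) == "winutils.dll":
            # Side-load: winutils.dll loaded from outside the agent directory, or unsigned.
            if dirname(ev["loaded"]) != LEGIT_CY_DIR or not ev.get("signed", False):
                findings.append((ev["host"], "sideload_winutils", ev["pid"], ev["loaded"]))
        elif ev["id"] == 8 and basename(ev["source"]) == "cy.exe" and basename(ev["target"]) == "notepad.exe":
            findings.append((ev["host"], "inject_notepad", ev["pid"], ev["target"]))
        elif ev["id"] == 1:
            # The page notes these children run with falsified arguments, so this
            # command-line rule is the weakest of the three; a notepad.exe parent is
            # recorded with the hit to raise confidence.
            for name, pat in IMPAIRMENT:
                if pat.search(ev["cmdline"]):
                    parent_note = " [parent: notepad.exe]" if basename(ev["parent"]) == "notepad.exe" else ""
                    findings.append((ev["host"], "impair_" + name, ev["pid"], ev["cmdline"] + parent_note))
    return findings


def correlate(findings):
    """Per host: 'rorschach_chain' when side-load, injection and impairment all occur."""
    by_host = defaultdict(set)
    for host, rule, _, _ in findings:
        by_host[host].add(rule)
    verdict = {}
    for host, rules in by_host.items():
        chain = {"sideload_winutils", "inject_notepad"} <= rules
        impaired = any(r.startswith("impair_") for r in rules)
        verdict[host] = "rorschach_chain" if chain and impaired else "suspicious"
    return verdict


if __name__ == "__main__":
    hits = detect(EVENTS)
    for hit in hits:
        print(hit)
    print(correlate(hits))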

Apple - Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. 

  • Safari is a graphical web browser developed by Apple.
  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  • macOS Monterey is the 18th release of macOS.
  • macOS Big Sur is the 17th release of macOS.
  • iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  • macOS Ventura is the 19th and current major release of macOS.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system would be less impacted than those who operate with administrative rights. Link to full report: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2023-036

Don’t Plug In - The FBI is warning consumers against using public phone charging stations in order to avoid exposing their devices to malicious software. Public USB stations of the kind found at malls and airports are being used by bad actors to spread malware and monitoring software, according to a tweet last week from the FBI’s Denver branch. The agency did not provide any specific examples. “Carry your own charger and USB cord and use an electrical outlet instead,” the agency advised in the tweet.[2]

While public charging stations are attractive when a device is running critically low on battery, security experts have raised concerns about the risk for years; in 2011, researchers coined the term “juice jacking” to describe the problem. “Just by plugging your phone into a [compromised] power strip or charger, your device is now infected, and that compromises all your data,” Authentic8 said.

The cord you use to charge your phone is also used to send data from your phone to other devices. For instance, when you plug your iPhone into your Mac with the charging cord, you can download photos from your phone to your computer. If a port is compromised, there’s no limit to what information a hacker could take, Paik previously explained to CNN; that includes your email, text messages, photos and contacts. Besides carrying your own charger, a USB data-blocking adapter, which passes only the power pins and leaves the data lines disconnected, lets a device charge from an untrusted port with no data path at all.

GLOBAL TRENDS:   

US / ZTA - The Cybersecurity and Infrastructure Security Agency (CISA) leads the nation’s effort to understand, manage, and reduce cybersecurity risk, including by supporting Federal Civilian Executive Branch agencies in evolving and operationalizing cybersecurity programs and capabilities. CISA’s Zero Trust Maturity Model (ZTMM), now in version 2, provides an approach to continued modernization efforts related to zero trust within a rapidly evolving environment and technology landscape. The ZTMM is one of many paths an organization can take in designing and implementing its transition plan to a zero trust architecture in accordance with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” § 3(b)(ii), which requires that agencies develop a plan to implement a Zero Trust Architecture (ZTA). While the ZTMM is specifically tailored for federal agencies as required by EO 14028, all organizations should review and consider adopting the approaches outlined in the document.

Link to full report: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf

North Korea - Recent attacks linked to North Korean state-backed hackers are spotlighting how technically adept and creative the regime's cyber activity has become. The big picture: experts say public perception of North Korea's cyber threat risks painting the regime as an underfunded country focused solely on cybercrime to fund its government, but that perception is not quite right.[3]

Driving the news: late last month, several cybersecurity firms found that North Korean state-backed hackers had inserted malware into a software update for the video-conferencing tool 3CX, mirroring the supply-chain tactic Russian hackers used in the infamous SolarWinds espionage campaign two years ago. While the supply chain attack appears to have had little impact so far, news of the campaign came just days after Mandiant identified a new North Korean state-backed espionage team that has successfully tricked researchers into sharing their work. What they are saying: "They have the capabilities, they develop the capabilities, and they are very effective at using them for espionage or sabotage or disruptive, destructive activities," the senior vice president of intelligence at CrowdStrike said.

North Korean hackers are typically young men who have been "trained to be these cyber warriors" and were hand-picked to join the regime's hacking teams at a young age, Mandiant explained. North Korea has been behind some of the heaviest-hitting cyberattacks and espionage campaigns in recent years.

The US attributed the highly publicized 2014 cyberattack against Sony Pictures to North Korea, and in 2016 the country's hackers drew plenty of attention after attempting to steal $1 billion from Bangladesh's central bank. In the last year, North Korean espionage groups have started impersonating journalists and well-known researchers in phishing campaigns to trick researchers into sharing their intelligence on the regime's efforts. North Korea has a dual-hatted cyber mission: deploying hackers to pursue cybercrime that helps fund the regime's activities, and spying on the US, South Korea and their allies.

The National Security Agency warned earlier this year that North Korea-linked hackers were exploiting the known Log4j vulnerability to deploy ransomware against health care organizations. The FBI attributed last year's $100 million theft from the Harmony Horizon bridge to North Korea, and several groups estimate that North Korea stole more than $1 billion in cryptocurrency in 2022. Those funds are suspected of funding the regime's espionage activities as well as its nuclear programs. North Korean leader Kim Jong-un keeps the precise structure of his regime's cyber operations under wraps and is not afraid to reorganize after public reporting on North Korea's efforts. "This is where Kim Jong-un thrives," a researcher recently said. "He wants you to be confused and to miss stuff, so it's effective on all aspects."

While China and Russia tend to grab more attention in the cybersecurity industry, the U.S. intelligence community has also identified North Korea as a maturing cyber threat.  The Office of the Director of National Intelligence's 2023 worldwide threats report released earlier this year warned that North Korea's cyber program poses a "sophisticated and agile espionage, cybercrime and attack threat."  North Korea "probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States," the report adds.

Germany - Evotec SE announced that on 06 April 2023 a cyber-attack occurred on Evotec’s IT systems. As a result, the systems were shut down proactively and disconnected from the Internet to protect against data corruption or breaches. The IT systems are currently being examined and the scope of the impact is being reviewed; the highest diligence will be applied to data integrity. The company noticed unusual activity in one of its IT systems and, as a preventive measure, took all IT systems offline. A forensic examination is being conducted together with external IT specialists and other experts to ascertain the extent and potential impact. While systems remain disconnected from the network at this stage, Evotec SE confirmed that business continuity is upheld at all of its global sites.[4]

Ireland and Complacency - Confirmation bias is the psychological tendency to seek out and interpret information that confirms our pre-existing beliefs or values while ignoring evidence to the contrary. Ireland’s LoughTec says, “as a businessperson, parent (and Arsenal fan), I get tested a lot.” Sometimes taking a wider view or a different perspective undoubtedly helps, but on occasion the blinkers are so firmly fixed that no amount of evidence can shift our thinking.[5]

Since the start of the year, LoughTec has been inundated with unsolicited support calls from businesses and organizations across Northern Ireland asking for help to deal with cyberattacks ranging from ransomware to business email compromise. Many of those business owners, in calmer moments, admit to having thought that a cyberattack would never happen to them, and to having protected their businesses accordingly. There is still a commonly held belief among many in the business community, despite evidence to the contrary, that “a cyberattack will never happen to us”.

The cyber security industry has no shortage of compelling information, and yet there are those who still buy into other cyber-myths. The idea that “we’re too small to be a target” is countered by the fact that small businesses are exactly the size attackers look for: they usually have fewer resources and weaker security in place. “We are covered by cyber insurance” is a sound idea; however, as with all insurance, you need to prove that you have done your very best to protect your business from cyberattacks, and being insured simply isn’t enough once you consider reputational damage, downtime and future opportunity cost. “We can recover any lost data from our backups” can be wishful thinking, as backups are just as vulnerable to attack if you don’t take the correct measures. “Cyber Essentials will cover us.”

Sure, Cyber Essentials (the UK government-backed baseline certification scheme) is an excellent step towards improving your cyber security posture and helps you get the basics right, but it does little to protect you in the event of a severe breach. Even with the best anti-virus solution, your network is still vulnerable: AV protection is essential but not a panacea, since signature-based detection catches only known threats and not zero-day exploits.

As businesses have become more reliant on digitization and technology, threats have become more frequent and persistent, and yet many of the methods hackers use are unsophisticated: phishing emails and social engineering rely on tricking individuals into divulging passwords or other sensitive information.

Cyber security is no longer solely the responsibility of the IT department or MS partner; every employee has a responsibility to help maintain an adequate standard of cyber hygiene. As many data breaches are caused by human error as by deliberate cyberattacks.

In a world where we are told never to ‘assume,’ I think in the context of cyber security, we are now at a place where it is safe to assume that your business has already been attacked.  Or will be soon.

Brazil Schools - Brazil's Justice Ministry (MJSP) requested the deletion of 270 Twitter accounts spreading hashtags related to attacks against schools nationwide, Agencia Brasil reported on 9 April (the news service noted that hashtags are keywords or terms, prefixed with the # symbol, used to index content or discussions on platforms such as Twitter and Facebook). According to the MJSP, both content and authors are under investigation; search warrants were also served, resulting in the seizure of seven weapons, and a suspect was arrested. Authorities also requested that TikTok remove two accounts transmitting content that incited fear in families.[6]

The Integrated Operations and Intelligence Directorate of the National Public Security Secretariat identified more than 80 profiles whose links were removed for violating the platform's policy. The content of these links was preserved at the request of the Ministry of Justice to allow further investigation. Several preventive and repressive actions were taken against attacks on schools all over Brazil, among them searches of social networks for profiles with posts related to crimes against life and hate speech.

Cybercrime police stations in the main Brazilian regions also monitored internet threats related to possible attacks.  The data is being analyzed by the ministry's Cyber Operations Laboratory (Ciberlab), which will be exclusively dedicated to this work over the next few days, on a 24-hour shift basis.  Any citizen can report threats related to the safety of schools and students on the Ministry of Justice and Public Safety's website.

The exclusive channel to receive information about suspected cases of attacks on educational institutions was created by the ministry, in partnership with SaferNet Brazil.  This private civil association works to promote human rights on the Internet and, since 2006, has offered an online platform for reporting illegal or harmful content on the network.  The organization acts as a direct channel between internet users and the authorities, offering a safe and confidential environment for sending complaints.

In the actions that make up Operation Safe School, organized by MJSP in partnership with the states, 51 heads of investigative police stations and 89 heads of Public Security intelligence agencies (Civil Police and Military Police) are working in an integrated manner.  The operation will be in effect for an indefinite period of time, continuously and around the clock.

Since the 5 April attack on a school in Blumenau, Santa Catarina (SC), in which four children died and at least five were injured, the MJSP's Cyber Operations Laboratory has supported the Interministerial Working Group in gathering information about possible threats to schools by monitoring social networks. Representatives of the area participated in the first meeting of the WG, held on Thursday at the Ministry of Education (MEC).

Ciberlab has a team specialized in information technology, which uses advanced investigation techniques to trace the origin of cybercrimes and identify those responsible.  Based on the growing cases of violence in schools in Brazil, Ciberlab has also acted in preventive actions against Brazilian schools and daycare centers, producing reports that are forwarded to state police forces all over the country.

Italy - Japanese car giant Toyota said that security lapses at its offices in Italy may have exposed customer data. A Toyota Motor North America spokesperson confirmed the findings of Cybernews, a cybersecurity research outlet, which on 14 February discovered an environment file (.env) hosted on the official Toyota Italy website. A .env file holds a deployment’s configuration as environment variables, commonly including credentials, and should never be reachable from a web server’s document root.[7]

The file contained a wide range of information, including credentials for the digital marketing platform Salesforce Marketing Cloud, which could be used to reach customers in a variety of ways, as well as data related to the company’s use of Mapbox’s API. The file had been exposed since 21 May 2021. “Immediately after the Cybernews team informed Toyota Motor Italy of a cybersecurity vulnerability in its IT environment, the company took all necessary actions to remedy the situation that was caused by a failure to follow our company data security policies,” Toyota said in a statement reported by media. “An additional set of countermeasures have been put in place to restore and strengthen our cyber security systems and protocols. We have reported this data privacy risk to the relevant authorities and are fully cooperating with the ongoing investigation.” Toyota is conducting a wider investigation of its cybersecurity systems to “prevent a recurrence of similar incidents.”
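Both the Source Code Secrets collection described earlier (credentials left in public GitHub, GitLab and Bitbucket repositories) and the Toyota Italy .env exposure come down to the same check: find credential-looking values in configuration and source text before an attacker does. The following Python is an added example, not code from this page, Red Sky Alliance, Cybernews or Toyota. It parses a constructed .env body (the AWS values are Amazon's documented placeholder credentials; nothing is from Toyota's real file), flags values by fixed-format token patterns, by credential-like variable names, and by character entropy, and applies the same classifier to a constructed source snippet. The name heuristics and placeholder rules are assumptions of the example.

```python
import math
import re
from collections import Counter

# Constructed sample .env for this example. The AWS values are Amazon's documented
# placeholder credentials; nothing here comes from Toyota's real file.
SAMPLE_ENV = """
# application settings
APP_ENV=production
APP_DEBUG=false
SFMC_CLIENT_ID=exampleclientid123
SFMC_CLIENT_SECRET="Q7w2ZkLm9xPvRb3TnHc8Ya"   # quoted value with a trailing comment
MAPBOX_ACCESS_TOKEN=pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjazEyMzQ1Njc4In0.abcDEFghiJKLmnoPQRstu
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export DB_PASSWORD='hunter2'
VAULT_DB_PASSWORD=${VAULT:secret/db#password}   # a reference, not a literal secret
"""

# Constructed source snippet of the kind found in public repositories.
SAMPLE_SOURCE = '''
import boto3
session = boto3.Session(aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
                        aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN")   # the right way: read it from the environment
'''

# Fixed-format tokens that can be recognised from the value alone.
TOKEN_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# Variable names that imply the value is a credential (heuristic; an assumption of this example).
SENSITIVE_NAME = re.compile(r"passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|credential", re.I)
# Values that are clearly not real secrets: empty, obvious placeholders, vault/template references.
PLACEHOLDER = re.compile(r"^(|changeme|xxx+|your[_-].*|\$\{.*\}|<.*>)$", re.I)
# key = "literal" / key: "literal" assignments inside source code.
ASSIGN = re.compile(r"""(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']""")


def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above natural words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dotenv(text):
    """Minimal dotenv parser: comments, 'export', quoted values, trailing comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = re.split(r"\s+#", value, maxsplit=1)[0].strip()
        env[key] = value
    return env


def classify(key, value):
    """Labels explaining why a key/value pair looks like a leaked credential."""
    labels = [name for name, pat in TOKEN_PATTERNS if pat.search(value)]
    if PLACEHOLDER.match(value):
        return labels
    if SENSITIVE_NAME.search(key):
        labels.append("sensitive_name")
    elif len(value) >= 20 and shannon_entropy(value) >= 4.0:
        labels.append("high_entropy")
    return labels


def scan_dotenv(text):
    """Map each flagged variable in a .env body to its labels."""
    return {k: labels for k, v in parse_dotenv(text).items() if (labels := classify(k, v))}


def scan_source(text):
    """(line number, variable or None, labels) for each suspicious line of source code."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            key, labels = m["key"], classify(m["key"], m["value"])
        else:
            key, labels = None, [name for name, pat in TOKEN_PATTERNS if pat.search(line)]
        if labels:
            hits.append((n, key, labels))
    return hits


if __name__ == "__main__":
    for k, labels in scan_dotenv(SAMPLE_ENV).items():
        print(f"{k}: {', '.join(labels)}")
    for n, key, labels in scan_source(SAMPLE_SOURCE):
        print(f"line {n} ({key}): {', '.join(labels)}")
```

Run as a pre-commit hook or a CI step over staged files, this catches the committed-secret case; for the web-exposure case, the same parser can be pointed at the body returned by requesting /.env on your own sites, where anything other than a 403 or 404 is a finding. Note that the name rule deliberately flags weak passwords such as hunter2 that an entropy threshold alone would miss, while vault references and template placeholders are skipped so the check stays quiet on correctly written configuration.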

The incident comes amid a streak of data leaks affecting car companies. In January, ransomware actors took credit for an attack on Arnold Clark, one of the United Kingdom’s largest car dealerships. When the dealership refused to pay a ransom, the gang leaked National Insurance numbers, the UK equivalent of US Social Security numbers, and passport data, alongside addresses and phone numbers.

In February 2022, ransomware actors from the now-defunct Hive group attacked one of Europe's biggest car dealers, and last week a BMW dealer in France was also hit with ransomware. Media also reported last week that Tesla employees had been sharing data collected from cameras in customer vehicles.

[1] https://www.hackread.com/rorschach-ransomware-hits-us-based-companies/

[2] https://www.cnn.com/2023/04/12/tech/fbi-public-charging-port-warning/

[3] https://www.axios.com/2023/04/11/north-korea-cybersecurity-hacking-supply-chain

[4] https://markets.businessinsider.com/news/stocks/evotec-issues-update-on-cyber-attack-1032222063

[5] https://www.irishnews.com/business/businessnews/2023/04/12/news/_if_your_business_hasn_t_already_faced_a_cyber_security_attack_it_will_do_soon_-3192251/

[6] https://en.mercopress.com/2023/04/10/brazil-operation-safe-schools-targets-270-twitter-accounts

[7] https://therecord.media/toyota-italy-customer-data-exposure/
