Activity Summary - Week Ending on 4 May 2023:

  • Red Sky Alliance identified 27,858 connections from new IPs checking in with our Sinkholes
  • 1337 Services in Germany hit 35x
  • 9,401 ‘new’ botnet hits
  • Goldoson-Android
  • AI Threat Hunting   
  • Israel in their Sights
  • Canada Casinos
  • Sweden's Parliament

Red Sky Alliance Compromised (C2) IPs

IP               Contacts
45.92.1.143      81
194.38.20.254    73
95.214.26.15     58
52.171.216.250   56
51.250.39.71     52

Red Sky Alliance Malware Activity   

On 3 May 2023, Red Sky Alliance identified 27,858 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            24697
corkow            1662
sykipot           541
shiz              512
maudi             362

For a full blacklist – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 3 May 2023, analysts identified 9,401 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sample of botnet tracker entries).  We are currently upgrading this collection.

First Seen            Botnet Attribution       Infected Host’s IPv4 Address
2023-04-29T04:20:20   HTTP proxy|port: 8080    1.179.136.98
2023-04-28T12:50:18   HTTP proxy|port: 8080    5.78.41.128
2023-04-30T18:40:24   HTTP proxy|port: 8080    5.78.41.184
2023-04-27T23:10:24   HTTP proxy|port: 8080    5.78.42.109
2023-04-28T06:50:30   HTTP proxy|port: 8080    5.78.42.131
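As an added example (not part of the Red Sky Alliance report), the following Python script takes the C2 addresses from the Compromised (C2) IPs table and the infected-host addresses from the Botnet Tracker table above and matches them against outbound firewall log lines.  The log format, the internal 10.x addresses and the log lines themselves are constructed for the example; the only real values are the IPs and the port 8080 copied from the two tables.

```python
"""Added example (not part of the Red Sky Alliance report): match outbound
connection logs against the C2 and botnet-proxy addresses listed in this
week's two tables. The log format and internal addresses are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Addresses copied from the report's tables (the five-row samples shown there).
C2_IPS = {"45.92.1.143", "194.38.20.254", "95.214.26.15", "52.171.216.250", "51.250.39.71"}
BOTNET_PROXY_IPS = {"1.179.136.98", "5.78.41.128", "5.78.41.184", "5.78.42.109", "5.78.42.131"}
PROXY_PORT = 8080  # port listed for every botnet-proxy row in the report

# Constructed firewall export; hypothetical format: <timestamp> <src> <dst> <dport> <action>
SAMPLE_LOG = """\
2023-05-03T10:00:01Z 10.1.2.3 45.92.1.143 443 ALLOW
2023-05-03T10:00:05Z 10.1.2.3 8.8.8.8 53 ALLOW
2023-05-03T10:01:10Z 10.1.2.7 5.78.41.184 8080 ALLOW
2023-05-03T10:02:30Z 10.1.2.3 45.92.1.143 443 ALLOW
2023-05-03T10:03:00Z 10.1.2.9 192.168.1.1 80 ALLOW
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<action>\S+)$"
)


def classify(dst_ip: str, dport: int) -> Optional[str]:
    """Label a destination: 'c2', 'botnet-proxy', or 'botnet-proxy-port' when an
    infected host was contacted on the proxy port the tracker lists for it
    (i.e. the internal host is probably using the bot as an HTTP proxy)."""
    if dst_ip in C2_IPS:
        return "c2"
    if dst_ip in BOTNET_PROXY_IPS:
        return "botnet-proxy-port" if dport == PROXY_PORT else "botnet-proxy"
    return None


def scan(log_text: str) -> list:
    """Parse log lines, skip malformed ones and private destinations, return hits
    as (timestamp, src, dst, dport, label) tuples in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst.is_private:
            continue
        label = classify(str(dst), int(m["dport"]))
        if label:
            hits.append((m["ts"], m["src"], str(dst), int(m["dport"]), label))
    return hits


def hosts_to_triage(hits) -> Counter:
    """Count hits per internal source host so the noisiest hosts are triaged first."""
    return Counter(src for _, src, _, _, _ in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, src, dst, dport, label in found:
        print(f"{ts} {src} -> {dst}:{dport} [{label}]")
    print("per-host:", dict(hosts_to_triage(found)))
```

Replace `SAMPLE_LOG` with a real export and extend the two sets from the full blacklist; a host that appears more than once for the same C2 address is a better lead than a single stray connection.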

 

MALICIOUS CYBER TRENDS:

Goldoson – This malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices.  McAfee’s Mobile Research Team researchers discovered at least 60 malicious apps on Google Play Store infected with Android malware Goldoson.  Collectively, these apps account for around 100 million installs on the Play Store and 8 million installs on the South Korean ONE Store.  South Korean users are most vulnerable to downloading these apps.[1]

Goldoson Infiltrates Legit Apps on Play Store - Researchers found that Goldoson Android malware has infiltrated the official Google Play Store via 60 legitimate apps.  The malware component is based on a third-party library that all sixty apps use. Researchers assume that the developers mistakenly added it to the apps.

Which Apps Are Infected with Goldoson?

Some of the infected apps include the following:

  • Pikicast
  • GOM Player
  • LIVE Score
  • Infinite Slice
  • Real-Time Score
  • POINT with L.PAY
  • Swipe Brick Breaker
  • Bounce Brick Breaker
  • LOTTE WORLD Magicpass
  • Compass 9: Smart Compass
  • Korea Subway Info: Metroid
  • SomNote - Beautiful note app
  • GOM Audio - Music, Sync lyrics
  • Money Manager Expense & Budget

How Does the Device Get Infected?

The Goldoson Android malware is designed to perform malicious actions on devices that download one of the 60 infected apps.  Once the app is downloaded and launched, the malware library registers the app and receives its configuration from a remote server with an obfuscated domain.  This configuration sets the functions that the malware will run on the device, including ad-clicking and data-gathering features.  The data collection function is activated every two days, and the collected data, along with the MAC address of connected Bluetooth and Wi-Fi devices, is transferred to a C2 server.

The ad-clicking feature is launched by loading and injecting HTML code into a hidden, customized WebView. This feature generates revenue through multiple URL visits.  Overall, the Goldoson malware has been found in 60 different apps and has impacted a large number of downloads.

What is Goldoson Malware Capable of? - Goldoson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices.  In addition, it can track users’ location and carry out ad fraud by clicking on ads in the background without alerting the user.  Data collection relies on the permissions granted to an infected app when it is installed.

McAfee researchers stated that although Android 11 and above versions are generally considered safe against data theft due to their superior security protections, in 10% of the infected apps, Goldoson could collect sensitive data from devices running these versions.  McAfee responsibly alerted Google and the app developers, who promptly removed the malicious library from the apps.  Apps in which they couldn’t remove the library were taken off the Play Store.

It is worth noting that malicious versions of these apps will still be available on third-party Android app stores even though on Play Store these apps will become safe with an update.  Therefore, uninstall the app, and reinstall it from Play Store to be safe.

Brave New World – SentinelOne describes how its Purple AI tool/service drives SOC team efficiency and efficacy in threat hunting, analysis and response, and illustrates this new feature with example use cases.[2]

Threat Hunting Made Simple with Conversational AI - When it comes to threat hunting, building the right query to get effective results is not an easy task.   It requires the analyst to understand what patterns to look for and be familiar with the query syntax at hand to translate a seemingly simple question into something the system can understand.   AI helps analysts get rapid, accurate and detailed responses to any question, in any language, that otherwise would have required hours of research and multiple queries – not to mention years of analyst experience – to obtain an answer.

The Known Knowns - threat hunters can ask questions about specific, known threats and get fast answers without needing to create manual queries around indicators of compromise.  For example, the analyst could use a prompt such as “Is my environment infected with SmoothOperator?”, or “Do I have any indicators of SmoothOperator on my endpoints?” to hunt for a specific named threat.

A table of results is presented along with context-aware insights based on the observed behavior and identified anomalies within the returned data.   Suggested follow up questions and best next actions are also provided.  In the case of the SmoothOperator example, a hunter might, for instance, receive the following summary:  “Analysis of results shows that there are three endpoints with the SmoothOperator malware detected, all from the same company site.  The data shows that the malware has infected both desktop and server endpoints.  This indicates that there may be a larger-scale attack underway, and it is important to investigate further to determine the extent of the infection.  The data shows that the malware has been detected multiple times on some of the infected devices.  For example, the malware has been detected twenty-two times on the endpoint named “TheEnterprise”, where it was last observed a few hours ago.  This suggests that the malware is persistent and that it has been active on the infected devices for some time.”

The hunter can then follow up with additional questions suggested by AI or manually typed by the user, such as: “Have there been any persistent events on the endpoint ‘TheEnterprise’?”  “Are there any known vulnerabilities on the affected machines?”  “Show me the users that are active on the affected machines, check their Okta data for successful logins and include the location where the logon happened.”

The system will then automatically return results, alongside a summary of the identified behavior, and recommend the next best investigation questions and response actions.  In the examples above, the final question might have resulted in a suggestion to trigger one or more of a combination of actions like “clear user session”, “suspend user's Okta account”, “force password reset”, “network quarantine all affected endpoints”, “create a rule to notify users on similar activity identified on other endpoints”, “collect recent security logs from affected machines” and more.  With a single click of a button the analyst can then trigger one or multiple actions, while continuing the conversation and analysis with AI.

Purple AI runs on every piece of information within the SentinelOne Security DataLake and enables one-click response via the various SentinelOne XDR integrations.  Every question asked by the analyst is executed against the right source or combination of sources behind the scenes, without the user needing to be familiar with the various data sources or the way their data is ingested.   For instance, analysts may ask:  “Are there any ec2 instances running xmrig?”  “Are there any disconnected linux machines of type server or any kubernetes node in my network?”

The analyst can then trigger E/XDR actions like the following:  “Scan all affected EC2 instances, to confirm that no residual artifacts remain on any of the instances that were involved in the incident.”  Or - “Add the detected coinminer software to the SentinelOne Blocklist, preventing it from being re-downloaded, or running on any other endpoints.”

The Unknown Unknowns - In other cases, however, threat hunters may not know what they are looking for.  By leveraging the capabilities and speed of AI to intelligently utilize internal and external resources, users can ask questions about suspicious activity they may have not been able to define themselves.  For instance, they might ask AI to: “Search for all instances of processes attempting to access sensitive data or files and investigate the source of these access attempts”  Or - “Search for all command-line tools commonly used by attackers and investigate if they are being used in suspicious ways.”  Analysts can also leverage AI to ask questions like “how can I identify X”?  For instance:  “How do I look for a possible webshell?”  Or  “How can I search for LOLBins?”

The above might seem simple, but without Purple AI, the task of translating vague terms like “sensitive data”, “commonly used” or “suspicious way” into patterns and then syntax of a query language that could return useful results is an extremely challenging task.

Threat Analysis Made Simple - It is well-known that alert fatigue is one of the biggest challenges facing the modern security operations center (SOC).  Most security teams receive more security alerts than they can possibly investigate and address.  The issue is clear: the security problem is a data problem.  Information only becomes knowledge once we apply meaningful linkages between multiple points of information, assembling the contextualized data into actionable results.  Purple AI, on top of its ability to help security teams ask complex threat hunting questions and run operational commands to manage the entire enterprise environment using natural language, also significantly simplifies the threat investigation process.

The understanding of ingested data as well as the cyber security domain allows AI to quickly determine the chain of events and then to summarize a potentially complex situation to the analyst.  The powerful combination of SentinelOne’s patented Storylines technology and AI allows analysts to not only quickly find all events associated with a given activity but also get a summary of these events and their suspicion level in no time.

Within seconds, AI will provide insights on the identified behavior alongside recommendations, thus reducing the need to manually analyze and stitch together diverse events into one contextual story.  AI vastly improves analysts’ efficiency, allowing them to investigate and triage a far greater number of alerts in significantly less time.

AI In Action - Below is an example summary created for a threat identified by the SentinelOne Singularity platform.  Analysis of this event suggests that a potentially malicious activity occurred on the endpoint named “TheBorg” running on a Windows server in the SF East Bay Corp site. The suspicious activity was initiated by the “ResistanceIsFutile.exe” process, which is unsigned and located on the user’s desktop. This process started another process, “powershell.exe”, which is signed by Microsoft Windows and located in the SysWOW64 folder.

SentinelOne’s AI first indicates whether any malicious activity had been seen and where.  This is important for the analyst to understand how widespread the attack is. In this example, all malicious activity had been identified on a single site.  The user can then choose to drill down further to get detailed analysis of the identified activity if required.   AI next provides detailed analysis of the events, indicating the behaviors that made SentinelOne classify the behavior as malicious.

The PowerShell process executed a command to force a Group Policy update on all Active Directory computers in the “starfleet.corp” domain.  This command had a high number of indicators associated with it, including 127 Reconnaissance indicators, 16 Evasion indicators, and 136 General indicators.  The high number of indicators suggests that the PowerShell command may have been used for malicious purposes, such as gathering information about the network or attempting to evade detection.  In this case, a PowerShell process forced a group policy update, which triggered various indicators like Reconnaissance & Evasion.  Purple AI then presents aggregations on the activity made by the suspicious process:

The PowerShell process also performed several file operations, including creating 4 files, modifying 11 files, and deleting 4 files.  Additionally, the process made 6 DNS requests and established 15 outgoing network connections to the IP address 192.168.192.22 on port 49667. The network connections were successful, and the event was classified as an “IP Connect” event with a repetition count of 2.

AI then moves on to provide additional information on the entities associated with the malicious process, like users or files.  Suspicious behaviors or attributes associated with these entities will be highlighted as well.  The user “STARFLEET\jeanluc” was associated with both the “ResistanceIsFutile.exe” process and the PowerShell process. The PowerShell process had an unsigned active content file associated with it, which was located on an unknown device and file path. This further raises suspicion about the nature of the activity.

AI finally summarizes the activity in Purple, highlighting the malicious entities involved, and provides a conclusion along with recommended next steps.

In conclusion, the event data suggests that the “ResistanceIsFutile.exe” process initiated a potentially malicious PowerShell command to force a Group Policy update on all Active Directory computers in the “starfleet.corp” domain. The high number of indicators, file operations, and network connections associated with the PowerShell process, as well as the unsigned active content file, indicate that this activity should be investigated further by cybersecurity analysts.
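The chain summarized above (an unsigned executable on a user's desktop spawning PowerShell from SysWOW64, which then pushes a Group Policy update across the domain and makes DNS requests and outbound connections) can be expressed as plain detection heuristics without any AI.  The Python below is an added example, not SentinelOne's code and not taken from the report; the process events, the severity thresholds and the reconstructed command line are constructed for illustration, and only the hostname, user, paths and the 6 DNS / 15 connection counts come from the text above.

```python
"""Added example (not SentinelOne's code or the report's): heuristic triage of
process events modelled on the chain described above, an unsigned binary on a
user's desktop spawning PowerShell that forces a domain-wide Group Policy
update. Every event below is constructed; the command line is a hypothetical
reconstruction, not the one observed."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str                 # full path of the child process
    signed: bool               # child's Authenticode status
    cmdline: str
    parent_image: str          # full path of the parent process
    parent_signed: bool        # parent's Authenticode status
    dns_requests: int = 0
    outbound_connections: int = 0


# Locations a standard user can write to; executables launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Cmdlets that push a command out to many machines at once.
FANOUT = re.compile(r"invoke-gpupdate|invoke-command|get-adcomputer", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(ev: ProcessEvent) -> list:
    """Return the heuristic tags that fire for one event, in a fixed order."""
    tags = []
    child = basename(ev.image)
    if child in SHELLS and not ev.parent_signed:
        tags.append("unsigned-parent-spawned-shell")
    if USER_WRITABLE.search(ev.parent_image):
        tags.append("parent-in-user-writable-dir")
    if child in SHELLS and "\\syswow64\\" in ev.image.lower():
        # A 32-bit shell on a 64-bit host is uncommon in routine admin use
        # (this example's own heuristic, not a claim from the report).
        tags.append("wow64-shell")
    if re.search(r"gpupdate", ev.cmdline, re.I) and FANOUT.search(ev.cmdline):
        tags.append("domain-wide-gpupdate")
    if child in SHELLS and (ev.outbound_connections >= 10 or ev.dns_requests >= 5):
        tags.append("shell-with-network-activity")
    return tags


def severity(tags: list) -> str:
    """Crude rollup: three or more independent signals is worth an analyst's time now."""
    if len(tags) >= 3:
        return "high"
    return "medium" if tags else "none"


# Constructed events. SUSPECT mirrors the report's chain; the others are benign controls.
SUSPECT = ProcessEvent(
    host="TheBorg", user=r"STARFLEET\jeanluc",
    image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", signed=True,
    cmdline=r'powershell.exe -NoProfile -c "Get-ADComputer -Filter * | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }"',
    parent_image=r"C:\Users\jeanluc\Desktop\ResistanceIsFutile.exe", parent_signed=False,
    dns_requests=6, outbound_connections=15,
)
BENIGN = ProcessEvent(
    host="TheBorg", user=r"STARFLEET\jeanluc",
    image=r"C:\Windows\System32\notepad.exe", signed=True, cmdline="notepad.exe notes.txt",
    parent_image=r"C:\Windows\explorer.exe", parent_signed=True,
)
LOCAL_GPUPDATE = ProcessEvent(  # an admin refreshing policy on one box: gpupdate without fan-out
    host="HelpdeskPC", user=r"STARFLEET\admin",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", signed=True,
    cmdline='powershell.exe -c "gpupdate /force"',
    parent_image=r"C:\Windows\System32\cmd.exe", parent_signed=True,
)

if __name__ == "__main__":
    for ev in (SUSPECT, BENIGN, LOCAL_GPUPDATE):
        tags = findings(ev)
        print(f"{ev.host:<10} {ev.user:<20} {severity(tags):<6} {tags}")
```

The `LOCAL_GPUPDATE` control is the edge case worth keeping: a single `gpupdate /force` from a signed parent is routine administration and fires nothing, so the rule only reacts when policy refresh is fanned out across the domain from an untrusted parent.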

Now in possession of an accurate analysis with a high level of detail, the analyst is rapidly able to copy and paste the insights generated by AI into a threat analysis report, or initiate further mitigation and incident response steps.

Conclusion – SentinelOne provides an integrated generative AI that allows threat hunters and SOC team analysts to leverage the power of LLMs (large language models) from within the SentinelOne console to identify and respond to attacks faster and easier.  Using natural language conversational prompts and responses, even less-experienced or resourced security teams can rapidly expose suspicious and malicious behaviors that hitherto were only possible to discover with highly-trained analysts dedicating many hours of effort. 

GLOBAL TRENDS  

Israel in their Sights - Cities across Israel were hit by a huge power failure last week in a suspected cyber-attack.[3]  The Anonymous Sudan hacker group said it was responsible for the incident, boasting on its Telegram channel that "the electric attack was just for fun.  We'll show you more."  In a later post, the group threatened more attacks: "Israel, we are still playing with you ... soon you will be without the internet. We are working to down the internet in Israel like electricity."  Israel's Electric Company told media sources that a fault in a production unit caused the failure.  In a statement, the company said: "Due to a glitch in one of the Haifa power plants, power outages are being felt in a number of areas around the country ... regular power supply was renewed to a number of areas and will be fully renewed in the next few minutes."  The outage caused major traffic jams in Tel Aviv, as right-wing protesters prepared to attend a rally to show support for the country's government.

During recent months Anonymous Sudan has been behind several cyber-attacks in Israel, including during last week’s celebrations of the 75th anniversary of the establishment of Israel, in which two news sites, Israel's Defense Ministry and the Shin Bet security service were claimed to have been attacked.  The Facebook account of Israeli Prime Minister Benjamin Netanyahu was also targeted. The page was briefly full of Arabic-language Quranic verses.  Earlier in April, a series of hacks hit important websites, including those of Ben-Gurion Airport and several universities.  Israeli authorities later blamed some of them on Iran, including one on Haifa's prestigious Technion Institute, in which hackers demanded millions of shekels as a ransom.

An Israeli radio station and a software company have come under cyber-attack by unidentified hacker groups, the latest in a series of cyber operations against the regime’s digital infrastructure across the occupied territories.  Israeli media reported on 30 April that the attack targeted the Hebrew-language Radio 103FM and the website of Check Point Software Technologies Ltd., an American-Israeli multinational provider of software and combined hardware and software products for cyber security.  The attack came a day after the websites of Israel Aerospace Industries (IAI), Israel Weapon Industries (IWI), an Israeli firearms manufacturer, Rafael Advanced Defense Systems Ltd. and Evigilo Ltd., which develops and delivers emergency mass-notification and alert multi-channel solutions, were hacked.

“The electric attack was just for fun. We’ll show you more,” the Sudanese group said in a post on its Telegram channel. “Israel, we are still playing with you ... soon you will be without the internet. We are working to down the internet in Israel like electricity.”

Another hacker group, known as “Sharp Boys”, stated last week it had targeted the Atid institutions, stealing the data of 500,000 users.  The hacker group further claimed it had obtained the personal information of Israelis, including identification documents of people who served in the military and police forces of the regime.[4]

An Indonesian hacker group carried out a massive cyber-attack against several Israeli websites last week, including those of the ministries of foreign affairs, education and health.  The group, calling itself VulzSecTeam, announced on 17 April it had managed to break into the websites of the Israeli ministries, as well as Israel police and bus and train companies in recent days, and took them down.

Canada Casinos - Several casinos in Ontario remain closed nearly two weeks after a cyberattack, with no official reopening date.  The ransomware attack that knocked out the servers at Gateway Casinos facilities was first detected on 16 April.  The situation is the digital equivalent of recovering from a major fire or similar disaster.[5]  "It's as bad as it gets.  And unfortunately, the damage is going to take years to undo, even if they are able to undo it," a London, Ontario-based digital expert said. "You don't just flip a switch and come back on."

Last week, Gateway posted online it hopes to reopen using a phased approach "later this [last] week; however, the reopening timeline depends on the pace of restoration and approval by regulatory bodies."  The cybersecurity incident impacted operations at 14 casinos, including Casino Rama in Orillia, Georgian Downs in Innisfil, and Playtime Casinos Wasaga Beach.  The recovery procedure is a "multi-faceted, multi-staged process" involving highly-trained people.  "We call these 'business killer events' for a reason. Many companies that are targeted successfully by ransomware never fully recover.  The direct costs will be into the millions if not the tens of millions or beyond," a tech analyst said.  While the company has said there is no evidence to believe customers' data was breached, several techs believe it is possible.  "There is a very strong likelihood that it has been - that it is either being bought and sold on the dark web or will be at some point in time because all of these ransomware events tend to play out in the same way. There's no coming back from that," he noted.

While Casino Rama's gaming floor remains closed to gamblers, the Orillia facility welcomed back concertgoers on 27 April in an attempt at getting some operations back to normal.  "The concert was very well attended, and people seemed very excited to be there," said the director of communications at Gateway Casinos and Entertainment Limited.  Still, the digital analyst believes Gateway will have a long road ahead.  "Gateway Casinos is going to have to own this, and they are going to have to work hard to reestablish the trust of customers and other stakeholders who have done business with them in the past who may be hesitant to do so going forward, for good reason." 

Many analysts reiterate that extensive training is the key to avoiding digital attacks.  "Organizations aren't training their people well enough to recognize the signs of a phishing type of message that shows up in their inbox.  That's how all of these attacks are initiated," some said. "Clearly, someone clicked on the wrong thing in this event.  Clearly, someone is going to click on the wrong thing in future events.  It's time Canadian businesses got wise to this and started redirecting their cyber security investments toward their people."

Sweden's Parliament - Sweden's parliament has been hit by a cyber-attack that has disrupted access to its web page, it said on 3 May 2023.   The web page was partially down on 2 May and appeared slow the next day.  "The analysis shows that it is a denial-of-service attack," a parliament spokesperson said. "Right now the web page can be slow and it can be difficult to watch our web casts."

Swedish Prime Minister Ulf Kristersson and other Nordic leaders are due to meet Ukrainian President Volodymyr Zelenskiy in Finland's capital on the 3rd.  Sweden applied for NATO membership in the wake of Russia's invasion of Ukraine and authorities have warned of increased cyber-attacks against Swedish interests.[6]

The work to restore services on the Parliament web page was ongoing, the spokesperson said, adding it was not possible to say when it would be fully functional again.

[1] https://www.hackread.com/goldoson-android-malware-100-million-downloads/

[2] https://www.sentinelone.com/blog/purple-ai-empowering-cybersecurity-analysts-with-ai-driven-threat-hunting-analysis-response/

[3] https://www.thenationalnews.com/mena/2023/04/27/major-power-failure-in-israel-after-suspected-cyber-attack/

[4] https://www.presstv.ir/Detail/2023/04/30/702503/Israel-radio-station-Check-Point-Software-Technologies-cyber-attack-

[5] https://barrie.ctvnews.ca/ontario-casino-ransomware-attack-as-bad-as-it-gets-expert-says-1.6375498

[6] https://www.msn.com/en-ca/news/world/swedens-parliament-hit-by-cyber-attack/ar-AA1aGgNA
