Activity Summary - Week Ending on 11 May 2023:

  • Red Sky Alliance identified 27,627 connections from new IPs checking in with our sinkholes
  • Ionos in Spain hit 12x
  • 1,323 ‘new’ botnet hits
  • BabyShark
  • Killnet in Europe
  • Dallas TX hit
  • San Bernardino County
  • Australia and China

Red Sky Alliance Compromised (C2) IPs

IP                 Contacts
212.227.229.207    91
194.169.175.14     86
95.214.26.15       80
51.83.238.159      52
54.36.173.89       47

212.227.229.207 was reported 12 times. Confidence of Abuse is 31%. ISP: IONOS SE; Usage Type: Data Center/Web Hosting/Transit; Domain Name: ionos.com; Country: Spain; City: Rioja, Andalucia
https://www.abuseipdb.com/check/212.227.229.207


On 10 May 2023, Red Sky Alliance identified 27,858 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            24663
corkow            1508
shiz              429
sykipot           388
poweliks          277

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants. Shiz follows.


Red Sky Alliance Malware Activity

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 10 May 2023, analysts identified 1,323 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling from the botnet trackers). We are currently upgrading this collection.

First Seen            Botnet Attribution       Infected Host’s IPv4 Address
2023-05-07T18:50:39   HTTP proxy|port: 8080    5.78.43.207
2023-05-07T12:50:25   HTTP proxy|port: 8080    5.78.44.58
2023-05-08T19:20:21   HTTP proxy|port: 8080    5.78.66.80
2023-05-03T18:25:56   HTTP proxy|port: 8080    5.78.67.173
2023-05-09T18:50:39   HTTP proxy|port: 8080    5.78.69.21
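A practical use of the two tables above is to turn them into a blocklist and run it against your own connection logs. The following is an added example, not Red Sky Alliance code: it embeds the C2 and botnet IPs listed in this report, parses a simplified firewall log format (the format and the log lines are constructed for the example; adapt parse_line() to your own export) and reports every line that touched a listed IP, distinguishing allowed connections, which need triage, from blocked ones, which only confirm that a control fired.

```python
"""Match connection logs against the C2 and botnet IPs listed in this report."""
import ipaddress
import re
from collections import Counter

# IOCs transcribed from the report's tables; the value is the contact count the report gives.
C2_IPS = {
    "212.227.229.207": 91,
    "194.169.175.14": 86,
    "95.214.26.15": 80,
    "51.83.238.159": 52,
    "54.36.173.89": 47,
}
BOTNET_IPS = {"5.78.43.207", "5.78.44.58", "5.78.66.80", "5.78.67.173", "5.78.69.21"}

# Constructed sample log lines in an assumed firewall format (not the report's):
# <timestamp> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<proto>
SAMPLE_LOG = """\
2023-05-10T08:01:12Z ALLOW src=10.1.4.22:51234 dst=212.227.229.207:443 proto=tcp
2023-05-10T08:02:05Z ALLOW src=10.1.4.22:51240 dst=93.184.216.34:443 proto=tcp
2023-05-10T08:03:41Z ALLOW src=5.78.44.58:40211 dst=10.1.9.7:8080 proto=tcp
2023-05-10T08:04:09Z DENY  src=10.1.5.3:51000 dst=54.36.173.89:80 proto=tcp
2023-05-10T08:05:33Z ALLOW src=10.1.4.22:51301 dst=212.227.229.207:443 proto=tcp
this line is malformed and must be skipped rather than crash the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):\d+"
)


def parse_line(line):
    """Return (timestamp, action, src, dst) or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        # ipaddress validates the dotted quads so a typo cannot silently miss an IOC.
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return m["ts"], m["action"], str(src), str(dst)


def match_iocs(log_text):
    """Return one hit per log line that involves a listed IP on either side.

    Each hit records the matched IP, the side it appeared on, its category
    (c2 or botnet), the report's contact count where known, and whether the
    connection was allowed (those are the ones to triage).
    """
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, action, src, dst = parsed
        for side, ip in (("src", src), ("dst", dst)):
            if ip in C2_IPS:
                category = "c2"
            elif ip in BOTNET_IPS:
                category = "botnet"
            else:
                continue
            hits.append({
                "ts": ts, "ip": ip, "side": side, "category": category,
                "report_contacts": C2_IPS.get(ip), "allowed": action == "ALLOW",
            })
    return hits


def summarize(hits):
    """Count hits per (category, ip), most frequent first, for a quick triage list."""
    return Counter((h["category"], h["ip"]) for h in hits).most_common()


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize(found))
```

Outbound hits to a C2 address from an internal host (the 10.1.4.22 lines in the sample) are the ones worth escalating; an inbound connection from a botnet proxy address is usually scanning noise unless it was allowed through to a service.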


MALICIOUS CYBER TRENDS:

BabyShark as ReconShark - SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe.  Ongoing campaigns use a new malware component we call ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.  ReconShark functions as a reconnaissance tool with unique execution instructions and server communication methods.  Recent activity has been linked to a wider set of activity we confidently attribute to North Korea.[1]

Kimsuky is a North Korean advanced persistent threat (APT) group with a long history of targeted attacks across the world. The current understanding of the group indicates they have been primarily assigned to intelligence collection and espionage operations in support of the North Korean government since at least 2012. In 2018 the group was observed deploying a malware family dubbed BabyShark, and our latest observations indicate the group has evolved the malware with an expanded reconnaissance capability; SentinelOne refers to this BabyShark component as ReconShark.

Targeted Organizations - Historically, Kimsuky targets have been located across countries in North America, Asia, and Europe.  In the group’s latest campaigns, they continue their global targeting themed around various ongoing geopolitical topics.  For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

In a recent campaign Kimsuky targeted the staff of Korea Risk Group (KRG), the information and analysis firm specializing in matters directly and indirectly impacting the Democratic People’s Republic of Korea (DPRK). We applaud KRG’s willingness to publicly share our analysis of attacks against them so the wider cybersecurity community can use this intelligence for expanded understanding of the Kimsuky threat actor and their own hunting and detection efforts. Our assessment is that the same campaign has been used to continue targeting other organizations and individuals in at least the United States, Europe, and Asia, including think tanks, research universities, and government entities.

Initial Access Targeting - For the deployment of ReconShark, Kimsuky continues to make use of specially crafted phishing emails. Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target. This includes proper formatting, grammar, and visual cues, appearing legitimate to unsuspecting users. Notably, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject, such as political scientists. In the malicious emails, Kimsuky entices the target to open a link to download a password-protected document. Most recently, they made use of Microsoft OneDrive to host malicious documents for download. As used against KRG, the lure email contained the OneDrive shared file link:

1drv[.]ms/u/s!AvPucizxIXoqedcUKN647svN3QM?e=K6N1gT

The file downloaded is a password-protected .doc file named “Research Proposal-Haowen Song.doc” (SHA1: 86a025e282495584eabece67e4e2a43dca28e505) which contains a malicious macro (SHA1: c8f54cb73c240a1904030eb36bb2baa7db6aeb01).

(Image: Malicious document, themed to DPRK / China)

ReconShark: A New BabyShark Reconnaissance Variant - The lure documents Kimsuky distributes contain Microsoft Office macros that activate on document close. Based on overlaps in file naming conventions, the malware staging techniques used, and code format, we assess that the macros implement a newer variant of a reconnaissance capability of Kimsuky’s BabyShark malware seen targeting entities in the Korean peninsula towards the end of 2022. Analysts refer to this BabyShark component as ReconShark.

The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses.

Information Exfiltration - The main responsibility of ReconShark is to exfiltrate information about the infected platform, such as running processes, information about the battery connected to the system, and deployed endpoint threat detection mechanisms.  Like previous BabyShark variants, ReconShark relies on Windows Management Instrumentation (WMI) to query process and battery information.

(Image: ReconShark queries process and battery information)

ReconShark checks for the presence of a broad set of processes associated with detection mechanisms, such as ntrtscan.exe (Trend Micro OfficeScan), mbam.exe (Malwarebytes Anti-Malware), NortonSecurity.exe (Norton Security), and avpui.exe (Kaspersky Internet Security).


(Image: Enumeration of deployed detection mechanisms)

In contrast to previous BabyShark variants, ReconShark exfiltrates information without first storing it on the filesystem – the malware stores the information it collects in string variables and then uploads them to the C2 server by issuing HTTP POST requests.

(Image: ReconShark exfiltrates information)

Payload Deployment - In addition to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. ReconShark decides what payloads to deploy depending on what detection mechanism processes run on infected machines.  Some ReconShark strings are encrypted using a relatively simple cipher to evade static detection mechanisms.  These strings are typically commands or scripts for downloading and/or executing payloads.

(Image: A decrypted command)

ReconShark deploys and executes payloads in different ways. For example, the malware can directly download a payload from the C2 server using the curl utility, but it can also use Windows Shortcuts (LNK files) or Office templates for that purpose.

ReconShark edits Windows Shortcuts (LNK files) to the msedge.exe (Microsoft Edge), chrome.exe (Google Chrome), outlook.exe (Office Outlook), whale.exe (Whale browser), and firefox.exe (Mozilla Firefox) applications. When executed, these LNK files start the linked legitimate applications and execute malicious code at the same time.  Further, ReconShark replaces the default %AppData%\Microsoft\Templates\Normal.dotm Office template, which opens whenever a user starts Microsoft Word, with a malicious Office template hosted at the C2 server.  This effectively compromises the execution of Microsoft Word.

(Images: ReconShark edits LNK files (top) and deploys a malicious Normal.dotm Office template (bottom))

The payload staging ends with Windows Batch or VBS scripts that create the %AppData%\1 file with the content ss or sss. These files may represent markers of a successful ReconShark execution.
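The three host artifacts described in the last few paragraphs (edited browser and mail shortcuts, a replaced %AppData%\Microsoft\Templates\Normal.dotm, and the %AppData%\1 marker containing ss or sss) are all cheap to check for on an endpoint. The following is an added triage script, not SentinelOne's or Red Sky Alliance's code. It looks for the marker file with the documented contents, opens Normal.dotm as the OOXML zip it is and reports whether it carries a VBA project (word/vbaProject.bin), and scans .lnk files that reference one of the listed applications for strings such as mshta or wscript that a plain browser shortcut would never contain; that last list of strings is a heuristic of my own, not something the report states. The build_constructed_sample() helper fabricates a throwaway profile tree with all three artifacts so the script can be run anywhere; on Windows it runs against the real %APPDATA% and Desktop instead.

```python
"""Triage a Windows user profile for the ReconShark host artifacts described above."""
import os
import tempfile
import zipfile
from pathlib import Path

# From the report: the staging scripts create %AppData%\1 containing "ss" or "sss".
MARKER_CONTENTS = {b"ss", b"sss"}
# From the report: applications whose shortcuts ReconShark edits.
SHORTCUT_TARGETS = (b"msedge.exe", b"chrome.exe", b"outlook.exe", b"whale.exe", b"firefox.exe")
# Heuristic (an assumption, not from the report): a shortcut to a browser or mail
# client has no business referencing script hosts or shell interpreters.
LNK_SUSPICIOUS = (b"mshta", b"wscript", b"cscript", b"cmd.exe", b"powershell", b".hta", b".vbs")


def _contains(haystack, needle):
    """True if the needle appears as ASCII or as UTF-16LE (how LNK files store most strings)."""
    return needle in haystack or needle.decode().encode("utf-16-le") in haystack


def check_marker_file(appdata):
    """Report the %AppData%\\1 marker if it exists, noting whether it has the documented contents."""
    marker = Path(appdata) / "1"
    if not marker.is_file():
        return None
    content = marker.read_bytes().strip()
    if content in MARKER_CONTENTS:
        return f"marker file {marker} contains {content.decode()!r}"
    return f"marker file {marker} present with unexpected content"


def check_normal_dotm(appdata):
    """Flag a Normal.dotm that carries a VBA project (word/vbaProject.bin inside the OOXML zip)."""
    dotm = Path(appdata) / "Microsoft" / "Templates" / "Normal.dotm"
    if not dotm.is_file():
        return None
    try:
        with zipfile.ZipFile(dotm) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return f"{dotm} is not a valid OOXML package"
    if "word/vbaproject.bin" in names:
        return f"{dotm} contains a VBA project; review its macros"
    return None


def check_shortcuts(shortcut_dirs):
    """Flag .lnk files that point at a listed application and also reference a script host."""
    findings = []
    for d in shortcut_dirs:
        for lnk in sorted(Path(d).glob("*.lnk")):
            data = lnk.read_bytes().lower()  # lower() touches only ASCII bytes, so UTF-16LE survives
            if not any(_contains(data, app) for app in SHORTCUT_TARGETS):
                continue
            for needle in LNK_SUSPICIOUS:
                if _contains(data, needle):
                    findings.append(f"{lnk} launches a listed application but references {needle.decode()!r}")
                    break
    return findings


def triage(appdata, shortcut_dirs=()):
    """Run all checks; returns a list of findings (an empty list means nothing was found)."""
    findings = [r for r in (check_marker_file(appdata), check_normal_dotm(appdata)) if r]
    findings.extend(check_shortcuts(shortcut_dirs))
    return findings


def build_constructed_sample():
    """Create a throwaway profile tree exhibiting all three artifacts (constructed test data)."""
    root = Path(tempfile.mkdtemp(prefix="reconshark-demo-"))
    (root / "1").write_bytes(b"sss")
    templates = root / "Microsoft" / "Templates"
    templates.mkdir(parents=True)
    with zipfile.ZipFile(templates / "Normal.dotm", "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    desktop = root / "Desktop"
    desktop.mkdir()
    # Fake shortcut: a real LNK is a binary structure, but the string checks only need the bytes present.
    (desktop / "Google Chrome.lnk").write_bytes(
        b"L\x00\x00\x00" + "chrome.exe".encode("utf-16-le") + b"\x00\x00" + "mshta.exe".encode("utf-16-le")
    )
    return root, desktop


if __name__ == "__main__":
    if os.name == "nt":
        appdata, dirs = Path(os.environ["APPDATA"]), [Path.home() / "Desktop"]
    else:
        appdata, desk = build_constructed_sample()
        dirs = [desk]
    for line in triage(appdata, dirs) or ["no ReconShark artifacts found"]:
        print(line)
```

A Normal.dotm with a VBA project is not proof of compromise on its own, since users can legitimately store macros there, but combined with the marker file or a tampered shortcut it is a strong signal; a full LNK parser would let you compare the shortcut's real target and arguments rather than relying on string presence.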

(Image: A third-stage ReconShark payload)

Infrastructure Analysis - All observed infrastructure in this campaign is hosted on a shared hosting server from NameCheap, which analysts have already notified of this malicious activity with a recommendation for takedowns. Kimsuky operators continually made use of LiteSpeed Web Server (LSWS) for managing the malicious functionality.

(Image: Kimsuky LiteSpeed Web Server portal)

Phishing emails have been observed being sent from the yonsei[.]lol domain, while rfa[.]ink and mitmail[.]tech are used for command and control. The domain yonsei[.]lol has been active since December 2022, with malicious activity occurring as recently as this week. rfa[.]ink has been actively used since early February 2023, and mitmail[.]tech since mid-January 2023. Kimsuky also made use of newshare[.]online as a C2 server for a short time at the end of 2022. As shown in the ReconShark macro example, beacons are made to the /bio/ directory of rfa[.]ink. During our analysis of the activity, the attacker made multiple attempts at renaming that directory, including /bio433ertgd12/ then later /bio234567890rtyui/, and a day later returning back to /bio/.

This may have been an attempt to hinder research efforts or pause the intake of new victims for unknown reasons. The IOC table below highlights each of the URL paths Kimsuky manages across each C2 domain and their specific purpose according to the execution flow in the macro. These patterns match across domains, while the directory they are placed in often varies. Some paths on the C2 domains are configured to redirect visitors who navigate to them to the legitimate Microsoft website. As with most malicious infrastructure linked to North Korean actors, we can quickly find links back to previous reporting or separate campaigns. For example, links can be found to the domains mainchksrh[.]com and com-change[.]info, with indications com-change was used in 2020-2022 credential phishing campaigns at these subdomains:

  • lives.com-change[.]info
  • live.com-change[.]info
  • com-change[.]info
  • hotmail.com-change[.]info
  • hotrnail.com-change[.]info
  • microsoft.com-change[.]info
  • naver.com-change[.]info
  • navers.com-change[.]info
  • navor.com-change[.]info
  • outlock.com-change[.]info
  • outlook.com-change[.]info
  • gmail.com-change[.]info
  • grnail.com-change[.]info
  • loginsaa.gmail.com-change[.]info
  • loginsaa.grnail.com-change[.]info

Conclusion - The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape.  Organizations and individuals need to be aware of the TTPs used by North Korea state-sponsored APTs and take necessary precautions to protect themselves against such attacks.  The link between recent activity and a wider set of previously unknown activity attributed to North Korea underscores the need for continued vigilance and collaboration.

Indicators of Compromise (each indicator or group of indicators is followed by its description):

yonsei[.]lol
    Phishing email sender domain

https[:]//rfa[.]ink/bio/r.php
https[:]//mitmail[.]tech/gorgon/r.php
    C2 server endpoint

https[:]//rfa[.]ink/bio/t1.hta
https[:]//mitmail[.]tech/gorgon/t1.hta
    ReconShark payload: HTA script

https[:]//rfa[.]ink/bio/ca.php?na=reg.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=reg.gif
    ReconShark payload: VBS script

https[:]//rfa[.]ink/bio/ca.php?na=secur32.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=secur32.gif
https[:]//newshare[.]online/lee/ca.php?na=secur32.gif
    ReconShark payload: DLL file

https[:]//rfa[.]ink/bio/ca.php?na=dot_eset.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_eset.gif
    ReconShark payload: Office template

https[:]//rfa[.]ink/bio/ca.php?na=video.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=video.gif
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/ca.php?na=start2.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=start2.gif
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/ca.php?na=start4.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=start4.gif
    ReconShark payload: VBS script

https[:]//rfa[.]ink/bio/ca.php?na=start3.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=start3.gif
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/ca.php?na=videop.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=videop.gif
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/ca.php?na=start1.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=start1.gif
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/ca.php?na=vbs_esen.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=vbs_esen.gif
    ReconShark payload: VBS script

https[:]//rfa[.]ink/bio/ca.php?na=start0.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=start0.gif
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/d.php?na=vbtmp
    ReconShark payload: VBS script

https[:]//rfa[.]ink/bio/ca.php?na=vbs.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=vbs.gif
    ReconShark payload: VBS script

https[:]//rfa[.]ink/bio/d.php?na=battmp
    ReconShark payload: Windows Batch script

https[:]//rfa[.]ink/bio/ca.php?na=dot_v3.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_v3.gif
    ReconShark payload: Office template

https[:]//rfa[.]ink/bio/ca.php?na=dot_esen.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_esen.gif
    ReconShark payload: Office template

http[:]//rfa[.]ink/bio/ca.php?na=dot_avg.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_avg.gif
    ReconShark payload: Office template

https[:]//rfa[.]ink/bio/ca.php?na=dot_kasp.gif
https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_kasp.gif
    ReconShark payload: Office template

86a025e282495584eabece67e4e2a43dca28e505
    Lure Doc Example – SHA1

c8f54cb73c240a1904030eb36bb2baa7db6aeb01
    Macro – SHA1
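The infrastructure section notes that the script names in the IOC table (r.php, t1.hta, ca.php?na=*.gif, d.php?na=*) recur across C2 domains while the directory in front of them (/bio/, /bio433ertgd12/, /gorgon/, /lee/) changes. A detection keyed on the full defanged URL would therefore miss the renamed directories. The following is an added example, not SentinelOne's or Red Sky Alliance's code: it refangs a subset of the table's indicators (for string parsing only, never for fetching), derives the known C2 domains from them, and classifies proxy-log requests by the final path component and query so that a beacon to a renamed directory on a known domain is still caught. Requests that match the path pattern on an unknown domain are labelled pattern-only as a lower-confidence hunting lead; that labelling is my choice, not something the report prescribes. The proxy log format and lines are constructed for the example.

```python
"""Normalize the defanged ReconShark URL IOCs above and detect them in proxy logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Defanged indicators copied from the IOC table (a subset, in the table's own notation).
DEFANGED_IOCS = [
    "https[:]//rfa[.]ink/bio/r.php",
    "https[:]//mitmail[.]tech/gorgon/r.php",
    "https[:]//rfa[.]ink/bio/t1.hta",
    "https[:]//rfa[.]ink/bio/ca.php?na=secur32.gif",
    "https[:]//newshare[.]online/lee/ca.php?na=secur32.gif",
    "https[:]//rfa[.]ink/bio/d.php?na=vbtmp",
]


def refang(ioc):
    """Turn 'https[:]//rfa[.]ink/bio/r.php' into a parseable URL string (for parsing, never fetching)."""
    return ioc.replace("[:]", ":").replace("[.]", ".").replace(" ", "")


def ioc_domains(iocs):
    """Collect the set of hostnames used by the indicators."""
    return {urlsplit(refang(i)).hostname.lower() for i in iocs}


KNOWN_DOMAINS = ioc_domains(DEFANGED_IOCS)

# The report observes the same script names across domains while the directory varies,
# so match on the final path component and the query string rather than the full path.
SCRIPT_RE = re.compile(r"/(?P<script>ca\.php|d\.php|r\.php|t1\.hta)$")


def classify_request(url):
    """Return a detection label for a URL, or None if it does not resemble ReconShark C2 traffic."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    known_host = host in KNOWN_DOMAINS
    m = SCRIPT_RE.search(parts.path)
    if not m:
        # Any other request to a known C2 domain is still worth a look (e.g. the redirect paths).
        return "known-c2-domain" if known_host else None
    script = m["script"]
    na = parse_qs(parts.query).get("na", [None])[0]
    if script == "r.php":
        label = "beacon"
    elif script == "t1.hta":
        label = "payload:hta"
    elif script == "ca.php" and na and na.endswith(".gif"):
        label = f"payload-fetch:{na[:-4]}"   # ca.php?na=start0.gif -> payload-fetch:start0
    elif script == "d.php" and na:
        label = f"payload-fetch:{na}"        # d.php?na=vbtmp -> payload-fetch:vbtmp
    else:
        return "known-c2-domain" if known_host else None
    return label if known_host else f"pattern-only:{label}"


# Constructed proxy log lines (assumed format: "<ts> <client_ip> <method> <url> <status>").
SAMPLE_PROXY_LOG = """\
2023-05-10T09:00:01Z 10.2.3.4 GET https://rfa.ink/bio/r.php 200
2023-05-10T09:00:07Z 10.2.3.4 GET https://rfa.ink/bio234567890rtyui/ca.php?na=secur32.gif 200
2023-05-10T09:01:15Z 10.2.3.9 GET https://www.microsoft.com/en-us/ 200
2023-05-10T09:02:30Z 10.2.3.4 GET https://cdn.example.net/files/ca.php?na=start0.gif 404
2023-05-10T09:03:00Z 10.2.3.4 GET https://mitmail.tech/gorgon/ 302
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(text):
    """Return (client_ip, url, label) for each request that classify_request() flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = classify_request(m["url"])
        if label:
            hits.append((m["client"], m["url"], label))
    return hits


if __name__ == "__main__":
    for client, url, label in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client}  {label:<32} {url}")
```

Grouping hits by client and ordering them by time reproduces the execution flow the report describes (beacon, then payload fetches), which is useful when deciding whether a single r.php request was a sandbox detonation or a real infection that progressed.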

GLOBAL TRENDS:   

Killnet in Europe - A pro-Russian hacking group has recently carried out a cyber-attack on Europe’s air traffic control agency. Eurocontrol said the attack by Russian hacking group Killnet affected its website but did not disrupt flights or pose any threat to air traffic. The group has since claimed responsibility for the attack and vowed to disrupt the agency’s operations for 100 hours. Killnet targets organizations with distributed denial of service (DDoS) attacks, bombarding the target with junk Internet traffic and preventing legitimate users from accessing online services. The European Organization for the Safety of Air Navigation (EOSAN), also known as Eurocontrol, coordinates air traffic in 41 countries.[2]

Eurocontrol said its website was attacked on April 19 by pro-Russian hackers, causing access problems.  “The attack is causing interruptions to the website and web availability,” a Eurocontrol spokesperson said.  “There has been no impact on European aviation.”  Consequently, the European air traffic control agency advised travelers to use alternative means of filing flight plans. The cyber-attack also forced some airlines to use commercial solutions to manage flights.  However, the cyber-attack did not compromise the air traffic control agency’s internal systems, and the safety of air navigation was not at risk.

Nevertheless, an official admitted that the DDoS attack made air traffic control operations difficult. “It’s been a heavy cyber battle and while operations are entirely safe, doing other things has been difficult,” a Eurocontrol spokesperson told media. However, the cyber-attack did not cause any delays to commercial flights, according to the International Air Transport Association: “There has been no inconvenience to commercial air traffic, no disruption and no delays because of the cyberattack.” At least 2,000 Eurocontrol employees could not access the organization’s internal and external communication tools.

Based on a 2021 report by Eurocontrol, the use of diverse technologies in air traffic control exposed the sector to a wide range of cyber-attacks.  Killnet claimed responsibility for the cyber-attack on the European air traffic control agency and promised a DDoS marathon for 100 hours.  “From today, a Eurocontrol marathon is being held, lasting 100 hours,” the group posted on its Telegram channel, threatening to cause “great discomfort” to European airlines.

This is not the first time Killnet has targeted the aviation industry. In October 2022, the pro-Russian hackers attacked 14 US airports with DDoS attacks. US airports impacted by Killnet DDoS attacks include Chicago O’Hare International Airport (ORD), Denver International Airport (DIA), Hartsfield-Jackson Atlanta International Airport (ATL), Los Angeles International Airport (LAX), Orlando International Airport (MCO), and Phoenix Sky Harbor International Airport (PHX). In Europe, over two dozen airports have borne the brunt of Killnet’s cyber-attacks, which aim to cause discomfort and incite the public against their governments for helping Ukraine.

In July 2021, Eurocontrol published a report showing that the aviation industry was ill-equipped to cope with cyber-attacks from various cyber threat groups.  Pro-Russian groups have also targeted government services in countries assisting Kyiv militarily or imposing sanctions on Moscow since the full-scale Russian invasion of Ukraine began in February 2022.  In June 2022, Killnet targeted Lithuanian government websites with DDoS attacks after the country blocked shipments to the Russian enclave of Kaliningrad.

US, Texas - A ransomware attack on the city of Dallas that has “significantly impacted” police and compromised other city services was initiated by a prolific group called Royal, officials said on 5 May.  The city’s Information and Technology Services department “isolated the issue and is gradually restoring service prioritizing public safety and resident-facing departments,” the city said in an afternoon news release.  The Dallas City Manager said in a statement earlier in the day that he is optimistic that the risk is contained.  “Since city of Dallas’ Information and Technology Services detected a cyber threat Wednesday morning, employees have been hard at work to contain the issue and ensure continued service to our residents,” he said.  “For those departments affected, emergency plans prepared and practiced in advance are paying off,” he said.  “We apologize for any inconvenience and thank residents for their understanding as we continue to work around the clock until this issue is addressed.”

The Dallas police directed inquiries about the investigation into the ransomware attack to the FBI, which is typically the lead federal agency for cyberattack cases.[3] A spokesperson for the FBI’s Dallas bureau said the agency is aware of the attack and is in contact with city officials. She declined to provide additional details about the investigation. The Dallas police chief said in a written statement that the department’s operations have been “significantly impacted” by the outage. Emergency plans that were prepared and practiced in advance are in place now, he said. The department’s computer-assisted dispatch system is in the process of being brought back online, and calls are still being dispatched, the chief said. The system used by police for offense reports and jail intake is also affected, prompting personnel to conduct those tasks manually, García said. The Dallas Police Department’s website, internal share drives and applications for personnel matters are also affected, according to the chief. “We want to [assure] the public even with these internal difficulties, police response continues across the city,” the chief said. “Regardless of the uphill battles, our men and women will always answer calls for service. Public safety remains our top priority.”

The president of the Dallas Fire Fighters Association said Dallas Fire-Rescue has had to revert to a primitive form of manual dispatching reliant on communicating over the radio because of the attack. “A lot of flying blind,” McDade said. “We don’t know exactly what’s going on.” In the past, the agency’s system has crashed “every once in a while” but was typically fixed within a few hours, he said. But in this case, he said, there has been no indication when the system will be restored. “It’s been, what, 36 hours now. And nothing has changed and nothing’s improved,” he said on 4 May. Fire officials would ensure every call was answered, but the cyberattack makes for a more stressful day. “We have a knack of just getting it done,” he said. “We’re gonna get it done, we’re gonna respond. Nobody’s in danger.”

A ransomware attack occurs when a perpetrator gains access to a system, usually through malicious software, according to the US Cybersecurity and Infrastructure Security Agency (CISA). The attackers then encrypt the server’s data and make demands in return for its decryption. Royal uses custom-made encryption, the FBI and CISA said in a recent joint advisory. The group originated around September, the agencies said, and has compromised US and international organizations.

A professor of computer science at the University of Texas at Dallas said Royal is a sophisticated “gang” that uses traditional and new ways of infiltrating victims’ systems. Authorities say “threat actors” with Royal gain access to victim networks through phishing about two-thirds of the time. The group can also gain access to a system through remote desktop control tools, the professor said.

Royal threatens to publicly release the encrypted data if the victim does not pay the ransom, the FBI said in the advisory.  It was not immediately clear what demands Royal might have made to the city of Dallas.

There have been at least 11 confirmed ransomware attacks in Texas since March 2022, including attacks on the Mansfield Independent School District, Rice University and the city of Tomball.  Royal was responsible for the ransomware attack against the Dallas Central Appraisal District late last year that caused its operations to be stunted for 72 days.  Authorities believed the attack happened after an employee fell for a phishing scam.

On 4 May, a temporary website for the city of Dallas directed users to its Twitter account, @CityOfDallas, for updates.  The city’s news portal, dallascitynews.net, also provided updates on the outage.  “The City is experiencing a service outage and is working to restore services.  We appreciate your patience during this time,” a banner on the temporary website reads.  Most city departments’ websites direct users back to the temporary site — including 311 services, municipal courts and Dallas Water Utilities.

California - A hacker who in April caused a "network disruption" of the San Bernardino County Sheriff’s Department’s computer system was paid a $1.1 million ransom to let county officials back into the network.  The ransom was announced on 5 May by county officials, who stated that the hacker uploaded ransomware to infiltrate the sheriff’s department’s information technology system.  The disruption included sheriff’s officials being unable to access a system that provides information on whether a person is wanted for crimes elsewhere in the county, the San Bernardino Sheriff said.[4]

Department officials became aware of the incident on 7 April, according to county officials, who said they immediately secured the network and were working with its information technology staff and third-party forensic specialists to investigate. After the disruption, county officials referred the incident to partnering law enforcement agencies, including the FBI and the Department of Homeland Security.

During the April disruption, whether the incident involved a cyberattack or other threat against the sheriff’s department was unknown.  County officials did not say when the $1.1 million was paid to the hackers, how long the system was inaccessible to the department, or why officials waited until now to inform the public about the ransom payment.

A county spokesman reported on 5 May that further information on the cyberattack could not be disclosed at this time, considering the ongoing criminal investigation.

San Bernardino County officials dish out a nearly $1 million ransom to a hacker who caused a "network disruption"

So, the question is posed - Why was a ransom paid? After “careful consideration,” county officials opted to pay the $1.1 million ransom to the unknown hacker to regain control of their system. An insurance policy ensured a payout of $511,852, county officials said. "The county had prepared for the possibility of such an incident by securing appropriate insurance coverage," the spokesman said. "After negotiating with the responsible party, the insurance carrier and the county agreed to a payment to restore the system's full functionality and secure any data involved in the breach. Insurance covers most of the payment." County officials did not offer details on the remaining roughly $600,000 of the ransom payment.

The ransomware attack did not impact public safety.  Investigators have yet to determine if any information was seized during the malware attack or if the hacker can be tracked.  The sheriff's department is conducting a forensic examination to fully understand the extent of the incident, with findings crucial to public agencies seeking to avoid similar attacks, county officials said.

Australia & China - Australia does not need to wait ten or 20 years for its new submarines, or for long-range missiles, to project effective military power against China.  It can use its cyber forces to strike strategic targets inside China now, or for the sake of deterrence, to hold out that threat.  Cyber-attacks are aimed at breaking into enemy military networks to disrupt or disable their systems.  They can be used against a variety of weapons and communications systems.  Cyber forces are now an integral part of a country’s strike capability in wartime.  The United States is even now planning wartime cyber-attacks against China, should they be needed.[5]

According to 2018 figures, the Americans have a force of around 240,000 defense personnel and contractors in place to contribute to cyber defense and cyber-attack, with up to one-third likely available to support the latter. In the event of war, these US cyberattacks could be sustained across the full range of Chinese war capacity. The aim would be to gain what’s called “decision dominance.” This is the “disintegration” of China’s systems and decision-making, “thereby defeating their offensive capabilities” – if we can interpret remarks of the former commander of US Indo-Pacific Command, Admiral Davidson, to be a reference to China.

Australia has been much more guarded in discussing cyber offense than the US, but the two allies are in lockstep.  Canberra is in the process of tripling the size of its offensive cyber forces under Project Redspice, announced last year.  It could attack military command and control assets anywhere in China in the event of war.  Softer targets might include critical national infrastructure, such as the energy grid supporting the war effort.  Australia’s cyber force will remain small compared with the US.  But it can also call on private domestic or foreign corporations to design attack packages against China, as the US does.

Australia is aiming for world-class offensive options in cyberspace.  The AUKUS allies coordinate closely together on cyber operations, and this area of activity is a prime focus for the new grouping.  AUKUS is a reality, with major implications for Australian sovereignty and security.  In 2020, the United Kingdom set up a new organization, its National Cyber Force, dedicated to offensive strike operations.  As part of this “cyber three” alliance with the US and UK, Australia’s cyber force will likely remain the country’s most powerful strike capability against China for decades to come.

China’s cyber security weakness - Of course, success isn’t assured with cyber-attacks.  But causing disruption on a significant scale can be achieved with a highly focused effort across all phases of offensive cyber operations, especially in coordination with our allies.  The most important phase is the first one: ensuring up-to-date intelligence on the other side’s systems.  The effort put into cyber intelligence against China’s armed forces is actually the foundation of cyber offensive teams, even if the intelligence people are not counted as having an “offensive” role.

China is adept at cyber offense.  But contrary to popular belief, cyber security isn’t a strong point for China, and this makes it particularly vulnerable to attack in wartime.  The International Institute for Strategic Studies has assessed that China has certain fundamental weaknesses that will take many years to overcome, including in its cyber security industry, education and policy.  Chinese leaders have said they believe they’re well behind the US and its allies in terms of military cyber capability.  This will likely constrain their choices about starting any war over Taiwan.

There’s no need for Australia to be shy about this offensive capability against China on political grounds because China is planning to do the same against us in the event of war.  China is already conducting cyber espionage in Australia and other countries in preparation for a major crisis.  It is almost certainly developing capabilities to disable enemy military systems and infrastructure if needed.  Australia’s Defense Minister recently restated the long-held view that the more offensive capabilities Australia has, for example through submarines, the more the country can contribute to allied deterrence of potential aggressors.

Australian political leaders should prioritize the military’s ability to attack targets in China at scale, in the unlikely event of war.  And leaders need to ensure cyber forces have more highly trained people dedicated to this task and a more powerful domestic cyber industry.  For military and political leaders to go down this path more robustly, the Australian Defense Force will also need to reassess the military balance of power in the Asia-Pacific to take account of the US and its allies’ cyber superiority over China.  This might also allow Australians to feel more secure about possible Chinese military threats.  The choices Chinese leaders might make in provoking a crisis will be shaped by their view that their armed forces are not as competitive in this dimension of US and allied military power.

[1] https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

[2] https://www.cpomagazine.com/cyber-security/russian-hackers-killnet-executed-a-cyber-attack-on-european-air-traffic-control-agency-eurocontrol/

[3] https://www.dallasnews.com/news/public-safety/2023/05/04/a-group-called-royal-is-behind-the-ransomware-attack-on-dallas-the-city-said/

[4] https://www.vvdailypress.com/story/news/crime/2023/05/05/county-pays-hacker-1-1-million-ransom-after-cyber-attack/70190226007/

[5] https://asiatimes.com/2023/05/australia-taking-the-measure-of-chinas-cyber-vulnerability/
