Activity Summary - Week Ending on 1 June 2023:
- Red Sky Alliance identified 10,745 connections from new IP’s checking in with our Sinkholes
- TT1 Datacenter (tt1-datacenter[.]de) IP in Singapore reported 33 times on AbuseIPDB
- 907 ‘new’ Botnet hits
- CapCut and BatLoader
- PowerExchange and OilRig
- Canadian power-grid vulnerabilities
- US - AT&T account-merge flaw
- Cuba ransomware and the Philadelphia Inquirer
Red Sky Alliance Malware Activity
Red Sky Alliance Compromised (C2) IP’s
IP | Contacts
194.59.165.249 | 32
89.248.165.204 | 19
206.189.130.194 | 18
34.150.218.220 | 13
5.34.177.30 | 12
194.59.165.249 has been reported 33 times on AbuseIPDB (Confidence of Abuse: 73%). ISP: TT1 Datacenter UG (haftungsbeschraenkt); Usage Type: Data Center/Web Hosting/Transit; Domain Name: tt1-datacenter.de; Country: Singapore; City: Singapore. https://www.abuseipdb.com/check/194.59.165.249
On 1 June 2023, Red Sky Alliance identified 10,745 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Malware Variant | Times Seen
sality | 9682
corkow | 488
maudi | 153
shiz | 139
sykipot | 93
Top 5 malware variants by number of contacts. Sality and Corkow have consistently remained the top variants.
For a full black list – contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker
On 1 June 2023, analysts identified 907 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sample of botnet tracker entries). We are currently upgrading this collection.
First Seen | Botnet Attribution | Infected Host’s IPv4 Address
2023-05-24T12:40:18 | HTTP proxy (port 3128) | 3.34.176.115
2023-05-24T12:40:09 | HTTP proxy (port 3128) | 3.34.176.226
2023-05-24T12:40:24 | HTTP proxy (port 3128) | 3.34.176.238
2023-05-24T12:40:28 | HTTP proxy (port 3128) | 3.35.3.186
2023-05-24T12:40:27 | HTTP proxy (port 3128) | 3.35.6.106
MALICIOUS CYBER TRENDS:
CapCut and BatLoader - CapCut, a video editor with a following of more than 200 million active users per month in the US alone, is the current target of threat actors, according to a new report from Cyble Research and Intelligence Labs. CapCut is a Chinese app, created by ByteDance (which also owns TikTok), that lets users edit their videos. Like many other apps of Chinese origin, CapCut is banned or restricted in several jurisdictions, including India, Taiwan and parts of the USA, so users looking for a convenient way to install it search for alternative download sources and get trapped. Threat actors are luring unsuspecting users through CapCut phishing sites and tricking them into downloading BatLoader, stealers and other malware. Cyble researchers discovered several phishing websites designed to look like download pages for video editing software;[1] these sites instead deliver malware including RATs and stealers, and the researchers observed that this campaign specifically impersonated CapCut. Examining the attackers’ modus operandi, the researchers noted that the scammers use Python. One of the stealer binaries they identified (its SHA256 is given in the Cyble report) was compiled with PyInstaller and runs only on Windows 8 or later. After successfully extracting the PyInstaller archive, the researchers recovered the embedded Python script; the .py file imports the Fernet class from the cryptography.fernet module to decrypt its payload.
In one of the campaigns observed by Cyble researchers, a phishing website was hosting the Offx stealer. In another, threat actors used a phishing site to host BatLoader, which then delivered RedLine stealer to the targeted system. In other words, these phishing sites are stocked with a range of RATs and stealers. As Cyble researchers explained in their blog post,[2] the primary objective of these stealers is to collect information about the victim and use it for malicious purposes.
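The Fernet loader pattern described above (a PyInstaller-packed script that carries a key and an encrypted blob and calls Fernet to decrypt it) can be triaged without running the sample. The script below is an added example, not Cyble’s or Red Sky Alliance’s code and not the real CapCut stealer: it locates Fernet-shaped key and token literals in an extracted .py file, splits the token into its documented fields (version byte, timestamp, IV, ciphertext, HMAC) and verifies the HMAC with the signing half of the key using only the standard library. A verified HMAC confirms that the key and blob belong together and yields the token’s creation timestamp for the timeline, without needing the cryptography package for the AES step. The key, token and script text are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import struct
from datetime import datetime, timezone

# Fernet token layout (from the cryptography.fernet specification):
#   0x80 | timestamp (8 bytes, big-endian) | IV (16) | AES-128-CBC ciphertext (n*16) | HMAC-SHA256 (32)
# The 32-byte key is split: first 16 bytes sign (HMAC), last 16 bytes encrypt.
KEY_RE = re.compile(r"""["']([A-Za-z0-9_-]{43}=)["']""")            # 32 raw bytes -> 44 urlsafe-b64 chars
TOKEN_RE = re.compile(r"""["'](gAAAAA[A-Za-z0-9_-]+={0,2})["']""")  # version byte 0x80 encodes as "gAAAAA"


def find_fernet_material(source: str) -> dict:
    """Pull candidate Fernet keys and tokens out of an extracted/decompiled Python script."""
    return {"keys": KEY_RE.findall(source), "tokens": TOKEN_RE.findall(source)}


def parse_fernet_token(key_b64: str, token_b64: str) -> dict:
    """Split a token into its fields and verify its HMAC with the signing half of the key.
    No decryption happens here; a valid HMAC proves the key and token belong together."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet keys are exactly 32 bytes")
    tok = base64.urlsafe_b64decode(token_b64)
    if len(tok) < 1 + 8 + 16 + 32 or tok[0] != 0x80:
        raise ValueError("not a Fernet token")
    timestamp = struct.unpack(">Q", tok[1:9])[0]
    iv, ciphertext, tag = tok[9:25], tok[25:-32], tok[-32:]
    expected = hmac.new(key[:16], tok[:-32], hashlib.sha256).digest()
    try:
        created = datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError):
        created = None  # tampered or absurd timestamp
    return {
        "timestamp": timestamp,
        "created_utc": created,
        "iv": iv.hex(),
        "ciphertext_len": len(ciphertext),
        "block_aligned": len(ciphertext) % 16 == 0,  # CBC ciphertext is a whole number of blocks
        "hmac_ok": hmac.compare_digest(expected, tag),
    }


def assemble_token(key_b64: str, timestamp: int, iv: bytes, ciphertext: bytes) -> str:
    """Wrap already-encrypted bytes in the Fernet envelope (used only to build the sample below)."""
    key = base64.urlsafe_b64decode(key_b64)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


# Constructed sample: an invented key, an opaque stand-in "ciphertext" and a script shaped like
# the loader pattern described in the text. Not a real malware sample.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
SAMPLE_TOKEN = assemble_token(SAMPLE_KEY, 1684454400, b"\x11" * 16, b"\xaa" * 32)
SAMPLE_SCRIPT = f"""
from cryptography.fernet import Fernet
key = "{SAMPLE_KEY}"
blob = "{SAMPLE_TOKEN}"
exec(Fernet(key).decrypt(blob))
"""


def triage(source: str) -> list:
    """Pair every key with every token found in a script and report which combinations verify."""
    found = find_fernet_material(source)
    report = []
    for k in found["keys"]:
        for t in found["tokens"]:
            try:
                info = parse_fernet_token(k, t)
            except ValueError as exc:
                info = {"error": str(exc), "hmac_ok": False}
            report.append({"key": k, "token_prefix": t[:12], **info})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_SCRIPT):
        print(entry)
```

Once the HMAC verifies, the last 16 bytes of the key and the recovered IV are all that is needed to decrypt the ciphertext with AES-128-CBC (PKCS7 padding) in a sandbox; the timestamp is also worth recording, since it is set when the payload was encrypted and often predates the phishing site’s registration.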
PowerExchange and OilRig - A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to the Iranian state-sponsored group APT34 to backdoor on-premises Microsoft Exchange servers. After infiltrating the mail server via a phishing email containing an archived malicious executable, the threat actors deployed a web shell named ExchangeLeech (first observed by the Digital14 Incident Response team in 2020) that can steal user credentials.[3] The FortiGuard Labs Threat Research team found the PowerExchange backdoor on the compromised systems of a United Arab Emirates government organization.[4]
The malware communicates with its command-and-control (C2) server via emails sent using the Exchange Web Services (EWS) API, sending stolen info and receiving base64-encoded commands through text attachments to emails with the "Update Microsoft Edge" subject. "Using the victim's Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization's infrastructure," the FortiGuard Labs Threat Research team said.
The backdoor enables its operators to execute commands to deliver additional malicious payloads on the hacked servers and to exfiltrate harvested files.
[Figure: PowerExchange infection chain (FortiGuard Labs)]
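Because the C2 channel described above rides on the organization’s own mail flow, network sensors see nothing unusual; the artifacts are the messages themselves. The script below is an added example, not FortiGuard’s or Red Sky Alliance’s code: it hunts a set of exported messages for the two indicators the report gives (the "Update Microsoft Edge" subject and a text attachment whose body is base64-encoded command text) and counts repeat sender/recipient pairs, since a scheduled-task beacon produces a steady trickle between the same mailboxes. The message records are a constructed, simplified export; real Exchange message-tracking logs carry sender, recipient and subject but not attachment bodies, so the attachment check assumes the messages were exported (for example via EWS or an eDiscovery search). The command strings in the sample are invented.

```python
import base64
import binascii
from collections import Counter

C2_SUBJECT = "Update Microsoft Edge"  # subject line reported by FortiGuard Labs
_B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample export (not real traffic). Attachment bodies are included only because
# the example assumes the messages themselves, not just tracking logs, were pulled.
SAMPLE_MESSAGES = [
    {"time": "2023-05-24T08:01:10", "sender": "ops@example.test", "recipient": "helpdesk@example.test",
     "subject": "Update Microsoft Edge", "attachments": [("update.txt", _b64("dir C:\\Users"))]},
    {"time": "2023-05-24T08:15:42", "sender": "finance@example.test", "recipient": "helpdesk@example.test",
     "subject": "Q1 figures", "attachments": [("q1.xlsx", "PK\x03\x04 not-base64 bytes")]},
    {"time": "2023-05-24T09:02:05", "sender": "ops@example.test", "recipient": "helpdesk@example.test",
     "subject": "Edge patch notes", "attachments": [("notes.txt", _b64("whoami"))]},
    {"time": "2023-05-24T09:30:00", "sender": "hr@example.test", "recipient": "all@example.test",
     "subject": "Update Microsoft Edge", "attachments": []},
]


def decode_if_base64_text(blob: str):
    """Return the decoded text if blob is strictly valid base64 of printable ASCII, else None."""
    s = blob.strip()
    if len(s) < 8 or len(s) % 4 or not set(s) <= _B64_CHARS:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def hunt(messages: list) -> list:
    """Flag messages matching the PowerExchange C2 pattern and decode any command attachments.
    The subject alone is a weak indicator (operators can change it); a base64-text attachment
    alone is also weak; both together is a strong hit."""
    findings = []
    for m in messages:
        reasons, commands = [], []
        if m["subject"].strip().lower() == C2_SUBJECT.lower():
            reasons.append("subject matches reported C2 subject")
        for name, blob in m["attachments"]:
            if name.lower().endswith(".txt"):
                decoded = decode_if_base64_text(blob)
                if decoded is not None:
                    reasons.append(f"text attachment {name} is base64-encoded text")
                    commands.append(decoded)
        if reasons:
            findings.append({
                "time": m["time"], "sender": m["sender"], "recipient": m["recipient"],
                "subject": m["subject"], "reasons": reasons, "commands": commands,
                "confidence": "high" if len(reasons) >= 2 else "medium",
            })
    findings.sort(key=lambda f: (f["confidence"] != "high", f["time"]))
    return findings


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Sender/recipient pairs with repeated hits: a periodic beacon keeps using the same mailboxes."""
    counts = Counter((f["sender"], f["recipient"]) for f in findings)
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = hunt(SAMPLE_MESSAGES)
    for h in hits:
        print(h["confidence"], h["time"], h["sender"], "->", h["recipient"], h["reasons"], h["commands"])
    print("repeat offenders:", repeat_offenders(hits))
```

In practice the decoded attachment text would be compared against the command set in the FortiGuard report, and the sending mailbox checked for the periodic scheduled task that drives the backdoor.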
During the forensic investigation of the network, the researchers also discovered additional backdoored endpoints with various other malicious implants. Among them, they found the ExchangeLeech web shell, installed as a file named System.Web.ServiceAuthentication.dll that mimicked legitimate IIS file naming conventions. ExchangeLeech collects the usernames and passwords of those logging into the compromised Exchange servers using basic authentication by monitoring clear text HTTP traffic and capturing the credentials from the webform data or HTTP headers. The attackers can instruct the web shell to send the credential log via cookie parameters.
FortiGuard Labs linked these attacks to the Iranian state-backed hacking group APT34 (aka OilRig) based on similarities between PowerExchange and the TriFive malware the group used to backdoor the servers of Kuwaiti government organizations. "Both backdoors share striking commonalities: they are written in PowerShell, activated by a periodic scheduled task, and the C2 channel leverages the organization's Exchange server with EWS API. And while their code is much different, we speculate that PowerExchange is a new and improved form of TriFive," FortiGuard Labs said.
APT34 also uses phishing emails as an initial infection vector in its attacks and has previously breached other UAE entities, according to the FortiGuard Labs report.
Name: OilRig[5]
Synonyms: Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten, APT 34, APT34, IRN2, ATK40, G0049
Probably operating from: Iran, Islamic Republic of
(CFR) Suspected state sponsor: Iran (Islamic Republic of)
(CFR) Suspected victims:
- Israel
- Kuwait
- United States
- Turkey
- Saudi Arabia
- Qatar
- Lebanon
- Middle East
(CFR) Type of incident: Espionage
Description: OilRig is an Iranian threat group operating primarily in the Middle East, targeting organizations in this region across a variety of industries; however, the group has occasionally targeted organizations outside the Middle East as well. OilRig also appears to carry out supply chain attacks, leveraging the trust relationship between organizations to reach its primary targets. OilRig is an active and organized threat group, evident from its systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group rely primarily on social engineering to exploit the human rather than software vulnerabilities; on occasion, though, the group has used recently patched vulnerabilities in the delivery phase of its attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of its operations, including:
- Organized evasion testing during the development of their tools.
- Use of custom DNS tunneling protocols for command and control (C2) and data exfiltration.
- Custom web shells and backdoors used to persistently access servers.
OilRig relies on stolen account credentials for lateral movement. After gaining access to a system, the group uses credential dumping tools such as Mimikatz to steal the credentials of accounts logged into the compromised system, then uses those credentials to move laterally to other systems on the network. Once credentials have been obtained, operators prefer to use tools other than their backdoors, such as Remote Desktop and PuTTY, to access the compromised systems. OilRig also uses phishing sites to harvest credentials from individuals at targeted organizations in order to gain access to internet-accessible resources such as Outlook Web Access.
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.
GLOBAL TRENDS:
New Zealand - A cyber security firm reports hackers are selling access to IT systems at hundreds of New Zealand schools and tertiary institutes, as well as stolen personal data from thousands of staff and students. Cyber Sentience said it found the information being traded on websites on the so-called dark web for just a few dollars last year.
In a report published earlier this week, it said it also found evidence hackers were using a New Zealand primary school's website as a training ground to practice hacking. It said cyber-attacks on New Zealand education institutions were growing exponentially, and schools in particular needed more protection.[6] It said the information for sale last year included alleged vulnerabilities in the IT systems of seven of New Zealand's eight universities, access to 556 education sector web services and to 31 institutions' email services. Hackers were also sharing the logins and passwords of 2359 people in universities, polytechnics and industry training organisations and for countless people in schools. One hacker was selling backdoor access to a primary school's IT systems and others were sharing a database stolen from a secondary school.
Cyber Sentience said stolen personal credentials generally sold for between US$2-$10 (NZ$3.30-$16) and access to a New Zealand school's webserver was listed for US$8 (NZ$13.20). The company said it did not know whether any of the hacks had resulted in financial losses or blackmail of individuals or institutions. Cyber Sentience said several posts indicated hackers had discovered and shared a vulnerability in a web application belonging to a New Zealand school several years ago. "A few years later, we detect Russian, Turkish and Arabic-speaking threat actors in closed communities sharing this vulnerability as a 'training target'. Interactive mentoring encouraged and supported the abuse of this school's system. One of the locations where this activity was occurring is known to be state aligned, with the others focused on e-crime and hacktivism."
The NZ Ministry of Education's chief digital officer, Wakefield, said he could not confirm the report's details but its broad findings about the types of problems affecting schools were "definitely on the money." He said schools' computer networks were well protected, but students and staff often used their computers and phones at home and for purposes other than school work. "What this report shows is students are using things like their school-issued email address as their username on a whole range of websites and systems and apps and services, and some small number of those has been compromised," he said. The Ministry added that it contacted schools when it found that student or staff credentials had been stolen, but it was hard to stay ahead of the hackers. "We're always playing a little bit of catch-up here. We're talking about an organized criminal enterprise here that is trying to exploit not just schools and kura but all New Zealand organizations and all New Zealanders," he said. "To that extent that we can we are putting all our effort into things that mitigate that risk, so precautions such as use of two-factor authentication and making sure people have strong passwords and making sure their devices are kept up to date with the latest patches."
NZ Universities use existing expertise - The Ministry said Cyber Sentience had refused to provide detailed information without payment. Cyber Sentience replied that it had arrangements with other organizations which meant it could not share further information with the Ministry of Education without a formal agreement. Meanwhile, universities dismissed Cyber Sentience's approach to them earlier this year as an attempt to generate business. Universities New Zealand reported its members preferred to use their existing in-house or third-party expertise to manage cyber security. It could not confirm whether universities had investigated the alleged vulnerabilities raised by Cyber Sentience, and the universities did not answer RNZ's questions about whether those vulnerabilities had been investigated and found to exist.
Canada - News of pro-Russia hackers allegedly gaining access to Canada’s gas infrastructure brought cybersecurity concerns to the fore last month. To protect our power grid, industry insiders say Canada needs to step up regulations safeguarding energy systems that are vulnerable to attack. Energy infrastructure all over the world is regularly targeted by both cybercriminals looking to extort companies and state-sponsored actors trying to get a leg up on other nations. Oil infrastructure was the target of nearly a third of the 45 cybersecurity incidents against global commodity industries like shipping, agriculture and petrochemicals between 2017 and 2022, according to data from S&P Global. This includes high-profile incidents like the 2021 ransomware attack on the US’s Colonial Pipeline, which resulted in a shutdown and hefty ransom payment, and the 2022 attack that disrupted shipments from major European oil refining hubs. Power generation and electricity networks were other popular targets, according to S&P Global.[7]
Not all attacks are so impactful. The alleged breach of Canada’s gas infrastructure last month hasn’t resulted in any disruption, and Hydro-Québec’s website fell victim to a run-of-the-mill attack where the server was overwhelmed with traffic, causing it to crash. The crash did not impact production, transmission or distribution of electricity, according to Hydro-Québec. Now, as Canada scales up its renewable energy, experts say cleantech operators will face the same cybersecurity threats as their fossil fuel counterparts and should seize the opportunity to build strong defenses into their infrastructure.
In a cyberattack, which energy system is most at risk? There is no simple answer to which types of energy systems are most vulnerable to cyberattacks, Ammolite Technology said in a detailed statement to Canada’s National Observer. Ammolite Technology is an IT service provider whose services include security solutions for small and medium-sized businesses, charities and non-profits. At this time, renewable energy infrastructure, like large wind and solar farms, makes up a smaller share of Canada’s overall energy mix, and so is likely a less valuable target. But that proportion could increase in coming years as Canada ramps up renewable power in its bid to achieve a net-zero power grid by 2035.
Canada’s cyber and foreign signals intelligence agency, the Communications Security Establishment (CSE), told Canada’s National Observer in an emailed statement that all critical infrastructure is increasingly at risk from cybersecurity threats, though it does not “have any information specific to renewable energy projects.” Some key factors that could put energy infrastructure at risk include how valuable and vulnerable a target is and who is looking to attack.
There are many bad actors out there who would like to do harm, with varying motivations, said Plurilock, a Canadian cybersecurity company. Criminal organizations are often looking to make a buck by eliciting ransom payments from companies and organizations (as was the case with the 2021 Colonial Pipeline attack) or stealing data. “It’s often cited that the single greatest transfer of wealth globally was from the United States to China as a result of the intellectual property theft campaigns that took place,” Plurilock told Canada’s National Observer. Aside from the financial motivations shared with criminals, hostile nation-states or state-sponsored organizations also stand to benefit from attacks that steal sensitive information or seek to disrupt a country’s critical infrastructure, it added.
If the country’s share of renewable energy grows and its infrastructure is accessible to the same degree as oil and gas infrastructure, it could become “an equally attractive target,” said researchers Singh and Hodgkinson. For any and all infrastructure, the trouble is having a single point of failure, i.e. one fault that can be exploited and cause a whole system to stop operating. The researchers are “cautiously optimistic” because renewable energy infrastructure is inherently less centralized than fossil fuel infrastructure. It is also typically designed with batteries and energy storage to deal with downtime caused by nightfall or weather patterns, which offer resilience against disruptions caused by outages, unlike fossil fuel systems, they added. But this is not to say that renewable energy systems do not currently, or will not eventually, have big vulnerabilities hackers can use to incapacitate the system, Singh and Hodgkinson said. There are countless factors at play. For example, if the renewable energy sector is eventually monopolized or dominated by a handful of companies, it is reasonable to assume that a cybersecurity incident could collapse the entire system for the affected energy provider, according to the researchers.
Better secure and harden the grid. The nascence of Canada’s renewable energy infrastructure presents an opportunity to raise the bar for cybersecurity. In a lot of cases, cleantech is built from the ground up, and as a general rule, it’s a lot easier to have a secure system if you build it with security standards in mind from the outset. “It's very hard to bolt on security after the fact. So from my perspective, cleantech and renewables present, actually, an opportunity to better secure and harden the grid,” Plurilock said. “Whereas trying to secure the legacy grid, it's actually a much, much harder problem.”
Concerns have also been raised about vulnerabilities with solar power. Research from 2016 said flaws in a company’s solar panels could make the electricity grid vulnerable to hacking, namely through the panels’ internet-connected inverters. Inverters take electricity generated by the panels and convert it so it can be used on the power grid. At the time, a different researcher told the BBC he thought the risk to power grid stability was present, though less extreme than the study outlined. Only some inverter models had vulnerabilities, according to the company. Reflecting on this research seven years later, current researchers say they “wouldn’t single out solar as being any more vulnerable than other types of renewable or fossil fuel infrastructure,” primarily because the bar for cybersecurity is fairly low for all types of energy infrastructure. To deter attackers, upcoming renewable energy infrastructure must be subject to “vigorous regulatory enforcement,” they maintain.
There are a few different, commonly used standards to guide cybersecurity measures and best practices: namely, an international standard and a US standard. Canada has a national standard, but the country does not require Canadian companies and organizations to meet any of those standards. Most organizations “follow a flavor that is pretty similar to those standards,” Plurilock said, adding that it is challenging for larger organizations to comply with multiple standards across different markets, so simplifying and aligning on just a few existing standards would be beneficial. On the flip side, smaller companies with fewer resources may be harder pressed to align with these standards. Another industry insider says strong regulations for cybersecurity are key, regardless of sector. “It’s all about money” and finding a balance of managing risks without spending too much, said the chief innovation officer at cybersecurity firm Mirai Security.
Corporations legally have to make decisions that are best for the business, not necessarily for the country, the people and the environment, so governments have to bring in regulations and force corporations to take measures in the public interest, said Mirai.
Incentive through insurance. The Canadian Centre for Cyber Security works with partners and industry associations in the energy sector to “share cyber threat information and strengthen overall cybersecurity and cyber resilience,” a media relations representative said in a statement. When asked about energy-related examples, authorities cited two “ongoing collaborations” that hinge on information sharing. The cybersecurity centre and the Canadian Gas Association are working together on the Blue Flame Program, which aims to strengthen the security of gas delivery systems across Canada. The other partnership, with Ontario’s Independent Electricity System Operator, looks to reduce cybersecurity risks and provide insights and analysis into the Canadian energy sector. “I think where we're gonna get change is with cybersecurity insurance,” one industry insider said. “If I'm an insurance organization, and I … want to underwrite a large oil and gas or … renewable energy organization, I want to make sure that they're doing as much as they can to strengthen their cybersecurity,” he added.
South of the border, the US is pursuing research into solar cybersecurity and in 2020 released a multi-year plan to improve cybersecurity in renewable energy systems and other areas. The Wind Energy Office also has a specific roadmap for wind energy cybersecurity. More often than not, experts often look to the US to keep up to date on the latest regulatory and technical developments in cybersecurity, noting there is a “lack of reliable and consistent reporting sources” for Canadian cybersecurity developments.
US - AT&T recently fixed a vulnerability that would have allowed anyone to take over someone’s account on ATT.com just by knowing their phone number and ZIP code. A cybersecurity researcher nicknamed ‘Doc’ discovered the bug earlier this year, finding a way to abuse an account merging feature. The issue allowed him to effectively merge his own account with anyone else’s, giving him the ability to update that account’s password and take control of it. “This could have allowed an attacker to SIM swap a person, change any of their details, cancel their service and much more,” he said in an interview. “Obviously SIM swapping is a big deal these days, imagine how this would have played out in the wrong hands.” An AT&T spokesperson confirmed the problem. “The issue was fixed promptly through our established bug bounty program, and there is no evidence that it was exploited beyond the researcher,” the spokesperson said.[8]
AT&T has a subscriber base of approximately 81.5 million postpaid and 19 million prepaid customers. Doc said the vulnerability was simple to exploit. After creating a free ATT.com profile, an attacker could go to the “combine accounts” tab and select “already registered accounts.” After entering the victim’s phone number and ZIP code, the victim’s masked user ID would appear and the attacker would be prompted for that account’s password. From there, Doc explained, an attacker could intercept the request carrying the password and use the website’s backend to redirect the password check to an account the attacker controls, so that the merge completed against the victim’s account without the victim’s password.
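The underlying bug class is a two-step flow whose second step authenticates an account chosen by the client instead of the account selected in the first step. The model below is an added example and is not AT&T’s code: the account store, the masked-ID rule, PBKDF2 hashing and all user IDs are invented to illustrate the flaw and its fix. VulnerableMerge checks the password against whatever auth_user_id the client sends, then merges the account remembered from the lookup; HardenedMerge keeps the same request shape but authenticates only the server-side pending target and consumes it so the step cannot be replayed.

```python
import hashlib
import hmac
import os

# Hypothetical model of a carrier "combine accounts" flow. Names and data are invented;
# this is not AT&T's code. PBKDF2 and the masking rule are assumptions for the model.


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccountStore:
    """Accounts keyed by user ID; `managers` records which user IDs may administer each account."""

    def __init__(self):
        self.accounts = {}
        self.managers = {}

    def create(self, user_id, phone, zip_code, password):
        salt = os.urandom(16)
        self.accounts[user_id] = {"phone": phone, "zip": zip_code, "salt": salt,
                                  "hash": _hash_pw(password, salt)}
        self.managers[user_id] = {user_id}

    def check_password(self, user_id, password) -> bool:
        acct = self.accounts.get(user_id)
        return acct is not None and hmac.compare_digest(acct["hash"], _hash_pw(password, acct["salt"]))

    def find_by_phone_zip(self, phone, zip_code):
        return next((uid for uid, a in self.accounts.items()
                     if a["phone"] == phone and a["zip"] == zip_code), None)

    def reset_password(self, actor, target, new_password) -> bool:
        """Only a manager of the target account may change its password (the takeover step)."""
        if actor not in self.managers.get(target, set()):
            return False
        salt = os.urandom(16)
        self.accounts[target].update(salt=salt, hash=_hash_pw(new_password, salt))
        return True


def mask(user_id: str) -> str:
    return user_id[:2] + "*" * (len(user_id) - 2)


class VulnerableMerge:
    """Step 1 finds the other account by phone + ZIP and shows a masked ID.
    Step 2 takes a password and an account ID *from the client* and authenticates that ID."""

    def __init__(self, store: AccountStore):
        self.store = store

    def lookup(self, session, phone, zip_code):
        uid = self.store.find_by_phone_zip(phone, zip_code)
        if uid is None:
            return None
        session["pending_target"] = uid  # the account that will be merged
        return mask(uid)

    def confirm(self, session, auth_user_id, password) -> bool:
        # BUG: the account whose password is checked (auth_user_id, chosen by the client)
        # is never tied to the account that gets merged (session["pending_target"]).
        if not self.store.check_password(auth_user_id, password):
            return False
        self.store.managers[session["pending_target"]].add(session["actor"])
        return True


class HardenedMerge(VulnerableMerge):
    """Same request shape, but the server authenticates the account it looked up in step 1,
    ignores the client-supplied ID, and consumes the pending target so it cannot be replayed."""

    def confirm(self, session, auth_user_id, password) -> bool:
        target = session.pop("pending_target", None)
        if target is None or not self.store.check_password(target, password):
            return False
        self.store.managers[target].add(session["actor"])
        return True


def run_merge_attempt(service_cls, auth_user_id, password):
    """Attacker looks up the victim, then submits step 2 with a chosen ID and password.
    Returns (merge_succeeded, attacker_can_reset_victim_password)."""
    store = AccountStore()
    store.create("victim01", "+15551234567", "19103", "victim-secret")
    store.create("attacker", "+15550000001", "10001", "attacker-pw")
    store.create("attacker2", "+15550000002", "10002", "attacker-pw2")  # second account the attacker owns
    svc = service_cls(store)
    session = {"actor": "attacker"}
    assert svc.lookup(session, "+15551234567", "19103") == "vi******"
    merged = svc.confirm(session, auth_user_id, password)
    takeover = store.reset_password("attacker", "victim01", "owned")
    return merged, takeover


if __name__ == "__main__":
    print("vulnerable:", run_merge_attempt(VulnerableMerge, "attacker2", "attacker-pw2"))
    print("hardened:  ", run_merge_attempt(HardenedMerge, "attacker2", "attacker-pw2"))
```

The check to add in review of any merge, link or recovery flow is the same: every identifier that selects the account being authenticated must come from server-side state created by the previous step, never from the request body, and the proof of control (password, OTP) must be verified against that same account.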
Doc used his own accounts to test the attack method and it worked. He posted a video on YouTube of the issue depicting the process. Although Doc’s reported vulnerability was eventually fixed, he wasn’t completely satisfied as he felt his bug bounty payment of $750 was low considering the severity of the issue, ease of exploitation and the fact that AT&T is one of the world’s largest telecommunications companies. He noted that a similar bug he found affecting Vodafone netted him nearly $5,000 and that company “didn’t even have a public bounty program."
AT&T did not respond to requests for comment about the bounty payment, but several cybersecurity experts backed the researcher’s assessment that the issue was worth more than he was paid. Contrast Security CISO David Lindner said the vulnerability was “really bad” and “could have led to complete account compromise for many ATT accounts, and then from there, who knows what could have happened such as changing SIMs, removing accounts, adding phones to other’s payment profiles, etc.”
A KnowBe4 representative agreed that “this is a pretty big flaw. The resulting action … the merged accounts … is even a bit strange, in how easy it is to do,” he said. “It makes me think there are multiple, either related or unrelated additional flaws, that are activated in this particular account attack scenario.” KnowBe4 noted that similar issues continue to happen repeatedly at major telecoms such as AT&T, T-Mobile and Verizon. Just three weeks ago, TechCrunch reported that hackers exploited an AT&T vulnerability to steal cryptocurrency.
Doc cited the repeated announcements from all three major US telecoms about data breaches over the last five years as evidence that SIM swapping still runs rampant. He noted that if any cybercriminal or more sophisticated group got a hold of the issue, “mass chaos would have erupted. We are talking about a way to get into anyone's AT&T account, just by knowing their phone number and ZIP code. The merge feature has been around for awhile. Who's to say it hadn't been exploited and even if it wasn't, don't you think the public should be aware that they left the door wide open for over a year?” he said.
The US Federal Communications Commission (FCC) confirmed in January that there have been multiple breaches affecting the country’s largest telecommunications companies: Verizon, T-Mobile and AT&T. The FCC is now mulling changes to the breach notification rules for telecommunications companies due to the increased amount of data the companies hold. Doc said his hope is that mobile carriers will eventually take issues like the one he discovered more seriously. “Pretty much everyone uses a cellphone. It's an important part of our daily life,” he said.
Cuba? – The Philadelphia Inquirer attack reported earlier by Red Sky Alliance has a new twist: a ransomware group removed its listing of The Philadelphia Inquirer from its darknet extortion site last week after the company cast doubt on the authenticity of the documents the criminals provided for download. On 23 May, the ransomware gang known as Cuba, which has attacked at least 100 organizations globally and brought in more than $60 million as of last August, according to US authorities, added the Inquirer to its website’s list of victims.[9] But within 24 hours, that listing had been removed. While this normally occurs when victims make an extortion payment or begin negotiating one, this listing disappeared following questions about whether the uploaded documents were actually from the cited victim.
Cuba claimed to have posted a trove of files stolen from the Inquirer, including "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, source code.” But the newspaper’s publisher said that the company had seen no evidence that the information was related to the newspaper, and a review of the documents by the paper's reporters didn't find anything that appeared to come from the company itself. While the ransomware gang's name and branding reference “Cuba,” there is no direct evidence that the Caribbean state has any connection to the criminals themselves. Earlier in May, the Inquirer announced that it had detected "anomalous activity" that disrupted its publication of the Sunday print newspaper, although the company did not confirm whether the incident was caused by a cyberattack.
Reporters at the newspaper, which was first published in 1829 and has won 20 Pulitzer Prizes, said the episode raised questions about the company’s cybersecurity practices, highlighting that it “does not require multi factor authentication for many of its key systems.”
Researchers at Google and Ukraine's Computer Emergency Response Team believe that the criminals behind the ransomware may be connected to the Russian state (friends to Cuba), as they have been seen targeting government systems in Ukraine and Montenegro. Google said the group, which previously appeared financially motivated, is now “behaving more similarly to an actor conducting operations for intelligence collection.”
[1] https://www.hackread.com/capcut-users-phishing-sites-malware/
[2] https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
[3] https://www.bleepingcomputer.com/news/security/new-powerexchange-malware-backdoors-microsoft-exchange-servers/
[4] https://www.fortinet.com/blog/threat-research/operation-total-exchange-backdoor-discovered
[5] https://aptmap.netlify.app/#OilRig
[6] https://www.rnz.co.nz/news/national/490864/hackers-selling-access-to-school-it-systems-cyber-security-firm-says
[7] https://www.nationalobserver.com/2023/05/29/news/hackers-claim-they-went-after-canada-gas-infrastructure-can-renewables
[8] https://therecord.media/att-resolves-issue-allowing-account-takeover/
[9] https://therecord.media/philadelphia-inquirer-cyber-incident-cuba-ransomware-group/