Activity Summary - Week Ending on 13 July 2023:

  • Red Sky Alliance identified 2,507 connections from new IPs checking in with our Sinkholes
  • Akamai hit 39x
  • 278 ‘new’ botnet hits
  • Kings of Translation
  • China Spyware
  • SmugX
  • Nigeria
  • Higher Education

Red Sky Alliance Compromised (C2) IPs

172.232.13.47 was not reported in AbuseIP, yet it was found 39 times in Red Sky Alliance's collection of malicious data.
172.232.13.0 - 172.232.13.255 is an IP address range owned by Akamai Technologies, Inc. and located in the United States.
https://db-ip.com/all/172.232.13

IP               Contacts
172.232.13.47    39
194.169.175.37   3
194.169.175.36   3
84.239.14.133    2
39.103.168.88    2

On 12 July 2023, Red Sky Alliance identified 2,507 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants and number of contacts.  Sality and Corkow have consistently remained the top variants; Shiz follows.

Red Sky Alliance Malware Activity

Malware Variant    Times Seen
sality             2348
corkow             129
shiz               17
poweliks           8
trojan:algureom    6

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 12 July 2023, analysts identified 278 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sampling of botnet trackers).  We are currently upgrading this collection.

First Seen             Botnet Attribution        Infected Host’s IPv4 Address
2023-07-09T18:11:32    HTTP proxy|port: 80       8.219.56.111
2023-07-09T18:10:24    HTTP proxy|port: 80       8.219.74.240
2023-07-09T12:06:40    HTTP proxy|port: 80       8.219.113.99
2023-07-11T04:20:21    HTTP proxy|port: 80       8.219.193.202
2023-07-09T00:29:27    SOCKS4 proxy|port: 4153   45.172.225.25

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Kings of Translation - Among the thousands of exposed documents were a Florida driver’s license, a letter from a Ukrainian ambassador, and an FBI background check document.  People think that offline paper documents would never pose an online data risk.  However, this is a mere assumption because the latest research suggests that compromising these documents is possible.[1]

A Website Planet security researcher has discovered a non-password-protected database that contained over 25,000 records, all publicly exposed, including ‘highly sensitive’ documents.  The database reportedly belonged to a global translation service provider, Kings of Translation.  What is interesting is that Kings of Translation is a New York-based company that claims to be a premium translation service provider in the country, facilitating the translation of over 120 languages.

Database Contents: research revealed that the exposed data contained PII (personally identifiable information), internal screenshots of the source code, and customer documents stored in the uploads folder, including the following:

  • Passports
  • Driver licenses
  • Business documents
  • Denied visa petitions
  • Birth and Marriage records
  • US Federal and State tax filings

These files belonged to customers from across the globe.  There were around 25,601 records contained in the database.

How was the Database Owner Discovered?  Researchers found invoices and references linked to the NYC-based Kings of Translation.  This is how the researcher identified the database’s owner.  Kings of Translation allows customers to upload documents and transfer payments automatically through its own technology.  This is the first time the Website Planet researcher has come across data from a translation service and its customers in his career.  He also noted that this was the first time such a varied set of documents was part of a single database.

Possible Security Risks:  It was an alarming discovery since it involved a business that collected all sorts of documents.  Usually, businesses store data related to their industry.  But this case was different.  Since the database belonged to a translation service, the documents were sensitive, as many of them were required by educational institutions or foreign governments.

Moreover, the documents revealed crucial personal details such as birth, marriage, divorce, and death certificates.  Website Planet also shared screenshots of some of the exposed documents, which included a Florida driver’s license, a letter from a Ukrainian ambassador, and an FBI background check document.

An FBI document and a Florida driving licence are among the trove of leaked documents (Image: Hackread.com via Website Planet)

Many legal documents were also part of the leak, for instance, court documents, contracts, certificates requiring translation to ensure compliance with legal requirements, and visa or immigration-related documents.  Such documents, if exposed, can leave impacted people vulnerable to tax fraud or identity theft: cybercriminals may file false tax returns, claim a refund on behalf of the victim, or obtain credit in their name.  Government documents and correspondence may reveal business trade secrets, leaving the victim liable for debts, fees, or penalties.  Website Planet notified the company immediately, and public access to the database was restricted on the same day.  The researcher could not determine how long the database had remained publicly exposed before access was restricted and has not yet received any response from Kings of Translation.

GLOBAL TRENDS:

China - Mobile security solutions provider Pradeo’s security researchers have shared details of the spyware they discovered hiding on the Google Play Store.  According to the report published on 6 July 2023, Pradeo’s behavior analysis engine recently detected two apps (File Recovery and Data Recovery, with 1 million installations, and File Manager, with 500,000 installations) containing hidden spyware, which may have impacted up to 1.5 million users.[2]

Interestingly, both were created by the same developer. The malicious apps appeared to be harmless file management software, but in reality, they showcased malicious behavior.  These apps can self-launch without user interaction and secretly exfiltrate sensitive user data to several malicious servers in China.

Malicious apps (Pradeo)

What Data Did These Apps Collect?  The app profiles on the Google Play Store state that they do not collect any data from the device, but according to Pradeo’s blog post, these are false claims.  Research revealed that the apps collected highly personal data from their targets and transferred it to over one hundred different destinations, all of which were in China and were malicious.

The spyware apps collected the following data:

  • OS version number
  • Device brand/model
  • Real-time user location
  • Network provider’s name
  • SIM provider’s network code
  • Mobile phone’s country code
  • Pictures, video, and audio content
  • Device’s contact lists (all linked accounts, email and social networks)

How Do the Apps Trap Users?  The hacker used various techniques to make these apps appear legitimate.  For instance, the spyware apps show a large user base but have no reviews.  Researchers believe that the hacker must have used mobile device emulators or install farms to inflate the numbers and improve the apps’ ranking on the store.  Another tactic is minimal user interaction, since the apps can launch automatically when the system starts; they can therefore continue their malicious operations even if the app is not in use.  Also, these apps are not visible on the home screen, and their icon remains hidden to prevent uninstallation.

How to Stay Safe?  Although Google has removed these apps, if you have downloaded and installed them from a third-party store, delete them immediately, and never download apps that have no reviews, even if they show a large user base.  Also, do not forget to go through the reviews, if there are any, to detect foul play.  Organizations should automate mobile detection and response by vetting apps and determining whether they comply with their security policies.

China SmugX - Check Point Research’s (CPR) cyber threat intelligence researchers have discovered a disturbing attack trend.  According to CPR’s report published on July 3, 2023, Chinese threat actors have become increasingly interested in targeting European governments, embassies, and foreign local policy-making entities. Eastern Europe is among their preferred targets, with prime targets being Slovakia, the Czech Republic, and Hungary.[3]  This newly discovered campaign is called SmugX.  Researchers claim that this campaign has been active since December 2022, but they believe that it is an extension of a previously discovered campaign linked to Mustang Panda and RedDelta. Interestingly, both groups are Chinese.

As far as the attack method is concerned, research revealed that in SmugX, attackers are using HTML smuggling to target European embassies.  In this method, the modular PlugX malware implant is smuggled (hidden) inside HTML documents.  Hackers use this technique to trick web security systems and evade antivirus mechanisms or other security defenses.  HTML smuggling exploits HTML features to conceal malicious documents from automated content filters, embedding them as JavaScript blobs that are reassembled on the targeted device.
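As an added illustration of the detection side of the technique described above (this is not code from Check Point Research or the original post), the following Python heuristic scans an HTML file's inline scripts for the building blocks of an HTML-smuggling chain: an embedded base64 payload, in-browser decoding, Blob reassembly, and a save path.  The two fixtures are constructed for the demonstration and carry an inert payload; the indicator names, thresholds, and the verdict scale are assumptions of this example.

```python
"""Heuristic scanner for HTML smuggling indicators in an HTML document."""
import re

# Building blocks of the chain the SmugX write-up describes: a payload carried
# inside the page, decoded by script, reassembled as a Blob and handed to the
# browser's save path. Each alone is common on benign sites; together they are
# the signal, so the verdict is based on the combination, not single hits.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "octet_stream": re.compile(r"application/octet-stream"),
}
# A long run of the base64 alphabet inside a string literal: the embedded payload.
EMBEDDED_B64 = re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']")
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def scan_html(html):
    """Return (verdict, findings) for one HTML document.

    Only inline <script> bodies are examined (a crude but adequate extraction
    for a triage heuristic); findings is the sorted list of matched names.
    """
    code = "\n".join(SCRIPT_BODY.findall(html))
    findings = {name for name, rx in INDICATORS.items() if rx.search(code)}
    if EMBEDDED_B64.search(code):
        findings.add("embedded_payload")
    # decode -> Blob -> some save path is the smuggling chain
    has_chain = {"atob", "blob_ctor"} <= findings and bool(
        {"object_url", "download_attr", "ms_save_blob"} & findings)
    if has_chain and "embedded_payload" in findings:
        verdict = "likely_html_smuggling"
    elif has_chain or len(findings) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, sorted(findings)


# Constructed test fixtures, not material from the SmugX campaign. The inert
# "payload" is the base64 of "ABC" repeated, so nothing harmful is assembled.
BENIGN_PAGE = """<html><body><script>
const token = atob(localStorage.getItem('jwt') || '');
fetch('/api/session', {headers: {Authorization: token}});
</script></body></html>"""

SMUGGLED_PAGE = """<html><body><script>
var data = '""" + "QUJD" * 60 + """';
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'sample.bin';
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("smuggled", SMUGGLED_PAGE)):
        print(name, *scan_html(page))
```

A single `atob` call, as in the benign fixture, is left alone; the verdict only escalates when decoding, Blob construction and a save path appear together, which is the combination worth routing to a sandbox or analyst.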

It is worth noting that PlugX is a commonly used tool for HTML smuggling.  Multiple Chinese threat actors have used this malware previously, such as the group that targeted the Vatican in 2020 or the one that targeted the Indonesian Intelligence Service in 2021.  The malware was also used to target users in Mongolia, Ghana, Papua New Guinea, Nigeria, and Zimbabwe in a USB drive-based campaign.

CPR researchers agree that SmugX’s primary objective is to obtain sensitive data on the foreign policies of the targeted countries.  This analysis is based on the lure samples posted to the malware repository on VirusTotal. The filenames of these samples were self-explanatory.  Researchers wrote that the names strongly suggested that the attackers wanted to target diplomats and government entities, whereas the content contained mainly diplomatic-related content related to China.  The attack utilizes several .docx and .pdf files containing diplomatic content.

CPR researchers obtained a letter from the Serbian embassy in Budapest, a document revealing the Swedish Presidency of the Council of the European Union’s priorities, and an invitation from the Hungarian foreign ministry for a diplomatic conference.   The researchers also discovered an article about the two Chinese human rights lawyers who had received a ten-year sentence.  Here are the titles of these documents:

  • 202305 Indicative Planning RELEX
  • Draft Prague Process Action Plan_SOM_EN
  • 2262_3_PrepCom_Proposal_next_meeting_26_April
  • Comments FRANCE – EU-CELAC Summit – 4th May
  • China jails two human rights lawyers for Subversion

One of the phishing documents (left) – Targeted countries (right)

“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” CPR researchers noted.  CPR is still investigating and monitoring SmugX activities and will share new details soon. Please continue to visit this platform for the latest updates on SmugX.

Nigeria - The Cyber Security Expert Association of Nigeria (CSEAN) has revealed in a report that Small and Medium Scale Enterprises (SMEs) received the most cyber-attacks in 2022.  The report titled ‘Nigeria Cyber Threat Landscape 2022’ was presented during a two-day conference of the group in Abuja.  NAN reports that the study sheds light on trends in cyber-attacks in 2022 and could provide insights into occurrences in 2022.[4]

Data on cyber-attacks on SMEs:  According to the report, phishing attacks on SMEs increased by 87% in 2022 compared to 37% in 2021.  The group's Director of Research and Development, Mr. John Odumesi, said there was a spike in corporate phishing attacks in 2022 and that data protection policies and disclosures were lagging.  In his words, “Part of the findings and key threat trends we discovered is that data protection policies enforcement and disclosure practices are grossly lagging; there is a surge in corporate phishing attacks.  There is a rise of ransomware in the industrial control system environment, compromise of business emails, and malware such as Backdoor skyrocketed.”

What can business owners do to protect themselves from cyber-attacks?  On how organizations can protect themselves from cyber-attacks, Mr. Odumesi noted that individuals and organizations need to have a detailed cyber-security policy and an incident response plan.  He said, “To combat cyber-attacks, we need to maintain a detailed cyber security policy; individuals and organizations should be email skeptic; organizations should develop an incident response plan.  We also need to protect our systems, travel wisely on the internet, avoid password pitfalls, and engage the services of cyber security experts.”

Mr. Odumesi noted that the study surveyed over 552 participants and also collated reports from online media and other cyber security reports.  Also speaking during the conference was the Chief Technology Officer (CTO) of CyberSoc Africa, Mr. Yaniv Ovitz, who noted that there had been general progress in combating cyber-crimes, especially in the fintech space, from 2019, but that efforts nosedived because of talent loss due to the ‘japa syndrome.’

Role of relevant stakeholders in combating cybercrimes:  The territory manager of Sophos West Africa, Mr. Jimi Falaiye, noted that cyber security is a continuous exercise and perfection cannot be achieved.  He said, “Cyber security ecosystem is a dynamic environment, so we have threat actors; these are the bad guys who are investing a lot in launching their attacks.  Meanwhile, from the internal, it is usually reactive for most organizations, and it has formed an imbalance in the system.  The good guys in organizations are trying to catch up with what the bad guys are doing, which should be on the contrary.”

Statistics on Cybercrime in 2021:  Nigerian businesses have been battling cyber threats of various kinds in recent times.  According to Sophos, a cyber security firm, as reported by Nairametrics, 71% of Nigerian firms were hit with ransomware in 2021.  Sophos also reported that Nigerian businesses paid as much as $706,452 in ransom to cyber-criminals in 2021.

International Education - As higher ed IT administrators have battled a growing onslaught of cyber threats since the COVID-19 pandemic, cyber criminals have worked to stay one step ahead of them with more sophisticated targeting of users and imitating network systems, according to some education analysts and officials.  According to a 2023 report from the cybersecurity company SonicWall, the nature of cyber-attacks against higher ed appears to have changed and adapted to new security measures in the past few years. While much of the focus has been almost solely on ransomware attacks and data breach incidents — such as the recent MOVEit hack that has affected state and federal agencies and universities around the globe — the SonicWall report said malware attacks at colleges and universities also increased significantly between 2021 and 2022.  It added that the threat of phishing attempts has remained, with some organizations battling what feels like a never-ending onslaught of more sophisticated phishing attacks.[5]

The vice president of strategy at Jamf, a software company that makes mobile device management tools, wrote in an email to Government Technology that part of what makes IT security increasingly challenging is the fact that cyber criminals have myriad tactics to exploit vulnerabilities created partly by efforts in recent years to digitize instruction and daily operations.  Aside from the exorbitant cost of ransomware attacks against institutions such as Lincoln College, which was forced to close permanently in May 2022, the collection of so much data on digital systems has also exacerbated the cost of cyber incidents for staff and students, practically and financially.  He pointed to a 2021 report from the Center for Digital Education that said data breaches cost each student an average of $250.

Unlike large corporations with more capital to put toward IT security, and government agencies that are often also tasked with providing supplemental funding to K-12 schools for cybersecurity, he said “many universities and colleges may have limited cybersecurity resources and budgets,” which are threatened by enrollment declines across higher ed.  “There have been major changes in the targeting of students and staff through sophisticated emails that mimic the systems used by the university.  These emails ask individuals to change their passwords, et cetera.  This is a key area of concern due to the increase in password fatigue, which leads to many people handing over their information or clicking on phishing links,” he wrote.  “As more staff and students utilize IT tools, the target radius has increased over the years … One key vulnerability is the weakness of university systems, as outdated technology makes it easy for hackers to break through. Increased sophistication is also evident in SQL (structured query language) attacks through a higher education or school website, providing an entry point through online forms used to support users, but exploited by hackers.”

Cyber criminals also frequently employ automated tools to launch “credential stuffing” attacks against higher ed institutions, making use of compromised username and password combinations from other breaches to gain unauthorized access to accounts for financial gain or to access research data.  “Weak or reused passwords can make institutions more vulnerable to these attacks,” he said, adding that the recent surge in attacks on higher ed institutions demonstrates a need for cybersecurity awareness campaigns and modernizing IT infrastructure.

An information security official at California State University’s Chancellor’s Office wrote in an email that universities should conduct regular vulnerability assessments, update policies for more robust cybersecurity planning, and institute multifactor authentication to mitigate the threats posed by the evolution of cyber-attacks.  “Developing an incident response plan, fostering collaboration and providing continuous cybersecurity education are also crucial,” she wrote.  “Prioritizing these measures helps protect sensitive data, intellectual property and the institution’s reputation.”

Oregon State University’s CISO said the increase in cyber-attacks had already been unfolding and evolving before the rapid digitization spurred by remote learning during the pandemic compounded the threat.  He said offices across Oregon State have been aggressively targeted with phishing attacks and other fraud schemes, in addition to threats like ransomware.  “The key thing that ties this all together is the financial gain these actors are looking to achieve,” he said.

The University of North Carolina at Greensboro’s CISO wrote in an email to Government Technology that while the (usually financial) motivations remain the same for most cyber criminals, their tactics have evolved since COVID-19 began.  He said bad actors have created malware, ransomware and distributed denial of service (DDoS) attacks that are “progressively more deceptive, more authentic in appearance, and more targeted,” partly due to their financial incentives for targeting higher-ed organizations.  His suggestion was to take away the incentive for cyber criminals to extort universities.  “Although not an absolute deterrent control, perhaps a policy or regulation to eliminate negotiation with ransomware groups is a worthy consideration,” he wrote.  “For example, North Carolina passed the first state law in November 2021 which prohibits all state agencies, the University of North Carolina, cities, counties, local schools and community colleges from payment or communication with ransomware groups. Another impactful suggestion, at an institutional level, would be to require annual information security awareness training for all employees, including their participation in a non-punitive, simulated phishing program — all of which is critically important to provide stakeholders the knowledge and confidence to safeguard their security interests.”

[1] https://www.hackread.com/global-translation-service-exposed-records/

[2] https://www.hackread.com/china-spyware-google-play-store-apps/

[3] https://www.hackread.com/smugx-attack-chinese-hackers-europe/

[4] https://nairametrics.com/2023/07/12/smes-in-nigeria-were-major-victims-of-cyber-attacks-in-2022-csean/

[5] https://www.govtech.com/education/higher-ed/how-are-higher-ed-cyber-attacks-evolving
