Activity Summary - Week Ending on 31 August 2023:

  • Red Sky Alliance identified 1,387 connections from new IPs checking in with our Sinkholes
  • Amazon Hit Only Twice
  • 69 ‘new’ Botnet hits
  • Whiffy Recon – New Smoke Loader
  • DuoLingo Forum
  • Akira Ransomware
  • UK and EU
  • Latin America
  • ASEAN

Red Sky Alliance Compromised (C2) IPs

18.237.210.19 was reported 2 times.  Confidence of Abuse is 13%  ISP:  Amazon.com Inc.;  Usage Type:  Data Center/Web Hosting/Transit;  Hostname(s):  ec2-18-237-210-19.us-west-2.compute.amazonaws.com;  Domain Name:  amazon.com;  Country: USA, City: Portland, Oregon
https://www.abuseipdb.com/check/18.237.210.19

 

IP                Contacts
18.237.210.19     2
172.172.123.62    2
85.174.196.166    1
78.85.48.56       1
66.249.70.164     1

On 31 August 2023, Red Sky Alliance identified 1,387 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant    Times Seen
sality             1278
corkow             84
tinba              3
nivdort            3
nflog              3

Top 5 malware variants and number of contacts.  Sality and Corkow have consistently remained the top variants; Tinba follows.

Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 31 August 2023, analysts identified 69 new IP addresses participating in various botnets (call for the full .csv Blacklists; below is only a small sampling of botnet trackers).  We are currently upgrading this collection.

First Seen             Botnet Attribution      Infected Host’s IPv4 Address
2023-08-25T18:29:27    HTTP proxy|port: 999    45.70.201.253
2023-08-25T18:29:27    HTTP proxy|port: 999    45.70.201.254
2023-08-25T18:30:17    HTTP proxy|port: 999    45.175.236.32
2023-08-25T16:50:24    HTTP proxy|port: 999    45.175.239.24
2023-08-25T16:50:27    HTTP proxy|port: 999    45.175.239.64

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Whiffy Recon - Cybersecurity researchers at Secureworks have detected a new custom Wi-Fi scanning payload that they have named Whiffy Recon. The malicious executable hunts for the geolocation of compromised systems; in the case of Whiffy Recon, the targeted devices are Windows based.  Secureworks’ Counter Threat Unit has shared details of a brand-new Smoke Loader botnet that infects compromised devices with this custom Wi-Fi scanning executable. They observed the malicious activity on 8 August 2023.  For your information, Smoke Loader, also known as Dofoil, is a type of botnet malware that is often used to deliver various payloads to compromised computers. It is categorized as a downloader and is commonly associated with the distribution of other types of malware, such as banking Trojans, ransomware, and cryptocurrency miners.  Previously, in April 2019, the Smoke Loader botnet was found spreading a banking trojan to steal $4.6 million from victims. Another campaign, exposed in July 2018, used the botnet to drop the Kronos banking trojan on unsuspecting victims.  As for the latest campaign, Whiffy Recon triangulates the positions of infected devices by using any nearby Wi-Fi access points as data points for the Google Geolocation API. For your information, the Google Geolocation service triangulates a system’s location and returns coordinates using mobile network and Wi-Fi access point data.

JSON-structured scan results in HTTPS POST request sent to Google Geolocation API. (Source: Secureworks)

According to Secureworks’ blog post, the payload starts its operation by scanning for the WLANSVC service on the compromised device. This is performed to confirm the Windows-based device has a wireless capability and exits if it isn’t present. It must be noted that Whiffy Recon only scans for the feature’s presence and not whether it is working or not.[1]

It maintains persistence on the device by creating a wlan.lnk shortcut in the Startup folder that points to the Whiffy Recon executable’s exact location on the system. The malware’s main code has two loops: one registers the bot with the attacker’s C2 server and the other scans for Wi-Fi using the Windows WLAN API.  The second loop runs repeatedly at 60-second intervals to keep obtaining geolocation data. The scan results are mapped to a JSON structure, which is transmitted to the Google Geolocation API through an HTTP POST request.

This information is then mapped to another JSON structure that contains information about every wireless access point present in that area and the encryption methods they use.  The purpose behind obtaining this information is still unclear to researchers. However, they suspect that attackers might want to “intimidate victims or pressure them to comply with demands.” Secureworks researchers urge organizations to use available controls and restrict access to Wi-Fi.
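One defensive angle the description above suggests is the fixed 60-second cadence of the geolocation POSTs: a scanning loop produces a tight cluster of inter-request gaps that an occasional legitimate lookup does not. The following detector is an added example, not code from Red Sky Alliance or Secureworks; it runs over constructed proxy log lines (the timestamp/client/method/URL layout, the client addresses and the `www.googleapis.com/geolocation` path are assumptions for the example) and flags clients whose POSTs recur at a near-constant interval.

```python
"""Flag Whiffy-Recon-style beaconing: HTTP POSTs to the Google Geolocation API
that recur at a near-constant interval (the loop described above sleeps 60 s).
All log lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO time> <client> <method> <url>"
SAMPLE_LOG = """\
2023-08-08T09:00:00 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:00:03 10.0.0.7 GET https://www.example.com/
2023-08-08T09:01:00 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:02:01 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:02:40 10.0.0.7 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:03:00 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:04:00 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:04:59 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-08T09:17:12 10.0.0.7 POST https://www.googleapis.com/geolocation/v1/geolocate
"""

# URL fragment to match; assumed for this example.
GEOLOCATION_API = "googleapis.com/geolocation/"


def parse_log(text):
    """Return (timestamp, client, method, url) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def find_beacons(events, period=60.0, tolerance=5.0, min_hits=5):
    """Group geolocation POSTs by client and flag clients whose inter-request
    gaps average close to `period` with little spread.
    Returns {client: (hits, mean_gap_seconds, stdev_seconds)}."""
    per_client = defaultdict(list)
    for ts, client, method, url in events:
        if method == "POST" and GEOLOCATION_API in url:
            per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_hits:       # too few requests to call it a loop
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        # A user's device asks for its location now and then; a sleep(60) loop
        # produces gaps that sit on top of the period with tiny jitter.
        if abs(avg - period) <= tolerance and spread <= tolerance:
            flagged[client] = (len(stamps), round(avg, 1), round(spread, 1))
    return flagged


if __name__ == "__main__":
    for client, (hits, avg, spread) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {hits} geolocation POSTs, mean gap {avg}s (stdev {spread}s)")
```

With the constructed log, 10.0.0.5 is flagged (six POSTs, gaps of 59 to 61 seconds) while 10.0.0.7's two irregular POSTs are not; tune `period`, `tolerance` and `min_hits` to the sleep interval and log volume you actually see.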

DuoLingo Forum - A hacker has recently disclosed the personal information of approximately 2.6 million users of the popular language-learning platform, Duolingo. Contrary to a conventional data breach where hackers infiltrate an organization’s servers, this incident involved the exploitation of a public API.  The hacker, who also serves as a moderator on the Breach Forums, managed to scrape user data in January 2023, leading to the exposure of account-related details for a vast number of Duolingo users.  Duolingo, known for its accessible and engaging language courses, was caught off guard by the incident. The breach, while not originating from a direct assault on Duolingo’s servers or infrastructure, highlights the complex challenges organizations face in safeguarding user information in a hostile and uncertain environment created by threat actors.

Leaked Data - Hackread.com has examined and analyzed the exposed data, shedding light on its contents. The dataset encompasses the personal information of a staggering 2,658,787 users. This encompassing collection includes critical details such as:

  • Full names
  • Usernames
  • Email addresses
  • Countries of origin
  • The precise dates of account creation
  • The language courses to which users have subscribed

Notably, the gravity of the breach escalated when, prior to the public leak, another threat actor attempted to sell the same data set for $1500.  The revelation of the data on hacker forums and Telegram channels has only exacerbated concerns regarding user privacy and the potential misuse of exposed information.

Screenshot from the leaked Duolingo data (Image credit: Hackread.com)

Duolingo data leaked and sold on Breach Forums (Image credit: Hackread.com)

Duolingo, in response to the breach, is diligently investigating the situation and has intensified its efforts to secure user data. The incident has catalyzed discussions about the protection of user information in an era where APIs, often considered as open doors to data, require heightened vigilance.

Impact - While distinct from a conventional data breach, the exposure of email addresses and full names of 2.6 million Duolingo users still constitutes a significant privacy breach. This incident raises considerable concerns as it exposes individuals to potential risks such as targeted phishing attempts, identity theft, and cyberattacks.  Hackers armed with such specific personal information can craft convincing phishing emails, posing as legitimate entities, to deceive users into sharing further sensitive details or clicking on malicious links.  Moreover, the divulgence of full names can aid cybercriminals in constructing more credible and convincing social engineering schemes, increasing the likelihood of successfully breaching users’ accounts or even conducting scams. As such, even seemingly basic information leaks can lead to severe consequences for affected users.

In an environment where personal data is an invaluable currency, Duolingo data scraping stands as a testament to the ever-evolving methods of hackers and the pressing need for organizations to remain resilient against cyber threats.  As users await the outcome of Duolingo’s investigation, the incident underscores the collective responsibility to maintain digital security and protect user data from falling into the wrong hands.[2]

Akira ransomware has been repeatedly spotted since mid-2023 by several security firms, but this time it has made headlines for targeting big fish: Cisco VPNs.

  • Cisco VPN products are being exploited by the newly identified ransomware group Akira, which focuses on targeted attacks against corporate entities.
  • Akira gang leverages vulnerabilities in Cisco VPNs to gain unauthorized access, enabling them to launch ransomware attacks and demand ransom for sensitive information.
  • The Akira gang’s primary goal is to infiltrate and compromise corporate networks, particularly those lacking multi-factor authentication (MFA) for VPN access.
  • Researchers suspect the hackers might have exploited a zero-day vulnerability, mainly affecting VPN accounts without MFA, to gain unauthorized access.
  • Akira ransomware has been observed targeting various sectors, including education, real estate, healthcare, manufacturing, and corporations, indicating a broad and persistent threat to diverse industries.

Multiple cybersecurity firms have confirmed that Cisco VPN products are being targeted with ransomware, and the perpetrators are members of a relatively new gang identified as Akira.

Corporate entities are the primary target of this ransomware campaign, which is aimed solely at obtaining sensitive information and making money through ransom. All that Akira members need is to log into the accounts of the VPN service.  However, researchers couldn’t determine how the hackers gained access to the Cisco VPN accounts’ login credentials in the first place, considering that Cisco ASA doesn’t feature a logging function.  Akira ransomware has been repeatedly spotted since mid-2023 by several security firms. For instance, Sophos detected it in May and reported that the gang utilized VPN access to target their desired networks through single-factor authentication.

In another report, an incident responder using the alias SecurityAura stated that Akira could only compromise those VPN accounts that didn’t have multi-factor authentication (MFA).  Some researchers believe that attackers may have used brute force to compromise these accounts or bought access from a third party via a dark web marketplace. SentinelOne’s research published on 23 August highlighted that the hackers might have used a zero-day vulnerability that mainly impacted accounts without MFA.

SentinelOne researchers also noted that threat actors have become increasingly interested in inserting ransomware into the codebases of popular products, especially VPNs. Their most preferred ransomware families include Conti, LockBit, and Babuk.  Regarding Akira, SentinelOne researchers wrote that the malware’s Linux variant was discovered in June 2023, but the operations have been active since April 2023. Attackers deliver Akira by exploiting vulnerable public services and applications. Per SentinelOne researchers, they are more inclined to target MFA-based vulnerabilities.

Akira’s attack scope is vast as it targets educational institutions, real estate, healthcare, and manufacturing sectors apart from corporations. Linux versions of Akira ransomware are based on the Crypto++ library for enabling encryption on targeted devices. Akira’s brief command set doesn’t contain options to shut down VMs before encryption.  However, the attacker can control encryption speed and the possibility of data recovery by the victim through the -n parameter. This means if the encryption speed is fast, there is a dim chance that the victim will recover the data using decryption tools. If the speed is slow, there is a good chance the victim can recover data.

Akira’s activities were first detected by the US-based cybersecurity firm Arctic Wolf in March 2023. Per their research, attackers’ main targets were small to medium-sized businesses worldwide, with a considerable focus on the US and Canada. Researchers also found links between Akira and Conti operators.  An Akira decryptor was released by Avast in late June 2023, but the ransomware operators updated the encryptor, so decryption may only work on older versions.  Cisco VPN products are popular among businesses. Organizations rely on them for the secure transmission of data between networks and users, and they are considered mandatory for hybrid and remote workers. This explains why threat actors might be interested in exploiting them. Organizations must remain vigilant and ensure foolproof digital security to prevent data loss and extortion attempts from ransomware operators.

In this regard, My1Login CEO Mike Newman has shared some tips with Hackread.com for organizations to stay protected. “With VPNs providing a direct tunnel, deep into an enterprise’s network, this is not the type of access you ever want to fall into the hands of malicious actors.”  “The best way to protect this access is by implementing two-factor authentication, so any organization using Cisco VPNs must do this as a priority. But it’s also a practice that should be applied to any business using a VPN,” Mike added.  “VPNs are a direct route into the enterprise network, and they open the organization’s networks up to the outside world.  Securing this with multiple layers of authentication is a standard best practice and one of the best ways to avoid getting caught up in incidents like these.”  “Furthermore, it is also critical to implement policies against password reuse as this reduces the risk of one set of breached credentials on the dark web enabling access to other applications and services,” said Mike.

GLOBAL TRENDS:

UK and EU - A few months after the Invasion of Iraq, the British state was attacked by another country, but these attackers were not using bombs and bullets as their weapons, instead, it was the rise of bytes and botnets. 

In the now-distant days of June 2003, there was no dedicated arm of British intelligence working to deal with cyber-attacks, or even a dedicated managed response to an online national security incident, just a working group of digital communications experts based at GCHQ.  So, when a government employee noticed suspicious activity on their workstation, it was these early cybersecurity experts who were called in, reports Gloucestershire Live.   As has now been revealed, this major incident changed the way security and intelligence priorities were viewed by agencies like GCHQ, where threats to key parts of UK defense and infrastructure could be perpetrated at any time and from across the globe. It was the first time the Cheltenham-based signals intelligence agency had to respond to a cyber-attack carried out by another state.[3]

A suspected phishing email, where the sender poses as a reputable person or business, was identified and technical specialists from the Communications-Electronics Security Group (CESG) were brought in. Their analysis discovered malware on the workstation, which was designed to steal sensitive data and evade security software, raising suspicions about the attacker’s intent and setting in motion a series of actions that were transformative to cyber incident investigations.

Due to this incident, for the first time, GCHQ fused its signals intelligence capabilities with its cyber security function to investigate and identify the actor responsible. Analysis by the intelligence service led the CESG to come to the conclusion that the attack had been cyber espionage by another nation state.

This new threat in 2003 is one we all now live with on a daily basis, with many public bodies threatened or held to ransom by hacker networks, including Gloucester City Council. The CESG evolved into the National Cyber Security Centre by 2016, amalgamating various public bodies into one entirely focused on online threats to businesses and institutions. 

Paul Chichester, Director of Operations at the National Cyber Security Centre, said: “Twenty years ago, we were just crossing the threshold of the cyber attack arena, and this incident marked the first time that GCHQ was involved in a response to an incident affecting the UK Government.  “It was also the first time that the UK and Europe started to understand the potential online risks we faced and our response transformed how we investigate and defend against such attacks.  The NCSC and our allies have come such a long way since this incident, and it is reassuring to be at the forefront of efforts to develop tools and techniques to defend against cyber threats and keep our respective nations safe online.”

The National Cyber Security Centre, a part of GCHQ, was set up in October 2016 to help protect the UK from online cyber-attacks.  It combined existing expertise from CESG, the Centre for Cyber Assessment, CERT-UK and the Centre for Protection of National Infrastructure (now the National Protective Security Authority).

Latin America - Gabriella Batalha didn't think much when she noticed she had been logged out of Instagram - until the next day when she found her account overrun with sensational posts touting high-yield cryptocurrency investments.  To recover her account, the 27-year-old lawyer from Rio de Janeiro had to pay 200 reais ($40) to a "consultant" she found on YouTube, a man she says could have been a scammer himself.  "It took me two days to recover my account, and I was under a lot of stress," she said.  Batalha is not alone.  Online scams in Brazil jumped 65% last year to over 200,000, according to data from the Brazilian Public Security Yearbook published last month.

And across Latin America, online frauds and cyberattacks are at an "all-time high," says cybersecurity company Tenable, posing an urgent problem for a well-connected region.  Latin America's recent progress on technological inclusion has created new opportunities for scams, experts say, with the pandemic fueling a trend toward mobile banking and shopping using payment systems like Brazil's hugely popular PIX.

The region is increasingly online.  In 2022, 77.9% of the population in Latin America and the Caribbean used the internet, up from 74.8% the year before and above the global rate of 66.3%, according to the International Telecommunication Union (ITU).  And nearly half of Latin American internet users spend an average of six hours a day on social media, according to a report by cybersecurity company Kaspersky.  "The increasing reliance on new technology has made it easier for cybercriminals to attack more frequently," said Kerry-Ann Barrett, a cybersecurity specialist at the Organization of American States (OAS).  The threats are increasingly complex and costly, costing the region billions annually, Barrett said.

In Peru, for example, a gang scammed a construction company out of over $62,000 by pretending to be a bank with a fake website, according to the attorney general's office.  In Mexico, scammers have targeted unsuspecting victims with fake job offers via text message, only to entice victims to share sensitive personal data, according to media reports.  "Latin America is a priority target because it has a very connected population, which means that they are always exposed," said Claudio Martinelli, managing director for Latin America for Kaspersky.

Institutions and governments are also more vulnerable than in other parts of the world. In a ranking of 93 countries on cyberthreat risks compiled by fraud prevention software SEON, nine of the 10 Latin American countries were ranked in the bottom half.

Three Latin American countries - Honduras, Nicaragua and Venezuela - were seen among the 10 countries with the highest risks for cyberthreats.  The region, meanwhile, had the highest share of unprotected data in the world in 2022, Tenable said, making companies vulnerable to threats like ransomware, a kind of attack that locks a computer and then demands money for its release.  Ransomware was responsible for six of every 10 attacks in 2022, including an attack on Costa Rica's finance ministry by Russian hackers, who demanded $10 million.[4]

Latin America's ability to safeguard against future attacks is handicapped by a lack of regulation and judicial investigations, said Marcos Simplicio, a professor specializing in cybersecurity at the University of Sao Paulo.  "Virtual crime is no different from physical crime," he said. "As long as it's making a profit, and if there is little chance of punishment, it will continue."

Southeast Asia - Finance and healthcare are the top two sectors experiencing cyber attacks in Malaysia this year despite growing resilience and awareness among financial institutions, said Kaspersky Southeast Asia general manager Yeo Siang Tiong.  Speaking at Kaspersky Cyber Security Weekends 2023 held in Bali, Indonesia, Yeo said that the same trend was also observed in other ASEAN countries this year.  He explained that the financial sector is where the money is, while the government and healthcare sectors hold a lot of data, including personal data, which is highly valuable to cyber attackers.[5]

Although facing the most attacks, Malaysia’s financial sector has seen some improvement in cyber resilience after Bank Negara instructed banks to follow the risk management in technology framework.  In addressing the rising threat and risk of cyber-attacks from the government perspective, Yeo said there was a need for the government to address the issue from the regulation and policy standpoints.  He said Kaspersky works very closely with the National Cyber Security Agency (NACSA) and Cybersecurity Malaysia (CSM) on the government side to share information with them, so that the agencies get early signals from Kaspersky if the cyber security firm sees a cyber-attack happening.

The Malaysian government is looking at the possibility of making some changes to the two agencies involved in cybersecurity.  Yeo said that organizations need to learn and do their due diligence by exercising a fair share process to protect their own environment; from the consumers’ perspective, awareness is the most effective way.  With the digital economy growing rapidly across the ASEAN region at an expected growth rate of 20% year-on-year, more data will be used by the industry, and it requires more protection of its information technology (IT) and operational technology (OT).

Kaspersky announced that the company detects an average of 400,000 new malicious attacks on a daily basis and has been responding to the detection by using the latest technology.  They also highlighted that AI has emerged as a powerful tool in the field of cybersecurity and beyond with the arrival of ChatGPT in November 2022 triggering debates and conversations on AI.  It showed the tangible effects of this neural network technology and revealed AI’s potential to disrupt industries globally.

[1] https://www.hackread.com/smoke-loader-botnet-whiffy-recon-malware/

[2] https://www.hackread.com/api-misuse-hacker-leak-duolingo-emails-names/

[3] https://www.msn.com/en-gb/money/technology/gchq-bosses-reveal-first-cyber-attack-and-how-incident-changed-uk-and-europe/ar-AA1fRs4D

[4] https://www.msn.com/en-gb/news/world/latin-americans-fall-prey-to-more-online-scams-as-cybersecurity-lags/ar-AA1fjduh

[5] https://vir.com.vn/cyber-attacks-hit-aseans-finance-healthcare-sectors-most-kaspersky-104760.html
