Activity Summary - Week Ending on 02 November 2023:

  • Red Sky identified 27,522 connections from ‘new’ unique IP addresses
  • Swiss Private Layer Inc. hit 697x
  • 36 ‘new’ botnet hits
  • The Hype Cycle
  • Bad Google Apps
  • Israel Check Point
  • US Stanford U.
  • Akira Group
  • The British Library
  • Toronto Library

Red Sky Alliance Compromised (C2) IPs

141.255.166.90 was reported 697 times. Confidence of Abuse: 100%; ISP: Private Layer Inc.; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): hostedby.privatelayer.com; Domain Name: privatelayer.com; Country: Switzerland; City: Zurich.
https://www.abuseipdb.com/check/141.255.166.90

IP                Contacts
141.255.166.90    57
52.70.240.171     39
2.56.247.53       36
46.105.119.187    35
3.224.220.101     35

On 1 November 2023, Red Sky Alliance identified 27,522 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity 

Malware Variant   Times Seen
sality            24191
shiz              1635
corkow            1570
sykipot           443
maudi             270

Top 5 malware variants and number of contacts. Sality and Shiz have consistently remained the top variants; Corkow follows.


For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 1 November 2023, analysts identified 36 new IP addresses participating in various botnets (contact us for the full .csv blacklists; below is only a small sampling of botnet tracker entries).

First Seen            Botnet Attribution      Infected Host’s IPv4 Address
2023-10-28T16:40:18   HTTP proxy|port: 80     8.219.102.84
2023-10-30T16:40:18   HTTP proxy|port: 80     8.219.116.85
2023-10-27T18:20:26   HTTP proxy|port: 999    45.70.201.50
2023-10-31T01:20:21   HTTP proxy|port: 999    45.190.76.117
2023-10-31T12:08:03   HTTP proxy|port: 999    45.190.76.121

Keylogger IOCs available upon request. 
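As an added example (not part of the Red Sky Alliance report), the following Python parses the tracker rows above into IP:port indicators and runs them over constructed firewall log lines in an assumed key=value format, flagging connections to a listed host on its listed proxy port:

```python
import ipaddress
import re

# Tracker rows exactly as they appear in this report (first seen, attribution, host IPv4).
TRACKER_ROWS = [
    ("2023-10-28T16:40:18", "HTTP proxy|port: 80", "8.219.102.84"),
    ("2023-10-30T16:40:18", "HTTP proxy|port: 80", "8.219.116.85"),
    ("2023-10-27T18:20:26", "HTTP proxy|port: 999", "45.70.201.50"),
    ("2023-10-31T01:20:21", "HTTP proxy|port: 999", "45.190.76.117"),
    ("2023-10-31T12:08:03", "HTTP proxy|port: 999", "45.190.76.121"),
]

# The attribution column packs the role and the port into one string: "role|port: N".
ATTRIBUTION_RE = re.compile(r"^(?P<role>[^|]+)\|port:\s*(?P<port>\d+)$")

def parse_tracker(rows):
    """Map (ip, port) -> {"first_seen", "role"}; rows with a malformed attribution
    or a non-IPv4 host are skipped rather than silently mis-keyed."""
    indicators = {}
    for first_seen, attribution, host in rows:
        m = ATTRIBUTION_RE.match(attribution.strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(host.strip()))
        except ValueError:
            continue
        indicators[(ip, int(m["port"]))] = {"first_seen": first_seen, "role": m["role"].strip()}
    return indicators

# Constructed firewall log lines (assumed key=value format; not from the report).
SAMPLE_LOG = """\
2023-11-01T09:12:44 action=allow src=10.1.4.22 dst=45.190.76.117 dport=999 proto=tcp
2023-11-01T09:13:01 action=allow src=10.1.4.23 dst=8.219.102.84 dport=443 proto=tcp
2023-11-01T09:14:10 action=allow src=10.1.4.22 dst=93.184.216.34 dport=80 proto=tcp
2023-11-01T09:15:37 action=deny src=10.1.5.9 dst=8.219.116.85 dport=80 proto=tcp
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def match_log(log_text, indicators):
    """Return (ts, action, src, dst, dport, role) for each line whose destination
    IP:port is a tracker entry. The port is part of the key because the tracker
    ties each host to one proxy port; 8.219.102.84:443 therefore does not match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (m["dst"], int(m["dport"])) in indicators:
            role = indicators[(m["dst"], int(m["dport"]))]["role"]
            hits.append((m["ts"], m["action"], m["src"], m["dst"], int(m["dport"]), role))
    return hits
```

Denied connections are reported as well as allowed ones, since an internal host attempting to reach a tracked proxy is itself worth investigating.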

MALICIOUS CYBER TRENDS:

The Hype Cycle & What You Need to Know - The desire for less complexity, simplified operations and greater efficiency continues to drive cybersecurity consolidation, according to the 2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey.  More than half the participants in this survey were pursuing vendor consolidation to increase the efficacy of security solutions, while just over one-third (35%) saw cost reduction as a primary motivation.  Gartner sees strong consolidation efforts in multiple workload and network security areas, including the pairing of security service edge (SSE) and secure access service edge (SASE) platforms for (largely) outbound user traffic, and the use of cloud-native application protection platforms (CNAPPs) for cloud workloads and applications.

Developing a zero-trust approach remains important for many of Gartner’s clients, and new technologies to support a zero trust mindset continue to emerge.  Of these, generative cybersecurity AI has been subject to a great deal of hype in 2023. Organizations are extremely interested in the possible impacts — positive and negative — of generative AI, especially this technology’s potential to help their (often short-staffed) security teams work with increasingly complex environments.

Security and risk management leaders must select the right enabling security technologies for their organization to continuously support cybersecurity consolidation and a zero-trust strategy without missing the opportunities that arise from emerging technologies like generative cybersecurity AI.

The Hype Cycle - This Hype Cycle reflects the continuing trend toward converged platforms and strong interest in zero trust strategies, as well as emerging cloud security technologies, generative AI and more.  Several technologies have been retired from the Hype Cycle this year, due to their maturation and to increased consolidation at the edge and in the cloud (for a full list, see the Off the Hype Cycle section). For instance, most organizations are replacing secure web gateways, cloud access security brokers (CASBs) and many of their remote access solutions with converged security service edge (SSE) platforms, and CNAPPs are incorporating the mature cloud workload protection platforms (CWPPs). Adoption of ZTNA (and emerging interest in universal ZTNA) and the hybrid workforce has reduced interest in (and hype about) network access control, and ZTNA remains a starting point for many zero trust architecture efforts. Additionally, cloud adoption and, again, the hybrid workforce are furthering the expansion of highly mature network firewalls into cloud firewalls and nascent firewall-as-a-service products. They are also prompting network security policy management to develop in the direction of cloud security posture management (CSPM) and CNAPPs.

Several emerging technologies appear in this Hype Cycle:

  • Generative AI has attracted a great deal of hype this year, which has triggered the inclusion of generative cybersecurity AI.
  • Coping with complex configuration requirements remains a big challenge in both cloud and on-premises environments, and is best addressed with automation. As a result, automated security control assessment (ASCA) tools are emerging to verify the configuration of products in hybrid environments.
  • Desire for a reliable method of ascertaining the severity of security events in the cloud has led to cloud investigation and response automation (CIRA) products.
  • Extended Berkeley Packet Filter (eBPF) techniques are becoming the new norm for Linux security and are now widely used in Linux workload protection.

Figure 1: Hype Cycle for Workload and Network Security, 2023

Link to full report: https://www.gartner.com/doc/reprints?id=1-2EMEMAR4&ct=230802&st=sb&elqTrackId=730c5ffd7f2846ef83f42eda99b17082&elqaid=8123&elqat=2&elqah=AF2C25EAE3BC4FA5AA46BD3A4AC1641A1367D0FBE83E6494709F794F9542588B

Bad Apps - There are plenty of reasons to own an Android phone instead of an iPhone, from the plethora of choices to the lower prices to the experimental designs, but Android device owners also need to be careful about what they install.  Google frequently prunes the Play Store of malicious Android apps, but not before millions of users download them.  In September alone, the IT security vendor Dr.Web uncovered more than a dozen such apps on Google Play.  They have all since been removed, but if you downloaded any of these apps while they were available, you should delete them immediately.[1]

Last week, Dr.Web’s monthly mobile threat report (via Bleeping Computer) highlighted multiple apps infected with Joker, FakeApp, and HiddenAds trojans.  Altogether, these apps have been downloaded over 2 million times, so chances are high that a large number of Android users still have one or two of them installed on their phones.  Up first are the adware trojans, which disguise themselves as games.  Once installed, these apps try to hide from the user by replacing their icons with transparent images, leaving the app names blank, and even pretending to be a mobile browser like Chrome:

  • Super Skibydi Killer | 1,000,000 downloads
  • Agent Shooter | 500,000 downloads
  • Rubber Punch 3D | 500,000 downloads
  • Rainbow Stretch | 50,000 downloads

The security vendor also pointed out several FakeApp trojans, some of which appear to be financial software and others that operate as games:

  • Eternal Maze | 50,000 downloads
  • Cowboy’s Frontier | 10,000 downloads
  • Enchanted Elixir | 10,000 downloads
  • Fire Fruits | 10,000 downloads
  • Jungle Jewels | 10,000 downloads
  • Stellar Secrets | 10,000 downloads
  • GazEndow Economic | 1,000 downloads
  • FinancialFusion | 1,000 downloads
  • Financial Vault | 500 downloads
  • MoneyMentor | 0+ downloads

Finally, there are two Joker trojans that Android users should be on the lookout for that subscribe victims to paid services without their knowledge or permission:

  • Love Emoji Messenger | 50,000 downloads
  • Beauty Wallpaper HD | 1,000 downloads

You can never be too careful when downloading apps from Google Play.

GLOBAL TRENDS:

Israel - Israeli-based Check Point Software Technologies said on Monday that its business had continued to operate as planned since the conflict between Israel and Hamas began this month.  Check Point Chief Executive Gil Shwed said 98% of the company's customers were outside Israel and it had successfully launched new technologies and completed acquisitions.  Shwed said Check Point's data showed that over the past three weeks, since Hamas-led militants stormed through the south of Israel on 7 October, there had been an 18% rise in cyber-attacks in the country, with 52% against the government sector.[2]

Check Point earlier on reported a higher than expected profit for the third quarter, boosted by double-digit revenue growth in subscriptions for its platform that prevents attacks across networks, mobile and the cloud.  The company said it earned $2.07 per diluted share excluding one-off items in the July-September quarter, up 17% from $1.77 a year earlier. Revenue grew 3% to $596 million.  It was forecast to earn $2.02 a share on revenue of $591.5 million, according to I/B/E/S data from Refinitiv.  Shwed said that a year ago companies had been keeping their existing firewalls for longer rather than updating them.  But now, the situation has begun to improve.  "I am seeing some positive changes and I hope they will carry the next few quarters," he told a news conference.  "The last quarter clearly shows that we are in a very good trend of a positive change. I'm actually quite positive about the business trend that we're seeing."  Check Point said it bought back 2.48 million shares in the quarter, worth $325 million, as part of its ongoing $2 billion share buyback program.  Its Nasdaq listed shares were down 2.9% at $128.02 in pre-market trading.

US - Stanford University said earlier this week it was investigating a “cybersecurity incident” after a ransomware group threatened to release confidential information from the university’s Department of Public Safety on the dark web.  According to a screenshot posted to social media by cybersecurity analyst Brett Callow, the ransomware group ‘Akira’ holds 430 gigabytes worth of internal data from the Department of Public Safety, including confidential documents and private information.  The group instructed those interested in the information to contact them.

“Stanford University is one of the world’s leading research universities.  Stanford is known for its entrepreneurial character, drawing from the legacy of its founders, Jane and Leland Stanford, and its relationship to Silicon Valley,” the Akira threat reads.  “Soon the university will be also known for 430 GB of internal data leaked online.”

The university acknowledged the threat last week, saying that the department’s impacted systems had been “secured.”  “We are continuing to investigate a cybersecurity incident at the Stanford University Department of Public Safety (SUDPS) to determine the extent of what may have been impacted,” the university said in a statement. “Based on our investigation to date, there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies. The impacted SUDPS system has been secured.”  The university’s statement did not directly address the claim of data already allegedly stolen by the hackers.  According to Callow, at least 68 colleges and universities have been hit by ransomware attacks this year.  

UK - The British Library is suffering a technology outage after it was hit by a cyber-attack, which is affecting services online and its sites in London and Yorkshire.  Access to the website, as well as the catalogue and digital collections, is temporarily unavailable.  The collection of items ordered on or after 27 October, new collection item orders via digital catalogues and reading room PCs are also inaccessible, it said. Reader registration is also unavailable.[3]

The British Library said on 30 October it had launched an investigation into the incident with the support of the National Cyber Security Centre (NCSC) and other cybersecurity specialists.  A statement said: “The British Library is experiencing a major technology outage, as a result of a cyber incident.  This is affecting online systems and services, our website, and onsite services including our reading rooms.  We are investigating the incident with the support of the National Cyber Security Centre (NCSC) and cybersecurity specialists.”

The library revealed that it was experiencing “technical issues” on 28 October on X, formerly known as Twitter, and said that public wifi was down. It later said it expected the issues “to continue for the next few days”. Public wifi access is now back.  Collection items ordered on or before 26 October are still available to pick up and there is very limited manual collection item ordering available in St Pancras for items stored onsite via the library’s printed catalogues.  The statement continued: “We are very grateful for the support and understanding we have had from our users, staff and partners.  The library’s sites remain fully open to the public and details on the services that remain available can be found via @britishlibrary on X.”

The British Library, the UK’s national library, is one of the largest libraries in the world.  It holds more than 150m items, including 13.5m printed books and e-books, rare manuscripts, maps, stamps, sound recordings, photographs and music.

The library recently revealed that in a “major milestone”, the entire collection of Geoffrey Chaucer’s works was being made available in digital format after the completion of a two-and-a-half-year project to upload 25,000 images of the often elaborately illustrated mediaeval manuscripts.  The library asked users to “please bear with us while we gather more information” on the cyber-attack and said it would provide updates about the situation as regularly as it could.

Canada - Of note, the Toronto Public Library in Canada was also hit with a cyber-attack this week.[4]  Canada’s largest public library system said it is dealing with a cyberattack that brought down its website and member services pages and limited access to its digital collections.  The Toronto Public Library serves more than 1.2 million members with more than 12 million items spread across 100 branches.  It said on the afternoon of 28 October that it was experiencing technical difficulties with online services as well as in-branch WiFi and printing.  By the 29th, the city-run organization confirmed that it was dealing with a cybersecurity incident.  The library’s website has been replaced with a temporary page with a statement explaining the situation.

[1] https://bgr.com/tech/16-more-infected-android-apps-you-need-to-delete-asap/

[2] https://www.msn.com/en-gb/money/other/israels-check-point-data-shows-october-cyber-attack-rise/ar-AA1j5vvs

[3] https://www.theguardian.com/books/2023/oct/31/british-library-suffering-major-technology-outage-after-cyber-attack

[4] https://therecord.media/toronto-public-library-cyberattack-disruptions/
