Activity Summary - Week Ending on 23 November 2023:
- Red Sky identified 29,262 connections from ‘new’ unique IP addresses
- Amazon NoVa in Virginia hit 24x (2nd week)
- 35 ‘new’ botnet hits
- NoEscape Ransomware
- Infection Vector
- Victimology
- NoEscape IOCs
- Paris WasteWater hit
- US AI Roadmap
- Airport Shutdown
Red Sky Alliance Compromised (C2) IPs
54.144.244.146 was reported 24 times (2nd week). Confidence of Abuse: 94%; ISP: Amazon Data Services NoVa; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): ec2-54-144-244-146.compute-1.amazonaws.com; Domain Name: amazon.com; Country: USA; City: Ashburn, Virginia
| IP | Contacts |
|---|---|
| 54.144.244.146 | 240 |
| 141.255.166.90 | 123 |
| 207.231.105.250 | 69 |
| 45.92.177.159 | 67 |
| 141.255.166.82 | 58 |
On 22 November 2023, Red Sky Alliance identified 29,262 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
| Malware Variant | Times Seen |
|---|---|
| sality | 25666 |
| shiz | 2303 |
| corkow | 1657 |
| sykipot | 546 |
| maudi | 280 |
Top 5 malware variants and number of contacts. Sality and Shiz have consistently remained the top variants.
Red Sky Alliance Malware Activity
For a full blacklist, contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker
On 22 November 2023, analysts identified 35 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sample of botnet tracker entries).
| First Seen | Botnet Attribution | Infected Host’s IPv4 Address |
|---|---|---|
| 2023-11-16T20:20:23 | HTTP proxy, port: 8080 | 1.179.136.154 |
| 2023-11-17T16:40:22 | HTTP proxy, port: 80 | 8.219.71.3 |
| 2023-11-16T17:10:25 | HTTP proxy, port: 999 | 45.70.202.237 |
| 2023-11-17T18:10:25 | HTTP proxy, port: 999 | 45.190.79.224 |
| 2023-11-15T01:20:29 | HTTP proxy, port: 80 | 47.74.13.66 |
Keylogger IOCs available upon request.
MALICIOUS CYBER TRENDS:
NoEscape is a financially motivated ransomware group that emerged in May 2023. The group runs a Ransomware-as-a-Service program. The developer creates and provides necessary pre- and post-infection tools for affiliates to perform malicious activities such as compromising victims, data exfiltration, and encryptor (ransomware) deployments.
The group has victimized numerous organizations across multiple industries, including government, energy, hospitals, and physicians’ clinics. The NoEscape ransomware group is believed to be related to the now-defunct Avaddon ransomware group.[1]
Infection Vector - Information on the infection vector used by the NoEscape ransomware threat actor is not currently available. However, it is not likely to differ significantly from other ransomware groups.
Victimology - According to data collected through Fortinet's FortiRecon service, the NoEscape ransomware group has targeted multiple industry verticals (Figure 1). Business services were most impacted by the ransomware, followed by the manufacturing and retail sectors. Victims of the NoEscape ransomware also include government organizations, hospitals, and medical clinics. When victim organizations are ranked according to country (Figure 2), the United States leads by a wide margin.
Figure 1: Top sectors targeted by the NoEscape ransomware (source: FortiRecon)
Figure 2: Top countries victimized by the NoEscape ransomware (source: FortiRecon)
As of 3 November 2023, the NoEscape ransomware group had last posted new victims on October 27th.
NoEscape Ransomware Execution - Once a network has been compromised and data has been exfiltrated, the NoEscape attacker deploys and runs a file encryptor, which terminates the following services and processes:
Figure 3: Services terminated by the NoEscape ransomware
Figure 4: Processes terminated by the NoEscape ransomware
The ransomware encrypts files on the compromised systems and appends a “.[random 10-character uppercase alphabet]” extension to the affected files. The ransomware avoids encrypting the following file extensions:
Figure 5: File extensions that the NoEscape ransomware avoids encrypting
The NoEscape ransomware also exempts the following directories from file encryption:
Figure 6: File directories that the NoEscape ransomware avoids encrypting
It then leaves a ransom note titled “HOW_TO_RECOVER_FILES.txt.” The ransom note instructs victims to visit a TOR site for further instructions. The actual ransom negotiation takes place on TOX. The note also states that the NoEscape ransomware group is financially driven and is not politically motivated.
Figure 7: Files encrypted by the NoEscape ransomware and its ransom note
Figure 8: NoEscape ransomware’s ransom note
The NoEscape ransomware has variants that affect Linux and VMware ESXi.
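The two host-side artifacts the text describes (the HOW_TO_RECOVER_FILES.txt note and the appended ten-character uppercase extension) are enough for a simple triage sweep of a file listing. The following is an added example written for this report, not code from Fortinet or Red Sky Alliance; the per-directory threshold and the sample paths are constructed for illustration.

```python
import re
from collections import Counter

# Indicators taken from the report text: the ransom note file name and the
# ".[random 10-character uppercase alphabet]" extension NoEscape appends.
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"
NOESCAPE_EXT = re.compile(r"\.[A-Z]{10}$")

# Per-directory threshold (an assumption for this example, not a value from
# the report) so one oddly named file does not raise an alert on its own.
MIN_ENCRYPTED_PER_DIR = 3

def scan_paths(paths, min_hits=MIN_ENCRYPTED_PER_DIR):
    """Flag directories showing NoEscape artifacts: the ransom note, or at
    least `min_hits` files ending in a 10-uppercase-letter extension.
    `paths` is any iterable of file paths; Windows and POSIX separators
    are both accepted (os.walk output, a backup index, an EDR listing)."""
    ext_hits = Counter()
    note_dirs = set()
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        if name == RANSOM_NOTE:
            note_dirs.add(directory)
        elif NOESCAPE_EXT.search(name):
            ext_hits[directory] += 1
    flagged = {}
    for directory in note_dirs | set(ext_hits):
        if directory in note_dirs or ext_hits[directory] >= min_hits:
            flagged[directory] = {
                "ransom_note": directory in note_dirs,
                "encrypted_files": ext_hits[directory],
            }
    return flagged

# Constructed sample listing (not from the report): one encrypted user
# directory, an ESXi datastore with a single suspicious file, and noise.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.QWERTYUIOP",
    r"C:\Users\alice\Documents\notes.docx.QWERTYUIOP",
    r"C:\Users\alice\Documents\photo.jpg.QWERTYUIOP",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_FILES.txt",
    r"C:\Windows\System32\kernel32.dll",
    "/vmfs/volumes/ds1/vm1/vm1.vmdk.ABCDEFGHIJ",
    "/srv/share/README.MARKDOWNXX",
]

if __name__ == "__main__":
    for directory, info in scan_paths(SAMPLE_LISTING).items():
        print(directory, info)
```

Lowering `min_hits` to 1 surfaces the lone ESXi datastore hit and the benign `README.MARKDOWNXX` alike, which is the trade-off the threshold exists to manage.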
Data Leak Site - The NoEscape ransomware group owns a TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there. Victims are instructed to visit the TOR site below and enter the unique personal ID listed on the ransom note.
Figure 9: The NoEscape ransomware’s TOR site that victims are instructed to visit
Figure 10: The contact form on the NoEscape ransomware’s TOR site
As of 3 November, the “NoEscape” blog lists 20 active NoEscape ransomware victims.
Figure 11: Active NoEscape ransomware victims listed on the TOR site
Figure 12: NoEscape ransomware victims whose "negotiations" have ended
If victims do not comply with the attacker's request, another message is added to the page assigned to each victim urging action. Some of those messages are below:
Figure 13: One of the messages added to the victim’s unique page
Figure 14: Another message added to the victim’s unique page
IOCs
GLOBAL TRENDS:
France - The organization that manages wastewater for nine million people in and around Paris was hit with a cyberattack on 17 November. Service public de l'assainissement francilien, known by its acronym SIAAP, manages nearly 275 miles of pipes throughout four French departments. The organization said that it filed a complaint with the judicial police and National Commission on Informatics and Liberty (CNIL) following the discovery of a cyberattack.
IT teams have worked since last week to secure industrial systems and close off all external connections in order to prevent the attack from spreading. The French officials said they have prioritized measures that allow them to “maintain the continuity of the public sanitation service for Ile-de-France residents.” “The SIAAP crisis unit remains mobilized to manage the aftermath of this attack and support the continuity of the work of all of its agents from this week in a working environment largely degraded by the current situation,” they said, according to a machine translation of the statement. “This mobilization will continue until a return to normal can be ensured.”
The organization has set up local systems to answer any questions from the public and said they are in constant communication with various government agencies about the situation. Their statement was accompanied by an emergency order authorizing officials at the organization to hire outside cybersecurity firms and purchase any equipment necessary to recover or restore systems needed for them to continue their work.[2]
No hacking group has taken credit for the attack, but water authorities have been a prime target for ransomware gangs eager to target critical services in possession of sensitive customer information. Last May, an Italian company that provides drinking water to nearly half a million people experienced some technical disruptions following a ransomware attack and the water utility of Porto, Portugal's second-largest city, dealt with its own ransomware attack in February 2023.
South Staffordshire Water, which supplies water for more than 1.7 million people in England, was severely damaged by a ransomware attack in August 2022. The agency that manages Puerto Rico’s water supply was forced to call in the FBI to investigate a ransomware attack in March of 2023. US law enforcement agencies said ransomware gangs hit five US water and wastewater treatment facilities from 2019 to 2021 and those figures did not include three other widely-reported cyberattacks on water utilities. The problem has gotten so bad for so many water utilities that last week, the US cybersecurity agency announced a new voluntary pilot program offering “cutting-edge cybersecurity shared services” to water utilities and other critical infrastructure organizations.
US - The US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has unveiled its inaugural roadmap for artificial intelligence (AI). The initiative aligns with President Biden’s recent Executive Order, which directed DHS to globally promote AI safety standards, safeguard US networks and critical infrastructure, and address the potential weaponization of AI. The roadmap comprises five strategic lines of effort aimed at steering concrete initiatives and articulating CISA’s responsible approach to AI in cybersecurity. “DHS has a broad leadership role in advancing the responsible use of AI and this cybersecurity roadmap is one important element of our work,” commented secretary of homeland security, Alejandro N. Mayorkas.[3]
“CISA’s roadmap lays out the steps that the agency will take as part of our Department’s broader efforts to both leverage AI and mitigate its risks to our critical infrastructure and cyber defenses.”
The lines of effort outlined in the roadmap include:
- Using AI responsibly to support CISA’s mission
- Assessing and assuring AI systems
- Protecting critical infrastructure from malicious AI use
- Collaborating and communicating on key AI efforts
- Expanding AI expertise in the workforce
The roadmap emphasizes responsible, ethical and safe AI use, aligning with constitutional principles and relevant laws and policies.
“Artificial intelligence holds immense promise in enhancing our nation’s cybersecurity, but as the most powerful technology of our lifetimes, it also presents enormous risks,” said CISA Director, Jen Easterly. “Our Roadmap for AI, focused at the nexus of AI, cyber defense and critical infrastructure, sets forth an agency-wide plan to promote the beneficial uses of AI to enhance cybersecurity capabilities.” In an effort to advance the Administration’s goal of ensuring safe and secure AI, CISA invited stakeholders, partners and the public to explore the “Roadmap for Artificial Intelligence” and understand the agency’s strategic vision for AI technology and cybersecurity.
US - A cyberattack on Long Beach Airport's main website caused a temporary shutdown, and payment processing systems linked to the website were also affected, just in time for the busiest travel week of the year. Other airport systems remain unaffected, including public WiFi, airline internet systems, traffic control, and mobile apps. The cyberattack occurred during the busy travel season, with a significant increase in passenger numbers. The airport recommends using the mobile app and arriving 90 minutes early for flights.[4]
Long Beach Airport (LGB), a major public airport located near Los Angeles California, was the target of a cyberattack on 14 November. The cyberattack affected the airport's main website and caused the airport authority to take the website offline temporarily. Currently, the website redirects to the Long Beach city website, which has also added additional flight information to help passengers navigate their flights.
Affecting the airport's main website - The cyberattack rendered the airport's website inoperable and caused it to be taken offline. Additionally, the attack affected some of the payment processing systems that were linked from the website. However, other main airport systems were unaffected by the breach. The systems that remain fully functional include the airport's public WiFi, internet systems utilized by airlines, traffic control, the airport's mobile application, and payment kiosks for parking on airport property. These systems all run on a separate server from the main city server, which is what the airport website is linked to.
The airport released a statement regarding the cyberattack. The statement read: "On Nov. 14, 2023, the City of Long Beach learned that it was subject to a potential cybersecurity incident. The City's Department of Technology and Innovation immediately initiated an investigation, engaged with the City's contracted cybersecurity consultant firm, and notified the Federal Bureau of Investigation. Through the initial investigation, the City determined a network security incident occurred." The statement also mentioned that the city would be taking the website offline to help with the investigation and potential remediation. It also expected the website to be offline for several days as the investigation takes place. Additionally, all necessary flight information will be placed on the city's main website, which is also the destination that the offline website will redirect to if a user attempts to access it.
Breach ahead of the busy holiday season - The cyberattack comes at an unfortunate time ahead of the busy travel season. Long Beach Airport is expecting an estimated 88,000 passengers over the Thanksgiving weekend. It is also estimated to reach 14,000 passengers on its busiest day. These numbers are a 25% increase when compared to 2019, which is prior to the COVID-19 pandemic. This shows a return to normal travel compared to the decrease in travel during the pandemic.
Ahead of the busy weekend, Long Beach Airport also released recommendations for travelers. The airport authority recommends downloading the LGB Airport mobile app to assist in finding information regarding flights. Especially with the recent breach, the app will have the necessary information for travelers through the airport. The airport also recommends that travelers arrive at the airport 90 minutes early for flights, especially for morning flights. LGB recommends that all passengers verify the airline's baggage rules and flight schedule well ahead of time to assist with making the busy weekend operate smoothly.
[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-noescape?lctg=141970831
[2] https://therecord.media/paris-wastewater-agency-hit-cyberattack/
[3] https://www.infosecurity-magazine.com/news/us-gov-first-ai-roadmap-for/
[4] https://www.msn.com/en-us/travel/news/long-beach-airport-s-website-taken-down-by-cyber-attack/ar-AA1kkc1N