Activity Summary - Week Ending on 30 November 2023:
- Red Sky identified 26,305 connections from ‘new’ unique IP addresses
- HostRush 116x
- 29 ‘new’ Botnets hits
- Decoding the Past
- Rhysida Ransomware Group
- PSExec
- Palestine Hamas Hackers
- Denmark
- Singapore
- Cyber Table Top
Red Sky Alliance Compromised (C2) IPs
| IP | Contacts |
| --- | --- |
| 207.231.105.250 | 68 |
| 188.134.80.97 | 62 |
| 46.19.136.74 | 60 |
| 141.255.166.82 | 60 |
| 193.35.18.177 | 57 |
Red Sky Alliance Malware Activity
On 29 November 2023, Red Sky Alliance identified 26,305 connections from new unique IP addresses that are checking in with one of the many Red Sky Alliance sinkholed domains.
| Malware Variant | Times Seen |
| --- | --- |
| sality | 22972 |
| shiz | 1727 |
| corkow | 1477 |
| sykipot | 434 |
| betabot | 341 |
For a full blacklist, contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker
On 29 November 2023, analysts identified 29 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet tracker entries).
| First Seen | Botnet Attribution | Infected Host's IPv4 Address |
| --- | --- | --- |
| 2023-11-26T16:50:30 | HTTP proxy (port 80) | 8.219.68.225 |
| 2023-11-25T16:40:20 | HTTP proxy (port 80) | 8.219.75.141 |
| 2023-11-22T18:06:03 | HTTP proxy (port 80) | 8.219.76.3 |
| 2023-11-28T16:40:20 | HTTP proxy (port 8080) | 36.92.93.21 |
| 2023-11-26T01:20:18 | HTTP proxy (port 80) | 47.74.5.233 |
Keylogger IOCs available upon request.
MALICIOUS CYBER TRENDS:
Decoding the Past - Organizational defenders today face unprecedented pressure to keep up with a relentless stream of new attacks. No sooner is the latest campaign discovered, its indicators shared, and defenses bolstered than we are on to the next one. The details of these attacks are added to our collective historical record, but most defenders rarely have the time or motivation to reconsider what further value that record might offer.[1]
However, mining historical data for insight into tomorrow's attacks is, we would argue, an undervalued resource. From expanding our list of known indicators and developing better threat intelligence to improving our understanding of attribution and enabling new discoveries, investigating historical data is an asset that cyber defenders can and should make more of. Below, SentinelLabs explores practical ways that revisiting past cyber incidents can empower defenders and help them anticipate future threats more effectively.
- Exploring the Past to Expand Actionable Threat Intelligence - In September of 2023, SentinelLabs observed a new threat activity cluster by a previously unknown threat actor we dubbed Sandman. The threat actor deploys malware utilizing the LuaJIT platform, a development paradigm relatively rarely seen in the cyberespionage domain but which has an historical association with suspected Western or Western-aligned advanced threat actors.
Early last year, SentinelLabs released a report on a new cyber threat actor we named ModifiedElephant. This research was the conclusion of an investigation into a previously unknown offensive threat actor responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence. Our analysis identified that ModifiedElephant had been operating since at least 2012 and was still operating at the time of the report.
Timeline sample of ModifiedElephant and SideWinder C2 Infrastructure
So why does this matter? Cyber paleontology allows us to take a small bit of knowledge about targeted intrusions and expand it into hundreds of indicators of compromise, such as malware samples and unique infrastructure. In the case of ModifiedElephant, we tied the threat actor to hundreds of other intrusion attempts across the globe. This research found activity spread across nearly a decade, targeting individuals and organizations alike.
The set of IOCs has been greatly expanded, which allows us to improve the defenses of those who were originally targeted and of others who may be targeted in the future. If we had simply stopped researching the threat actor after the initial, smaller case of a handful of intrusions against individuals, our perception of this actor would have remained that of something interesting but irrelevant to most. Revisiting a decade of activity, however, lets us understand the actor and apply actionable intelligence to direct network defense needs.
- Developing Better Strategic Threat Intelligence - Pushing past directly actionable intelligence such as malware samples, IOCs, and threat detection rules, we can also gain new strategic intelligence on threat actors. Specifically, our perspective on known threat actors can change greatly when we review past intrusions. For example, in September we reported on, and presented at LABScon, the topic of China's soft power agenda throughout Africa. In that research, we shared how Chinese-attributed APTs, such as "Backdoor Diplomacy", have been linked to a previously reported set of intrusions across South Africa, Kenya, Senegal, and Ethiopia in the past few years.
Revisiting previously reported infrastructure associated with the threat actor opened our eyes to a wider set of targets in these countries, including a set of targets we had not observed before, such as financial organizations. Today, we can use this expanded understanding of the threat actor to apply strategic intelligence for financial organizations and for the countries newly observed to be of interest to the attacker. Applying a similar approach to other high-interest threat actors, and questioning our past assessments and intelligence about them, would be valuable for expanding defense capabilities and context today.
- Enhancing Our Understanding of Attribution - An additional value that can come from a fresh review of historical threat activity concerns attribution, the process of identifying the true attacker behind an activity. Past intrusions can become clearer once we understand who the attacking entity actually was, or which threat actor cluster some previously unknown activity now falls under. For example, in August we identified malware with a long history of use by a variety of suspected Chinese clusters, along with infrastructure targeting Southeast Asia's gambling sector, related to previous activities attributed to BRONZE STARLIGHT, a Chinese threat actor whose main goal appears to be espionage rather than financial gain. In addition, we recently reported on the Appin hack-for-hire business in India and how unconfirmed and mysterious activity from years back can finally be attributed to them. This includes Operation Hangover, the well-known industrial espionage case, and the targeting of human rights activists with custom Mac malware.
C2 / Delivery Server bluecreams[.]com and Linked Malware
Knowing that these sets of activities tie back to a central organization allows renewed understanding of, and interest in, the hack-for-hire threat actor industry. Additionally, and perhaps more importantly, it gives victims an opportunity to hold attackers responsible for their actions, if they so choose.
- Newer Techniques Offer Fresh Insights From Old Data - Using today's technology to expand past context and knowledge of attackers is also increasingly valuable to modern defenders. The technology sector evolves at a blistering pace, and new research tools often arrive to provide new capabilities. Although much recent focus has been on adopting and adapting LLMs and generative AI for various infosec tasks, we can also see examples of existing technologies that continue to develop and push the boundaries of what is possible.
One of the best examples of this is YARA, today's go-to tool for malware description rules used to hunt for various types of files, such as malware or files of high interest. YARA continues to be developed in ways that can yield new discoveries from old datasets. New rule-writing methods, combined with major malware repositories such as Stairwell and VirusTotal, can lead to the discovery of leaked attacker files, changes within targeted malware families, and uploads of never-before-seen malware from past attacks. Combining these new discoveries with infrastructure-tracking tools such as SilentPush, it is possible to make similar high-interest discoveries centered on old attacker infrastructure.
Conclusion - As we move forward, it is important not to lose sight of the past. As the SentinelLabs research examples highlighted above show, retrospective analyses can wring new actionable intelligence from the raw data of past breaches and help to preempt future attacks. SentinelLabs encourages other analysts to join in connecting the dots between what was known, what was overlooked, and what can be learned, taking advantage of the insights that new technologies and methods afford. Historical data is not just an academic record of what went before, but a resource we must mine to craft a more resilient and responsive cybersecurity posture.
The Rhysida Ransomware Group - The Rhysida group was first identified in May 2023, when it claimed its first victim. The group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-Service (RaaS). It has listed around 50 victims so far in 2023. FortiGuard conducted an investigation that uncovered some of the techniques and tools used by Rhysida. The initial detection was made by the FortiGuard MDR team: the threat actor was observed accessing systems in a victim's network and attempting to create memory dumps and gather user data. FortiEDR detected these events, allowing the MDR team to analyze them further. Following the initial detection and triage, the FortiGuard IR team was engaged to conduct a complete analysis.
Attack Details - The threat actors abuse legitimate software: PowerShell to gather information about users and systems within the network, PsExec to schedule tasks and modify registry keys for persistence, AnyDesk for remote connections, and WinSCP for file transfers. They also attempt to exfiltrate data from various systems using MegaSync. The report also covers the additional malware the FortiGuard IR team identified, along with a technique not often seen, in which the group deployed both Windows and Linux binaries. Restricting Veeam access to designated machines only hindered the threat actors from reaching the backup files. Moreover, prudent management of the vSphere passwords strengthened the victim's defense. The Rhysida ransomware group is known to target vSphere and hunt for its credentials, so the safeguards the victim had implemented were vital to preventing widespread ransomware deployment across the virtual infrastructure.
Staying informed on the landscape of cyber threats is critical. This analysis of the Rhysida group serves as a valuable resource for organizations. By uncovering motives and impact, the FortiGuard IR team's findings can guide proactive strategies.
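The Attack Details paragraph lists the legitimate tools the intrusion chained together. Individually each one is ordinary administrative activity; what a defender can act on is several of them appearing on the same host in a short window. The following is an added example, not part of the newsletter or of the FortiGuard report: a small correlation check over constructed process-creation log lines. The log format ("timestamp host image-path"), the hostnames, the timestamps and the assumption that the binaries keep their usual on-disk names are all hypothetical.

```python
"""
Added example (not from the newsletter or the FortiGuard report): flag hosts on
which several of the tools named in the Rhysida write-up ran within a short
window of each other.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool set taken from the write-up; the image names are the usual on-disk names
# (assumption: the attacker did not rename the binaries).
WATCHED_IMAGES = {
    "powershell.exe": "PowerShell discovery",
    "psexec.exe": "PsExec remote execution / persistence",
    "anydesk.exe": "AnyDesk remote access",
    "winscp.exe": "WinSCP file transfer",
    "megasync.exe": "MegaSync exfiltration",
}

# Constructed sample events in a hypothetical "<ISO timestamp> <host> <image path>" layout.
SAMPLE_EVENTS = """
2023-11-20T09:01:10 ws-finance-07 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2023-11-20T09:03:42 ws-finance-07 C:\\Users\\Public\\PsExec.exe
2023-11-20T09:20:05 ws-finance-07 C:\\Program Files\\AnyDesk\\AnyDesk.exe
2023-11-20T09:45:30 ws-finance-07 C:\\Users\\Public\\MEGAsync.exe
2023-11-20T10:00:00 ws-hr-02 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2023-11-21T15:00:00 ws-hr-02 C:\\Program Files\\WinSCP\\WinSCP.exe
""".strip().splitlines()


def parse_event(line: str):
    """Split one constructed log line into (timestamp, host, lower-cased image basename).
    The path may contain spaces, so only the first two fields are split off."""
    ts, host, path = line.split(" ", 2)
    image = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(ts), host, image


def score_hosts(lines, window=timedelta(hours=2), threshold=3):
    """Return {host: sorted list of distinct watched tools} for every host on
    which at least `threshold` distinct watched tools started within `window`
    of some earlier watched event. Hosts below the threshold are omitted."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, image = parse_event(line)
        if image in WATCHED_IMAGES:
            per_host[host].append((ts, image))

    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tools = {img for ts, img in events[i:] if ts - start <= window}
            if len(tools) >= threshold:
                flagged[host] = sorted(tools)
                break
    return flagged


if __name__ == "__main__":
    for host, tools in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(WATCHED_IMAGES[t] for t in tools))
```

In the constructed sample only ws-finance-07 is flagged: four watched tools start within 45 minutes, while ws-hr-02 shows two tools more than a day apart. The threshold and window are tuning knobs; the point of the check is that it keys on the combination the report describes rather than on any one tool, which on its own would be noisy.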
Link to full Fortinet report: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/rhysida-ransomware-intrusion.pdf?utm_source=blog&utm_medium=blog&utm_campaign=rhysida-ransomware
GLOBAL TRENDS:
Palestine - Amid the escalating tensions in the Israel-Hamas conflict, Check Point Research's (CPR) team has unearthed a new variant of the multi-platform backdoor SysJoker. According to CPR, which has been monitoring cybersecurity activity in the two countries, SysJoker malware was recently used by a Hamas-affiliated APT (advanced persistent threat) group to target Israel.[2] SysJoker was discovered by Intezer in 2021. It is a multi-platform backdoor, meaning it can target Windows, macOS, and Linux systems. The malware has been under active evolution since its discovery and is now equipped with a range of tactics to evade detection. The new SysJoker variant is written in Rust.
In their technical report, CPR researchers noted that the malware code has been completely rewritten but the malware still retains its original functionality. The primary modification is that the Rust variant uses OneDrive instead of Google Drive to store dynamic C2 URLs. SysJoker features two different modes of string decryption. The first method is rather simple and is shared by many SysJoker variants: it consists of multiple base64-encoded encrypted data blobs and a base64-encoded key; to decrypt, the malware base64-decodes both and XORs them to produce the plain-text strings. The second method is much more complex and involves a generated string-decryption algorithm.
Check Point Research explained: "The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded." The report offers in-depth insights on the Rust variant of SysJoker and its Windows variants with their attributions, along with infection vectors, the C2 communication mechanism, and the malware's functionality, which includes downloading and uploading files, executing commands, and capturing screenshots.
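The two paragraphs above describe the same primitive twice: a base64-encoded blob XORed with a key, used once for the embedded strings (blob and key both base64-encoded) and once for the OneDrive-hosted JSON that carries the C2 address (hardcoded key, base64 on the wire). The following is an added example written for this newsletter, not code from Check Point Research or from the malware: a decoder for both forms, run against constructed sample data. The key, the plain-text string, the JSON layout with a `url` field, and the assumption that a key shorter than the data is repeated are all hypothetical; the page gives no details of the second, generated decryption method, so it is not modelled.

```python
"""
Added example (not from the newsletter, CPR, or SysJoker itself): decode the
two XOR-plus-base64 string forms the report describes. All sample values are
constructed; none are real SysJoker artifacts.
"""
import base64
import json


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`. Assumption: a key shorter than the data repeats."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string_blob(blob_b64: str, key_b64: str) -> str:
    """Method one from the report: base64-decode both the encrypted blob and
    the key, XOR them, and return the resulting plain-text string."""
    blob = base64.b64decode(blob_b64)
    key = base64.b64decode(key_b64)
    return xor_bytes(blob, key).decode("utf-8")


def decode_c2_config(config_b64: str, hardcoded_key: bytes) -> dict:
    """Recover the C2 address from a (constructed) OneDrive-hosted file:
    base64-decode, XOR with the hardcoded key, then parse the JSON.
    The 'url' field name is an assumption made for this example."""
    raw = xor_bytes(base64.b64decode(config_b64), hardcoded_key)
    config = json.loads(raw.decode("utf-8"))
    if "url" not in config:
        raise ValueError("decoded JSON carries no 'url' field")
    return config


def _encode_for_sample(plaintext: bytes, key: bytes) -> str:
    """Inverse of the decoders, used only to build self-consistent sample data."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


# Constructed sample data (hypothetical key and values).
SAMPLE_KEY = b"example-key"
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode("ascii")
SAMPLE_STRING_B64 = _encode_for_sample(b"upload_file", SAMPLE_KEY)
SAMPLE_C2_JSON_B64 = _encode_for_sample(
    json.dumps({"url": "https://c2.example.invalid/api"}).encode("utf-8"), SAMPLE_KEY
)


if __name__ == "__main__":
    print("embedded string:", decode_string_blob(SAMPLE_STRING_B64, SAMPLE_KEY_B64))
    print("C2 config:", decode_c2_config(SAMPLE_C2_JSON_B64, SAMPLE_KEY))
```

For an analyst the useful property is that both forms are symmetric: the same `xor_bytes` that decodes a blob re-encodes it, so once the key is known from a sample, every string and the current C2 document can be recovered offline without running the binary.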
The screenshot shared by CPR shows the metadata of the OneDrive file containing the encrypted C2 server
“It is important to mention that in previous SysJoker operations, the malware also had the ability not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version,” researchers noted.
Researchers found evidence of the malware's ties to Gaza Cybergang, which has used it in previous campaigns. They also found behavioural similarities between SysJoker's new variants and the Operation Electric Powder campaign, which crippled Israeli organizations in 2016-2017 and was also loosely connected to Gaza Cybergang. This gang is reportedly pro-Palestine and often launches attacks in support of Palestinian interests. The resurgence of SysJoker malware adds to the arsenal of cyberweapons employed by hacktivists. Before this incident, Hamas hackers were discovered using a new Linux malware named BiBi-Linux Wiper against Israeli targets.
Denmark - In an era of heightened cyber awareness among vessel operators, leading international satellite service operator IEC Telecom has introduced OptiShield, a comprehensive cybersecurity solution designed specifically for the maritime industry. Developed by IEC Telecom's experts, OptiShield combines advanced cybersecurity software with a dedicated remote IT team to ensure state-of-the-art protection for onboard networks. "To navigate safely in the digital ocean, having a toolkit is not enough," explains the VP of Technology at IEC Telecom Group. "It is essential to have a qualified team to manage the software to ensure optimal benefits for your vessel, but not every vessel can have an IT specialist on board. We developed OptiShield to provide it all: advanced cybersecurity software coupled with a 24/7 remote support team of experts."
The number of maritime cyber-attacks has risen steadily in recent years, with several global ports being hacked in 2023 and a steep increase in maritime companies paying ransoms. According to a recent study by law firm HFW and maritime cyber security company CyberOwl, the average cost of unlocking computer systems in the maritime sector reached $3.2m this year, and 14% of the maritime industry professionals responding to a survey said they had paid a ransom in 2023, compared with 3% in 2022.[3]
Vessel operators must consider several factors to ensure their vessels are protected against cyber risks. Cybersecurity is no longer optional for vessels, with cyber policies introduced by the International Maritime Organization (IMO) having gone into effect on 1 January 2021. The regulations followed a steep rise in the use of connectivity and data transfers on vessels during the COVID-19 pandemic, and data usage is expected to continue to rise. Cybersecurity is not a plug-and-play solution; rather, it requires customization based on the vessel’s operations and chain of command. The comprehensive OptiShield solution builds on IEC Telecom’s remote management and cybersecurity expertise to provide top-tier protection for onboard networks while also helping vessels comply with IMO regulations. The OptiShield solution provides crucial threat protection and detection while IEC Telecom’s remote experts function as a cyber response team, ensuring vessels are ready to execute an effective response and quickly return to normal operations.
OptiShield’s key features include:
- Advanced threat protection: Integration between the endpoint antivirus and the next-generation firewall provides native endpoint visibility, compliance control, vulnerability management, sandbox analysis, and automation capabilities; real-time investigation of incidents helps minimize impact by automatically quarantining suspicious endpoints.
- Secure remote access: Endpoint security solutions utilise SSL and IPSec VPN technologies to create safe access to corporate networks and applications; two-factor authentication can be added for an extra layer of security.
- Anti-exploit protection: The OptiShield software prevents advanced malware and vulnerabilities from being exploited by analysing downloads in real time and leveraging a cloud-based global threat intelligence platform to protect onboard networks against emerging threats.
- Ransomware protection: The antivirus solution rolls back changes made by malicious programs and restores the endpoint to a pre-infection state.
- Dashboard visibility: An intuitive dashboard enhances visibility and control over each vessel’s software and hardware inventory.
- 24/7 cyber response team: OptiShield’s advanced software is operated by a dedicated remote IT team providing expert guidance.
With the introduction of the OptiShield cybersecurity solution, IEC Telecom continues to demonstrate its commitment and leadership in providing comprehensive solutions that prioritize vessel safety, efficiency, and cybersecurity in an increasingly connected world.
Singapore - As simulated attackers tried to overload an electrical system, cripple a water distribution network and shut down a gas plant, cyber defense operators across 26 national agencies sprang into action to neutralise the assaults on a fictional state’s critical infrastructure. These were among the scenarios that more than 200 participants went through from 22-24 November during the second Critical Infrastructure Defense Exercise held at the National University of Singapore. The three-day exercise organized by the SAF’s Digital and Intelligence Service (DIS) and Cyber Security Agency of Singapore (CSA) involved employees from organizations such as Changi Airport Group, national water agency PUB, Senoko Energy and Singtel.[4]
To ensure that the scenarios were realistic, officers from the DIS, CSA, the Defense Science and Technology Agency and Infocomm Media Development Authority modelled their attacks on Advanced Persistent Threat (APT) and cybercriminal groups’ tactics and methods, said the commander of the DIS’ Cyber Defense Group.
The commander said the primary objective of the exercise is to prepare and train Singapore's cyber defenders in the critical information infrastructure sectors, including giving them "an experience of what it is like to be in a nation-under-attack scenario." Such sectors include power, water, telecom and aviation. Preparations for the exercise took about four months, and about 1,000 physical and virtual systems were created for this purpose, he added.
A Singapore military expert, who was in charge of leading a team of participants from PUB and CSA in defending a water plant network, said the simulated attack started with a phishing e-mail, followed by an attack on the physical test bed, where values from the water plant were manipulated by hackers. “We had to closely monitor what are the vulnerabilities that are exposed to the external facing, Internet-connected systems, and how we can remediate this action,” she said.
Part of the scenarios covered how quickly critical systems can be restored after being attacked. Oftentimes, agencies have business continuity plans that include steps such as re-cloning a system or reverting the digital platform to a previous stable version, she added.
Speaking to the media on 24 November, the Senior Minister of State for Defense said cyber attacks have become a fact of life. “You can see so many examples in the world – real wars, real attacks, commercial sector, security-related sectors – everyday life is disrupted,” he said. This exercise therefore provides a platform for agencies to jointly prepare to deal with such attacks, he said. “(It) brings together many agencies throughout Government to come together to learn how to defend together,” Mr Heng added.
This year’s exercise involved twice as many participants as the inaugural edition in 2022, a sign that more of the nation’s digital infrastructure needs to be prepared to face down cyber-attacks. The number of participating agencies also grew from 17 to 26. Separately, DIS also signed memorandums of understanding for cyber collaboration with Google, ST Engineering and Ensign InfoSecurity, a cyber security joint venture between StarHub and Temasek. The Ministry of Defense said the agreements will help expand DIS’ partnership with the technology sector.
[1] https://www.sentinelone.com/labs/decoding-the-past-securing-the-future-enhancing-cyber-defense-with-historical-threat-intelligence/
[2] https://www.hackread.com/hamas-group-sysjoker-malware-leverages-onedrive/#google_vignette
[3] https://thedigitalship.com/news/maritime-satellite-communications/item/8711-iec-telecom-introduces-optishield-advanced-cybersecurity-solution-for-vessels
[4] https://www.straitstimes.com/singapore/cyber-defenders-fend-off-simulated-attacks-against-singapore-s-cellular-gas-and-airport-systems