All Articles (214)

We all need some good news on the “new” COVID-19 Cyber Front.  The FBI has delivered the good news this past week.  During these first weeks of the “New Normal” during the worldwide Corona Virus pandemic, more and more employees are working from home with limited cyber threat protections or training.  Taking down a Crime as a Service (CaaS) web store off the Internet is fantastic news.  This past week, the FBI seized the domain of Deer.io, which federal prosecutors say served as a clearinghouse

Cyber threat analysts recently uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload, as well as minor changes to the integration of its components.  TrickBot is a module-based malware that, while first identified as a banking trojan, has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps.  The malware has also evolved to send sp

Ransomware actors have been preying on small governments, because it is an easy payday.  Small governments have limited cyber threat resources and the demand of their citizens to bring back vital services (immediately).  City leaders want to get their services back in operation and running quickly, as voters have long memories.  Because it is cheaper than going completely offline, city and county governments often pay the ransom, especially if insurance companies pay the demanded amount or honor

During these current and uncertain times, who can you trust for updated, reliable and virus-free information on the Coronavirus?  A safe, reliable source is InfraGard.  InfraGard National is an FBI-affiliated nonprofit organization dedicated to strengthening national security, community resilience and the foundation of American life.  InfraGard is one of the FBI’s longest-running outreach programs and its largest public/private partnership, with over 60,000 members representing 77 InfraGard chapt

The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware on 07 March 2020.  Local media reports that the city fell victim to a phishing attack that ultimately led to the deployment of the Ryuk Ransomware on their systems.  Ryuk was developed by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment.  Once deployed, Ryuk can spread across network servers through file shares to individual compu

Later yesterday, the US-based InfraGard National https://www.infragard.org/ provided a very valuable link to a Northeastern University site that provides COVID-19 information and prevention on-line training.  Much of this information is provided through the support of Johns Hopkins University, the Centers for Disease Control and the World Health Organization.  We here at Red Sky Alliance would like to provide this very valuable, reliable reference source, as “Knowledge is Power.”  Having the proper pr

Two weeks ago, T-Mobile announced it experienced a data breach caused by an email vendor being hacked, which exposed the personal and financial information of some of its customers.

In early February 2020, our Red Sky Alliance RedXray service, which is a cyber threat notification service that simplifies monitoring for organizations and supply chains, provided our collection and analysis to T-Mobile regarding the cyber threats we discovered (known as “hits”) in our proprietary collections....

Summary

The IoTReaper, a.k.a. IoTroop, botnet was discovered in 2017 and remains a significant threat to the cyber domain.  Check Point Research completed a thorough investigation of the malware when it was discovered in 2017, but researchers have still seen no sign that the botnet has been activated to conduct a significant DDoS attack, similar to that seen against Dyn in 2016.  In 2016, a DDoS coming from the Mirai botnet triggered a shutdown of services across the country and analysts believe

Summary

This document summarizes threats reported by Red Sky Alliance’s RedXray for one of the largest shipping/transportation companies in the world.  Analysts observed hits in most collections.  The name of the company is redacted in this report, and the company is referred to as “Shipping Co.”  Recent international events have caused a significantly higher risk for all industries, but especially an industry in charge of transporting important commodities around the globe.  With many

A new ransomware strain called PXJ ransomware (also known as XVFXGW ransomware) was first discovered in late February 2020.[1]  Half of the known samples were uploaded from Korea, and it uses a Korean website for a C2, showing predominantly Asian targeting.

Details

The earliest PXJ ransomware sample is from 24 February 2020.  It received its name for the .pxj extension that it adds to the files it encrypts.  Its alternative name, XVFXGW, refers to the strings in two contact emails (xvfxgw3929@pr

Summary

As some operations and businesses in the United States and around the world come to a significant slowdown due to COVID-19, many employees are being forced to work from home.  While every-day business operations may slow down, cyber-attacks do not; in fact, we predict they will increase.  Many companies are implementing BYOD and work-from-home policies on a huge scale.  This presents many more hacking opportunities and creates more vulnerabilities than companies normally manage while e

The DoppelPaymer Ransomware is the latest malware which groups are using to threaten the sale or publication of a victim's stolen files if they do not pay a timely ransom demand.  A newer tactic being used by ransomware operators that perform network-wide encryption is to steal a victim's files before encrypting any devices.  The actors then threaten to publish or sell this data if the victim does not pay the ransom.

Read the full report here: TR-20-073-001_DoppelPaymer_Ransomware.docx

Remember Mad magazine’s spokesman, Alfred E. Newman, and his catch phrase, “What, me worry?”  This attitude has taken root in many organizations’ views of cybersecurity and shows little improvement.  Cyber security experts estimate that only one in three small to medium sized businesses (SMBs) and small municipalities with 50 or fewer employees rely on free or consumer-grade cybersecurity products.  Additional research indicated that one in five companies do not use any endpoint security either.  A

No, I am not making this up.  This really happened and it started with a phishing attack.  Those of you who have read my past articles will see a theme: “Always verify any requests in person to change bank accounts or make any payment that is not authorized and verified by voice through a company office.  Never rely on an email alone.”

Cyber criminals posed as the wife of Crown Bank CEO Jacinto Rodriques by utilizing a spoofed email address that really looked legitimate.  Crown Bank is a community

Our Red Sky Alliance analyst team uses Cisco Meraki and RedXray-Plus for our VIP client protection.  For numerous reasons, prospective clients often confuse the RedXray threat intelligence feed with an Intrusion Detection System (IDS; alerting/monitoring) or Intrusion Prevention System (IPS; blocking/preventing).

The Meraki device is different from RedXray service in several ways.  The Meraki is limited because it uses generic Sourcefire Snort rules and does not allow for the creation/use of cus

Can you go phishing in a Shark Tank?  Apparently, you can.  "Shark Tank" TV star Barbara Corcoran lost close to $400,000 last week after her real estate office was duped by criminal hackers who used a small typo to gain access into her company.

The phish started last week when an email chain was forwarded to Corcoran's bookkeeper whose name is “Christine.”  Confidential sources on Corcoran's team passed to media that the phishing email appeared to have been sent from Corcoran's executive

Ransomware as a Service (RaaS) has a nice ring to its name, yet it spells big trouble for all businesses and governments alike.  Targeted ransomware attacks are likely to increase in 2020 as RaaS continues to evolve into an even more profitable business model for cyber criminals.  This is one of the opinions expressed by numerous cyber security experts interviewed at RSA 2020.[1]  Dark web researchers are noticing a spike in demand for RaaS applications in hacker forums.  The ease of availability

Phishing attacks are the most common method of attacking any organization.  These types of attacks have been observed in all industries and government entities.  The latest infiltration campaign used by Iranian state-sponsored hackers has been named “The Return of the Charming Kitten.”  In this particular effort, hackers have targeted individuals in organizations that have been involved in economic and military sanctions against the Islamic Republic of Iran.  These targets include politicians,

A Massachusetts utility company power station was attacked by ransomware recently, and the company refused to meet the attackers' ransom payment demands.  The Reading Municipal Light Department (RMLD) was targeted on 21 February 2020 by cyber-criminals trying to extort money by encrypting data in the station's computer system.  Unfortunately for them, management opted to hire an outside cyber threat consultant to help them deal with the ransomware infection instead of paying for the return of their