breach data - X-Industry - Red Sky Alliance | 2024-03-29T12:15:28Z | https://redskyalliance.org/xindustry/feed/tag/breach+data
INTELLIGENCE REPORT: A YEAR LOOK BACK | https://redskyalliance.org/xindustry/intelligence-report-a-year-look-back | 2022-12-29T16:52:42.000Z | Bill Schenkelberg | https://redskyalliance.org/members/BillSchenkelberg
<div><h2><span style="font-size:12pt;"><a href="{{#staticFileLink}}10921768884,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10921768884,RESIZE_400x{{/staticFileLink}}" alt="10921768884?profile=RESIZE_400x" width="250" /></a>End of 2022 - Week Ending 30 December 2022:</span></h2>
<ul>
<li>Red Sky Alliance identified 19,712 connections from new IPs checking in with our Sinkholes</li>
<li>Frantech[.]ca in NYC hit 23x</li>
<li>Analysts identified 867 new IP addresses participating in various Botnets</li>
<li>2022-2023 ZeroBot</li>
<li>Ten (10) Data Set Stats</li>
<li>Red Sky Tools</li>
<li>Red Sky Partners</li>
<li>LastPass</li>
</ul>
<p>Link to .pdf : <a href="{{#staticFileLink}}10921768700,original{{/staticFileLink}}">IR-22-364-001_weekly364.pdf</a></p>
<table width="289">
<tbody>
<tr>
<td width="187">
<p><strong>IP</strong></p>
</td>
<td width="102">
<p><strong>Contacts</strong></p>
</td>
</tr>
<tr>
<td width="187">
<p>199.195.249.252</p>
</td>
<td width="102">
<p>56</p>
</td>
</tr>
<tr>
<td width="187">
<p>87.236.20.241</p>
</td>
<td width="102">
<p>49</p>
</td>
</tr>
<tr>
<td width="187">
<p>185.151.48.131</p>
</td>
<td width="102">
<p>49</p>
</td>
</tr>
<tr>
<td width="187">
<p>68.178.224.252</p>
</td>
<td width="102">
<p>48</p>
</td>
</tr>
<tr>
<td width="187">
<p>62.210.185.4</p>
</td>
<td width="102">
<p>37</p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<tbody>
<tr>
<td>
<p>199.195.249.252 was reported 23 times. Confidence of Abuse is 84%. ISP: Frantech Solutions; Usage Type: Data Center/Web Hosting/Transit; Domain Name: frantech.ca; Country: USA; City: NYC, NY<br /> <a href="https://www.abuseipdb.com/check/199.195.249.252">https://www.abuseipdb.com/check/199.195.249.252</a></p>
</td>
</tr>
</tbody>
</table>
<p><strong>Compromised (C2) IPs</strong></p>
<p>On 28 December 2022, Red Sky Alliance identified <strong>19,712 </strong>connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.</p>
<table width="100%">
<tbody>
<tr>
<td>
<p>Top 5 malware variants and number of contacts. <strong>Sality</strong> and <strong>Corkow</strong> have consistently remained the top variants. <br /> <strong>Sykipot</strong> follows.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Malware Activity</strong></p>
<table width="288">
<tbody>
<tr>
<td width="204">
<p><strong>Malware Variant</strong></p>
</td>
<td width="84">
<p><strong>Times Seen</strong></p>
</td>
</tr>
<tr>
<td width="204">
<p>sality</p>
</td>
<td width="84">
<p>17391</p>
</td>
</tr>
<tr>
<td width="204">
<p>corkow</p>
</td>
<td width="84">
<p>1245</p>
</td>
</tr>
<tr>
<td width="204">
<p>sykipot</p>
</td>
<td width="84">
<p>452</p>
</td>
</tr>
<tr>
<td width="204">
<p>shiz</p>
</td>
<td width="84">
<p>293</p>
</td>
</tr>
<tr>
<td width="204">
<p>maudi</p>
</td>
<td width="84">
<p>207</p>
</td>
</tr>
</tbody>
</table>
<p><strong>For a full black list – contact analysts: </strong><a href="mailto:info@wapacklabs.com"><strong>info@wapacklabs.com</strong></a></p>
<p><strong>Botnet Tracker</strong></p>
<p>On 28 December 2022, analysts identified <strong>867 </strong>new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sampling of botnet tracker entries).</p>
<table width="474">
<tbody>
<tr>
<td width="138">
<p><strong>First Seen</strong></p>
</td>
<td width="156">
<p><strong>Botnet Attribution</strong></p>
</td>
<td width="180">
<p><strong>Infected Host’s IPv4 Address</strong></p>
</td>
</tr>
<tr>
<td width="138">
<p>2022-12-27T01:20:51</p>
</td>
<td width="156">
<p>HTTP proxy|port:80</p>
</td>
<td width="180">
<p>8.219.60.145</p>
</td>
</tr>
<tr>
<td width="138">
<p>2022-12-26T11:00:24</p>
</td>
<td width="156">
<p>HTTP proxy|port:80</p>
</td>
<td width="180">
<p>8.219.141.77</p>
</td>
</tr>
<tr>
<td width="138">
<p>2022-12-24T21:10:26</p>
</td>
<td width="156">
<p>HTTP proxy|port:80</p>
</td>
<td width="180">
<p>8.219.158.54</p>
</td>
</tr>
<tr>
<td width="138">
<p>2022-12-22T19:10:24</p>
</td>
<td width="156">
<p>HTTP proxy|port:80</p>
</td>
<td width="180">
<p>8.219.159.77</p>
</td>
</tr>
<tr>
<td width="138">
<p>2022-12-24T19:10:27</p>
</td>
<td width="156">
<p>HTTP proxy|port:80</p>
</td>
<td width="180">
<p>8.219.172.178</p>
</td>
</tr>
</tbody>
</table>
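<p>As an added example (not Red Sky Alliance tooling), the script below shows how a defender would actually use the two tables above: the sinkhole C2 IPs are matched as outbound destinations in a connection log, and the open-proxy IPs as inbound sources. The IOC values are the ones printed on this page; the tab-separated log lines, their Zeek-like field layout and the internal hosts are constructed for the demonstration.</p>

```python
"""Match a local connection log against the C2 and open-proxy IOC tables.

Added example, not Red Sky Alliance code. IOC values are from the tables on
the page; the log lines and their field layout are constructed assumptions.
"""
import ipaddress
from collections import Counter

# Sinkhole C2 check-in IPs from the 'IP / Contacts' table (IP -> contact count).
SINKHOLE_C2 = {
    "199.195.249.252": 56,
    "87.236.20.241": 49,
    "185.151.48.131": 49,
    "68.178.224.252": 48,
    "62.210.185.4": 37,
}

# Open HTTP proxies from the botnet tracker table.
OPEN_PROXIES = {
    "8.219.60.145", "8.219.141.77", "8.219.158.54", "8.219.159.77", "8.219.172.178",
}


def load_iocs(raw):
    """Validate IOC strings and drop anything that is not globally routable,
    so a typo in a feed cannot become a rule that blocks RFC1918 space."""
    good = set()
    for s in raw:
        try:
            ip = ipaddress.ip_address(s.strip())
        except ValueError:
            continue
        if ip.is_global:
            good.add(str(ip))
    return good


# Constructed, Zeek conn.log-like lines: ts, uid, src_ip, src_port, dst_ip, dst_port, proto.
SAMPLE_CONN_LOG = """\
1672185600.10\tCx1\t10.0.4.21\t51032\t199.195.249.252\t80\ttcp
1672185601.22\tCx2\t10.0.4.22\t51033\t142.250.80.46\t443\ttcp
1672185602.35\tCx3\t8.219.60.145\t41000\t10.0.1.5\t443\ttcp
1672185603.40\tCx4\t10.0.4.23\t51034\t62.210.185.4\t8080\ttcp
1672185604.51\tCx5\t10.0.4.24\t51035\t10.0.0.1\t53\tudp
"""


def match_conn_log(log_text, c2_ips, proxy_ips):
    """Return (hits, summary). An outbound destination in c2_ips is a
    'c2_checkin' (the internal host is the likely infected machine); an
    inbound source in proxy_ips is traffic arriving 'via_open_proxy'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, uid, src, _sport, dst, dport, _proto = fields[:7]
        if dst in c2_ips:
            hits.append({"uid": uid, "ts": ts, "kind": "c2_checkin", "ioc": dst,
                         "host": src, "dport": int(dport)})
        if src in proxy_ips:
            hits.append({"uid": uid, "ts": ts, "kind": "via_open_proxy", "ioc": src,
                         "host": dst, "dport": int(dport)})
    return hits, Counter(h["kind"] for h in hits)


if __name__ == "__main__":
    hits, summary = match_conn_log(SAMPLE_CONN_LOG, load_iocs(SINKHOLE_C2), load_iocs(OPEN_PROXIES))
    for h in hits:
        print(h)
    print(dict(summary))
```

<p>The direction matters: a C2 IP seen as a destination points at an infected internal host, while an open proxy is only meaningful as a source, since legitimate users never originate from it.</p>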
<p><strong>MALICIOUS CYBER TRENDS:</strong></p>
<p><strong>Recorded Future Top 5 Threat Actors and Malware for 12 28 2022 (rankings change daily)</strong></p>
<p><strong>A YEAR LOOK BACK:</strong></p>
<p>In 2022, Red Sky Alliance moved from New Hampshire, on the US east coast, to Colorado and now operates as a 100% Red Sky Alliance brand. Our ten (10) data sets continued to provide our clients the indicators of compromise they need to protect their networks. Most notably, our Dark Web collection was fully automated; we now scrape between 70 and 80 forums and marketplaces.</p>
<p><strong>‘First’ Seen Data Collection of 2022 – Samplings</strong>:</p>
<p><strong>Breach Data</strong>:</p>
<p><a href="{{#staticFileLink}}10921776071,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921776071,RESIZE_584x{{/staticFileLink}}" alt="10921776071?profile=RESIZE_584x" width="500" /></a>Our analysts collect from more than just the large known data breaches. We have proprietary processes to collect breach data from less visible sources.</p>
<p><strong>Sinkhole Data</strong>:</p>
<p><a href="{{#staticFileLink}}10921777258,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921777258,RESIZE_584x{{/staticFileLink}}" alt="10921777258?profile=RESIZE_584x" width="500" /></a>Red Sky runs a proprietary sinkhole and collects indicators from domains that were formerly used for malicious purposes. This data is not available from any other source.</p>
<p><strong>Botnet Tracker</strong>:</p>
<p><a href="{{#staticFileLink}}10921777677,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921777677,RESIZE_584x{{/staticFileLink}}" alt="10921777677?profile=RESIZE_584x" width="500" /></a>Before 2020, this data set tracked IPs that communicated with known botnet IPs. From 2020 to present, we track publicly accessible open web proxies. This is because bad actors can use these proxies to leverage attacks while masking their own IP.</p>
<p><strong>Dark Web Marketplaces (</strong>and Forums<strong>)</strong>:</p>
<p><a href="{{#staticFileLink}}10921778091,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921778091,RESIZE_584x{{/staticFileLink}}" alt="10921778091?profile=RESIZE_584x" width="500" /></a>Dark Web data is collected from a variety of pages on the Tor network, their plain-web mirrors, and plain-web forums with overlapping intent. This includes forums, ransomware listings, and marketplaces. The data in this collection is broad: it contains companies already breached, various login credentials (personal and business), and a variety of software, identification papers, and counterfeit items for sale.</p>
<p><strong>Keylogger</strong>:</p>
<p><a href="{{#staticFileLink}}10921778655,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921778655,RESIZE_584x{{/staticFileLink}}" alt="10921778655?profile=RESIZE_584x" width="500" /></a>We collect against known keylogger aggregation points. Red Sky uses proprietary processes to determine where these aggregation points are and collects against them. We have not seen this data offered by other companies. Data includes the attacking server, indicators, and the victim IP (if known).</p>
<p><strong>Malicious Emails</strong>:</p>
<p><a href="{{#staticFileLink}}10921778275,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921778275,RESIZE_584x{{/staticFileLink}}" alt="10921778275?profile=RESIZE_584x" width="500" /></a>This is a collection of indicators extracted from the headers of emails where malicious attachments are detected. This includes email routing information, senders, recipients, and subject lines. On records where possible, we have determined industry sector and geolocation.</p>
<p><strong>Other Red Sky Alliance Data Sets</strong>:</p>
<p><strong>Source Code Secrets</strong> - We collect authentication keys, usernames and passwords, and API keys from open sources where users may have failed to properly configure their GitHub, GitLab, or Bitbucket repositories.</p>
<p><strong>Threat Recon</strong> - Aggregation of other open source threat intel mainly concerning IPs of known threat actors.</p>
<p><strong>"Paste" Sites</strong> (i.e. Pastebin) - This index contains domains, emails, and IP addresses extracted from sites such as pastebin.com. Indicators in this collection are geolocated when possible. We store these references for informational requests well after the original link may have been removed.</p>
<p>** Keep in mind that our data has been collected for more than 10 years. This gives a solid historical view of collection points through our products, RedXray and CTAC, and, once set up properly, a daily look at your threat picture.</p>
<p><strong>Red Sky Alliance Collection and Analysis Tools</strong></p>
<p><strong>RedXray</strong></p>
<p>Our <strong>RedXray</strong> product was developed entirely by our engineers to help company IT professionals and analysts proactively monitor any domain they want to keep an eye on: their own networks, or other domains they deem worth monitoring. RedXray provides daily notifications with indicators derived from our ten (10) data sets. It was developed for the Defense Industrial Base (DIB) to help companies protect themselves from malicious intrusions with minimal effort.</p>
<p><strong>CTAC</strong></p>
<p>Our Cyber Threat and Analysis Center (<strong>CTAC</strong>) is a Kibana/Elastic Stack product and a more encompassing analytical tool for companies and analysts. CTAC offers an open REST API for integration with as many other systems as needed. These tools have low learning curves and large user bases.</p>
<p>With both of our RedXray and CTAC products, the year of 2022 saw many new improvements to help our clients better support their cyber security programs. </p>
<p><strong>Cyber Intelligence Reporting</strong></p>
<p><a href="{{#staticFileLink}}10921779498,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10921779498,RESIZE_584x{{/staticFileLink}}" alt="10921779498?profile=RESIZE_584x" width="500" /></a>Several years ago, we established the Red Sky Alliance information portal [redskyalliance.org]. Here we share tactical cyber reports, full technical cyber intelligence reports and our weekly RedShorts webinars. Below is our 2022 breakdown of this support, which we provide free of charge. For 2023, this site will be open to anyone who wishes to participate.</p>
<p><strong>2022 Partners</strong></p>
<p>Red Sky Alliance, together with Quackenbush Benefit Agency, provides needed identity-protection services. Quackenbush has been in business since 1999 and works with families, small businesses, and employers to protect them from a variety of events with a host of services. Two popular services are legal protection and cyber/digital identity protection for people and businesses. We also partner with healthcare providers and offer various affordable life and health insurance products.</p>
<p><strong>Cyrisma</strong></p>
<p>Our coordinated effort assists Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) with a unique “Inside Outside” cybersecurity service approach that delivers affordable, simple, and accessible cybersecurity in a matter of hours. Cyrisma is a SaaS-based ecosystem that provides a single interface to identify sensitive data, vulnerable systems, and insecure configurations, track mitigation progress, and assign accountability. Organizations that use this solution see significant ROI on their resources, time, money and people, while meeting compliance mandates.</p>
<p><strong>Dun and Bradstreet (DnB)</strong></p>
<p>The Dun & Bradstreet Marketplace carries raw data from Red Sky Alliance’s breach-data collection. This includes both public breaches and those leaked on the deep or dark web. Breach data is a raw collection, meaning the data is unparsed and unsanitized; what it contains depends on the breach. For example, some may list email and password combinations while others may hold only PII such as names and addresses.</p>
<p><strong>Cysurance</strong></p>
<p>Insurance providers are taking an increasingly close look at coverage against cyber-attacks. Cysurance, in cooperation with Red Sky Alliance, continues to offer coverage to managed service providers, specialty insurance brokers, and other small business partners as an add-on service that protects data, operations and revenues. Cysurance eases the complexity of obtaining insurance by eliminating underwriting and lengthy, confusing application processes.</p>
<p><strong>Snowflake</strong></p>
<p>Red Sky Alliance saw the beauty of providing our data through the Snowflake platform to offer an innovative way to protect networks. Snowflake’s founders started from scratch and built a data platform that would harness the immense power of the cloud. They engineered Snowflake to power the Data Cloud, where thousands of organizations have seamless access to explore, share, and unlock the true value of their data.</p>
<p><strong>GLOBAL TRENDS:</strong></p>
<p><strong>LastPass</strong> - Password manager LastPass announced last week that hackers had accessed and copied a backup of data including customers’ passwords in encrypted form. People who use LastPass and have a weak master password, or one that may be associated with their email address or telephone number on another service, may need to consider that all of their stored passwords have been compromised and need to be changed, the company said. “If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account,” LastPass’s CEO explained, describing so-called credential stuffing attacks.<a href="#_ftn1">[1]</a></p>
<p>The announcement follows the company disclosing an incident from August in which “some source code and technical information were stolen from our development environment” — details that were subsequently used in the most recent attack. In an update to its existing post, rather than a new one, LastPass, said that the data gained during the August breach was “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”</p>
<p>The threat actor — as the data stolen in the first attack was used to support the second attack, this suggests it is the same individual or group behind both — was then able to access the decryption keys for LastPass’ cloud storage and dual storage containers. This is what has caused the most concern among onlookers as it enabled the attackers to copy the backups which LastPass keeps of its customers’ unencrypted account information “including company names, end-user names, billing addresses, email address, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”</p>
<p>The threat actor also accessed “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” In bold text, the blog post said that these encrypted fields are “secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.” LastPass’s encryption and hashing methods would make it “extremely difficult” for the threat actor to brute-force master passwords, that is, to have a computer generate every possible candidate (aaaaa, aaaab, aaaac, etc.) until one of them works.</p>
<p>AES-256 has a very large number of possible keys: 2 to the power of 256. As this explainer from the 3blue1brown YouTube channel shows, it would take an attacker with today’s technology an impossibly long time to brute-force a key of that size. There are no publicly known attacks that would allow someone to recover the key for material encrypted with a full implementation of 256-bit AES (Advanced Encryption Standard) in a shorter time, although some attacks have been proposed against reduced-round variants. The key space is not the attacker’s target, however: because the vault key is derived from the master password, the effective search space is the set of plausible master passwords, and the cost of each guess is set by the key derivation function. That is why the weak-master-password guidance above matters far more than the 2-to-the-256 figure. “Password managers are a natural target for someone trying to gain unauthorized access to your accounts, because a successful attack provides access to all of a user’s stored passwords,” warns guidance from the United Kingdom’s National Cyber Security Centre (NCSC).</p>
<p>Despite this risk, the NCSC still recommends using password managers, as long as the service complies with technical standards that include preventing the service itself (and thus any attacker who compromises it) from being able to access the decryption key. LastPass wrote: “The master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.” However, the company has been criticized for its handling of the incident and for failing to encrypt additional customer data.</p>
<p>The blog post added that customers who use LastPass’s default settings, including a unique master password of at least twelve characters, do not need to take any action. Those with weaker passwords, including business customers who do not use LastPass’s federated login services, were told they “should consider minimizing risk by changing passwords of websites you have stored. This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution,” LastPass added. “We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”</p>
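<p>The practical point in the passage above is that the attacker does not attack AES-256 at all: with a stolen vault backup they guess master passwords and run each guess through the key-derivation function. The following added example (not LastPass code) models that. It derives a 256-bit vault key with PBKDF2-HMAC-SHA256 from the master password and a per-account salt, runs an offline dictionary attack against a stolen vault, and estimates how long an exhaustive search takes for different password shapes. The iteration count, the salt choice, the key-check stand-in for trial decryption, the wordlist, the account email and the attacker’s hash rate are assumptions, not LastPass’s actual parameters.</p>

```python
"""Why the master password, not the AES key size, bounds vault security.

Added example, not LastPass code. Vault model (assumed, not LastPass's format):
key = PBKDF2-HMAC-SHA256(master password, salt = account email, ITERATIONS).
"""
import hashlib
import hmac

ITERATIONS = 100_100   # assumed KDF cost for the demo, not a statement about any real account
KEY_LEN = 32           # 256-bit key, matching AES-256


def derive_vault_key(master_password, account_email, iterations=ITERATIONS):
    """Client-side derivation: the service never sees master_password.
    Salting with the (assumed) account email defeats precomputed tables
    but does nothing against a per-account dictionary attack."""
    salt = account_email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=KEY_LEN)


def key_check(key):
    """Constructed stand-in for 'does this key decrypt the first vault block'."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def dictionary_attack(account_email, check, candidates, iterations=ITERATIONS):
    """Offline attack on a stolen vault backup: every guess costs one full KDF run,
    which is the only thing standing between a leaked backup and the cleartext."""
    for guess in candidates:
        if hmac.compare_digest(key_check(derive_vault_key(guess, account_email, iterations)), check):
            return guess
    return None


def years_to_exhaust(alphabet_size, length, sha256_per_second=1e10, iterations=ITERATIONS):
    """Worst-case time to try every password of the given shape. sha256_per_second
    is an assumed GPU-rig figure; dividing by the KDF cost gives guesses per second."""
    guesses_per_second = sha256_per_second / iterations
    return (alphabet_size ** length) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    account = "user@example.com"                                # constructed
    wordlist = ["password", "123456", "Summer2022!", "letmein"]  # constructed leak-style list
    weak_vault = key_check(derive_vault_key("Summer2022!", account))
    strong_vault = key_check(derive_vault_key("v7$Qz!m2Lr#9pW", account))
    print("weak master   ->", dictionary_attack(account, weak_vault, wordlist))
    print("strong master ->", dictionary_attack(account, strong_vault, wordlist))
    print(f"8 lowercase letters : {years_to_exhaust(26, 8):.3f} years")
    print(f"12 random printable : {years_to_exhaust(95, 12):.2e} years")
```

<p>The two estimates are the whole story of the advisory: an eight-letter lowercase master password falls in weeks under the assumed rate, while twelve random printable characters push the same attacker past the age of the universe. Raising the iteration count helps linearly; adding a character to a random password helps by a factor of the alphabet size.</p>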
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/lastpass-hackers-accessed-and-copied-customers-password-vaults/">https://therecord.media/lastpass-hackers-accessed-and-copied-customers-password-vaults/</a></p>
<p><a href="{{#staticFileLink}}10921779684,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10921779684,RESIZE_584x{{/staticFileLink}}" alt="10921779684?profile=RESIZE_584x" width="500" /></a></p></div>
Supply Chain & Trucking | https://redskyalliance.org/xindustry/supply-chain-trucking | 2022-05-12T17:59:43.000Z | Michael Brousseau | https://redskyalliance.org/members/MichaelBrousseau
<div><p><a href="{{#staticFileLink}}10482542089,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10482542089,RESIZE_400x{{/staticFileLink}}" alt="10482542089?profile=RESIZE_400x" width="250" /></a>The supply chain provides the framework for the modern transfer of goods. Logistics play a pivotal role from the acquisition of raw materials to the delivery of a final product to the end user. Generally, raw materials are transported to a supplier, who then transports them to a manufacturer. The manufacturer creates a finished product that is then distributed to a retailer or warehouse, from which it is shipped to, or picked up by, the consumer. Pictured below is a diagram showing the basic flow of goods in the supply chain:<a href="{{#staticFileLink}}10482542662,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10482542662,RESIZE_400x{{/staticFileLink}}" alt="10482542662?profile=RESIZE_400x" width="350" /></a></p>
<p>There are three distinct flows within the supply chain, they are: the flow of goods, the flow of information, and the flow of currency. Communication is essential to supporting these flows.</p>
<p>Cyber-attacks can, and have, caused global disruptions, including the SolarWinds, JBS, and Colonial Pipeline attacks. These supply chain cyber-attacks had impacts felt by consumers around the world. The reality is that the supply chain creates an enormous attack surface for malicious actors to target. Sophisticated attack techniques have been employed in the past; however, a reliance on social engineering and human error is still evident. Spoofed phishing emails with subject lines directing recipients to see the attached Bill of Lading, tracking number, shipment notice, invoice, or parcel arrival are common among distribution companies.</p>
<p>Using the Cyber Threat Analysis Center (CTAC) from Red Sky Alliance, we have discovered both breach data and malicious emails connected to a number of distributors and trucking companies within the supply chain. Pictured below is some geographic information about the hosts both sending and receiving these emails.</p>
<p><a href="{{#staticFileLink}}10482542873,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10482542873,RESIZE_584x{{/staticFileLink}}" alt="10482542873?profile=RESIZE_584x" width="500" /></a> <em>Figure 1. Map displaying location of sender domains</em></p>
<p><a href="{{#staticFileLink}}10482543697,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10482543697,RESIZE_584x{{/staticFileLink}}" alt="10482543697?profile=RESIZE_584x" width="500" /></a> <em>Figure 2. Map displaying location of victim domains</em><em><a href="{{#staticFileLink}}10482547871,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10482547871,RESIZE_710x{{/staticFileLink}}" alt="10482547871?profile=RESIZE_710x" width="710" /></a></em></p>
<p><em>Table 1. Below: List of subject lines, type of malware detection, sender data and targets seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full Table is Linked here --> <a href="{{#staticFileLink}}10482571881,original{{/staticFileLink}}">Trucking_Report_Table_05_12_2022.pdf</a></em></p>
<p><em><a href="{{#staticFileLink}}10482548856,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10482548856,RESIZE_710x{{/staticFileLink}}" alt="10482548856?profile=RESIZE_710x" width="710" /></a></em></p>
<p>The subject lines present several commonalities. The search terms used to query the CTAC database were based on popular logistics companies including FedEx, UPS, and DHL. Attackers used these terms and common notification messages to deceive recipients into believing the message has a useful attachment. The attachments claimed to be shipping notices, invoices, tracking numbers, or notification of delivery. A number of these emails were sent multiple times to different recipients demonstrating small, targeted phishing campaigns. </p>
<p>One sample phishing attack from the collection was sent from “mariya-ostocos.shop” (“mariya@ostocos.shop”) with the subject line “DHL Shipment Notification: 0915158433032022”. On 12 April 2022, our data collections show this email was sent four times to hlcorp.com and hlcorp.com.cn. The email triggered a number of VirusTotal detections referencing a Common Vulnerabilities and Exposures (CVE) entry, CVE-2017-11882, an older Microsoft Office memory corruption vulnerability that allows attackers to run arbitrary code.<a href="#_ftn1">[1]</a></p>
<p>Some phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures they use apply generically to most supply chain transactions announcing notifications or updates that are universally expected.</p>
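<p>As an added example of the triage logic the two paragraphs above describe (not Red Sky Alliance’s CTAC code), the script below parses raw e-mail, pulls the sender domain and subject, checks whether a logistics brand named in the subject matches a domain that legitimately sends for that brand, and flags Office/RTF attachments, the usual carrier for Equation Editor exploits such as CVE-2017-11882. The sender address and subject of the first sample are the ones quoted above; the display name, recipient, date, attachment, the second sample and the legitimate-domain list are constructed assumptions.</p>

```python
"""Triage logistics-themed phishing lures in raw e-mail.

Added example, not Red Sky Alliance tooling. Sample 1 reuses the sender and
subject quoted in the report; all other headers, the attachment, sample 2 and
the brand-domain list are constructed assumptions.
"""
import email.utils
import re
from email import message_from_string, policy

# Lure brands and the domains assumed to send legitimately for them (assumption).
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}
# Office/RTF files are the usual carrier for Equation Editor exploits such as CVE-2017-11882.
RISKY_EXT = (".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")


def sender_domain(msg):
    """Domain of the From address (display-name tricks are ignored on purpose)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def is_brand_domain(dom, brand):
    """Exact match or subdomain of a listed brand domain; 'dhl.com.evil.example' fails."""
    return any(dom == d or dom.endswith("." + d) for d in BRAND_DOMAINS[brand])


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    dom = sender_domain(msg)
    findings = []
    brand = next((b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", subject, re.I)), None)
    if brand and not is_brand_domain(dom, brand):
        findings.append(f"subject impersonates {brand.upper()} but sender domain is {dom!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"Office/RTF attachment {name!r}: detonate in a sandbox, look for OLE/Equation objects")
    return {"from": dom, "subject": subject, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Sample 1: sender and subject as quoted in the report; everything else constructed.
PHISH = """\
From: mariya-ostocos.shop <mariya@ostocos.shop>
To: accounts@hlcorp.com
Subject: DHL Shipment Notification: 0915158433032022
Date: Tue, 12 Apr 2022 09:14:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached shipment notice.
--b1
Content-Type: application/msword; name="DHL_Notice.doc"
Content-Disposition: attachment; filename="DHL_Notice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Sample 2: constructed benign notification from a brand domain.
LEGIT = """\
From: DHL Express <noreply@dhl.com>
To: accounts@hlcorp.com
Subject: DHL Shipment Notification: 1234567890
Date: Tue, 12 Apr 2022 09:14:00 +0000
Content-Type: text/plain

Your shipment is on its way.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(triage(sample))
```

<p>The brand check deliberately uses the address domain, not the display name, because the display name is where lookalikes such as “mariya-ostocos.shop” live; and a suffix match is required, so a domain that merely starts with “dhl.com” does not pass.</p>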
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the supply chain and thus possibly infect suppliers, manufacturers, distributors, and retailers, further up or down the chain.</p>
<p>Fraudulent emails are designed to make recipients hand over sensitive information, extort money, or trigger malware installation on information and communication technology (ICT) systems. These threats often carry a financial liability for one or all of those involved in the supply chain. Preventative email protection offers a strong first-line defense by blocking deceptive messages before they reach staff inboxes. Malicious hackers develop new techniques to evade current detection daily, so it is important to stay up to date.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>Further investigation of breach data using CTAC to query for 10 smaller logistics (trucking) companies yielded 90 compromised credentials in the past 30 days.</p>
<p> <a href="{{#staticFileLink}}10482566471,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10482566471,RESIZE_710x{{/staticFileLink}}" alt="10482566471?profile=RESIZE_710x" width="710" /></a></p>
<p>Of interest is that attackers can use these compromised email accounts to send further phishing emails within a target company, taking advantage of the victim’s contact list. In trucking, smaller companies are often subcontracted to deliver goods for larger firms. Email communication between these large and small companies is very common and could be a successful lure for unsuspecting users. The loss of even one user’s credentials is all it takes for a malicious actor to wreak havoc on the supply chain. We have a recent example of a single credential compromise at a law firm in Louisiana that resulted in a ransomware attack two months later. It happens.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
<li>Use strong passwords and maintain an enforceable password policy.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-11882">https://nvd.nist.gov/vuln/detail/CVE-2017-11882</a></p></div>
COMBing Through Billions of Passwords | https://redskyalliance.org/xindustry/combing-through-billions-of-passwords | 2021-05-17T13:50:15.000Z | Jonathon Sweeney | https://redskyalliance.org/members/JonathonSweeney
<div><p><a href="{{#staticFileLink}}8938732855,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8938732855,RESIZE_400x{{/staticFileLink}}" width="250" alt="8938732855?profile=RESIZE_400x" /></a>The volume of breach data, or exposed user credentials, has significantly increased in recent years. The CompilationOfManyBreaches (COMB) dump was discovered in February 2021 and <u>contains more than 3 billion unique sets of stolen user credentials</u>. The name is accurate: the file combines breach data from numerous historical and recent data breaches into one dataset.</p>
<p>While the risk associated with historical passwords is lower, users often re-use passwords (especially more complex passwords) which means an attacker with this data would have a significant advantage in a cyber attack. There are many uses for stolen credentials including credential stuffing attacks, business email compromises (BEC), extortion and...</p>
<p>Read the full report here: <a href="{{#staticFileLink}}8938733279,original{{/staticFileLink}}">IR-21-134-001-CompilationOfManyBreaches (COMB).pdf</a></p>
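<p>Added example (not Red Sky Alliance’s collection code) covering both this post and the RedXray domain-monitoring description in the year-end report above: a tolerant parser for combo-list style dumps (email, separator, password), an index that keeps only a password fingerprint, a check for the same password reused across independent breaches, and a per-domain exposure count of the kind a domain watch would report. The dump contents, breach names and domain names are constructed.</p>

```python
"""Parse combo-list style breach dumps and find password reuse per account.

Added example, not Red Sky Alliance's parser. The dump lines are constructed;
real dumps mix separators and junk lines, which the parser tolerates.
"""
import hashlib
import re
from collections import defaultdict

# email, then one of ':' ';' '|' as separator, then the password (which may itself contain ':').
LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(.+?)\s*$")


def parse_combo(text, source):
    """Yield (email, password, source) for well-formed lines; silently skip junk."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        addr, pw = m.group(1).lower(), m.group(2)
        if "." not in addr.rpartition("@")[2]:   # require a dotted domain part
            continue
        yield addr, pw, source


def index(records):
    """account -> password fingerprint -> set of breach sources.
    Only a truncated SHA-1 of the password is kept, so the index can be
    stored without re-creating the cleartext dump."""
    idx = defaultdict(lambda: defaultdict(set))
    for addr, pw, src in records:
        fp = hashlib.sha1(pw.encode("utf-8", "surrogateescape")).hexdigest()[:10]
        idx[addr][fp].add(src)
    return idx


def reused(idx):
    """Accounts where the same password shows up in two or more independent breaches:
    these are the credential-stuffing candidates, not the ones that rotated."""
    out = {}
    for addr, pws in idx.items():
        hits = {fp: sorted(srcs) for fp, srcs in pws.items() if len(srcs) >= 2}
        if hits:
            out[addr] = hits
    return out


def exposure_by_domain(idx, monitored):
    """Exposed-account count per monitored domain, the figure a domain watch reports."""
    counts = {d.lower(): 0 for d in monitored}
    for addr in idx:
        d = addr.rpartition("@")[2]
        if d in counts:
            counts[d] += 1
    return counts


# Constructed dumps; the mixed separators and junk line mimic real combo lists.
BREACH_A = """\
alice@acme-trucking.example:Trucker2019!
bob@acme-trucking.example;hunter2
garbage line without separator
carol@other.example|C@r0l-2020
"""
BREACH_B = """\
Alice@Acme-Trucking.example:Trucker2019!
bob@acme-trucking.example:newpass#44
dave@acme-trucking.example:Dave1234
"""

if __name__ == "__main__":
    records = list(parse_combo(BREACH_A, "breach_A")) + list(parse_combo(BREACH_B, "breach_B"))
    idx = index(records)
    print("reused across breaches:", reused(idx))
    print("exposure:", exposure_by_domain(idx, ["acme-trucking.example"]))
```

<p>Normalising the address to lower case before indexing is what makes the two “Alice” records collide; without it a dump that changes case hides the reuse, which is exactly the advantage the post attributes to an attacker holding a combined dataset.</p>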
</div>
Ransom at the Carnival | https://redskyalliance.org/xindustry/ransom-at-the-carnival | 2020-08-20T16:11:37.000Z | Jonathon Sweeney | https://redskyalliance.org/members/JonathonSweeney
<div>
<p><a href="{{#staticFileLink}}7541747475,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}7541747475,RESIZE_400x{{/staticFileLink}}" alt="7541747475?profile=RESIZE_400x" width="250" /></a>Carnival Corporation & PLC is the largest cruise line operator in the world. In 2019, Carnival pulled in a record revenue of $20.8 billion. Even with the troubles of 2020, this makes them a significant target for attackers looking to earn a profit. On 15 August 2020, Carnival Corp & PLC detected a ransomware attack that encrypted a portion of one brand’s IT systems. Attackers not only encrypted the data, but also downloaded certain files indicating some data was stolen. In their SEC filings, the company states, “we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies.<a href="https://redskyalliance.org/transportation/ransom-at-the-carnival?edited=1#_ftn1">[1]</a>”</p>
<p>Some people may remember the breach Carnival experienced from April to July 2019 in which attackers stole data including, but not limited to names, addresses, social security numbers, credit card info, etc. Often cyber attackers will breach a network and linger there for future cyber-attacks. It is unclear if that is the case here.</p>
<p>Carnival has yet to disclose the name of the ransomware used against the company. However, using Red Sky Alliance collections, analysts noticed a recent spike in external malicious activity related to the company, right before the current attack. Our collection showed a spike...</p>
<p>Read the full report here: <a href="{{#staticFileLink}}7541752678,original{{/staticFileLink}}">IR-20-233-001-Ransom_At_The_Carnival.pdf</a></p>
<p><a href="https://redskyalliance.org/transportation/ransom-at-the-carnival?edited=1#_ftnref1">[1]</a> <a href="https://www.sec.gov/Archives/edgar/data/0001125259/000095014220002039/eh2001078_8k.htm">https://www.sec.gov/Archives/edgar/data/0001125259/000095014220002039/eh2001078_8k.htm</a></p>
</div>