extortion - X-Industry - Red Sky Alliance (feed updated 2024-03-29T10:26:15Z, https://redskyalliance.org/xindustry/feed/tag/extortion)

Lapsus$ Hit in UK
https://redskyalliance.org/xindustry/lapsus-hit-in-uk
Published 2023-07-13T16:25:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>British prosecutors say a teen Lapsus$ member was behind hacks on Uber and Rockstar. Earlier this week a British Crown Court lifted a reporting restriction, allowing the naming of a teenager who is accused of hacking Uber, Revolut, and video game developer Rockstar Games in a short period of time last September. The teen, who is now 18, has been deemed not fit to stand trial by medical professionals. The jury will decide whether he is liable for the hacking incidents rather than guilty of them.<a href="#_ftn1">[1]</a></p>
<p>The teenager has been charged with 12 offenses, including three counts of blackmail, two counts of fraud, and six charges under the Computer Misuse Act. Prosecutors allege that he was a member of the Lapsus$ hacking gang but acted independently when he broke into the systems of ride-hailing business Uber, fintech firm Revolut, and the developer of Grand Theft Auto in a rash of successive incidents in September 2022.</p>
<p>The teen, alongside another 17-year-old who may not be named for legal reasons, has also been accused of attempting to blackmail the telecommunications company BT as well as the graphics-card maker Nvidia as part of their activities with the Lapsus$ gang. The 17-year-old is being tried for two counts of blackmail, two counts of fraud, and three charges under the Computer Misuse Act, all of which relate to the alleged Lapsus$ activities targeting BT and Nvidia. He denies these charges, although he had previously pleaded guilty to two offenses under the Computer Misuse Act and one count of fraud.</p>
<p>At the time of the Uber hack, a person claiming to be responsible contacted The New York Times and security researchers to claim they had managed to access the ride-hailing company's computer network through social engineering. Uber said the hacker had posted what was described as pornographic material to an internal information page for employees, alongside the message: “F*ck you wankers.”</p>
<p>The Grand Theft Auto incident was disclosed on a fan forum for the video game series by an individual who claimed to have also hacked Uber. This individual then shared a link to clips from Grand Theft Auto 6, a title which Rockstar had not publicly confirmed was in development.</p>
<p>At the time of the Revolut incident, some users on Reddit reported seeing messages with inappropriate language on the app’s support chat. Revolut replied that it was aware of those messages and “taking steps to ensure this does not happen again.”</p>
<p>Prosecutors said that the hacking incidents were linked to the teens by investigators who found their IP addresses through a number of email and Telegram accounts which the pair allegedly used to boast about their antics. </p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /> Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/british-prosecutors-accuse-teen-lapsus-member-of-uber-revolut-rockstar-hacks/">https://therecord.media/british-prosecutors-accuse-teen-lapsus-member-of-uber-revolut-rockstar-hacks/</a></p></div>

BianLian Ransomware Developer
https://redskyalliance.org/xindustry/bianlian
Published 2023-05-19T12:05:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple US critical infrastructure sectors since June 2022. It has also targeted Australian critical infrastructure sectors, as well as professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release the data if payment is not made. BianLian group originally employed a double-extortion model, encrypting victims’ systems after exfiltrating the data; around January 2023, however, they shifted to primarily exfiltration-based extortion.<a href="#_ftn1">[1]</a></p>
<p>FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.</p>
<p>For a downloadable copy of IOCs, see AA23-136A.stix (STIX, 35kb).</p>
<p>TECHNICAL DETAILS: BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple US critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominantly targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.</p>
<p>Initial Access - BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566].</p>
<p>Command and Control - BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) [T1587.001] and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control [T1105],[T1219].</p>
<p>FBI also observed BianLian group actors create and/or activate local administrator accounts [T1136.001] and change those account passwords [T1098].</p>
<p>Defense Evasion - BianLian group actors use PowerShell [T1059.001] and Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001], specifically Windows defender and Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry [T1112] to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.</p>
<p>Discovery - BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used:</p>
<ul>
<li>Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports [T1046].</li>
<li>SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders [T1135].</li>
<li>SharpShares to enumerate accessible network shares in a domain.</li>
<li>PingCastle to enumerate Active Directory (AD) [T1482]. PingCastle provides an AD map to visualize the hierarchy of trust relationships.</li>
</ul>
<p>BianLian actors also use native Windows tools and Windows Command Shell to:</p>
<ul>
<li>Query currently logged-in users [T1033].</li>
<li>Query the domain controller to identify:
<ul>
<li>All groups [T1069.002].</li>
<li>Accounts in the Domain Admins and Domain Computers groups [T1087.002].</li>
<li>All users in the domain.</li>
</ul>
</li>
<li>Retrieve a list of all domain controllers and domain trusts.</li>
<li>Identify accessible devices on the network [T1018].</li>
</ul>
<p>See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.</p>
<p>Credential Access - BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine [T1552.001]. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory [T1003.001], download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit) [T1003.003].</p>
<p>In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it. Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network.</p>
<p>If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.gitbhub[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company.</p>
<p>BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.</p>
<p><strong>INDICATORS OF COMPROMISE</strong> (IOC)</p>
<p>See Table 1 for IOCs obtained from FBI investigations as of March 2023.</p>
<p>MITRE ATT&CK TECHNIQUES - See Table 2 for all referenced threat actor tactics and techniques in this advisory.</p>
<p>MITIGATIONS - FBI, CISA, and ACSC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.</p>
<ul>
<li>Reduce the threat of malicious actors using remote access tools by:
<ul>
<li>Auditing remote access tools on your network to identify currently used and/or authorized software.</li>
<li>Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].</li>
<li>Using security software to detect instances of remote access software only being loaded in memory.</li>
<li>Requiring that authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).</li>
<li>Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.</li>
</ul>
</li>
</ul>
<ul>
<li>Implement application controls to manage and control execution of software, including allowlisting remote access programs.
<ul>
<li>Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. See the NSA Cybersecurity Information Sheet Enforce Signed Software Execution Policies for additional guidance.</li>
</ul>
</li>
</ul>
<ul>
<li>Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
<ul>
<li>Audit the network for systems using RDP.</li>
<li>Close unused RDP ports.</li>
<li>Enforce account lockouts after a specified number of attempts.</li>
<li>Apply phishing-resistant multifactor authentication (MFA).</li>
<li>Log RDP login attempts.</li>
</ul>
</li>
</ul>
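<p>The two audit items above (auditing remote access tools and reviewing logs for their execution; auditing RDP, lockouts, and RDP login logging) can be checked per host with a short read-only script. The following is an added example written for this page, not code from the advisory or from Red Sky Alliance. The product names are the ones the advisory lists; the 7-day look-back window and the output layout are assumptions. It should be run in an elevated Windows PowerShell 5.1 session, and the process-creation check only returns results where "Audit Process Creation" (event 4688) is enabled.</p>

```powershell
# Added example (not from the advisory): read-only audit of one Windows host for the remote
# access tools the advisory names and for the RDP settings it asks you to check.
# Run in an elevated Windows PowerShell 5.1 session. Product names come from the advisory;
# the 7-day window and the output layout are assumptions for illustration.

$RemoteAccessNames = @('TeamViewer', 'Atera', 'Splashtop', 'AnyDesk')
$WindowMs = 7 * 24 * 60 * 60 * 1000   # XPath timediff() works in milliseconds

function Test-NameMatch([string]$Value) {
    foreach ($n in $RemoteAccessNames) { if ($Value -like "*$n*") { return $true } }
    return $false
}

function Get-EventField($Event, [string]$Name) {
    # Read a named EventData field from the event XML instead of relying on positional indices.
    $data = ([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    return $data.'#text'
}

function Get-RemoteAccessFindings {
    # 1. Installed products (64-bit and 32-bit uninstall hives).
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and (Test-NameMatch $_.DisplayName) } |
        ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Item = $_.DisplayName; Detail = $_.InstallLocation } }

    # 2. Running processes: a portable build has no uninstall entry but still shows up here.
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { Test-NameMatch $_.ProcessName } |
        ForEach-Object { [pscustomobject]@{ Source = 'Process'; Item = $_.ProcessName; Detail = $_.Path } }

    # 3. Process-creation events (4688) in the window; needs "Audit Process Creation" enabled.
    $xpath = "*[System[(EventID=4688) and TimeCreated[timediff(@SystemTime) <= $WindowMs]]]"
    $executed = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'Event4688'; Item = (Get-EventField $_ 'NewProcessName'); Detail = $_.TimeCreated } } |
        Where-Object { Test-NameMatch $_.Item }

    @($installed) + @($running) + @($executed)
}

function Get-RdpPosture {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $port = if ($tcp.PortNumber) { [int]$tcp.PortNumber } else { 3389 }

    # Lockout threshold from local policy; "Never" means no lockout is configured.
    $line = (net accounts) | Where-Object { $_ -match '^Lockout threshold' } | Select-Object -First 1
    $lockout = if ($line -match ':\s*(\S+)') { $Matches[1] } else { 'unknown' }

    # RDP logons are LogonType 10 (RemoteInteractive): 4624 = success, 4625 = failure.
    $rdp = "and EventData[Data[@Name='LogonType']='10']]"
    $okXPath   = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $WindowMs]] $rdp"
    $failXPath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= $WindowMs]] $rdp"
    $ok   = @(Get-WinEvent -LogName Security -FilterXPath $okXPath   -ErrorAction SilentlyContinue)
    $fail = @(Get-WinEvent -LogName Security -FilterXPath $failXPath -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($tcp.UserAuthentication -eq 1)
        Port              = $port
        Listening         = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
        LockoutThreshold  = $lockout
        RdpLogons7d       = $ok.Count
        RdpFailedLogons7d = $fail.Count
        FailedSourceIPs   = (@($fail | ForEach-Object { Get-EventField $_ 'IpAddress' } | Sort-Object -Unique) -join ', ')
    }
}

Get-RemoteAccessFindings | Format-Table -AutoSize
Get-RdpPosture | Format-List
```

<p>An RDP posture with RdpEnabled true, NlaRequired false, or LockoutThreshold "Never" on a host that is not an approved jump host is the finding to act on; a non-empty FailedSourceIPs list that is not your VPN or VDI range indicates the exposure the advisory's "close unused RDP ports" and "log RDP login attempts" items are meant to remove.</p>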
<ul>
<li>Disable command-line and scripting activities and permissions [CPG 2.N].</li>
<li>Restrict the use of PowerShell, using Group Policy, and only grant it to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].</li>
<li>Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].</li>
<li>Enable enhanced PowerShell logging [CPG 2.T, 2.U].
<ul>
<li>PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use.</li>
<li>Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).</li>
<li>The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.</li>
</ul>
</li>
</ul>
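<p>The enhanced-logging items above map to three policy registry keys that Windows PowerShell reads, plus the size of the two event logs the advisory names. The script below is an added example for this page, not code from the advisory: it sets those keys, enlarges both logs, and returns a posture object that can be re-run on a schedule to catch logging being turned off or logs being cleared. The 1 GB size, the transcript directory, and the 30-day window for the "log cleared" check are assumptions; Windows event logs are bounded by size rather than by days, so the size is what you tune to meet the 180-day target. Run it elevated; the policy takes effect for newly started PowerShell hosts.</p>

```powershell
# Added example, not from the advisory: enable module, script block and transcription logging via
# the policy keys Windows PowerShell reads, enlarge the two PowerShell event logs, and verify.
# Run elevated. The 1 GB size, transcript path and 30-day check window are assumptions.

$Policy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$Transcripts = 'C:\PSTranscripts'   # assumed path; restrict its ACL so users cannot read or delete transcripts
$MaxBytes    = 1GB                  # assumed size per log; retention is size-bound, so size this for 180 days
$Logs        = @('Microsoft-Windows-PowerShell/Operational', 'Windows PowerShell')

function Set-RegistryDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging: event 4104 records the de-obfuscated content of each block that runs.
    Set-RegistryDword "$Policy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    # Module logging for every module: event 4103 records pipeline execution details.
    Set-RegistryDword "$Policy\ModuleLogging" 'EnableModuleLogging' 1
    $names = "$Policy\ModuleLogging\ModuleNames"
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    # Transcription: full session text written to a directory, with per-command invocation headers.
    Set-RegistryDword "$Policy\Transcription" 'EnableTranscripting' 1
    Set-RegistryDword "$Policy\Transcription" 'EnableInvocationHeader' 1
    if (-not (Test-Path $Transcripts)) { New-Item -ItemType Directory -Path $Transcripts | Out-Null }
    New-ItemProperty -Path "$Policy\Transcription" -Name 'OutputDirectory' -Value $Transcripts -PropertyType String -Force | Out-Null
    # Enlarge both logs so the small defaults do not roll over before your retention target.
    foreach ($log in $Logs) { wevtutil sl "$log" /ms:$MaxBytes }
}

function Test-PowerShellLogging {
    # Returns the current posture; compare against the expected values on a schedule.
    $readDword = { param($Path, $Name) (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }
    $logInfo   = $Logs | ForEach-Object { Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue }
    $since     = (Get-Date).AddDays(-30)
    # Event 104 (System log) is written when a non-Security log is cleared; 1102 (Security log) when Security is cleared.
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ScriptBlockLogging = ((& $readDword "$Policy\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1)
        ModuleLogging      = ((& $readDword "$Policy\ModuleLogging" 'EnableModuleLogging') -eq 1)
        Transcription      = ((& $readDword "$Policy\Transcription" 'EnableTranscripting') -eq 1)
        OperationalEnabled = [bool]($logInfo | Where-Object { $_.LogName -eq $Logs[0] }).IsEnabled
        LogMaxBytes        = (($logInfo | ForEach-Object { "$($_.LogName)=$($_.MaximumSizeInBytes)" }) -join '; ')
        LogsClearedLast30d = $cleared.Count
    }
}

Enable-PowerShellLogging
Test-PowerShellLogging | Format-List
```

<p>In a fleet, Enable-PowerShellLogging is normally replaced by the equivalent Group Policy settings (Computer Configuration, Administrative Templates, Windows Components, Windows PowerShell); Test-PowerShellLogging remains useful either way, since it reads what the host actually has rather than what policy intends, and any non-zero LogsClearedLast30d or a false value where true is expected is an alert condition.</p>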
<ul>
<li>Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges, to reduce the risk of lateral movement by PsExec.</li>
<li>Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts [CPG 4.C].</li>
<li>Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].</li>
<li>Reduce the threat of credential compromise via the following:
<ul>
<li>Place domain admin accounts in the Protected Users group to prevent caching of password hashes locally.</li>
<li>Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process Light for Local Security Authority (LSA).</li>
<li>Refrain from storing plaintext credentials in scripts.</li>
</ul>
</li>
</ul>
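<p>The three credential-compromise items above are each verifiable from a domain-joined host. What follows is an added example written for this page, not code from the advisory: it lists Domain Admins that are not in Protected Users, reports whether Credential Guard is running and whether LSA runs as a protected process (the Server 2012 R2 fallback), and scans a script location for embedded secrets. The ActiveDirectory module (RSAT) is needed for the group check, the session must be elevated for the LSA checks, and the script share path and the regex patterns are assumptions to be tuned for your environment.</p>

```powershell
# Added example, not from the advisory: check the three credential-protection items on a
# domain-joined Windows host. Needs the ActiveDirectory module (RSAT) and an elevated session.
# The script share path and the secret-matching patterns are assumptions for illustration.

function Get-AdminsOutsideProtectedUsers {
    # Domain Admins who are not in Protected Users still have their hashes cached locally.
    Import-Module ActiveDirectory -ErrorAction Stop
    $admins    = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object { $_.objectClass -eq 'user' }
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName
    $admins | Where-Object { $protected -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, DistinguishedName
}

function Get-LsaProtectionStatus {
    # Credential Guard: SecurityServicesRunning contains 1 when it is active (2 would be HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # LSA as Protected Process Light: RunAsPPL = 1 under the Lsa key (effective after a reboot).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        LsaRunAsPPL            = ($lsa.RunAsPPL -eq 1)
    }
}

function Find-PlaintextCredentials([string]$Path) {
    # Heuristic scan of scripts for embedded secrets; the patterns are illustrative, expect to tune them.
    $patterns = @(
        'ConvertTo-SecureString\s+.*-AsPlainText',        # secure string built from a literal
        '(password|passwd|pwd)\s*=\s*["''][^"'']+["'']',  # password = "..." assignments
        '/user:\S+\s+\S+'                                  # net use ... /user:DOMAIN\name <password>
    )
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Line.Trim() } }
}

# Usage; the script share path is a placeholder.
Get-AdminsOutsideProtectedUsers | Format-Table -AutoSize
Get-LsaProtectionStatus | Format-List
Find-PlaintextCredentials -Path '\\fileserver\scripts' | Format-Table -AutoSize
```

<p>Every row from Get-AdminsOutsideProtectedUsers is an account whose NTLM hash and cached logon data would be available to the LSASS-dumping and NTDS.dit access described in the Credential Access section; Find-PlaintextCredentials hits are candidates for a credential vault or a managed service account rather than a rewrite of the regex.</p>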
<ul>
<li>Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.</li>
</ul>
<p>In addition, FBI, CISA, and ACSC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:</p>
<ul>
<li>Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).</li>
<li>Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of a disruption to business operations, as the disruption will be less severe and less data, if any, will be irretrievable [CPG 2.R]. ACSC recommends organizations follow the 3-2-1 backup strategy, in which organizations keep three copies of data (one copy of production data and two backup copies) on two different media, such as disk and tape, with one copy kept off-site for disaster recovery.</li>
<li>Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies:
<ul>
<li>Use longer passwords consisting of at least 15 characters [CPG 2.B].</li>
<li>Store passwords in hashed format using industry-recognized password managers.</li>
<li>Add password user “salts” to shared login credentials.</li>
<li>Avoid reusing passwords [CPG 2.C].</li>
<li>Implement multiple failed login attempt account lockouts [CPG 2.G].</li>
<li>Disable password “hints”.</li>
<li>Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.</li>
<li>Require administrator credentials to install software.</li>
</ul>
</li>
</ul>
<ul>
<li>Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].</li>
<li>Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours from vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].</li>
<li>Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks, restricting further lateral movement [CPG 2.F].</li>
<li>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].</li>
</ul>
<ul>
<li>Install, regularly update, and enable real time detection for antivirus software on all hosts.</li>
<li>Disable unused ports [CPG 2.V].</li>
<li>Consider adding an email banner to emails received from outside your organization [CPG 2.M].</li>
<li>Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].</li>
</ul>
<p>VALIDATE SECURITY CONTROLS</p>
<p>In addition to applying mitigations, FBI, CISA, and ACSC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
<p>To get started:</p>
<ol>
<li>Select an ATT&CK technique described in this advisory (see Table 2).</li>
<li>Align your security technologies against the technique.</li>
<li>Test your technologies against the technique.</li>
<li>Analyze your detection and prevention technologies’ performance.</li>
<li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
<li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
</ol>
<p>FBI, CISA, and ACSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
<p>RESOURCES</p>
<ul>
<li>Stopransomware.gov, a whole-of-government approach with one central location for US ransomware resources and alerts.</li>
<li>cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats.</li>
<li>CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack.</li>
<li>For no-cost cyber hygiene services for US organizations, Cyber Hygiene Services and Ransomware Readiness Assessment.</li>
</ul>
<p>REPORTING</p>
<p>The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with BianLian actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report. Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report at cyber.gov.au.</p>
<p>ACKNOWLEDGEMENTS</p>
<p>Microsoft and Sophos contributed to this advisory.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/3/Joint+Cybersecurity+Advisory+-+5.16.2023.pdf">https://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/3/Joint+Cybersecurity+Advisory+-+5.16.2023.pdf</a></p></div>

Everyone Wants to Steal Your Money
https://redskyalliance.org/xindustry/everyone-wants-to-steal-your-money
Published 2022-06-27T14:43:49.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>It has been reported that cyber criminals are sending out millions of phishing emails a day, using extortion and other schemes to steal Bitcoin and other cryptocurrencies from victims. The phishing attacks use a variety of techniques to trick people into transferring sums of Bitcoin, including phony requests for charity donations and Business Email Compromise (BEC) scams.</p>
<p><em>See: <a href="https://redskyalliance.org/xindustry/what-the-heck-is-bec">https://redskyalliance.org/xindustry/what-the-heck-is-bec</a></em></p>
<p>According to a report by cybersecurity researchers at Proofpoint, the company blocks an average of one million extortion emails every day, with some days peaking at nearly two million. Researchers say most of these phishing emails and BEC attacks are asking the victim to make payments in cryptocurrency. Cybercriminal threats to cryptocurrency are not new, but when the general public experiences growing adoption of cryptocurrency, people may be more likely to engage with social engineering lures using such themes.<a href="#_ftn1">[1]</a></p>
<p>One basic attack reported is the attempt to steal user names and passwords. During 2022, cyber threat investigators have observed regular attempts to compromise users' cryptocurrency wallets using credential harvesting. This method often relies on the delivery of a URL within an email body or formatted object which redirects to a credential harvesting landing page.</p>
<p>Another common method cyber criminals use in attempts to steal cryptocurrency in phishing attacks is extortion. The victim receives an email from a 'hacker' who claims to have gained control of their computer and their online accounts with malware, as well as having access to audio and video recordings of the user, alongside their browsing history. The email attempts to blackmail the victim, claiming the 'hacker' has embarrassing information and video recordings about them, which they will send to all of their email contacts unless they pay $500 in Bitcoin.</p>
<p>It is highly unlikely that there is any malware on the victim's machine: the attacker has just sent out spam emails to as many users as possible. But the shock and fear of seeing that someone claims to have control of their PC is enough to trick some victims into making the payment.</p>
<p>Other phishing attacks around cryptocurrency payments are not so direct, and instead exploit the victim's empathy rather than their fear. Examples include messages that claim to raise funds for worthy causes but serve only to benefit the criminals sending them.</p>
<p>Requests for cryptocurrency payments are also appearing in Business Email Compromise scams: fraud attempts in which cyber criminals pose as a trusted colleague or business partner and ask for a large sum of money to be transferred in order to complete an important and time-sensitive deal. Always verify suspicious payment requests in person or by telephone. The attacks may appear simple, but BEC is one of the most lucrative forms of cybercrime, and cryptocurrency scammers are getting in on the action.</p>
<p>In the example detailed by a researcher, an email sent by an attacker potentially using a legitimate account that belongs to a trusted contact claims that an urgent payment is required to seal a business acquisition deal. The matter is also described as secretive, so the victim is urged not to tell anyone about it. This, of course, is to make sure the victim does not discover it is a scam.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.zdnet.com/article/these-fake-voicemail-phishing-emails-want-to-steal-your-passwords/">https://www.zdnet.com/article/these-fake-voicemail-phishing-emails-want-to-steal-your-passwords/</a></p></div>
<p><strong>Maze Claims to End Its Ransomware and Extortion Operations, Really?</strong> (<a href="https://redskyalliance.org/xindustry/maze-ransomware-extortion">https://redskyalliance.org/xindustry/maze-ransomware-extortion</a>), 2020-11-05, by Jim McKee (<a href="https://redskyalliance.org/members/JimMcKee">https://redskyalliance.org/members/JimMcKee</a>)</p>
<div><p>The Maze cybercrime gang, which revolutionized the ransomware business by adding an extortion element to each attack, has issued a statement saying it has hung up its spikes and will retire, at least temporarily. Can you believe anything a ransomware group says? Maze posted a "retirement" notice to its darknet site on Nov. 1 saying: "This project is now closed." The word "project" appears to be a reference to the ransomware gang stating in the note that its attacks were intended to teach its victims the danger of having poor security practices. The gang also denied it was ever the center of a larger group. The note ended with the group saying it would be back. So, why the retirement announcement? It sounds more like a “vacation” than a retirement.</p>
<p>The consensus from cybersecurity executives is that Maze has closed up shop with activity on its site having decreased and no new attacks recently spotted. But it is noted that cybercriminals are not honest individuals, meaning any halt may be brief. "Ransom actors are professional liars and scammers; to believe anything they say is a mistake. Maze as we know it might be shutting down, but the actors behind it feel like they've got some kind of 'holy mission' to expose the weaknesses of corporate networks, for-profit, so I doubt we'll see them gone forever," says Adam Kujawa, director of Malwarebytes Labs.</p>
<p>Jamie Hart, a cyber threat intelligence analyst at Digital Shadows, notes that while the group did clean up its data leak site Maze News during October 2020 by posting the full dumps for victims, the gang has not encrypted any new victims during the past 30 days or so. The announcement, however, did leave the door open for its return. "The press release stated that the group would be back, so the Maze threat is likely not finished," Hart says.</p>
<p>Even if Maze has decided to cease operating, the move will have no real impact on the threat landscape, Brett Callow, a threat analyst with Emsisoft says. "Their affiliates will join other groups or simply start their own operations. Unfortunately, ransomware is far too profitable for the retirement of any one group to have any significant effect," Callow says.</p>
<p>The group likely decided to halt its operations because of the amount of attention it has been receiving, especially since its antics, such as creating data leak sites for their victims, have influenced the operations of ransomware groups across the world, Kujawa says.</p>
<p>After claiming that it had taken more than $2 billion from victims over the course of a year, on May 31, 2019, the operators behind the GandCrab ransomware posted they would be ending their campaign. Unlike Maze, however, GandCrab operated as a ransomware-as-a-service, taking a 40% cut of any money collected, and the group publicly released the encryption keys used, enabling some victims to regain access to their devices.</p>
<p>Hart notes that Maze has not followed suit, and it is unknown if it will release its keys to remaining victims. "Security researchers reached out to the Maze Group to ask if the decryption keys would be made available but have not received a response. The Maze group stated they would be available for support for the next month for organizations that want to be deleted from the website, so it is unlikely that the decryption keys will be released for the next month, at least," Hart says.</p>
<p>Peter Mackenzie, incident response manager with Sophos Rapid Response, tells Information Security Media Group that Maze may be going down the same road as GandCrab when it announced its departure, only to reappear as REvil, aka Sodinokibi, ransomware.</p>
<p>"The announcement by the Maze operators that they are ceasing operations after just over a year of activity is probably not as significant as it might appear," Mackenzie says. "In June 2019, the operators behind GandCrab announced their retirement, and all its affiliates moved to REvil; now the Maze affiliates are moving across to a new group, Egregor, which according to public reports has access to Maze tools and infrastructure. They may even share some of the same operators."</p>
<p>Maze may have tried to get out ahead of this possibility by publicly stating it worked alone, and that any notion of the group being at the center of a larger organization was a figment of people's imaginations. "The Maze cartel was never existed [sic] and is not existing now. It can be found only inside the heads of the journalists who wrote about it," the group writes.</p>
<p>The gang covered a wide range of issues in its note, spending some time trying to rationalize why it launched ransomware attacks and then attempted to extort money from those victims that refused to pay by revealing the stolen data online. Maze's main excuse is the attacks were instructional, teaching companies that they need to secure the data with which they are entrusted.<a href="#_ftn1">[1]</a></p>
<p>"If you are taking the responsibility for other people [sic] money and personal data then try to keep it secure. Until you do that [sic] there will be more projects like Maze to remind you about secure data storage," Maze states in its note. "The group behind Maze are either trolling folks or delusional. This group claims that it's helping the world by bringing attention to vulnerable corporate networks. If that was their actual goal, the next step would be to inform them, not demand thousands of dollars in return for files," Kujawa says.</p>
<p>The Maze note says the organization's "customer service" department will continue to operate for another month. The message also contained a somewhat rambling section where Maze essentially denounced technology and how it is negatively impacting the human race. "All your technologies are a symbol of your helplessness. Once going to a wheelchair a man will not be able to walk again. And once trusting your mind to a technology you won't be able to recover your consciousness. By delegation the part of your conscious activity to machines you won't be able to watch at the reality with the clear eye," it says.</p>
<p>Maze warned of a digital dystopian world that will be created through the use of digital currency that will eventually allow just a few people to run, and then ruin, this new world. "We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze," the group wrote.</p>
<p>Maze started life as a variant of ChaCha ransomware and was first uncovered by Jerome Segura, Malwarebytes' senior threat analyst, in May 2019. The primary differentiator for Maze was its decision to fight back against victims who could shrug off a ransomware attack by restoring from backups: it added a data exfiltration step to the attack, so that stolen data could be leaked even when encryption alone gave the gang no leverage. Some of Maze's better-known victims were Canon, the City of Pensacola, and the computer chipmaker MaxLinear.</p>
<p>Is that it? Actually, no. Having tools and services that look into the deep/dark web is essential to a well-rounded cyber protection plan. The installation, updating, and monitoring of firewalls, cybersecurity controls, and proper employee training are keys to blocking attacks, but utilizing the RedXray and CTAC collection and analysis tools by Red Sky Alliance will ensure a proactive approach to cybersecurity. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: </p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/maze-claims-to-end-its-ransomware-extortion-operations-a-15291">https://www.bankinfosecurity.com/maze-claims-to-end-its-ransomware-extortion-operations-a-15291</a></p></div>
<p><strong>THREAT ASSESSMENT – BOMB THREAT EMAILS, Global Guardian</strong> (<a href="https://redskyalliance.org/xindustry/threat-assessment-bomb-threat-emails-global-guardian">https://redskyalliance.org/xindustry/threat-assessment-bomb-threat-emails-global-guardian</a>), 2018-12-15, by Bill Schenkelberg (<a href="https://redskyalliance.org/members/BillSchenkelberg">https://redskyalliance.org/members/BillSchenkelberg</a>)</p>
<div><p>Below is the Executive Summary regarding the recent email bomb threats sent internationally. Our good friends from Global Guardian shared their threat assessment for situational awareness.</p>
<p><strong>Summary</strong> - On 13 December 2018, hundreds of businesses, law enforcement agencies and public services across the United States and Canada received email threats in the early afternoon demanding a bitcoin payment of $20,000, prompting evacuations and building sweeps and overloading police call centers. What’s more, the bomb threats sowed panic across the continent and undoubtedly defrauded thousands. Global Guardian concurs with many police departments’ assessment that the threats were not predicated on credible evidence — no explosive devices have been found or are likely to be found in the coming hours.</p>
<p>The scale of this mass bomb threat implies that:<br />
(a) The perpetrators commanded serious resources, indicating possible state actors<br />
(b) The motivation was disruption (and possibly showcase capability), rather than monetary gain</p>
<p>Risk Probabilities:</p>
<ul>
<li>Materialization of bomb threat – <strong>LOW</strong></li>
<li>Copycat incidents – <strong>MEDIUM</strong></li>
</ul>
<p>We deeply appreciate the support and assistance from Global Guardian.  Their full Threat Assessment is linked below:</p>
<p><strong><a href="https://storage.ning.com/topology/rest/1.0/file/get/371960715?profile=original" target="_blank" rel="noopener">Global Guardian - Bomb Threat Emails Threat Assessment - 13 December 2018.pdf</a></strong></p>
</div>
<p><strong>Hackers Use Stolen Passwords in Fake Sextortion Claims</strong> (<a href="https://redskyalliance.org/xindustry/hackers-use-stolen-passwords-in-fake-sextortion-claims">https://redskyalliance.org/xindustry/hackers-use-stolen-passwords-in-fake-sextortion-claims</a>), 2018-10-30, by Bill Schenkelberg (<a href="https://redskyalliance.org/members/BillSchenkelberg">https://redskyalliance.org/members/BillSchenkelberg</a>)</p>
<div><p>Red Sky Alliance (RSAC) members have reported seeing and/or receiving fake sextortion scams. These scam emails typically quote an old password that the recipient once used. The emails are an attempt to extort money, claiming the sender has compromising information showing that the recipient visited pornographic sites. The sender claims to have compromising video recordings of the recipient and alleges to hold additional “stolen secrets” of a sexual nature. An RSAC member in the telecommunications industry reported intercepting dozens of fake sextortion emails a day since the middle of October 2018. Below is an example of a sextortion scam identical to the one received by an RSAC member.</p><p><a href="https://storage.ning.com/topology/rest/1.0/file/get/131171218?profile=RESIZE_930x" target="_blank" rel="noopener"><img class="align-full" src="https://storage.ning.com/topology/rest/1.0/file/get/131171218?profile=RESIZE_710x" width="472" height="232"/></a>Figure 1. Ransom note received in the video</p><p>In a researched YouTube video titled “Scam hacking email—international hacker group—Your Secret Life,” cyber researcher Craig Tester receives a spoofed email that appears to have been sent from his own address to himself. The sender purports to have hacked an account belonging to the target (user), claims to know the account’s password and includes that password in the email. The email claims to have infected the target’s computer with a virus obtained via an adult website. It additionally alleges to know secrets about the target and claims to have recorded the target, and their activity on pornography websites, through the target’s webcam. The email threatens that these actions and secrets will be released to the target’s family, friends and intimate partner unless a ransom is paid. The email demands $800 worth of Bitcoin. Analysts discovered that a total of 16 targets have paid the $800 Bitcoin ransom as of 26 October 2018.<a rel="nofollow" href="#_ftn1" name="_ftnref1" id="_ftnref1">[1]</a></p><p><a href="https://storage.ning.com/topology/rest/1.0/file/get/131171244?profile=RESIZE_930x" target="_blank" rel="noopener"><img class="align-full" src="https://storage.ning.com/topology/rest/1.0/file/get/131171244?profile=RESIZE_710x" width="360" height="242"/></a>Figure 2. Example of Bitcoin wallets, September 2018</p><p>In another researched example, the CEO of a small company received a similar sextortion email containing his outdated password. The CEO was instructed to move $4,000 to 137XQHKy9v83RU91eexWHA1v4AVS5Fnc7g, which is a Bitcoin wallet address. In this case, the Bitcoin address was possibly unique to the recipient, and no payments had been sent to it.</p><p>Typically, in these recent sextortion scams, the hackers reuse passwords stolen in earlier breaches of various website databases. In reality, the hackers have had no access to the target’s computer. The email is intended to trick users into paying by pretending to be a real hack, and the hackers use basic social engineering techniques to try to make the scheme look credible. These sextortion scams come in a variety of forms, some more successful than others.<a rel="nofollow" href="#_ftn2" name="_ftnref2" id="_ftnref2">[2]</a></p><p><strong>Mitigation</strong></p><p>If you receive a sextortion email, the easiest and best way to protect yourself from being victimized is not to engage the sender and simply to ignore the message. If the email appears to have been sent from your own address to yourself, that is a strong sign that it is spam; ignore this type of email. To protect yourself and your accounts, it is recommended that you change your passwords regularly. The passwords used in these scams are typically older passwords that were released in past database leaks. If the scammer has actual pictures and/or recordings of you, contact law enforcement authorities. No one should pay any requested ransom or send any additional information or personal pictures to the scammer.</p><p>Contact Wapack Labs for more information: 603-606-1246, or <u><a rel="nofollow" href="mailto:feedback@wapacklabs.com?subject=Feedback:%20Electorate%20trolling">feedback@wapacklabs.com</a></u>.</p><p><a rel="nofollow" href="#_ftnref1" name="_ftn1" id="_ftn1">[1]</a> blockchain.com/btc/address/14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w</p><p><a rel="nofollow" href="#_ftnref2" name="_ftn2" id="_ftn2">[2]</a> https://blog.malwarebytes.com/101/2018/10/sextortion-emails-theyre-probably-not-watching/</p></div>
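<p>The indicators described in this post and in the extortion-email post above (a message spoofed so the recipient appears as both sender and recipient, a quoted leaked password, a Bitcoin address alongside a dollar demand, and a threat to send webcam recordings to the victim's contacts) can be checked automatically at a mail gateway or in a SOC triage script. The following Python script is an added example and is not Red Sky Alliance or Wapack Labs code; the two sample messages, the Bitcoin address in them, and the threshold of three indicators are constructed or assumed for the example.</p>

```python
"""Heuristic triage for extortion and sextortion spam.

Added example, not Red Sky Alliance / Wapack Labs code. It scores a raw
email on the indicators the posts describe: the message is spoofed so the
victim appears as both sender and recipient, it quotes a (leaked)
password, it names a Bitcoin address together with a dollar amount, and
it threatens to release webcam recordings to the victim's contacts. The
sample messages, the address in them and the threshold of three
indicators are constructed/assumed for this example.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Loose patterns for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses;
# good enough for triage, not for validating a real address.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b"
)
PASSWORD_CLAIM_RE = re.compile(r"\byour password (?:is|was)\b", re.IGNORECASE)
DOLLAR_AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*")
THREAT_TERMS = ("webcam", "recording", "video of you", "contacts", "family", "friends")
PAYMENT_TERMS = ("bitcoin", "btc", "wallet")
SPAM_THRESHOLD = 3  # assumed: three or more indicators is treated as extortion spam


def _plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return the indicators found in one raw RFC 822 message and a verdict."""
    msg = email.message_from_string(raw)
    body = _plain_text(msg)
    lowered = body.lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    indicators = {
        # From: equals To:, i.e. the mail pretends to come from the victim's own account
        "self_spoofed": bool(sender) and sender == recipient,
        "password_claim": PASSWORD_CLAIM_RE.search(body) is not None,
        "btc_address": BTC_ADDRESS_RE.search(body) is not None,
        # A crypto payment term together with a dollar figure ("$800 in Bitcoin")
        "crypto_demand": any(t in lowered for t in PAYMENT_TERMS)
        and DOLLAR_AMOUNT_RE.search(body) is not None,
        # At least two of the recording / exposure terms
        "exposure_threat": sum(t in lowered for t in THREAT_TERMS) >= 2,
    }
    score = sum(indicators.values())
    return {
        "score": score,
        "indicators": indicators,
        "verdict": "extortion_spam" if score >= SPAM_THRESHOLD else "clean",
        # Worth recording: a reused address links one campaign across many victims
        "btc_addresses": BTC_ADDRESS_RE.findall(body),
    }


# Constructed sample messages (not real mail); the Bitcoin address is a fake placeholder.
SEXTORTION_SAMPLE = """From: victim@example.com
To: victim@example.com
Subject: victim - your account is hacked
Content-Type: text/plain; charset=utf-8

I know your password is hunter2. I put malware on an adult site and
recorded you through your webcam. I have a video of you and your
contacts list. Send $800 in Bitcoin to 1DemoAddrForTestingPurposesXYZ
within 24 hours or the recording goes to your family and friends.
"""

LEGIT_SAMPLE = """From: alice@example.com
To: bob@example.com
Subject: Invoice for March
Content-Type: text/plain; charset=utf-8

Hi Bob, the $1,200 invoice for the March work is attached. Thanks, Alice
"""

if __name__ == "__main__":
    for name, raw in (("sextortion", SEXTORTION_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = score_message(raw)
        print(name, result["verdict"], result["score"], result["btc_addresses"])
```

<p>The self-spoof check only compares the visible From: and To: headers, which is exactly the sign the mitigation section describes; a gateway that already enforces SPF/DKIM/DMARC will usually reject such mail before this script sees it. The extracted Bitcoin addresses are the most useful artefact to keep, since the same address reappearing across several recipients ties the messages to one campaign.</p>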