uae - X-Industry - Red Sky Alliance
2024-03-28T10:14:28Z
https://redskyalliance.org/xindustry/feed/tag/uae

US & UAE Cyber Agreement
https://redskyalliance.org/xindustry/us-uae-cyber-agreement
2023-10-19T16:10:00.000Z
Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg
<div><p>The United States and United Arab Emirates (UAE) have finalized an agreement that sets out how the two countries will cooperate on cybersecurity and digital resilience. The memorandum of understanding signed by the Treasury Department and the UAE’s Cyber Security Council calls for increased information sharing about digital threats to the financial sector; more staff training and visits; and “competency-building activities” like joint online exercises, according to the Treasury.<a href="#_ftn1">[1]</a></p>
<p>“As cyber-attacks and ransomware attacks become more complex, close cooperation is essential to prevent these attacks from impacting the international financial system,” Wally Adeyemo, deputy Treasury secretary, said in a statement.<a href="#_ftn2">[2]</a></p>
<p>“We are pleased to have the government of the United Arab Emirates as partners in our global effort to combat these threats and look forward to expanding our partnership,” added Adeyemo, who visited the UAE in 2021 as part of an effort to boost digital cooperation between the two countries.</p>
<p>The agreement with the UAE comes as the White House prepares to host its annual International Counter Ransomware Initiative (CRI) summit on 31 October 2023.</p>
<p>It was first reported last month that the Biden administration is expected to urge participating governments to issue a joint statement announcing that they will not pay ransoms to cybercriminals.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/treasury-deal-with-uae-cybersecurity">https://therecord.media/treasury-deal-with-uae-cybersecurity</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://home.treasury.gov/news/press-releases/jy1808">https://home.treasury.gov/news/press-releases/jy1808</a></p></div>

Ballistic BobCat & A New Backdoor
https://redskyalliance.org/xindustry/ballistic-bobcat-a-new-backdoor
2023-09-21T12:00:00.000Z
Jim McKee, https://redskyalliance.org/members/JimMcKee
<div><p>The Iranian threat actor Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the UAE using a previously undocumented backdoor named Sponsor. Cybersecurity investigators are tracking the cluster under the name <u>Ballistic Bobcat</u>. Victimology patterns suggest that the group primarily singles out education, government, healthcare organizations, human rights activists, and journalists. At least 34 victims of Sponsor have been detected to date, with the earliest instances of deployment dating back to September 2021.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/charming-kitten-s-new-malware">https://redskyalliance.org/xindustry/charming-kitten-s-new-malware</a></p>
<p>The Sponsor backdoor uses configuration files stored on disk. Batch files discreetly deploy these files and are deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines. The Sponsoring Access campaign obtains initial access by opportunistically exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers and then conducts post-compromise actions, echoing an advisory issued by Australia, the UK, and the US in November 2021.</p>
<p>In one incident, an unidentified Israeli company operating an insurance marketplace is said to have been infiltrated by the adversary in August 2021 to deliver next-stage payloads such as PowerLess, Plink, and a Go-based open-source post-exploitation toolkit called Merlin over the next couple of months. The Merlin agent executed a Meterpreter reverse shell that called back to a new [command-and-control] server. On 12 December 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor.</p>
<p>Written in C++, Sponsor is designed to gather host information and process instructions received from a remote server, the results of which are sent back to the server. This includes command and file execution, file download, and updating the list of attacker-controlled servers.</p>
<p>Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a> <br /> Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/09/charming-kitens-new-backdoor-sponsor.html">https://thehackernews.com/2023/09/charming-kitens-new-backdoor-sponsor.html</a></p>
</div>

Lazarus Group has New Tricksters
https://redskyalliance.org/xindustry/lazarus-group-has-new-tricksters
2022-12-31T14:10:00.000Z
Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg
<div><p>North Korea’s BlueNoroff hackers have updated their strategies and delivery techniques in a new wave of attacks targeting banks and venture capital firms, according to cyber threat investigators. Part of Lazarus, a hacking group linked to the North Korean government, BlueNoroff is financially motivated and has been blamed for numerous cyber-attacks targeting banks, cryptocurrency firms, and other financial institutions.</p>
<p>The campaign by BlueNoroff has been in operation at least since 2017. It uses advanced phishing and social engineering techniques in order to abuse trust within companies. As such, threat actors study and analyze behaviors and interactions of employees to detect topics of interest.<a href="#_ftn1">[1]</a></p>
<p>After collecting the necessary data on the victims, they send what appears to be a relevant and trustworthy email from one colleague to another, sharing a document or asking the recipient to review or answer questions about its contents. By including the logo of the third-party service SendGrid, which offers user-tracking capabilities, the attacker knows exactly when the victim opens the email.</p>
<p>Alternatively, after hacking into an existing company, threat actors use its pathways such as email and social media to contact other firms and distribute weaponized documents in the form of investment contracts and similar files. Malicious actors then exploit the CVE-2017-0199 vulnerability in Microsoft Word.</p>
<p>Following several months of silence, the group has resumed its activities this fall with renewed attacks that leverage new malware, and updated delivery techniques that include new file types and a method of bypassing Microsoft’s Mark-of-the-Web (MotW) protections. Specifically, the hackers are distributing optical disk image (.iso) and virtual hard disk (.vhd) files containing decoy Office documents, which allows them to avoid the MotW warning that Windows typically displays when a user attempts to open a document downloaded from the internet. Relying on phishing, BlueNoroff is attempting to infect target organizations to intercept cryptocurrency transfers and drain accounts.</p>
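The container trick described above works because Windows mounts an .iso or .vhd as a new volume, so the Office document inside never receives the Zone.Identifier stream that the downloaded image itself carries. The following Python script is an added example and is not code from the Red Sky Alliance post or its sources: it runs a simple detection over file-event telemetry, flagging internet-zone disk-image downloads and Office documents opened out of such an image without Mark-of-the-Web. The log format, field names, user names and paths are constructed for the example, and the <code>parent</code> field assumes telemetry that records which container a file was opened from.

```python
"""Added example, not code from the Red Sky Alliance post or its sources.

Flags file events where Mark-of-the-Web (MotW) protection is lost because an
Office document was delivered inside a disk-image container (.iso/.vhd).
The log format, field names, user names and paths are constructed for this
example; the `parent` field assumes telemetry that records which container a
file was opened from.
"""
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Zone.Identifier ZoneId values: 3 = Internet zone, the value that triggers
# the MotW warning and Office Protected View.
ZONE_INTERNET = 3

# Disk-image formats: Windows mounts them as a new volume, and files inside
# inherit no Zone.Identifier stream from the downloaded image.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
OFFICE_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf"}

# Constructed line format: "<ts> user=<u> path=<p> zone=<id|none> parent=<container|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"zone=(?P<zone>\S+) parent=(?P<parent>\S+)$"
)


class FileEvent(NamedTuple):
    ts: str
    user: str
    path: str
    zone_id: Optional[int]   # ZoneId from the Zone.Identifier ADS, None if absent
    parent: Optional[str]    # container the file was opened from, None if direct


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    zone = None if m["zone"] == "none" else int(m["zone"])
    parent = None if m["parent"] == "-" else m["parent"]
    return FileEvent(m["ts"], m["user"], m["path"], zone, parent)


def _ext(path: str) -> str:
    # ntpath handles Windows-style paths on any host OS.
    return ntpath.splitext(path)[1].lower()


def classify(ev: FileEvent) -> Optional[str]:
    """Return an alert name for MotW-relevant events, or None when benign."""
    ext = _ext(ev.path)
    if ext in CONTAINER_EXTS and ev.zone_id == ZONE_INTERNET:
        # The image itself carries MotW, but nothing inside it will.
        return "container-from-internet"
    if (ext in OFFICE_EXTS and ev.zone_id is None
            and ev.parent is not None and _ext(ev.parent) in CONTAINER_EXTS):
        # Office file opened out of a mounted image: no MotW, no Protected View.
        return "office-doc-without-motw-from-container"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, path, alert) for every line that raises an alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = classify(ev)
        if alert:
            alerts.append((ev.user, ev.path, alert))
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_LOG = r"""
2022-09-14T09:12:03Z user=alice path=C:\Users\alice\Downloads\contract.docx zone=3 parent=-
2022-09-14T09:15:41Z user=bob path=C:\Users\bob\Downloads\investment_terms.iso zone=3 parent=-
2022-09-14T09:16:02Z user=bob path=E:\investment_terms.docx zone=none parent=C:\Users\bob\Downloads\investment_terms.iso
2022-09-14T09:20:11Z user=carol path=C:\Users\carol\Documents\notes.docx zone=none parent=-
""".strip().splitlines()

if __name__ == "__main__":
    for user, path, alert in scan(SAMPLE_LOG):
        print(f"{alert:45} {user:6} {path}")
```

On the sample data, alice's document keeps its internet-zone MotW and opens in Protected View, so it is not flagged; bob's image download and the document he opens from the mounted volume both raise alerts; carol's locally created file has no Zone.Identifier but also no container lineage, so it is left alone. The second rule is the one that matters: a missing Zone.Identifier on its own is common and noisy, while a missing Zone.Identifier on a document that came out of a freshly downloaded disk image is exactly the condition this delivery technique creates.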
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-targeting-cryptocurrency">https://redskyalliance.org/xindustry/lazarus-targeting-cryptocurrency</a></p>
<p>As part of the new campaign, the hacking group has registered an estimated seventy (70) fake domains mimicking well-known banks and venture capital firms, with a focus on Japanese firms. Organizations in the UAE, the US, and Vietnam are also targeted. These domains have been used for phishing attacks aimed at startup employees. The group also ‘adopted new techniques to convey the final payload’, including the use of Visual Basic Script and Windows Batch scripts, and the introduction of a new downloader to fetch the next-stage payload.</p>
<p>In September 2022, a victim in the UAE was targeted with a malicious Office document designed to connect to a remote server and download a payload named ieinstal.exe, which helped bypass User Account Control (UAC) protections. After the infection, the threat actor used the backdoor for hands-on-keyboard activities such as fingerprinting and the installation of additional malware with high privileges.</p>
<p>In another attack, the group was observed using a downloader that checks the system for antivirus programs from Avast, Avira, Bitdefender, Kaspersky, Microsoft, Sophos, and Trend Micro in order to disable them. BlueNoroff was also observed abusing Living-off-the-Land binaries (LOLBins) and using various scripts to display a decoy document and fetch the next-stage payload, as well as using a new Windows executable downloader that creates a fake password file and downloads a payload.</p>
<p>As part of the campaign, the hackers also used fake domains for hosting malicious documents and payloads, and fake domains imitating legitimate financial and investment companies, most of which are Japanese organizations. Lately, the group also targeted cryptocurrency-related businesses. This threat actor has introduced slight modifications to deliver their malware. This also suggests that attacks by this group are unlikely to decrease in the near future.</p>
<p>Organizations are advised to train their employees on phishing, perform a network audit to identify vulnerabilities and weaknesses, and deploy and maintain security solutions that offer endpoint protection and threat detection and response capabilities.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/north-korean-hackers-created-70-fake-bank-venture-capital-firm-domains">https://www.securityweek.com/north-korean-hackers-created-70-fake-bank-venture-capital-firm-domains</a></p></div>

Who can you Trust anymore?
https://redskyalliance.org/xindustry/who-can-you-trust-anymore
2021-09-20T19:29:08.000Z
Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg
<div><p>What if three disgruntled employees left your organization and took top secret information to a competing company? What repercussions would follow, and how would it impact your business? In many cases, there would be a lawsuit. In this case, there was a federal prosecution and a cybersecurity threat.</p>
<p>The US Department of Justice (DOJ) released a shocking statement on 16 September 2021, which explains the scenario at the federal level. Three men, who formerly worked for the US intelligence community and military, offered hacking services to a company based in the United Arab Emirates (UAE).</p>
<p>Information provided was highly sensitive, and the release paints a picture of three "hackers-for-hire" conspiring to offer their insights to another country. The employees apparently decided to pursue their illegal activities for a significant pay raise. Prosecutors say, "despite being informed on several occasions" that the defendants' work required a license to be issued, they pressed on anyway.</p>
<p>An Acting Assistant Attorney General describes the case where insiders left to become criminal hackers: "This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States.</p>
<p>Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct." The three men provided direction to the foreign companies, teaching hacking techniques, some of which could be used to attack the US.</p>
<p>Most unsophisticated cyberattacks rely on a click factor, where targets must click on something to initiate the attack. However, there have been a rising number of stories about "zero-click" exploits in use. SecureWorld News reported on the patch Apple released for an attack of this kind that targeted iPhones.</p>
<p>The DOJ says the defendants created this type of "zero-click" technology for the company located in the UAE. While the UAE company was not named in the court documents, Law360 found evidence that the company in question may be the DarkMatter Group. "These services included the provision of support, direction, and supervision in the creation of sophisticated 'zero-click' computer hacking and intelligence gathering systems—i.e., one that could compromise a device without any action by the target.</p>
<p>The UAE employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by US companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States."</p>
<p>The hackers used their clearance and access to private information from US agencies to attack targets, including some in the United States.<a href="#_ftn1">[1]</a></p>
<p>The three men charged in this hacker-for-hire case agreed to repay more than $1.68 million in lieu of prison time. An Assistant Director of the FBI’s Cyber Division condemned the crimes and warned others in similar roles about moving forward with illegal actions like these. "This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company—there is a risk, and there will be consequences," the FBI said.</p>
<p>Some commenters online believed the punishment was too lenient and questioned whether or not this would hinder insider threats like this in the future. "The only 'message' the @FBI and @TheJustice Dept sends with this is: 'If you charge enough for your services, you can get off with a simple fine if we catch you.'"</p>
<p>Malicious actors are malicious actors, but some don't leave your company or organization; they attack from within it. Sometimes by accident.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.secureworld.io/industry-news/us-intelligence-insider-threats">https://www.secureworld.io/industry-news/us-intelligence-insider-threats</a></p></div>