vice society - X-Industry - Red Sky Alliance 2024-03-28T14:50:37Z https://redskyalliance.org/xindustry/feed/tag/vice+society Vice Society & BART https://redskyalliance.org/xindustry/vice-society-bart 2023-01-10T17:10:00.000Z 2023-01-10T17:10:00.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg<div><p>We are only 10 days into 2023 and already ransomware attacks continue to escalate. San Francisco’s Bay Area Rapid Transit (BART) is investigating an alleged ransomware attack after the Vice Society ransomware gang claimed to have attacked the agency. BART, which is the fifth-busiest heavy rail rapid transit system in the US, was listed on the group’s leak site on Friday. The chief communications officer for BART reported that they are investigating the data that was stolen and posted by the group. “To be clear, no BART services or internal business systems have been impacted,” she said. “As with other government agencies, we are taking all necessary precautions to respond.” Whenever I hear the saying “to be clear,” it is always a defensive statement that something is possibly worse than what is being presented.<a href="#_ftn1">[1]</a></p>
<p>Vice Society has listed Bay Area Rapid Transit #BART #Ransomware pic.twitter.com/Wn58CBSdtM — Brett Callow (@BrettCallow) 6 January 2023</p>
<p>The rail industry has seen its fair share of cyberattacks in recent years. In April 2021, New York City’s Metropolitan Transportation Authority, one of the largest transportation systems in the world, was hacked by a group based in China.</p>
<p>While the attack did not cause any damage and no riders were put at risk, city officials raised alarms in a report because the attackers could have reached critical systems and may have left backdoors inside its networks. The same month, the Santa Clarita Valley Transportation Authority was hit with a ransomware attack. In 2020, the Southeastern Pennsylvania Transportation Authority also experienced a ransomware attack.</p>
<p>Just last week, one of the world’s largest rail and locomotive companies announced a data breach that involved troves of employee information following an alleged ransomware attack last summer. Wabtec, which has about 25,000 employees and operates in 50 countries, began sending out breach notification letters on 30 December 2022 letting people know that data was stolen from their systems during a cyberattack they discovered last June.<a href="#_ftn2">[2]</a></p>
<p>The US Homeland Security Secretary announced new cybersecurity regulations last year for US railroad operators, requiring them to disclose any hacks, create cyberattack recovery programs and name a chief cyber official. Those regulations expired in December 2022.</p>
<p>The Vice Society ransomware gang has drawn international headlines with attacks on colleges and K-12 schools, including the second largest public school district in the US and several in the UK.</p>
<p>The FBI, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and other agencies noted in an alert in September 2022 that Vice Society has “disproportionately” attacked dozens of educational institutions over the last year and stepped up its level of attacks in the fall of 2022.</p>
<p>But the group also “continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout,” according to a Microsoft report released in October.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/san-francisco-bart-investigating-ransomware-attack/">https://therecord.media/san-francisco-bart-investigating-ransomware-attack/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://therecord.media/billion-dollar-rail-firm-confirms-data-breach-after-suspected-ransomware-attack/">https://therecord.media/billion-dollar-rail-firm-confirms-data-breach-after-suspected-ransomware-attack/</a></p></div>Attacks "With Love" https://redskyalliance.org/xindustry/attacks-with-love 2022-10-24T13:50:12.000Z 2022-10-24T13:50:12.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg<div><p>Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021, has alleged ties to Russia, and attacks “With Love.” Vice Society has crossed the line of what many hackers said was off limits: education and health care systems and facilities. This past September, a ransomware attack on the Los Angeles Unified School District crippled its digital operations across a system that includes more than 1,000 schools and serves roughly 600,000 students. Two weeks after the initial attack, as the district worked to recover and restore its systems, the hackers said that they would leak the 500 gigabytes of data they claimed to have stolen from LAUSD if the school system did not pay a ransom.</p>
<p>After the school system refused to pay, the hackers released the trove of data, which contained sensitive data of students who had attended LAUSD between 2013 and 2016, including their Social Security numbers, financial and tax information, health details, and even legal records. And as LAUSD set up a hotline for worried families and scrambled to deal with the fallout, the hacking group behind the attack moved on, seemingly without making any money off the incident.<a href="#_ftn1">[1]</a></p>
<p>The apparently Russian-speaking group is a prolific ransomware actor that has hit an array of educational institutions. But in addition to focusing on schools, Vice Society is notorious for targeting health care facilities and hospitals, a sector plagued by recent ransomware attacks, but one that some hacking groups pledged not to target at the height of the Covid-19 pandemic. Amidst a nonetheless brutal wave of North American hospital ransomware attacks in 2020, though, Vice Society's activity has been just unremarkable enough to keep the group out of the spotlight. “We would probably think of them as a second- or maybe third-tier group overall, compared to big names like LockBit, Hive, and Black Cat,” says Recorded Future, which specializes in ransomware. “But the bulk of their victims are either in the education or health care sectors, and their attacks make up a significant chunk of the total known attacks in those categories for 2021 and 2022 so far. They loom large in those two sectors.”</p>
<p>Vice Society is, in many ways, an unremarkable ransomware gang. The group relies on exploiting known vulnerabilities like PrintNightmare to gain access to victims' systems and may sometimes buy a foot in the door from criminal actors known as “initial access” brokers. Once inside a network, Vice Society uses automated scripts and takes advantage of an organization's own network management tools to conduct standard reconnaissance and exfiltrate data. Then the group deploys prepackaged ransomware.</p>
<p>Shortly after the LAUSD attack, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published an alert about Vice Society, noting that the group is “disproportionately targeting the education sector with ransomware attacks.” The agencies added that “Vice Society is an intrusion, exfiltration, and extortion hacking group … [The] actors do not use a ransomware variant of unique origin.”</p>
<p>In addition to its technically unremarkable attacks, Vice Society has also hit targets around the world, spreading its victims between North America, South America, and Europe.</p>
<p>Throughout 2021, Vice Society's health care targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Centre Hospitalier D'Arles in France, United Health Centers in California, and a dental company in Brazil. The group also attacked New Zealand's Waikato District Health Board that summer, which, among other impacts, resulted in the cancellation of two Air New Zealand flights; the airline could not obtain proof of negative Covid-19 tests for crew members because the health department's digital systems were down.</p>
<p>Vice Society also targeted schools and universities in 2021 and seems to have favored this sector more and more as the US and other countries devote more resources to ransomware enforcement and hone mitigation techniques. In the wake of high-profile 2021 attacks, like the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure takedowns, indictments, and even rare Russian arrests for their brazen crimes.</p>
<p>Vice Society may view education as a quieter and less well-funded category where it can fly under the radar. For example, the group hit the Austrian Medical University of Innsbruck in June and Linn-Mar Community School District in Iowa at the beginning of August, neither of which many people would flag as major, obvious targets. The Bluets maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has not taken credit so far for the hack.</p>
<p>“They’re a perfect example of the success of mediocrity in the ransomware ecosystem,” says security firm Tenable, which has studied Vice Society's tactics and organization. “You have the top-tier groups developing their own zero days and acting all polished and professional. But meanwhile, Vice Society is just chugging along, not really innovating, stealing tools from other folks, but they have just enough stability to launch attacks, get paid, keep moving.”</p>
<p>Researchers view the group's attack on the Los Angeles Unified School District as significant because LAUSD is a major target, and it made more of a splash than most of Vice Society's other hacks. Tenable notes that the group may not have understood the scale and prominence of the school district it was taking on or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment and scrutiny that came from the incident may have warned the group off of such visible attacks. “They're focusing on not necessarily big targets. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don't necessarily break into the mainstream,” Recorded Future said. “You may not want to be Conti and take down a whole country’s health care system, because if you do, you’re going to draw the ire of these countries.”</p>
<p>Tenable explains that by focusing on lesser-known schools, Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don't make mid-tier ransomware groups a higher priority. “Vice Society has taken the approach of knowing that the education sector isn’t doing great emotionally or financially,” says Tenable. “Schools are under so much pressure after being closed on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group's success makes them sustainable, but they're still kind of written off. So, they're not getting raided or arrested that we’ve seen so far. They're a really good example of what we as an industry are not paying enough attention to.”</p>
<p>See: <a href="https://redskyalliance.org/xindustry/vice-society">https://redskyalliance.org/xindustry/vice-society</a> for the CISA report on Vice Society. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.wired.com/story/vice-society-ransomware-gang/">https://www.wired.com/story/vice-society-ransomware-gang/</a></p></div>Weekly Cyber Intel Report - All Sector 10 07 2022 https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-10-07-2022 2022-10-07T12:47:57.000Z 2022-10-07T12:47:57.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg<div><h2><span style="font-size:12pt;">Activity Summary - Week Ending on 7 October 2022:</span></h2>
<ul>
<li>Red Sky Alliance identified 24,201 connections from new IPs checking in with our Sinkholes</li>
<li>Pptechnology Limited in Romania hit 485x</li>
<li>Analysts identified 1,163 new IP addresses participating in various Botnets</li>
<li>Royal Ransomware</li>
<li>Phishing Microsoft</li>
<li>US National Elections</li>
<li>Vice Society</li>
<li>New Zealand Attack</li>
<li>Ferrari Issues</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10836456881,original{{/staticFileLink}}">IR-22-281-001_weekly281.pdf</a></p></div>Vice Society https://redskyalliance.org/xindustry/vice-society 2022-09-06T21:42:12.000Z 2022-09-06T21:42:12.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg<div><p>This joint CISA Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</p>
<p>Link to full report: <a href="{{#staticFileLink}}10805303301,original{{/staticFileLink}}">IR-22-249-001_ViceSociety.pdf</a></p>
<p>CISA Report: <a href="{{#staticFileLink}}10805303663,original{{/staticFileLink}}">aa22-249a-stopransomware-vice-society.pdf</a></p></div>Weekly Cyber Intel Report - All Sector 04 29 2022 https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-04-29-2022 2022-04-29T18:20:23.000Z 2022-04-29T18:20:23.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg<div><h2>Activity Summary - Week Ending on 29 April 2022:</h2>
<ul>
<li>Red Sky Alliance identified 10,907 connections from new IPs checking in with our Sinkholes</li>
<li>msk.ru has issues</li>
<li>Analysts identified 3,698 new IP addresses participating in various Botnets</li>
<li>Vice & Industrial Spy</li>
<li>US Agriculture under Attack</li>
<li>T-Mobile Hit (again)</li>
<li>Oil India LTD</li>
<li>Getting Annoyed?</li>
<li>Lapsus$</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10448537900,original{{/staticFileLink}}">IR-22-119-001_weekly119.pdf</a></p></div>