vulnerabilities - X-Industry - Red Sky Alliance (feed, 2024-03-28T14:16:10Z) https://redskyalliance.org/xindustry/feed/tag/vulnerabilities
Five Eyes - Cyber Alert | https://redskyalliance.org/xindustry/five-eyes-cyber-alert | 2023-08-13T13:50:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Intelligence agencies in Australia, Canada, New Zealand, the UK, and the US have published a list of the software vulnerabilities that were most frequently exploited in malicious attacks in 2022. The Five Eyes agencies say threat actors mainly targeted internet-facing systems that were not patched against older, known vulnerabilities, including flaws for which Proof-of-Concept (PoC) exploit code exists publicly.</p>
<p>“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure; the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations,” the agencies note.<a href="#_ftn1">[1]</a></p>
<p>Threat actors, the agencies say, likely focus on exploits for severe vulnerabilities with wide impact, which provide them with “low-cost, high-impact tools” that can be used for years, and prioritize exploits for bugs affecting the networks of their specific targets.</p>
<p>Throughout 2022, the reporting agencies observed the frequent exploitation of 12 vulnerabilities, some of which were exploited in previous attacks as well, although patches have been available for years.</p>
<p>The list includes:</p>
<ul>
<li>CVE-2018-13379 (Fortinet SSL VPNs)</li>
<li>CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 (Microsoft Exchange, ProxyShell)</li>
<li>CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus)</li>
<li>CVE-2021-26084, CVE-2022-26134 (Atlassian Confluence)</li>
<li>CVE-2021-44228 (Log4Shell)</li>
<li>CVE-2022-22954, CVE-2022-22960 (VMware products)</li>
<li>CVE-2022-1388 (F5 BIG-IP)</li>
<li>CVE-2022-30190 (Windows, Follina)</li>
</ul>
<p>Additionally, the Five Eyes agencies call attention to 30 other known vulnerabilities that were routinely exploited in attacks in 2022, in products from:</p>
<ul>
<li>Apache</li>
<li>Citrix</li>
<li>F5 Networks</li>
<li>Fortinet</li>
<li>Ivanti</li>
<li>Microsoft</li>
<li>Oracle</li>
<li>QNAP</li>
<li>SAP</li>
<li>SonicWall</li>
<li>VMware</li>
<li>WSO2</li>
<li>Zimbra</li>
</ul>
<p>Vendors and developers are advised to audit their environments to identify classes of exploited vulnerabilities and eliminate them, implement secure design practices, prioritize secure-by-default configurations, and follow the Secure Software Development Framework (SSDF).</p>
<p>End-user organizations are advised to:</p>
<ul>
<li>Apply available software updates and patches in a timely manner</li>
<li>Perform secure system backups</li>
<li>Maintain a cybersecurity incident response plan</li>
<li>Implement robust identity and access management policies</li>
<li>Ensure that internet-facing network devices are secured</li>
<li>Implement Zero Trust Network Architecture (ZTNA)</li>
<li>Improve their supply-chain security</li>
</ul>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a> <br /> Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/five-eyes-agencies-call-attention-to-most-frequently-exploited-vulnerabilities/">https://www.securityweek.com/five-eyes-agencies-call-attention-to-most-frequently-exploited-vulnerabilities/</a></p></div>
ColdFusion Vulnerability Issues | https://redskyalliance.org/xindustry/coldfusion-vulnerability-issues | 2023-07-18T12:00:00.000Z | CyberDog (https://redskyalliance.org/members/CyberDog189)
<div><p>A vulnerability has been discovered in Adobe ColdFusion which could allow for arbitrary code execution. Adobe ColdFusion is a commercial web-application development platform designed to build and deploy web applications. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.<a href="#_ftn1">[1]</a></p>
<p>There are currently no reports of this vulnerability being exploited in the wild. However, Adobe is aware of a proof of concept being available for this issue.</p>
<p>Systems Affected:</p>
<ul>
<li>ColdFusion 2018 update 17 and earlier versions</li>
<li>ColdFusion 2021 update 7 and earlier versions</li>
<li>ColdFusion 2023 update 1 and earlier versions</li>
</ul>
<p>Risk:</p>
<p>Government: Large and medium government entities – HIGH; Small government - HIGH</p>
<p>Businesses: Large and medium business entities – HIGH; Small business entities - HIGH</p>
<p>Home Users: LOW</p>
<p>Technical Summary:</p>
<p>A vulnerability has been discovered in Adobe ColdFusion which could allow for arbitrary code execution. Details of this vulnerability are as follows:</p>
<p>Tactic: Initial Access (TA0001):</p>
<p>Technique: Exploit Public-Facing Application (T1190):</p>
<p>Deserialization of untrusted data, which could result in arbitrary code execution (CVE-2023-38203).</p>
<p>Successful exploitation of this vulnerability could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.</p>
<p>Researchers recommend the following actions be taken:</p>
<p>Apply appropriate updates provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)</p>
<ul>
<li>Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.</li>
<li>Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.</li>
<li>Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.</li>
<li>Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.</li>
<li>Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.</li>
<li>Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.</li>
<li>Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.</li>
<li>Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.</li>
</ul>
<p>Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)</p>
<ul>
<li>Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.</li>
</ul>
<p>Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)</p>
<ul>
<li>Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.</li>
<li>Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.</li>
<li>Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.</li>
</ul>
<p>Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)</p>
<ul>
<li>Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.</li>
</ul>
<p>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)</p>
<ul>
<li>Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.</li>
</ul>
<p>REFERENCES:</p>
<ul>
<li>Adobe: <a href="https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html">https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html</a></li>
<li>CVE: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38203">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38203</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/a-vulnerability-in-adobe-coldfusion-could-allow-for-arbitrary-code-execution_2023-078">https://www.cisecurity.org/advisory/a-vulnerability-in-adobe-coldfusion-could-allow-for-arbitrary-code-execution_2023-078</a></p></div>
Google Chrome Issues | https://redskyalliance.org/xindustry/google-chrome-issues | 2023-04-04T20:10:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.<a href="#_ftn1">[1]</a></p>
<p>Threat Intel: There are currently no reports of these vulnerabilities being exploited in the wild.</p>
<p>Systems Affected:</p>
<ul>
<li>Google Chrome versions prior to 111.0.5563.110/.111 for Windows</li>
<li>Google Chrome versions prior to 111.0.5563.110 for Mac and Linux</li>
</ul>
<p>Risks:</p>
<p>Government: Large and medium government entities HIGH; Small government MEDIUM</p>
<p>Businesses: Large and medium business entities HIGH; Small business entities MEDIUM; Home Users: LOW</p>
<p>Technical Summary: Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:</p>
<p>Tactic: Initial Access (TA0001):</p>
<p>Technique: Drive-By Compromise (T1189):</p>
<ul>
<li>Use after free in Passwords (CVE-2023-1528)</li>
<li>Out of bounds memory access in WebHID (CVE-2023-1529)</li>
<li>Use after free in PDF (CVE-2023-1530)</li>
<li>Use after free in ANGLE (CVE-2023-1531)</li>
<li>Out of bounds read in GPU Video (CVE-2023-1532)</li>
<li>Use after free in WebProtect (CVE-2023-1533)</li>
<li>Out of bounds read in ANGLE (CVE-2023-1534)</li>
</ul>
<p>Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.</p>
<p>Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)</p>
<ul>
<li>Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.</li>
<li>Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.</li>
<li>Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.</li>
</ul>
<p>Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)</p>
<ul>
<li>Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.</li>
<li>Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.</li>
</ul>
<p>Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)</p>
<p>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)</p>
<ul>
<li>Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.</li>
</ul>
<p>Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)</p>
<ul>
<li>Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.</li>
<li>Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.</li>
<li>Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.</li>
</ul>
<p>Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)</p>
<ul>
<li>Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.</li>
</ul>
<p>REFERENCES:</p>
<p>CVEs</p>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1528">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1528</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1529">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1529</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1530">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1530</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1531">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1531</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1532">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1532</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1533">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1533</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1534">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1534</a></li>
</ul>
<p>Google</p>
<ul>
<li><a href="https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop_21.html">https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop_21.html</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-033">https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-033</a></p></div>
Vulnerability Management &amp; Scanning | https://redskyalliance.org/xindustry/vulnerability-management-scanning | 2023-02-21T12:40:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Vulnerability management comprises the entirety of workflows geared toward maintaining an up-to-date inventory of a company's digital assets, checking them for imperfections, and addressing the detected security loopholes. It revolves around the principle of monitoring and hardening the security condition of a corporate IT infrastructure continuously to ensure proactive defenses against different forms of exploitation.</p>
<p>There is a difference between the use of garden-variety vulnerability scanners and a full-fledged vulnerability management cycle. The latter aims to enhance corporate security, in general, and incident response, in particular. The ability to spot a critical flaw is undoubtedly important, but it does not make an organization any safer unless the weak link is eliminated before criminals piggyback on it to infiltrate the network. The mechanisms that are leveraged to analyze vulnerabilities and prioritize the remediation steps play a significant role as well. This part of the protection equation goes way beyond scanners alone.</p>
<p>Essentially, vulnerability management extends the functionality of the scanning process by assessing, categorizing, and addressing the pinpointed shortcomings. This approach has caused a paradigm shift in the enterprise security world. Previously, the main goal was to uncover loopholes in a computer network; now the emphasis is on the methods used to take care of these issues. Most services of this sort use a fairly straightforward licensing model based on the number of secured IP addresses. Their location or the required installation count does not affect the price tag. Providers of vulnerability scanning tools stick to a different model, in which the final price depends on the number of hosts and specific scanning preferences.</p>
<p>To choose a service that will match your infrastructure, consider the following criteria:</p>
<ul>
<li>The size of your organization, the number of subsidiaries operating in different time zones.</li>
<li>The common types of vulnerabilities inherent to the industry you represent. A possible conflict of interest between different teams can be another non-trivial factor you should keep in mind. To a large extent, the choice depends on whether the cybersecurity and IT departments can find common ground when discussing the required features of the system. Security experts tend to put vulnerability detection first, whereas IT specialists typically prioritize remediation. The negotiation process will help you better understand what specifications you need.</li>
</ul>
<p>Analysts should pay attention to how often the vulnerability management solution gets updates and how comprehensive these updates are. Also, look at the list of supported operating systems and application frameworks to avoid compatibility problems.</p>
<p>One of the important things on the plus side of any vulnerability management system is the option to integrate your threat database with information obtained from third-party sources. Furthermore, its ability to list examples of public exploits based on specific security gaps won't go amiss.</p>
<p>Many organizations have a hard time deciding what type of subscription to select: free or commercial. Keeping the vulnerability database current is important, and it requires a good deal of effort, time, and investment. To provide a tool with no financial strings attached, its developers probably have to focus on other activities that generate profit. As a result, free products usually lack some essential features or simply are not effective enough for prime-time use.</p>
<p>Successful use cases and the vendor's reputation can give you clues whether a solution is worth deploying. It is in your best interest to go for tools with a perfect track record that boast significant capabilities to pinpoint, evaluate, prioritize, and fix vulnerabilities across a wide range of software environments, including Windows, Red Hat Enterprise Linux, and macOS platforms.</p>
<p>If the tool is backed by a large database of third-party patches, it ensures a swift response to emerging threats. Well-orchestrated patch automation makes the process frictionless, with intuitive dashboards helping you stay on top of the vulnerability status of your digital ecosystem. To take your protection agility a step further, investigate solutions that will give you actionable insights into the security condition of your critical applications and systems. Advanced alerting features, precise threat scoring, and APIs for seamless integration with your internal processes play an important role here.</p>
<p>Vulnerability management comprises a set of disparate tools that complement each other to generate the expected results. Here is a list of what's usually required to detect and fix network security flaws:</p>
<ul>
<li>Various applications that collect, aggregate, and process vulnerability-related data. These may include traditional scanners, utilities that analyze information from third-party sources, and private vulnerability repositories acquired by the company's security personnel.</li>
<li>Tools that provide Common Vulnerability Scoring System (CVSS) data based on collected metrics and evaluate the importance of the assets that are susceptible to specific vulnerabilities.</li>
<li>Instruments that facilitate the interoperability between an internally deployed system and external vulnerability databases.</li>
<li>Solutions that address a security flaw with regard to the organization's network architecture, the industry in which it operates, and the worldwide attack surface.</li>
</ul>
<p>The most effective way to streamline the patch management workflow is to label every vulnerability signature with a unique identifier and ascertain that it is remedied during the next update. This process must be organized as meticulously as possible because failing to apply a single patch can be detrimental. It is also recommended to correlate automatic patches with a specific segment of the network. For example, the scope of computer updates may be limited to installing the latest versions of operating systems and most-used software, such as web browsers and office tools. Corporate servers require greater scrutiny, given that a shoddy update may cause a malfunction and disrupt your business activity by making valuable data inaccessible.</p>
<p>A lot depends on how well the security and IT teams work together. These teams have to reach a consensus on who will deploy updates for which enterprise resources and how frequently this will happen. The efficiency and effectiveness of vulnerability management depends on compliance with such agreements and on applying critical patches in time.</p>
<p>The asset management routine should also be as automated as possible. In addition, it needs to occur regularly and embrace all the areas of the company's digital infrastructure. These are the key prerequisites for prioritizing vulnerabilities. It is impossible to supervise your corporate IT network unless you keep a record of its elements. This makes asset management an important link in the vulnerability management chain.</p>
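<p>The three steps above (label each vulnerability with a unique identifier and confirm it is gone on the next scan, stage patches per network segment, and keep findings tied to an asset inventory), combined with the CVSS-plus-asset-importance scoring mentioned earlier, as an added Python example. It is not code from the article or from any vendor; the hosts, segments, scan results and scoring weights are constructed for illustration, and the list of routinely exploited CVEs is the one from the Five Eyes alert on this page.</p>

```python
"""Vulnerability prioritisation and remediation tracking (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# CVEs the Five Eyes agencies reported as routinely exploited in 2022 (from the page).
KNOWN_EXPLOITED: Set[str] = {
    "CVE-2018-13379", "CVE-2021-34473", "CVE-2021-31207", "CVE-2021-34523",
    "CVE-2021-40539", "CVE-2021-26084", "CVE-2022-26134", "CVE-2021-44228",
    "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-1388", "CVE-2022-30190",
}


@dataclass(frozen=True)
class Asset:
    host: str
    segment: str          # network segment, e.g. "dmz", "servers", "workstations"
    criticality: int      # 1 (low) .. 5 (business critical), set by the asset owner
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float           # CVSS base score reported by the scanner


def vuln_id(f: Finding) -> str:
    """Unique identifier for one vulnerability on one host; tracked until a later
    scan confirms it is gone (the 'label it, then verify it was remedied' step)."""
    return f"{f.host}:{f.cve}"


def priority(f: Finding, asset: Asset) -> float:
    """Risk score: CVSS weighted by asset criticality, doubled when the CVE is on the
    routinely exploited list, raised again for internet-facing hosts.
    The weights are an assumption for this example, not a published standard."""
    score = f.cvss * asset.criticality
    if f.cve in KNOWN_EXPLOITED:
        score *= 2.0
    if asset.internet_facing:
        score *= 1.5
    return round(score, 2)


def rank_findings(findings: Iterable[Finding], assets: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Return (vuln_id, score) pairs, highest priority first. A finding on a host
    missing from the inventory gets score -1 so the inventory gap is visible:
    you cannot prioritise what you have not inventoried."""
    ranked = []
    for f in findings:
        asset = assets.get(f.host)
        ranked.append((vuln_id(f), priority(f, asset) if asset else -1.0))
    ranked.sort(key=lambda p: p[1], reverse=True)
    return ranked


def plan_by_segment(findings: Iterable[Finding], assets: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Group tracked ids by network segment so server patches can be staged and
    tested separately from workstation updates."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        asset = assets.get(f.host)
        plan.setdefault(asset.segment if asset else "uninventoried", []).append(vuln_id(f))
    return plan


def verify_remediation(tracked: Iterable[str], rescan: Iterable[Finding]) -> Tuple[Set[str], Set[str]]:
    """Compare tracked ids with a later scan; returns (closed, still_open)."""
    still_present = {vuln_id(f) for f in rescan}
    tracked_set = set(tracked)
    return tracked_set - still_present, tracked_set & still_present


# Constructed inventory and scan data (hypothetical hosts; CVE-2099-0001 is a placeholder id).
ASSETS: Dict[str, Asset] = {a.host: a for a in [
    Asset("vpn-01", "dmz", 5, True),
    Asset("confluence-01", "servers", 4, False),
    Asset("build-02", "servers", 3, False),
    Asset("ws-017", "workstations", 1, False),
]}
SCAN_1 = [
    Finding("vpn-01", "CVE-2018-13379", 9.8),
    Finding("confluence-01", "CVE-2022-26134", 9.8),
    Finding("ws-017", "CVE-2022-30190", 7.8),
    Finding("build-02", "CVE-2099-0001", 7.5),
    Finding("lab-99", "CVE-2021-44228", 10.0),   # host not in the inventory
]
SCAN_2 = [  # rescan after the patch window: two items remain
    Finding("confluence-01", "CVE-2022-26134", 9.8),
    Finding("lab-99", "CVE-2021-44228", 10.0),
]

if __name__ == "__main__":
    for vid, score in rank_findings(SCAN_1, ASSETS):
        print(f"{score:7.2f}  {vid}")
    print(plan_by_segment(SCAN_1, ASSETS))
    closed, still_open = verify_remediation([vuln_id(f) for f in SCAN_1], SCAN_2)
    print("closed:", sorted(closed), "still open:", sorted(still_open))
```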
<p>The most conspicuous trend in this niche of cybersecurity is the growing automation of the underlying processes, including the above-mentioned asset and patch management. With the technology behind vulnerability assessment services being constantly refined, it is safe to expect a much higher accuracy of their verdicts down the line. Besides, these solutions will probably use more metrics to prioritize vulnerabilities.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p>Source: <a href="https://www.secureworld.io/industry-news/improve-your-organization-vulnerability-management">https://www.secureworld.io/industry-news/improve-your-organization-vulnerability-management</a></p>
</div>Vulnerable VMware ESXi Servershttps://redskyalliance.org/xindustry/vulnerable-vmware-esxi-servers2023-02-08T19:20:00.000Z2023-02-08T19:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10960040875,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10960040875,RESIZE_400x{{/staticFileLink}}" alt="10960040875?profile=RESIZE_400x" width="250" /></a>Our friends at the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) have provided a valuable alert: Vulnerable VMware ESXi Servers Targeted in Ransomware Attacks.</p>
<p>Ransomware groups are actively exploiting a two-year-old heap-overflow vulnerability, CVE-2021-21974 (CVSS v3.1 8.8), in the OpenSLP service used by VMware ESXi; the targeted systems are ESXi hypervisors in version 6.x and prior to 6.7, though threat actors may be leveraging other vulnerabilities or attack vectors, as earlier builds of ESXi appear to have also been compromised. European cybersecurity agencies reported that thousands of servers have been targeted in ransomware attacks within the last week, and analysts assess that the attacks may use a new variant called ESXiArgs. VMware ESXi 6.5 and 6.7 are currently targeted in this campaign and should be prioritized for patching and mitigation; both reached end of general support in October 2022. Vulnerable ESXi servers exposed to the public internet are particularly at risk; there are approximately 245 public-facing ESXi servers in New Jersey.</p>
<p>Bleeping Computer assessment:<a href="#_ftn1">[1]</a> Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware.</p>
<p>Tracked as <a href="https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-rce-bug-in-all-default-vcenter-installs/">CVE-2021-21974</a>, the security flaw is a heap overflow in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. "According to current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said. "The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7."</p>
<p><img src="{{#staticFileLink}}10960038895,RESIZE_710x{{/staticFileLink}}" alt="10960038895?profile=RESIZE_710x" /></p>
<p>Figure 1. Source: VMWare</p>
<p>To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't yet been updated. CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.</p>
<p>CVE-2021-21974 affects the following systems:</p>
<ul>
<li>ESXi versions 7.x prior to ESXi70U1c-17325551</li>
<li>ESXi versions 6.7.x prior to ESXi670-202102401-SG</li>
<li>ESXi versions 6.5.x prior to ESXi650-202102101-SG</li>
</ul>
<p><a href="{{#staticFileLink}}10960041080,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10960041080,RESIZE_584x{{/staticFileLink}}" alt="10960041080?profile=RESIZE_584x" width="500" /></a>French cloud provider OVHcloud first published a report linking this massive wave of attacks targeting VMware ESXi servers with the Nevada ransomware operation. "According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and are using CVE-2021-21974 as compromise vector. Investigations are still ongoing to confirm those assumptions," OVHcloud CISO Julien Levrard <a href="https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/">said</a>. "The attack is primarily targeting ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port (427)." However, the company backtracked soon after BleepingComputer's story was released, saying they had attributed it to the wrong ransomware operation. At the end of the first day of attacks, approximately 120 ESXi servers were encrypted. The numbers quickly grew over the weekend, with 2,400 VMware ESXi devices worldwide currently detected as compromised in the ransomware campaign, according to a <a href="https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.http.response.body%3A+%22How+to+Restore+Your+Files%22+and+services.http.response.html_title%3A%22How+to+Restore+Your+Files%22&ct=1">Censys search</a>.</p>
<p>In an advisory published on February 6th, <a href="https://www.bleepingcomputer.com/news/security/vmware-warns-admins-to-patch-esxi-servers-disable-openslp-service/">VMware confirmed</a> that this attack exploits older ESXi flaws and not a zero-day vulnerability. The company advises admins to install the latest updates for ESXi servers and <a href="https://kb.vmware.com/s/article/76372">disable the OpenSLP service</a>, which has been disabled by default since 2021. Overall, the ransomware campaign has not seen much success considering the large number of encrypted devices, with the <a href="https://ransomwhe.re/">Ransomwhere</a> ransom payment tracking service <a href="https://twitter.com/ransomwhere_/status/1622726675006988288">reporting only four ransom payments</a> for a total of $88,000. The lack of ransom payments is likely due to <a href="https://enes.dev/">a VMware ESXi recovery guide</a> created by security researcher Enes Sonmez, allowing many admins to rebuild their virtual machines and recover their data for free.</p>
<p>New ESXiArgs ransomware: the ransom notes seen in this attack do not appear to be related to the Nevada ransomware and appear to be from a new ransomware family. Soon after the attacks began, victims impacted by this campaign also started reporting them on <a href="https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help/">BleepingComputer's forum</a>, asking for help and more information on how to recover their data.</p>
<p>The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a .args file for each encrypted file, holding metadata that is likely needed for decryption.</p>
<p>While the threat actors behind this attack claim to have stolen data, one victim reported in the BleepingComputer forums that it was not the case in their incident. "Our investigation has determined that data has not been infiltrated. In our case, the attacked machine had over 500 GB of data but typical daily usage of only 2 Mbps. We reviewed traffic stats for the last 90 days and found no evidence of outbound data transfer," the admin <a href="https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-6#entry5470443">said</a>. Victims have also found ransom notes named "ransom.html" and "How to Restore Your Files.html" on locked systems. Others said that their notes are plaintext files.</p>
<p><em><a href="{{#staticFileLink}}10960041670,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10960041670,RESIZE_584x{{/staticFileLink}}" alt="10960041670?profile=RESIZE_584x" width="486" /></a>ESXiArgs ransom note (BleepingComputer)</em></p>
<p><a href="https://id-ransomware.malwarehunterteam.com/">ID Ransomware</a>'s <a href="https://twitter.com/demonslay335">Michael Gillespie</a> is currently tracking the ransomware under the name '<strong>ESXiArgs</strong>,' but told BleepingComputer that until we can find a sample, there is no way to determine if it has any weaknesses in the encryption.</p>
<p>BleepingComputer has a <a href="https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/">dedicated ESXiArgs support topic</a> where people are reporting their experiences with this attack and receiving help recovering machines.</p>
<p><strong>ESXiArgs technical details</strong> (BleepingComputer update)</p>
<p>An admin retrieved a copy of the ESXiArgs encryptor and associated shell script and <a href="https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/?p=5470686">shared it in the BleepingComputer support topic</a>.</p>
<p>Analyzing the script and the encryptor has allowed us to understand better how these attacks were conducted. When the server is breached, the following files are stored in the /tmp folder:</p>
<ul>
<li><strong>encrypt</strong> - The encryptor ELF executable.</li>
<li><strong>encrypt.sh</strong> - A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor, as described below.</li>
<li><strong>public.pem</strong> - A public RSA key used to encrypt the per-file key that encrypts each file.</li>
<li><strong>motd</strong> - The ransom note in text form that will be copied to /etc/motd so it is shown on login. The server's original file will be copied to /etc/motd1.</li>
<li><strong>index.html</strong> - The ransom note in HTML form that will replace VMware ESXi's home page. The server's original file will be copied to index1.html in the same folder.</li>
</ul>
<p>ID Ransomware's Michael Gillespie analyzed the encryptor and told BleepingComputer the encryption is, unfortunately, secure, meaning no cryptography bugs allow decryption. "The public.pem it expects is a public RSA key (my guess is RSA-2048 based on looking at encrypted files, but the code technically accepts any valid PEM)," Gillespie posted in the <a href="https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/?p=5470974">forum support topic</a>. "For the file to encrypt, it generates 32 bytes using OpenSSL's secure CPRNG <a href="https://www.openssl.org/docs/man1.1.1/man3/RAND_pseudo_bytes.html">RAND_pseudo_bytes</a>, and this key is then used to encrypt the file using Sosemanuk, a secure stream cipher. The file key is encrypted with RSA (OpenSSL's <a href="https://www.openssl.org/docs/man1.1.1/man3/RSA_public_encrypt.html">RSA_public_encrypt</a>), and appended to the end of the file. The use of the Sosemanuk algorithm is rather unique, and is usually only used in ransomware derived from the Babuk (ESXi variant) source code. This may perhaps be the case, but they modified it to use RSA instead of Babuk's Curve25519 implementation."</p>
<p>This analysis indicates that ESXiArgs is likely based on <a href="https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/">leaked Babuk source code</a>, which has been previously used by other ESXi ransomware campaigns, such as <a href="https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html">CheersCrypt</a> and the Quantum/Dagon group's <a href="https://www.synacktiv.com/en/publications/pridelocker-a-new-fork-of-babuk-esx-encryptor.html">PrideLocker</a> encryptor. While the ransom note for ESXiArgs and Cheerscrypt are very similar, the encryption method is different, making it unclear if this is a new variant or just a shared Babuk codebase. This does not appear to be related to the Nevada ransomware, as previously mentioned by OVHcloud. The encryptor is executed by a shell script file that launches it with various command line arguments, including the public RSA key file, the file to encrypt, the chunks of data that will not be encrypted, the size of an encryption block, and the file size.</p>
<pre>usage: encrypt &lt;public_key&gt; &lt;file_to_encrypt&gt; [&lt;enc_step&gt;] [&lt;enc_size&gt;] [&lt;file_size&gt;]
  enc_step  - number of MB to skip while encrypting
  enc_size  - number of MB in an encryption block
  file_size - file size in bytes (for sparse files)</pre>
<p>This encryptor is launched using the encrypt.sh shell script that acts as the logic behind the attack, which we will briefly describe below.</p>
<p>When launched, the script will execute the following command to modify the ESXi virtual machine's configuration files (.vmx) so that the strings '<em>.vmdk'</em> and '<em>.vswp'</em> are changed to '<em>1.vmdk'</em> and '<em>1.vswp</em>'.</p>
<p><strong><a href="{{#staticFileLink}}10960041886,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10960041886,RESIZE_584x{{/staticFileLink}}" alt="10960041886?profile=RESIZE_584x" width="500" /></a>Modifying VMX files</strong><br /> <em>Source: BleepingComputer</em></p>
<p>The script then terminates all running virtual machines by force-terminating (kill -9) all processes containing the string '<em>vmx</em>' in a similar way to this <a href="https://kb.vmware.com/s/article/1014165#:~:text=Sending%20signals%20on%20ESXi%20to%20power%20off%20the%20virtual%20machine">VMware support article</a>.</p>
<p>The script will then run <code>esxcli storage filesystem list | grep "/vmfs/volumes/" | awk -F' ' '{print $2}'</code> to get a list of ESXi volumes.</p>
<p>The script will search these volumes for files matching the following extensions:</p>
<ul>
<li>.vmdk</li>
<li>.vmx</li>
<li>.vmxf</li>
<li>.vmsd</li>
<li>.vmsn</li>
<li>.vswp</li>
<li>.vmss</li>
<li>.nvram</li>
<li>.vmem</li>
</ul>
<p>For each found file, the script will create a [file_name].args file in the same folder, which contains the computed size step (shown below), '1', and the size of the file. For example, server.vmx will have an associated server.vmx.args file. The script will then use the 'encrypt' executable to encrypt the files based on the computed parameters, as shown in the screenshot below.</p>
<p><strong><a href="{{#staticFileLink}}10960042263,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10960042263,RESIZE_584x{{/staticFileLink}}" alt="10960042263?profile=RESIZE_584x" width="500" /></a>Routine to create .args files and encrypt files</strong><br /> <em>Source: BleepingComputer</em></p>
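<p>The usage text and the .args layout above define how much of each file the encryptor actually touches. The following Python is an added example, not code from BleepingComputer's analysis or from the ransomware itself. It assumes the .args file holds the three integers "size_step 1 file_size" as described above, that the encryptor encrypts enc_size MB and then skips enc_step MB until the end of the file (my reading of the usage text), and that the appended RSA blob is 256 bytes, which follows Gillespie's RSA-2048 guess rather than anything confirmed.</p>

```python
"""
Model of the ESXiArgs encryptor's parameters: parse a <file>.args companion
and work out which bytes of the target the encryptor overwrites.
Added example; not BleepingComputer's analysis code or the ransomware's own.
Assumptions: .args holds "size_step 1 file_size"; the loop is encrypt
enc_size MB then skip enc_step MB; the trailing RSA blob is 256 bytes.
"""
from dataclasses import dataclass
from typing import List, Tuple

MB = 1024 * 1024


@dataclass(frozen=True)
class EncryptArgs:
    enc_step: int    # MB skipped between encrypted blocks (0 = encrypt everything)
    enc_size: int    # MB per encrypted block (the script always writes 1)
    file_size: int   # size in bytes, as the script recorded it


def parse_args_file(text: str) -> EncryptArgs:
    """Parse the three whitespace-separated integers of a .args file."""
    fields = text.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {text!r}")
    step, size, total = (int(f) for f in fields)
    if step < 0 or size <= 0 or total < 0:
        raise ValueError("implausible .args values")
    return EncryptArgs(step, size, total)


def encrypted_ranges(a: EncryptArgs) -> List[Tuple[int, int]]:
    """Half-open byte ranges the encryptor overwrites under the assumed
    encrypt-then-skip loop. With enc_step == 0 the ranges are contiguous."""
    ranges: List[Tuple[int, int]] = []
    block, skip, pos = a.enc_size * MB, a.enc_step * MB, 0
    while pos < a.file_size:
        end = min(pos + block, a.file_size)
        ranges.append((pos, end))
        pos = end + skip
    return ranges


def encrypted_fraction(a: EncryptArgs) -> float:
    """Share of the file that is ciphertext; the remainder is untouched plaintext."""
    if a.file_size == 0:
        return 0.0
    return sum(e - s for s, e in encrypted_ranges(a)) / a.file_size


def split_key_blob(encrypted: bytes, rsa_bits: int = 2048) -> Tuple[bytes, bytes]:
    """Split an encrypted file into (body, trailing RSA-encrypted file key).
    The 32-byte Sosemanuk key is RSA_public_encrypt'ed and appended, so only
    the holder of the matching private key can recover it. rsa_bits=2048 is
    an assumption based on Gillespie's guess."""
    n = rsa_bits // 8
    if len(encrypted) < n:
        raise ValueError("shorter than one RSA block; not in the expected format")
    return encrypted[:-n], encrypted[-n:]


if __name__ == "__main__":
    # Constructed .args contents: a 400 MB file recorded with a step of 3.
    a = parse_args_file("3 1 419430400\n")
    print(len(encrypted_ranges(a)), "blocks, fraction", encrypted_fraction(a))
```

<p>The point of the model is the gap it exposes: with a non-zero step only a fraction of a large file is ciphertext, which is why the free recovery procedure referenced earlier could rebuild virtual machines from the mostly intact flat disk files, while the small descriptor files are covered entirely. Checking a suspect file's last 256 bytes is also a cheap way to confirm the format before attempting any recovery.</p>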
<p>After the encryption, the script will replace the ESXi index.html file and the server's motd file with the ransom notes, as described above. </p>
<p>Finally, the script performs some cleanup by deleting logs, removing a Python backdoor installed at <strong>/store/packages/vmtools.py</strong> [<a href="https://www.virustotal.com/gui/file/773d147a031d8ef06ee8ec20b614a4fd9733668efeb2b05aa03e36baaf082878">VirusTotal</a>], and deleting various lines from the following files:</p>
<ul>
<li>/var/spool/cron/crontabs/root</li>
<li>/bin/hostd-probe.sh</li>
<li>/etc/vmware/rhttpproxy/endpoints.conf</li>
<li>/etc/rc.local.d/local.sh</li>
</ul>
<p><strong><a href="{{#staticFileLink}}10960042461,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10960042461,RESIZE_584x{{/staticFileLink}}" alt="10960042461?profile=RESIZE_584x" width="500" /></a>Cleanup of various Linux configuration files and potential backdoor</strong><br /> <em>Source: BleepingComputer</em></p>
<p>The <em>/store/packages/vmtools.py</em> file is the same custom Python backdoor for VMware ESXi server <a href="https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers">discovered by Juniper</a> in December 2022, allowing the threat actors to remotely access the device. All admins should check for the existence of this vmtools.py file to make sure it was removed. If found, the file should be removed immediately.</p>
<p>Lastly, the script executes /sbin/auto-backup.sh to persist the modified configuration into /bootbank/state.tgz and starts SSH. <em>This is a developing story and will be updated with new info as it becomes available ...</em></p>
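<p>The artifacts described above (.args companions beside VM files, the two ransom note names, the saved originals /etc/motd1 and index1.html, and the vmtools.py backdoor) are what an admin should sweep a host for. The Python below is an added triage routine, not BleepingComputer's or VMware's code; it takes a root directory so it can run offline against a constructed sample tree, and the docroot path used for the sample (/usr/lib/vmware/hostd/docroot) is an assumption about where ESXi serves index.html.</p>

```python
"""
Host triage for the ESXiArgs indicators: .args companions, ransom notes, the
saved originals (motd1 / index1.html) and /store/packages/vmtools.py.
Added example, not BleepingComputer's or VMware's code. Pass "/" on a live
host; the sample tree below is constructed, not captured data.
"""
import os
import tempfile
from typing import Dict, List

# Extensions the script encrypts, per the list in the write-up.
ENCRYPTED_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
                  ".vswp", ".vmss", ".nvram", ".vmem"}
RANSOM_NOTE_NAMES = {"ransom.html", "How to Restore Your Files.html"}
BACKDOOR_REL = "store/packages/vmtools.py"
MOTD_BACKUP_REL = "etc/motd1"          # original /etc/motd is copied here
INDEX_BACKUP_NAME = "index1.html"      # original index.html, same folder


def _rel(root: str, path: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")


def triage(root: str) -> Dict[str, List[str]]:
    """Walk root and collect each indicator class as root-relative paths."""
    found: Dict[str, List[str]] = {
        "args_files": [], "encrypted_vm_files": [], "ransom_notes": [],
        "backdoor": [], "replaced_originals": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = _rel(root, os.path.join(dirpath, name))
            if name.endswith(".args"):
                found["args_files"].append(rel)
                target = name[:-len(".args")]
                # Only VM files should have a companion; anything else is still logged.
                if os.path.splitext(target)[1].lower() in ENCRYPTED_EXTS:
                    found["encrypted_vm_files"].append(rel[:-len(".args")])
            if name in RANSOM_NOTE_NAMES:
                found["ransom_notes"].append(rel)
            if name == INDEX_BACKUP_NAME:
                found["replaced_originals"].append(rel)
    for rel, key in ((BACKDOOR_REL, "backdoor"), (MOTD_BACKUP_REL, "replaced_originals")):
        if os.path.isfile(os.path.join(root, *rel.split("/"))):
            found[key].append(rel)
    for paths in found.values():
        paths.sort()
    return found


def is_compromised(found: Dict[str, List[str]]) -> bool:
    return any(found.values())


def build_sample_tree() -> str:
    """Constructed sample layout (not captured data) for an offline run."""
    root = tempfile.mkdtemp(prefix="esxi-triage-")

    def put(rel: str, content: str = "") -> None:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

    vm = "vmfs/volumes/ds1/web01/"
    put(vm + "web01.vmx", 'displayName = "web01"\n')
    put(vm + "web01.vmx.args", "0 1 3210\n")
    put(vm + "web01.vmdk", "# Disk DescriptorFile\n")
    put(vm + "web01.vmdk.args", "0 1 512\n")
    put(vm + "web01-flat.vmdk", "")                  # no companion: untouched
    put(vm + "notes.txt.args", "0 1 10\n")            # companion for a non-VM file
    put(vm + "How to Restore Your Files.html", "<title>How to Restore Your Files</title>")
    put(BACKDOOR_REL, "# placeholder standing in for the vmtools.py backdoor\n")
    put("etc/motd", "ransom text\n")
    put(MOTD_BACKUP_REL, "Welcome to ESXi\n")
    put("usr/lib/vmware/hostd/docroot/index.html", "ransom note")
    put("usr/lib/vmware/hostd/docroot/index1.html", "original page")
    return root


def empty_tree() -> str:
    return tempfile.mkdtemp(prefix="esxi-clean-")


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
    print("compromised:", is_compromised(result))
```

<p>On a real host the same sweep in the ESXi shell is <code>find /vmfs/volumes -name '*.args'</code> plus <code>ls -l /store/packages/vmtools.py /etc/motd1</code>; the script's own cleanup deletes the backdoor and log lines, so the saved originals and the .args files are the indicators most likely to survive.</p>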
<p><em>Update 2/4/23: Added technical details about the attack. - Lawrence Abrams<br /> Update 2/5/23: Updated with new number of encrypted ESXi servers and method to recover virtual machines.<br /> Update 2/6/23: Added info from VMware and known ransom payments.</em></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/">https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/</a></p></div>The US Manufacturing Sectorhttps://redskyalliance.org/xindustry/the-us-manufacturing-sector2022-09-14T17:36:12.000Z2022-09-14T17:36:12.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10812238283,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10812238283,RESIZE_400x{{/staticFileLink}}" width="250" alt="10812238283?profile=RESIZE_400x" /></a>Cyber threats are an all too common danger for companies in all critical infrastructure sectors. Historically, the threat of cyber-attack was thought to be largest against financial institutions, retail chains, and the medical sector. However, as manufacturing has become more reliant on data and technology, the threat of cyber-attacks on the industry has grown. This is especially true for critical manufacturing, such as aviation and the defense industrial base (DIB), but it holds for any manufacturer. This means that all companies operating in the manufacturing sector should be aware of the cyber threats they face, such as ransomware, spyware, and adware, and should know how best to combat them. What follows are the most common threats facing manufacturers today.<a href="#_ftn1">[1]</a></p>
<ol>
<li>Phishing</li>
</ol>
<p>Phishing attacks involve tricking the recipient of an email or text into opening a link, providing hackers with an entry point into a secure network. These messages will appear to have been sent from within the company itself or from a trusted partner organization. The messages will often be meticulously created, using the correct terminology and imagery to appear official.</p>
<p>Phishing remains one of the most prevalent cybersecurity threats, as it accounted for 85 percent of the threats to manufacturing businesses. Once a hacker has gained access to the secure network, they can move unnoticed, acquiring the information needed to complete the attack. This information will either be ransomed back to the organization or sold on the dark web.</p>
<p>Manufacturing companies are often more vulnerable to phishing attacks due to a long supply chain that comprises many disparate organizations, providing more points of entry for hackers.</p>
<ol start="2">
<li>IP Theft</li>
</ol>
<p>A manufacturer’s intellectual property (IP) is what differentiates it from its competitors. This information is, therefore, one of the most valuable assets of a manufacturer, and its theft can have disastrous results. IP theft is reported as one of the most costly cyber threats. IP theft can be carried out by outside parties looking to steal trade secrets or other sensitive information, but it can also be carried out by employees or other insiders looking to make some quick cash by selling the information.</p>
<p>Hackers can gain access to the network through phishing or other nefarious means and then plant malware that can allow them to obtain sensitive information without being noticed. IP theft can have disastrous consequences for a manufacturing business. It can allow competitors to get a jump on developing new technologies, allowing them to compete for sales without first investing in the necessary research and development.</p>
<p>Instances of IP theft can also be incredibly difficult to prove. Every effort should therefore be made to prevent IP theft before it occurs, from identifying vulnerable assets and taking steps to protect them to training employees to watch out for potential threats.</p>
<ol start="3">
<li>Data Spillages</li>
</ol>
<p>Data spillages can affect companies in any industry, including manufacturing, although the risks for manufacturers may differ from those faced by, for example, retailers. Data spillages occur when sensitive data is accidentally released, whether by sending an email to the wrong recipient or through storage devices being lost or stolen.</p>
<p>The type of data a company stores can vary and can include everything from customer details to confidential plans or blueprints. If your company procedure is to record cell phone calls for compliance or quality assurance reasons, then even audio data could be at risk. To limit the occurrence of data spillages, staff should be trained on best practices regarding data security. It’s also a good idea to employ data loss prevention software.</p>
<ol start="4">
<li>Ransomware</li>
</ol>
<p>The manufacturing sector is at increasing threat of ransomware attacks, with 13.9 percent of incidents in North America in the last year being on manufacturing companies. Ransomware functions by encrypting the files on a network, making them unusable. Hackers can then demand a ransom in exchange for the decryption key, which will make the files usable again.</p>
<p>These attacks are so effective against the manufacturing industry because of the time constraints involved. Time is money, and manufacturers will often opt to pay a ransom, as the amount paid out to hackers could end up being less than the losses accrued from the delay in manufacturing.</p>
<p>The manufacturing industry is particularly susceptible to ransomware because of the abundant usage of computer-aided design (CAD). Access to these files is required for manufacturing to proceed, so making them unusable can be crippling to a company.</p>
<ol start="5">
<li>Supply Chain Attacks</li>
</ol>
<p>Supply chain attacks occur when attackers target a company’s business partners or suppliers. This can be done through phishing or otherwise compromising the networks of these third parties. Once an attacker has gained access to the network, they can then attack the manufacturer to steal data, plant malware, or simply disrupt the supply chain enough to halt production.</p>
<p>The manufacturing industry is so susceptible to these types of attacks because of the number of vulnerable endpoints present across a wide number of interconnected suppliers. This gives hackers multiple ways to access a network and ultimately attack the manufacturer.</p>
<p>On top of this, because each step in the supply chain is often reliant on other companies in the chain, an attack on one supplier can quickly cripple many other companies, too. To prevent serious attacks on supply chains, manufacturers need to carry out extensive risk management and activity monitoring on all their suppliers.</p>
<ol start="6">
<li>Nation-State Attacks</li>
</ol>
<p>Cyber threats to manufacturing companies aren’t always carried out by competitors or independent actors. Attacks can be carried out by the governments of other nations or threat actors employed by the governments of other nations. These attacks will often be extremely sophisticated and can have incredibly serious effects.</p>
<p>These attacks can be economically motivated and be used to try and destabilize the economies of foreign powers. They could also be militaristic in nature, with foreign governments attempting to strengthen their own military strategies while weakening their rivals’ strategies.</p>
<p>When trying to accomplish either of these goals, manufacturers make for attractive targets, with 17.7 percent of nation-state attacks in 2020 occurring in the manufacturing sector. Nation-state threat actors are often incredibly well-funded and are, therefore, equipped with sophisticated tools. They’re also highly trained. This makes these kinds of attacks particularly difficult to detect and prevent.</p>
<p>Cyber warfare attacks carried out by nation-state actors have the potential to shut down key infrastructures, such as energy and transportation. They can also disrupt military contractors and, in extreme cases, the operations of entire governments.</p>
<ol start="7">
<li>Equipment Sabotage</li>
</ol>
<p>As businesses embrace new technologies, like IVR phone systems, new threats must be identified and new risks eliminated. It’s not only information technology (IT) that’s at threat of cyber-attacks. Operational technology (OT) can also be vulnerable.</p>
<p>Equipment sabotage occurs when attackers damage the equipment needed for manufacturing, leading to the disruption of operations. These kinds of attacks are made possible as operational technology has increasingly become connected to modern communication systems. These machines have often only recently become linked to network infrastructures and so may be operated without the necessary security measures to protect them from threats. This can mark them as weak points in the network.</p>
<p>It’s possible for hackers to use these machines as entry points into a secure network, but it’s also possible for them to disrupt operations by simply shutting them down or irreparably damaging them. The destructive potential of equipment sabotage cannot be overstated, so companies should make every effort to ensure that potential vulnerabilities in machinery are addressed quickly and effectively.</p>
<ol start="8">
<li>Telecommuting Risks</li>
</ol>
<p>The advent of telecommuting and better software system integration has allowed many employees to work from home, letting manufacturers benefit from global workforces and giving many employees greater flexibility. The number of employees working remotely has increased steadily over the past couple of decades, with a sharp increase from early 2020.</p>
<p>However, this arrangement can also have negative implications for cyber security. Employees will often utilize personal devices when working remotely, which can lead to challenges when trying to create a secure network.</p>
<p>These devices, if not secured to the same standard as the rest of the network, can produce vulnerabilities that can be exploited by hackers. A breach through one of these devices, through phishing, malware, or other means, can provide access to a wide range of sensitive information.</p>
<p>To protect against the risks arising from telecommuting, companies should ensure that all devices are vetted before use and that device management and activity monitoring practices are undertaken.</p>
<p>Remote employees should also be well trained in security awareness, and best practices should be implemented to ensure that high levels of care are taken at all times.</p>
<p>Manufacturers are at increasing risk from cyber threats as the industry increasingly relies on interconnected systems and stores more and more data. Steps must be taken to ensure that companies minimize the risk and impacts of cyber-attacks. Great care should be taken to avoid data spillages, and employees should be properly trained in security protocols and better communication practices to reduce the chances of successful phishing and ransomware attacks. Take precautions, remain vigilant, and remember that manufacturers are just as much at risk of cyber-attacks as any other industry.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.manufacturing.net/iot/blog/22444974/the-top-8-cyber-threats-facing-manufacturers">https://www.manufacturing.net/iot/blog/22444974/the-top-8-cyber-threats-facing-manufacturers</a></p></div>Unchecked Vehicle GPS Tracking Vulnerabilitieshttps://redskyalliance.org/xindustry/unchecked-vehicle-gps-tracking-vulnerabilities2022-07-26T19:07:37.000Z2022-07-26T19:07:37.000ZMichael Brousseauhttps://redskyalliance.org/members/MichaelBrousseau<div><p><a href="{{#staticFileLink}}10672047278,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10672047278,RESIZE_400x{{/staticFileLink}}" width="250" alt="10672047278?profile=RESIZE_400x" /></a>GPS, or Global Positioning Systems, have become a staple of our lives, especially in the transportation sector. Whether you are broadcasting your location for a rideshare or trying to find the quickest way to avoid traffic on your commute, paper maps and printed directions have become a thing of the past. It comes as no surprise that the more we rely on interconnected devices, the more susceptible to cyber attacks we become. This is exemplified by the Cybersecurity &amp; Infrastructure Security Agency's (CISA) alert about the MV720 GPS tracker, a device from the Chinese supplier MiCODUS.</p>
<p>According to a report by BitSight, the tracker has six security flaws that can be exploited in attacks targeting the physical vehicles as well as their tracking information. The device reports a vehicle's GPS location in real time via text messages or a mobile application, which is very useful for companies that manage large fleets. It can also receive remote commands to shut down the vehicle's fuel circuit. Exploiting these vulnerabilities could affect supply chains as well as the safety of drivers.</p>
<p>BitSight reported the vulnerabilities to MiCODUS and, after waiting for corrective action that did not materialize, contacted CISA to disclose them. According to The Record, CISA reported that no patches or updates to fix the security issues are available. Two of the vulnerabilities, documented in the National Vulnerability Database (NVD) as CVE-2022-2107 and CVE-2022-2141, were assigned a Common Vulnerability Scoring System (CVSS) score of 9.8, making them critical.<a href="#_ftn1">[1]</a></p>
<p>CVE-2022-2107 describes an API server authentication mechanism that allows devices to use a hard-coded master password to send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.</p>
<p>CVE-2022-2141 describes a vulnerability where SMS-based GPS commands can be executed without authentication.</p>
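<p>The two SMS command weaknesses above, modelled side by side with a hardened gate. This is an added illustration, not MiCODUS firmware or BitSight's code: the command syntax, the master-password value, the device records and the phone numbers are all assumptions made up for the example.</p>

```python
"""Simulated SMS command gate for a fleet GPS tracker.

Added illustration, not MiCODUS firmware: it models the two failure modes the
advisory describes (a hard-coded vendor master password accepted from any
phone number, and commands executed with no authentication at all) next to a
hardened gate. The command syntax, the master-password value, the device
records and the phone numbers are assumptions made up for this example.
"""
import hmac
from dataclasses import dataclass, field

# Hypothetical vendor-wide master password baked into firmware (assumed value,
# not the real one). One secret shared by every device is the core defect.
HARDCODED_MASTER_PASSWORD = "000000"


@dataclass
class Tracker:
    device_id: str
    owner_number: str      # phone number registered as the device owner
    user_password: str     # per-device password set by the owner
    fuel_cut: bool = False
    audit: list = field(default_factory=list)


def parse_command(text: str):
    """Assumed wire format '<password>,<VERB>'; a bare verb has no password."""
    if "," in text:
        pw, _, verb = text.partition(",")
    else:
        pw, verb = "", text
    return pw.strip(), verb.strip().upper()


def execute(tracker: Tracker, verb: str, sender: str) -> bool:
    """Apply a verified command and record who issued it."""
    if verb == "STOP_FUEL":
        tracker.fuel_cut = True
    elif verb == "RESUME_FUEL":
        tracker.fuel_cut = False
    else:
        return False
    tracker.audit.append((sender, verb))
    return True


def vulnerable_unauthenticated_gate(tracker: Tracker, sender: str, text: str) -> bool:
    """CVE-2022-2141 pattern: the verb is acted on without any check."""
    _, verb = parse_command(text)
    return execute(tracker, verb, sender)


def vulnerable_master_password_gate(tracker: Tracker, sender: str, text: str) -> bool:
    """CVE-2022-2107 pattern: the sender is ignored, and the vendor master
    password is accepted in place of the owner's own password."""
    pw, verb = parse_command(text)
    if pw in (tracker.user_password, HARDCODED_MASTER_PASSWORD):
        return execute(tracker, verb, sender)
    return False


def hardened_gate(tracker: Tracker, sender: str, text: str) -> bool:
    """Require both the registered owner number and that device's own password;
    there is no global bypass value. Sender IDs can be spoofed, so the number
    check is a filter, not the sole control."""
    pw, verb = parse_command(text)
    if sender != tracker.owner_number:
        return False
    if not hmac.compare_digest(pw.encode(), tracker.user_password.encode()):
        return False
    return execute(tracker, verb, sender)
```

<p>Calling <code>vulnerable_unauthenticated_gate</code> with <code>"STOP_FUEL"</code> from an unknown number cuts fuel; <code>vulnerable_master_password_gate</code> does the same once the shared master password is known; <code>hardened_gate</code> refuses both and only acts on the owner's number with the device's own password.</p>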
<p>Other CVEs discovered on the MiCODUS MV720 platform include CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.</p>
<p>CVE-2022-2199 describes a reflected Cross-Site Scripting (XSS) vulnerability in the main MiCODUS web server, which could allow an attacker to gain control by tricking a user into making a crafted request. CVE-2022-2199 has a CVSS base score of 7.5.</p>
<p>CVE-2022-34150 describes an authorization bypass, an insecure direct object reference (IDOR): the web server accepts endpoint and parameter device IDs from an authenticated user without verifying that the user is entitled to that device, so any logged-in user can query arbitrary device IDs. CVE-2022-34150 has a CVSS base score of 7.1.</p>
<p>CVE-2022-33944 describes a second authorization bypass of the same kind, on an endpoint whose POST parameter "Device ID" accepts arbitrary device IDs. CVE-2022-33944 has a CVSS base score of 6.5.</p>
<p>For more information on the CVEs associated with the MiCODUS MV720 GPS tracker, see the CISA advisory <a href="https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01">here</a>.</p>
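<p>The device-ID authorization bypass behind the two IDOR findings above (CVE-2022-34150 and CVE-2022-33944), reduced to a minimal in-memory fleet API with the vulnerable lookup beside the fixed one. This is an added example, not MiCODUS server code: the endpoint behaviour, record layout, account names and device IDs are assumptions for illustration.</p>

```python
"""Insecure direct object reference on a device-ID parameter, beside its fix.

Added example, not MiCODUS code: a minimal in-memory model of a fleet web API
where an authenticated user asks for a tracker's position by device ID. The
record layout, account names, device IDs and positions are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner_account: str
    position: tuple  # (lat, lon)


# Constructed sample inventory: two accounts, three trackers.
DEVICES = {
    "1001": Device("1001", "acme-fleet", (42.36, -71.06)),
    "1002": Device("1002", "acme-fleet", (40.71, -74.01)),
    "1003": Device("1003", "rival-logistics", (34.05, -118.24)),
}


class Forbidden(Exception):
    """Caller is not entitled to this object (or it does not exist)."""


class NotFound(Exception):
    """Object does not exist; leaks existence when returned to any caller."""


def vulnerable_position(session_account: str, device_id: str) -> tuple:
    """Authenticated, but the only check is that the device exists: any
    logged-in account can read any tracker by guessing or iterating IDs."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise NotFound(device_id)
    return dev.position


def hardened_position(session_account: str, device_id: str) -> tuple:
    """Authorization comes from the server-side ownership record, never from
    the client-supplied ID alone. Unknown and foreign IDs get the same answer
    so the endpoint cannot be used to enumerate which IDs exist."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner_account != session_account:
        raise Forbidden(device_id)
    return dev.position


def enumerate_ids(handler, session_account: str, id_range) -> list:
    """The probe a tester runs: which device IDs does this session reach?"""
    reachable = []
    for i in id_range:
        try:
            handler(session_account, str(i))
            reachable.append(str(i))
        except (Forbidden, NotFound):
            pass
    return reachable


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(vulnerable_position, "rival-logistics", range(1000, 1005)))
    print("hardened:  ", enumerate_ids(hardened_position, "rival-logistics", range(1000, 1005)))
```

<p>The design point is that the ownership check is a server-side join between the session and the object, and that the failure response is uniform; an endpoint that returns "not found" for missing IDs and "forbidden" for someone else's IDs still tells an attacker which IDs are worth coming back for.</p>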
<p><a href="{{#staticFileLink}}10672047858,RESIZE_1200x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10672047858,RESIZE_710x{{/staticFileLink}}" width="650" alt="10672047858?profile=RESIZE_710x" /></a>According to TechCrunch, MiCODUS MV720 GPS tracking units have been installed in more than 1.5 million vehicles by over 420,000 customers.<a href="#_ftn2">[2]</a> These vehicles span 169 countries and are used by individuals, government agencies, militaries, law enforcement, and corporations.</p>
<p>If malicious actors take advantage of the vulnerabilities in the MiCODUS MV720, the most immediate impact is unlawful tracking of the people who use the systems in their vehicles. GPS tracking has been a growing privacy concern for many consumers, and a vulnerable IoT tracker puts that privacy directly at risk: watching when individuals leave their homes could enable burglaries or worse. The device can also cut fuel to a vehicle on command, which could let attackers hold vehicles for ransom, and attacks of that kind aimed at distribution companies could cause supply chain disruption and shortages of goods. Finally, because these systems are used by militaries and law enforcement agencies, nation-state actors could exploit the trackers for intelligence collection or to cause chaos by disabling emergency vehicles.</p>
<p>MiCODUS has not yet released patches or updates to address the vulnerabilities. BitSight recommends that users disable or discontinue use of the MiCODUS MV720 until a fix is available. According to BitSight, the device typically requires professional installation, and disabling it properly may require consulting a mechanic.</p>
<p>This is one more example of the lack of consideration for security in IoT devices, which often reach the market without adequate security testing. The MV720 vulnerabilities also reflect a larger trend: growing reliance on interconnected devices enlarges the attack surface and brings us back to the overarching struggle of cyber security as a whole, finding the balance between usability and security.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/unpatched-flaws-in-popular-gps-devices-could-let-hackers-disrupt-and-track-vehicles/">https://therecord.media/unpatched-flaws-in-popular-gps-devices-could-let-hackers-disrupt-and-track-vehicles/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://techcrunch.com/2022/07/19/micodus-gps-tracker-exposing-vehicle-locations/">https://techcrunch.com/2022/07/19/micodus-gps-tracker-exposing-vehicle-locations/</a></p></div>Intel Report: Cyber Threats & Vulnerabilities 05 19 2022https://redskyalliance.org/xindustry/intel-report-cyber-threats-vulnerabilities-05-19-20222022-05-19T20:08:31.000Z2022-05-19T20:08:31.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10501359490,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10501359490,RESIZE_400x{{/staticFileLink}}" width="200" alt="10501359490?profile=RESIZE_400x" /></a>Our weekly Cyber Threats & Vulnerabilities Report is provided to our Red Sky Alliance Members to consolidate both prominent government and private cyber security reporting which include descriptions (TTPs), indicators of compromise (IoCs) and at times remediation directions. </p>
<p>Link to full report: <a href="{{#staticFileLink}}10501359264,original{{/staticFileLink}}">IR-22-139-001_IntelSummary139.pdf</a></p></div>Intel Report: Cyber Threats & Vulnerabilities 04 07 2022https://redskyalliance.org/xindustry/intel-report-cyber-threats-vulnerabilities-04-07-20222022-04-07T18:11:00.000Z2022-04-07T18:11:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><strong><a href="{{#staticFileLink}}10277584486,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10277584486,RESIZE_400x{{/staticFileLink}}" alt="10277584486?profile=RESIZE_400x" width="250" /></a>Our weekly Cyber Threats & Vulnerabilities Report is provided to our Red Sky Alliance Members to consolidate both prominent government and private cyber security reporting which include descriptions (TTPs), indicators of compromise (IoCs) and at times remediation directions. </strong></p>
<p><strong>Link to full report: <a href="{{#staticFileLink}}10277630278,original{{/staticFileLink}}">IR-22-097-001_IntelSummary097.pdf</a></strong></p></div>Intel Report: Cyber Threats & Vulnerabilities 03 24 2022https://redskyalliance.org/xindustry/intel-report-cyber-threats-vulnerabilities-03-24-20222022-03-24T13:59:10.000Z2022-03-24T13:59:10.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10235176680,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10235176680,RESIZE_400x{{/staticFileLink}}" width="250" alt="10235176680?profile=RESIZE_400x" /></a>Our weekly Cyber Threats & Vulnerabilities Report is provided to our Red Sky Alliance Members to consolidate both prominent government and private cyber security reporting which include descriptions (TTPs), indicators of compromise (IoCs) and at times remediation directions. </p>
<p>Link to full report: <a href="{{#staticFileLink}}10235174665,original{{/staticFileLink}}">IR-22-083-001_IntelSummary083.pdf</a></p></div>2021 Cyber Security Predictionshttps://redskyalliance.org/xindustry/2021-cyber-security-predictions2021-01-05T20:18:57.000Z2021-01-05T20:18:57.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8390510860,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8390510860,RESIZE_400x{{/staticFileLink}}" width="250" alt="8390510860?profile=RESIZE_400x" /></a>Our Red Sky Alliance research predictions for 2021 are not in any particular order of importance; they are presented as what we believe are the most important developments to watch.</p>
<p><strong>Ransomware…Ransomware… Ransomware</strong></p>
<p>2020 saw a dramatic rise in ransomware activity. While it is difficult to predict specifically what ransomware authors will do next, they can be expected to keep doing what has worked for them as long as it remains profitable. Average ransom payments nearly tripled between late 2019 and the third quarter of 2020, from about $84,000 to about $234,000, largely because attackers focused on large organizations with deep pockets that can afford higher demands. The availability of cyber extortion insurance also gives victim organizations the means to pay higher ransoms. That does not mean small organizations are not being targeted. We expect ransoms to keep rising as long as victims keep paying.<a href="#_ftn1">[1]</a></p>
<p>Ransomware operators will keep evolving their tools and techniques to stay stealthy and blend in with the victim's IT infrastructure. Increasingly, ransomware is deployed by hand after an initial intrusion, which makes it more effective and keeps it undetected until the last minute. Operators are also making their tools faster so that victim data is encrypted before defenders have a chance to respond. As their capabilities evolve, they will approach the level of nation-state actors.</p>
<p>In addition to encrypting data and demanding a ransom for the decryption tool, attackers exfiltrated data and threatened to sell it on the black market; several ransomware operations run dedicated sites for auctioning or leaking stolen data. The tactic has proved very effective, and we expect it to continue into 2021.</p>
<p>Ransomware as a business. Cyber criminals have become sophisticated, applying business-analysis techniques to the companies they target. They research open-source business statistics on the victim and calculate the ransom accordingly. It used to be: pick a company, infect the network with ransomware, then throw out an arbitrary ransom demand. Now they use business data to set a figure just low enough that decision makers will pay it and get back to operations.<a href="#_ftn2">[2]</a></p>
<p><strong>RDP Vulnerabilities</strong></p>
<p>2020 also saw an increase in remote work due to the pandemic, and with it an increase in attacks on Remote Desktop Protocol (RDP). Over the past several years, attackers have exploited exposed RDP both to gain an initial foothold and to move laterally through an organization's IT infrastructure. Internet-facing Windows machines running the RDP service are relentlessly subjected to brute-force attacks that attempt to guess login credentials.</p>
<p>Once a machine is compromised, an attacker can use it for many different kinds of attack, including data theft, lateral movement, crypto-mining, botnet malware, sending spam email, and of course ransomware.</p>
<p>Internet-facing RDP servers are easy to find with search engines such as Shodan, ZoomEye, and Censys, and login credentials for compromised RDP servers are plentiful and cheap on dark web marketplaces. We expect RDP to remain an important attack vector to defend.</p>
<p>VPN usage also increased as employees moved to remote work in 2020. The US DHS CISA released several alerts throughout 2020 warning that attackers were actively exploiting VPN devices. The most distressing aspect of these cases was the age of the vulnerabilities being exploited: some had been public knowledge since mid-2019, showing a lack of patch deployment. In November 2020, an individual publicly posted a list of nearly 50,000 VPN devices vulnerable to a single flaw, CVE-2018-13379. Once compromised, a VPN device gives an attacker the same kinds of access as a compromised RDP server.</p>
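<p>The RDP password-guessing pattern described above, as a detection rule a SOC would run over Windows Security log events. This is an added example and not part of the original post or any Red Sky Alliance tooling: the event field names follow the 4625 (failed logon) and 4624 (successful logon) schema, but the sample events, source addresses and thresholds are constructed for the demonstration.</p>

```python
"""Detect RDP password guessing in Windows Security log events.

Added example, not from the original post: a sliding-window rule over
constructed Security-log records. Field names follow the 4625 (failed logon)
and 4624 (successful logon) event schema; the sample events, source addresses
and thresholds are made up for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# With Network Level Authentication enabled, failed RDP logons are logged with
# LogonType 3 (network) rather than 10 (RemoteInteractive), so a rule keyed only
# on type 10 misses most of the guessing traffic.
RDP_LOGON_TYPES = {10, 3}

# Constructed sample: 203.0.113.7 guesses six times in under a minute and then
# logs in; 198.51.100.5 is a user who mistyped a password once; the final
# record is a local console failure that the rule should ignore.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:00:01", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:00:09", "IpAddress": "203.0.113.7", "TargetUserName": "admin", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:00:17", "IpAddress": "203.0.113.7", "TargetUserName": "root", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:00:25", "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:00:33", "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:00:41", "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2020-12-01T08:00:49", "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:02:00", "IpAddress": "198.51.100.5", "TargetUserName": "jsmith", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2020-12-01T08:02:15", "IpAddress": "198.51.100.5", "TargetUserName": "jsmith", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-12-01T08:03:00", "IpAddress": "-", "TargetUserName": "kiosk", "LogonType": 2},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts, each (ip, kind, detail, time).

    kind == "burst": `threshold` or more failed RDP logons from one source IP
    fell inside `window` (reported once per source; detail is the count).
    kind == "success-after-burst": a successful RDP logon arrived from a source
    that had already produced a burst; detail is the account that got in.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    burst_sources = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop entries outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in burst_sources:
                burst_sources.add(ip)
                alerts.append((ip, "burst", len(recent), ev["TimeCreated"]))
        elif ev["EventID"] == 4624 and ip in burst_sources:
            alerts.append((ip, "success-after-burst", ev["TargetUserName"], ev["TimeCreated"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

<p>On the sample above the rule raises two alerts for 203.0.113.7 (a burst at the fifth failure, then the successful <code>svc_backup</code> logon that follows it) and nothing for the user who mistyped once. The success-after-burst alert is the one worth paging on: a guessing campaign that ends in a 4624 is an account takeover, not just noise.</p>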
<p><strong>Cyber to Physical Ransomware</strong></p>
<p>In September 2020, threat actors hit University Hospital Düsseldorf in Germany with ransomware. After more than 30 servers at the facility were affected, the hospital was forced to turn away emergency patients, and a woman whose care was delayed because she had to be transferred to another facility 20 miles away died; German authorities initially investigated the attack as the direct cause of her death. A death places the crime in an altogether more serious criminal category.</p>
<p>Ransomware actors have shown their capabilities of targeting critical infrastructure such as 911 systems, which has had severe consequences both socially and financially. Red Sky Alliance believes this will not slow down in 2021, but will actually increase as attackers understand the willingness of government agencies to pay ransoms.</p>
<p>As Ransomware-as-a-Service (RaaS) platforms expand, even low-skill attackers can earn a profit by targeting emergency services and vulnerable cities. Municipalities around the US, in states such as Florida, Maryland and California, have been taken offline because they are often ill-prepared and have lower budgets for security operations. The consequences of these attacks have gone from financial loss to the loss of emergency services, which could potentially result in the loss of human life.</p>
<p>The fact that so many companies have paid ransomware actors so much money during previous attacks means that these attackers now have better resources to attack their targets.</p>
<p>Until these attackers are arrested, prosecuted, and severely punished, they will become more emboldened to take down bigger targets likely resulting in the injury, if not death, of multiple victims. Being that many of the actors are protected by hostile foreign governments, prosecution is very unlikely.</p>
<p><strong>Dark Clouds are Forming</strong></p>
<p>In May 2020, threat actors broke into Blackbaud, a provider of software and cloud hosting solutions, and attempted to encrypt files on the company's network in a ransomware attack. While the company was able to expel the attackers from its systems, they stole some confidential data before being removed. Blackbaud stated that although the files were not encrypted, it paid the ransom to prevent disclosure of the stolen data. With the rise of data extortion, threatening to release sensitive data if a ransom is not paid, analysts expect the Cloud to become a much bigger target for ransomware attacks.</p>
<p>The increase in companies using cloud technology does not automatically mean an increase in cloud system administrators. This means that many IT teams are learning how to use the Cloud, but not necessarily learning how to keep that data secure. Red Sky Alliance has recently begun monitoring for misconfigured cloud servers, as well as malware that could specifically affect Cloud technology. However, analysts believe that 2021 will see a large spike in attackers targeting Cloud technologies such as Amazon Web Services and Microsoft Azure. Traditional attacks on the Cloud such as crypto-mining and leveraging the Cloud for DDoS attacks are unlikely to decrease in 2021.</p>
<p>If attackers do target the Cloud more successfully in 2021, companies should expect to see the shift from ransoming encrypted files, to ransoming the release of stolen data. As many companies discovered over 2020, the Cloud can help companies significantly but can also provide a major attack surface for attackers looking to steal private data and make a profit. According to Aqua Security's 2020 Cloud Native Threat Report, attacks against cloud systems exploded at the start of 2020 when the company recorded a 250% jump in attacks from the previous year. Red Sky analysts expect to see another increase over 2021. </p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing underground data stolen from many of the critical infrastructure sectors across the globe.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate">https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report">https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report</a></p>
</div>