RedXray: ‘Outside the Wire’

Military patrols working outside their forward operating bases (FOB) are categorized as “working outside the wire.” This is often where reconnaissance patrols and military intelligence officers collect valuable military intelligence to provide back to their unit, base, and section commanders for use in future proactive combat operations. This is no different from what RedXray does in cyber security. RedXray collects and analyzes indicators of compromise (IOCs) to help customers identify threats that are not monitored by traditional intrusion prevention systems, or threats “outside the wire.” Using this data, companies can better defend their employees and customers against cyber threats targeting their company, and also better respond to cyber incidents that take place.

Pharmaceutical Raw Materials Manufacturer:

RedXray was used to analyze a German pharmaceutical raw materials manufacturer. Intelligence shows that the company has numerous hits in the breach data collections indicating that employees around the world are having their credentials stolen and exposed online. Keylogger hits for the company indicate that the network had Hawkeye Keylogger activity, which allows for the exfiltration of sensitive data from the company’s network. Analysts were able to determine that 51% of malicious email activity targeted a single public email address. Using this data, policies can be developed and implemented to enforce multi-factor authentication. Using the Red Sky Alliance reporting on Hawkeye Keylogger activity, users can import blacklists into internal sensors to block malicious activity at the network level. Indicators from the malicious email hits can also be imported into webmail filters to mitigate malicious activity.
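The triage steps this section describes, as an added example that is not RedXray or Red Sky Alliance code: given constructed malicious-email and breach-data hits in a hypothetical record format, it measures how concentrated the email targeting is (to prioritise MFA), derives a subject-line list for import into a webmail filter, flags exposed credentials belonging to privileged roles, and computes the exposure rate that later sections quote as “one breached account every N days.”

```python
from collections import Counter
from datetime import date

# Constructed sample hits in a hypothetical record format; not real RedXray output.
MALICIOUS_EMAIL_HITS = [
    {"recipient": "info@example-pharma.test", "subject": "Invoice 4471 overdue"},
    {"recipient": "info@example-pharma.test", "subject": "Purchase order attached"},
    {"recipient": "info@example-pharma.test", "subject": "Invoice 4471 overdue"},
    {"recipient": "info@example-pharma.test", "subject": "Notice of lawsuit"},
    {"recipient": "hr@example-pharma.test", "subject": "Resume for open position"},
    {"recipient": "cto@example-pharma.test", "subject": "Purchase order attached"},
    {"recipient": "sales@example-pharma.test", "subject": "Quotation request"},
]
BREACH_HITS = [
    {"account": "cto@example-pharma.test", "role": "Chief Technology Officer", "first_seen": date(2020, 1, 1)},
    {"account": "jdoe@example-pharma.test", "role": "Analyst", "first_seen": date(2020, 1, 5)},
    {"account": "hr@example-pharma.test", "role": "Director of Human Resources", "first_seen": date(2020, 1, 10)},
    {"account": "asmith@example-pharma.test", "role": "Sales", "first_seen": date(2020, 1, 16)},
]
# Roles whose exposed credential would give an attacker elevated access (assumed list).
PRIVILEGED_ROLES = {"Chief Technology Officer", "Director of Human Resources"}


def target_concentration(hits):
    """Return (most-targeted recipient, share of all hits) to prioritise MFA enforcement."""
    counts = Counter(h["recipient"] for h in hits)
    recipient, n = counts.most_common(1)[0]
    return recipient, round(n / len(hits), 2)


def subject_line_blocklist(hits):
    """Unique, normalised subject lines suitable for import into a webmail filter."""
    return sorted({h["subject"].strip().lower() for h in hits})


def privileged_exposures(hits, roles=PRIVILEGED_ROLES):
    """Exposed accounts whose role makes the credential an escalation risk."""
    return sorted(h["account"] for h in hits if h["role"] in roles)


def days_per_breached_account(hits):
    """Average days between newly exposed accounts over the observed window (inclusive)."""
    seen = sorted(h["first_seen"] for h in hits)
    span_days = (seen[-1] - seen[0]).days + 1
    return span_days / len(hits)
```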

Multinational Tax and Consulting Service:

RedXray was used to analyze a multinational tax and consulting service. Intelligence shows that the company had employees signing into keylogged devices exfiltrating data to Russian attacker servers. Breach data indicates that multiple supervisory employees had their credentials exposed online. Access to these accounts would allow attackers to gain elevated privileges on the network and commit further cyber-attacks. Using subject-line data from the malicious emails collections, analysts were able to identify subject lines used in the malicious emails which could be imported into internal filters to bolster webmail security.

Global Shipping Company:

RedXray was used to analyze a global shipping company based out of Europe. Intelligence shows that there were multiple employees based in the company’s Indonesia branch who had keylogger activity on their devices. Both versions 13 and 14 of the Predator Pain Keylogger were used, which allow attackers to exfiltrate passwords and other sensitive information, as well as to take screenshots on the victims’ computers and pictures via the victims’ webcams. Since the beginning of 2020, the company had 100+ unique credentials in the breach data collections. After analyzing the breached credentials, analysts recommended a stronger password policy to make brute force attacks more difficult. The company also had multiple email addresses listed on Pastebin without additional context. Oftentimes attackers will list email addresses on Pastebin as part of a list of phishing targets.


International Technology Service Provider:

RedXray was used to analyze an international managed service provider headquartered in America. Intelligence shows that there were two employees with Fareit malware on their devices. With this malware installed on their machines, sensitive data and credentials can be stolen by attackers and exfiltrated for later use. Using the breach data collections, analysts reported that employees such as the Chief Technology Officer and Enterprise Account Manager had credentials exposed online. Using RedXray data, clients are able to analyze breached passwords to generate stronger password/authentication policies.

American Political Organization:

RedXray was used to analyze a major American political organization. Intelligence shows that there were multiple employees with credentials exposed online. One of the employees was the executive director for the organization. Political organizations are often targeted by hacktivists and nation-state actors for political gain and/or profit. Pastebin collections data indicates that someone published a message that was likely intended to be private. The message came from another major leader of the organization and spoke specifically about membership issues.

Professional American Sports Team:

RedXray was used to analyze an American professional sports program based in the Southeast. With breach data as recent as this month, intelligence shows that there are multiple employees with passwords exposed online. Malicious email data shows the Guest Services account being used to send emails containing Windows trojan malware to unsuspecting victims. This activity is often indicative of supply chain targeting, which can be monitored using RedXray data.

Northeastern Community College:

RedXray was used to analyze an American community college based in the Northeast. Intelligence shows that at least one user (a professor) had their credentials collected when signing into a mobile support center portal. Breach data includes information for sensitive accounts such as the Director of Human Resources and the Grants & Donated Funds Administrator. An attacker with access to either of these accounts would have prime information to leverage for further cyber attacks on the network. Malicious emails collections allow for subject line analysis and show that in one case the threat of a lawsuit was used to deliver a malicious email. Pastebin data showed that at least one other faculty member had credentials exposed on a post where the attacker indicated they had more, undisclosed, stolen credentials. Student and faculty credentials were exposed at a rate of approximately 1 breached account every 4 days, according to RedXray data.

Major Hospital:

RedXray was used to analyze a multibillion-dollar major healthcare facility on the East Coast. Intelligence shows that the company averaged approximately 1 breached account every day in 2020. Data shows at least one user having signed into the provider’s patient portal with a keylogger on their device. Attackers were able to capture the data being viewed by the users (likely sensitive patient/medical information). There were also malicious emails being sent by a visiting nurse and hospice company, likely an attempt at a supply chain attack.

International Oil & Gas Corporation:

RedXray was used to analyze an international oil & gas corporation headquartered on the West Coast. Intelligence shows that there have been at least 4 unique Pastebin posts containing breach data for employees at the company. Some of the breach data likely resulted from the fact that there are users with Azorult (credential stealing) malware logging into portals owned by the company. There were multiple malicious emails targeting the company over the years. These emails contained password stealing, phishing, and trojan malware. One specific user was being targeted with phishing malware designed to steal their Microsoft Office 365 credentials.

East Coast Municipality:

RedXray was used to analyze a municipality on the Atlantic Coast. At least 174 municipal institutions suffered ransomware attacks in 2019, according to research from antivirus software provider Kaspersky. This represents a 60 percent year-over-year increase.[1] Using intelligence from RedXray, towns are able to mitigate the risks of these attacks and use indicators of compromise to bolster internal intrusion prevention systems. RedXray botnet tracker data also indicated multiple devices located in the town reaching out to botnets such as Irstealer, Mirai, and Lokibot networks.


[1] https://www.msspalert.com/cybersecurity-research/municipality-ransomware-attacks-2019/