
Activity Summary - Week Ending 19 February 2021:

  • VW Jetta Headlights VACAR-CN
  • Cheyenne Cloud Shards & C2 Compromise
  • Red Sky Alliance identified 37,941 connections from new unique IP addresses
  • Analysts identified 2,217 new IP addresses participating in various Botnets
  • Bazar/Team9 and MS
  • TX Wind Power Turbines Freeze
  • France and the Sandworm Group
  • Norway Oil worker’s Strike Averted
  • Major Oil find offshore in South Africa, Looks to Govt for Approval

Link to full article:  IR-21-050-001_Energy_050F

No one needs reminding that ransomware has reached incredible proportions; one widely reported statistic from Purplesec suggests that $20 billion was paid out in 2020.  That is almost double its $11.5 billion estimate for 2019, with a commensurately huge increase in the number of attacks, while Bitdefender reported a 715% increase in the first half of the year.

The "crews" have multiplied, adopted tactics that are reminiscent of nation-state attacks, and developed partnerships and relationships

A group of cybercriminals known for ransomware attacks has started leaking files allegedly stolen from Jones Day.  Jones Day is an international law firm based in the US.  As of 2018, it was the fifth largest law firm in the US and the 13th highest grossing law firm in the world.  Jones Day has represented former US president Donald Trump, including in his legal challenges to the 2020 election results.

The cybercriminals behind the ransomware operation known as Clop (Cl0p) have been known to encry

Global cybercrime market revenue surged to $1.7 billion in 2020, Chainalysis reports.  Underground markets continue to thrive even though international law enforcement agencies regularly target them, site administrators often steal buyers' and sellers' cryptocurrency through "exit scams," and users routinely get ripped off.

Darknet markets persist because users are willing to risk losing funds, risk arrest, and keep their losses quiet if scammed.  Yet, for anyone who wants to buy or sell ‘illegal’ good

Back in the 1960s, our educational systems began teaching a concept called phonics.  Phonics is a method for teaching people how to read and write an alphabetic language.  It is done by demonstrating the relationship between the sounds of the spoken language and the letters, groups of letters, or syllables of the written language.  Enter FonixCrypter, not the mobile app but the criminal hacking gang, which is far from the innocent way of teaching language.

It is being reported that the Foni

Activity Summary - Week Ending 12 February 2021:

  • Red Sky Alliance observed only 75 unique email accounts compromised with Keyloggers
  • Analysts identified 36,685 connections from new unique IP addresses
  • 1,794 new IP addresses were collected participating in various Botnets
  • Hello Kitty Malware Pussy-Footing Around Projekt RED
  • Groundhog Botnet in the Cloud
  • Danabot Going Wild
  • Banking and Financial services in the hacker’s Cross-hairs
  • PII data of millions of people in Brazil in the Underground
  • PayPal

With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices.  Until recently, Barcode Scanner was a straightforward application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts.  The app, which has been around since at least 2017, is owned by developer Lavabird Ltd., and claims to have over 10 million downloads

Lavabird Ltd.'s Barcod


In a continuation of malicious activity observed over the last two weeks, analysts are still seeing attackers impersonating Mediterranean Shipping Company (MSC) in a campaign to spread Dridex malware.  The attackers are using the same tactic against numerous companies across the globe, in multiple industries.

Analysts have observed numerous malicious emails beginning in late January, in which senders are impersonating Mediterranean Shipping Company (MSC) employees and t


In 1972, Alice Cooper sang a popular song: “School’s Out.”  In 2020, school has literally been 'OUT for Covid.'  The global pandemic has shut down many, many school systems around the world.  This created a system of teaching virtually using a variety of on-line platforms.  That turned the heads of black hat hackers, who increasingly focus on attacking school systems, teachers, parents and students.  Recently, there has been a significant increase in ransomware cyber-attacks on virtual classrooms.  The Cor

Cybersecurity researchers disclosed in February 2021 a new supply chain attack targeting online gamers by compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs.  Named "Operation NightScout" by Slovak cybersecurity firm ESET, the highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka.

NoxPlayer, developed by Hong Kong-based BigNox,

A recently identified malvertising campaign targeting users of mobile and other connected devices makes heavy use of obfuscation and cloaking to avoid detection.  Named LuckyBoy, the multi-stage, tag-based campaign is focused on iOS, Android, and Xbox users.  Since December 2020, it has penetrated over 10 Demand Side Platforms (DSPs), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada.

According to security vendor The Media Trust, the malware checks for a global variable ‘

A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks do not operate in their own bubbles but often switch ransomware suppliers (RaaS services) in search of better profits.  The report analyzed how Bitcoin funds were transferred from victims to criminal groups, how the money was divided among the different parties involved in an attack, and how it was eventually laundered.

In today’s world, the ransomwar

Activity Summary - Week Ending 5 February 2021:

  • Red Sky Alliance identified 34,976 connections from new unique IP addresses
  • Greek Bank, Alpha Bank Group has an Attack Server (C2) Compromise
  • DigitalOcean has a Compromised (C2) IP
  • Analysts identified 2,089 new IP addresses participating in various Botnets
  • PowerShell Dropping REvil
  • Ursnif/Gozi using INPS as Bait
  • How the World Ends
  • US – Russia Cyber Strategy
  • Rocket Chat (Al Qaeda) urging Cyber Terrorism
  • Operation Lady-Bird
  • Electric Grids – Still a

You have been asked to be a local celebrity at the summer church fund raiser.  This honor involves sitting on a perch in a dunk tank.  All goes well until, after the first plunge into the cold water, you realize that you forgot to take your phone off your hip.  Panic sets in.  This is the phone you use for both work and home.  Oh no – now what?  Plunging into a dunk tank may not be in your near future, but dropping your phone in the toilet, pool or local pond is a distinct reality.  Smart phone

A Russian-speaking "Scam-as-a-Service" (SaaS) operation called "Classiscam" is expanding globally, with 40 interconnected gangs in about a dozen countries using fake product advertisements to launch phishing schemes, the security firm Group-IB reports.  This “SaaS” adds to the long list of hacker services anyone can buy with some spare Bitcoin.

The fraud actors are posting fake online classified advertisements for products to trick interested buyers into visiting phishing pages, where t

A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data in order to track the movement of persons of interest.  The intrusions have been linked to a threat actor that the cyber-security community has been tracking under the name Chimera, believed to be operating in the interests of the Chinese state.  Researchers say the group has remained undetected in a network for up to three years.  Initial reports mentioned a series

Looks like the electric car is here to stay, especially in the US.  The vast spending power of the US federal government is unmatched, so when it decides to do something, it can move markets and shape the economy.

The best, and by far biggest, example of this was the decision in 1961 to send a man to the moon by the end of the 1960s; the resulting flood of spending spawned waves of innovation and technological breakthroughs.  It literally rocketed America’s post-World War II economy into the

In late January, a new botnet campaign was discovered targeting Linux devices running unpatched software with recent code execution CVEs.  Once a device is compromised, the bot downloads and executes a malicious Python script that joins the device to the botnet.  The botnet is controlled by the attackers over Internet Relay Chat (IRC) and lets them perform DDoS attacks and run crypto-mining software on infected devices.  Updates are available to patch all CVEs exploited
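IRC command-and-control of the kind described above is one of the easier C2 channels to find in network telemetry, provided you look at more than the port number.  The following is an added example, not code from the original article or from any vendor: a small Python detector that runs over constructed, tab-separated connection records (timestamp, source IP, source port, destination IP, destination port, protocol, first payload bytes; an assumed format, not a real product's log) and flags hosts that connect to the standard IRC port range, send IRC commands on a non-standard port, or open a Stratum mining-pool handshake, the latter covering the crypto-mining payload the article mentions.  The sample log and all addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard IRC ports (6660-6669 plain, 6697 TLS, 7000 common alternative).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# IRC registration / channel commands as seen at the start of a client's first bytes.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PASS|PRIVMSG|PONG) ", re.ASCII)
# Stratum mining protocol handshake (JSON-RPC method names used by mining pools).
STRATUM = re.compile(r'"method"\s*:\s*"mining\.(subscribe|authorize|submit)"')


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    reason: str


def parse_line(line):
    """Parse one assumed-format record: ts, src, sport, dst, dport, proto, payload."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, payload = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "proto": proto, "payload": payload}


def classify(rec):
    """Return the list of reasons this connection looks like IRC C2 or mining traffic."""
    reasons = []
    if rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS:
        reasons.append(f"outbound to IRC port {rec['dport']}")
    if IRC_CMD.match(rec["payload"]):
        reasons.append("IRC handshake/command in first bytes")
    if STRATUM.search(rec["payload"]):
        reasons.append("Stratum mining-pool handshake")
    return reasons


def find_c2(lines):
    """Group suspicious connections by source host; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            hits[rec["src"]].append(Finding(rec["src"], rec["dst"], rec["dport"], reason))
    return dict(hits)


# Constructed sample records (documentation-range IPs); \r\n in payloads is shown literally.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2021-01-28T12:00:01Z", "10.0.0.5", "51234", "198.51.100.7", "6667", "tcp",
     "NICK x0rbot\\r\\nUSER x0rbot 8 * :x0rbot"),
    ("2021-01-28T12:00:02Z", "10.0.0.5", "51235", "203.0.113.9", "443", "tcp",
     "(tls-client-hello)"),
    ("2021-01-28T12:00:03Z", "10.0.0.8", "40001", "198.51.100.20", "8080", "tcp",
     "JOIN #bots"),
    ("2021-01-28T12:00:04Z", "10.0.0.8", "40002", "198.51.100.21", "3333", "tcp",
     '{"id":1,"method":"mining.subscribe","params":["xmrig/6.8.0"]}'),
    ("2021-01-28T12:00:05Z", "10.0.0.12", "40003", "93.184.216.34", "80", "tcp",
     "GET / HTTP/1.1"),
    "not a valid record",
])

if __name__ == "__main__":
    for host, findings in find_c2(SAMPLE_LOG.splitlines()).items():
        for f in findings:
            print(f"{host} -> {f.dst}:{f.dst_port}  {f.reason}")
```

The port rule alone is both noisy (legitimate IRC clients) and trivially evaded (the bot on port 8080 above); the payload rule is what catches a non-standard port, so the two should be read together and corroborated with the process that opened the socket on the host.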

According to a report from security firm RiskIQ, several Magecart groups hide their JavaScript skimmers, phishing domains and other malicious tools behind a bulletproof hosting service called Media Land.  During their investigation, the researchers found that thousands of domains used for JavaScript skimmers, phishing and other malicious infrastructure have been registered with Media Land since 2018 using at least two email addresses and other aliases.

A recently discovered Mobile Remote Access Trojan (MRAT) can take control of infected Android devices and exfiltrate a multitude of user data.  Called Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors who have been selling their malicious products on underground markets for several years.

Triangulum first shared a mobile RAT on a dark web forum in June 2017.  The threat was capable of data exfiltration, but could also destroy data locally, and even e