X-Industry

Red Sky Alliance continues to observe large data breaches across both the clear net on traditional forums, and on the dark web where new websites are being populated daily. Analysts recently discovered a site advertising a large data breach containing data stolen from Domino’s India.

The threat actors claim to have stolen 13TB of employee files and customer details.  At this time, the data showing up in searches consists mostly of past order details for customers, but the attackers claim “paymen

In the US, the Federal Bureau of Investigation (FBI) issued an alert on 20 May regarding “Conti,” a highly disruptive ransomware variant.  Cyber-attacks associated with Conti and the previously published Darkside ransomware variant are believed to be emanating from criminal networks operating from a non-cooperative foreign jurisdiction.  The FBI says it identified at least 16 Conti ransomware attacks targeting US health care and first responder networks, including law enforcement agencies, emerg

Iranian hackers have reportedly hit multiple Israeli companies with ransomware, in a new campaign of attacks.  A group describing itself as 'N3tw0rm' (Networm) recently added the logo of H&M Israel to their naming and shaming website, just three days after another local firm, Veritas Logistics, was hit.

It is suspected that Iran's Islamic Revolutionary Guard Corps was behind a ransomware campaign that used a contracting company called "Emen Net Pasargard," or ENP, to target over a dozen organiza

A coalition of government agencies and security firms has released a framework for how to disrupt ransomware attacks that calls for expanded regulation of the global cryptocurrency market to better track the virtual coins paid to cybercriminals during extortion schemes.

On 29 April 2021, the Institute for Security and Technology's Ransomware Task Force published the framework, which features 48 proposals. It calls for a coordinated, international diplomatic and law enforcement effort to combat t

Activity Summary - Week Ending 21 May 2021:

• Analysts identified 1,828 new IP addresses participating in various Botnets
• Red Sky Alliance identified 28,925 connections from new unique IP Addresses
• Our collection show 21 unique email accounts compromised with Keyloggers
• FiveHands Ransomware
• Panda Stealer
• Waikato (NZ) District Health Boar – Hit
• AXA Partners in Asia – attacked by the Avaddon Group
• Ireland Hospital Hacking
• Glasgow (Scotland) Caledonian University – IT shut Down
• Additional DarkSide T

Critical infrastructure in any country relies on energy sources and transmission for proper and safe national operations.  A direct cyber shot was delivered to the US oil and gas industry by a Russian criminal group known as DarkSide.  DarkSide was identified in the ransomware attack that shut down the US-Georgia-based Colonial Pipeline, which immediately created fuel shortages to cars, trucks, and the airline industry.  The ransom of $5 million USD was eventually paid to get the pipeline back i

From Krebs On Security, 17 May 2021.[1]  Our analysts think this is important information and wish to share with our Red Sky Alliance members.  In a Twitter discussion last week on ransomware attacks, Krebs On Security noted[2] that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukr

Recently a trusted cyber professional of Red Sky Alliance, with close to 40 years in the business said, “As cyber technology grew in the last thirty plus years, our international community sacrificed security for convenience.”  So true. 

Now we ask: if a Russian cyber-criminal group[1] or the North Korean military hacks[2] your company, places ransomware on your network because of corporate carelessness and then demands millions to unlock your valuable data - at that point - does it really matte

The volume of breach data, or exposed user credentials, has significantly increased in recent years.  The recent CompilationOfManyBreaches (COMB) breach was discovered in February 2021 and contains more than 3 billion unique sets of stolen user credentials.  The name of the breach file is accurate in that it contains breach data from numerous historical and recent data breaches all combined into one dataset.

While the risk associated with historical passwords is lower, users often re-use passwor

Activity Summary - Week Ending 14 May 2021:

• Red Sky Alliance observed 78 unique email accounts compromised with Keyloggers
• Analysts identified 23,596 connections from new unique IP Addresses
• 1,802 new IP addresses are participating in various Botnets
• COVID-19 Lures Continue
• RotaJakiro
• Lemon Duck
• Colonial Pipeline and DarkSide
• US – Oil Supply Chain Repercussions
• Belnet hit in Belgium
• Rubin Design Bureau, Russian DIB
• BoA upping Cyber Security Budgets
• The “new” Normal, is it?

Link to full report:

An ongoing disinformation campaign called "Ghostwriter," which leverages compromised social media accounts is targeting several NATO member countries in Europe.  Ghostwriter is attempting to undermine confidence in the defensive organization as well as spread discord in Eastern Europe.  Researchers who uncovered the campaign in July 2020, have now documented an additional 20 incidents related to the cyber operation, including at least one earlier in 2021. 

The Ghostwriter campaign is primarily a

Critical infrastructure in any country relies on energy sources and transmission for proper and safe national operations.  A direct cyber shot was delivered to the US oil and gas industry, allegedly by a Russian criminal group known as DarkSide.  DarkSide is suspected in the ransomware attack that shut down the US-Georgia based Colonial Pipeline, which immediately created fuel shortages to cars, trucks and the airline industry. 

This pipeline attack now has other energy sector officials on edge

What is RedPane?

RedPane is a dark web search engine tool that has been developed by Red Sky Alliance since late January 2021. With RedPane we are able to make dark web content available without the need for analysts to touch the dark web to visit Tor .onion sites. To date, we have over 300,000 data points on over 50 sites and we are adding new sites weekly.

With RedPane we have developed custom processes to capture text data from dark web sites that we designate, parse that information into a for

Cyber threat actors are increasingly using and abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems.  Telegram is a cloud-based instant messaging and voice-over IP service. Telegram client apps are available for Android, iOS, Windows Phone, Windows NT, macOS, and Linux.  Users can send messages and exchange photos, videos, stickers, audio, and files of any type.  Even when Telegr

The U.S. Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology have released a report providing insights on how to enhance supply chain security in the wake of the SolarWinds attack.

The guidance released 28 April 2021, "Defending Against Software Supply Chain Attacks," offers recommendations on how to implement the NIST Cyber Supply Chain Risk Management Framework and the Secure Software Development Framework. "This resource provides in-depth re

US Atlanta based Colonial Pipeline Company said in a statement last Friday that it was the victim of a cybersecurity attack, and so "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems."  An updated statement over the weekend it said it had "determined that this incident involves ransomware."

A former U.S. official and two industry sources have told media that the group DarkSide is among the sus

The US Nation’s Capital police department has reportedly been hit by Russian-speaking ransomware threat actors who claim to have stolen sensitive information on informants.  If true, this is a very troubling cyber-attack.  If informants cannot keep their anonymity, they will never work with the police.  The Babuk group gave police three days to pay-up before it shares the data with local gangs, according to media sources.  The files were allegedly posted on a dark web forum. 

Babuk ransomware is

Activity Summary - Week Ending 7 May 2021:

• Taleq Simeon needs a new Email Address
• Red Sky Alliance identified 15,654 connections from new unique IP Addresses
• Analysts identified 1,209 new IP addresses participating in various Botnets
• Researchers observed 20 unique email accounts compromised with Keyloggers
• FormBook Variant – Part III
• Google Play Store
• Oil and Gas getting SMART
• Oil and Gas on the Rise, Finally
• Cyber-Attack on Oil and Gas to ‘continue’ Rise
• Angola’s National Oil, Gas and Biofuel’

Threat researchers have come across two new phishing scams targeting customers of JPMorgan Chase Bank.  Both attacks deployed social engineering and brand impersonation tactics to steal customers' login credentials.  While one scam involved an email that appeared to contain a credit card statement, the other impersonated a locked account workflow to falsely inform victims that access to their account had been blocked following the detection of unusual login activity.

Cyber threat researchers sai

The current US administration is introducing a 100-day plan to improve cybersecurity and address cyber threats across the nation's electrical grid.  Officials state the program is part of a broader cybersecurity plan designed to address issues across the nation's critical infrastructure.

The 100-day initiative will involve government agencies that are responsible for the security of critical infrastructure as well as businesses and private utilities that oversee or own infrastructure, such as el