X-Industry

Activity Summary - Week Ending 23 December 2020:

• Red Sky Alliance identified 38,232 connections from new unique IP addresses
• Analysts observed 32 unique email accounts compromised with Keyloggers
• 1,979 new IP addresses we seen participating in various Botnets
• JavaScript RAT
• Hacker Tactics
• BitGrail
• com
• MetaMax
• E-commerce up 600%
• Protesters using Bitcoin more and more
• City of Detroit suing #BLM

Link to full report: IR-20-358-001_eCommerces_358FINAL.pdf

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework.  See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020.  This APT actor has demonstrated

US federal authorities issued a warning on 17 December 2020 that Russian hackers used an expansive variety of malicious cyber tools to penetrate US government systems and said that the cyber offensive was, “a grave risk to the federal government.”  These cyber findings indicate a wider range of hacking, which appears to extend beyond nuclear research laboratories and the US Pentagon, Treasury and Commerce Department systems.  This expansion of cyber capabilities is complicating challenges for US

Activity Summary - Week Ending 18 December 2020:

• 28 unique email accounts compromised with keyloggers in the RedXray collections
• Red Sky Alliance identified 41,143 connections from new unique IP addresses
• Analysts identified 2,439 new IP addresses participating in various Botnets
• The top Malware Variants we again, Sality and Corkow, followed by Loki
• Covid-19 lures remain one of the top Suspicious Domains
• Bandook Trojan is Back
• UK based ‘end user computing’ (EUC)
• The Education Sector remains a t

The Dark Web is a place in cyberspace where criminals and other bad actors share stolen credentials and discuss successful attacks.  Fake COVID-19 cures, counterfeit travel documents, and scam call services are amongst the services being traded on the Dark Web. Cybercriminals continually search for new ways of exploiting the 2020 health crisis. Sensitive information often ends up for sale on the black market on the Dark Web, compromising the security of businesses and their employees.

According

Several high-profile breaches have been recently reported affecting major cybersecurity and IT companies and possibly affecting multiple government agencies.

On 8 December 2020, the cybersecurity firm FireEye, reported a breach in which internal software tools were stolen.  The stolen tools, known as Red Team tools, are used by the company to perform penetration tests of client IT assets.  While some of the tools were private and not meant to be publicly available, FireEye distributed some of th

An increasing number of companies are looking at an innovative approach to deal with hackers that attempt to break into their computer networks.  Note to hackers who may be reading this article, “There is nothing here of interest to you.” 

Companies are adding a new tool to their cybersecurity defenses called deception technology, which seeks to trick hackers into thinking they are getting close to critical data.  They lure cybercriminals into thinking they are getting close to the good stuff, a

Norwegian cruise company Hurtigruten sustained a cyberattack on 14 December 2020 and several critical network systems were affected, the company said in a statement.  Hurtigruten, which operates ferries along the Norwegian coast as well as cruises in the Arctic and Antarctic in normal times, said it did not expect the attack to lead to a "material financial effect.”[1] 

"This is a serious attack. Hurtigruten's global IT infrastructure appears to be affected," the company's head of IT, said in a

A sophisticated organized network of cybercriminals are now pivoting to conducting successful vishing attacks against employees across multiple companies; all this with a goal of stealing financial assets.  So what’s ‘vishing?’ Photo: AgendaX

Voice phishing is a form of criminal phone fraud, using social engineering over traditional telephone systems to gain access to private personal and financial information for the purpose of financial reward.  Vishing is a play on ‘voice’ and cyber ‘phishing

Activity Summary - Week Ending 11 December 2020:

• Red Sky Alliance identified 49,028 connections from new unique IP addresses
• Analysts observed 66 unique email accounts compromised with Keyloggers
• Sality and Corkow has consistently remain the top Malware Variants
• Analysts identified 1,715 new IP addresses participating in various Botnets
• Ragnar Locker
• WatchBogMiner
• Leaking Browser URL and Protocol Handlers
• Malware targeting Synthetic DNA Orders to modify DNA strings sequence
• Covid-19 Rx. Researc

For ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative.  Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and request a ransom to resolve the situation.  An old, yet tried and true use of chicanery.  Sometime old schemes become new schemes.  This is just the latest in a long line of shakedown tactics, which include not just using c

Business Email Compromise or BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company’s supervisors, CEO, or vendors.  Once in, they request a seemingly legitimate business payment. The email looks authentic, seems to come from a known authority figure, so the unsuspecting employee complies.  These fraudsters are increasingly exploiting the auto-forwarding feature in compromised email accounts to help conduct business email compromise scams, the US Federal B

Russian state level hackers have been exploiting a vulnerability found in VMware products including virtual workspaces, this according to a cybersecurity advisory issued last week by the the US based, National Security Agency.

PHOTOGRAPH: YIFEI FANG, GETTY IMAGES

The VMware vulnerability, which is called in CVE-2020-4006 and rated 7.2 on the Common Vulnerability Scoring System (CVSS), was disclosed and patched last week.  According to the NSA advisory, threat actors are using the vulnerability t

As the Covid virus marches on, many are seeing the light at the end of the tunnel.  Each day brings us a little closer to the approval and distribution of COVID-19 vaccines in the US, UK and close in many other countries.  According to the US Health and Human Services (HHS) Secretary Alex M. Azar II, officials with Operation Warp Speed (OWS) report that 20 million doses of the COVID-19 vaccine could be distributed this month.  ”We are planning to be ready when [an emergency-use authorization by

The cybercriminal-controlled botnet known as TrickBot has become a public enemy number one (again) for the cybersecurity community. It has survived takedown attempts by Microsoft, analysts from leading cybersecurity firms, and even US Cyber Command. It now appears that the hackers behind TrickBot are trying a new technique to infect the deepest recesses of infected machines, reaching beyond their operating systems and into their firmware.

The security firms AdvIntel and Eclypsium revealed that t

‘Hired Gun’ Hackers and the PowerPepper Backdoor

Kaspersky Labs announced a new find regarding a new backdoor loaded into Windows RAM, developed by Hackers for Hire (HfH).  The backdoor is capable of remotely executing malicious code and stealing confidential information.

The malware is called PowerPepper and is linked to the DeathStalker (DS) cybercriminal group (previously called the Deceptikons).  DS members of this group have been targeting law firms and financial institutions in Europe and

Red Sky Alliance observed 21 unique email accounts compromised with Keyloggers
Analysts identified 23,342 connections from new unique IP addresses
1,814 new IP addresses were observed participating in various Botnets
Red Sky Alliance now offers Code Repository and will present this index very Soon
BlackShadow targeting Israel
Make sure your WiFi is Safe
A cybercriminal is currently selling hundreds of C-level executives' Passwords
Lowe’s Insider Threat – Busted
Home Depot still has cyber issues,

Ransomware was one of the most observed cyber threats this year to date. Ryuk and Sodinokibi, were the most observed villains in Red Sky Alliance’s client investigations, have been joined by Maze as the top three ransomware variants so far in 2020.  After launching several high-profile attacks earlier in 2020, the actors behind Ryuk ransomware seem to have gone on a vacation near the end of Q2. According to cyber threat analysts, Crimeware and their developers often have periods where they go do

Ransomware attacks on enterprises of all sizes across industry sectors are on the rise.  Cyber threat experts estimate that worldwide, ransomware is expected to infect a business every 11 seconds and projected to cost over $20 billion in 2021.  Any organization can be a victim as a successful ransomware attack is within the reach of cybercriminals everywhere.  As ransom demands have increased, organizations continue to pay these hefty sums.

The sophisticated threat actors have proven to be metic

cPanel and Web Host Manager (WHM) are two popular administrative tools for web site administrators published by cPanel LLC. According to cPanel, over 70 million web sites are deployed that use their software for administration.  One of the security features of the software is 2-factor authentication using a mobile application such as Google Authenticator, Microsoft Authenticator, or Duo. Recently, a flaw was discovered that allows attackers to guess the 2 factor authentication token using a brut