X-Industry

Activity Summary - Week Ending 20 November 2020:

• Red Sky Alliance identified 35,859 connections from new unique IP addresses
• Microsoft IP is a compromised C2
• APT 10 – Stone Panda back in the Top 5 Threat Actor Groups
• Capcom Hack - Part II
• Kucoin Exchange Hacked
• Kucoin-activity[.]com - Beware
• Cryptocurrency Challenges
• Plowshares going to Prison
• Black activists in Portland OR doing the Moonwalk
• Sodinokibi using BLM as Registry key

Link to full report: IR-20-325-001-Tactical Cyber Brief325_FINAL.

Brazil is known for its pristine beaches, nightlife, hot dancing, and of course - The Girl from Ipanema.  A recently uncovered Brazilian banking Trojan targeting Android devices can spy on over 150 apps, including those of banks, cryptocurrency exchanges, and fintech firms, as a way to gather credentials and other data, according to an analysis by security firm Kaspersky.  A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that is a contradiction.  Viruses can execute and r

Remember the Dark Side comics?  Well, the DarkSide criminal hacking group is no laughing matter.  The DarkSide Ransomware gang claims they are creating a distributed storage system in Iran to store and leak data stolen from victims.  DarkSide is operated as a Ransomware-as-a-Service (RaaS) where developers control programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

DarkSide is the latest ransomware criminal gang to anno

Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate. The goal is to render the website or service inoperable.  The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level.

DDoS attacks have not been in the spotlight this year, due the onslaught of high dollar a

Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.

Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published on Monday by Kaspersky.  Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth operation. Distribution was never c

A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself. 

The malware, named Jupyter by its finders at Israeli security firm Morphisec, has been active since at least May 2020, but it escaped detection by most antivirus software until last week; partly because unlike most malware, Jupyter runs mostly in memory and leaves very little trace on a syst

The 2020 Holidays are here and many global and domestic economies are preparing for the subsequent shopping. This buying season is being executed in an environment that has changed entirely due to the Corona Pandemic lockdowns and fears of virus infection.  This creates – buying on-line.  It is estimated that this will be the largest on-line/eCommerce holiday season ever.  As tradition on Black Friday was once, consumers will not be standing outside of brick and mortar stores waiting for the lat

In August 2020, the NSA and FBI published a joint security alert containing details about a previously undisclosed Russian malware.  The entire report can be viewed here

The agencies say that the Linux strain malware has been developed and deployed in real-world attacks by Russian military hackers. The FBI says, “The Russian General Staff Main Intelligence Directorate (GRU) 85^th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector

Encryption is a valuable partner in maintaining privacy.  Encryption keeps our data safe from unwanted guests.  It stops people from robbing our valuable credit card details, our app usage habits, and our passwords.  While this is the answer for those with privacy concerns, IT teams will face a massive influx of traffic that they cannot look inside without decryption technology.  This means encryption brings a bit of a double-edged sword because cyber threat actors can use it too.  Encryption ca

Walmart wants to learn whether robotic deliveries can fit into with its retail operations so it is launching a pilot program with General Motors funded electric automobile company Cruise, using the tech startup’s electric, self-driving to deliver groceries and other goods to suburban Phoenix customers.

The project will begin sometime in early 2021 and will use battery-powered vehicles in Cruise’s test fleet in Scottsdale, Arizona, Tom Ward, Walmart’s senior vice president for customer product, s

Law enforcement in Jackson, Mississippi has launched a pilot program that allows officers to tap into private surveillance devices during criminal investigations.  On 30 October 2020, the AP reported that the trial, now signed off by the city, will last for 45 days.  The small trial could herald a wider rollout with participating residents in the future. The pilot program uses technology provided by Pileum and Fusus, an IT consultancy firm and a provider of a cloud-based video, sensor, and data

Previously, Red Sky Alliance reported on Fancy Bear imposters demanding Bitcoin ransom from a Florida election information website.  These actors send various ransom/scam demands using coronavirus-themed domains covidpapers[.]org and coronaxy[.]com.  In some cases, they threaten with exposure of allegedly hacked personal files, in other cases, with DDoS attack.  They often claim to be Russian government hackers, pretending to be Fancy Bear, Cozy Bear, or Venomous Bear.   Their ransom emails typi

A cyberespionage campaign aimed at aerospace and defense sectors to install data gathering implants on victims' machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought.  The use of job of employment ads and postings have the recent bait for unsuspecting victims.

The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia and India, involve

Activity Summary - Week Ending 13 November 2020:

• Red Sky Alliance observed 67 unique email accounts compromised with Keyloggers
• Analysts identified 42,222 connections from new unique IP addresses
• 2,563 new IP addresses were observed Participating in various Botnets
• Hezbollah is the Top Threat actor this week targeting Israel, US, Lebanon, Syria and Iran
• TrickBot and BazarLoader
• WatchBogMiner
• Ransomware blocks electronic Stadium Entrances
• A UK Premier League soccer club's Managing Director was H

The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it downloaded in a November 3, 2020 attack unless a US$15 million ransom is paid in Bitcoin.  Attacks that are carried out by the gang behind Ragnar Locker, break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manuall

The past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, corresponded with an observed decrease in Ryuk deployments. This suggested that Conti is the “successor” of Ryuk. Some media outlets have also reported that Conti was an evolved version of Ryuk, suggesting that it has evolved from the RYUK source code. While this may have been true for very early samples, a Red Sky analysis of recent

American toy manufacturing giant Mattel this week revealed that it fell victim to a ransomware attack that impacted some of its operations.  Founded in 1945 and headquartered in El Segundo, California, Mattel is one of the largest toy sellers in terms of revenue, with its operations divided into three segments, namely North America, International, and American Girl.  Mattel sells products such as Barbie, Fisher-Price, Monster High, American Girl, Polly Pocket, and Hot Wheels in 150 countries, an

Cofense Intelligence researchers found a new version of the Hentai OniChan ransomware called “King Engine” and is being delivered in a Coronavirus-themed phishing campaign.   The new variant exfiltrates data and demands a massive amount for ransom, which is significantly higher than previously discovered Hentai OniChan campaigns.[1]  This is odd. 

According to researchers, cybercriminals used the Berserker variant of this ransomware previously in their campaign, which did not exfiltrate data and

Akamai recently published a report detailing criminal activity targeting the retail, travel, and hospitality market segments with attacks of all types and sizes between July 2018 and June 2020.  The report also includes numerous examples of criminal ads from the Dark web illustrating how they cash in on the results from successful attacks and the corresponding data theft.

So, what is credential stuffing?  Please visit and read our full report at: https://redskyalliance.org/xindustry/credential-s

The 2020 election season appears to have to end in sight.  For states not under vote-counting-scrutiny, there have been many ballot measures around the country that have drawn people's attention.  One of these measures is Proposition 24 in California, known as the California Privacy Rights Act of 2020 (CPRA). The measure passed with a majority of people voting to strengthen consumer privacy rights.

The new measure will update existing conditions from the 2018 California Consumer Privacy Act (CCP