All Articles (2533)

Activity Summary - Week Ending 13 November 2020:

  • Red Sky Alliance observed 67 unique email accounts compromised with keyloggers
  • Analysts identified 42,222 connections from new unique IP addresses
  • 2,563 new IP addresses were observed participating in various botnets
  • Hezbollah is the top threat actor this week, targeting Israel, the US, Lebanon, Syria and Iran
  • TrickBot and BazarLoader
  • WatchBogMiner
  • Ransomware blocks electronic stadium entrances
  • A UK Premier League soccer club's Managing Director was H

The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it downloaded in a November 3, 2020 attack unless a US$15 million ransom is paid in Bitcoin.  In attacks carried out by the gang behind Ragnar Locker, the operators break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manuall

The past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, corresponded with an observed decrease in Ryuk deployments. This suggested that Conti is the "successor" of Ryuk. Some media outlets have also reported that Conti was an evolved version of Ryuk, suggesting that it evolved from the Ryuk source code. While this may have been true for very early samples, a Red Sky analysis of recent

American toy manufacturing giant Mattel this week revealed that it fell victim to a ransomware attack that impacted some of its operations.  Founded in 1945 and headquartered in El Segundo, California, Mattel is one of the largest toy sellers in terms of revenue, with its operations divided into three segments, namely North America, International, and American Girl.  Mattel sells products such as Barbie, Fisher-Price, Monster High, American Girl, Polly Pocket, and Hot Wheels in 150 countries, an

Cofense Intelligence researchers found a new version of the Hentai OniChan ransomware called "King Engine," which is being delivered in a Coronavirus-themed phishing campaign.   The new variant exfiltrates data and demands a massive ransom, significantly higher than in previously discovered Hentai OniChan campaigns.[1]  This is odd. 

According to researchers, cybercriminals used the Berserker variant of this ransomware previously in their campaign, which did not exfiltrate data and

Akamai recently published a report detailing criminal activity targeting the retail, travel, and hospitality market segments with attacks of all types and sizes between July 2018 and June 2020.  The report also includes numerous examples of criminal ads from the Dark web illustrating how they cash in on the results from successful attacks and the corresponding data theft.

So, what is credential stuffing?  Please visit and read our full report at: https://redskyalliance.org/xindustry/credential-s

The 2020 election season appears to have no end in sight.  For states not under vote-counting scrutiny, there have been many ballot measures around the country that have drawn people's attention.  One of these measures is Proposition 24 in California, known as the California Privacy Rights Act of 2020 (CPRA). The measure passed with a majority of people voting to strengthen consumer privacy rights.

The new measure will update existing conditions from the 2018 California Consumer Privacy Act (CCP

The number of attacks related to Emotet continues to spike after the dangerous botnet re-emerged over the summer with a fresh phishing and spam campaign that is primarily infecting devices with a banking Trojan, according to new research from HP-Bromium, an end-point security company.

Emotet is a malware strain and a cybercrime operation. The malware, also known as Geodo and Mealybug, was first detected in 2014 and remains active, deemed one of the most prevalent threats of 2019. First versions o

It should come as no surprise that ransomware groups that steal a company's data and then get paid a fee to delete it don't always follow through on their promise.

The number of cases where this has happened has increased, according to a report[1] published by Coveware this week and according to several incidents shared by security researchers with ZDNet over the past few months. These incidents take place only for a certain category of ransomware attacks — namely those carried out by

Activity Summary - Week Ending 6 November 2020:

  • Red Sky Alliance observed 60 unique email accounts compromised with keyloggers
  • A University of Alberta professor may be keylogged
  • Analysts identified 44,623 connections from new unique IP addresses
  • Collection identified 3,097 new IP addresses participating in various botnets
  • Ryuk evolving its encryption and evasion TTPs
  • GravityRAT
  • Eastern European cybercriminal group attacking health care services
  • FBI warns of an "imminent" increase in Ransomware a

Account takeover seeks to infiltrate an existing account and use it for the criminal's benefit.  Cyber threat actors will target any firm from any market segment, so there is no pattern to follow.  Once the criminal accesses the account, they may make unauthorized purchases and cash advances; they may also change account information so that the real owner does not receive notifications from the account.

According to a recent report, account takeover has tripled over a year-to-year comparison,

The Maze cybercrime gang, which revolutionized the ransomware business by adding an extortion element to each attack, has issued a statement saying it has hung up its spikes and will retire, at least temporarily.  Can you believe anything a ransomware group says?  Maze posted a "retirement" notice to its darknet site on Nov. 1 saying: "This project is now closed." The word "project" appears to be a reference to the ransomware gang stating in the note that its attacks were intended to teach its v

The Covid-19 pandemic has led to dangerous gray areas for employers, such as new BYOD policies, thanks to the rapid and required shift to remote working.  The work to home (WTH) phenomenon has caused numerous cyber challenges.  This creates an 'insider threat' scenario.  Yes, trusted employees working at home could become an insider threat, though most likely an unwitting one.[1]  Many company cyber security professionals are starting to seriously examine the changing nature of traditional ins

Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this weekly list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonat

They say, "Common Sense is Instinct; Enough of it - Genius."  Let us prove a path toward cyber brilliance.  Cybersecurity hygiene has never been as important as it is today.  At-home workers are now doing business remotely, putting in more hours and dealing with new situations they have never experienced.  For many, this change is both stressful and distracting.  These changes have upended the traditional workday and, in many cases, our concentration, which introduces risk.  Even the most securi

Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this weekly list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated
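A small filter of the kind the two weekly maritime posts above describe, written here as an added example and not Red Sky Alliance's own query: it pulls the MV/MT keyword and the vessel name that follows it out of email subject lines, so that a list of impersonated vessels can be produced from a mail log. The subject lines are constructed for the example; accepting the "M/V" and "M/T" spellings and assuming vessel names are written in upper case are my assumptions, and the regular expression is one way to do it rather than the original post's method.

```python
import re
from dataclasses import dataclass

# Constructed sample subject lines (not taken from the original page). They mix
# genuine vessel-name lures with look-alike strings ("MTV", "Removed") that a
# naive substring match for "MV"/"MT" would flag.
SAMPLE_SUBJECTS = [
    "RE: MV OCEAN PRIDE - Port Agency Appointment / PDA",
    "Fwd: M/T SEA LILY revised stowage plan",
    "Invoice for MT GOLDEN HORIZON bunker supply",
    "Your MTV subscription has been renewed",
    "Removed items from shared drive",
    "Quarterly HR newsletter",
    "MV - urgent",  # keyword present but no vessel name follows it
]

# Assumption: the keyword appears as a whole token ("MV", "M/V", "MT", "M/T")
# and is followed by an upper-case vessel name of one or more words.
# The \b boundaries stop "MTV" and "Removed" from matching, and the required
# name group stops the bare "MV -" subject from producing an empty hit.
VESSEL_LURE = re.compile(
    r"\b(?P<kind>M/?[VT])\s+(?P<name>[A-Z][A-Z0-9'.-]*(?:\s+[A-Z][A-Z0-9'.-]*)*)"
)


@dataclass(frozen=True)
class VesselHit:
    subject: str
    kind: str   # "MV" or "MT" after normalising "M/V" -> "MV", "M/T" -> "MT"
    name: str


def find_vessel_lures(subjects):
    """Return one VesselHit per subject line that carries an MV/MT vessel lure."""
    hits = []
    for subject in subjects:
        m = VESSEL_LURE.search(subject)
        if not m:
            continue
        kind = m.group("kind").replace("/", "")
        hits.append(VesselHit(subject=subject, kind=kind, name=m.group("name").strip()))
    return hits


def weekly_vessel_list(subjects):
    """Distinct (kind, name) pairs, sorted, in the shape of a weekly report table."""
    return sorted({(h.kind, h.name) for h in find_vessel_lures(subjects)})


if __name__ == "__main__":
    for kind, name in weekly_vessel_list(SAMPLE_SUBJECTS):
        print(f"{kind} {name}")
```

The match is deliberately case-sensitive: lowering the case would let ordinary words such as "mt." or a shell "mv" slip through the keyword check, and vessel names in port-agency and chartering correspondence are conventionally written in capitals. Feed it the Subject header of quarantined mail rather than the body, which is what the weekly query above keys on.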

US authorities are sharing a quick reference on Ransomware.  "Ransomware is a type of malicious software cyber actors use to deny access to systems or data.  The malicious cyber actor holds systems or data hostage until the ransom is paid.  After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems.  If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. L

Link to full report: Ransomware_Exec

Activity Summary - Week Ending 30 October 2020:

  • Red Sky Alliance identified 42,687 connections from new unique IP addresses
  • 79 unique email accounts compromised with Keyloggers
  • Analysts identified 3,334 new IP addresses participating in various Botnets
  • Vulnerabilities in Multiple Adobe Products
  • Eval-stdin.PHP.Remote.Code.Execution
  • Spoofing US Census Bureau
  • Hungarian Financial Institutions hit with DDoS attack
  • Bots and Covid Loan Applications
  • Robinhood Markets Inc.
  • Hackers and ‘Social Bandits’
  • T

There is no shortage of places within the Internet's dark market where stolen credit and debit card information is sold.  Most of them, truth be told, are criminal chancers trading in recycled data from old breaches; bargains are to be had for fraudsters willing to take a gamble that some of the bundle of payment cards they have bought will actually be usable.  Not only is it the biggest, but Joker's Stash, which was established in 2014, prides itself on traders selling the "freshest" of paymen

Red Sky Alliance analysts detected Fancy Bear impersonators targeting a US county election information website. Their DDoS ransom note claims they will take the site down one day before the election if not paid in Bitcoin. This year we see an uptick of similar impersonation emails claiming to be from Fancy Bear, Lazarus Group, or Armada Collective hackers.

Details: Florida Vote Case

Election support infrastructure being vulnerable to ransomware attacks is widely discussed.  But sites going dow