All Articles (2531)

A ransomware vaccine, called "Raccine," was released as an open source tool by Nextron Systems on 3 October 2020.  Raccine prevents ransomware from abusing vssadmin.exe, a Windows utility that manages shadow copies of a Windows system's data.  Threat actors can take advantage of vssadmin.exe to delete shadow volumes in Windows so that ransomware victims cannot restore their data from local backups.

"We see ransomware delete all shadow copies using vssadmin pretty often," post in the GitHub tex


The US Federal Bureau of Investigation (FBI) is warning organizations in the financial sector about an increase in botnet-launched credential stuffing attacks.  Many of these attacks, which target APIs, are being fed by billions of stolen credentials leaked over the last several years. 

Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized acces

Our friends from the US Department of Homeland Security have provided an open source Threat Assessment for October 2020 - which is Cyber Security Awareness Month.  The following is the Cyber Threat Assessment Section.

Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyber-attacks. Federal, state, local, tribal and territorial governments, as well as the private sector, w

Throughout the USA, State and County election computer networks are still vulnerable to cyber-attacks, and Election Day is only 29 days away.  In a little-noticed episode in 2016, an unusual number of voters in Riverside, California, complained that they were turned away at the polls during the primary because their voter registration information had been changed.

The Riverside County district attorney, Mike Hestrin, investigated and determined that the voter records of dozens of people had been tampe

Cyber security researchers are warning about a recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months.  Similarities to the Sekhmet crypto-locking malware have been noted.

True to other ransomware hackers, the bad actors behind the Egregor ransomware are threatening to leak victims' data if the ransom demands are not met within three days.  The cybercriminals linked to Egregor are also mimicking Maze tactics

The popularity of ransomware threats does not seem to be decreasing. Instead, more, and more sophisticated, ransomware threats are being deployed. Ragnar Locker is a new data encryption malware in this style.

The actors behind Ragnar Locker partnered with the Maze ransomware gang as a means of extorting victims whose unencrypted data they had stolen.  This continued cooperation between ransomware gangs is a dangerous development.  The sharing of advice, tactics and a centralized data leak platform bet

Cyber threat researchers have examined security incidents over the past several years that appear to connect North Korea's Lazarus Group with Russian-speaking attackers.  A recent analysis has examined reports from years of security incidents to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.

In a summary of his findings, Mark Arena, CEO of security firm Intel 471, holds two generally accepted assumptions: that Lazarus Group is tied to

Activity Summary - Week Ending 2 October 2020:

  • Red Sky Alliance identified 43,777 connections from new unique IP addresses
  • Fairdeal Furniture LTD in Kenya is still Keylogged
  • Analysts identified 2,258 new IP addresses participating in various Botnets
  • Fancy Bear and the Zebrocy Malware
  • Ransomware hitting Virtual Machine Techniques
  • FinSpy and Egypt
  • Cyber Attacks on Oil and Gas, UP
  • Oil Prices steady around $40.00 a Barrel
  • Kurdistan Region of Iraq complying with OPEC
  • Libya continues with its Oil Rec

Our friends at the US Department of Homeland Security (DHS), Cyber Security and Infrastructure Agency (CISA) shared the following good practices:

DRIVE CYBERSECURITY STRATEGY, INVESTMENT, CULTURE  [Link to DHS CISA report with helpful active links: 20-02019b - Telework_Essentials-08272020-508.pdf]

After rapidly adopting wide-scale remote work practices in response to COVID-19, organizations have started planning for more permanent and strategic teleworking postures. An organization’s executive leade

French container shipping company CMA CGM was hit by a major cyber-attack on 27 September 2020, which disrupted its daily operations.  According to Lloyd’s of London Intelligence sources, several of the company’s Chinese offices were affected by Ragnar Locker ransomware.  CMA CGM initially claimed that their booking system was disabled by an internal IT issue, but later confirmed “external access to CMA CGM IT applications are currently unavailable” after the ransomware attack.

CMA CGM is worki

Last week, the US Department of Justice (DOJ) indicted three Iranian hackers for their role in a campaign intended to steal critical data related to US aerospace and satellite technology and resources.  Said Pourkarim Arabi, 34; Mohammad Reza Espargham, 25; and Mohammad Bayati, 34; are all residents and nationals of Iran and allegedly participated in a coordinated campaign of identity theft and hacking on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC), a designated foreign terrorist

A recent CrowdStrike study of cyber threat activity shows more intrusion attempts in the first six months of this year than in all of 2019.  The pandemic-related shift to remote work and the growing availability of Ransomware-as-a-Service (RaaS) were two major drivers.  Red Sky Alliance has reported on many of these ransomware groups and actors in detail in 2020.  These reports can be found at no charge at https://redskyalliance.org.

The security vendor's threat-hunting team blocked

A new cybercriminal group called OldGremlin has been targeting Russian companies including banks, industrial enterprises and medical firms with ransomware attacks.

Researchers have said that OldGremlin’s first activities began between late March and early April 2020.  The group took advantage of the COVID-19 pandemic in early lures (a common theme for ransomware strains during this time period), sending financial institutions purported recommendations on how to organize a safe working environment

Artem Lifshits is allegedly a part of Project Lakhta/IRA: the ongoing disinformation campaign targeting the upcoming US election.  Lifshits is facing US criminal charges for wire fraud, as he was accessing cryptocurrency exchange accounts created using stolen US persons’ personal data.

Artem Lifshits Profile

Name: Artem Mikhaylovich Lifshits, Artem Lifshits, Artyom Lifshits.

Name in Russian: Лифшиц Артем Михайлович, Артем Михайлович Лифшиц, Артем Ли

Activity Summary - Week Ending 25 September 2020:

  • Analysts identified 3,021 new IP addresses participating in various Botnets
  • Red Sky Alliance observed 56 unique email accounts compromised with Keyloggers
  • RSAC identified 46,283 connections from new unique IP addresses
  • Winnti Group and the Shadowpad Backdoor
  • Baka JavaScript Skimmer Stealing Credit Card Data
  • Zap Energy – Zapped
  • OIL / GAS vs. Renewable Energy
  • $40.00 a Barrel, Stagnant + -
  • Libya pumping Oil
  • ReconAfrica targeted by Environmentalists

The current US administration is signaling it will be updating the US government’s approach to its maritime cybersecurity strategy.  Cyber security priorities are being discussed to enhance and secure the US’ ability to ‘project power at sea and defend against adversarial cyberattacks.’  The plan involves a re-examination of the national approach to information sharing and better emphasizing the use of operational technologies in ports.

Hackers at all tier levels have long targeted shipping fir

A group of researchers has detailed a new timing vulnerability in the Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions.  Dubbed "Raccoon Attack," the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

"The root cause for this side-channel is that the TLS st

The back-to-school season has already been stressful for schools and families. Now a spate of ransomware attacks targeting K-12 schools has made it even more challenging.  In May 2020, the FBI warned schools about the increasing risk of ransomware attacks during the pandemic. The agency warned that cyber actors would likely increase targeting of K-12 schools as an "opportunistic target" as more institutions shift from in-person learning to online classes and teachers and staff rely on remote ac

Activity Summary - Week Ending 18 September 2020:

  • Red Sky Alliance identified 45,527 connections from new unique IP addresses
  • IP: 149[.]202[.]67[.]223 – French company, Roubaix Ovh Sas is compromised for the 2nd week
  • Analysts identified 4,362 new IP addresses participating in various Botnets
  • Multiplatform RaaS SMAUG
  • Shlayer Adware Targets OSX
  • Crude prices Rose at the end of this Week
  • Australian and US Pii leaked by CN Company
  • Colombian Ecopetro drilling in the US Permian Basin, but has some Cyb

Cyberattacks on small to medium-sized businesses (SMBs) are continuing at a relentless pace in 2020, with most data breaches coming from outside the organization.  Cyber-attacks are up an average of 75% since the Corona pandemic.  Cybersecurity analysts believe hackers are specifically targeting these smaller firms because they know SMBs lack adequate resources and enterprise-grade security tools, making them easier prey than larger businesses.

A new report from Cisco counters this misconception.