X-Industry

Our friends at several cyber media outlets are reporting that the operators behind the REvil ransomware-as-a-service (RaaS) is back.  In a surprise return, REvil reappeared after a two-month break following the widely publicized attack on technology services provider Kaseya on 4 July 2021.  In fact, Red Sky Alliance analysts observed its return this past week.

Two of the dark web portals, including the gang's Happy Blog data leak site and its payment/negotiation site, have reappeared online, wit

Activity Summary - Week Ending 10 September 2021:

• Red Sky Alliance identified 47,398 connections from new unique IP addresses- Sinkholes
• Analysts identified 1,034 new IP addresses participating in various Botnets
• 4 unique email accounts compromised with Keyloggers were used to log into Personal Accounts
• Sality Malware Variant seen 42252 times this past week
• Hive Ransomware Alert
• STRRAT RAT
• FIN7 again
• Microsoft and $20 billion in Cyber Security
• South Korea and TrickBot Arrest
• To SOAR, or to SIEM

Did you ever wonder how a can of green beans gets to the shelf of your supermarket?  Well, from planting the seeds, harvesting the crop, canning the beans, and pushing them to market – is all called the ‘Food Supply Chain.’  Now cyber-attackers are targeting our food supply chain and the Jolly Green Giant ain’t so happy.

The US Federal Bureau of Investigation (FBI) has issued a new alert on 06 September 2021 warning companies in the food and agricultural sector that they are increasingly at risk

A new twist on an old con; remember the Nigerian Princes who wanted to share their fortune with you - if only you would only send them your bank account number?  A Nigerian threat actor has been observed attempting to recruit employees by offering them to pay $1 million in Bitcoins to deploy Black Kingdom ransomware on companies' networks as part of an insider threat scheme.

"The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then the

Valyria malware is a trojan distributed by phishing email attacks seemingly targeting business emails, commonly using the words “Invoice,” “Order,” or “Report” in the subject line. 

Among these emails, there is a strong resurgence of tactics, techniques, and procedures (TTP’s) previously known to be employed by the Gorgon Group with the MasterMana Botnet.

Link to full technical report: TIR-21-224-001_Val.pdf

Security professionals have long wrestled with properly identifying rogue employees bent on crippling a company.  This was once evident in identifying stolen proprietary or classified paper documents for personal or professional gains – or some were just plain focused on outright revenge and destruction.  Now ‘everything’ is cyber related, yes everything, and thus cyber security meets with physical security, human resources (HR) and company management teams.  This lateral cooperation is a must i

Ransomware-as-a-Service Operations Seek Affiliates for Extorting New Victims.  After a number of high-profile hits during 2021, some of the largest and most notorious ransomware operations disappeared. Beginning in May 2021, ransomware attacks by Russian-language groups Conti against Ireland's health service, DarkSide against U.S.-based Colonial Pipeline, and REvil against meat processing giant JBS and remote management software firm Kaseya led the Biden administration to try to better disrupt t

Lloyd’s of London, for centuries the world’s dominant marine insurer, continues to witness sharp decline in premium volumes as lines on graph now cross with Asian economic giant.[1]  China is now the world’s second-largest provider of hull insurance, after overtaking Lloyd’s on market share, the International Union of Marine Insurance (IUMI) has confirmed.

China, which has seen its slice of the pie grow slowly but steadily in recent years, recorded a 12.4% share of 2020 global aggregate hull pre

The US Securities and Exchange Commission (SEC) sanctioned eight financial firms for alleged failures related to cybersecurity policies and procedures, each stemming from email account takeovers and related incident response, the regulator announced on 01 September 2021.[1]

The sanctioned firms did not admit or deny the commission's findings, but "agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty," according to the SEC. Cumulative fi

Activity Summary - Week Ending 3 September 2021:
✓ Red Sky Alliance identified 31,051 connections from new unique IP addresses
✓ 6 unique email accounts Compromised with Keyloggers were observed this Week
✓ Analysts identified 134 new IP addresses participating in various Botnets
✓ PrintNightmare & Magniber
✓ Vulnerable Microsoft Exchange Servers
✓ SparklingGoblin
✓ FIN8 / Sardonic and the Financial Sector
✓ Transportation / Bangkok Airways
✓ Biometric Data / Afghanistan
✓ US Labor Day Warning
✓ The Best C

The current US administration unveiled a new package of supply chain and critical infrastructure security initiatives on 25 August 2021.  This following a meeting at the White House with about 25 tech, banking, insurance, and infrastructure executives.   Little did the group know that an inexpensive solution has been available for 3 years:  Wapack Labs LLC - Introduces RedXray: Wapack Labs

The initiatives feature a pledge by several companies, including tech giants Microsoft, Google and IBM and

New vulnerabilities have been discovered in Fortress S03 Wi-Fi Home Security System that could be potentially abused by a malicious party to gain unauthorized access with an aim to alter system behavior, including disarming the devices without the victim's knowledge.  The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the

US Government Cyber Warning Summary:

Immediate Actions You Can Take Now to Protect Against Ransomware

• Make an offline backup of your data.
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Update your OS and software.
• Use strong passwords.
• Use multi-factor authentication.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on US holidays and we

Red Sky Alliance wanted to share this important article from Technology Review and MIT.  As the Taliban swept through Afghanistan in mid-August, declaring the end of two decades of war, reports quickly circulated that they had also captured US military biometric devices used to collect data such as iris scans, fingerprints, and facial images.  Some feared that the machines, known as HIIDE, could be used to help identify Afghans who had supported coalition forces.[1]  

According to experts speaki

A threat actor is selling what they claim to be 30 million T-Mobile customers’ Social Security and driver license numbers on an underground web forum.  The collection is a subset of the purported 100 million records contained in stolen databases.  The seller’s offer does not mention T-Mobile.  The seller told Motherboard and BleepingComputer publications that the source is in fact the T-Mobile servers.  Specifically, they claim to have penetrated T-Mobile’s production, staging, and development s

Activity Summary - Week Ending 27 August 2021:

• Red Sky Alliance identified 34,340 connections from new unique IP addresses
• Analysts have observed 22 unique email accounts compromised with Keyloggers
• Researchers identified 1,744 new IP addresses participating in various Botnets
• DigitalOcean has a compromised IP
• Grief Ransomware
• IISerpent Malware
• “Tricky” TrickBot
• T-Mobile’s 5 Million Customers
• US State Department hit
• The Electric Grid and Zero Trust
• India’s Election Fraud
• Indiana’s COVID Cyber I

Ransomware actors have taken a page from the playbooks of tech support scammers of yore by guiding victims to download malware using persuasion over the phone. The technique was first spotted in February, according to Palo Alto Networks' Unit 41 research unit. But Microsoft is issuing a fresh warning about the campaigns, contending they're much more dangerous than it first realized. Microsoft calls the campaign "BazaCall."

See:  https://redskyalliance.org/xindustry/ransomware-demand-answer-line-

A new Raccoon Stealer campaign shows the evolution of this information-stealer, which has recently been distributed through a dropper campaign to steal cryptocurrencies, cookies, and other types of information on target machines.

See:  https://redskyalliance.org/xindustry/raccoon-attack-exposes-secret-key

Sophos researchers have been tracking a "particularly active" campaign by attackers using Raccoon Stealer, a widely used information stealer. While the campaign is no longer active, researchers

On 31 May 2021, a spokesperson for AllWorldCards published their first post on the cybercrime forum XSS announcing that they are open for business. Similar to the shops that have preceded them, AllWorldCards advertised shop links on deep web and Tor domains, a presence on cybercrime forums, and an accessible customer support email. Further, they have taken a cue from the major ransomware collectives, Lockbit and REvil, and sponsored an article competition on XSS dubbed “XSS Hot Summer.” The comp

Years ago, baby monitors were able to listen in on remote telephones in people’s homes.  This may still be the case, only in reverse.  Current baby monitors include interactive devises that allow parent to both listen and watch their precious little one.  They can even talk to their babies remotely.  That is very cool, but it may come with vulnerabilities.

Many variants of smart devices have been identified as being at risk from cyber intrusion.  Devices of concern include security cameras, DVRs