X-Industry

The Zeus Sphinx banking trojan is back after being off the scene for nearly three years. According to cyber researchers at IBM X-Force, Sphinx (a.k.a. Zloader or Terdot) began resurfacing in December 2019. However, the researchers observed a significant increase in victims in March 2020, as Sphinx's operators looked to take advantage of the interest and news of the government relief payments for businesses and individuals. 

First seen in August 2015, Sphinx is a modular malware based on the leak

US Tax Day has come and gone.  Due to the COVID-19 pandemic, the US has delayed the filing deadline to July 15^th.  That is great news for many, AND additionally many taxpayers will be eligible for the US New Economic Stimulus program.  The Internal Revenue Service (IRS) is now issuing warnings to alert the US public about a flood in Corona Virus-related scams over email, phone calls, or social media requesting personal identifying information (pii) while using the pandemic economic impact paymen

Even the largest companies can become victims of ransomware attacks by targeting supply chain members. A third-party ransomware attack has documents from Boeing, Lockheed Martin, SpaceX, and Tesla published for the world to see. These "high end" ransomware demands are now being called "nuclear" ransomware.  

The attack hit Visser, a manufacturing and design contractor for several prominent aerospace and defense companies. Here is how things unfolded, according to The Register: "The data was pilf

A new NATO report exposes Chinese government leaders plan to push through standardization of a new Internet architecture which will broaden the threat landscape, destabilize security and privacy, and fragment the world wide web. First proposed at the United Nations International Telecommunication Union (ITU) conference in September 2019, the plans call for a replacement to the current TCP/IP model, dubbed “New IP.”  China is being led by Huawei, its state-run communications company, and the comm

Google and Apple are working together. Yes, you heard that correctly. Two of the largest tech giants (and competitors) in the world are working together to prevent the spread of COVID-19.  Google and Apple are working in a joint endeavor to provide new API and functionalities in their mobile operating systems which help application developers create contact-tracing applications which can be used to mitigate the spread of the CoronaVirus.  In May2020, both companies will release APIs that enable

New car showrooms are closed.  Inventory is backing up.  Auto dealers are cash strapped and ready to negotiate a good deal, almost any deal.  So, if a person in the market for a new car, in good health and has a solid job (even with the various state “lock downs”), the timing is very good to buy a new car.  Car shopping will currently be electronic, but salespersons are willing to sell cars and reduce their inventories.  If you are a savvy online shopper and ready to negotiate a price by email o

Activity Summary - Week Ending 10 April 2020:

• Red Sky Alliance identified 52,538 connections from new unique IP addresses
• Who’s Faru Potter? Well, he’s pwned
• APT32, Bitter APT and Kimsuky group taking advantage of the COVID-19 pandemic
• "New" Crown Pneumonia Ransomware, dusted off and Operable
• Firefox Browser Zero-Day Vulnerabilities - Extended Support Release 68.6.1 – fix ASAP
• 3M on hackers Radar Screen, Again
• Brent crude up to $33.38
• Iraq losing Oil Revenues
• The Saudis are sending Oil to US to

The cybercrime environment is evolving as cyber threat actors improve their attack planning, build new malware and sneaky methods to take advantage of both business and consumer’s on-line behavior. Cybercrimes via social media are not new but now have catapulted into a severe problem with the CoronaVirus. Mobile users are more at risk to criminal schemes as popular on-line banking, and merchant services are available as mobile applications.

Besides social engineering techniques, cybercriminals a

Our Friends at the FBI issued a cyber bulletin on 04 01 2020.  This was no April Fool's Joke, but a serious cyber warning on the Sodinokibi Ransomware (pic: tgsoft.it), also known as REvil, Bluebackground, or Sodin.  Red Sky Alliance / Wapack Labs was already researching this ransomware.  Last week, Jesse Burke our Chief of Special Operations, provided a brief on Sodinokibi Ransomware.  Look to your right (Did you miss the March Cyber Intelligence Briefing (CIB). Topics: Coronavirus Lures and Bu

As information security professionals with over 20+ years in the business, we now see that if a bad actor wants to successfully scam someone online, all these hackers need is to have a basic level of software or networking skills.  Everyone now has the tools to enter this lucrative business; albeit in many cases: very illegal.  Malicious “phishers” of the past used poor graphics, poor grammar, misspellings and showed signs that English was not their first language.  Most often, businesspeople we

We all need some good news on the “new” COVID-19 Cyber Front.  The FBI has delivered the good news this past week.  During these first weeks of the “New Normal” during the worldwide Corona Virus pandemic, more and more employees are working from home with limited cyber threat protections or training.  Taking down a Crime as a Service (CaaS) web store off the Internet is fantastic news.  This past week, the FBI seized the domain of Deer.io, which federal prosecutors say served as a clearinghouse

Cyber threat analysts recently uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components.  TrickBot is a module-based malware that, while first identified as a banking trojan, has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps.  The malware has also evolved to send sp

Ransomware actors have been preying on small governments, because it is an easy payday.  Small governments have limited cyber threat resources and the demand of their citizens to bring back vital services (immediately).  City leaders want to get their services back in operation and running quickly, as voters have long memories.  Because it is cheaper than going completely offline, city and county governments often pay the ransom, especially if insurance companies pay the demanded amount or honor

During these current and uncertain times, who can you trust for updated, reliable and virus free information on the Coronavirus?  A safe reliable source is InfraGard.  InfraGard National is an FBI-affiliated nonprofit organization dedicated to strengthening national security, community resilience and the foundation of American life.  InfraGard is one of the FBI’s longest-running outreach programs and its largest public/private partnership, with over 60,000 members representing 77 InfraGard chapt

The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware on 07 March 2020.  Local media reports that the city fell victim to a phishing attack that ultimately led to the deployment of the Ryuk Ransomware on their systems.  Ryuk was developed by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once deployed, Ryuk can spread across network servers through file shares to individual compu

Later yesterday, the US based InfraGard National https://www.infragard.org/ provided a very valuable link to a Northeastern University site that provides COVID-19 information and prevention on-line training.  Much of this information is provided through the support of John Hopkins University, Center for Disease Control and the World Health Organization.  We here at Red Sky Alliance would like to provide this very valuable reliable reference source; as “Knowledge is Power.”   Having the proper pr

Two week ago, T-Mobile announced it experienced a data breach which was caused by an email vendor being hacked and exposed the personal and financial information for some of its customers.

In early February 2020, our Red Sky Alliance RedXray service, which is cyber threat notification service that simplifies monitoring for organizations and supply chains, provided our collection and analysis to T-Mobile, regarding our discovered cyber threats (knowns as “hits”) in our proprietary collections....

Summary

The IoTReaper, a.k.a. IoTroop, botnet was discovered in 2017, and remains a significant threat to the cyber domain. Check Point Research completed a thorough investigation of the malware when it was discovered in 2017, but researchers have still seen no sign that the botnet has been activated to conduct a significant DDoS attack, similar to that seen against Dyn in 2016. In 2016, a DDos coming from the Mirai botnet triggered a shutdown of services across the country and analysts believe

Summary

This document summarizes threats reported by Red Sky Alliance’ RedXRay for one of the largest shipping/transportation companies in the world.  Analysts observed hits in most collections.  The name of the company will be redacted for this report, and the company will be referred to as “Shipping Co.”  Recent international events have caused a significantly higher risk for all industries but especially an industry in charge of transporting important commodities around the globe.  With many

A new ransomware strain called PXJ ransomware (also known as XVFXGW ransomware) was first discovered in late February 2020.[1]  Half of the known samples were uploaded from Korea, and it uses a Korean website for a C2, showing predominantly Asian targeting.

Details

The earliest PXJ ransomware sample is from 24 February 2020.  It received its name for the .pxj extension that it adds to the files it encrypts.  Its alternative name, XVFXGW, refers to the strings in two contact emails (xvfxgw3929@pr