Mirai is a self-propagating malware that infects networked devices and turns them into remotely controlled bots. Targets include devices in the Internet of Things (IoT) such as IP cameras and home routers and access is achieved with either software exploits or via authentication with factory default credentials. Mirai is frequently updated to include new exploits making it difficult to mitigate.
This report provides cluster trending on infrastructure over the past several weeks from this repor
On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field accounts@hhhmarine.com.sg. Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).
Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.
The attackers use the popular malware Lokibot. Wapack Labs detected communications of these samples to known and new Lokibot C2s:
On 1 May 2019, Russian President Vladimir Putin signed “Internet sovereignty” bill. New requirements to use ISPs to track traffic origin will likely force traffic decryption and support of internal censorship efforts. In the future, Russia will develop its own DNS system to conduct special Internet controls. Currently, LinkedIn is banned in Russia. Russian national payment system, Mir, was developed after several Russian banks were denied services by US-based Visa and MasterCard. Future st
Research Overview
Background: The detonation of a nuclear weapon at high altitude or in space (~30 km or more above the earth’s surface) can generate an intense electromagnetic pulse (EMP) referred to as a high-altitude EMP or HEMP. HEMP can propagate to the earth and impact various ground-based technological systems such as the electric power grid. Depending on the height of the explosion above the earth’s surface and the yield of the weapon, the resulting HEMP can be characterized by three haz
The People’s Republic of China has claimed the whole of the South China Sea as its sovereign territory ever since coming to power in 1949. However, several other countries have historical claims over some of the islands, and the Law of the Sea Treaty gives several of these countries rights to economic zones that overlap with Chinese claims. This has led to conflict between China and the United States, which supports the claims of its allies to parts of the South China Sea under international l
In April 2019, Krebs reported that Wipro, an Indian IT outsourcing company, was the victim a successful cyber attack by suspected state-sponsored actors. The actors leveraged ScreenConnect, a remote administration tool, to gain access to various Wipro systems which were then used as launching points for additional attacks against Wipro’s customers. The follow-on attacks consisted of a phishing campaign capturing data as part of gift card fraud operation.
Additional open sources reported this at
In February 2019, conflict between India and Pakistan over the disputed territory of Kashmir escalated into the worst violence there is decades. An Islamic extremist suicide bomber with a vehicle packed with explosives attacked an Indian police convoy in Kashmir, killing 40. This provoked a military response by India, with Indian Air Force fighter jets carrying out a bombing raid into Pakistan proper for the first time since 1971. India claimed they were attacking a terrorist camp, but no inj
Wapack Labs observed malicious email trending on CTAC which detected an uptick in Darwish Trading Company (DTC) spoofing. Hackers pretend to be from this Qatari company as it has a wide range of business activities to include servicing the oil and gas sector. During 29 March 2019 – 3 April 2019, these samples were seen delivering Lokibot and PonyLoader malware.
Details
Figure 1. Malicious .doc attachment in an email spoofing Darwish Trading Company
The Darwish Trading Company (DTC) has a w
China’s need for energy has skyrocketed over the last 20 years as the country has gotten richer and the middle class—now 400 million—has grown into a significant segment of the population. Energy demands are not being met by domestic production, so China is now a net importer of oil, natural gas, and coal.
China’s energy source mix has traditionally been dominated by coal, but the share of energy produced by coal is dropping. China is highly dependent on imported oil, which makes up about 68 p
Summary
Hackers are using “SWIFT monetary transfer” themed files to lure users into opening them. These files have been identified malicious. Wapack Labs studied a sample group of SWIFT-themed malicious files during a 30 days period in February-March 2019. Nearly half are classified as Lokibot, and 12 percent were detected exploiting CVE-2017-11882 "Microsoft Office Memory Corruption Vulnerability." Most of the samples were submitted from either Ukraine, the Czech Republic or the US. In seve
Summary
Wapack Labs reports on the use of vessel names as lures in malicious emails. Using the names of Motor Vessel (MV), or Merchant/Motor Tanker (MT) in the subject line, is a social engineering tactic used by attackers when sending malicious emails to companies related to the shipping industry. Successful infiltrations into transportation related networks can result in the theft of valuable financial information or corrupt a system with damaging results. This report provides details about
Summary
Shared through the Multi-State (MS)-ISAC: A vulnerability have been discovered in Google Chrome, which could result in arbitrary code execution. Google Chrome is a web browser used to access the Internet. This vulnerability can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with this ap
Huawei Technologies and its 5G network construction work around the world have created concern in many quarters. The chief cause for this con cern is the perception that Huawei networks have a unique potential for exploitation by Chinese intelligence services.
A Wapack Labs review to determine the scale of this problem showed that Huawei is in fact involved in 5G infrastructure development in many countries. Germany, Ireland, Switzerland, and Canada have been using Huawei equipment to set u
Summary
APT-C-36 or Blind Eagle (BE) is an APT group that is believed to originate from South America. BE has been carrying out attacks against Colombian government institutions, to include the financial sector, petroleum industry and professional manufacturing. BE has been active since April 2018. Affected targets include Ecopetrol (Colombian Oil Company), Banco Agrario (State Financial Institution) and IMSA (Colombian Wheel Manufacturer). It is possible BE is involved in recent geopolitica
