All Articles (2242)

Sort by

10862220462?profile=RESIZE_400xRed Sky Alliance maintains a substantial dark web collections data set and we make this data available to our customers through our CTAC, RedXray, and API products.  This gives customers the opportunity to explore and perform analyses on dark web data without the need for establishing a safe infrastructure for navigating the Tor network.  To date we have collected over 1.4 million data points across 80 dark web sites.  The set of sites that we collect from on an ongoing basis will change with ne

10861789694?profile=RESIZE_400xA Ukrainian man has been charged with computer fraud for allegedly infecting millions of computers with malware in a cybercrime operation known as "Raccoon Infostealer," the US Justice Department (DOJ) said 25 October 2022.  Mark Sokolovsky, 26, is being held in the Netherlands and the US is seeking his extradition, the DOJ said in a statement.

It said Raccoon Stealer malware was leased to cybercriminals for $200 a month, payable in cryptocurrency.  The malware was then installed on the computer

10860964468?profile=RESIZE_400xShadowPad is a modular malware platform privately shared with multiple PRC-linked threat actors since 2015.   According to SentinelOne, ShadowPad is highly likely the successor to PlugX.  Due to its prevalence in the cyber espionage field, the VMware Threat Analysis Unit (TAU) was motivated to analyze the command and control (C2) protocol to discover active ShadowPad C2s on the Internet.  C2 Protocol:  ShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS.  In this research[1]

10860429263?profile=RESIZE_400xOver two and a half years, a Russian-speaking ransomware group named OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation.  The group's victims include companies in logistics, industry, insurance, retail, real estate, software development, banking, and arms manufacturing.

OldGremlin is using custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a decr1pt) along with third-party software for reconnaissance a

10861060279?profile=RESIZE_400xThe FBI released an alert last week warning of hack-and-leak operations targeting organizations in the US and Israel by a group based in Iran.  The alert centers on Emennet Pasargad, an Iranian company US law enforcement agencies have previously spotlighted for its role in efforts to interfere with the 2020 US presidential election.  Last week, the FBI said the company, which has changed its name several times to avoid sanctions, has targeted entities in Israel since 2020 with attacks that invol

10859966875?profile=RESIZE_400xThe White House has begun its second annual International Counter Ransomware Summit in which Biden administration officials will convene with representatives of three dozen nations, the EU, and private business to discuss the growing threat posed by data-destroying cyberattacks. President Biden will not be attending the meetings.

According to administration officials previewing the summit over the weekend, the two-day event will focus on priorities like improving system resilience and developing

10859960864?profile=RESIZE_400xCyber threat actors are using a never-before-seen technique to stealthily infect victims with malware by abusing legitimate tools.  The campaign has been detailed by cybersecurity researchers  who say that the attackers can spend more than 18 months inside the networks of victims while taking steps to ensure their activity stays under the radar to avoid detection in what's thought to be an intelligence-gathering and espionage operation. 

How the attack begins is still uncertain, but victims beco

10859349472?profile=RESIZE_400xThe US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.

Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the US with ransomware based on leaked Babuk source code in September 2021, and also engaging in data theft and extortion.  It has

10859346866?profile=RESIZE_400xMost businesses are surprised by how long a single cyberattack can take to carry out, from beginning to end.  When the average dwell time of an intruder in an IT ecosystem has increased to more than 9 months; why malicious actors seem to be given the luxury of time.

To better understand how this all works, here is a brief review the five stages of a cyberattack.

  1. Getting to know the victim: Adversaries start by identifying target organizations and collecting information about them. Key focuses i

10859343060?profile=RESIZE_400xResearchers found buried deep in a 61-page recent report by the U.S. Attorney General, the Biden Administration called for a dramatic expansion in the federal government’s ability to seize and keep cryptocurrency. If enacted, the proposed changes would bolster both criminal forfeiture, which requires a conviction to permanently confiscate property, as well as civil forfeiture, which does not require a conviction or even criminal charges to be filed.  Notably, the report’s release was coupled wit

10856609287?profile=RESIZE_400xLinkedIn has become a popular destination for threat actors trying to communicate with people for a variety of purposes, such as distributing malware, cyberespionage, credential stealing, financial fraud, etc.  One common approach to using LinkedIn by cyber criminals is to approach people using fake profile claiming to be a recruiter working at technology, defense, or media companies.  The North Korean-sponsored group Lazarus often engaged in these kinds of activities in order to propagate malwa

10855623668?profile=RESIZE_400xAs a young intelligence officer, if you had told me an adversary could act anonymously and alone, easily acquire the most advanced weaponry, disrupt or take down almost any “connected” target globally, and our ability to prevent these attacks was systemically flawed – I would have been astonished.  As always, all adversaries integrate intention, capability, and opportunity.  With cyber warfare, a breadth of adversaries and individuals can bring to bear all three by continuously aiming at the U.S

10854679261?profile=RESIZE_400xOne of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan described as "significantly dangerous" and likely to be used for ransomware attacks.  The new variant of Ursnif malware, also known as Gozi, has been detailed by researchers who suggest it has been purposefully built to power ransomware and data-theft attacks by using malicious Microsoft Office documents to get into users’ computers and requires macros to be activated. 

Designed to steal ban

10854665084?profile=RESIZE_400xThe US Transportation Security Administration (TSA) have announced a new cyber-security directive regulating designated passenger and freight railroad carriers.  The announcement demonstrates the Biden Administration’s commitment to strengthen the cyber-security of US critical infrastructure.  Building on the TSA’s work to strengthen defenses in other transportation modes, this security directive will further enhance cyber-security preparedness and resilience for the nation’s railroad operations

10853901881?profile=RESIZE_400xThere have been some developments in the Ducktail phishing campaign.  To begin our report, it seems reasonable to go over a little bit of history on Ducktail for those who might be unfamiliar.  The Ducktail phishing campaign was first discovered and reported on in late July of 2022.  Researchers at the firm WithSecure are credited with the discovery of the campaign.  In terms of who is responsible, WithSecure’s report on this campaign indicated a high level of confidence in their belief that the

10853628288?profile=RESIZE_400xVice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021 that has alleged ties to Russia who attacks “With Love.”  Vice have crossed the line of what many hackers said was off limits – education and health care systems and facilities.  This past September, a ransomware attack on the Los Angeles Unified School District crippled its digital operations across their system, which includes more than 1,000 schools and serves roughly 600,000 students.  

10846789675?profile=RESIZE_400xActivity Summary - Week Ending on 21 October 2022:

  • Red Sky Alliance identified 32,517 connections from new IP’s checking in with our Sinkholes
  • NoVa hit 17x
  • Analysts identified 1,515 new IP addresses participating in various Botnets
  • “Alchimist” Attack
  • REvil
  • Good News from Brazil
  • Khan Academy
  • Vinomofo
  • Japanese Crypto Funds
  • Oh Canada

Link to full report: IR-22-295-001_weekly295.pdf

10846071263?profile=RESIZE_400xFifteen percent of car dealers have experienced a cybersecurity incident in the past year.  Of those impacted, 85% of the occurrences were due to sophisticated phishing attempts concealed as legitimate emails that resulted in data breaches, IT-related business interruptions and loss of revenue. 

The 2022 State of Cybersecurity in the Dealership report from CDK Global Inc. surveyed business and IT executives at 201 car dealerships in the United States about their current cybersecurity posture.  T

10845614100?profile=RESIZE_400x

 

Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with assoc

10845404453?profile=RESIZE_400xCyber threat investigators say do not let the ongoing "crypto winter" lull you into a false sense of cybersecurity.  The phrase “crypto winter” likely came from the hit HBO series, “Game of Thrones.”  In the series, the motto of the House of Stark was “Winter Is Coming.”  It was considered a warning that lasting conflict could descend on the land of Westeros at any time.  Similarly, an extended period of trouble may be settling over the crypto market.  During this difficult time, you must remain