
Activity Summary - Week Ending on 17 June 2022:

  • Red Sky Alliance identified 39,997 connections from new IPs checking in with our Sinkholes
  • Amazon in Portland OR 35 x
  • Analysts identified 1,669 new IP addresses participating in various Botnets
  • Yashma Ransomware, GoodWill Ransomware and Horsemagyar Ransomware
  • Grandoreiro Malware
  • Moses Staff
  • Summer Vacation
  • Async RAT
  • Netwire RAT
  • Colombian Military members
  • Quasar RAT

Link to full report:  IR-22-168-002_weekly168.pdf

Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

Data cloud company Snowflake (NYSE: SNOW) is the latest enterprise technology firm looking to help fuel the massive data lakes that power enterprise security programs.  Snowflake recently launched a new Cybersecurity workload that helps cybersecurity teams better protect their enterprises using its platform and an extensive ecosystem of partners delivering security capabilities through connected applications; with it, cybersecurity teams can quickly gain visibility and automation at cloud scale.[1]

“With

Recently, a researcher has shown how a simple key card feature introduced by Tesla last year could be abused to add an unauthorized key that allows an attacker to open and start a vehicle.  The research was conducted by an Austria-based member of the Trifinite research group, which focuses on Bluetooth security.  Https://trifinite.ord

The Trifinite Group was founded in August 2004 and it is a loosely coupled group of computer experts that focuses on researching wireless communications and rel

Cyber threat researchers have identified some of the most prolific mobile banking Trojans that have targeted 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.  Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official

The US State Department said the Conti strain of ransomware was the most costly in terms of payments made by victims as of January 2022.  Conti, a Ransomware-as-a-Service (RaaS) program, is one of the most notorious ransomware groups and has been responsible for infecting hundreds of servers with malware to steal corporate data or digitally damage systems, essentially spreading misery to individuals and hospitals, businesses, government agencies and more all over the world.

See:  https://redskyallian

A joint publication coauthored by the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) was released on 7 June 2022 about the People’s Republic of China State-Sponsored activities.

State-Sponsored actors have been exploiting Common Vulnerabilities and Exposures (CVEs) that are related to network devices.  The vulnerabilities that these actors are exploiting are documented, and should be patched immediately if they

Cl0p ransomware began as a part of the Cryptomix family and was first seen in the wild in 2019 operating as a Ransomware-as-a-Service (RaaS) platform.  The group has targeted international organizations including companies in the pharmaceutical, education, technology, and industrial verticals.

The Cl0p ransomware group had a quiet end to 2021 after being shut down following Operation Cyclone, a joint law enforcement operation involving Interpol, Europol, Ukrainian Law enforcement, United Stat

Network credentials and virtual private network (VPN) access for colleges and universities based in the US are being advertised for sale on underground and public criminal marketplaces. "This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber-attacks against individual users or affiliated organizations," the US Federal Bureau of Investigation (FBI) said in an advisory published last week.  See:  https://www.ic3.gov

Activity Summary - Week Ending on 3 June 2022:

  • Red Sky Alliance identified 43,371 connections from new IPs checking in with our Sinkholes
  • Microsoft in Iowa hit 154 x
  • Analysts identified 1,186 new IP addresses participating in various Botnets
  • FluBot in the Top 5 Malware
  • ArguePatch Variant
  • Twisted Panda
  • 1AveMariaRAT
  • SideWinder, aka: Rattlesnake
  • Karakurt
  • Vulnerabilities in Smartphone Chips
  • OneDrive Attacks

Link to full report: IR-22-154-001_weekly154.pdf

Costa Rica is still reeling from the ransomware attacks deployed by the Conti group, and now the Hive ransomware group has joined in.  According to Bleeping Computer, the Hive ransomware group is behind the attack beginning 31 March 2022 targeting Costa Rica’s public health service.

The Costa Rican government agency has publicly stated that an attack took place early Tuesday morning.  The targeted government entities included the Costa Rican Social Security Fund (CCSS).  The government also st

The recent BillQuick attack was an important reminder of the dangers of SQL injection.  Malicious hackers discovered a SQL injection flaw in BillQuick software used by over 400,00 organizations and used it to deploy ransomware across customer networks.  Below are lessons learned from Gilad David Maayan, along with measures to protect your organization from SQL injection.

So, what is SQL injection?  SQL injection (SQLi) techniques are one of the primary focuses of database security initiatives.

Both public and private maritime industries within the entire transportation supply chain are finally getting up to speed with cyber security.  The Port of Long Beach in California is poised to build its “Supply Chain Information Highway” digital infrastructure on the Amazon Web Services platform, following a new agreement with the online retail giant.

This “Information Highway” is being created to aggregate data collected at the port on a single platform for access by companies across different

The Conti Ransomware group has been in and out of the news for the majority of 2022.  It began the year with an attack on Kenyon Produce (KP) Snacks and otherwise conducted business as usual.  When the conflict between Russia and Ukraine boiled over, the group again made headlines for taking the side of Russia.  This led to widespread dissemination of the group's internal chat messages and eventually leaks of the ransomware source code.

The group remains in the spotlight with news of an ongoing confl

A new cryptographic era is beginning in which quantum computing will be able to break the encryption that underpins our entire digital society; this warning comes from Ms. Anne Dames, distinguished engineer at IBM.[1]  Speaking at an IBM press tour in Poughkeepsie, New York, Dames told journalists that “there’s a lot to be concerned about” when it comes to the potential threat of quantum attacks.  “We believe there will be a time when quantum computers can break the cryptographic protec

Activity Summary - Week Ending on 27 May 2022:

  • Red Sky Alliance identified 39,820 connections from new IPs checking in with our Sinkholes
  • “Comment dire aide”
  • Analysts identified 1,254 new IP addresses participating in various Botnets
  • Sality remains our top Malware Variant
  • Conti’s last Stand in Costa Rica
  • Onyx Ransomware
  • ZxxZ and Bitter
  • Ransom DDoS Attacks
  • Zola Ripped Off
  • Battelle for Kids

Link to full report: IR-22-147-001_weekly147.pdf

Seems Twitter is having many serious issues of late.  A few months ago, Elon Musk started a whirlwind inside and outside the social media giant.  Now regulators at the US Federal Trade Commission (FTC) issued regulatory action against Twitter.  Twitter has agreed to pay $150 million for violating a 2011 administrative order with the FTC over how it used the email addresses and phone numbers of its users for targeted advertising, the agency announced with the US Department of Justice (DOJ) on May

Malware has become an industry segment, and professional developers are found to exchange and steal each other’s code and to engage in collaborations. Attacks are multi-layer, with diverse sophisticated software apps taking over different jobs along the attack chain from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service, such as Malware as a Service (MaaS), including customer support and subscript

Credit card skimming is when someone uses an illegal device to collect the information from the magnetic stripe on your ATM, debit, or credit card. Once the individual has this information, they can copy it over to another card and use it to withdraw cash or make purchases in your name. Considering the potential financial turmoil, it's vital to do everything possible to keep your credit card data safe.

With card skimming, the thief uses a camouflaged counterfeit card reader to record all of the