All Articles (2242)

The US government is sounding the alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers. Investigators reported that a custom-made, modular ICS attack framework can be used to disrupt and/or destroy devices in industrial environments.

A joint advisory from the Department of Energy, CISA, NSA, and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider El

Activity Summary - Week Ending on 15 April 2022:
✓ Red Sky Alliance identified 5,384 connections from new IPs checking in with our Sinkholes
✓ Turkish Netmax being Hit
✓ Analysts identified 1,361 new IP addresses participating in various Botnets
✓ BeastMode
✓ Deep Panda
✓ Verblecon
✓ EnemyBot
✓ Ukraine Stops RU Energy Attack
✓ India Grid

Link to full report: IR-22-105-001_weekly105.pdf

Business Email Compromise (BEC) scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending wire payments or making purchases of merchandise or gift cards. Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like “deep fake” audio generated by artificial intelligence, to impersonate executives at a company and fool subordinates into sending money.

All accounting personne

The international Anonymous hacktivist group has targeted the Russian Ministry of Culture and leaked 446 GB worth of data online.  The cyberattack was carried out as part of the collective’s ongoing operation OpRussia against the country’s invasion of Ukraine.

Anonymous is a group of hacktivists that publicly announced a cyberwar against Russia after the country invaded Ukraine in late February 2022.  The latest to suffer a data leak is Russia’s Ministry of Culture.  As seen by Hackread.com,

Cyber professionals at any level will attest that what they desperately need is coffee to stay awake while working.  Russian analysts, both good and bad, are now in serious trouble.  Commodity traders are diverting coffee shipments that were initially expected to go to Russia, and some have stopped selling to that market altogether, attendees at a US coffee conference said.

Although food trade is not included in sanctions imposed on Russia after its invasion of Ukraine, difficulties in pr

A spokesman for the United States said on 07 April 2022 that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia.  The actions, made public by Attorney General Merrick B. Garland, come as U.S. officials warn that Russia could try to strike American critical infrastructure including financial firms, pipelines and the electric grid in response to the sanctions

Understandable fears of an unparalleled Russian cyberwar began to grow around the same time Russia began staging its military on its border with Ukraine.  Some people pictured a Russian digital assault not just on Ukraine but on all of the West. At least a few people thought the Kremlin might team up with ransomware gangs to punish those who defied the invasion. Others were afraid that conflict between Putin’s hackers and Ukraine might spin out of control and spur a broader cyber melee around the

Microsoft says it's blocked GRU cyber operations directed against US, European, and Ukrainian targets. Redmond calls the group "Strontium," in its metallic naming convention for threat groups, but the threat actor is also known as APT28 and, of course, Fancy Bear. The disruption was a familiar (and entirely praiseworthy) takedown. Microsoft explained, "On Wednesday April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these a

At the onset of the Civil War, a man whose name would eventually become synonymous with famous American detectives was reportedly providing false reports to the Union’s top general.  Allan Pinkerton, who once successfully smuggled Abraham Lincoln into Washington, DC to avoid a rumored assassination attempt before he was even sworn in as president, acted as General George McClellan’s top intelligence officer.  He was considered one of the best spymasters in the United States, responsible for effe

Activity Summary - Week Ending on 8 April 2022:

  • Red Sky Alliance identified 1,898 connections from new IPs checking in with our Sinkholes
  • Go Daddy LLC domain - 61 x
  • Analysts identified 1,311 new IP addresses participating in various Botnets
  • IcedID Trojan
  • DoubleZero Wiper Malware
  • ChronoPay
  • Inverse Finance
  • TX Infrastructure
  • CN also attacking UA

Link to full report: IR-22-098-001_weekly098.pdf

The US Justice Department announced on 06 April 2022 a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the US government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).

The malware called “sandworm” is infecting users’ systems, t

Ransomware is a constant thorn in the side of cyber security professionals worldwide.  Hive Ransomware stormed onto the scene in June of 2021, and in its first six months, from June to December of 2021, the group managed to compromise 355 companies.  The group made headlines for targeting IT, real estate, and healthcare organizations, prompting an FBI Alert sharing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the group in late August.

Recently the

Electricity, oil and gas, and other critical infrastructure vital to any country’s day-to-day life is increasingly at risk from cyber-attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services.  A report from cybersecurity company Dragos[1] details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe, and it's warned t

They say “Birds of a Feather, Flock Together.”  This holds true with criminal hackers.  Threat analysts have recently compiled a detailed technical report on FIN7 operations from late 2021 to early 2022, showing that the adversary continues to be very active, evolving, and trying new monetization methods.[1]

Link to full report: TR-22-095-002_Fin7.pdf

[1] https://www.bleepingcomputer.com/news/security/fin7-hackers-evolve-toolset-work-with-multiple-ransomware-gangs/

Those readers who have children have already built a sandbox and watched the contents be tracked into their house.  What I will be describing is a different type of sandbox, or what some have referred to as a “Cuckoo box.”  Before hunting malware, every researcher needs a system on which to analyze it. There are several ways to do it: build your own environment or use third-party solutions.  Here are some “easy” steps required to create a custom malware sandbox where you can perform a proper a

With the worldwide push to stamp out the internal combustion engine and promote electric vehicles, a research study on how to thwart the charging process of EVs was introduced.  University of Oxford researchers in the UK, in collaboration with Switzerland and the UK’s Armasuisse federal agency, identified a novel attack method that let them remotely force EVs to abort charging.  The attack method, called Brokenwire, works by sending malicious signals wirelessly to the targeted vehicle to cause electr

Activity Summary - Week Ending on 1 April 2022:

Today is April Fools' Day, but sound Cyber Security is No Joke.  Call us for protection.

  • Red Sky Alliance identified 15,105 connections from new IPs checking in with our Sinkholes
  • Kanzas LLC Moscow RU - 241 x
  • Analysts identified 1,392 new IP addresses participating in various Botnets
  • Emotet Variant
  • AbereBot is Escobar
  • Kaspersky Lab
  • Shortage of female Cyber Security Professionals
  • Hacked Ukrainian News Website
  • Spearphishing Attack from Belize

The 2022 Major League Baseball season is set to kick off next week, which means fans everywhere are trying to gauge how their team stacks up to the competition.  To prepare for the season, Wapack Labs has skipped the analysis of Batting Averages, RBIs, and On-Base Percentages in favor of measuring each team’s cyber security posture.

Horizon Actuarial Services, LLC provided notice regarding a data privacy incident that occurred on 12 November 2021.  The incident involved the theft of data inclu