All Articles (2537)

Activity Summary - Week Ending on 23 December 2022:

  • Red Sky Alliance identified 44,282 connections from new IPs checking in with our Sinkholes
  • Frantech[.]ca In Las Vegas hit 16x (2nd week)
  • Analysts identified 1,046 new IP addresses participating in various Botnets
  • MCCrash DDoS
  • Glupteba Trojan
  • Glupteba IoCs
  • Epic Games
  • Thyssenkrupp
  • Russia and Oil
  • Happy Holidays

Link to full report: IR-22-357-001_weekly357.pdf

With minutes left in the holiday buying season, online shopping and gift-giving are at the top of many people's to-do lists.  But before you hit the "buy" button, it is important to remember that this time of year is also the peak season for cybercriminals.   Cybercriminals often increase their efforts during the traditional Christmas holidays, taking advantage of the flood of ‘new’ online shoppers and the general chaos of this buying time of year.

Do not let cybercriminals steal your ho

The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) are releasing this joint Cybersecurity Advisory (CSA) to advise the Food & Agriculture sector about recently observed incidents of criminal actors using business email compromise (BEC) to steal shipments of food products and ingredients valued at hundreds of thousands of dollars.

While BEC is most commonly used to steal money, in cas

Cybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware that's deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems.  Azov is ransomware, malware that blocks access to files by encrypting them.  It encrypts all files (except files with .ini, .dll, and .exe extensions) and appends the ".azov" extension to their filenames. Also, Azov drops ransom notes (the "RESTORE_FILES.txt" files) in all folders that i

The New York State Department of Financial Services (NYDFS) is proposing an amendment to its regulations requiring financial services companies to increase their cybersecurity planning, reporting, and protection.  The Department of Financial Services supervises and regulates the activities of approximately 1,500 banking and other financial institutions with assets totaling more than $2.6 trillion and more than 1,400 insurance companies with more than $4.7 trillion.

Under the proposed amendment, th

Sometimes, well-intentioned research can actually benefit adversaries.  Recently, when a US-based foreign affairs analyst received an email from the Director of the “38 North think-tank” to commission an article, it seemed to be business as usual.  The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.

Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to b

In the era of digitization and ever-changing business needs, the production environment has become more attractive to attackers.  Multiple functions and teams within an organization can ultimately impact the way an attacker sees the organization's assets, or in other words, the external attack surface.  This dramatically increases the need to define an exposure management strategy.

To keep up with business needs while effectively assessing and managing cybersecurity risk, there are two primary elements that

With the threat of cyber-attacks increasing in the agriculture industry, some farmers differ on whether there is a need to secure data.  Jason Perdue, who farms and raises cattle in eastern Nebraska, said, “I don’t understand all of what’s out there and all of the possibility of what is at risk.”  He says he’s more concerned about livestock data than crop information. “I’m probably a little more concerned if something were to happen to our controlling system like the ventilation, feed or water in our livestoc

Activity Summary - Week Ending on 16 December 2022:

  • Red Sky Alliance identified 31,927 connections from new IPs checking in with our Sinkholes
  • Frantech[.]ca In Las Vegas hit 14x
  • Analysts identified 730 new IP addresses participating in various Botnets
  • Cuba Ransomware
  • ZeroBot
  • Heliconia Exploit
  • Sam’s Busted
  • Metropolitan Opera
  • CA Finance LockBit
  • India Fighting on many Fronts
  • e-Car Buyers

Link to full report: IR-22-350-001_weekly350.pdf


Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with assoc

The Luna Moth, also known as the Silent Ransom Group, has been active since March 2022 and has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing callback phishing, or Telephone-Oriented Attack Delivery (TOAD).

The lure of recent Luna Moth campaigns is a phishing email with an invoice indicating that the recipient’s credit card has been charged for a service, typically under $1,000. The phishing email is personaliz

In November 2022, FortiGuard analysts observed a unique botnet written in the Go language being distributed through IoT vulnerabilities. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation.  It also communicates with its command-and-control server using the WebSocket protocol.  Based on the trigger counts of some IPS signatures (shown in Figure 1), this campaign started its distribution of the current version someti

Red Sky Alliance utilizes Fortinet collections, analysis, and support; this is important.  A vulnerability has been recently discovered in Fortinet's FortiOS, which could allow for arbitrary code execution.  FortiOS is Fortinet’s proprietary operating system, which is utilized across multiple product lines.  Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose acc

Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, simply because the ransomware is not able to decrypt files; it just destroys them instead. Coded in Python, Cryptonite ransomware first appeared in October 2022 as part of a free-to-download open-source toolkit available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.

An anal

Ransomware attacks keep increasing in volume and impact largely due to organizations' weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations. According to a recent RSM survey, 62% of mid-market companies believe they are at risk of ransomware in the next 12 months.

As ransomware is still the preferred way for actors to monetize their access, there is a need to u

A newly discovered web skimming campaign running for the past year has already compromised over 40 e-commerce sites, according to researchers.  The JavaScript protection vendor revealed that “Group X,” which exfiltrated card data to a server in Russia, used a novel supply-chain technique to compromise its victims.  The cyber-criminals exploited a third-party software named Cockpit, a free web marketing and analytics service that was discontinued in December 2014.   Cockpit is a JavaScript librar

The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta.  The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities.  Aside from being dropped alongside other malware families, LodaRAT has also been observed being delivered through a previously unknown variant of another commodity trojan called Venom RAT, which has been c

Old technology solutions are still in the house.  It could be an old and unsupported storage system or a tape library holding the still-functional backups from over 10 years ago. This is a common scenario with software too. For example, consider an accounting software suite that was extremely expensive when it was purchased. If the vendor eventually went under, then there is no longer any support for the software, which means that the accounting solution only works on some older operating system

Malware is nothing more than burglary tools.  Cyber researchers have recently shed light on a Dark web marketplace called “In the Box” that is designed specifically to cater to mobile malware operators.  The actor behind the criminal storefront, believed to have been available since at least January 2020, has been offering over 400 custom web injects grouped by geography that can be purchased by other adversaries looking to mount attacks of their own.  The automation allows other bad actors to create o

Activity Summary - Week Ending on 9 December 2022:

  • Red Sky Alliance identified 23,269 connections from new IPs checking in with our Sinkholes
  • Microsoft in Tokyo hit 32x
  • Analysts identified 875 new IP addresses participating in various Botnets
  • Cryptonite Source Code
  • No Way to Recover
  • ZeroBot – Top 5 Malware (IR-22-341-001)
  • School District Out of Options
  • Paris Hospital Hit
  • Agrius and Diamonds
  • VTB Bank hit with DDoS

Link to full report: IR-22-343-001_weekly343.pdf