In late January, a new botnet campaign was discovered targeting unpatched software running on Linux devices with recent code execution CVEs. Once a device is compromised, the bot downloads and executes a malicious Python script that joins the compromised device to the botnet. The botnet is controlled by attackers using Internet Relay Chat (IRC) and enables the attackers to perform DDoS attacks and run crypto miner software on infected devices. Updates are available to patch all CVEs exploited
According to a report from security firm RiskIQ, several Magecart groups hide their JavaScript skimmers, phishing domains and other malicious tools behind a secure hosting service called Media Land. During their investigation, the researchers found that thousands of domains used for JavaScript skimmers, phishing and other malicious infrastructure have been registered with Media Land since 2018 using at least two email addresses and other aliases.
A recently discovered Mobile Remote Access Trojan (MRAT) can take control of infected Android devices and exfiltrate a multitude of user data. Called Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors who have been selling their malicious products on underground markets for several years.
Triangulum first shared a mobile RAT on a dark web forum in June 2017. The threat was capable of data exfiltration, but could also destroy data locally, and even e
Red Sky Alliance has previously reported on the many cyber perils within critical infrastructure and key resource sectors. Our worldwide electric grids remain at the top of government concerns. The New Yorker recently published a very thought-provoking and sobering piece on the same subject(s). We would like to share it with our members.
In the nightmare, sirens caterwaul as ambulances career down ice-slicked, car-crashed streets whose traffic lights flash all three colors at once (they’ve been
Last week, US and Bulgarian law enforcement seized the underground site that the NetWalker ransomware cybercriminal group used to post data stolen from victims. Additionally, a Canadian national who allegedly extorted more than $27 million through the spreading of NetWalker is a person of interest and was indicted in Florida, US.
NetWalker is a ransomware-as-a-service (RaaS) crimeware product in which affiliates rent access to the continuously updated malware code in exchange for a
The ongoing controversies surrounding TikTok hit a new gear on 14 January 2021 with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google. According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.
TikTok, based in Beijing, China, h
A German-led police operation has taken down the "world's largest" darknet marketplace, whose Australian alleged operator used it to facilitate the sale of drugs, stolen credit card data and malware, prosecutors stated on 12 January 2021. At the time of its closure, DarkMarket had nearly 500,000 users and more than 2,400 vendors worldwide, as the coronavirus pandemic leads much of the street trade in narcotics to go online. DarkMarket was an English-speaking internet cybercrime forum created b
SANS has long been a leader in cyber and has recently published a research paper on Ransomware Prevention. 2020 saw ransomware attacks sky-rocket. Below is a brief introduction and link to the full report. "Ransomware is a fast-growing threat affecting organizations of all sizes and industries. Quick spreading and highly interruptive, ransomware damage ranges from profoundly impacting a business’s finances to threatening proper healthcare by disabling access to critical data needed for medic
Activity Summary - Week Ending 29 January 2021:
- Red Sky Alliance observed 62 unique email accounts compromised with Keyloggers
- Analysts identified 39,701 connections from new unique IP addresses
- British Telecommunications has Compromised C2 Servers
- Researchers identified 1,619 new IP addresses participating in various Botnets
- Hancitor Malware
- OSAMiner & Crypto-miner Campaigns
- Zyxel Firewalls the Backdoor is Open
- Mimecast Compromised
- Malwarebytes Caught in the Wind, SolarWinds
- Dell/SonicWall hit
Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks, but there is one area that is often ignored to a company's detriment: ghost accounts. When a staff member leaves their employer, whether due to a new job offer, a change of circumstances, illness, or in unfortunate cases, death, their accounts are not always removed from corporate networks.
This oversight is one that cybercriminals are now taking adv
Attacks involving million-dollar ransom demands attract headlines, but the payout is no longer the sole financial incentive for attackers. The exfiltration of critical data is a key motivator that can be used to extort victims into paying even larger fees to recover assets. Data, including intellectual property such as research and patents, is often targeted by organized groups or as part of corporate espionage. Stealing this information and then coercing a business into paying to get access to
Financial services firms in the UK were hit hard in 2020, with 70% experiencing a successful cyber-attack and most of these blaming COVID-related conditions for the incident, according to Keeper Security. The password security firm commissioned the Ponemon Institute to poll over 370 UK IT security leaders in the sector, as part of a larger global study. It revealed that the rapid shift to remote working forced on businesses during the pandemic provided threat actors with an opportunity to targ
The president of Microsoft, Brad Smith, warned of increasing cyber-threats to society as technology plays a more powerful role in our lives. This warning was delivered during his recent talk at the Consumer Electronics Show (CES) 2021. Smith delineated the potentially enormous benefits and advancements that technologies offer, including in areas like sustainability, but noted that the cyber-threats being faced are correspondingly becoming increasingly concerning. “As computers create all this promise,
Activity Summary - Week Ending 22 January 2021:
- Keylogged: imports1@fairdealfurniture.biz - Mombasa, Kenya
- Red Sky Alliance observed 29 unique email accounts compromised with Keyloggers
- Analysts identified 19,902 connections from new unique IP Addresses
- 1,957 new IP addresses participating in various Botnets
- Ursnif (Gozi) banking Trojan
- ElectroRat Crypto-Stealing
- JetBrains
- Social Media Alternative Parler is under Siege
- The Word of the Moment – Purge
- Censorship-Resistant Blockchain Social Media
- S
Red Sky Alliance has long reported on the underground carding site – Joker’s Stash (JS). Well, several research firms have identified that JS is ‘going out of business.’ Joker’s Stash is reportedly (or was…) the largest underground forum/shop for selling stolen credit card and identity data. JS reports it is closing its shop by the middle of February 2021. This news was shared after a crazy 2020 for the major cybercrime store, and several weeks after US and European law enforcement a
A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it. The malware is tracked as OSAMiner and has been in the wild since at least 2015. Analyzing it has been difficult because payloads are exported as run-only AppleScript files, which makes decompiling them into source code difficult.
OSAMiner is a typical Trojan which mainly causes system vulnerability on PCs to help hackers’ remote attack. Use
Hackers recently posted confidential documents regarding Covid-19 medicines and vaccines on the internet after a data breach late last year at the European Medicines Agency (EMA). Timelines related to evaluating and approving Covid medicines and vaccines haven’t been affected, the EMA said in a statement on Tuesday. The agency said it remains fully functional and that law enforcement authorities are taking action on the breach.
It is suspected by cyber threat investigators that these hacks ma
Activity Summary - Week Ending 15 January 2021:
- 46 unique email accounts were seen compromised with Keyloggers
- Red Sky Alliance identified 43,555 connections from new unique IP addresses
- Analysts identified 2,201 new IP addresses participating in various Botnets
- German - Strang 1&1 Ionos SE in the Top 10 C2 compromised Servers
- SolarWinds Updates
- Dassault Falcon Jet – Hit / Ransomware
- “Up in Smoke” - Aurora Cannabis
- More Activism going On
Link to full report: IR-21-015-001_Manufacturing_015_FI
In their attempt to extort as much money as quickly as possible out of victims, ransomware gangs know some effective techniques to get the full attention of a firm’s management team. One of them is to specifically target the sensitive information stored on the computers used by a company’s top executives, in the hope of finding valuable data that can best pressure bosses into approving the payment of a sizeable ransom.
Although the technique of prioritizing the theft of data from managers’ PCs
For years, Red Sky Alliance has been monitoring the Chinese Communist Party (CCP) in both cyber activity and geopolitical matters. The CCP has been and continues to be aggressive in its long-term Belt and Road initiatives, also known as the China Maritime Silk Road.[1] The CCP trains approximately 20,000 cyber ‘professionals’ in hacking-type activities every year. This permeates into the business and citizen cultures of the Chinese population. China controls all business ventures inside its borders and