All Articles (2242)


Activity Summary - Week Ending 8 January 2021:

  • Red Sky Alliance observed 123 unique email accounts compromised with Keyloggers
  • roger1983@gmail.com ??
  • Analysts identified 46,954 connections from new unique IP addresses
  • Red Sky Alliance identified 2,131 new IP addresses participating in various Botnets
  • WhatsApp – New Policies
  • Egregor Ransomware
  • T-Mobile hit AGAIN
  • The Green New Deal now on Steroids
  • 6th of January a Sad Day in the US
  • Protests and new technology surveillance

Link to full report: IR

In October 2020, researchers at US security company AdvIntel discovered that one of the Internet’s most troublesome malware platforms, Trickbot, had started testing something rather threatening: probing the UEFI firmware chips inside targeted PCs to see whether they were exposed to known firmware vulnerabilities.  This was only reconnaissance; Trickbot was not infecting the SPI flash chip on which UEFI firmware resides, but the discovery is significant.

UEFI (Unified Extensible Firmware Interfa

Our Red Sky Alliance research predictions for 2021 are not necessarily in order of importance, but are presented as what we believe to be the most important.

Ransomware…Ransomware… Ransomware

2020 saw a dramatic rise in ransomware activity.  While it is difficult to predict specifically what ransomware authors will do next, it can be expected that they will continue to do what has worked well for them in the past, as long as it remains profitable.  Ransomware ‘payment’ amounts saw a 217% rise in 2020 f

T-Mobile, after completing its recent merger with Sprint, ended 2020 by announcing its second data breach of the year.  T-Mobile US, Inc., doing business as T-Mobile, is an American wireless network operator. Its largest shareholder is the German telecommunications company Deutsche Telekom with a 43% share, with the Japanese conglomerate holding company SoftBank Group also partially owning the company at a 24% share. Its headquarters are located in Bellevue, Washington, in the Seattle metropolita

The Covid pandemic added numerous concerns to the shipment of cargo in many countries.  Part of these “concerns” is the drastic increase of ransomware in the IT and OT (operational technology) systems of the transportation sector.  Transportation Topics published a recent article regarding the growing ransomware threat targeting transportation.[1]  The authors report that ransomware attacks have jumped 715% year-over-year.

The Tennessee-based US trucking and logistics company For

Activity Summary - Week Ending 31 December 2020:

  • Red Sky Alliance identified 22,558 connections from new unique IP addresses
  • Analysts identified 2,589 new IP addresses participating in various Botnets
  • 52 unique email accounts were observed compromised with Keyloggers
  • NZBGeek hit
  • Year of the Covid - Hacking
  • Achtung - Funke Mediengruppe and DoppelPaymer
  • Social Media and Hacking
  • Victor Gevers, “yourefired”
  • Twitch has a severe Itch, or Worse
  • Cuban Artists and Social Media Protests
  • Activists using s

Regarding cybersecurity, misconfigurations can create exploitable issues that can cause vulnerabilities later.  The following are some common-sense security misconfigurations that can easily be avoided.[1]

Development permissions that do not get changed when something goes live.  For example, AWS S3 buckets are often assigned permissive access while development is going on.  The issues arise when security reviews are not carefully performed prior to pushing the code live, no matter if that push

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research.  Affiliates are typically threat actors responsible for gaining an initial foothold in a target network.  In a recent analysis published by Sophos, the report states that new deployments of Ryuk and Egregor ransomware have involved the use of the SystemBC backdoor to move laterally across the network and fetch additional payloads for fu

With the incoming US government and other countries looking seriously at renewable energy sources, so are hackers, who are no fools and are researching ways to compromise the future of energy.  The ‘rush’ to renewable energy technology may open up multiple cybersecurity threats and vulnerabilities if care is not taken over cyber security in these energy source developments.

Quickly developing solar and wind technologies present new risks to power grid security, especially as sma

Activity Summary - Week Ending 23 December 2020:

  • Red Sky Alliance identified 38,232 connections from new unique IP addresses
  • Analysts observed 32 unique email accounts compromised with Keyloggers
  • 1,979 new IP addresses were seen participating in various Botnets
  • JavaScript RAT
  • Hacker Tactics
  • BitGrail
  • com
  • MetaMax
  • E-commerce up 600%
  • Protesters using Bitcoin more and more
  • City of Detroit suing #BLM

Link to full report: IR-20-358-001_eCommerces_358FINAL.pdf

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework.  See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020.  This APT actor has demonstrated

US federal authorities issued a warning on 17 December 2020 that Russian hackers used an expansive variety of malicious cyber tools to penetrate US government systems and said that the cyber offensive was “a grave risk to the federal government.”  These findings indicate a wider range of hacking, which appears to extend beyond nuclear research laboratories and the US Pentagon, Treasury and Commerce Department systems.  This expansion of cyber capabilities is complicating challenges for US

Activity Summary - Week Ending 18 December 2020:

  • 28 unique email accounts compromised with keyloggers in the RedXray collections
  • Red Sky Alliance identified 41,143 connections from new unique IP addresses
  • Analysts identified 2,439 new IP addresses participating in various Botnets
  • The top Malware Variants were again Sality and Corkow, followed by Loki
  • Covid-19 lures remain one of the top Suspicious Domains
  • Bandook Trojan is Back
  • UK based ‘end user computing’ (EUC)
  • The Education Sector remains a t

The Dark Web is a place in cyberspace where criminals and other bad actors share stolen credentials and discuss successful attacks.  Fake COVID-19 cures, counterfeit travel documents, and scam call services are amongst the services being traded on the Dark Web. Cybercriminals continually search for new ways of exploiting the 2020 health crisis. Sensitive information often ends up for sale on the black market on the Dark Web, compromising the security of businesses and their employees.

According

Several high-profile breaches have recently been reported affecting major cybersecurity and IT companies and possibly affecting multiple government agencies.

On 8 December 2020, the cybersecurity firm FireEye reported a breach in which internal software tools were stolen.  The stolen tools, known as Red Team tools, are used by the company to perform penetration tests of client IT assets.  While some of the tools were private and not meant to be publicly available, FireEye distributed some of th

An increasing number of companies are looking at an innovative approach to deal with hackers that attempt to break into their computer networks.  Note to hackers who may be reading this article: “There is nothing here of interest to you.”

Companies are adding a new tool to their cybersecurity defenses called deception technology, which seeks to trick hackers into thinking they are getting close to critical data.  They lure cybercriminals into thinking they are getting close to the good stuff, a

Norwegian cruise company Hurtigruten sustained a cyberattack on 14 December 2020 and several critical network systems were affected, the company said in a statement.  Hurtigruten, which in normal times operates ferries along the Norwegian coast as well as cruises in the Arctic and Antarctic, said it did not expect the attack to lead to a “material financial effect.”[1]

“This is a serious attack. Hurtigruten's global IT infrastructure appears to be affected,” the company's head of IT said in a

A sophisticated, organized network of cybercriminals is now pivoting to conducting successful vishing attacks against employees across multiple companies, all with the goal of stealing financial assets.  So what’s ‘vishing?’

Voice phishing is a form of criminal phone fraud, using social engineering over traditional telephone systems to gain access to private personal and financial information for the purpose of financial reward.  Vishing is a play on ‘voice’ and cyber ‘phishing

Activity Summary - Week Ending 11 December 2020:

  • Red Sky Alliance identified 49,028 connections from new unique IP addresses
  • Analysts observed 66 unique email accounts compromised with Keyloggers
  • Sality and Corkow have consistently remained the top Malware Variants
  • Analysts identified 1,715 new IP addresses participating in various Botnets
  • Ragnar Locker
  • WatchBogMiner
  • Leaking Browser URL and Protocol Handlers
  • Malware targeting Synthetic DNA Orders to modify DNA string sequences
  • Covid-19 Rx. Researc

For ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative.  Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and to request a ransom to resolve the situation.  An old, yet tried and true, use of chicanery.  Sometimes old schemes become new schemes.  This is just the latest in a long line of shakedown tactics, which include not just using c