All Articles (2242)


Activity Summary - Week Ending 16 October 2020:

  • Red Sky Alliance identified 52,441 connections from new unique IP addresses
  • Analysts observed 159 unique email accounts compromised with Keyloggers
  • 2,640 new IP addresses were observed participating in various Botnets
  • SlothfulMedia
  • New Dridex Malware Campaign
  • Mobile Money being attacked in the retail world in Africa
  • Securing Your Cell Enterprise against Retail Attacks
  • Sam's West, Inc. Retail Giant - Analysis
  • No Justice, No Peace at Sam’s Club
  • Star

Microsoft collaborated with cybersecurity companies and government agencies to take down the million-device Trickbot botnet to help protect the November 3rd US Presidential election and stop the global spread of ransomware and other malware. The botnet has been used to distribute a variety of malicious code, including the Ryuk ransomware variant, which the US government has cited as a potential threat vector against the election.

Microsoft obtained a court order from the US District Court, East

Researchers recently discovered the ‘WarezTheRemote’ attack, which affects Comcast’s XR11 voice remote control.  This security flaw, which allows cyber attackers to remotely snoop in on victims’ private conversations, was found to stem from an unexpected device: their TV remotes.  Huh?

The flaw stems from Comcast’s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the US.  The remote enables users to say the channel or content they want

A newly identified group of financially motivated hackers, likely based in a Russian-speaking country, has been running high-volume phishing, ransomware, and extortion campaigns in the United States, Germany, and many other countries for the last four years, using the Clop ransomware and various backdoors in their operations.

Researchers at Mandiant have been tracking the group since 2016 and have responded to a number of intrusions in which the group, known as FIN11, has used initial access to

A new ransomware has emerged online threatening Android security.  This new malware triggers on an infected phone as soon as the victim presses the Home key. Researchers at Microsoft are warning about a new strain of mobile ransomware that takes advantage of incoming call notifications and Android's Home button to lock the device behind a ransom note.

The findings concern a variant of a known Android ransomware family called "MalLocker.B", which has resurfaced with new techniques.  This malware

A US digital marketing provider has exposed almost three million records containing personally identifiable information (PII) after another cloud configuration mistake.  The privacy snafu at Friendemic, whose main clients are reportedly US car dealerships, was discovered by researchers at Comparitech.  As is usual in these cases, the unencrypted data was left exposed to the public Internet with no password or authentication required to access it.  Research earlier this year found that misconfigu

Even simple things in life, like using a Fitbit watch, can be turned into a hacking tool.   While you are losing pounds, you could also be losing your personal, private and financial information.  During these uncertain months of the pandemic, working out seemed like a harmless activity and a way to keep in shape.  Red Sky Alliance wants to thank Becky Bracken for her report as follows:

An Immersive Labs Researcher took advantage of lax Fitbit privacy controls to build a malicious spyware watch

Palmerworm, an advanced persistent threat (APT) group, has been active since 2013 and is engaged in cyber espionage campaigns that target organizations in the US, East Asia, particularly Taiwan, and occasionally Japan and Hong Kong.  Palmerworm hackers are using new customized malware as well as ‘living off the land’ techniques, manipulating tools and commands already built into an operating system for malicious purposes.

This APT group, also known as BlackTech, has conducted long-term espionage c

A US Treasury Department advisory was issued on 1 October 2020 and strongly warned that financial institutions, cyber insurance firms, and others that facilitate a ransom payment after a ransomware attack ‘could’ face federal penalties.[1]  But the warning is not a sure sign of a looming enforcement effort, some cybersecurity experts say.

Charles Carmakal, senior vice president and CTO with FireEye Mandiant, calls ransomware "the most significant and prevalent cybersecurity threat facing corpora


Though very tempting to get out of the house and conduct “work to home” (WTH) in a nice and quiet hotel room, this practice is fraught with dangers that need discussing.  Red Sky Alliance can help with current and past cyber reporting, as we have been collecting, analyzing, and documenting cyber threats for 9 years and maintain a resource library of malware and cyber actor reports.

The installation, updating and monitoring of firewalls, use of a virtual private network (VPN), and proper user t

Activity Summary - Week Ending 9 October 2020:

  • Red Sky Alliance analysts identified 2,258 new IP addresses participating in various Botnets
  • Analysts observed 28 unique email accounts compromised with keyloggers
  • Red Sky Alliance identified 45,867 connections from new unique IP addresses
  • Finspy Malware Part 2
  • MoDi RAT Leverages OneDrive Cloud Storage
  • Microsoft DDR
  • Nobel and Chevron
  • Denmark and Nord Stream 2
  • Russia ups oil Output
  • Armenia and Azerbaijan still at it, compromising oil pipelines
  • Norwa

A ransomware vaccine, called "Raccine," was released as an open source tool by Nextron Systems on 3 October 2020.  Raccine prevents ransomware from attacking vssadmin.exe, a Windows utility that manages shadow copies of a Windows system's data.  Threat actors can take advantage of vssadmin.exe to delete shadow volumes in Windows so that ransomware victims cannot restore their data from local backups.

"We see ransomware delete all shadow copies using vssadmin pretty often," post in the GitHub tex


The US Federal Bureau of Investigation (FBI) is warning organizations in the financial sector about an increase in botnet-launched credential stuffing attacks.  Many of these attacks, which target APIs, are being fed by billions of stolen credentials leaked over the last several years. 


Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords are used to gain unauthorized acces

Our friends from the US Department of Homeland Security have provided an open source Threat Assessment for October 2020 - which is Cyber Security Awareness Month.  The following is the Cyber Threat Assessment Section.

Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyber-attacks. Federal, state, local, tribal and territorial governments, as well as the private sector, w

Throughout the USA, State and County election computer networks are still vulnerable to cyber-attacks and Election Day is only 29 days away.  In a little-noticed episode in 2016, an unusual number of voters in Riverside, California, complained that they were turned away at the polls during the primary because their voter registration information had been changed.

The Riverside County district attorney, Mike Hestrin, investigated and determined that the voter records of dozens of people had been tampe

Cyber security researchers are warning about a recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months.  Similarities to the Sekhmet crypto-locking malware have been noted.

True to other ransomware hackers, the bad actors behind the Egregor ransomware are threatening to leak victims' data if the ransom demands are not met within three days.  The cybercriminals linked to Egregor are also mimicking Maze tactics

The popularity of ransomware threats does not seem to be decreasing. Instead, more and more sophisticated ransomware threats are being deployed. Ragnar Locker is a new data encryption malware in this style.

The actors behind Ragnar Locker partnered with the Maze ransomware gang as a means of extorting victims whose unencrypted data they had stolen.  This continued cooperation between ransomware gangs is a dangerous development.  The sharing of advice, tactics and a centralized data leak platform bet

Cyber threat researchers have examined security incidents over the past several years that appear to connect North Korea's Lazarus Group with Russian-speaking attackers.  A recent analysis has examined reports from years of security incidents to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.

In a summary of his findings, Mark Arena, CEO of security firm Intel 471, holds two generally accepted assumptions: that Lazarus Group is tied to

Activity Summary - Week Ending 2 October 2020:

  • Red Sky Alliance identified 43,777 connections from new unique IP addresses
  • Fairdeal Furniture LTD in Kenya is still Keylogged
  • Analysts identified 2,258 new IP addresses participating in various Botnets
  • Fancy Bear and the Zebrocy Malware
  • Ransomware hitting Virtual Machine Techniques
  • FinSpy and Egypt
  • Cyber Attacks on Oil and Gas, UP
  • Oil Prices steady around $40.00 a Barrel
  • Kurdistan Region of Iraq complying with OPEC
  • Libya continues with its Oil Rec

Our friends at the US Department of Homeland Security (DHS), Cyber Security and Infrastructure Agency (CISA) shared the following good practices:

DRIVE CYBERSECURITY STRATEGY, INVESTMENT, CULTURE  [Link to DHS CISA report with helpful active links: 20-02019b - Telework_Essentials-08272020-508.pdf

After rapidly adopting wide-scale remote work practices in response to COVID-19, organizations have started planning for more permanent and strategic teleworking postures. An organization’s executive leade