X-Industry

Activity Summary - Week Ending 14 May 2021:

• Red Sky Alliance observed 78 unique email accounts compromised with Keyloggers
• Analysts identified 23,596 connections from new unique IP Addresses
• 1,802 new IP addresses are participating in various Botnets
• COVID-19 Lures Continue
• RotaJakiro
• Lemon Duck
• Colonial Pipeline and DarkSide
• US – Oil Supply Chain Repercussions
• Belnet hit in Belgium
• Rubin Design Bureau, Russian DIB
• BoA upping Cyber Security Budgets
• The “new” Normal, is it?

Link to full report:

An ongoing disinformation campaign called "Ghostwriter," which leverages compromised social media accounts is targeting several NATO member countries in Europe.  Ghostwriter is attempting to undermine confidence in the defensive organization as well as spread discord in Eastern Europe.  Researchers who uncovered the campaign in July 2020, have now documented an additional 20 incidents related to the cyber operation, including at least one earlier in 2021. 

The Ghostwriter campaign is primarily a

Critical infrastructure in any country relies on energy sources and transmission for proper and safe national operations.  A direct cyber shot was delivered to the US oil and gas industry, allegedly by a Russian criminal group known as DarkSide.  DarkSide is suspected in the ransomware attack that shut down the US-Georgia based Colonial Pipeline, which immediately created fuel shortages to cars, trucks and the airline industry. 

This pipeline attack now has other energy sector officials on edge

What is RedPane?

RedPane is a dark web search engine tool that has been developed by Red Sky Alliance since late January 2021. With RedPane we are able to make dark web content available without the need for analysts to touch the dark web to visit Tor .onion sites. To date, we have over 300,000 data points on over 50 sites and we are adding new sites weekly.

With RedPane we have developed custom processes to capture text data from dark web sites that we designate, parse that information into a for

Cyber threat actors are increasingly using and abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems.  Telegram is a cloud-based instant messaging and voice-over IP service. Telegram client apps are available for Android, iOS, Windows Phone, Windows NT, macOS, and Linux.  Users can send messages and exchange photos, videos, stickers, audio, and files of any type.  Even when Telegr

The U.S. Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology have released a report providing insights on how to enhance supply chain security in the wake of the SolarWinds attack.

The guidance released 28 April 2021, "Defending Against Software Supply Chain Attacks," offers recommendations on how to implement the NIST Cyber Supply Chain Risk Management Framework and the Secure Software Development Framework. "This resource provides in-depth re

US Atlanta based Colonial Pipeline Company said in a statement last Friday that it was the victim of a cybersecurity attack, and so "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems."  An updated statement over the weekend it said it had "determined that this incident involves ransomware."

A former U.S. official and two industry sources have told media that the group DarkSide is among the sus

The US Nation’s Capital police department has reportedly been hit by Russian-speaking ransomware threat actors who claim to have stolen sensitive information on informants.  If true, this is a very troubling cyber-attack.  If informants cannot keep their anonymity, they will never work with the police.  The Babuk group gave police three days to pay-up before it shares the data with local gangs, according to media sources.  The files were allegedly posted on a dark web forum. 

Babuk ransomware is

Activity Summary - Week Ending 7 May 2021:

• Taleq Simeon needs a new Email Address
• Red Sky Alliance identified 15,654 connections from new unique IP Addresses
• Analysts identified 1,209 new IP addresses participating in various Botnets
• Researchers observed 20 unique email accounts compromised with Keyloggers
• FormBook Variant – Part III
• Google Play Store
• Oil and Gas getting SMART
• Oil and Gas on the Rise, Finally
• Cyber-Attack on Oil and Gas to ‘continue’ Rise
• Angola’s National Oil, Gas and Biofuel’

Threat researchers have come across two new phishing scams targeting customers of JPMorgan Chase Bank.  Both attacks deployed social engineering and brand impersonation tactics to steal customers' login credentials.  While one scam involved an email that appeared to contain a credit card statement, the other impersonated a locked account workflow to falsely inform victims that access to their account had been blocked following the detection of unusual login activity.

Cyber threat researchers sai

The current US administration is introducing a 100-day plan to improve cybersecurity and address cyber threats across the nation's electrical grid.  Officials state the program is part of a broader cybersecurity plan designed to address issues across the nation's critical infrastructure.

The 100-day initiative will involve government agencies that are responsible for the security of critical infrastructure as well as businesses and private utilities that oversee or own infrastructure, such as el

A specially crafted update created by Germany's Bundeskriminalamt (BKA) federal police agency created and pushed the uninstall update.  European law enforcement has triggered the process of removing the Emotet botnet malware from 1.6 million infected computers around the world.  Emotet was thought to be the world's largest botnet, known for spewing millions of malware-laden spam emails each day. Law enforcement in the US, Canada and Europe conducted a coordinated takedown of Emotet infrastructur

The malware seems like nothing special at first, but further exploration shows it can wreak serious damage in follow-on attacks.  The NitroRansomware malware strain is changing the ransomware norm by demanding Discord Nitro gift codes from victims instead of actual money.  Discord is a VoIP, instant messaging and digital-distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media and files in private chats or as part of communit

The FBI and the Cybersecurity and Infrastructure Security Agency are warning of continued cyber threats stemming from Russia's Foreign Intelligence Service, or SVR, which the Biden administration accused of carrying out the SolarWinds supply chain attack.

In a joint alert issued 26 April 2021, the agencies warn that despite economic and other sanctions against Russia announced by the White House on 15 April 2021, attackers associated with the SVR likely will continue to target government network

Are large organizations better when it comes to cyber security? There are areas in which small and midsize businesses achieve stronger outcomes.  Cisco recently released the 2021 Security Outcomes Study - Small and Midsize Business (SMB) Edition, which revealed a number of somewhat surprising findings about SMBs and how they compare to their larger counterparts.

The entire report can be viewed at:  2021 Security Outcomes Study for Small to Midsize Businesses (SMBs) (cisco.com)

The report found t

The US Justice Department (DOJ) is creating a task force to tackle the growing threat of ransomware and related extortion schemes targeting school districts, hospitals and others, according to an internal department memo that began circulating the third week of April 2021.

The newly established Ransomware and Digital Extortion Task Force (RDE-TF) will include DOJ officials as well as representatives from the FBI and the Executive Office for US Attorneys.  The task force will target the "ransomwa

Activity Summary - Week Ending 30 April 2021:

• Beware of emails and trophies from Crystal Time
• Red Sky Alliance identified 40,298 connections from new unique IP addresses connected to Sinkholes
• Analysts identified 1,209 new IP addresses participating in various Botnets
• New FormBook Variant Delivered in Phishing Campaign
• SMS Flubot campaign in Italy
• Dear John: Farm Equipment
• US Agriculture Sector
• SickCodes
• Taylors Wines – Hit
• Kawasaki Heavy Equipment – Hit
• Protesting the MoMA, huh?

Link to full

As more web merchants accept cryptocurrencies, the possibilities for theft and fraud will increase.  There will no protections that consumers and businesses have enjoyed that are standard for purchases via credit card.  Hackers with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB.  Group-IB's new report builds on findings published in July 2020 by

China, Russia, North Korea, and Iran continue to pose significant cybersecurity threats to the US, because each is capable of launching disruptive attacks, according to a report published 13 April 2021 by the Office of the Director of National Intelligence.

Threats include disinformation campaigns that target elections and try to undermine democratic institutions as well as aggressive hacking campaigns, such as the SolarWinds supply chain attack, according to the report. In many cases, criminal

TechRadar is reporting that the personal data of about 500 million LinkedIn users is being sold on a popular hacking forum.  Cyber security analysts discovered this evidence, which includes LinkedIn IDs, full names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, and professional titles, and other work-related data.  On a good note, no associated passwords or payment data appear to have been affected.

LinkedIn boasts of nearly 740 millio