All Articles (2768)

Activity Summary - Week Ending on 4 February 2022:

  • Red Sky Alliance identified 39,538 connections from new IPs checking in with our Sinkholes
  • Amazon IP hit
  • Analysts identified 3,544 new IP addresses participating in various Botnets
  • STRRAT RAT
  • Molerats APT
  • 47 Tbps DDoS Attack
  • Ransomware Operators
  • US Public Safety being Targeted
  • Maritime Cranes & the Supply Chain
  • US Water Protection
  • Shipment & Delivery Scams

Link to full report: IR-22-035-001_weekly035.pdf

Democratic lawmakers on the House Committee on Financial Services on 27 January 2022 outlined nine (9) provisions of the proposed America COMPETES Act of 2022, one of which has been criticized by the cryptocurrency community for potential privacy and due process concerns.

Committee Chairwoman Maxine Waters, D-Calif., says the America Creating Opportunities for Manufacturing Pre-Eminence in Technology and Economic Strength or COMPETES Act will "strengthen the competitiveness of the US economy and

The US government has urged organizations to shore up defenses "now" in response to website defacements and destructive malware targeting Ukraine government websites and IT systems this week.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new 'CISA Insights' document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA's response to this week's cyberattacks on Ukraine's systems and websites, which the country

The US Department of Justice, FBI's Internet Crime Center (IC3) is warning that scammers are exploiting verification weaknesses in job-focused networking sites to post legitimate looking ads, capture personal information and steal money from job seekers. Scammers "continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money," authorities warn in a new public service announcement. Se

Conti ransomware was first discovered in December of 2019 and has become one of the most prominent ransomware platforms to date. The Conti Ransomware as a Service (RaaS) platform gained international attention in May of 2021 when it was used to shut down Ireland’s Health Service Executive (HSE). The group has shown no signs of slowing down, with notable attacks reported in the United States, Australia, United Kingdom, Taiwan, and Indonesia in the past two and a half months.

The most recent attack

Previous attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Recently, a new set of tools incorporated into the group's arsenal, and a connection with the Memento ransomware, have been discovered. Researchers from have detected a new and undocumented PowerShell backdoor that supports downloading malware such as a keylogger and an infostealer. The code runs in the context of a .NET app without launching powershell.exe, and thus avoids detection.

A Twitter spokesman has said it is firing Peiter Zatko, the network security expert it hired in November 2020 as head of security. Changes in the composition of Twitter's security team followed "an assessment of how the organization was being led," according to a company memo. Zatko, known by the handle "Mudge," gained fame as a member of the Cult of the Dead Cow ethical hacking collective in the 1990s and later moved to top cybersecurity research positions at the Defense Advanced Research and

The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products. "As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls," IBM Trusteer said in a report. "In most cases, these extra protections have been applied to injections used in the process of online banking fraud TrickBot'

Shell Deutschland GmbH is reporting it was able to "reroute to alternative supply depots for the time being," said Shell. The company’s Oiltanking Deutschland GmbH and mineral oil dealer Mabanaft was hit by a cyber-attack which disrupted its IT systems and supply chain. The attack allegedly took place on 31 January 2022.

Royal Dutch Shell said today it was re-routing oil supplies to other depots following a cyber-attack on two subsidiaries of German logistics firm Marquard & Bahls this week

UniCC, the biggest dark web marketplace for stolen credit and debit cards, has announced that it is closing its operations after earning $358 million in purchases since 2013 using cryptocurrencies such as Bitcoin, Litecoin, Ether, and Dash. It operated since 2014 and offers credit cards of all brands (Amex, Visa, MasterCard, Diner’s Club). It is also one of the most popular markets because it updates very frequently with new offers.

“Our team retires. Thanks to everyone who has been part of us

Apple's AirTags can be used for both good and evil purposes. That can be the problem with any new technology. For every potential good use, there are at least several pain-inducing and criminal-pleasing uses. Sometimes the bad outweighs the good, especially in the public eyes and ears. This time the good prevailed.

Case in point, a young US military spouse has moved around the globe numerous times.  She knows the drill.  As she told the Military Times, she also knows that moving compan

Activity Summary - Week Ending on 28 January 2022:

  • Red Sky Alliance identified 21,120 connections from new IPs checking in with our Sinkholes
  • Intern LLC in Moscow hit
  • Analysts identified 5,665 new IP addresses participating in various Botnets
  • AvosLocker Ransomware
  • Wormable Windows Vulnerability
  • Nmap
  • Belarus Trains hit
  • Canada mad at Russia
  • QR Code Confusion
  • 22% Gone Phishing
  • Vessel Impersonation

Link to full report: IR-22-028-001_weekly028.pdf

The U.S. Department of Homeland Security is reportedly warning that the U.S. could witness a retaliatory cyberattack at the hands of Russia if it decides to respond to the latter's potential invasion of Ukraine, where 100,000 or more troops have been amassed for weeks. According to a DHS Intelligence and Analysis bulletin dated 23 January 2022 and sent to law enforcement agencies around the country, officials believe that if the U.S. responds to rising tensions at Ukraine's eastern border, the

Shipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life. Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails: such as false invoices, changes in shipping delive

Keyloggers have been around for decades. They have constantly adapted to the changing technology landscape and remain an effective method used by attackers to obtain information about computer users. In this report we take a look at what keyloggers do, how they have changed, and what keyloggers to look out for going forward.

Keyloggers are software or hardware devices used to record keyboard inputs by users on a computer. They were originally invented for corporations to monitor employee comput

Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with assoc

The US Federal Energy Regulatory Commission (FERC) announced on 20 January 2022 that it proposes to strengthen its Critical Infrastructure Protection (CIP) Reliability Standards by requiring internal network security monitoring (INSM) for high and medium impact bulk electric system cyber systems.

The Notice of Proposed Rulemaking (NOPR) proposes to direct the North American Electric Reliability Corporation to develop and submit new or modified Reliability Standards to address a gap in the current standards.[1]

Since mid-2021, TrendMicro analysts have been investigating a threat actor called Earth Lusca (EL) that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes. This group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 rese

Activity Summary - Week Ending on 21 January 2022:

  • Red Sky Alliance identified 34,423 connections from new IPs checking in with our Sinkholes
  • Microsoft IP hit again
  • Analysts identified 4,093 new IP addresses participating in various Botnets
  • SysJoker Backdoor
  • Konni Campaign
  • Take Down of VPNLab.net
  • Russia shuts down REvil, huh?
  • Brookings Blog on Russia
  • SilverTerrier sent to the Kennel
  • China and the Olympics
  • Up-Date on Ukraine Hit

Link to full report: IR-22-021-001_weekly021.pdf

The US Department of Justice (DOJ) authorities first became aware of Diavol ransomware in October 2021. Diavol is allegedly associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have