All Articles (2240)


Hackers are using a phishing campaign to deploy KONNI malware, a remote access trojan (RAT), via Microsoft Word documents containing malicious Visual Basic for Applications (VBA) macro code, according to a recent alert from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

First observed in 2014, the malware was linked to several campaigns tied to North Korea. There are also significant links in code with the NOKKI malware family and researchers possess some evidence that link

Activity Summary - Week Ending 21 August 2020:

  • Red Sky Alliance observed 15 unique email accounts compromised with Keyloggers
  • Videoholka still is Keylogged
  • Analysts identified 47,658 connections from new unique IP addresses
  • 3,294 new IP addresses participating in various Botnets
  • Drovorub Malware Exposed
  • FritzFrog P2P botnet struck at least 500 government and enterprise SSH servers
  • COVID-19 Variants
  • Magecart Group 8
  • Oil Prices stuck in the $40-$45 Range
  • Petrobras and Microsoft working together f

Carnival Corporation & PLC is the largest cruise line operator in the world. In 2019, Carnival pulled in a record revenue of $20.8 billion. Even with the troubles of 2020, this makes them a significant target for attackers looking to earn a profit. On 15 August 2020, Carnival Corp & PLC detected a ransomware attack that encrypted a portion of one brand’s IT systems. Attackers not only encrypted the data, but also downloaded certain files indicating some data was stolen. In their SEC filings,

Small and medium-sized businesses (SMBs) are facing a growing number of ransomware threats as the programs needed to launch such attacks become more widespread and easier to use. Also known as the “fast food franchise of cybercrime,” Ransomware-as-a-Service (RaaS) enables even low-level and inexperienced hackers to purchase a ready-made solution for attacking small and medium-sized businesses.[1]

The malicious group named Dharma as one of the most popular offerings around, explaining it provides

New samples of the Ekans ransomware have revealed how today's cyber attackers are using a variety of methods to compromise key industrial companies. Researchers from our friends at FortiGuard Labs have uncovered two samples of the Ekans ransomware strain that offer some additional insight into how the crypto-locking malware targets industrial control systems.[1]

Ekans, which is also referred to as Snake[2], was first identified in February 2020 and early reports indicated that it had been desi

Activity Summary - Week Ending 31 July 2020:

  • Red Sky Alliance observed 41 unique email accounts compromised with Keyloggers
  • Analysts identified 43,115 connections from new unique IP addresses
  • 1,518 new IP addresses were discovered participating in Various Botnets
  • Taidoor remote access Trojan
  • Lazarus Attacks with Ransomware Worms
  • Baker Hughes still has Cyber issues
  • Hezbollah remains in the Top 5 Cyber Threat Actors
  • Oil moving Renewable & Green
  • Egypt and Greece signed a maritime agreement; Turkey

Maze ransomware is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning. The malware starts by preparing some functions that appear to save memory addresses in global variables for later use in dynamic calls, though it does not actually use these functions later. The operators of the Maze ransomware have published tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts.

The hackers leake

Three US agencies published a joint warning alert for private companies about new versions of Taidoor, a malware family previously associated with Chinese state-sponsored hackers.

The alert is from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense's Cyber Command (CyberCom), and the Federal Bureau of Investigation (FBI). The three US government agencies report they have observed Taidoor being used in new attacks. The n


Analysts studying coronavirus-related phishing and malware threats in malicious emails reveal four major topics abused by hackers: news, medical, financial, and regulatory. In the first phases of the coronavirus pandemic, hackers were mostly disguising their malicious emails as general news and medical information, with the most common keywords being “update” and “affected.” When Summer 2020 (June-July) arrived, the dominating attack theme became “financial” and the leading keyword became “payment.

Activity Summary - Week Ending 7 August 2020:

  • WastedLocker, TA505 Strikes Again
  • Analysts observed 28 unique email accounts compromised with Keyloggers
  • Red Sky Alliance identified 45,195 connections from new unique IP addresses
  • Analysts identified 1,682 new IP addresses participating in various Botnets
  • Malicious Code in Twilios
  • Boko Haram remains the top Threat actors – hitting African targets (Nigerian oil)
  • Syrian SDF, US and Oil
  • Husky Energy Inc to Escalate Production in Canada
  • WTH in Oil busi

From our friends at Be Cyber Aware at Sea: Welcome to this month’s edition of Phish & Ships, brought to you by The Be Cyber Aware at Sea campaign. For the last few months we have been swept up in the effects of the coronavirus on the world, and its impact on the cyber sphere for shipping in particular. While the virus is still very much in circulation and we are adjusting to the measures put in place for our protection, we must start to look ahead once more. After all, round the corner is

Our friends and colleagues at the Dryad Global maritime intelligence group in the UK provide the following intelligence update on the 4 August 2020 explosion in Beirut, Lebanon:

Dryad Incident Overview: Reporting indicates that a significant explosion has occurred in the vicinity of the port of Beirut. Eyewitness observers, social media footage and local intelligence sources all confirm that a large 'shockwave' was observed and caused significant structural damage to nearby buildings, with the blast ra

Mac devices are currently targeted by new ransomware, which is more sinister than before. But its true purpose may be hidden. According to Ars Technica's latest report, the new Mac ransomware is called ThiefQuest or EvilQuest. It is a data wiper and info-stealer that uses ransomware as a decoy. It is more dangerous because it steals credit card numbers and passwords. The victims get infected after downloading trojanized installers of popular apps from torrent trackers.

While not common, r

Military patrols working outside their forward operating bases (FOB) are categorized as “working outside the wire.” This is often where reconnaissance patrols and military intelligence officers collect and gather valuable military intelligence to provide back to their unit, base, and section commanders for use in future proactive combat operations. This is no different from what RedXray does in cyber security. RedXray collects and analyzes indicators of compromise (IOCs) to help customers identi

Maybe some of our readers are old enough to remember Avon’s catchphrase, “Avon calling!” The Avon ladies showed up at your door and rang the doorbell to sell your mother cosmetics. “Avon is Reeling.” A misconfigured cloud server at global cosmetics brand Avon was recently discovered leaking 19 million records including personal information and technical logs. Researchers at SafetyDetectives said they found the Elasticsearch database on an Azure server publicly exposed with no password protection o

Red Sky Alliance analysts have read that the New York Power Authority (NYPA) and Siemens Energy announced a new collaboration to create a Center of Excellence for industrial cybersecurity monitoring, research and innovation, which will concentrate on detecting and guarding against cyberattacks on NYPA’s infrastructure. NYPA’s Board of Trustees approved the creation of the cybersecurity center this past week.[1] Public and private solutions are a critical component to sound cyber healt

Activity Summary - Week Ending 31 July 2020:

  • Red Sky Alliance identified 65,708 connections from new unique IP addresses
  • 83 unique email accounts have been shown to be Compromised with Keyloggers
  • Analysts identified 2,442 new IP addresses participating in various Botnets
  • Emotet is Back
  • Phishing Campaign Targeting High-Profile Twitter Accounts
  • Confidential & Proprietary
  • Russia conducts 1st gas delivery via Arctic shipping route to Japan
  • DAPL in the news Again
  • Cavitas Energy and Thor
  • Floating stor

According to a recent article from ThreatPost, the North Korea-linked APT known as Lazarus Group, also known by names such as the Guardians of Peace, Whois Team, Hidden Cobra and Zinc, has debuted an advanced, multipurpose malware framework, called MATA, to target Windows, Linux, and macOS operating systems. Cyber threat investigators at Kaspersky have uncovered a series of attacks utilizing MATA (so-called because the malware authors themselves call their infrastructure MataNet), involving the

A previously unreported Fancy Bear campaign indicates APT28 has persisted for well over a year and that the notorious group has broadened its focus. Hackers from Russia’s GRU military intelligence agency, Units 26165 and 74455, aka Fancy Bear/APT28, have deep interests and experience in decryption, hacking, and dissemination of stolen information. These two units have carried out many of the most aggressive acts of hacking in history that have included destructive worms, blackouts,

Researchers estimate that more than 70 percent of cyberattacks target small businesses, many resulting in the demise of the business.

Small and midsize businesses (SMBs) are often easy targets for hackers. A smaller company, with a limited cyber threat defense budget, is less likely to use the multi-layered defenses that block hackers in today’s cyber environment. SMBs often think they are protected with one layer of security, such as a firewall, anti-virus, or a simple backup.