X-Industry

Activity Summary - Week Ending 25 November 2020:

• Red Sky Alliance observed 106 unique email accounts compromised with Keyloggers
• Analysts identified 45,355 connections from new unique IP addresses
• Lir Ukraine Llc Compromised C2
• Hezbollah Threat Actors remain as the Top Hacking Group
• Lazarus is Targeting the Supply Chain
• Muhstik Botnet targeting Oracle
• Boom!Mobile – Still not Happy
• Everyone hang in there, add Oil
• To our US Friends – Happy Thanksgiving
  
  Link to full report: IR-20-330-001-Tactical C

In the US, many people fear the Internal Revenue Service (IRS).  When a US citizen receives any type communication from the IRS, people take notice.  The cyber bad guys know that too and send IRS phishing messages to unwitting US citizens.  In addition to receiving scam voice mails and texts about your Social Security number being at risk, a “credible looking” yet fake, IRS email has been sent to tens of thousands of email inboxes across the US.  The question of authenticity can be explained in

I am sure everyone reading this post has had a dream where you wake up laughing.  You sit on the edge of your bed and think about what was so funny that made you laugh.  Well a recently identified Chinese hacking group called ‘FunnyDream’ (FD) ain’t so funny.  In fact, FD has targeted over 200 government units in Southeast Asia since 2018 as part of an ongoing cyberespionage campaign.  This according to research from the security firm Bitdefender.  The FunnyDream campaign, active since 2018, mai

The North Korean APT group known as Kimsuky, Black Banshee, Velvet Chollima and Thallim is actively attacking commercial-sector businesses, often by posing as South Korean reporters, according to an alert from the CISA.

Kimsuky (Hidden Cobra or Lazarus) has been known since 2012, mainly targeting think tanks in South Korea, but more recently expanding operations to the United States, Europe, and Russia with the help of the regime in Pyongyang. Its mission is global intelligence gathering, CISA n

Activity Summary - Week Ending 20 November 2020:

• Red Sky Alliance identified 35,859 connections from new unique IP addresses
• Microsoft IP is a compromised C2
• APT 10 – Stone Panda back in the Top 5 Threat Actor Groups
• Capcom Hack - Part II
• Kucoin Exchange Hacked
• Kucoin-activity[.]com - Beware
• Cryptocurrency Challenges
• Plowshares going to Prison
• Black activists in Portland OR doing the Moonwalk
• Sodinokibi using BLM as Registry key

Link to full report: IR-20-325-001-Tactical Cyber Brief325_FINAL.

Brazil is known for its pristine beaches, nightlife, hot dancing, and of course - The Girl from Ipanema.  A recently uncovered Brazilian banking Trojan targeting Android devices can spy on over 150 apps, including those of banks, cryptocurrency exchanges, and fintech firms, as a way to gather credentials and other data, according to an analysis by security firm Kaspersky.  A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that is a contradiction.  Viruses can execute and r

Remember the Dark Side comics?  Well, the DarkSide criminal hacking group is no laughing matter.  The DarkSide Ransomware gang claims they are creating a distributed storage system in Iran to store and leak data stolen from victims.  DarkSide is operated as a Ransomware-as-a-Service (RaaS) where developers control programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

DarkSide is the latest ransomware criminal gang to anno

Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate. The goal is to render the website or service inoperable.  The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level.

DDoS attacks have not been in the spotlight this year, due the onslaught of high dollar a

Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.

Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published on Monday by Kaspersky.  Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth operation. Distribution was never c

A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself. 

The malware, named Jupyter by its finders at Israeli security firm Morphisec, has been active since at least May 2020, but it escaped detection by most antivirus software until last week; partly because unlike most malware, Jupyter runs mostly in memory and leaves very little trace on a syst

The 2020 Holidays are here and many global and domestic economies are preparing for the subsequent shopping. This buying season is being executed in an environment that has changed entirely due to the Corona Pandemic lockdowns and fears of virus infection.  This creates – buying on-line.  It is estimated that this will be the largest on-line/eCommerce holiday season ever.  As tradition on Black Friday was once, consumers will not be standing outside of brick and mortar stores waiting for the lat

In August 2020, the NSA and FBI published a joint security alert containing details about a previously undisclosed Russian malware.  The entire report can be viewed here

The agencies say that the Linux strain malware has been developed and deployed in real-world attacks by Russian military hackers. The FBI says, “The Russian General Staff Main Intelligence Directorate (GRU) 85^th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector

Encryption is a valuable partner in maintaining privacy.  Encryption keeps our data safe from unwanted guests.  It stops people from robbing our valuable credit card details, our app usage habits, and our passwords.  While this is the answer for those with privacy concerns, IT teams will face a massive influx of traffic that they cannot look inside without decryption technology.  This means encryption brings a bit of a double-edged sword because cyber threat actors can use it too.  Encryption ca

Walmart wants to learn whether robotic deliveries can fit into with its retail operations so it is launching a pilot program with General Motors funded electric automobile company Cruise, using the tech startup’s electric, self-driving to deliver groceries and other goods to suburban Phoenix customers.

The project will begin sometime in early 2021 and will use battery-powered vehicles in Cruise’s test fleet in Scottsdale, Arizona, Tom Ward, Walmart’s senior vice president for customer product, s

Law enforcement in Jackson, Mississippi has launched a pilot program that allows officers to tap into private surveillance devices during criminal investigations.  On 30 October 2020, the AP reported that the trial, now signed off by the city, will last for 45 days.  The small trial could herald a wider rollout with participating residents in the future. The pilot program uses technology provided by Pileum and Fusus, an IT consultancy firm and a provider of a cloud-based video, sensor, and data

Previously, Red Sky Alliance reported on Fancy Bear imposters demanding Bitcoin ransom from a Florida election information website.  These actors send various ransom/scam demands using coronavirus-themed domains covidpapers[.]org and coronaxy[.]com.  In some cases, they threaten with exposure of allegedly hacked personal files, in other cases, with DDoS attack.  They often claim to be Russian government hackers, pretending to be Fancy Bear, Cozy Bear, or Venomous Bear.   Their ransom emails typi

A cyberespionage campaign aimed at aerospace and defense sectors to install data gathering implants on victims' machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought.  The use of job of employment ads and postings have the recent bait for unsuspecting victims.

The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia and India, involve

Activity Summary - Week Ending 13 November 2020:

• Red Sky Alliance observed 67 unique email accounts compromised with Keyloggers
• Analysts identified 42,222 connections from new unique IP addresses
• 2,563 new IP addresses were observed Participating in various Botnets
• Hezbollah is the Top Threat actor this week targeting Israel, US, Lebanon, Syria and Iran
• TrickBot and BazarLoader
• WatchBogMiner
• Ransomware blocks electronic Stadium Entrances
• A UK Premier League soccer club's Managing Director was H

The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it downloaded in a November 3, 2020 attack unless a US$15 million ransom is paid in Bitcoin.  Attacks that are carried out by the gang behind Ragnar Locker, break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manuall

The past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, corresponded with an observed decrease in Ryuk deployments. This suggested that Conti is the “successor” of Ryuk. Some media outlets have also reported that Conti was an evolved version of Ryuk, suggesting that it has evolved from the RYUK source code. While this may have been true for very early samples, a Red Sky analysis of recent