All Articles (193)

Remote Desktop Protocol (RDP) serves as an entry point for an attacker that desires to move laterally throughout an organization via RDP session hijacking. In order to persist and consistently be able to access the compromised RDP account an attacker must place a backdoor on the system. Attackers use binary replacement and registry debugger methods to backdoor RDP and other popular Windows accessibility services: osk.exe, Magnify.exe, Narrorator.exe, DisplaySwitch.exe, AtBroker.exe. Sticky Keys

2271211259?profile=RESIZE_710xThe People’s Republic of China has claimed the whole of the South China Sea as its sovereign territory ever since coming to power in 1949.  However, several other countries have historical claims over some of the islands, and the Law of the Sea Treaty gives several of these countries rights to economic zones that overlap with Chinese claims.  This has led to conflict between China and the United States, which supports the claims of its allies to parts of the South China Sea under international l

During the time frame 26 March 2019 until 18 April 2019, leaker Lab_Dookhtegan dumped information, photos, and source code allegedly belonging to APT34 / OilRig via their Telegram messenger channel.  The leak highlights Iran’s heavy use of ASP web shells on compromised exchange servers to launch attacks and exfiltration via DNS.  Several tools from APT34 / OilRig were released (high confidence): PoisonFrog, base.aspx, webmask_dns, FoxPanel222 nodeJS phishing kit, HighShell, HyperShell, MinionPro

2210160469?profile=RESIZE_710xIn April 2019, Krebs reported that Wipro, an Indian IT outsourcing company, was the victim a successful cyber attack by suspected state-sponsored actors.  The actors leveraged ScreenConnect, a remote administration tool, to gain access to various Wipro systems which were then used as launching points for additional attacks against Wipro’s customers. The follow-on attacks consisted of a phishing campaign capturing data as part of gift card fraud operation.

Additional open sources reported this at

In February 2019, conflict between India and Pakistan over the disputed territory of Kashmir escalated into the worst violence there is decades.  An Islamic extremist suicide bomber with a vehicle packed with explosives attacked an Indian police convoy in Kashmir, killing 40.  This provoked a military response by India, with Indian Air Force fighter jets carrying out a bombing raid into Pakistan proper for the first time since 1971.  India claimed they were attacking a terrorist camp, but no inj

Ursnif, aka Gozi, is a popular Info-stealing malware that first emerged during 2012. Since then the malware has undergone several variations with the latest distribution using word document attachments with malicious Powershell commands. A new Ursnif campaign was recently observed targeting customers for various financial institutions in the US, Canada, and Italy.

Summary

Wapack Labs observed malicious email trending on CTAC which detected an uptick in Darwish Trading Company (DTC) spoofing.  Hackers pretend to be from this Qatari company as it has a wide range of business activities to include servicing the oil and gas sector.  During 29 March 2019 – 3 April 2019, these samples were seen delivering Lokibot and PonyLoader malware.

Details

1862810384?profile=RESIZE_710x

Figure 1. Malicious .doc attachment in an email spoofing Darwish Trading Company

The Darwish Trading Company (DTC) has a w

Summary

Loki is a very popular bot/stealer malware which has been for sale in the underground since 2015.  In 2017, two hackers from the Russian hacking forum fuckav.ru cracked Loki and released a cracked builder.  Once the cracked builder was released new unofficial versions of Loki were found for sale in novice English speaking forums for less than the original version. 


This report provides details on the following Loki variants:

  • Loki 1.6 & 2.0 by Carter
  • Loki 1.7 (1.6 Cracked) by Abbat-v &
Summary Beginning in August of 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked Eternal Blue exploit. Smominru, aka MyKings, is characterized by the targeting of Windows systems using WMI as a file-less persistence mechanism. As of March 2019, Smominru showed no signs of slowing down. Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days. This report provides a high-level overview

China’s need for energy has skyrocketed over the last 20 years as the country has gotten richer and the middle class—now 400 million—has grown into a significant segment of the population.  Energy demands are not being met by domestic production, so China is now a net importer of oil, natural gas, and coal.

China’s energy source mix has traditionally been dominated by coal, but the share of energy produced by coal is dropping.  China is highly dependent on imported oil, which makes up about 68 p

Summary

Hackers are using “SWIFT monetary transfer” themed files to lure users into opening them.  These files have been identified malicious.  Wapack Labs studied a sample group of SWIFT-themed malicious files during a 30 days period in February-March 2019.  Nearly half are classified as Lokibot, and 12 percent were detected exploiting CVE-2017-11882 "Microsoft Office Memory Corruption Vulnerability."  Most of the samples were submitted from either Ukraine, the Czech Republic or the US.  In seve

Summary

Wapack Labs reports on the use of vessel names as lures in malicious emails.  Using the names of Motor Vessel (MV), or Merchant/Motor Tanker (MT) in the subject line, is a social engineering tactic used by attackers when sending malicious emails to companies related to the shipping industry.  Successful infiltrations into transportation related networks can result in the theft of valuable financial information or corrupt a system with damaging results.   This report provides details about

Mikrotik is a Latvian router and is popular hardware product in many countries. Beginning in 2018, attackers began exploiting vulnerabilities for Mikrotik routers, as well as attempting brute force attacks. As a result, compromised Mikrotik routers have since been leveraged in a host of botnet related activities and fraud. Many of the compromised Mikrotik devices were also made into SOCKS or HTTP proxies and were reported in a number anonymous proxy lists. In March of 2019, Wapack Labs performed

Summary

Shared through the Multi-State (MS)-ISAC: A vulnerability have been discovered in Google Chrome, which could result in arbitrary code execution.  Google Chrome is a web browser used to access the Internet.  This vulnerability can be exploited if a user visits, or is redirected to, a specially crafted web page.  Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.  Depending on the privileges associated with this ap

Huawei Technologies and its 5G network construction work around the world have created concern in many quarters.  The chief cause for this con cern is the perception that Huawei networks have a unique potential for exploitation by Chinese intelligence services.   

A Wapack Labs review to determine the scale of this problem showed that Huawei is in fact involved in 5G infrastructure development in many countries.  Germany, Ireland, Switzerland, and Canada have been using Huawei equipment to set u

Summary

APT-C-36 or Blind Eagle (BE) is an APT group that is believed to originate from South America.  BE has been carrying out attacks against Colombian government institutions, to include the financial sector, petroleum industry and professional manufacturing.  BE has been active since April 2018.  Affected targets include Ecopetrol (Colombian Oil Company), Banco Agrario (State Financial Institution) and IMSA (Colombian Wheel Manufacturer).  It is possible BE is involved in recent geopolitica

On 13 February 2019, Bank of Valletta (BOV) employees discovered the hackers' intrusion and temporarily shut down all BOV IT systems. Wapack Labs analysis shows a continued heightened risk for BOV - primarily due exposed plain text employees’ passwords, signs of botnet connections from the BOV networks, incoming malicious emails, to inherent industry targeting, and a shared IT infrastructure with a French shipping company
Summary Wapack Labs has identified a new credential stuffing tool named BlackBullet for sale through third-party hacking sites. BlackBullet started selling on hacking sites in early 2018 and will be available in open source in March 2019. This report provides background information on the BlackBullet tool, outlines capabilities, and identifies companies targeted for credential stuffing.

The Network Systems Department (NSD) of the People’s Liberation Army (PLA) Strategic Support Force, created in December 2015, appears to be the entity where military cyber operations are now based.  It is a challenging collection target and many aspects of this PLA organization are still unknown.

The NSD is very rarely mentioned in open sources by its actual name.  Instead, new data confirms that it uses the cover designator “32069 Unit.”  Using this as a search term, some new information was di

New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

If your company uses Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then technicians should immediately install the latest firmware update released by the Cisco last week.  

Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities, after a security researcher released their proof-of-concept exploit code on the Internet last weekend.  The vulnerabilities in question are a co