All Articles (181)


Wapack Labs reports on the use of vessel names as lures in malicious emails.  Using the names of Motor Vessel (MV), or Merchant/Motor Tanker (MT) in the subject line, is a social engineering tactic used by attackers when sending malicious emails to companies related to the shipping industry.  Successful infiltrations into transportation related networks can result in the theft of valuable financial information or corrupt a system with damaging results.   This report provides details about

Mikrotik is a Latvian router and is popular hardware product in many countries. Beginning in 2018, attackers began exploiting vulnerabilities for Mikrotik routers, as well as attempting brute force attacks. As a result, compromised Mikrotik routers have since been leveraged in a host of botnet related activities and fraud. Many of the compromised Mikrotik devices were also made into SOCKS or HTTP proxies and were reported in a number anonymous proxy lists. In March of 2019, Wapack Labs performed


Shared through the Multi-State (MS)-ISAC: A vulnerability have been discovered in Google Chrome, which could result in arbitrary code execution.  Google Chrome is a web browser used to access the Internet.  This vulnerability can be exploited if a user visits, or is redirected to, a specially crafted web page.  Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.  Depending on the privileges associated with this ap

Huawei Technologies and its 5G network construction work around the world have created concern in many quarters.  The chief cause for this con cern is the perception that Huawei networks have a unique potential for exploitation by Chinese intelligence services.   

A Wapack Labs review to determine the scale of this problem showed that Huawei is in fact involved in 5G infrastructure development in many countries.  Germany, Ireland, Switzerland, and Canada have been using Huawei equipment to set u


APT-C-36 or Blind Eagle (BE) is an APT group that is believed to originate from South America.  BE has been carrying out attacks against Colombian government institutions, to include the financial sector, petroleum industry and professional manufacturing.  BE has been active since April 2018.  Affected targets include Ecopetrol (Colombian Oil Company), Banco Agrario (State Financial Institution) and IMSA (Colombian Wheel Manufacturer).  It is possible BE is involved in recent geopolitica

On 13 February 2019, Bank of Valletta (BOV) employees discovered the hackers' intrusion and temporarily shut down all BOV IT systems. Wapack Labs analysis shows a continued heightened risk for BOV - primarily due exposed plain text employees’ passwords, signs of botnet connections from the BOV networks, incoming malicious emails, to inherent industry targeting, and a shared IT infrastructure with a French shipping company
Summary Wapack Labs has identified a new credential stuffing tool named BlackBullet for sale through third-party hacking sites. BlackBullet started selling on hacking sites in early 2018 and will be available in open source in March 2019. This report provides background information on the BlackBullet tool, outlines capabilities, and identifies companies targeted for credential stuffing.

The Network Systems Department (NSD) of the People’s Liberation Army (PLA) Strategic Support Force, created in December 2015, appears to be the entity where military cyber operations are now based.  It is a challenging collection target and many aspects of this PLA organization are still unknown.

The NSD is very rarely mentioned in open sources by its actual name.  Instead, new data confirms that it uses the cover designator “32069 Unit.”  Using this as a search term, some new information was di

New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

If your company uses Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then technicians should immediately install the latest firmware update released by the Cisco last week.  

Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities, after a security researcher released their proof-of-concept exploit code on the Internet last weekend.  The vulnerabilities in question are a co

Summary King Servers is a Russian hosting firm whose servers have been involved in numerous Russian criminal and Russian APT activities over the last few years. These activities include the compromise of the Arizona and Illinois SBOE (State Board of Elections) websites in 2016, and the use of King Server IP’s as C2’s for the newest Trickbot module. Wapack Labs also found that in February 2018, King Servers hosted the Emotet malicious email campaign involving denniscrawford2014[.]com. This domain


China’s Tencent Games is the developer of the mobile version of PlayerUnknown’s Battlegrounds, a vastly popular game that Wapack Labs has identified as being used to create botnets for conducting industrial fraud.  This report examines the relationship between Tencent and the Chinese government to explore the question of whether Tencent is a witting participant in this activity or being used by malicious actors in the government.

871403268?profile=RESIZE_710xTencent dominates the Chinese online world.  Tencent’s tex

ProxyLTE, a supplier of US based mobile and home router proxies, has been identified as one component in a large-scale fraud, targeting a Wapack Labs’ client. was created in late 2017, however associated malware was first observed in 2013. This report includes details on ProxyLTE malware and associated infrastructure.

766097321?profile=RESIZE_710xReport Date: January 14, 2019                                                  


Players Unknown Battleground (PUBG) has been identified by Wapack Labs as a large-scale proxy participant in major fraud. It is unclear whether PUBG is a witting or unwitting participant, but it is clear that the PUBG network has been abused for fraudulent purposes.

Wapack Labs has yet to identify the specific malware component that is responsible for recruiting PUBG gamers into various botnets. However, the


Information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the US and abroad was recently collected and analyzed by US federal authorities.  This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM.  This group heavily targets managed service providers (MSP) who offer cloud computing services; commercial and governmental clients

2019 Cyber Security Threat and Vulnerability Predictions

This report outlines our predictions regarding cyber threats and vulnerabilities for 2019.  We base those on the trends Wapack Labs were observing during 2018.  The main topics are artificial intelligence, IoT and mobile, cryptocurrency cybercrime, APT activity, and eCommerce targeting.

  1. Smarter Computing: Swarm, AI and Quantum

Quantum Computing

IBM-Q allows access to its quantum computer for research and testing. Quantum computing will revolut


China has long exerted control over Internet content and access by its citizens.  The censorship regime known as the Great Firewall of China has been used to eliminate unwanted content such as criticism of Communist Party leadership.  Since Xi Jinping’s became president in 2013, that regime has been tightening up in many ways. 

China’s right to control its own portion of the Internet has been defended by the government through its promotion of the concept of “cyber sovereignty.”  They e


US federal authorities are assessing cyber criminals are likely using Internet query (IQY) files in their phishing campaign emails targeting US businesses, indicating a new tactic, technique, and procedure (TTP).  IQY files are a specific file format used to import data from external sources such as remote servers into Excel spreadsheets, where it is then executed on the computers. In cybercriminal phishing attempts, a malicious web server URL was put into the IQY file attached to the em


Meng Wanzhou, the Chief Financial Officer of Huawei Technologies, was arrested at the Vancouver Airport on 1 December 2018 at the request of US authorities.  The US seeks her extradition so that she can face charges of US sanction violations in America court.  After being held for ten days, Meng was released on bail and is staying in Vancouver while the extradition request is adjudicated by the Canadian government.

411043467?profile=RESIZE_710xThe Chinese government has reacted strongly to her arrest and has deploye

Below is the Executive Summary regarding the recent email bomb threats sent internationally.  Our good friends from Global Guardian shared their threat assessment for situational awareness.

Summary - On 13 December 2018, hundreds of businesses, law enforcement agencies and public services across the United States and Canada received email threats demanding a bitcoin payment of $20,000 in the early afternoon, prompting evacuations, building sweeps and overloading police call centers. What’s more,


Wapack Labs SOC identified JexBoss exploit attempts against an HVAC Controller, a NetScaler device, and the CEO of the company. This exploit is known to be a delivery mechanism of SamSam ransomware --and it would have been the second time this company would have suffered a large scale ramsomware attack.


Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss Exploit Tool staring in November of 2018.  Research into these incidents shows